1. Tech Ed North America 2010
11/22/2018 4:52 PM
SESSION CODE: SIA201
Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
David Chappell
Principal
Chappell & Associates
Claims-Based Identity: An Introduction to AD FS 2.0, Windows Identity Foundation, and CardSpace 2.0
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2. Agenda Introducing Claims-Based Identity
11/22/2018 4:52 PM
Agenda
Introducing Claims-Based Identity
Using Claims-Based Identity: Scenarios
Microsoft Technologies for Claims-Based Identity: A Closer Look
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

3. Introducing Claims-Based Identity
Tech Ed North America 2010
11/22/2018 4:52 PM
Introducing Claims-Based Identity
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

4. Claims-Based Identity The core Microsoft technologies
Active Directory Federation Services (AD FS) 2.0
The newest version of AD FS
Windows Identity Foundation (WIF) 1.0
Pronounced “Dub-I-F”
CardSpace 2.0
The newest version of CardSpace

5. What is Identity?
An identity is a set of information about some entity, such as a user
Most applications work with identity
Identity information drives important aspects of an application’s behavior, such as:
Determining what a user is allowed to do
Controlling how the application interacts with the user

6. Defining the Problem Working with identity is too hard
Applications must use different identity technologies in different situations:
Active Directory (Kerberos) inside a Windows domain
Username/password on the Internet
WS-Federation and the Security Assertion Markup Language (SAML) between organizations
Why not define one approach that applications can use in all of these cases?
Claims-based identity allows this
It can make life simpler for developers

7. Tokens and Claims Representing identity on the wire
A token is a set of bytes that expresses information about an identity
This information consists of one or more claims
Each claim contains some information about the entity to which this token applies
Token
Signature
Example Claims
Claim 1
Claim 2
. . .
Claim n
Claim 3
Name
Group
Indicates who created this token and guards against changes
Age

8. Identity Providers and STSs
An identity provider (or issuer) is an authority that makes claims about an entity
Example identity providers today:
On your company’s network: Your employer
On the Internet: Windows Live ID
An identity provider can implement a security token service (STS)
It’s software that issues tokens
Requests for tokens are made via WS-Trust
Many token formats can be used
The SAML format is popular

9. Getting a Token Illustrating an identity provider and an STS
2) Get information
Security Token Service (STS)
Account/ Attribute Store
1) Authenticate user and request token
3) Create and return token
Token
Browser or Client
User

10. Acquiring and Using a Token
4) Use claims in token
Identity Provider
Application
3) Verify token’s signature and check whether this STS is trusted
STS
Identity
Library
1) Authenticate user and get token
Token
2) Submit token
Token
List of Trusted STSs
Browser or Client
User

11. Why Claims Are an Improvement
In today’s world, an application typically gets only simple identity information
Such as a user’s name
To get more, the application must query:
A remote database, e.g., a directory service
A local database
With claims-based identity, each application can ask for exactly the claims that it needs
The STS puts these in the token it creates

12. How Applications Can Use Claims Some examples
A claim can identify a user
A claim can convey group or role membership
A claim can convey personalization information
Such as the user’s display name
A claim can grant or deny the right to do something
Such as access particular information or invoke specific methods
A claim can constrain the right to do something
Such as indicating the user’s purchasing limit

13. Supporting Multiple Identities Using an identity selector: An option
5) Use claims in token
Identity Providers
STS
Application
STS
Identity
Library
3) Authenticate user and get token for selected identity
Token
1) Access application and learn token requirements
4) Submit token
Token
Browser or Client
Identity Selector
2) (Optionally) select an identity that matches those requirements
User

14. Claims-Based Identity for Windows
5) Use claims in token
Identity Providers
AD FS 2.0
Application
STS
STS
Windows Identity Foundation
3) Authenticate user and get token for selected identity
Token
1) Access application and learn token requirements
4) Submit token
Token
Browser or Client
CardSpace 2.0
2) (Optionally) select an identity that matches those requirements
User

15. Using Claims-Based Identity: Scenarios
Tech Ed North America 2010
11/22/2018 4:52 PM
Using Claims-Based Identity: Scenarios
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

16. An Enterprise Scenario
8) Use claims in token
Active Directory Domain Services
AD FS 2.0
Application
STS
5) Find claims required by application and create token
WIF
6) Receive token
Token
4) Present Kerberos ticket and request token for selected identity
1) Login to domain and get Kerberos ticket
7) Submit token
Token
2) Access application and learn token requirements
Browser or Client
CardSpace 2.0
3) (Optionally) select an identity that matches those requirements
User

17. Allowing Internet Access
5) Use claims in token
Active Directory Domain Services
AD FS 2.0
Application
STS
WIF
Token
4) Submit token
3) Authenticate user and get token for selected identity
Token
1) Access application and learn token requirements
Internet
Browser or Client
CardSpace 2.0
2) (Optionally) select an identity that matches those requirements
User

18. Using an External Identity Provider
Identity Providers
5) Use claims in token
Windows Live ID
Other
Application
WIF
STS
STS
4) Submit token
Token
1) Access application and learn token requirements
3) Authenticate user and get token for selected identity
Token
Internet
Browser or Client
CardSpace 2.0
2) (Optionally) select an identity that matches those requirements
User

19. Identity Across Organizations Describing the problem
A user in one Windows forest must access an application in another Windows forest
A user in a non-Windows world must access an application in a Windows forest (or vice-versa)

20. Identity Across Organizations Possible solutions
One option: duplicate accounts
Requires separate login, extra administration
A better approach: identity federation
One organizations accepts identities provided by the other
No duplicate accounts
Single sign-on for users

21. Identity Federation (1)
Organization X
Organization Y
Active Directory Domain Services
AD FS 2.0
STS
STS
3) Get token for selected identity
Token
5) Use claims in token
4) Submit token
Token
Application
Browser or Client
WIF
1) Access application and learn token requirements
CardSpace 2.0
2) (Optionally) select an identity that matches those requirements
Trusted STSs:
Organization Y
Organization X
User

22. Identity Federation (2)
Organization X
2) Access Organization Y STS and learn token requirements
Organization Y
Active Directory Domain Services
AD FS 2.0
5) Request token for application
Token for STS Y
STS
6) Issue token for application
Token
STS
4) Get token for Organization Y STS
Token for STS Y
Trusted STSs:
Organization X
8) Use claims in token
7) Submit token
Token
Application
Browser or Client
1) Access application and learn token requirements
WIF
CardSpace 2.0
3) (Optionally) select an identity that matches those requirements
Trusted STSs:
Organization Y
User

23. Active Directory Domain Services
Delegation
Active Directory Domain Services
AD FS 2.0
5) Check policy for user, application X, and application Y
STS
6) If policy allows, issue token for application Y
Token for Y
1) Get token for application X
Token for X
4) Request token for application Y
Token for X
8) Use claims in token
7) Submit token
Token for Y
Browser or Client
Application X
Application Y
2) Submit token
Token for X
3) Access application and learn token requirements
WIF
WIF
User

24. Microsoft Technologies for Claims-Based Identity: A Closer Look
Tech Ed North America 2010
11/22/2018 4:52 PM
Microsoft Technologies for Claims-Based Identity: A Closer Look
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

25. Changes in AD FS 2.0 From the previous release
AD FS 1.1 supports only passive clients (i.e., browsers) using WS-Federation
And it doesn’t provide an STS
AD FS 2.0:
Supports both active and passive clients
Provides an STS
Supports both WS-Federation and the SAML 2.0 protocol
Improves management of trust relationships
By automating some exchanges

26. Windows Identity Foundation A summary
The goal: Make it easier for developers to create claims-aware applications
WIF provides:
Support for verifying a token’s signature and extracting its claims
Classes for working with claims
Visual Studio project types
An STS for development and testing
Support for creating a custom STS
More

27. CardSpace 2.0 Selecting identities
CardSpace provides a standard user interface for choosing an identity
Using the metaphor of cards
Choosing a card selects an identity (i.e., a token)

28. Information Cards Behind each card a user sees is an information card
It’s an XML file that represents a relationship with an identity provider
It contains what’s needed to request a token for a particular identity
Information cards don’t contain:
Claims for the identity
Whatever is required to authenticate to the identity provider’s STS

29. Information Cards An illustration
Identity Providers
Browser or Client
STS
STS
STS
CardSpace 2.0
Information Card 4
Information Card 3
Information Card 2
Information Card 1
User

30. Creating Industry Agreement
The Information Card Foundation is a multi-vendor group dedicated to making this technology successful
Its board members include Google, Microsoft, Novell, Oracle, and PayPal
A Web site can display a standard icon to indicate that it accepts card-based logins:

31. Changes in CardSpace 2.0 From the first CardSpace release
CardSpace 2.0 is available separately from the .NET Framework
It’s smaller and faster
CardSpace 2.0 contains optimizations for applications that users visit repeatedly
A Web site can display the card you last used to log in the site
The CardSpace screen needn’t appear
The self-issued identity provider has been dropped

32. Shipping Status Today WIF: Released November 2009
AD FS 2.0: Released May 2010
CardSpace 2.0: Currently in beta, release postponed
It’s a fast-moving technology area

33. Conclusions
Changing how applications (and people) work with identity is not a small thing
Widespread adoption of claims-based identity will take time
Yet all of the pieces required to make claims-based identity real on Windows are here:
AD FS 2.0
Windows Identity Framework
CardSpace 2.0 (on the way)

34. References
Claims-Based Identity for Windows: An Introduction to Active Directory Federation Services 2.0, Windows CardSpace 2.0, and Windows Identity Foundation, David Chappell

35. About the Speaker
David Chappell is Principal of Chappell & Associates ( in San Francisco, California. Through his speaking, writing, and consulting, he helps people around the world understand, use, and make better decisions about new technology. David has been the keynote speaker for events and conferences on five continents, and his seminars have been attended by tens of thousands of IT decision makers, architects, and developers in more than forty countries. His books have been published in a dozen languages and used regularly in courses at MIT, ETH Zurich, and other universities. In his consulting practice, he has helped clients such as Hewlett-Packard, IBM, Microsoft, Stanford University, and Target Corporation adopt new technologies, market new products, train their sales staffs, and create business plans. Earlier in his career, David wrote networking software, chaired a U.S. national standards working group, and played keyboards with the Peabody-award-winning Children’s Radio Theater. He holds a B.S. in Economics and an M.S. in Computer Science, both from the University of Wisconsin-Madison.

36. Tech Ed North America 2010
11/22/2018 4:52 PM
Related Content
SIA321 |Business Ready Security: Exploring the Identity and Access Management Solution
SIA201 |Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0
SIA303|Identity and Access Management: Windows Identity Foundation and Windows Azure
SIA304 | Identity and Access Management: Windows Identity Foundation Overview 
SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove
SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin
SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT 
SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM
SIA319 | Microsoft Forefront Identity Manager 2010: In Production
SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0
SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager
SIA06-INT | Identity and Access Management Solution Demos
SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview
SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory
Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

37. Track Resources Learn more about our solutions: Try our products:
Try our products:

38. Resources Learning Required Slide www.microsoft.com/teched
Tech Ed North America 2010
11/22/2018 4:52 PM
Required Slide
Resources
Learning
Sessions On-Demand & Community
Microsoft Certification & Training Resources
Resources for IT Professionals
Resources for Developers
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

39. Complete an evaluation on CommNet and enter to win!
Tech Ed North America 2010
11/22/2018 4:52 PM
Required Slide
Complete an evaluation on CommNet and enter to win!
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

40. Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st
You can also register at the North America 2011 kiosk located at registration Join us in Atlanta next year

41. Tech Ed North America 2010 11/22/2018 4:52 PM
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

42. Tech Ed North America 2010 11/22/2018 4:52 PM
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.