1 Mario Szpuszta Solutions Architect Microsoft Austria, Vienna

2 Agenda
  Digital identity crisis
  Real world as metaphor
  The Identity Metasystem as model
  Agreement on a model
  Common, consistent user experience
  Claims-based security
  Federation & claims transformation
  Summary

4 www.antiphishing.org

8 Windows CardSpace

11 Diagram labels: issues, queries, trusts

13 The goals of the identity metasystem are to connect individual identity systems, allowing seamless interoperation between them, to provide applications with a technology-independent representation of identities, and to provide a better, more consistent user experience with all of them! http://msdn2.microsoft.com/en-us/library/ms996422.aspx

14 The laws of identity:
  User control and consent
  Minimal disclosure for a defined use
  Justifiable parties
  Directional identity
  Pluralism of operators and technologies
  Human integration
  Consistent experience across contexts

16 Metasystem protocol stack (diagram labels):
  WS-Policy, WS-MetadataExchange
  Information cards
  OpenID, LID, Yadis...
  WS-Trust
  SAML, Kerberos, X.509 etc.
  WS-Security, WS-SecureConversation
  Callouts: "AuthN happens here", "AuthZ happens here"

20 Digital Identity Selector: a "digital wallet"
  You carry "digital cards" with you
  Each card belongs to one identity provider (IP One, IP Two, IP Three in the diagram)

21 CardSpace is an identity selector
  Part of .NET Framework 3.0
  Uses WCF for its WS-* standards
  User’s digital identities = information cards
  CardSpace is an STS: self-issued cards
  Creates SAML v1.0 tokens
  Requires no 3rd-party identity provider
  User is in control of which IP is used and which claims are exposed

24 Claims
  Statements about a subject: they identify the subject, or only describe attributes, or both
  Digital identity: a set of claims asserted by an authority or by the subject
  RP requests claims via policy: a web app uses an <object> tag; a service uses WS-Policy, WS-MEX

25 ClaimType is the claim URI as a string
  Right can be one of two things: Identity or PossessProperty
  Resource is the value of the claim

  namespace System.IdentityModel.Claims
  {
      public class Claim
      {
          public Claim(string claimType, object resource, string right);
          public string ClaimType { get; }   // claim URI
          public string Right { get; }       // Rights.Identity or Rights.PossessProperty
          public object Resource { get; }    // claim value
          //...
      }
  }

26 Built-in ClaimSet implementations: DefaultClaimSet, WindowsClaimSet, X509CertificateClaimSet

  namespace System.IdentityModel.Claims
  {
      public abstract class ClaimSet : IEnumerable<Claim>, IEnumerable
      {
          public abstract ClaimSet Issuer { get; }   // claims of whoever asserted this set
          public virtual bool ContainsClaim(Claim claim);
          public abstract IEnumerable<Claim> FindClaims(string claimType, string right);
          public abstract int Count { get; }
          public abstract Claim this[int index] { get; }
          public abstract IEnumerator<Claim> GetEnumerator();
          //...
      }
  }
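The following is an added example, not code from the deck, showing how a relying party uses the Claim and ClaimSet API above: it walks the claim sets produced by token authentication and relies only on claims whose Issuer is the one STS certificate it trusts. ClaimCheck, FindTrustedClaim, IssuedByTrustedSts and the placeholder thumbprint bytes are this example's own assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;

// Added example (not from the deck): a relying party relies only on claims whose issuer is
// its one trusted STS certificate. All names and the thumbprint bytes are this example's own.
static class ClaimCheck
{
    // Assumed: exactly one trusted STS signing certificate, pinned by its hash (placeholder bytes).
    static readonly byte[] TrustedIssuerThumbprint = { 0x01, 0x02, 0x03, 0x04 };
    // Returns the first value of claimType asserted by the trusted issuer, or null.
    // In a WCF operation, pass ServiceSecurityContext.Current.AuthorizationContext.ClaimSets.
    public static string FindTrustedClaim(IEnumerable<ClaimSet> claimSets, string claimType)
    {
        foreach (ClaimSet set in claimSets)
        {
            if (!IssuedByTrustedSts(set.Issuer))
                continue; // self-issued card, Windows identity or unknown STS: not relied on
            // Rights.PossessProperty: the subject has this attribute; Rights.Identity would
            // mean the claim identifies the subject itself (a name or PPID claim, for example).
            foreach (Claim c in set.FindClaims(claimType, Rights.PossessProperty))
                return c.Resource as string;
        }
        return null;
    }
    // An X509CertificateClaimSet issuer carries a Thumbprint claim whose Resource is the
    // certificate hash (byte[]); a DefaultClaimSet built from the same claim compares equal.
    static bool IssuedByTrustedSts(ClaimSet issuer)
    {
        foreach (Claim c in issuer.FindClaims(ClaimTypes.Thumbprint, Rights.PossessProperty))
        {
            byte[] hash = c.Resource as byte[];
            if (hash != null && Convert.ToBase64String(hash) ==
                                Convert.ToBase64String(TrustedIssuerThumbprint))
                return true;
        }
        return false;
    }

    static void Main()
    {
        // Constructed offline input: an issuer set standing in for the STS certificate and a
        // subject set holding the e-mail claim, as an authenticated SAML token would yield.
        ClaimSet issuer = new DefaultClaimSet(Claim.CreateThumbprintClaim(TrustedIssuerThumbprint));
        ClaimSet subject = new DefaultClaimSet(issuer,
            new Claim(ClaimTypes.Email, "alice@example.com", Rights.PossessProperty));
        Console.WriteLine(FindTrustedClaim(new ClaimSet[] { subject }, ClaimTypes.Email));
    }
}
```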

27 Scenario: the relying party is a web site
  Browser integration necessary
  Requested claims embedded in HTML
  Identity selector lets the user select card/IP
  Approach: embed an <object> element for the card request
  IE 7.0; Firefox and Safari supported

28 Browser sign-in flow (participants: user’s PC with browser, CardSpace and cards store; web site with token policy; identity provider with STS and identities store):
  1. Browser GETs the login page.
  2. Browser reads the policies (the requested claims) from the page.
  3. Browser passes the policies to CardSpace.
  4. CardSpace filters the card collection and shows the CardSpace UI.
  5. User picks a card.
  6. CardSpace sends an RST to the IP.
  7. The IP authenticates the RST; if successful, it builds and signs the requested token.
  8. The IP sends back the token in an RSTR.
  9. CardSpace gives the SAML token to the app and exits.
  10. The browser POSTs the SAML token to the website.
  11. The website authenticates the token.

29 Sign in with your Information Card

  <!-- the identity selector is triggered by this object element; the issued token is POSTed back in the form field named here -->
  <object type="application/x-informationcard" name="xmlToken">
    <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion">
    <param name="issuer" value="http://schemas..../identity/issuer/self">
    <param name="requiredClaims"
           value="http://.../claims/givenname,
                  http://.../claims/surname,
                  http://../claims/emailaddress,
                  http://.../claims/privatepersonalidentifier">
  </object>

31 WCF is metasystem-ready
  Supports necessary WS-* standards
  Understands many tokens (SAML, Kerberos...)
  Client integration and CardSpace: System.IdentityModel, System.ServiceModel.Identity
  Identity selector triggered based on WS-Policy

32 Binding configuration:

  <message issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
           negotiateServiceCredential="false" />

35 Relying party does not manage identity; the IP authenticates / proves identity
  Relying party determines truth based on the IP with the closest relationship to the subject
  The relying party relies on: IP authentication of the subject, or consensus of multiple IPs
  Federation bridges silos!!

36 Federation between two companies:
  Company A: Requestor, IP/STS, ID store
  Company B: IP/STS, Target Service
  WS-Policy and WS-Trust are used on both hops: requestor to its own IP/STS, and across the company boundary to Company B's IP/STS

37 Claims transformation across the federation:
  Company A: Requestor, IP/STS, ID store. The IP/STS issues Name, Date of Birth, Passport Nr., Passport Valid, ...
  Company B: IP/STS, Target Service. The target service asks for "Age >= 21"; the IP/STS transforms "Date of Birth" into "Age >= 21?"
  What the STS transforms:
    Format: X.509 cert -> SAML token
    Trust: partner claim -> local actionable claim
    Content: role -> access right
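As an added example (not code from the deck), the content transformation Company B's STS performs on slide 37, written against the System.IdentityModel.Claims API: the partner's "Date of Birth" claim becomes the local actionable claim "Age >= 21?", and a partner role becomes a local access right, without passing the date of birth itself on to the target service. The local claim-type URIs, the role table and the names ClaimTransformer, Transform and IsAtLeast are this example's own assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.IdentityModel.Claims;

// Added example (not from the deck): the claims transformation Company B's STS performs in
// slide 37. The local claim-type URIs, the role table and all names here are this example's own.
static class ClaimTransformer
{
    // Assumed local (Company B) claim types; only ClaimTypes.DateOfBirth is a real WS-* URI.
    const string Over21ClaimType = "http://company-b.example/claims/over21";
    const string AccessRightClaimType = "http://company-b.example/claims/accessright";
    const string PartnerRoleClaimType = "http://company-a.example/claims/role";
    static readonly Dictionary<string, string> RoleToRight = new Dictionary<string, string>
        { { "Purchaser", "orders:create" }, { "Auditor", "orders:read" } }; // constructed table
    // Builds the claim set the local STS puts into the token it issues. Only derived, minimal
    // claims are emitted: the date of birth itself is never copied through to the target service.
    public static ClaimSet Transform(ClaimSet partnerClaims, ClaimSet localIssuer, DateTime today)
    {
        List<Claim> local = new List<Claim>();
        foreach (Claim c in partnerClaims.FindClaims(ClaimTypes.DateOfBirth, Rights.PossessProperty))
        {
            DateTime dob; // SAML attribute values arrive as strings; accept only an ISO date
            if (DateTime.TryParseExact(c.Resource as string, "yyyy-MM-dd",
                    CultureInfo.InvariantCulture, DateTimeStyles.None, out dob))
                local.Add(new Claim(Over21ClaimType, IsAtLeast(dob, 21, today), Rights.PossessProperty));
        }
        foreach (Claim c in partnerClaims.FindClaims(PartnerRoleClaimType, Rights.PossessProperty))
        {
            string right; // content transformation: partner role -> local access right
            if (RoleToRight.TryGetValue((c.Resource as string) ?? "", out right))
                local.Add(new Claim(AccessRightClaimType, right, Rights.PossessProperty));
        }
        return new DefaultClaimSet(localIssuer, local);
    }
    // Age check that handles a birthday not yet reached in the current year.
    static bool IsAtLeast(DateTime dob, int years, DateTime today)
    {
        int age = today.Year - dob.Year;
        if (today < dob.AddYears(age)) age--;
        return age >= years;
    }

    static void Main()
    {
        // Constructed input standing in for the claims carried in Company A's token.
        ClaimSet partner = new DefaultClaimSet(new Claim(ClaimTypes.DateOfBirth, "1990-03-15",
            Rights.PossessProperty), new Claim(PartnerRoleClaimType, "Purchaser", Rights.PossessProperty));
        foreach (Claim c in Transform(partner, ClaimSet.System, new DateTime(2008, 3, 1)))
            Console.WriteLine(c.ClaimType + " = " + c.Resource);
    }
}
```

In a real STS the localIssuer argument is the claim set of the STS's own signing certificate, and the partner claim set is only accepted after its Issuer has been checked against the federation's trusted partner certificates.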

40 Identity Metasystem
  Solves many of today’s issues (e.g. phishing)
  Based on interoperable standards
  Many supporting vendors (IBM, Novell, OSIS Community, Pamela, Eclipse project etc.)
  Windows CardSpace
  Client integration into the metasystem
  Identity selector and self-issuing STS
  WCF is metasystem-ready by design
  Full support: ADFS vNext incl. .NET Fx Extensions

41 Open Specification Promise: a perpetual legal promise that Microsoft will never bring legal action against anyone for using the protocols listed. Includes all the protocols underlying CardSpace. Issued September 2006. http://www.microsoft.com/interop/osp

42 Community site, samples, news: http://cardspace.nefx3.com
  MSDN Forum: http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=784&SiteID=1
  MSDN Home Page: http://msdn.microsoft.com/identity
  Blogs: http://identityblog.com, http://blogs.msdn.com/card, http://self-issued.info/, http://identity-des.com/, http://blogs.msdn.com/vbertocci, www.leastprivilege.com

43 Firefox: Bandit DigitalMe Project (Windows, Linux, Apple, Fedora) http://www.bandit-project.org/index.php/DigitalMe
  Firefox, Windows only (Kevin Miller): http://www.codeplex.com/IdentitySelector
  Apple identity selectors: http://www.hccp.org/safari-plug-in.html
  Java identity selectors: xmldap http://xmldap.org/

44 Ruby RP projects: http://rubyforge.org/projects/informationcard/, http://www.codeplex.com/informationcardruby
  Java RP projects: http://www.eclipse.org/org/press-release/20080221_higgins.php, http://sourceforge.net/projects/informationcard/, http://www.codeplex.com/informationcardjava
  C and PHP projects: https://infocard-demo.labs.pingidentity.com/
  Python and PHP projects: http://code.bandit-project.org/trac/wiki/PythonInfoCard, http://code.google.com/p/py-self-issued-rp/, http://www.codeplex.com/InformationCardPHP

45 VeriSign PIP: https://pip.verisignlabs.com/
  Bandit IP Framework: https://cards.bandit-project.org/BanditIdP/index.jsp
  Higgins Frameworks: http://www.eclipse.org/higgins/

46 © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

