Presentation is loading. Please wait.

Presentation is loading. Please wait.

David Chappell Chappell & Associates www.davidchappell.com ARC206.

Published byMaximilian Webb Modified over 8 years ago

Similar presentations

Presentation on theme: "David Chappell Chappell & Associates www.davidchappell.com ARC206."— Presentation transcript:

1

2 David Chappell Chappell & Associates www.davidchappell.com ARC206

3 Agenda Introducing “Geneva” and Claims-Based Identity Using “Geneva”: Scenarios A Closer Look at the “Geneva” Technologies

4

5 What is "Geneva"? Three related technologies: The “Geneva” Server The next release of Active Directory Federation Services (AD FS) CardSpace “Geneva” The next release of CardSpace The “Geneva” Framework The goal of “Geneva” is to help make claims- based identity real

6 What is Identity? An identity is a set of information about some entity, such as a user Most applications work with identity Identity information drives important aspects of an application’s behavior, such as: Determining what a user is allowed to do Controlling how the application interacts with the user

7 Defining the Problem Working with identity is too hard Applications must use different identity technologies in different situations: Active Directory (Kerberos) inside a Windows domain Username/password on the Internet WS-Federation and the Security Assertion Markup Language (SAML) between organizations Why not define one approach that can be used in all of these cases? Claims-based identity allows this It can make life simpler for developers

8 Token Signature Example Claims NameGroupAge Claim 1 Claim 2... Claim n Claim 3 Tokens and Claims Representing identity on the wire A token is a set of bytes that expresses information about an identity This information consists of one or more claims Each claim contains some information about the entity to which this token applies Indicates who created this token and guards against changes

9 Identity Providers and STSs An identity provider is an authority that makes claims about an entity Common identity providers today: On your company’s network: Your employer On the Internet: Most often, you An identity provider implements a security token service (STS) It’s software that issues tokens Requests for tokens are made via WS-Trust Many token formats can be used The SAML format is increasingly popular

10 Identity Provider Account/ Attribute Store Security Token Service (STS) 2) Get information 1) Authenticate and request token 3) Create and return token Token Browser or Client User Getting a Token Illustrating an identity provider and an STS

11 4) Use claims in token Browser or Client User Identity Provider Acquiring and Using a Token 1) Get token Token 2) Submit token Token List of Trusted STSs Application 3) Verify token’s signature and check whether this STS is trusted Identity Library STS

12 Why Claims Are an Improvement In today’s world, an application typically gets only simple identity information Such as a user’s name To get more, the application must query: A remote database, e.g., a directory service A local database With claims-based identity, each application can ask for exactly the claims that it needs The STS puts these in the token it creates

13 How Applications Can Use Claims Some examples A claim can identify a user A claim can convey group or role membership A claim can convey personalization information Such as the user’s display name A claim can grant or deny the right to do something Such as access particular information or invoke specific methods A claim can constrain the right to do something Such as indicating the user’s purchasing limit

14 5) Use claims in token User Application Identity Providers STS Identity Selector 1) Access application and learn token requirements 2) Select an identity that matches those requirements 3) Get token for selected identity Token 4) Submit token Token Supporting Multiple Identities Using an identity selector Identity Library Browser or Client STS

15 5) Use claims in token CardSpace “Geneva” Browser or Client User 4) Submit token Application Identity Providers STS 3) Get token for selected identity STS 2) Select an identity that matches those requirements “Geneva” Server 1) Access application and learn token requirements “Geneva” Framework Token The "Geneva" Technologies

16

17 “Geneva” Server User 2) Access application and learn token requirements Active Directory Domain Services 5) Find claims required by application and create token 3) Select an identity that matches those requirements STS 8) Use claims in token Application “Geneva” Framework CardSpace “Geneva” 6) Receive token Token 7) Submit token Token Using "Geneva" in an Enterprise 1) Login to domain and get Kerberos ticket 4) Present Kerberos ticket and request token for selected identity Browser or Client

18 Internet User 2) Select an identity that matches those requirements “Geneva” Server Active Directory Domain Services 1) Access application and learn token requirements 5) Use claims in token Application “Geneva” Framework CardSpace “Geneva” 3) Get token for selected identity Token 4) Submit token Token Allowing Internet Access STS Browser or Client

19 5) Use claims in token Identity Providers STS Internet Windows Live ID Other User 2) Select an identity that matches those requirements 1) Access application and learn token requirements CardSpace “Geneva” Application “Geneva” Framework 4) Submit token Token 3) Get token for selected identity Token Using an External Identity Provider STS Browser or Client

20 Identity Across Organizations Describing the problem A user in one Windows forest must access an application in another Windows forest A user in a non-Windows world must access an application in a Windows forest (or vice-versa)

21 Identity Across Organizations Possible solutions One option: duplicate accounts Requires separate login, extra administration A better approach: identity federation One organizations accepts identities provided by the other No duplicate accounts Single sign-on for users

22 2) Select an identity that matches those requirements “Geneva” Server Organization X User Active Directory Domain Services Organization Y STS Trusted STSs: -Organization Y -Organization X 1) Access application and learn token requirements CardSpace “Geneva” 5) Use claims in token Application “Geneva” Framework 3) Get token for selected identity Token 4) Submit token Token Identity Federation (1) STS Browser or Client

23 3) Select an identity that matches those requirements “Geneva” Server User Active Directory Domain Services 1) Access application and learn token requirements 2) Access Organization Y STS and learn token requirements Trusted STSs: -Organization X Trusted STSs: -Organization Y STS CardSpace “Geneva” 8) Use claims in token Application “Geneva” Framework 6) Issue token for application Token 7) Submit token Token 5) Request token for application Token for STS Y 4) Get token for Organization Y STS Token for STS Y Identity Federation (2) Organization XOrganization Y STS Browser or Client

24 8) Use claims in token “Geneva” Server User Active Directory Domain Services 3) Access application and learn token requirements 5) Check policy for user, application X, and application Y Application Y “Geneva” Framework 1) Get token for application X Token for X 4) Request token for application Y Token for X 6) If policy allows, issue token for application Y Token for Y 7) Submit token Token for Y 2) Submit token Token for X Delegation STS Browser or Client Application X “Geneva” Framework

25

26 Changes in the "Geneva" Server From AD FS AD FS today supports only passive clients (i.e., browsers) using WS-Federation And it doesn’t provide an STS The “Geneva” Server: Supports both active and passive clients Provides an STS Supports both WS-Federation and the SAML 2.0 protocol Improves management of trust relationships By automating some exchanges

27 CardSpace "Geneva" Selecting identities CardSpace “Geneva” provides a standard user interface for choosing an identity Using the metaphor of cards Choosing a card selects an identity (i.e., a token)

28 Information Cards Behind each card a user sees is an information card It’s an XML file that represents a relationship with an identity provider It contains what’s needed to request a token for a particular identity Information cards don’t contain: Claims for the identity Whatever is required to authenticate to the identity provider’s STS

29 Identity Providers STS Browser or Client CardSpace “Geneva” User Information Card 1 Information Card 3 Information Card 2 Information Card 4 Information Cards An illustration

30 Creating Industry Agreement The Information Card Foundation is a multi- vendor group dedicated to making this technology successful Its board members include Google, Microsoft, Novell, Oracle, and PayPal A Web site can display a standard icon to indicate that it accepts card-based logins:

31 Changes in CardSpace "Geneva" From the first CardSpace release CardSpace “Geneva” is available separately from the.NET Framework It’s smaller and faster CardSpace “Geneva” contains optimizations for applications that users visit repeatedly A Web site can display the card you last used to log in the site The CardSpace “Geneva” screen needn’t appear The self-issued identity provider has been dropped

32 The "Geneva" Framework The goal: Make it easier for developers to create claims-aware applications Originally known as “Zermatt” The “Geneva” Framework provides: Support for verifying a token’s signature and extracting its claims Classes for working with claims Support for creating a custom STS More

33 Conclusions Changing how applications (and people) work with identity is not a small thing Widespread adoption of claims-based identity will take time Yet all of the pieces required to make claims- based identity real on Windows are coming: The “Geneva” Server CardSpace “Geneva” The “Geneva” Framework

34 References Introducing “Geneva”: An Overview of the “Geneva” Server, CardSpace “Geneva”, and the “Geneva” Framework http://download.microsoft.com/download/7/d/0/7d0b5166-6a8a- 418a-addd-95ee9b046994/GenevaBeta1_Whitepaper_Chappell.docx Keith Brown’s “Geneva” Framework White Paper for Developers http://download.microsoft.com/download/7/d/0/7d0b5166-6a8a- 418a-addd- 95ee9b046994/GenevaFrameworkWhitepaperForDevelopers.pdf

35 About the Speaker David Chappell is Principal of Chappell & Associates (www.davidchappell.com) in San Francisco, California. Through his speaking, writing, and consulting, he helps people around the world understand, use, and make better decisions about new technology. David has been the keynote speaker for many events and conferences on five continents, and his seminars have been attended by tens of thousands of IT decision makers, architects, and developers in forty countries. His books have been published in a dozen languages and used regularly in courses at MIT, ETH Zurich, and other universities. In his consulting practice, he has helped clients such as Hewlett-Packard, IBM, Microsoft, Stanford University, and Target Corporation adopt new technologies, market new products, train their sales staffs, and create business plans. Earlier in his career, David wrote networking software, chaired a U.S. national standards working group, and played keyboards with the Peabody-award-winning Children’s Radio Theater. He holds a B.S. in Economics and an M.S. in Computer Science, both from the University of Wisconsin-Madison.

36

37 www.microsoft.com/teched Sessions On-Demand & Community http://microsoft.com/technet Resources for IT Professionals http://microsoft.com/msdn Resources for Developers www.microsoft.com/learning Microsoft Certification & Training Resources Resources Required Slide Speakers, TechEd 2009 is not producing a DVD. Please announce that attendees can access session recordings at TechEd Online. Required Slide Speakers, TechEd 2009 is not producing a DVD. Please announce that attendees can access session recordings at TechEd Online. www.microsoft.com/learning Microsoft Certification and Training Resources

38 Complete an evaluation on CommNet and enter to win! Required Slide

39 © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. Required Slide

Download ppt "David Chappell Chappell & Associates www.davidchappell.com ARC206."

Similar presentations

 Jan Alexander Program Manager Microsoft Corporation BB43.

 Jan Alexander Program Manager Microsoft Corporation BB43.
Adoption Time Single paradigm, mature tools, stable design patterns and frameworks Software developer’s comfort zone Competing paradigms, no tools,

Adoption Time Single paradigm, mature tools, stable design patterns and frameworks Software developer’s comfort zone Competing paradigms, no tools,
 Lynn Ayres Program Manager Identity Services  Tore Sundelin Program Manager Identity Services BB29.

 Lynn Ayres Program Manager Identity Services  Tore Sundelin Program Manager Identity Services BB29.
Vittorio Bertocci Sr. Architect Evangelist Microsoft Corporation ARC204.

Vittorio Bertocci Sr. Architect Evangelist Microsoft Corporation ARC204.
Identity for.NET Applications: A Technology Overview David Chappell Chappell & Associates www.davidchappell.com.

Identity for.NET Applications: A Technology Overview David Chappell Chappell & Associates
 Kim Cameron Distinguished Engineer Microsoft Corporation BB11.

 Kim Cameron Distinguished Engineer Microsoft Corporation BB11.
David Chappell Chappell & Associates www.davidchappell.com Workflow in Windows SharePoint: Technology for Web 2.0? Copyright © 2007 David Chappell.

David Chappell Chappell & Associates Workflow in Windows SharePoint: Technology for Web 2.0? Copyright © 2007 David Chappell.
David Chappell Chappell & Associates www.davidchappell.com.

David Chappell Chappell & Associates
Feature: Web Client Keyboard Shortcuts © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are.

Feature: Web Client Keyboard Shortcuts © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are.
Dan Parish Program Manager Microsoft OFC305 Excel Services Microsoft Office Excel 2007 Thin Rendering in Browser View and interact Custom Applications.

Dan Parish Program Manager Microsoft OFC305 Excel Services Microsoft Office Excel 2007 Thin Rendering in Browser View and interact Custom Applications.
 Pablo Castro Software Architect Microsoft Corporation TL08.

 Pablo Castro Software Architect Microsoft Corporation TL08.
Session 1.

Session 1.
Платформа 2010 Understanding the SharePoint 2010 Developer Platform An Introduction for ASP.NET Solution Architects Chappell.

Платформа 2010 Understanding the SharePoint 2010 Developer Platform An Introduction for ASP.NET Solution Architects Chappell.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Dan Parish Program Manager Microsoft Session Code: OFC 304.

Dan Parish Program Manager Microsoft Session Code: OFC 304.
David Chappell Chappell & Associates www.davidchappell.com ARC205.

David Chappell Chappell & Associates ARC205.
Identity & Access Control in the Cloud Name Title Organization.

Identity & Access Control in the Cloud Name Title Organization.
Bhushan NeneGrzegorz Gogolowicz Principal ArchitectSenior ArchitectMicrosoft Session Code: DEV304.

Bhushan NeneGrzegorz Gogolowicz Principal ArchitectSenior ArchitectMicrosoft Session Code: DEV304.
Keith Brown Cofounder pluralsight.com SIA312 Outline What is identity? Challenges Federated identity How it works from a 10,000 foot view Terminology.

Keith Brown Cofounder pluralsight.com SIA312 Outline What is identity? Challenges Federated identity How it works from a 10,000 foot view Terminology.
Office 365: Identity and Access Solutions Suresh Menon Technology Specialist – Office 365 Microsoft Corporation India.

Office 365: Identity and Access Solutions Suresh Menon Technology Specialist – Office 365 Microsoft Corporation India.

Similar presentations

Ads by Google