Presentation is loading. Please wait.

Presentation is loading. Please wait.

Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009.

Published byMadeline Daniel Modified over 9 years ago

Similar presentations

Presentation on theme: "Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009."— Presentation transcript:

1 Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009

2 Agenda Introducing Claims-Based Identity Using Claims-Based Identity: Scenarios Microsoft Technologies for Claims-Based Identity: A Closer Look

3 Introducing Claims-Based Identity

4 Claims-Based Identity The core Microsoft technologies Active Directory Federation Services (AD FS) 2.0 The next release of AD FS CardSpace 2.0 The next release of CardSpace Windows Identity Foundation (WIF) 1.0 Pronounced “Dub-I-F” These three technologies were previously code- named “Geneva”

5 What is Identity? An identity is a set of information about some entity, such as a user Most applications work with identity Identity information drives important aspects of an application’s behavior, such as: Determining what a user is allowed to do Controlling how the application interacts with the user

6 Defining the Problem Working with identity is too hard Applications must use different identity technologies in different situations: Active Directory (Kerberos) inside a Windows domain Username/password on the Internet WS-Federation and the Security Assertion Markup Language (SAML) between organizations Why not define one approach that applications can use in all of these cases? Claims-based identity allows this It can make life simpler for developers

7 Token Signature Example Claims NameGroupAge Claim 1 Claim 2... Claim n Claim 3 Tokens and Claims Representing identity on the wire A token is a set of bytes that expresses information about an identity This information consists of one or more claims Each claim contains some information about the entity to which this token applies Indicates who created this token and guards against changes

8 Identity Providers and STSs An identity provider (or issuer) is an authority that makes claims about an entity Common identity providers today: On your company’s network: Your employer On the Internet: Most often, you An identity provider implements a security token service (STS) It’s software that issues tokens Requests for tokens are made via WS-Trust Many token formats can be used The SAML format is popular

9 Identity Provider Account/ Attribute Store Security Token Service (STS) 2) Get information 1) Authenticate user and request token 3) Create and return token Token Browser or Client User Getting a Token Illustrating an identity provider and an STS

10 4) Use claims in token Browser or Client User Identity Provider Acquiring and Using a Token 1) Authenticate user and get token Token 2) Submit token Token List of Trusted STSs Application 3) Verify token’s signature and check whether this STS is trusted Identity Library STS

11 Why Claims Are an Improvement In today’s world, an application typically gets only simple identity information Such as a user’s name To get more, the application must query: A remote database, e.g., a directory service A local database With claims-based identity, each application can ask for exactly the claims that it needs The STS puts these in the token it creates

12 How Applications Can Use Claims Some examples A claim can identify a user A claim can convey group or role membership A claim can convey personalization information Such as the user’s display name A claim can grant or deny the right to do something Such as access particular information or invoke specific methods A claim can constrain the right to do something Such as indicating the user’s purchasing limit

13 5) Use claims in token User Application Identity Providers STS Identity Selector 1) Access application and learn token requirements 2) Select an identity that matches those requirements 3) Authenticate user and get token for selected identity Token 4) Submit token Token Supporting Multiple Identities Using an identity selector Identity Library Browser or Client STS

14 5) Use claims in token User Application STS CardSpace 2.0 1) Access application and learn token requirements 2) Select an identity that matches those requirements 3) Authenticate user and get token for selected identity Token 4) Submit token Token Claims-Based Identity for Windows Windows Identity Foundation Browser or Client STS AD FS 2.0 Identity Providers

15 Using Claims-Based Identity: Scenarios

16 AD FS 2.0 User 2) Access application and learn token requirements Active Directory Domain Services 5) Find claims required by application and create token 3) Select an identity that matches those requirements STS 8) Use claims in token Application WIF CardSpace 2.0 6) Receive token Token 7) Submit token Token An Enterprise Scenario 1) Login to domain and get Kerberos ticket 4) Present Kerberos ticket and request token for selected identity Browser or Client

17 Internet User 2) Select an identity that matches those requirements AD FS 2.0 Active Directory Domain Services 1) Access application and learn token requirements 5) Use claims in token Application WIF CardSpace 2.0 3) Authenticate user and get token for selected identity Token 4) Submit token Allowing Internet Access STS Browser or Client

18 5) Use claims in token Identity Providers STS Internet Windows Live ID Other User 2) Select an identity that matches those requirements 1) Access application and learn token requirements CardSpace 2.0 Application WIF 4) Submit token Token 3) Authenticate user and get token for selected identity Token Using an External Identity Provider STS Browser or Client

19 Identity Across Organizations Describing the problem A user in one Windows forest must access an application in another Windows forest A user in a non-Windows world must access an application in a Windows forest (or vice-versa)

20 Identity Across Organizations Possible solutions One option: duplicate accounts – Requires separate login, extra administration A better approach: identity federation – One organizations accepts identities provided by the other No duplicate accounts Single sign-on for users

21 2) Select an identity that matches those requirements AD FS 2.0 Organization X User Active Directory Domain Services Organization Y STS Trusted STSs: -Organization Y -Organization X 1) Access application and learn token requirements CardSpace 2.0 5) Use claims in token Application WIF 3) Get token for selected identity Token 4) Submit token Token Identity Federation (1) STS Browser or Client

22 3) Select an identity that matches those requirements AD FS 2.0 User Active Directory Domain Services 1) Access application and learn token requirements 2) Access Organization Y STS and learn token requirements Trusted STSs: -Organization X Trusted STSs: -Organization Y STS CardSpace 2.0 8) Use claims in token Application WIF 6) Issue token for application Token 7) Submit token Token 5) Request token for application Token for STS Y 4) Get token for Organization Y STS Token for STS Y Identity Federation (2) Organization XOrganization Y STS Browser or Client

23 8) Use claims in token AD FS 2.0 User Active Directory Domain Services 3) Access application and learn token requirements 5) Check policy for user, application X, and application Y Application Y WIF 1) Get token for application X Token for X 4) Request token for application Y Token for X 6) If policy allows, issue token for application Y Token for Y 7) Submit token Token for Y 2) Submit token Token for X Delegation STS Browser or Client Application X WIF

24 Microsoft Technologies for Claims- Based Identity: A Closer Look

25 Changes in AD FS 2.0 From the previous release AD FS 1.1 supports only passive clients (i.e., browsers) using WS-Federation And it doesn’t provide an STS AD FS 2.0: Supports both active and passive clients Provides an STS Supports both WS-Federation and the SAML 2.0 protocol Improves management of trust relationships By automating some exchanges

26 CardSpace 2.0 Selecting identities CardSpace” provides a standard user interface for choosing an identity Using the metaphor of cards Choosing a card selects an identity (i.e., a token)

27 Information Cards Behind each card a user sees is an information card It’s an XML file that represents a relationship with an identity provider It contains what’s needed to request a token for a particular identity Information cards don’t contain: Claims for the identity Whatever is required to authenticate to the identity provider’s STS

28 Identity Providers STS Browser or Client CardSpace 2.0 User Information Card 1 Information Card 3 Information Card 2 Information Card 4 Information Cards An illustration

29 Creating Industry Agreement The Information Card Foundation is a multi-vendor group dedicated to making this technology successful Its board members include Google, Microsoft, Novell, Oracle, and PayPal A Web site can display a standard icon to indicate that it accepts card-based logins:

30 Changes in CardSpace 2.0 From the first CardSpace release CardSpace 2.0 is available separately from the.NET Framework It’s smaller and faster CardSpace 2.0 contains optimizations for applications that users visit repeatedly A Web site can display the card you last used to log in the site The CardSpace screen needn’t appear Cards can be set using Group Policy The self-issued identity provider has been dropped

31 Windows Identity Foundation The goal: Make it easier for developers to create claims-aware applications WIF provides: Support for verifying a token’s signature and extracting its claims Classes for working with claims Support for creating a custom STS Visual Studio project types An STS for development and testing More

32 Conclusions Changing how applications (and people) work with identity is not a small thing Widespread adoption of claims-based identity will take time Yet all of the pieces required to make claims-based identity real on Windows are here: AD FS 2.0 CardSpace 2.0 Windows Identity Framework

Download ppt "Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009."

Similar presentations

Active Directory Federation Services How does it really work?

Active Directory Federation Services How does it really work?
 Jan Alexander Program Manager Microsoft Corporation BB43.

 Jan Alexander Program Manager Microsoft Corporation BB43.
Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.

Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
Eunice Mondésir Pierre Weill-Tessier 1 Federated Identity with Ping Federate Project Supervisor: M. Maknavicius-Laurent ASR Coordinator: G. Bernard ASR.

Eunice Mondésir Pierre Weill-Tessier 1 Federated Identity with Ping Federate Project Supervisor: M. Maknavicius-Laurent ASR Coordinator: G. Bernard ASR.
Implementing and Administering AD FS

Implementing and Administering AD FS
Infocard and Eduroam Enrique de la Hoz, Diego R. L ó pez, Antonio Garc í a, Samuel Mu ñ oz.

Infocard and Eduroam Enrique de la Hoz, Diego R. L ó pez, Antonio Garc í a, Samuel Mu ñ oz.
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
1 Higgins 1: a species of Tasmanian long-tailed mouse 2: the name of an open source collaboration of IBM, Novell, Oracle, Parity…

1 Higgins 1: a species of Tasmanian long-tailed mouse 2: the name of an open source collaboration of IBM, Novell, Oracle, Parity…
© 2009 The MITRE Corporation. All rights Reserved. April 28, 2009 MITRE Public Release Statement Case Number 09-017 Norman F. Brickman, Roger.

© 2009 The MITRE Corporation. All rights Reserved. April 28, 2009 MITRE Public Release Statement Case Number Norman F. Brickman, Roger.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Vittorio Bertocci Sr. Architect Evangelist Microsoft Corporation ARC204.

Vittorio Bertocci Sr. Architect Evangelist Microsoft Corporation ARC204.
Identity for.NET Applications: A Technology Overview David Chappell Chappell & Associates www.davidchappell.com.

Identity for.NET Applications: A Technology Overview David Chappell Chappell & Associates
Jax ArcSig 3/22/2011 Keith Tingle. About Me Keith Tingle Lender Processing Services

Jax ArcSig 3/22/2011 Keith Tingle. About Me Keith Tingle Lender Processing Services
Problem Statement AD DB App1 DB App2 AD App4 App6 AD App5 Intranet Extranet Cloud AD App3 DB SSO Separate Sign-in Separate Sign-in Separate Sign-in.

Problem Statement AD DB App1 DB App2 AD App4 App6 AD App5 Intranet Extranet Cloud AD App3 DB SSO Separate Sign-in Separate Sign-in Separate Sign-in.
GRDevDay March 21, 2015 Cloud-based Identity for Applications.

GRDevDay March 21, 2015 Cloud-based Identity for Applications.
Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,

Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,
A claims-based Identity Metasystem

A claims-based Identity Metasystem

Similar presentations

Ads by Google