Docstoc

Slides

Document Sample
Slides Powered By Docstoc
					  InfoCard and the
Identity Metasystem

     Kim Cameron,
Chief Architect of Identity
        Microsoft
Threats to Online Safety
 The Internet was built without a way to
 know who and what you are connecting to
  Internet services have one-off “workarounds”
  Inadvertently taught people to be phished
 Greater use and greater value attract
 professional international criminal fringe
  Exploit weaknesses in patchwork
  Phishing and pharming at 1000% CAGR
 Missing an “Identity layer”
  No simplistic solution is realistic
What is a Digital Identity?

Set of claims one
subject makes about
another
Many identities for
many uses
Required for
transactions in real
world and online
Model on which all
modern access
technology is based
Lessons from Passport
 Passport designed to solve two
 problems
  Identity provider for MSN
    300M+ users, 1 billion logons per day
  Identity provider for the Internet
    Unsuccessful
 Learning: solution must be
 different than Passport
“The Laws of Identity”

1.   User control and consent
2.   Minimal disclosure for a defined use
3.   Justifiable parties
4.   Directional identity
5.   Pluralism of operators and technologies
6.   Human integration
7.   Consistent experience across contexts
Join the discussion at www.identityblog.com
Identity Metasystem
 We need a unifying “Identity metasystem”
  Protect applications from identity complexities
  Allow digital identity to be loosely coupled:
  multiple operators, technologies, and
  implementations
 Not first time we’ve seen this in computing
  Emergence of TCP/IP unified Ethernet, Token
  Ring, Frame Relay, X.25, even the not-yet-
  invented wireless protocols
Metasystem Players

                                 Identity Providers
                                    Issue identities




Relying Parties
Require identities

                         Subjects
                     Individuals and other
                      entities about whom
                       claims are made
Empowers the User…
                            Applications
                               Existing & New
      Technologies
     X509, Kerberos, SAML
                                                Governments



     Devices
  PCs, Mobile, Phone
                                  You               Organizations



                 Individuals                  Private
                Work & Consumer             Businesses
InfoCard Overview
 Simple user abstraction for digital identity
  For managing collections of claims
  For managing keys for sign-in and other uses
 Grounded in real-world metaphor of physical
 cards
  Government ID card, driver’s license, credit card,
  membership card, etc…
  Self-issued cards signed by user
  Managed cards signed by external authority
 Shipping in WinFX
  Runs on Windows Vista, XP, and Server 2003
 Implemented as protected subsystem
Implementation Properties
 Cards represent references to identity providers
  Cards have:
    Address of identity provider
    Names of claims
    Required credential
  Not claim values
 InfoCard data not visible to applications
  Stored in files encrypted under system key
  User interface runs on separate desktop
 Simple self-issued identity provider
  Stores name, address, email, telephone, age, gender
  No high value information
  User must opt-in
Protected Subsystem
  Prevent disclosure of personal data and keys to
  malicious code on the client
    System service running at elevated privilege
    Encrypted storage accessible only by system service
    User session agent process on separate desktop
    System managed user secret displayed in UI
    User interaction required to release PII
  “InfoCard” User
Experience Preview
An Identity Metasystem
Architecture
 Microsoft worked with industry to develop
 protocols that enable an identity
 metasystem: WS-* Web Services
  Encapsulating protocol and claims
  transformation: WS-Trust
  Negotiation: WS-MetadataExchange and WS-
  SecurityPolicy
 Only technology we know of specifically
 designed to satisfy requirements of an
 identity metasystem
Basic Protocol Flow
 Browser w/ InfoCard        1 HTTP(S)/GET (Protected Page) 
                                                                             Web Site
                                 Redirect to Login Page
                             6 2HTTP(s) / GET WITH COOKIE 
                                 HTTPS/GET (Login Page) 
                                      (HTML) w/ InfoCard Tags
                            Login PageHTML Content

                                   5
                                       HTTP(S)/POST Token to Target Page 
                                        Cookie + Browser Redirect    Web Site Front End
     3

  InfoCard lights up
  User selects card
                       4
    Get token via                                                            Relying Party
 WS-MetadataExchange
    and WS-Trust




             Security Token Server (STS)



      Identity Provider (Managed or Self-Issued)
Browser Integration
Design Goals
 Minimal impact on web site front end
 Support from multiple browsers
 Fail gracefully if not supported – no
 negative impact on user experience for
 browsers that do not support integration
Incremental Addition of
InfoCard
                              Web Farm
        HTTP
        Server           HTTP                              HTTP
                         Server          HTTP              Server
                                         Server



Forms                               Cookie                             InfoCard
Based
                                                                         Login
Login
                  Cookie                          Cookie



        Authentication                                Authentication
                                   User
 OBJECT Tag
<html>
  <head>
    <title>Welcome to Fabrikam</title>
  </head>
  <body>
    <img src='fabrikam.jpg'/>
    <form name="ctl00" id="ctl00" method="post"
        action="https://www.fabrikam.com/InfoCard-Browser/Main.aspx">
      <center>
        <img src='infocard.bmp' onClick='ctl00.submit()'/>
        <input type="submit" name="InfoCardSignin" value="Log in"
          id="InfoCardSignin" />
      </center>
      <OBJECT type="application/x-informationCard" name="xmlToken">
        <PARAM Name="tokenType" Value="urn:oasis:names:tc:SAML:1.0:assertion">
        <PARAM Name="issuer" Value=
            "urn:schemas-microsoft-com:ws:2005:05:identity:issuer:self">
        <PARAM Name="requiredClaims" Value=
    "http://schemas.microsoft.com/ws/2005/05/identity/claims/emailaddress
     http://schemas.microsoft.com/ws/2005/05/identity/claims/givenname
     http://schemas.microsoft.com/ws/2005/05/identity/claims/surname">
      </OBJECT>
    </form>
  </body>
</html>
Ubiquitous Implementation a
Key Goal
 Fully interoperable via published protocols
  With other identity selector implementations
  With other relying party implementations
  With other identity provider implementations
 Detailed implementation guide available
 The industry has created an Open Source
 Identity Selector Consortium animated by
 Verisign, Red Hat, Novell, IBM, and others
  Microsoft provides technical assistance
Components Microsoft is
Building
 “InfoCard” identity selector
   Component of WinFX, usable by any application
   Hardened against tampering, spoofing
 “InfoCard” simple self-issued identity provider
   Self-issued identity for individuals running on PCs
   Uses strong public key-based authentication – user does not
   disclose passwords to relying parties
 Active Directory managed identity provider
   Plug Active Directory users into the metasystem
   Full set of policy controls to manage use of simple identities and
   Active Directory identities
 Windows Communication Foundation for building
 distributed applications and implementing relying party
 services
For More Information
 Whitepapers
  Microsoft’s Vision for an Identity Metasystem
  The Laws of Identity
 Documentation
  InfoCard implementer’s guides
  InfoCard browser integration guide
 Code and samples
  Federated Identity and Access Resource Kit
  WinFX runtime
 Links from:
   http://www.identityblog.com
   http://msdn.microsoft.com/winfx/
   reference/infocard/
(Backup Slides)
WS-* Metasystem Architecture
 ID Provider     Relying Party     ID Provider    Relying Party


  Kerberos          SAML               x509             …


  Security                            Security
   Token       WS-SecurityPolicy       Token     WS-SecurityPolicy
  Service                             Service

                WS-Trust, WS-MetadataExchange


                        Identity Selector



                            Subject
  Flow with Relying Party STS
Browser w/ InfoCard        1 HTTP(S)/GET (Protected Page) 
                                                                                Web Site
                                 Redirect to Login Page
                            2    HTTPS/GET (Login Page) 
                          Login Page (HTML) w/ InfoCard Tags

                                      7
                                          HTTP(S)/POST Token to Target Page 
                                           Cookie + Browser Redirect    Web Site Front End
                                  3
   4

InfoCard lights up
User selects card                         6
                     5
   Get token via
WS-MetadataExchange
   and WS-Trust
                                                                          Security Token Server (STS)


           Security Token Server (STS)
                                                                                    Relying Party


    Identity Provider (Managed or Self-Issued)

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:3
posted:11/6/2011
language:English
pages:23