template draft v3 06.04.2005

Document Sample
template draft v3 06.04.2005 Powered By Docstoc
					Welcome to this TechNet Event
 Evaluations are now on-line – see reminder e-mail for URL

 “Pick your Own Collateral”

 Special offers for TechNet Plus Subscribers

 Register for BETAs at: www.microsoft.com/uk/betacentral

 Beer and Pizza no more! 

 No Planned Fire Drills

 Please turn your Mobile Phones off
Advances in Digital
Identity                         Kim Cameron,
                      Chief Architect of Identity
                                       Microsoft
Threats to Online Safety

  The Internet was built without a way to know who and
  what you are connecting to
    – Internet services have one-off “workarounds”
    – Inadvertently taught people to be phished
  Greater use and greater value attract professional
  international criminal fringe
    – Exploit weaknesses in patchwork
    – Phishing and pharming at 1000% CAGR
  Missing an “Identity layer”
    – No simplistic solution is realistic
What is a Digital Identity?


  Set of claims one subject
  makes about another
  Many identities for many uses
  Required for transactions in
  real world and online
  Model on which all modern
  access technology is based
Lessons from Passport

  Passport designed to solve two problems
    – Identity provider for MSN
          – 300M+ users, 1 billion logons per day
    – Identity provider for the Internet
          – Unsuccessful
  Learning: solution must be different than
  Passport
“The Laws of Identity”

 1.   User control and consent

 2.   Minimal disclosure for a defined use

 3.   Justifiable parties

 4.   Directional identity

 5.   Pluralism of operators and technologies

 6.   Human integration

 7.   Consistent experience across contexts
 Join the discussion at www.identityblog.com
Identity Metasystem

  We need a unifying “Identity metasystem”
    – Protect applications from identity complexities
    – Allow digital identity to be loosely coupled: multiple operators,
      technologies, and implementations
  Not first time we’ve seen this in computing
    – Emergence of TCP/IP unified Ethernet, Token Ring, Frame
      Relay, X.25, even the not-yet-invented wireless protocols
Metasystem Players


                                  Identity Providers
                                     Issue identities



Relying Parties
 Require identities

                          Subjects
                      Individuals and other
                       entities about whom
                        claims are made
Empowers the User…


                                Applications
                                  Existing & New
        Technologies
       X509, Kerberos, SAML
                                                   Governments



       Devices
    PCs, Mobile, Phone
                                     You               Organizations



                    Individuals                  Private
                   Work & Consumer             Businesses
 “InfoCard” User
Experience Preview
InfoCard Overview

  Simple user abstraction for digital identity
    – For managing collections of claims
    – For managing keys for sign-in and other uses
  Grounded in real-world metaphor of physical cards
    – Government ID card, driver’s license, credit card, membership card,
      etc…
    – Self-issued cards signed by user
    – Managed cards signed by external authority
  Shipping in WinFX
    – Runs on Windows Vista, XP, and Server 2003
  Implemented as protected subsystem
Implementation Properties

  Cards represent references to identity providers
     – Cards have:
           – Address of identity provider
           – Names of claims
           – Required credential
     – Not claim values
  InfoCard data not visible to applications
     – Stored in files encrypted under system key
     – User interface runs on separate desktop
  Simple self-issued identity provider
     – Stores name, address, email, telephone, age, gender
     – No high value information
     – User must opt-in
Protected Subsystem

       Prevent disclosure of personal data and keys to malicious code on
       the client
   –      System service running at elevated privilege
   –      Encrypted storage accessible only by system service
   –      User session agent process on separate desktop
   –      System managed user secret displayed in UI
   –      User interaction required to release PII
An Identity Metasystem Architecture


 Microsoft worked with industry to develop protocols that
 enable an identity metasystem: WS-* Web Services
    – Encapsulating protocol and claims transformation: WS-Trust
    – Negotiation: WS-MetadataExchange and WS-SecurityPolicy
 Only technology we know of specifically designed to
 satisfy requirements of an identity metasystem
Basic Protocol Flow
  Browser w/ InfoCard        1 HTTP(S)/GET (Protected Page) 
                                                                              Web Site
                                  Redirect to Login Page
                              6 2HTTP(s) / GET WITH COOKIE 
                                  HTTPS/GET (Login Page) 
                             Login PageHTML Content
                                       (HTML) w/ InfoCard Tags

                                    5
                                        HTTP(S)/POST Token to Target Page 
                                         Cookie + Browser Redirect    Web Site Front End
      3

   InfoCard lights up
   User selects card
                        4
     Get token via                                                            Relying Party
  WS-MetadataExchange
     and WS-Trust




              Security Token Server (STS)



       Identity Provider (Managed or Self-Issued)
 “InfoCard” User
Experience Preview
Browser Integration
Design Goals


  Minimal impact on web site front end
  Support from multiple browsers
  Fail gracefully if not supported – no negative impact on
  user experience for browsers that do not support
  integration
Incremental Addition of InfoCard

                               Web Farm
         HTTP
         Server           HTTP                              HTTP
                          Server          HTTP              Server
                                          Server



 Forms                               Cookie                             InfoCard
 Based
                                                                          Login
 Login
                   Cookie                          Cookie



         Authentication                                Authentication
                                    User
 OBJECT Tag
<html>
  <head>
    <title>Welcome to Fabrikam</title>
  </head>
  <body>
    <img src='fabrikam.jpg'/>
    <form name="ctl00" id="ctl00" method="post"
        action="https://www.fabrikam.com/InfoCard-Browser/Main.aspx">
      <center>
        <img src='infocard.bmp' onClick='ctl00.submit()'/>
        <input type="submit" name="InfoCardSignin" value="Log in"
          id="InfoCardSignin" />
      </center>
      <OBJECT type="application/x-informationCard" name="xmlToken">
        <PARAM Name="tokenType" Value="urn:oasis:names:tc:SAML:1.0:assertion">
        <PARAM Name="issuer" Value=
            "urn:schemas-microsoft-com:ws:2005:05:identity:issuer:self">
        <PARAM Name="requiredClaims" Value=
    "http://schemas.microsoft.com/ws/2005/05/identity/claims/emailaddress
     http://schemas.microsoft.com/ws/2005/05/identity/claims/givenname
     http://schemas.microsoft.com/ws/2005/05/identity/claims/surname">
      </OBJECT>
    </form>
  </body>
</html>
Ubiquitous Implementation a Key Goal


 Fully interoperable via published protocols
   – With other identity selector implementations
   – With other relying party implementations
   – With other identity provider implementations
 Detailed implementation guide available
 The industry has created an Open Source Identity
 Selector Consortium animated by Verisign, Red Hat,
 Novell, IBM, and others
   – Microsoft provides technical assistance
Components Microsoft is Building


 “InfoCard” identity selector
     – Component of WinFX, usable by any application
     – Hardened against tampering, spoofing
 “InfoCard” simple self-issued identity provider
     – Self-issued identity for individuals running on PCs
     – Uses strong public key-based authentication – user does not disclose
       passwords to relying parties
 Active Directory managed identity provider
    – Plug Active Directory users into the metasystem
    – Full set of policy controls to manage use of simple identities and Active
       Directory identities
 Windows Communication Foundation for building distributed applications
 and implementing relying party services
For More Information
  Whitepapers
    – Microsoft’s Vision for an Identity Metasystem
    – The Laws of Identity
  Documentation
    – InfoCard implementer’s guides
    – InfoCard browser integration guide
  Code and samples
    – Federated Identity and Access Resource Kit
    – WinFX runtime
  Links from:
     – http://www.identityblog.com
     – http://msdn.microsoft.com/winfx/
       reference/infocard/
(Backup Slides)
WS-* Metasystem Architecture

    ID Provider     Relying Party         ID Provider    Relying Party


     Kerberos          SAML                  x509              …


     Security                              Security
      Token       WS-SecurityPolicy         Token       WS-SecurityPolicy
     Service                               Service

                   WS-Trust, WS-MetadataExchange


                           Identity Selector


                                Subject
  Flow with Relying Party STS
Browser w/ InfoCard        1 HTTP(S)/GET (Protected Page) 
                                                                                Web Site
                                 Redirect to Login Page
                            2
                                 HTTPS/GET (Login Page) 
                          Login Page (HTML) w/ InfoCard Tags

                                      7
                                          HTTP(S)/POST Token to Target Page 
                                           Cookie + Browser Redirect    Web Site Front End
                                  3
   4

InfoCard lights up
User selects card                         6
                     5
   Get token via
WS-MetadataExchange
   and WS-Trust
                                                                          Security Token Server (STS)


           Security Token Server (STS)
                                                                                    Relying Party


    Identity Provider (Managed or Self-Issued)

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:4
posted:3/17/2012
language:
pages:25