View
274
Download
0
Category
Preview:
DESCRIPTION
InfoCard can bring a new level of security to authenticating users to your site. In this session, take a deep developer look at how this can be achieved. A traditional forms-based authentication implementation is converted to use InfoCard, along with explanations of the Web services, protocols, and security considerations that one needs to understand.Watch a video at http://www.bestechvideos.com/2009/03/23/mix06-from-username-and-password-to-infocard
Citation preview
From Username & Password
to "InfoCard"
Richard Turner
"InfoCard" Product Manager
Microsoft Corporation
Garrett Serack
Program Manager
Microsoft Corporation
Agenda
Internet Identity Crisis
"InfoCard" Overview
Implementation
The Identity Metasystem
Getting "InfoCard"
Suppliers & Partners
Businesses
Employees
Friends & Family
Consumers
Who Are You?
The Internet Identity Crisis
Phishing & Phraud
Password fatigue
Inconsistent, proprietary identification mechanisms
Lack of Identity Online
Phishing & Phraud
New Phishing Sites by Month
December 2004 – December 2005
Dec
04
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec
05
7,197
4,6304,367
5,2425,2594,564
4,280
3,3262,8542,870
2,6252,560
1,707
Source: http://www.antiphishing.org
Password Fatigue
"InfoCard"
Consistent user experience
Helps eliminate unames and passwords
Helps protect users from many forms of phishing & phraud attack
Support for two-factor authentication
Easier Safer
Built on WS-* Web Services Protocols
"InfoCard" cards
Stored locally
Assertions about me
Not corroborated
Provided by banks, government, clubs, etc
Stored at STS
Metadata only
Richard’s Card Woodgrove Bank
Private Desktop
Runs under separate desktop and restricted account
Isolates "InfoCard" from Windows desktop
Deters hacking attempts by user-mode processes
Contoso Car Rental
Participants
Relying Party (website)Identity Provider
User
Login with Self Issued Card
Relying Party (website)
User
Login
Select Self Issued Card
Relying Party (website)
User
Create Token from Card
Relying Party (website)
User
Sign, Encrypt & Send Token
Relying Party (website)
User
Login with Managed Card
Relying Party (website)Identity Provider
User
Login
Select Managed Card
Relying Party (website)Identity Provider
User
Request Security Token
Relying Party (website)Identity Provider
User
Auth’:
X509, Kerb,
SIC, U/PWD
…
Create Token from Card
Relying Party (website)Identity Provider
User
Sign, Encrypt & Send Token
Relying Party (website)Identity Provider
User
The Identity Metasystem
Identity layer for the Internet
Open, inclusive, standards-based model
Built upon “The Laws of Identity”
"InfoCard" is a client agent within the IDMS
Building A Relying Party
Integrating with “InfoCard”
Four key tasks:
1. Update the database
2. Create an association page
3. Update the sign in page
4. Update the registration page
1. Associate a user with a card
CREATE PROCEDURE aspnet_infocard_associate (@UserId nvarchar(256), @card nvarchar(50) ) AS ...
CREATE PROCEDURE aspnet_infocard_lookup (@card nvarchar(50) ) AS ...
2a. Create an association page
<!-- ... --><button onclick="javascript:return infocardlogin.submit();">
Update account with your Information Card</button>
<form name="infocardlogin" target="_self" method="post"><object type="application/x-informationcard" name="xmlToken"><param name="tokenType"
value="urn:oasis:names:tc:SAML:1.0:assertion"><param name="issuer“
value="http://schemas..../identity/issuer/self"><param name="requiredClaims"
value="http://.../claims/givenname,http://.../claims/surname,http://../claims/emailaddress,http://.../claims/privatepersonalidentifier">
</object></form>
<!-- ... -->
2b. Create an association page
public partial class Associate_aspx : System.Web.UI.Page{
protected void Page_Load(object sender, EventArgs e){
// check if an xmlToken is postedstring xmlToken = Request["xmlToken"];if (xmlToken != null) {
TokenHelper tokenHelper = new TokenHelper(xmlToken);// get the unique idstring uniqueID = tokenHelper.getUniqueID();if (uniqueID != null && uniqueID != ""){
//store it with the account.MembershipUser user = Membership.GetUser();MembershipHelper.AssociateUser(
user.UserName, uniqueID );}
}}
}
3a. Update the sign in page
<!-- ... --><button onclick="javascript:return infocardlogin.submit();">
Sign in with your Information Card</button>
<form name="infocardlogin" target="_self" method="post"><object type="application/x-informationcard" name="xmlToken"><param name="tokenType"
value="urn:oasis:names:tc:SAML:1.0:assertion"><param name="issuer“
value="http://schemas..../identity/issuer/self"><param name="requiredClaims"
value="http://.../claims/givenname,http://.../claims/surname,http://../claims/emailaddress,http://.../claims/privatepersonalidentifier">
</object></form>
<!-- ... -->
3b. Update the sign in page
public partial class Login_aspx : System.Web.UI.Page{protected void Page_Load(object sender, EventArgs e){
string xmlToken = Request["xmlToken"];
TokenHelper tokenHelper = new TokenHelper(xmlToken);
// Lookup the account using the uniqueIdstring username = MembershipHelper.GetUser(
tokenHelper.getUniqueID());if (username != null) {MembershipUser user = Membership.GetUser(username);
// give the cookie back to the browser.FormsAuthentication.SetLoginCookie(user.UserName, false);
}}
}
4a. Update the registration page
<!-- ... --><button onclick="javascript:return infocardlogin.submit();">
Register with your Information Card</button>
<form name="infocardlogin" target="_self" method="post"><object type="application/x-informationcard" name="xmlToken"><param name="tokenType"
value="urn:oasis:names:tc:SAML:1.0:assertion"><param name="issuer“
value="http://schemas..../identity/issuer/self"><param name="requiredClaims"
value="http://.../claims/givenname,http://.../claims/surname,http://../claims/emailaddress,http://.../claims/privatepersonalidentifier">
</object></form>
<!-- ... -->
4b. Update the registration page
// ...
string xmlToken = Request["xmlToken"];TokenHelper tokenHelper = new TokenHelper(xmlToken);
string uniqueId = tokenHelper.getUniqueID();string emailAddress = tokenHelper.GetClaim(
“http://schemas.../emailaddress”);string username = tokenHelper.GetClaim(
“http://schemas.../givenname”);
if (username != null) {MembershipUser user = CreateUser( name , emailAddress ,... );MembershipHelper.AssociateUser( user.UserName, uniqueID );
}
// ...
Summary
WinFX: .NET to the core
Getting WinFX & "InfoCard"
Built in to Windows Vista
Also available for Windows XP & Windows Server 2003
CTPs available today
Beta 2 coming
RTM 2nd half 2006
Q2 Q3 Q1
2006
Q2Q4Q1
2005
Q3 Q4
B1 CTPV1
RTM
"InfoCard" Summary
Labs available in the MIX Sandbox!
Consistent authentication for digital identities
Reduces chances of being phished
Adopting takes little developer effort
© 2006 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Recommended