View
784
Download
0
Category
Tags:
Preview:
DESCRIPTION
InfoCard can bring a new level of security to authenticating users to your site. In this session, take a deep developer look at how this can be achieved. A traditional forms-based authentication implementation is converted to use InfoCard, along with explanations of the Web services, protocols, and security considerations that one needs to understand.
Citation preview
From Username & Password to "InfoCard"
Richard Turner"InfoCard" Product Manager
Microsoft Corporation
Garrett SerackProgram Manager
Microsoft Corporation
AgendaAgenda
Internet Identity CrisisInternet Identity Crisis
"InfoCard" Overview"InfoCard" Overview
Implementation Implementation
The Identity MetasystemThe Identity Metasystem
Getting "InfoCard"Getting "InfoCard"
Suppliers & Partners
Businesses
Employees
Friends & Family
Consumers
Who Are You?Who Are You?
The Internet Identity CrisisThe Internet Identity Crisis
Phishing & PhraudPhishing & Phraud
Password fatiguePassword fatigue
Inconsistent, proprietary identification Inconsistent, proprietary identification mechanismsmechanisms
Lack of Identity OnlineLack of Identity Online
Phishing & PhraudPhishing & Phraud
New Phishing Sites by MonthNew Phishing Sites by Month
December 2004 – December 2005December 2004 – December 2005
Dec04
Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec05
7,197
4,6304,367
5,2425,2594,564
4,280
3,3262,8542,870
2,6252,560
1,707
Source: http://www.antiphishing.org
Password FatiguePassword Fatigue
"InfoCard""InfoCard"
Consistent Consistent user user experienceexperience
Helps Helps eliminate eliminate unames and unames and passwordspasswords
Helps protect Helps protect users from users from many forms of many forms of phishing & phishing & phraud attackphraud attack
Support for Support for two-factor two-factor authenticationauthentication
Easier Safer
Built on WS-* Web Services Protocols
"InfoCard" cards"InfoCard" cards
Stored locallyStored locally
Assertions about meAssertions about me
Not corroboratedNot corroborated
Provided by banks, Provided by banks, government, clubs, government, clubs, etcetc
Stored at STSStored at STS
Metadata onlyMetadata only
Richard’s Card Woodgrove Bank
Private DesktopPrivate Desktop
Runs under separate Runs under separate desktop and desktop and restricted accountrestricted account
Isolates "InfoCard" Isolates "InfoCard" from Windows from Windows desktopdesktop
Deters hacking Deters hacking attempts by user-attempts by user-mode processesmode processes
Contoso Car Contoso Car RentalRental
ParticipantsParticipants
Relying Party (website)Identity Provider
User
Object Tag
Login with Self Issued CardLogin with Self Issued Card
Relying Party (website)
User
Login
Select Self Issued CardSelect Self Issued Card
Relying Party (website)
User
Create Token from CardCreate Token from Card
Relying Party (website)
User
Sign, Encrypt & Send TokenSign, Encrypt & Send Token
Relying Party (website)
User
Object Tag
Login with Managed CardLogin with Managed Card
Relying Party (website)Identity Provider
User
Login
Select Managed CardSelect Managed Card
Relying Party (website)Identity Provider
User
Request Security TokenRequest Security Token
Relying Party (website)Identity Provider
User
Auth’:X509, Kerb, SIC, U/PWD…
Create Token from CardCreate Token from Card
Relying Party (website)Identity Provider
User
Sign, Encrypt & Send TokenSign, Encrypt & Send Token
Relying Party (website)Identity Provider
User
The Identity MetasystemThe Identity Metasystem
Identity layer for the InternetIdentity layer for the Internet
Open, inclusive, standards-based modelOpen, inclusive, standards-based model
Built upon “The Laws of Identity”Built upon “The Laws of Identity”
"InfoCard" is a client agent within the IDMS"InfoCard" is a client agent within the IDMS
Building A Building A Relying PartyRelying Party
Integrating with “InfoCard”Integrating with “InfoCard”
Four key tasks:Four key tasks:1.1. Update the databaseUpdate the database
2.2. Create an association pageCreate an association page
3.3. Update the sign in pageUpdate the sign in page
4.4. Update the registration pageUpdate the registration page
1. Associate a user with a card1. Associate a user with a card
CREATE PROCEDURECREATE PROCEDURE aspnet_infocard_associate aspnet_infocard_associate (@UserId nvarchar(256), @card (@UserId nvarchar(256), @card nvarcharnvarchar(50) )(50) ) ASAS ......
CREATE PROCEDURECREATE PROCEDURE aspnet_infocard_lookup aspnet_infocard_lookup (@card (@card nvarcharnvarchar(50) )(50) ) ASAS ......
2a. Create an association page2a. Create an association page
<!-- ... --><!-- ... --> <<buttonbutton onclickonclick="javascript:return infocardlogin.submit();">="javascript:return infocardlogin.submit();"> Update account with your Information CardUpdate account with your Information Card </</buttonbutton>>
<<formform namename="infocardlogin"="infocardlogin" targettarget="_self"="_self" methodmethod="post">="post"> <<objectobject typetype="application/x-informationcard"="application/x-informationcard" namename="xmlToken">="xmlToken"> <<paramparam namename="tokenType"="tokenType" valuevalue="urn:oasis:names:tc:SAML:1.0:assertion">="urn:oasis:names:tc:SAML:1.0:assertion"> <<paramparam namename="issuer“ ="issuer“ valuevalue="http://schemas..../identity/issuer/self">="http://schemas..../identity/issuer/self"> <<paramparam namename="requiredClaims"="requiredClaims" valuevalue="http://.../claims/givenname,="http://.../claims/givenname, http://.../claims/surname,http://.../claims/surname, http://../claims/emailaddress, http://../claims/emailaddress, http://.../claims/privatepersonalidentifier">http://.../claims/privatepersonalidentifier"> </</objectobject>> </</formform>><!-- ... --><!-- ... -->
2b. Create an association page2b. Create an association page
publicpublic partialpartial classclass Associate_aspxAssociate_aspx : System.Web.UI. : System.Web.UI.PagePage{{ protectedprotected voidvoid Page_Load( Page_Load(objectobject sender, sender, EventArgsEventArgs e) e) {{ // check if an xmlToken is posted// check if an xmlToken is posted stringstring xmlToken = Request[ xmlToken = Request["xmlToken""xmlToken"];]; ifif (xmlToken != (xmlToken != nullnull) {) {
TokenHelperTokenHelper tokenHelper = tokenHelper = newnew TokenHelperTokenHelper(xmlToken);(xmlToken); // get the unique id// get the unique id stringstring uniqueID = tokenHelper.getUniqueID(); uniqueID = tokenHelper.getUniqueID(); ifif (uniqueID != (uniqueID != nullnull && uniqueID != && uniqueID != """")) {{ //store it with the account.//store it with the account. MembershipUserMembershipUser user = user = MembershipMembership.GetUser();.GetUser(); MembershipHelperMembershipHelper.AssociateUser(.AssociateUser(
user.UserName, uniqueID );user.UserName, uniqueID ); }} }} }}}}
3a. Update the sign in page3a. Update the sign in page
<!-- ... --><!-- ... --> <<buttonbutton onclickonclick="javascript:return infocardlogin.submit();">="javascript:return infocardlogin.submit();"> Sign in with your Information CardSign in with your Information Card </</buttonbutton>>
<<formform namename="infocardlogin"="infocardlogin" targettarget="_self"="_self" methodmethod="post">="post"> <<objectobject typetype="application/x-informationcard"="application/x-informationcard" namename="xmlToken">="xmlToken"> <<paramparam namename="tokenType"="tokenType" valuevalue="urn:oasis:names:tc:SAML:1.0:assertion">="urn:oasis:names:tc:SAML:1.0:assertion"> <<paramparam namename="issuer“ ="issuer“ valuevalue="http://schemas..../identity/issuer/self">="http://schemas..../identity/issuer/self"> <<paramparam namename="requiredClaims"="requiredClaims" valuevalue="http://.../claims/givenname,="http://.../claims/givenname, http://.../claims/surname,http://.../claims/surname, http://../claims/emailaddress, http://../claims/emailaddress, http://.../claims/privatepersonalidentifier">http://.../claims/privatepersonalidentifier"> </</objectobject>> </</formform>><!-- ... --><!-- ... -->
3b. Update the sign in page3b. Update the sign in page
publicpublic partialpartial classclass Login_aspxLogin_aspx : System.Web.UI. : System.Web.UI.PagePage{{ protectedprotected voidvoid Page_Load( Page_Load(objectobject sender, sender, EventArgsEventArgs e) e) {{ stringstring xmlToken = Request[ xmlToken = Request["xmlToken""xmlToken"];];
TokenHelperTokenHelper tokenHelper = tokenHelper = newnew TokenHelperTokenHelper(xmlToken);(xmlToken);
// Lookup the account using the uniqueId// Lookup the account using the uniqueId stringstring username = username = MembershipHelperMembershipHelper.GetUser(.GetUser( tokenHelper.getUniqueID());tokenHelper.getUniqueID()); ifif (username != (username != nullnull) {) { MembershipUserMembershipUser user = user = MembershipMembership.GetUser(username);.GetUser(username);
// give the cookie back to the browser.// give the cookie back to the browser. FormsAuthenticationFormsAuthentication.SetLoginCookie(user.UserName, .SetLoginCookie(user.UserName, falsefalse);); }} } } }}
4a. Update the registration page4a. Update the registration page
<!-- ... --><!-- ... --> <<buttonbutton onclickonclick="javascript:return infocardlogin.submit();">="javascript:return infocardlogin.submit();"> Register with your Information CardRegister with your Information Card </</buttonbutton>>
<<formform namename="infocardlogin"="infocardlogin" targettarget="_self"="_self" methodmethod="post">="post"> <<objectobject typetype="application/x-informationcard"="application/x-informationcard" namename="xmlToken">="xmlToken"> <<paramparam namename="tokenType"="tokenType" valuevalue="urn:oasis:names:tc:SAML:1.0:assertion">="urn:oasis:names:tc:SAML:1.0:assertion"> <<paramparam namename="issuer“ ="issuer“ valuevalue="http://schemas..../identity/issuer/self">="http://schemas..../identity/issuer/self"> <<paramparam namename="requiredClaims"="requiredClaims" valuevalue="http://.../claims/givenname,="http://.../claims/givenname, http://.../claims/surname,http://.../claims/surname, http://../claims/emailaddress, http://../claims/emailaddress, http://.../claims/privatepersonalidentifier">http://.../claims/privatepersonalidentifier"> </</objectobject>> </</formform>><!-- ... --><!-- ... -->
4b. Update the registration page4b. Update the registration page
// ...// ...
stringstring xmlToken = Request[ xmlToken = Request["xmlToken""xmlToken"];]; TokenHelperTokenHelper tokenHelper = tokenHelper = newnew TokenHelperTokenHelper(xmlToken);(xmlToken);
stringstring uniqueId = tokenHelper.getUniqueID(); uniqueId = tokenHelper.getUniqueID(); stringstring emailAddress = tokenHelper.GetClaim( emailAddress = tokenHelper.GetClaim( “ “http://schemas.../emailaddresshttp://schemas.../emailaddress”);”); stringstring username = tokenHelper.GetClaim( username = tokenHelper.GetClaim( “ “http://schemas.../givennamehttp://schemas.../givenname”);”);
ifif (username != (username != nullnull) {) { MembershipUser MembershipUser user = CreateUser( name , emailAddress ,... );user = CreateUser( name , emailAddress ,... ); MembershipHelperMembershipHelper.AssociateUser( user.UserName, uniqueID );.AssociateUser( user.UserName, uniqueID ); }}
// ...// ...
SummarySummary
WinFX: .NET to the coreWinFX: .NET to the core
Getting WinFX & "InfoCard"Getting WinFX & "InfoCard"
Built in to Windows VistaBuilt in to Windows Vista
Also available for Windows XP & Windows Server Also available for Windows XP & Windows Server 20032003
CTPs available today CTPs available today
Beta 2 comingBeta 2 coming
RTM 2nd half 2006RTM 2nd half 2006
Q2 Q3 Q12006
Q2Q4Q12005
Q3 Q4
B1 CTPV1
RTM
"InfoCard" Summary"InfoCard" Summary
Labs available in the MIX Sandbox!Labs available in the MIX Sandbox!
Consistent authentication for digital identities
Reduces chances of being phished
Adopting takes little developer effort
© 2006 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Recommended