Identity: “Geneva” Deep Dive Jan Alexander Program Manager Microsoft Corporation BB43


Page 1: Identity: “Geneva” Deep Dive

Jan Alexander, Program Manager, Microsoft Corporation
BB43

Page 2: Microsoft Identity Software + Services

One identity model that puts users in control of their identities

Software: “Geneva” Framework, Windows CardSpace “Geneva”, Active Directory, “Geneva” Server
Services: Live Framework, Live Identity Services, Microsoft Federation Gateway, .Net Access Control Service, Microsoft Services Connector

Claims-Based Access: Standards Based; Enhances Developer Productivity; Flexibility via Choice


Page 4: Agenda

- Identity Meta-System & Claims
- Creating Claims-based Application
- Adding Custom Claims
- Federated Authentication
- Custom STS
- Claims & WCF
- Identity Delegation
- Futures

Page 5: Identity Meta-System & Claims

Page 6: Identity Meta-System Introduction

Claims Requestor: Client (Web Browser, WCF Smart Client, SSP-based application)
Claims Producer: Security Token Service (Geneva Server, Custom STS)
Claims Consumer: Relying Party (ASP.NET, WCF service, SSP-based service)

1. Trust established
2. Authenticate and get claims in a token
3. Send the issued token with claims to authenticate with the service

Page 7: Terminology

Claim: Statement made by an entity (issuer) about an entity (subject)
Security Token: Represents a collection of claims; usually asserted and cryptographically signed by an issuing authority
Security Token Service: Issues security tokens
Relying Party: Accepts security tokens and uses claims contained in them

Page 8: Claims Model

IClaimsPrincipal holds one or more IClaimsIdentity objects; each IClaimsIdentity holds a Subject and a set of Claim objects.
Example Claim: ClaimType = “Name”, Value = “Bob”, Issuer = “WLID”

Page 9: Creating Claims-Based Application

Page 10: Federated Claims-Based Application

Participants: Bob (client), STS (Geneva Server), Relying Party (ASP.NET + Geneva FX)

1. Bob authenticates to the STS: Identity: Contoso\Bob, Going to: Relying Party
2. The STS applies its Claims Transformation Policy for the Relying Party (Name = Contoso\Bob -> ShoeSize = 41) and issues SAML(Shoe Size = 41)
3. Bob sends SAML(Shoe Size = 41) with HTTP GET /secret.aspx to the Relying Party
4. The Relying Party applies its Authorization Policy (secret.aspx -> Shoe Size = 41) and returns the secret content

Page 11: Original Application Without Claims

IIS + ASP.NET
- Infrastructure: Client authenticates with Kerberos; Windows Authentication Module; URL Authorization Module
- Authorization Policy: default.aspx -> *, secret.aspx -> janalex
- Application Code: default.aspx (Everyone), secret.aspx (Only Shoe Size 41)

Page 12: Making The Application Claim-Based: Converting authorization to use claims

IIS + ASP.NET
- Infrastructure: Client authenticates with Kerberos; Windows Authentication Module; URL Authorization Module (Authorization Policy: default.aspx -> *, secret.aspx -> janalex)
- Geneva Framework: Claims Authentication Module; Claims Authorization Module with Claims Authorization Manager (Authorization Policy: default.aspx -> Everyone, secret.aspx -> Claim Type = “Name”, Claim Value = “janalex”)
- Application Code: default.aspx (Everyone), secret.aspx (Only Shoe Size 41)

Page 13: Securing a Web Page (demo)

Page 14: Adding Custom Claims

Page 15: Geneva Framework Architecture

Hosting Layer (WCF or ASP.NET)
Geneva FX integration layer
Token Handling:
- Token Serialization: XML/Binary -> Security Token
- Token Validation: Security Token -> Claims Identity
- Claims Extraction
- Issuer Name Registry: Issuer’s Token -> Issuer’s Name
- Token Resolver: Token Reference -> Security Token
Claims Authentication Manager: Claims Principal -> Claims Principal
Security Session Management: Claims Principal <-> Session Token
Claims Authorization Manager: Claims Principal + Request -> True/False
Application Code: receives the Claims Principal

Page 16: Making The Application Claims-Based: Adding shoe size claim

IIS + ASP.NET
- Infrastructure: Client authenticates with Kerberos; Windows Authentication Module
- Geneva Framework: Claims Authentication Module with Claims Authentication Manager (Claims Transformation Policy: Name = REDMOND\janalex -> ShoeSize = 41); Claims Authorization Module with Claims Authorization Manager (Authorization Policy: default.aspx -> Everyone, secret.aspx -> ShoeSize = 41, replacing secret.aspx -> Name = REDMOND\janalex)
- Application Code: default.aspx (Everyone), secret.aspx (Only Shoe Size 41)
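The two policies on pages 12 and 16 (Name = REDMOND\janalex -> ShoeSize = 41, then default.aspx -> Everyone and secret.aspx -> ShoeSize = 41) as a Claims Authentication Manager and a Claims Authorization Manager, written here as an added C# example against the Microsoft.IdentityModel API of the released framework; it is not code from the deck, and the shoe-size claim type URI and the “LOCAL AUTHORITY” issuer name are assumptions.

```csharp
using System;
using System.Linq;
using Microsoft.IdentityModel.Claims;   // assumed: released-framework namespace and base classes

public static class ShoeSizePolicy
{
    public const string ShoeSizeClaimType = "http://contoso.example/claims/shoesize"; // constructed URI
    public const string RequiredShoeSize = "41";
}

// Claims transformation policy: Name = REDMOND\janalex -> ShoeSize = 41.
// Runs after the Windows Authentication Module and before any authorization decision.
public class ShoeSizeAuthenticationManager : ClaimsAuthenticationManager
{
    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal;                  // anonymous: nothing to transform

        foreach (IClaimsIdentity identity in incomingPrincipal.Identities)
        {
            bool isJanalex = identity.Claims.Any(c => c.ClaimType == ClaimTypes.Name
                && string.Equals(c.Value, @"REDMOND\janalex", StringComparison.OrdinalIgnoreCase));
            if (isJanalex)
                // The application is the issuer of the derived claim, so it cannot be
                // confused with a shoe-size claim presented by the client.
                identity.Claims.Add(new Claim(ShoeSizePolicy.ShoeSizeClaimType,
                    ShoeSizePolicy.RequiredShoeSize, ClaimValueTypes.Integer, "LOCAL AUTHORITY"));
        }
        return incomingPrincipal;
    }
}

// Authorization policy: default.aspx -> Everyone, secret.aspx -> ShoeSize = 41.
// The Claims Authorization Module passes the request URL as the Resource claim.
public class ShoeSizeAuthorizationManager : ClaimsAuthorizationManager
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        string url = context.Resource.First().Value;
        if (url.EndsWith("/default.aspx", StringComparison.OrdinalIgnoreCase))
            return true;
        if (url.EndsWith("/secret.aspx", StringComparison.OrdinalIgnoreCase))
            return context.Principal.Identities.Any(id => id.Claims.Any(c =>
                c.ClaimType == ShoeSizePolicy.ShoeSizeClaimType
                && c.Value == ShoeSizePolicy.RequiredShoeSize));
        return false;   // anything the policy does not list is denied
    }
}
```

Both classes are wired into the pipeline through the framework's configuration section rather than from application code, so the page-level code never sees the Windows identity directly.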

Page 17: Adding Shoe Size Claim (demo)

Page 18: Federated Authentication

Page 19: What Is Geneva Server?

- Security Token Service for AD: Identity and federation provider
- Managed Card Provider for AD: CardSpace and InfoCard Identity Selectors
- Federation Trust Manager: Automates trust management using metadata
- Standards Based and Interoperable: WS-* & SAML 2.0 protocol “Web SSO profile”; SAML 1.1 & 2.0 tokens

Page 20: Geneva Server Architecture

Callers: Client, CardSpace, Relying Party, Home Realm Discovery Service (all through the Geneva FX API); MMC: Policy UX and MMC: Service UX
Geneva Server Runtime:
- Protocol Hosting (WS-Trust, Metadata, WS-Federation) on the Geneva FX API: {WS-Fed Passive}, {WS-Trust, WS-MEX}, {Information Card Issuance}, {WS-Fed Metadata}
- Issuance Engine
- Information Card Issuance Service
- Policy Management Service and WMI Provider: {Policy Management}, {WMI}
- Config File
- Identity Store Interface: LDAP Store -> AD/ADAM User Attribute and AuthN Store
- Policy Store Interface: SQL Store -> SQL Policy Store
- Store access: {FileIO}, {SQL}, {LDAP}

Page 21: Making The Application Claims-Based: Converting to the federated authentication

IIS + ASP.NET
- Infrastructure: Client authenticates with Kerberos to the Geneva Server STS (Windows Authentication Module; Claims Transformation Policy: Name = REDMOND\janalex -> ShoeSize = 41) and receives a SAML token
- Geneva Framework: Federated Authentication Module; Issuer Name Registry (Establish Trust with the STS); Claims Authentication Module with Claims Authentication Manager (Claims Authentication Policy: Issuer = STS -> Can say Shoe Size); Claims Authorization Module with Claims Authorization Manager (Authorization Policy: default.aspx -> Everyone, secret.aspx -> Shoe Size = 41)
- Application Code: default.aspx (Everyone), secret.aspx (Only Shoe Size 41)

Page 22: Converting to the Federated Authentication (demo)

Page 23: Making The Application Claims-Based: Adding a new identity provider

Participants: Windows Live ID User, Fabrikam User, WLID STS (Windows Live ID), Fabrikam STS (Fabrikam), Relying Party
Trust Established between the WLID STS and the Fabrikam STS

Page 24: Identity Delegation

Page 25: Claims Model (with delegation)

IClaimsPrincipal holds IClaimsIdentity objects; each IClaimsIdentity holds a Subject, a set of Claim objects and an optional Delegate, which is itself an IClaimsIdentity.
Subject identity: Claim ClaimType = “Name”, Value = “Bob”, Issuer = “WLID”
Delegate identity: Claim ClaimType = “Name”, Value = “Server1”, Issuer = “MS STS”

Page 26: Identity Delegation

Participants: Bob, WFE (ASP.NET), Backend (WCF), STS (Geneva Server)

1. The STS issues a token to Bob: Issue Token { Bob }
2. Bob calls the WFE over HTTP/HTML presenting { Bob }
3. The WFE asks the STS for a token on Bob’s behalf: Issue Token { WFE, ActAs(Bob) }
4. The WFE calls the Backend over SOAP presenting { Bob delegate WFE }
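The Backend’s side of this exchange, as an added C# example that is not part of the deck: it inspects the { Bob delegate WFE } token’s identity and accepts it only when the delegate is a known front end whose Name claim was issued by the trusted STS. It assumes the IClaimsIdentity.Delegate property as named on page 25 (the released framework calls it Actor); the trusted-STS name “MS STS” and the front-end name “Server1” are taken from page 25, and the allow-list itself is constructed.

```csharp
using System;
using System.Linq;
using Microsoft.IdentityModel.Claims;   // assumed: released-framework namespace

// Backend (WCF) policy for tokens of the shape { Bob delegate WFE }.
// Assumed: IClaimsIdentity.Delegate as on the Claims Model slide; names are constructed
// from that slide ("MS STS" issuer, "Server1" front end).
public static class DelegationPolicy
{
    const string TrustedSts = "MS STS";
    static readonly string[] AllowedDelegates = { "Server1" };

    // Value of the Name claim, but only if the given issuer asserted it.
    static string NameIssuedBy(IClaimsIdentity identity, string issuer)
    {
        Claim name = identity.Claims.FirstOrDefault(c =>
            c.ClaimType == ClaimTypes.Name && c.Issuer == issuer);
        return name == null ? null : name.Value;
    }

    // True when the caller is the subject itself, or an allowed front end acting as the subject.
    public static bool IsAcceptableCaller(IClaimsIdentity subject)
    {
        IClaimsIdentity delegateIdentity = subject.Delegate;
        if (delegateIdentity == null)
            return true;                       // direct call, no delegation involved

        // Only the single hop shown on the slide (Bob -> WFE) is allowed; a longer
        // chain is rejected rather than trusted by walking it blindly.
        if (delegateIdentity.Delegate != null)
            return false;

        string wfeName = NameIssuedBy(delegateIdentity, TrustedSts);
        return wfeName != null
            && AllowedDelegates.Contains(wfeName, StringComparer.OrdinalIgnoreCase);
    }
}
```

The check keys on the delegate’s issuer as well as its name, so a front end whose Name claim came from anyone other than the STS is refused even if the name matches.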

Page 27: Futures

Page 28: Authorization

Imagine this:

    foreach (IClaimsIdentity identity in subject.Identities)
    {
        if ((from c in identity.Claims
             where c.ClaimType == ClaimTypes.Name && c.Value == @"REDMOND\janalex"
             select c).Count() > 0)
        {
            return true;
        }
    }

Turned into this:

    [AccessCheck(Resource="page1.aspx", Operation="GET")]

Page 29: Geneva Server Issuance Policy

- Accessing arbitrary Claim properties (today limited to claim type and claim value)
- Complex conditions (today only a single expression is supported)
- Custom attribute stores (today only LDAP)
- Policy analysis support
- Enhanced identity delegation policy (today on par with AD constrained delegation)
- Support for custom issuance engines

Page 30: "Geneva" Schedule

- Beta 1: October 2008
- Beta 2: 1st Half 2009
- RTM: 2nd Half 2009

Page 31: Details

- “Geneva” components are Windows components
- Supported platforms: Beta: Windows Server 2008, Windows Vista; RTM: To Be Determined
- See us in Lounge, Pavilion, Hands On Lab
- Learn about Technology Adoption Partner program

Page 32: Summary

- Claims are flexible and powerful
- Security Token Service is here to help you get the right identity information to your applications
- “Geneva” Framework gives you a consistent programming model for every situation

Page 33: Identity @ PDC

Software:
- (BB42) Identity: "Geneva" Server and Framework Overview
- (BB43) Identity: "Geneva" Deep Dive
- (BB44) Identity: Windows CardSpace "Geneva" Under the Hood
Services:
- (BB22) Identity: Live Identity Services Drilldown
- (BB29) Identity: Connecting Active Directory to Microsoft Services
- (BB28) .NET Services: Access Control Service Drilldown
- (BB55) .NET Services: Access Control In the Cloud

Page 34: Evals & Recordings

Please fill out your evaluation for this session at:

This session will be available as a recording at: www.microsoftpdc.com

Page 35: Q&A

Please use the microphones provided

Page 36: Legal

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
