David Chappell Chappell & Associates ARC206

Claims-Based Identity: An Overview of Microsoft Code Name "Geneva"

David Chappell, Chappell & Associates, www.davidchappell.com, ARC206

Agenda

Introducing “Geneva” and Claims-Based Identity
Using “Geneva”: Scenarios
A Closer Look at the “Geneva” Technologies


Introducing "Geneva" and Claims-Based Identity

What is "Geneva"?

Three related technologies:
  The “Geneva” Server: the next release of Active Directory Federation Services (AD FS)
  CardSpace “Geneva”: the next release of CardSpace
  The “Geneva” Framework

The goal of “Geneva” is to help make claims-based identity real


What is Identity?

An identity is a set of information about some entity, such as a user

Most applications work with identity
  Identity information drives important aspects of an application’s behavior, such as:
    Determining what a user is allowed to do
    Controlling how the application interacts with the user

Defining the Problem: Working with identity is too hard

Applications must use different identity technologies in different situations:
  Active Directory (Kerberos) inside a Windows domain
  Username/password on the Internet
  WS-Federation and the Security Assertion Markup Language (SAML) between organizations

Why not define one approach that can be used in all of these cases?

Claims-based identity allows this
  It can make life simpler for developers

Tokens and Claims: Representing identity on the wire

[Figure: a token made up of Claim 1, Claim 2, Claim 3 ... Claim n plus a signature; example claims: Name, Group, Age]

A token is a set of bytes that expresses information about an identity
  This information consists of one or more claims
  Each claim contains some information about the entity to which this token applies
The signature indicates who created this token and guards against changes


Identity Providers and STSs

An identity provider is an authority that makes claims about an entity

Common identity providers today:
  On your company’s network: Your employer
  On the Internet: Most often, you

An identity provider implements a security token service (STS)
  It’s software that issues tokens
  Requests for tokens are made via WS-Trust

Many token formats can be used
  The SAML format is increasingly popular

Getting a Token: Illustrating an identity provider and an STS

[Figure: a user with a browser or client; an identity provider containing an account/attribute store and a security token service (STS)]
  1) Authenticate and request token
  2) Get information from the account/attribute store
  3) Create and return token

Acquiring and Using a Token

[Figure: a user with a browser or client; an identity provider with an STS; an application with an identity library and a list of trusted STSs]
  1) Get token
  2) Submit token
  3) Verify token’s signature and check whether this STS is trusted
  4) Use claims in token


Why Claims Are an Improvement

In today’s world, an application typically gets only simple identity information

  Such as a user’s name
  To get more, the application must query:
    A remote database, e.g., a directory service
    A local database

With claims-based identity, each application can ask for exactly the claims that it needs

The STS puts these in the token it creates

How Applications Can Use Claims: Some examples

A claim can identify a user
A claim can convey group or role membership
A claim can convey personalization information
  Such as the user’s display name
A claim can grant or deny the right to do something
  Such as access particular information or invoke specific methods
A claim can constrain the right to do something
  Such as indicating the user’s purchasing limit
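As an added example (not code from this deck or from the “Geneva” Framework), the following Python program plays the application side of the “Acquiring and Using a Token” slide and then uses claims in the ways listed above. It checks the token’s issuer against its list of trusted STSs, verifies the signature, and only then reads the name, group and purchasing-limit claims to decide on a purchase. The token layout, the HMAC-SHA256 signature, the claim type names and the sample STS names are assumptions made for the demo; real “Geneva” tokens are SAML with an XML signature.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a signed token. The deck's tokens are SAML with an
# XML digital signature; here the signature is an HMAC-SHA256 over the issuer
# and claims, keyed with a secret the STS shares with the application
# (an assumption for this demo, not how AD FS/"Geneva" signs tokens).
# Each claim is a dict with a "type" and a "value".


def _canonical(issuer: str, claims: list[dict]) -> bytes:
    """Deterministic byte form of the signed part of a token."""
    return json.dumps({"issuer": issuer, "claims": claims},
                      sort_keys=True, separators=(",", ":")).encode()


def sts_issue_token(issuer: str, key: bytes, claims: list[dict]) -> dict:
    """What the STS does in step 3 of 'Getting a Token': create and sign a token."""
    signature = hmac.new(key, _canonical(issuer, claims), hashlib.sha256).hexdigest()
    return {"issuer": issuer, "claims": claims, "signature": signature}


class ClaimsAwareApplication:
    """The application side: identity library plus the list of trusted STSs."""

    def __init__(self, trusted_stss: dict[str, bytes]):
        # "List of Trusted STSs": issuer name -> key used to verify its signatures
        self.trusted_stss = trusted_stss

    def validate_token(self, token: dict) -> list[dict]:
        """Step 3 of 'Acquiring and Using a Token': verify the signature and
        check that the issuing STS is trusted. Returns the claims on success."""
        issuer = token.get("issuer")
        key = self.trusted_stss.get(issuer)
        if key is None:
            raise PermissionError(f"issuer {issuer!r} is not a trusted STS")
        expected = hmac.new(key, _canonical(issuer, token.get("claims", [])),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison so a forged signature cannot be guessed byte by byte
        if not hmac.compare_digest(expected, str(token.get("signature", ""))):
            raise PermissionError("token signature does not verify")
        return token["claims"]

    @staticmethod
    def claim_values(claims: list[dict], claim_type: str) -> list[str]:
        return [c["value"] for c in claims if c.get("type") == claim_type]

    def approve_purchase(self, token: dict, amount: float) -> str:
        """Step 4: use the claims. Identity (name), role membership (group) and
        a constraint (purchasing_limit) all come from the token, not from a lookup."""
        claims = self.validate_token(token)
        names = self.claim_values(claims, "name")
        if not names:
            raise PermissionError("token carries no name claim")
        if "purchasers" not in self.claim_values(claims, "group"):
            raise PermissionError(f"{names[0]} is not in the purchasers group")
        limits = self.claim_values(claims, "purchasing_limit")
        limit = float(limits[0]) if limits else 0.0
        if amount > limit:
            raise PermissionError(f"{amount:.2f} exceeds purchasing limit {limit:.2f}")
        return f"purchase of {amount:.2f} approved for {names[0]}"


# Constructed sample data: one trusted STS, one unknown STS, one user.
STS_KEY = b"constructed-demo-key-for-sts.contoso.example"
APP = ClaimsAwareApplication({"sts.contoso.example": STS_KEY})
USER_CLAIMS = [
    {"type": "name", "value": "alice"},
    {"type": "group", "value": "purchasers"},
    {"type": "purchasing_limit", "value": "500"},
]


def demo() -> dict:
    """Run the four outcomes a relying party must tell apart."""
    good = sts_issue_token("sts.contoso.example", STS_KEY, USER_CLAIMS)
    tampered = json.loads(json.dumps(good))          # deep copy
    tampered["claims"][2]["value"] = "50000"          # raised limit, signature now stale
    untrusted = sts_issue_token("sts.unknown.example", b"other-key", USER_CLAIMS)
    results = {"within_limit": APP.approve_purchase(good, 120.0)}
    for label, tok, amt in (("over_limit", good, 900.0),
                            ("tampered", tampered, 120.0),
                            ("untrusted_issuer", untrusted, 120.0)):
        try:
            APP.approve_purchase(tok, amt)
            results[label] = "approved"
        except PermissionError as err:
            results[label] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for outcome, text in demo().items():
        print(f"{outcome:17} {text}")
```

The order of checks matters: the issuer lookup comes first because the verification key depends on who claims to have issued the token, and the claims are read only after the signature verifies, so a claim edited in transit (the tampered case) never reaches the authorization logic.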

Supporting Multiple Identities: Using an identity selector

[Figure: a user with a browser or client and an identity selector; several identity providers, each with an STS; an application with an identity library]
  1) Access application and learn token requirements
  2) Select an identity that matches those requirements
  3) Get token for selected identity
  4) Submit token
  5) Use claims in token

The "Geneva" Technologies

[Figure: the same flow, with CardSpace “Geneva” as the identity selector on the user’s browser or client, the “Geneva” Server as one of the identity providers’ STSs, and the “Geneva” Framework as the identity library inside the application]
  1) Access application and learn token requirements
  2) Select an identity that matches those requirements
  3) Get token for selected identity
  4) Submit token
  5) Use claims in token


Using "Geneva": Scenarios

Using "Geneva" in an Enterprise

[Figure: a user with a browser or client and CardSpace “Geneva”; Active Directory Domain Services; the “Geneva” Server with its STS; an application built on the “Geneva” Framework]
  1) Login to domain and get Kerberos ticket
  2) Access application and learn token requirements
  3) Select an identity that matches those requirements
  4) Present Kerberos ticket and request token for selected identity
  5) Find claims required by application and create token
  6) Receive token
  7) Submit token
  8) Use claims in token

Allowing Internet Access

[Figure: a user on the Internet with a browser or client and CardSpace “Geneva”; the “Geneva” Server with its STS, backed by Active Directory Domain Services; an application built on the “Geneva” Framework]
  1) Access application and learn token requirements
  2) Select an identity that matches those requirements
  3) Get token for selected identity
  4) Submit token
  5) Use claims in token

Using an External Identity Provider

[Figure: a user with a browser or client and CardSpace “Geneva”; identity providers on the Internet such as Windows Live ID and others, each with an STS; an application built on the “Geneva” Framework]
  1) Access application and learn token requirements
  2) Select an identity that matches those requirements
  3) Get token for selected identity
  4) Submit token
  5) Use claims in token

Identity Across Organizations: Describing the problem

A user in one Windows forest must access an application in another Windows forest

A user in a non-Windows world must access an application in a Windows forest (or vice-versa)

Identity Across Organizations: Possible solutions

One option: duplicate accounts
  Requires separate login, extra administration

A better approach: identity federation
  One organization accepts identities provided by the other
  No duplicate accounts
  Single sign-on for users

Identity Federation (1)

[Figure: Organization X holds the user with a browser or client and CardSpace “Geneva”, plus a “Geneva” Server STS backed by Active Directory Domain Services; Organization Y holds the application built on the “Geneva” Framework, whose trusted STSs are Organization Y and Organization X]
  1) Access application and learn token requirements
  2) Select an identity that matches those requirements
  3) Get token for selected identity
  4) Submit token
  5) Use claims in token

Identity Federation (2)

[Figure: Organization X holds the user with a browser or client and CardSpace “Geneva”, plus a “Geneva” Server STS backed by Active Directory Domain Services (trusted STSs: Organization Y); Organization Y holds its own STS (trusted STSs: Organization X) and the application built on the “Geneva” Framework]
  1) Access application and learn token requirements
  2) Access Organization Y STS and learn token requirements
  3) Select an identity that matches those requirements
  4) Get token for Organization Y STS (token for STS Y)
  5) Request token for application, presenting the token for STS Y
  6) Issue token for application
  7) Submit token
  8) Use claims in token

Delegation

[Figure: a user with a browser or client; a “Geneva” Server STS backed by Active Directory Domain Services; application X and application Y, both built on the “Geneva” Framework]
  1) Get token for application X (token for X)
  2) Submit token for X to application X
  3) Application X accesses application Y and learns its token requirements
  4) Application X requests a token for application Y, presenting the token for X
  5) Check policy for user, application X, and application Y
  6) If policy allows, issue token for application Y (token for Y)
  7) Submit token for Y to application Y
  8) Use claims in token
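Added example (not code from this deck or from the “Geneva” Server): a small Python model of the Identity Federation (2) and Delegation flows above. Each STS keeps its own list of trusted STSs, as in the figures, and every token here carries an explicit audience (the deck’s “token for STS Y”, “token for X”, “token for Y”) so that a token issued for one party is refused by another. The STS and application names, the policy table, the HMAC-SHA256 signatures and the claim type names are all assumptions made for the demo; real “Geneva”/AD FS tokens are SAML with XML signatures.

```python
import hashlib
import hmac
import json

# Constructed model of federation and delegation. Signatures are HMAC-SHA256
# with per-STS keys shared with the parties that verify them (assumption for
# this demo). Each claim is a dict with a "type" and a "value".


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def validate_token(token: dict, trusted_stss: dict, audience: str) -> list:
    """Verify issuer trust, signature and audience, in that order; return the claims."""
    key = trusted_stss.get(token.get("issuer"))
    if key is None:
        raise PermissionError(f"issuer {token.get('issuer')!r} is not trusted")
    body = {k: token.get(k) for k in ("issuer", "audience", "claims")}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(token.get("signature", ""))):
        raise PermissionError("signature does not verify")
    if token.get("audience") != audience:
        raise PermissionError(f"token is for {token.get('audience')!r}, not {audience!r}")
    return token["claims"]


class STS:
    def __init__(self, name: str, key: bytes, trusted_stss=None, delegation_policy=None):
        self.name, self.key = name, key
        self.trusted_stss = dict(trusted_stss or {})          # issuer -> verification key
        # Allowed (user, requesting application, target application) triples
        self.delegation_policy = set(delegation_policy or ())

    def issue(self, audience: str, claims: list) -> dict:
        body = {"issuer": self.name, "audience": audience, "claims": claims}
        return {**body, "signature": hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()}

    def federate(self, partner_token: dict, application: str) -> dict:
        """Identity Federation (2), steps 5-6: accept a token from a trusted partner STS
        (audience: this STS) and issue this organization's own token for the application."""
        claims = validate_token(partner_token, self.trusted_stss, audience=self.name)
        kept = [c for c in claims if c["type"] in ("name", "group")]
        kept.append({"type": "home_organization", "value": partner_token["issuer"]})
        return self.issue(application, kept)

    def delegate(self, token_for_x: dict, requesting_app: str, target_app: str) -> dict:
        """Delegation, steps 4-6: application X presents the user's token and asks for
        a token for application Y; policy is checked for the (user, X, Y) triple."""
        claims = validate_token(token_for_x, {self.name: self.key}, audience=requesting_app)
        user = next((c["value"] for c in claims if c["type"] == "name"), None)
        if user is None or (user, requesting_app, target_app) not in self.delegation_policy:
            raise PermissionError(f"policy does not allow {requesting_app} to act for {user!r} at {target_app}")
        return self.issue(target_app, claims + [{"type": "delegated_via", "value": requesting_app}])


# Constructed organizations X and Y: each STS trusts the other, while the
# application in Y trusts only Y's STS (as on the Identity Federation (2) slide).
KEY_X, KEY_Y = b"demo-key-org-x", b"demo-key-org-y"
STS_X = STS("sts.orgx.example", KEY_X, trusted_stss={"sts.orgy.example": KEY_Y},
            delegation_policy={("alice", "app-x", "app-y")})
STS_Y = STS("sts.orgy.example", KEY_Y, trusted_stss={"sts.orgx.example": KEY_X})
APP_Y_TRUST = {"sts.orgy.example": KEY_Y}
ALICE = [{"type": "name", "value": "alice"}, {"type": "group", "value": "engineers"}]


def run_federation() -> list:
    token_for_sts_y = STS_X.issue(STS_Y.name, ALICE)                     # step 4
    app_token = STS_Y.federate(token_for_sts_y, "app.orgy.example")      # steps 5-6
    return validate_token(app_token, APP_Y_TRUST, "app.orgy.example")    # steps 7-8


def run_delegation(user: str) -> list:
    token_for_x = STS_X.issue("app-x", [{"type": "name", "value": user}])  # step 1
    token_for_y = STS_X.delegate(token_for_x, "app-x", "app-y")           # steps 4-6
    return validate_token(token_for_y, {STS_X.name: KEY_X}, "app-y")      # steps 7-8


def replay_rejected() -> bool:
    """The token issued for STS Y must not be accepted directly by the application in Y."""
    try:
        validate_token(STS_X.issue(STS_Y.name, ALICE), APP_Y_TRUST, "app.orgy.example")
        return False
    except PermissionError:
        return True


def delegation_denied(user: str) -> bool:
    try:
        run_delegation(user)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print(run_federation())
    print(run_delegation("alice"))
    print(replay_rejected(), delegation_denied("bob"))
```

Two points the figures imply but do not spell out are made explicit here: the application in Organization Y never needs a trust relationship with Organization X’s STS, because it only ever sees tokens issued by its own STS; and the STS that grants delegation records which application acted on the user’s behalf (the constructed `delegated_via` claim), which is what application Y would want in its audit trail.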


A Closer Look at the "Geneva" Technologies

Changes in the "Geneva" Server: From AD FS

AD FS today supports only passive clients (i.e., browsers) using WS-Federation
  And it doesn’t provide an STS

The “Geneva” Server:
  Supports both active and passive clients
  Provides an STS
  Supports both WS-Federation and the SAML 2.0 protocol
  Improves management of trust relationships
    By automating some exchanges

CardSpace "Geneva": Selecting identities

CardSpace “Geneva” provides a standard user interface for choosing an identity
  Using the metaphor of cards
  Choosing a card selects an identity (i.e., a token)


Information Cards

Behind each card a user sees is an information card

  It’s an XML file that represents a relationship with an identity provider
  It contains what’s needed to request a token for a particular identity

Information cards don’t contain:
  Claims for the identity
  Whatever is required to authenticate to the identity provider’s STS

Information Cards: An illustration

[Figure: a user with a browser or client running CardSpace “Geneva”, holding Information Card 1, Information Card 2, Information Card 3 and Information Card 4; identity providers, each with its own STS]


Creating Industry Agreement

The Information Card Foundation is a multi-vendor group dedicated to making this technology successful

Its board members include Google, Microsoft, Novell, Oracle, and PayPal

A Web site can display a standard icon to indicate that it accepts card-based logins: [Figure: the Information Card icon]

Changes in CardSpace "Geneva": From the first CardSpace release

CardSpace “Geneva” is available separately from the .NET Framework
  It’s smaller and faster

CardSpace “Geneva” contains optimizations for applications that users visit repeatedly
  A Web site can display the card you last used to log in to the site
  The CardSpace “Geneva” screen needn’t appear

The self-issued identity provider has been dropped


The "Geneva" Framework

The goal: Make it easier for developers to create claims-aware applications

Originally known as “Zermatt”

The “Geneva” Framework provides:
  Support for verifying a token’s signature and extracting its claims
  Classes for working with claims
  Support for creating a custom STS
  More


Conclusions

Changing how applications (and people) work with identity is not a small thing

Widespread adoption of claims-based identity will take time

Yet all of the pieces required to make claims-based identity real on Windows are coming:

  The “Geneva” Server
  CardSpace “Geneva”
  The “Geneva” Framework

References

Introducing “Geneva”: An Overview of the “Geneva” Server, CardSpace “Geneva”, and the “Geneva” Framework

http://download.microsoft.com/download/7/d/0/7d0b5166-6a8a-418a-addd-95ee9b046994/GenevaBeta1_Whitepaper_Chappell.docx

Keith Brown’s “Geneva” Framework White Paper for Developers

http://download.microsoft.com/download/7/d/0/7d0b5166-6a8a-418a-addd-95ee9b046994/GenevaFrameworkWhitepaperForDevelopers.pdf

About the Speaker

David Chappell is Principal of Chappell & Associates (www.davidchappell.com) in San Francisco, California. Through his speaking, writing, and consulting, he helps people around the world understand, use, and make better decisions about new technology. David has been the keynote speaker for many events and conferences on five continents, and his seminars have been attended by tens of thousands of IT decision makers, architects, and developers in forty countries. His books have been published in a dozen languages and used regularly in courses at MIT, ETH Zurich, and other universities. In his consulting practice, he has helped clients such as Hewlett-Packard, IBM, Microsoft, Stanford University, and Target Corporation adopt new technologies, market new products, train their sales staffs, and create business plans. Earlier in his career, David wrote networking software, chaired a U.S. national standards working group, and played keyboards with the Peabody-award-winning Children’s Radio Theater. He holds a B.S. in Economics and an M.S. in Computer Science, both from the University of Wisconsin-Madison.

Question & Answer

Resources

www.microsoft.com/teched: Sessions On-Demand & Community
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers
www.microsoft.com/learning: Microsoft Certification & Training Resources

Complete an evaluation on CommNet and enter to win!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.