Windows CardSpace. Martin Parry, Developer Evangelist, Microsoft, [email protected]


Page 1: Windows CardSpace

Windows CardSpace

Martin Parry, Developer Evangelist, Microsoft
[email protected]

Page 2: Windows CardSpace

Event slides will be posted at:

http://www.microsoft.com/uk/msdnevents

Page 3: Windows CardSpace

Identity: problems

Passwords too easy to crack
Or too hard to remember

I want multiple identities
Results in identity silos

Banks etc. would like to make sign-on data a lot more complex

Users’ ability to remember is the obstacle

Nobody trusts a single organization to store all identity information

Page 4: Windows CardSpace

Identity: a new approach

Kim Cameron; www.identityblog.com

Seven laws of identity

We have interoperable WS-* specs
Allow multiple identity systems to take part

We have a standard format for credentials

SAML tokens

The Identity Metasystem

Page 5: Windows CardSpace

Security Tokens

SAML: Security Assertion Markup Language

Prevailing format for credentials today

What’s in a security token?
Collection of claims (self-asserted or verifiable)

Token signed by issuer

Issuing a token
Use WS-Security and WS-Trust

Consuming a token
Verify signature, decide if issuer trusted

Read claims (for authZ decisions)

Page 6: Windows CardSpace

Example Security Token

Given Name: Martin

Family Name: Parry

Email: [email protected]

[Diagram: the same claims serialised inside the XML token: Martin, Parry, martin.parry@...]

Page 7: Windows CardSpace

Security Token Service

Give it something...

  Username/password
  X.509 Certificate
  Another security token
  Biometric
  Etc...

[Diagram: the STS takes one of these credentials and returns a security token carrying the claims Martin, Parry, martin.parry@...]

Page 8: Windows CardSpace

Federation

If users have accounts elsewhere and you trust the authN that takes place there

Don’t add user accounts to your system
Accept security tokens issued elsewhere
Establish trust between systems

WS-Federation

Think of B2B scenarios

Page 9: Windows CardSpace

Federation: example

Instead of provisioning a new user account for a partner, I’ll let her organization authenticate her

Automate the trust relationship

Ask user to supply a SAML token issued by a partner org

SAML token contains claims about the user
Partner org claims that this user’s name is Alice

Partner org claims that Alice is a Purchaser

Partner org claims that Alice is authorized to purchase bike parts

Reduces identity management burden and latency

Page 10: Windows CardSpace

Information Cards

Identities represented as cards
Users understand that they need to be careful when giving out credit card details

Self-issued “personal card”
Created by user and held in local secure store

Private personal identifier

“Managed card”
Issued by trusted Identity Provider

Visible locally but identity information is stored at IP

Cards do not contain security tokens
They represent my ability to supply a token

Page 11: Windows CardSpace

How it works

Diagram actors: Relying Party, Identity Provider.

1. Access resource
2. Policy: “I would like a SAML 1.1 token, containing First Name, Surname, issued by *any*”
3. UI filters cards that can satisfy policy
4. User picks a card
5. Token is requested
6. Token is created
7. Token is presented

Page 12: Windows CardSpace

Demo

Create a self-issued card

Sign on to a website using the card

Page 13: Windows CardSpace

HTML

<form id="form1" method="post" action="login1.aspx">
  <div>
    <button type="submit">Click here to sign in</button>
    <object type="application/x-informationcard" name="xmlToken">
      <param name="tokenType"
             value="urn:oasis:names:tc:SAML:1.0:assertion"/>
      <param name="issuer"
             value="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"/>
      <param name="requiredClaims"
             value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"/>
    </object>
  </div>
</form>
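Added example, not part of the slides or the CardSpace samples: it parses the policy that the <object> element above expresses and applies step 3 of the “How it works” flow, filtering cards by issuer, token type and required claims. The Card type, the two sample cards and the bank issuer URL are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
SAML10 = "urn:oasis:names:tc:SAML:1.0:assertion"
SELF_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Constructed copy of the <object> element from the slide's sign-in form.
SAMPLE_OBJECT = f"""<object type="application/x-informationcard" name="xmlToken">
  <param name="tokenType" value="{SAML10}"/>
  <param name="issuer" value="{SELF_ISSUER}"/>
  <param name="requiredClaims" value="{CLAIMS}givenname
         {CLAIMS}surname
         {CLAIMS}emailaddress
         {CLAIMS}privatepersonalidentifier"/>
</object>"""
@dataclass(frozen=True)
class Card:
    name: str
    issuer: str            # SELF_ISSUER for a personal card, the IP's URL for a managed card
    token_types: frozenset
    claims: frozenset      # claim-type URIs the card can supply

def parse_policy(object_html):
    """Read the <param> children; requiredClaims is a whitespace-separated list of URIs."""
    params = {p.get("name"): p.get("value", "")
              for p in ET.fromstring(object_html).iter("param")}
    return {"tokenType": params.get("tokenType"),
            "issuer": params.get("issuer") or None,   # absent means "issued by *any*"
            "requiredClaims": frozenset(params.get("requiredClaims", "").split())}

def cards_satisfying(policy, cards):
    """Step 3 of the flow: keep only cards whose issuer, token type and claims fit."""
    keep = []
    for card in cards:
        if policy["tokenType"] and policy["tokenType"] not in card.token_types:
            continue
        if policy["issuer"] and policy["issuer"] != card.issuer:
            continue
        if not policy["requiredClaims"] <= card.claims:   # every required claim available
            continue
        keep.append(card.name)
    return keep

# Constructed cards: Martin's personal card and a managed card from a hypothetical IP.
PERSONAL = Card("Martin (personal)", SELF_ISSUER, frozenset({SAML10}),
                frozenset(CLAIMS + c for c in ("givenname", "surname", "emailaddress",
                                               "privatepersonalidentifier")))
MANAGED = Card("Example bank", "https://sts.bank.example", frozenset({SAML10}),
               frozenset(CLAIMS + c for c in ("givenname", "surname")))
```

Only the personal card matches the slide's policy; relax the issuer and drop the PPID requirement and the managed card qualifies too.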

Page 14: Windows CardSpace

Server-side code

protected void Page_Load(object sender, EventArgs e)
{
    string xmlToken = Request.Params["xmlToken"];
    if (xmlToken == null || xmlToken.Equals(""))
        ShowError("Token presented was null");
    else
    {
        TokenHelper tokenHelper = new TokenHelper(xmlToken, "www.fabrikam.com");
        givenname.Text = tokenHelper.GetClaim(ClaimTypes.GivenName);
        surname.Text = tokenHelper.GetClaim(ClaimTypes.Surname);
        email.Text = tokenHelper.GetClaim(ClaimTypes.Email);
    }
}

Clearly all the work’s in TokenHelper
Get it in the samples at www.netfx3.com
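Added example, not the slides’ TokenHelper: it walks the “consuming a token” steps from the Security Tokens slide (issuer trusted? valid now? issued for this relying party? then read the claims) over a constructed SAML 1.0 assertion, and derives the issuer-scoped PPID key that the user-database update on the next slide needs. It assumes TokenHelper’s decryption and signature verification have already run; the token, the clock and the fabrikam audience are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
SELF_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
TRUSTED_ISSUERS = {SELF_ISSUER}  # plus the managed-card IPs you federate with
SAMPLE_NOW = datetime(2007, 1, 1, 12, 5, tzinfo=timezone.utc)  # constructed clock

# Constructed, unsigned assertion shaped like a self-issued CardSpace token. A real one is
# encrypted to the RP's certificate and signed (XML-DSig); TokenHelper handles that first.
SAMPLE_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML}" MajorVersion="1" MinorVersion="0"
    AssertionID="uuid-constructed" Issuer="{SELF_ISSUER}" IssueInstant="2007-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2007-01-01T12:00:00Z" NotOnOrAfter="2007-01-01T12:10:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>https://www.fabrikam.com/</saml:Audience>
    </saml:AudienceRestrictionCondition></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="givenname" AttributeNamespace="{CLAIMS}">
      <saml:AttributeValue>Martin</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="surname" AttributeNamespace="{CLAIMS}">
      <saml:AttributeValue>Parry</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="{CLAIMS}">
      <saml:AttributeValue>constructed-ppid</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def read_claims(token_xml, audience, now, trusted=TRUSTED_ISSUERS):
    """Trusted issuer? valid now? issued for us? Then return (issuer, {claim URI: value})."""
    ns = {"saml": SAML}
    assertion = ET.fromstring(token_xml)
    issuer = assertion.get("Issuer")
    if issuer not in trusted:
        raise ValueError(f"untrusted issuer: {issuer}")
    cond = assertion.find("saml:Conditions", ns)
    if not _utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter")):
        raise ValueError("token outside its validity window")
    if audience not in {e.text for e in cond.iterfind(".//saml:Audience", ns)}:
        raise ValueError("token was not issued for this relying party")
    claims = {f'{a.get("AttributeNamespace")}/{a.get("AttributeName")}':
              a.findtext("saml:AttributeValue", namespaces=ns)
              for a in assertion.iterfind(".//saml:Attribute", ns)}
    return issuer, claims

def account_key(issuer, claims):
    """Unique ID for the user database: PPID scoped to its issuer, since a PPID is only
    unique per (issuer, relying party) pair."""
    ppid = claims[CLAIMS + "/privatepersonalidentifier"]
    return hashlib.sha256(f"{issuer}|{ppid}".encode()).hexdigest()
```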

Page 15: Windows CardSpace

How to implement a RP

Update user database
To include unique IDs from CardSpace

Create an association page
Users can associate cards with their accounts

Update the sign-in page
To allow the use of cards
Can still allow other credentials

Update registration page
To allow the use of cards

Page 16: Windows CardSpace

Event slides will be posted at:

http://www.microsoft.com/uk/msdnevents

Page 17: Windows CardSpace

Get the latest technology previews, trial software, special offers

Get information tailored to your needs

Pick your RSS feeds

Sign up for MSDN Connection at:

http://www.msdn.co.uk

Page 18: Windows CardSpace

Resources, tools and betas

Learn about development for Windows Live
http://dev.live.com

Useful resource for .NET Framework 3.0, the development platform for Windows Vista
http://www.netfx3.com

Get the latest betas for Windows Vista and Office 2007
http://www.microsoft.com/betaexperience

Try Visual Studio
http://www.microsoft.com/getthetrials

Check out the free Express versions of Visual Studio
http://msdn.microsoft.com/express

Learn about and try the new Web and client designer tools
http://www.microsoft.com/expression

Resources
http://www.gotdotnet.com
http://www.asp.net

Page 19: Windows CardSpace

Additional Information

UK MSDN Events
Post events page including slide decks
http://www.microsoft.com/uk/msdnevents

Upcoming events
http://www.microsoft.com/uk/msdn/events/upcoming.aspx

UK MSDN Site & Flash Newsletter
Local news, events, nuggets & webcasts
http://www.microsoft.com/uk/msdn

Register to receive the bi-weekly MSDN Flash by email
http://www.microsoft.com/uk/msdn/flash.aspx