02-MS Online Identity - Session 1


  • 8/14/2019 02-MS Online Identity - Session 1

    1/49

    2/49

    LiveID Overview
    Advantages and Drivers
    Types of Authentication: WebAuth, DelAuth, ClientAuth
    Contacts
    Summary
    Discussion

    3/49

    At the end of this session the audience should understand LiveID and how to use it. Feel confident and comfortable to go and start creating apps that use LiveID.


    5/49

    Standards Based
    Enhances Developer Productivity
    Software Services
    Claims-Based Access
    Flexibility via Choice


    7/49

    Hotmail, Live ID, Messenger, Live Search, Spaces, Alerts, Live.com, Photo Gallery, Writer, Mail, SkyDrive, OneCare, Gallery, Windows Live for Mobile, QnA, Live Search Maps, Favorites, Expo, Gadgets, Contacts, Agents, Events, Toolbar, Calendar


    9/49

    Identity pain (grouped as AuthN, On-boarding, IdP QoS):
    Business logic
    Different authentication protocols
    Account sign-up / management
    Different principal types
    Child account legal and parental controls
    Trust relationship management
    Anti-spam account detection
    Identity Provider availability and reliability

    10/49

    Above all: SECURE!
    Consumer + Enterprise
    Federation friendly
    Open & Standards-based
    Rich functionality
    Ease of use


    12/49

    Authorization: Claims, Roles, Access control
    Profile: Account registration, Membership DB
    Policy: Trust relationships, Auth token policies
    Authentication: Auth Protocols, Principal Types

    13/49

    Web site integration: co-branded user experience; open source samples in 7 languages (C#, VB, Java, Perl, PHP, Ruby, Python)
    App provider accessing user data stored in Live Services: open source samples in 7 languages
    ASP.NET controls: simplified integration; controls: IDLogin, IDLoginView, Contacts, SilverlightStreaming
    Rich client applications: Windows Client OS

    14/49

    Types of Live ID Users
    Principal Types: Live / Hotmail, EASI (E-mail As Sign-In)
    Credential Types: [Strong] Password, PIN, eID / Smart card, CardSpace
    The Password Anti-Pattern!


    16/49

    You the end user don't have to worry about setting up and maintaining the back-end infrastructure required for AuthZ and AuthN. LiveID Services takes care of it for you. LiveID Services is always online, secure, backed up and available.
    Based on open standards and platform neutral. Easy to provision, access and use. Technology agnostic. Move seamlessly across multiple applications/services - a Single Sign In service. Last but not least, the largest collection of users on a system: close to half a billion users already use LiveID, so it's easy to tap into this vast existing user base for your customer base or audience.

    17/49

    Provides an identity platform: an authentication platform, a delegation platform, a federation platform, a user and service provisioning platform, the first line of anti-spam defense
    All delivered as Software + Services: cloud hosted authentication services; client SDK libraries, 6 languages / multiplatform: ASP.NET (C# + VB), Java, Perl, Python, Ruby


    19/49

    Enabling apps to be secure: demo

    20/49

    Integration Steps:
    1. Register AppID
    2. Get WebAuth library module from SDK
    3. Use WL Tool ASP.NET controls IDLoginStatus and/or IDLoginView
    4. Create Member ID association page (optional)
    5. Test & deploy!
    Windows Live ID Web Authentication SDK Docs http://go.microsoft.com/fwlink/?LinkID=91762


    23/49

    Don't panic! The SDK libraries handle all this for you!
    Sign-in Request: GET http://login.live.com/wlogin.srf?appid=00167FFE80002700&appctx=welcomepage HTTP/1.1 ...
    Sign-in Response: POST http://www.mydomain.com/wl-handler.aspx HTTP/1.1
    action=login&appctx=welcomepage&stoken=MA12BCF0012BAM567890MABD123456ABCDEF12345667890
    Encrypted contents (stoken): appid=&uid=&ts=&sig=

    24/49

    Enabling seamless sign-in / sign-up user experience

    25/49

    Flexible sign-in customization options allow creative and seamless user
    Customizable Contents Area (Orange) - elements that can be customized: Partner logo, Task statement, Product description, Sign-up section, Header background, Task integration statement
    Customizable Theme Area (Blue) - elements cannot change; customize look & feel: Font color, Background color, Button color, User tile color, Live ID description

    26/49

    String IDs: STRID_LOGO, STRID_LOGOALTTEXT, STRID_HEADER, STRID_TITLE, STRID_SUBTITLE
    Theme colors: #336633 #e5ece5 #b5781e #b5781e #9EB39B #336633 black #C6D6B9
    Sample text: "To make a Reservation, Sign in with your Windows Live ID" / "Welcome to AdventureWorks Resorts"

    27/49

    Flexible registration screen options: ToS, CAPTCHA, Password, Username, Task integration, Header image, Password reset question / Alt e-mail, Profile info


    29/49

    Live Identity Services: Delegated

    30/49

    Parties: Application Provider (web site), Windows Live ID Delegation Service, Resource Provider (e.g., Windows Live Contacts), Consent UI (consent.live.com)
    Integration Steps:
    1. Register AppID
    2. Get DelAuth library module from SDK
    3. Create consent request URL link
    4. Create auth callback handler page
    5. Create store for consent tokens (optional)
    6. Send RP data request and process reply
    7. Test & deploy!
    Windows Live ID Delegated Authentication SDK Docs http://go.microsoft.com/fwlink/?LinkID=107420

    31/49

    https://consent.live.com/delegation.aspx?ru=http://mydomain.myapp.com/ReturnURL.aspx&ps=Contacts.View,Contacts.Update&pl=http://mydomain.myapp.com/PrivacyPolicy.htm&ttype=1&mkt=en-US&app=appid%3d10000%26ts%3d1193445084%26ip%3d157.56.190.178%26sig%3d7HgcsIEheEVO30BuPAEJhJeB8Pz0xHBV%252f%252bQD27AOdmI%253d
    Don't panic! The SDK libraries handle all this for you!
    ttype: 1=Compact token, 2=SAML token
    app: Application Verifier token - AppID, Timestamp, ClientIP, SHA256 signature

    32/49

    delt=[delegation token value elided]

    &exp=1196836447
    Don't panic! The SDK libraries handle all this for you!

    33/49

    http://consent.live.com/RefreshToken.aspx?ru=http://mydomain.myapp.com/ReturnURL.aspx&ps=Contacts.View,Contacts.Update&reft=[refresh token value elided]&app=appid%3d10000%26ts
    Don't panic! The SDK libraries handle all this for you!

    34/49

    { "ConsentToken": "delt%3d[...]%26reft%3d[...]%26skey%3d[...]%26oer%3dContacts.View,Contacts.Update%3a1228350847%26exp%3d1196836447%26sig%3d[...]%26lid%3d[...]" }

    Don't panic! The SDK libraries handle all this for you!

    35/49

    Supplies on-behalf-of functionality
    App can act on behalf of the user: subject to user's consent; for a specific offer only (e.g. Calendar.Read); for a defined time period
    Re-use / extend existing building blocks: WS-Trust RequestSecurityToken on-behalf-of element; re-use existing tokens (SAML and Compact) with new elements appid and Offer; use Roles and Sharing for storing permissions
    Scenarios that are enabled: supply auth mechanism for 3rd parties to call WL APIs (Facebook, match.com); Exchange 14 calendar sharing; application authentication (Echoes)
    Existing WL services integrate easily: RPS validates the app token, same as the auth token; RPS is configured to map the API to the Offer in the app token; app can perform additional AuthZ checks if needed
    Basic flow: app needs a token to access a WL API; send user to a consent URL with the identifier for the Offer consent is needed for; user grants consent and a token is returned to the app; app uses the token to make an authenticated call to WL
    Sequence between the User's Browser, 3rd Party Website, WLID Service and WL RP Service:
    1. Access 3rd party app
    2. Redirect to Consent
    3. Request user consent & token
    4. Redirect to 3rd party app w/ token
    5. Post token to app
    6. Request user data w/ app token
    7. Return data for the user to the app
    8. App renders data to user
    9. Renew token
    10. Request updated data
    11. Render data to user
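    Added example (not code from the deck or the Windows Live SDK): a Python parser for the ConsentToken format shown on the previous slide, with the offer and expiry checks an app should make before using delt, following the "specific offer only" and "defined time period" rules above. It assumes the oer field is a comma-separated offer list followed by ':' and an expiry timestamp, as the slide's sample suggests; signature verification with the app secret is left to the SDK, since the deck does not give the algorithm.

```python
import json
from urllib.parse import parse_qsl, quote, unquote


def parse_consent_token(consent_token):
    """Split a ConsentToken value into its fields.

    The value is a URL-encoded query string whose own values are URL-encoded
    once more (the slide shows %3d/%26 separators and %252F inside delt), so
    one unquote() exposes the separators and parse_qsl() decodes the values.
    """
    fields = dict(parse_qsl(unquote(consent_token), keep_blank_values=True))
    # Assumption from the slide's "oer=Contacts.View,Contacts.Update:1228350847":
    # a comma-separated list of consented offers, then ':' and their expiry.
    offers, sep, offer_exp = fields.get("oer", "").rpartition(":")
    if not sep:  # no expiry suffix at all
        offers, offer_exp = offer_exp, ""
    return {
        "delt": fields.get("delt", ""),   # delegation token sent to the RP
        "reft": fields.get("reft", ""),   # refresh token for RefreshToken.aspx
        "skey": fields.get("skey", ""),
        "offers": [o for o in offers.split(",") if o],
        "offer_expires": int(offer_exp) if offer_exp.isdigit() else None,
        "expires": int(fields["exp"]) if fields.get("exp", "").isdigit() else None,
        "sig": fields.get("sig", ""),     # verified by the SDK with the app secret
        "lid": fields.get("lid", ""),
    }


def authorises(token, offer, now):
    """True only if the token is unexpired and the user consented to this offer.

    Signature verification is not reproduced here (the slide does not give the
    algorithm); an app must still let the SDK verify sig before trusting delt.
    """
    if token["expires"] is None or now >= token["expires"]:
        return False
    if token["offer_expires"] is not None and now >= token["offer_expires"]:
        return False
    return offer in token["offers"]


# Constructed sample in the slide's layout; every opaque value is made up and short.
_INNER = ("delt=EwCoARconstructed%2B%2F%3D%3D&reft=F7BJconstructed%2F%2FXQ"
          "&skey=iS30constructed&oer=Contacts.View,Contacts.Update:1228350847"
          "&exp=1196836447&sig=C1itconstructed%3D&lid=0000constructed")
CONSENT_REPLY = json.dumps({"ConsentToken": quote(_INNER, safe="")})


def consent_token_from_reply(reply_body):
    """Pull the ConsentToken out of the JSON reply shown on the slide."""
    return parse_consent_token(json.loads(reply_body)["ConsentToken"])
```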


    37/49

    Integrate Desktop Applications to use Live ID
    SDK provides a managed API
    No need to worry about technical details of authentication; Live ID authentication manages this process
    Not necessary to bother about storing


    39/49

    Embracing Open Standards
    Announced at PDC

    40/49

    What is OpenID?
    OpenID is a free and easy way to use a single digital identity across the Internet. Source: OpenID Foundation - http://openid.net/
    OpenID eliminates the need for multiple usernames across different websites.
    Microsoft is becoming an OpenID Provider (OP): use your Windows Live ID account to sign in to any OpenID 2.0 enabled Web site.
    Next Steps - Try the Live ID OP:
    1. Set up a Live ID INT account: https://setup.Live-INT.com/
    2. Set up OpenID alias: https://OpenID.Live-INT.com/beta/ManageOpenID.srf
    3. Users: Use OpenID 2.0 login URI: OpenID.Live-INT.com
    4. Library developers: Test interop with the Live ID OP endpoint
    5. Web site owners: Test Live ID
    Key Implementation Details:
    Create OpenID alias attached to your Live ID account
    Authenticate with alias + account credentials
    Choice: either globally unique (public) or pair-wise anonymous (private) identifier returned to RP

    41/49

    GET http://openid.live-INT.com/OpenIDAuth.srf
    ?openid.mode=checkid_setup
    &openid.identity=http%3a%2f%2fopenid.live-int.com%2fjthelin
    &openid.ns=http%3a%2f%2fspecs.openid.net%2fauth%2f2.0
    &openid.claimed_id=http%3a%2f%2fopenid.live-int.com%2fjthelin
    &openid.realm=http%3a%2f%2flocalhost%3a49413%2f
    &openid.return_to=http%3a%2f%2flocalhost%3a49413%2flogin.aspx%3fReturnUrl%3d%252fDefault.aspx%26token%3d[RP token value elided]
    &openid.assoc_handle=d7d181a0-632e-11dd-ba82-f91efcd7aef7
    HTTP/1.1
    Don't panic! The SDK libraries handle all this for you!

    42/49

    GET /login.aspx?ReturnUrl=/Default.aspx&token=[RP token value elided]
    &openid.assoc_handle=d7d181a0-632e-11dd-ba82-f91efcd7aef7
    &openid.response_nonce=2008-08-05T20:42:15ZiBs=
    &openid.ns=http://specs.openid.net/auth/2.0
    &openid.mode=id_res
    &openid.op_endpoint=http://openid.live-int.com/openidauth.srf
    &openid.claimed_id=http://openid.live-int.com/jthelin
    &openid.sig=kdXRyifqU0vd6H4kjgY5kgwmq4nN5ZhXBSck/bfLMDg=
    &openid.identity=http://openid.live-int.com/jthelin
    &openid.signed=assoc_handle,identity,response_nonce,return_to,claimed_id,op_endpoint
    &openid.return_to=http%3a%2f%2flocalhost%3a49413%2flogin.aspx%3fReturnUrl%3d%252fDefault.aspx%26token%3d[RP token value elided]
    Don't panic! The SDK libraries handle all this for you!
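    Added example (not code from the deck or any Microsoft SDK) of the checks a relying party should make on the id_res assertion above before accepting it: the signed-field list, op_endpoint and return_to binding, nonce freshness and replay, and the HMAC signature over the Key-Value form that OpenID 2.0 defines. The MAC key, the HMAC-SHA256 association type and the sample assertion are constructed assumptions; the assoc_handle, nonce and identity strings are taken from the slide.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode

# Fields an OP must sign in a positive assertion (OpenID 2.0, section 10.1).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"}


def sign(fields, signed, mac_key):
    """Signature as the OP computes it: base64(HMAC) over the Key-Value form,
    one "key:value" line per field in openid.signed order (assumes HMAC-SHA256)."""
    kv = "".join(f"{k}:{fields.get('openid.' + k, '')}\n" for k in signed)
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()


def verify_id_res(query, mac_key, return_to, op_endpoint, now, seen_nonces,
                  max_skew=timedelta(minutes=5)):
    """Return (ok, reason) for the id_res query string delivered to return_to."""
    f = dict(parse_qsl(query, keep_blank_values=True))
    if f.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    signed = f.get("openid.signed", "").split(",")
    missing = REQUIRED_SIGNED - set(signed)
    if missing:
        return False, "unsigned fields: " + ",".join(sorted(missing))
    # Bind the assertion to our own OP endpoint and return URL before trusting it.
    if f.get("openid.op_endpoint") != op_endpoint or f.get("openid.return_to") != return_to:
        return False, "op_endpoint or return_to mismatch"
    # response_nonce opens with a UTC timestamp; reject old or already-seen values.
    nonce = f.get("openid.response_nonce", "")
    try:
        issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed nonce"
    if abs(now - issued) > max_skew or nonce in seen_nonces:
        return False, "stale or replayed nonce"
    if not hmac.compare_digest(sign(f, signed, mac_key).encode(), f.get("openid.sig", "").encode()):
        return False, "bad signature"
    seen_nonces.add(nonce)
    return True, "ok"


# Constructed sample modelled on the slide's response; the MAC key is made up.
MAC_KEY = hashlib.sha256(b"example association secret").digest()
OP_ENDPOINT = "http://openid.live-int.com/openidauth.srf"
RETURN_TO = "http://localhost:49413/login.aspx?ReturnUrl=/Default.aspx"
SIGNED = ["assoc_handle", "identity", "response_nonce", "return_to", "claimed_id", "op_endpoint"]
ASSERTION = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
             "openid.op_endpoint": OP_ENDPOINT, "openid.return_to": RETURN_TO,
             "openid.claimed_id": "http://openid.live-int.com/jthelin",
             "openid.identity": "http://openid.live-int.com/jthelin",
             "openid.assoc_handle": "d7d181a0-632e-11dd-ba82-f91efcd7aef7",
             "openid.response_nonce": "2008-08-05T20:42:15ZiBs=", "openid.signed": ",".join(SIGNED)}
ASSERTION["openid.sig"] = sign(ASSERTION, SIGNED, MAC_KEY)
QUERY = urlencode(ASSERTION)
NOW = datetime(2008, 8, 5, 20, 42, 30, tzinfo=timezone.utc)
```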


    44/49

    Enabling apps to be secure: Delegated Authentication


    46/49

    The biggest identity provider on the planet!
    ... but Live ID platform is much more than just the familiar login box
    Various types of users and various authentication models are supported
    Sign-in and Sign-up page customizations
    Increasing focus on enabling federation and enterprise access to online services
    Ease-of-use is always the goal..... and the challenge!

    47/49

    Easy
    Core Principles: Ease of use, Rich functionality, Open and Standards-based, Personal +


    49/49

    Windows Live ID Developer Center - http://dev.live.com/liveid
    Windows Live ID Articles on MSDN - http://go.microsoft.com/fwlink/?LinkId=111111
    Windows Live ID Documentation on MSDN - http://msdn2.microsoft.com/en-us/library/bb404787.aspx
    Windows Live ID Developer Forum - http://go.microsoft.com/fwlink/?LinkID=78146
    Windows Live ID Team Blog - http://winliveid.spaces.live.com
    Windows Live ID Whitepapers:
    Introduction to Windows Live ID - http://msdn2.microsoft.com/en-us/library/bb288408.aspx
    Understanding Windows Live Delegated Authentication - http://msdn2.microsoft.com/en-us/library/cc287613.aspx
    Windows Live ID Federation - http://msdn2.microsoft.com/en-us/library/cc287610.aspx
    Windows Live ID Documentation and SDKs:
    Windows Live ID Web Authentication SDK Docs - http://go.microsoft.com/fwlink/?LinkID=91762
    Web Authentication SDK Samples - http://go.microsoft.com/fwlink/?LinkID=91761
    Windows Live ID Delegated Authentication SDK Docs - http://go.microsoft.com/fwlink/?LinkID=107420
    Delegated Authentication SDK Samples - http://go.microsoft.com/fwlink/?LinkId=107419
    Windows Live ID Client SDK download - http://go.microsoft.com/fwlink/?LinkId=86974
    Delegated Authentication Resource Providers List - http://go.microsoft.com/fwlink/?LinkID=108535