8/14/2019 02-MS Online Identity - Session 1
1/49
Agenda:
LiveID Overview
Advantages and Drivers
Types of Authentication: WebAuth, DelAuth, ClientAuth
Contacts
Summary
Discussion
At the end of this session the audience should understand LiveID and how to use it, and feel confident and comfortable to go and start creating apps that use LiveID.
Standards Based
Enhances Developer Productivity
Software Services
Claims-Based Access
Flexibility via Choice
Live ID and the Windows Live services: Hotmail, Messenger, Live Search, Spaces, Alerts, Live.com, Photo Gallery, Writer, Mail, SkyDrive, OneCare, Gallery, Windows Live for Mobile, QnA, Live Search Maps, Favorites, Expo, Gadgets, Contacts, Agents, Events, Toolbar, Calendar
Identity pain (AuthN, on-boarding, IdP QoS):
Business logic
Different authentication protocols
Account sign-up / management
Different principal types
Child account legal and parental controls
Trust relationship management
Anti-spam account detection
Identity Provider availability and reliability
Above all: SECURE!
Consumer + Enterprise
Federation friendly
Open & Standards-based
Rich functionality
Ease of use
App
AuthoriZation: Claims, Roles, Access control
Profile: Account registration, Membership DB
Policy: Trust relationships, Auth token policies
Authentication: Auth Protocols, Principal Types
Web site integration: co-branded user experience; open source samples in 7 languages (C#, VB, Java, Perl, PHP, Ruby, Python)
App provider accessing user data stored in Live Services: open source samples in 7 languages
ASP.NET controls, simplified integration. Controls: IDLogin, IDLoginView, Contacts, SilverlightStreaming
Rich client applications: Windows Client OS
Types of Live ID Users
Principal types: Live / Hotmail; EASI (E-mail As Sign-In)
Credential types: [Strong] Password, PIN; eID / Smart card; CardSpace
The Password Anti-Pattern!
You, the end user, don't have to worry about setting up and maintaining the back-end infrastructure required for AuthZ and AuthN; LiveID Services takes care of it for you. LiveID Services is always online, secure, backed up and available.
Based on open standards and platform neutral. Easy to provision, access and use. Technology agnostic. Move seamlessly across multiple applications/services: a single sign-in service.
Last but not least, the largest collection of users on a system: close to half a billion users already use LiveID, so it's easy to tap into this vast existing user base for your customer base or audience.
Provides an identity platform:
An authentication platform
A delegation platform
A federation platform
A user and service provisioning platform
The first line of anti-spam defense
All delivered as Software + Services: cloud hosted authentication services
Client SDK libraries, 6 languages / multiplatform: ASP.NET (C# + VB), Java, Perl, Python, Ruby
Enabling apps to be secure (demo)
Integration Steps:
1. Register AppID
2. Get WebAuth library module from SDK
3. Use WL Tool ASP.NET controls IDLoginStatus and/or IDLoginView
4. Create Member ID association page (optional)
5. Test & deploy!
Windows Live ID Web Authentication SDK Docs: http://go.microsoft.com/fwlink/?LinkID=91762
Don't panic! The SDK libraries handle all this for you!
Sign-in request:
GET http://login.live.com/wlogin.srf?appid=00167FFE80002700&appctx=welcomepage HTTP/1.1 ...
Sign-in response:
POST http://www.mydomain.com/wl-handler.aspx HTTP/1.1
action=login&appctx=welcomepage&stoken=MA12BCF0012BAM567890MABD123456ABCDEF12345667890
Encrypted contents: appid=&uid=&ts=&sig=
Enabling seamless sign-in / sign-up user experience
Flexible sign-in customization options allow creative and seamless user
Customizable Contents Area (orange), elements that can be customized: Partner logo; Task statement; Product description; Sign-up section; Header background; Task integration statement
Customizable Theme Area (blue): elements cannot change; customize look & feel: Font color; Background color; Button color; User tile color; Live ID description
Customization example (AdventureWorks Resorts): STRID_LOGO, STRID_LOGOALTTEXT; theme colors #336633 #e5ece5 #b5781e #b5781e #9EB39B #336633 black #C6D6B9; STRID_HEADER, STRID_TITLE, STRID_SUBTITLE; text "To make a Reservation, Sign in with your Windows Live ID", "Welcome to AdventureWorks Resorts"
Flexible registration screen options: ToS; CAPTCHA; Password; Username; Task integration; Header image; Password reset question / Alt e-mail; Profile info
Live Identity Services: Delegated
Actors: Application Provider (web site); Windows Live ID Delegation Service; Resource Provider (e.g., Windows Live Contacts); Consent UI (consent.live.com)
Integration Steps:
1. Register AppID
2. Get DelAuth library module from SDK
3. Create consent request URL link
4. Create auth callback handler page
5. Create store for consent tokens (optional)
6. Send RP data request and process reply
7. Test & deploy!
Windows Live ID Delegated Authentication SDK Docs: http://go.microsoft.com/fwlink/?LinkID=107420
Consent request URL:
https://consent.live.com/delegation.aspx?ru=http://mydomain.myapp.com/ReturnURL.aspx&ps=Contacts.View,Contacts.Update&pl=http://mydomain.myapp.com/PrivacyPolicy.htm&ttype=1&mkt=en-US&app=appid%3d10000%26ts%3d1193445084%26ip%3d157.56.190.178%26sig%3d7HgcsIEheEVO30BuPAEJhJeB8Pz0xHBV%252f%252bQD27AOdmI%253d
Don't panic! The SDK libraries handle all this for you!
ttype: 1 = Compact token, 2 = SAML token
app = Application Verifier token: AppID, Timestamp, ClientIP, SHA256 signature
Return URL callback carries the consent token and its expiry: delt=<consent token>&exp=1196836447
Don't panic! The SDK libraries handle all this for you!
Refresh token request:
http://consent.live.com/RefreshToken.aspx?ru=http://mydomain.myapp.com/ReturnURL.aspx&ps=Contacts.View,Contacts.Update&reft=<refresh token>&app=appid%3d10000%26ts
Don't panic! The SDK libraries handle all this for you!
Consent token as returned to the application (the long opaque values are shown as placeholders):
{ "ConsentToken": "delt%3d<delegation token>%26reft%3d<refresh token>%26skey%3d<session key>%26oer%3dContacts.View,Contacts.Update%3a1228350847%26exp%3d1196836447%26sig%3d<signature>%26lid%3df8eb4468555a951e" }
Don't panic! The SDK libraries handle all this for you!
Supplies on-behalf-of functionality:
App can act on behalf of the user, subject to the user's consent, for a specific offer only (e.g. Calendar.Read), for a defined time period
Re-use / extend existing building blocks:
WS-Trust RequestSecurityToken on-behalf-of element
Re-use existing tokens, SAML and Compact, with new elements appid and Offer
Use Roles and Sharing for storing permissions
Scenarios that are enabled:
Supply auth mechanism for 3rd parties to call WL APIs (Facebook, match.com)
Exchange 14 calendar sharing
Application authentication (Echoes)
Existing WL services integrate easily:
RPS validates the app token, same as an auth token
RPS is configured to map the API to the Offer in the app token
App can perform additional AuthZ checks if needed
Basic flow:
App needs a token to access a WL API
Send user to a consent URL with the identifier for the Offer that consent is needed for
User grants consent and a token is returned to the App
App uses the token to make authenticated calls to WL
Sequence (User's Browser, 3rd Party Website, WLID Service, WL RP Service):
1. Access 3rd party app
2. Redirect to Consent
3. Request user consent & token
4. Redirect to 3rd party app w/ token
5. Post token to app
6. Request user data w/ app token
7. Return data for the user to the app
8. App renders data to user
9. Renew token
10. Request updated data
11. Render data to user
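The application's side of steps 4 and 5 above, as an added example that is not from the deck or the Windows Live ID SDK: parse the returned consent token, reject it if its sig does not verify, if exp has passed, or if the oer field does not grant the offers the app asked for. The signing scheme (HMAC-SHA256 with the app secret over everything before &sig=), APP_SECRET and the function names are assumptions; the slides do not specify the real token format.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed application secret (assumed); the real one is issued with the registered AppID.
APP_SECRET = b"constructed-app-secret"


def sign(body: str) -> str:
    """Assumed signing scheme: base64(HMAC-SHA256(secret, body)), carried in the sig= field."""
    mac = hmac.new(APP_SECRET, body.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def make_consent_token(delt: str, reft: str, offers: str, exp: int, lid: str) -> str:
    """Mint a token shaped like the slide's ConsentToken (used to exercise the validator)."""
    body = urlencode({"delt": delt, "reft": reft, "oer": offers, "exp": exp, "lid": lid})
    return quote(body + "&sig=" + sign(body), safe="")  # the callback delivers it URL-encoded


def validate_consent_token(token: str, requested: set, now: int):
    """Return (fields, None) if the token is valid for the requested offers, else (None, reason)."""
    raw = unquote(token)  # undo the outer encoding applied for the callback
    body, sep, sig = raw.rpartition("&sig=")
    if not sep or not hmac.compare_digest(sign(body), sig):
        return None, "signature mismatch"  # reject before trusting any field
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    if int(fields.get("exp", "0")) <= now:
        return None, "token expired"  # exp is a Unix timestamp; renew via RefreshToken.aspx
    # oer on the slide reads "Contacts.View,Contacts.Update:<ts>"; the offers precede the colon.
    granted = set(fields.get("oer", "").split(":")[0].split(","))
    if not requested <= granted:
        return None, "missing offers: " + ",".join(sorted(requested - granted))
    return fields, None
```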
Integrate desktop applications to use Live ID
SDK provides a managed API
No need to worry about technical details of authentication: Live ID authentication manages this process
Not necessary to bother about storing
Embracing Open Standards (announced at PDC)
What is OpenID?
OpenID is a free and easy way to use a single digital identity across the Internet (source: OpenID Foundation, http://openid.net/)
OpenID eliminates the need for multiple usernames across different websites
Microsoft is becoming an OpenID Provider (OP)
Next steps: try the Live ID OP
1. Set up a Live ID INT account: https://setup.Live-INT.com/
2. Set up an OpenID alias: https://OpenID.Live-INT.com/beta/ManageOpenID.srf
3. Users: use OpenID 2.0 login URI OpenID.Live-INT.com
4. Library developers: test interop with the Live ID OP endpoint
5. Web site owners: test Live ID
Use your Windows Live ID account to sign in to any OpenID 2.0 enabled Web site
Key implementation details:
Create an OpenID alias attached to your Live ID account
Authenticate with alias + account credentials
Choice: either a globally unique (public) or a pair-wise anonymous (private) identifier is returned to the RP
OpenID checkid_setup request sent to the Live ID OP:
GET http://openid.live-INT.com/OpenIDAuth.srf
?openid.mode=checkid_setup
&openid.identity=http%3a%2f%2fopenid.live-int.com%2fjthelin
&openid.ns=http%3a%2f%2fspecs.openid.net%2fauth%2f2.0
&openid.claimed_id=http%3a%2f%2fopenid.live-int.com%2fjthelin
&openid.realm=http%3a%2f%2flocalhost%3a49413%2f
&openid.return_to=http%3a%2f%2flocalhost%3a49413%2flogin.aspx
%3fReturnUrl%3d%252fDefault.aspx%26token%3dAbu8voGNbjk2%252fH
%252bWGN4vgbrzsETS0aCY%252bCSc%252frV
%252bo6kKaHR0cDovL2p0aGVsaW4ucGlwLnZlcmlzaWdubGFicy5jb20vDQ
podHRwOi8vanRoZWxpbi5waXAudmVyaXNpZ25sYWJzLmNvbS8NCg0KaH
R0cDovL3BpcC52ZXJpc2lnbmxhYnMuY29tL3NlcnZlcg0KMi4wDQo%253d &openid.assoc_handle=d7d181a0-632e-11dd-ba82-f91efcd7aef7
HTTP/1.1
Don't panic! The SDK libraries handle all this for you!
OpenID id_res response returned to the RP:
GET /login.aspx ?ReturnUrl=/Default.aspx
&token=Abu8voGNbjk2/H+WGN4vgbrzsETS0aCY+CSc/rV
+o6kKaHR0cDovL2p0aGVsaW4ucGlwLnZlcmlzaWdubGFicy5jb20vDQpodHRwOi8vanR
oZWxpbi5waXAudmVyaXNpZ25sYWJzLmNvbS8NCg0KaHR0cDovL3BpcC52ZXJpc2lnbm
xhYnMuY29tL3NlcnZlcg0KMi4wDQo=
&openid.assoc_handle=d7d181a0-632e-11dd-ba82-f91efcd7aef7 &openid.response_nonce=2008-08-05T20:42:15ZiBs=
&openid.ns=http://specs.openid.net/auth/2.0
&openid.mode=id_res
&openid.op_endpoint=http://openid.live-int.com/openidauth.srf
&openid.claimed_id=http://openid.live-int.com/jthelin
&openid.sig=kdXRyifqU0vd6H4kjgY5kgwmq4nN5ZhXBSck/bfLMDg=
&openid.identity=http://openid.live-int.com/jthelin
&openid.signed=assoc_handle,identity,response_nonce,return_to,claimed_id,op_end
point
&openid.return_to=http%3a%2f%2flocalhost%3a49413%2flogin.aspx%3fReturnUrl%3d
%252fDefault.aspx%26token%3dAbu8voGNbjk2%252fH%252bWGN4vgbrzsETS0aCY
%252bCSc%252frV
%252bo6kKaHR0cDovL2p0aGVsaW4ucGlwLnZlcmlzaWdubGFicy5jb20vDQpodHRwOi8
Don't panic! The SDK libraries handle all this for you!
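A relying-party check of the id_res response above, added here as an example and not taken from the deck or any SDK. It follows OpenID 2.0: the openid.sig is the HMAC, keyed with the MAC key agreed during association, over the signed fields in key-value form; the RP also pins return_to, rejects unknown association handles and replayed or stale response_nonce values. It assumes an HMAC-SHA256 association and uses the slide's handle and identifiers with a constructed key; the function names are mine.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

# Fields that OpenID 2.0 (section 10.1) requires openid.signed to cover.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}
NONCE_SKEW_SECONDS = 300  # tolerated drift between the OP's clock and ours (policy choice)


def sign_kv(fields, signed, mac_key):
    """Section 6.1 signature: HMAC over "name:value\\n" for each name listed in openid.signed."""
    kv = "".join(f"{name}:{fields[name]}\n" for name in signed.split(","))
    return base64.b64encode(hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()).decode()


def make_id_res(fields, mac_key):
    """Query string an OP would send back; used here only to exercise the verifier."""
    fields = dict(fields, mode="id_res", sig=sign_kv(fields, fields["signed"], mac_key))
    return urlencode({"openid." + k: v for k, v in fields.items()})


def verify_id_res(query, assocs, expected_return_to, seen_nonces, now):
    """Return (claimed_id, None) if the id_res callback verifies, else (None, reason).
    assocs maps assoc_handle -> MAC key from the association step; now is Unix time."""
    q = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    f = {k[len("openid."):]: v for k, v in q.items() if k.startswith("openid.")}
    if f.get("mode") != "id_res":
        return None, "not an id_res response"
    signed = set(f.get("signed", "").split(","))
    if not REQUIRED_SIGNED <= signed <= set(f):
        return None, "openid.signed is incomplete or names a missing field"
    if f.get("assoc_handle") not in assocs:
        return None, "unknown assoc_handle"  # a stateless RP would fall back to check_authentication
    if f.get("return_to") != expected_return_to:
        return None, "return_to mismatch"  # assertion was minted for some other request
    nonce = f["response_nonce"]  # UTC timestamp (20 chars) + OP-chosen suffix, e.g. "2008-08-05T20:42:15ZiBs="
    try:
        issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
    except ValueError:
        return None, "malformed response_nonce"
    if abs(now - issued) > NONCE_SKEW_SECONDS or nonce in seen_nonces:
        return None, "stale or replayed response_nonce"
    if not hmac.compare_digest(sign_kv(f, f["signed"], assocs[f["assoc_handle"]]), f.get("sig", "")):
        return None, "signature mismatch"
    seen_nonces.add(nonce)  # burn the nonce only once the assertion is accepted
    return f["claimed_id"], None
```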
Enabling apps to be secure: Delegated Authentication
The biggest identity provider on the planet!
But the Live ID platform is much more than just the familiar login box
Various types of users and various authentication models are supported
Sign-in and sign-up page customizations
Increasing focus on enabling federation and enterprise access to online services
Ease-of-use is always the goal..... and the challenge!
Core Principles: Easy / Ease of use; Rich functionality; Open and Standards-based; Personal +
Windows Live ID Developer Center - http://dev.live.com/liveid
Windows Live ID Articles on MSDN - http://go.microsoft.com/fwlink/?LinkId=111111
Windows Live ID Documentation on MSDN - http://msdn2.microsoft.com/en-us/library/bb404787.aspx
Windows Live ID Developer Forum - http://go.microsoft.com/fwlink/?LinkID=78146
Windows Live ID Team Blog - http://winliveid.spaces.live.com
Windows Live ID Whitepapers
Introduction to Windows Live ID - http://msdn2.microsoft.com/en-us/library/bb288408.aspx
Understanding Windows Live Delegated Authentication - http://msdn2.microsoft.com/en-us/library/cc287613.aspx
Windows Live ID Federation - http://msdn2.microsoft.com/en-us/library/cc287610.aspx
Windows Live ID Documentation and SDKs
Windows Live ID Web Authentication SDK Docs - http://go.microsoft.com/fwlink/?LinkID=91762
Web Authentication SDK Samples - http://go.microsoft.com/fwlink/?LinkID=91761
Windows Live ID Delegated Authentication SDK Docs - http://go.microsoft.com/fwlink/?LinkID=107420
Delegated Authentication SDK Samples - http://go.microsoft.com/fwlink/?LinkId=107419
Windows Live ID Client SDK download - http://go.microsoft.com/fwlink/?LinkId=86974
Delegated Authentication Resource Providers List - http://go.microsoft.com/fwlink/?LinkID=108535