Embed Size (px)
DESCRIPTION
Advances in Digital Identity. Steve Plank Identity Architect. Identity. no consistency. Naming. DNS. Connectivity. IP. taught users. type. usernames & passwords. web page. what is identity?. attributes: givenName sn preferredName planky dateOfBirth 170685! over18true - PowerPoint PPT Presentation
Citation preview
Advances in Digital Identity
Steve PlankIdentity Architect
Connectivity
Naming
IP
DNS
Identityno consistency
taught users
typeusernames &passwords
web page
what is identity?
attributes:attributes:givenNamegivenNamesnsnpreferredNamepreferredName plankyplankydateOfBirthdateOfBirth 170685!170685!over18over18 truetrueover21over21 truetrueover65over65 falsefalseimageimage
stevesteveplankplank
self assertedself asserted
verifiableverifiable
what claims i make about myself
what claims another party makes about me
elvis presley
only 1 of them is real
probably
trusttrust
make thesemake these claimsclaims
SECURITY TOKEN
steveplankover 18over 21under 65image
security token servicesecurity token service
give it somethinggive it something
DIFFERENTSECURITYTOKEN
UsernamePassword
BiometricSignature
Certificate
“Secret”
identity metasystem
participants
relying party (website)identity provider
subject
WS-*
securitytoken
service
SAML
WS-*
SAML
securitytoken
serviceWS-*
x509
identity identity providerprovider
x509
identityidentityproviderprovider
subjectsubject
relying partyrelying party relying partyrelying party
identity selector
identity selector
human integration
consistent experience across contexts
• contains claims about my identity that I assert
• not corroborated• stored locally• signed and encrypted to prevent
replay attacks
• provided by banks, stores, government, clubs, etc
• locally stored cards contain metadata only!
• data stored by identity provider and obtained only when card submitted
cards
self-issued managed
object tag
login with self issued card
relying party (website)
user
login
select self issued card
relying party (website)
user
Planky
create token from card
relying party (website)
Planky
FN: SteveLN: PlankEmail: splankCO: UK
user
sign, encrypt & send token
relying party (website)
Planky
user
object tag
login with managed card
relying party (website)
user
login
identity provider
select managed card
relying party (website)
userWoodgroveBank
identity provider
WoodgroveBank
request security token
relying party (website)identity provider
user
authN:X509, kerb, SC, U/pwd…
WoodgroveBank
request security token response
relying party (website)identity provider
user
sign, encryptsend
<body> <form id="form1" method="post" action="login.aspx"> <div> <button type="submit"> Click here to sign in with your Information Card </button> <object type="application/x-informationcard" name="xmlToken"> <param name="tokenType"
value="urn:oasis:names:tc:SAML:1.0:assertion" /> <param name="issuer
value="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" /> <param name="requiredClaims" value=" http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ privatepersonalidentifier /> </object> </div> </frm></body>
relying party (website)
token decrypter
claims extracto
r
first name
last name
phone
user database
123456789
456
xmlToken(signed &encrypted)
xmlToken(plaintext)
ppid
inde
x in
to D
B
demo
review• identity layer
• phishing, phraud
• human integration
• consistent experience across contexts
• ip
• rp
• user
• identity selector
Presentation style mercilessly stolen off Lawrence Lessig, BBC News 24 and Dick Hardt
