InfoCard and theInfoCard and theIdentity MetasystemIdentity Metasystem

Kim Cameron, Kim Cameron, Chief Architect of IdentityChief Architect of Identity

MicrosoftMicrosoft

Threats to Online SafetyThreats to Online Safety

The Internet was built without a way The Internet was built without a way to know who and what you are to know who and what you are connecting toconnecting to

Internet services have one-off Internet services have one-off “workarounds”“workarounds”Inadvertently taught people to be phished Inadvertently taught people to be phished

Greater use and greater value attract Greater use and greater value attract professional international criminal professional international criminal fringefringe

Exploit weaknesses in patchworkExploit weaknesses in patchworkPhishing and pharming at 1000% CAGRPhishing and pharming at 1000% CAGR

Missing an “Identity layer”Missing an “Identity layer”No simplistic solution is realisticNo simplistic solution is realistic

What is a Digital Identity?What is a Digital Identity?

Set of Set of claims claims one one subject makes subject makes about anotherabout anotherMany identities for Many identities for many usesmany usesRequired for Required for transactions in real transactions in real world and onlineworld and onlineModel on which all Model on which all modern access modern access technology is technology is basedbased

Lessons from PassportLessons from Passport

Passport designed to solve Passport designed to solve two problemstwo problems

Identity provider for MSNIdentity provider for MSN300M+ users, 1 billion logons per 300M+ users, 1 billion logons per dayday

Identity provider for the Identity provider for the InternetInternet

UnsuccessfulUnsuccessful

Learning: solution must be Learning: solution must be different than Passportdifferent than Passport

““The Laws of Identity”The Laws of Identity”

1.1. User control and consentUser control and consent

2.2. Minimal disclosure for a defined useMinimal disclosure for a defined use

3.3. Justifiable partiesJustifiable parties

4.4. Directional identityDirectional identity

5.5. Pluralism of operators and Pluralism of operators and

technologiestechnologies

6.6. Human integrationHuman integration

7.7. Consistent experience across Consistent experience across

contextscontexts

Join the discussion atJoin the discussion at www.identityblog.comwww.identityblog.com

Identity MetasystemIdentity Metasystem

We need a unifying “Identity We need a unifying “Identity metasystem”metasystem”

Protect applications from identity Protect applications from identity complexitiescomplexitiesAllow digital identity to be loosely Allow digital identity to be loosely coupled: multiple operators, technologies, coupled: multiple operators, technologies, and implementationsand implementations

Not first time we’ve seen this in Not first time we’ve seen this in computingcomputing

Emergence of TCP/IP unified Ethernet, Emergence of TCP/IP unified Ethernet, Token Ring, Frame Relay, X.25, even the Token Ring, Frame Relay, X.25, even the not-yet-invented wireless protocolsnot-yet-invented wireless protocols

Metasystem PlayersMetasystem Players

Relying PartiesRelying PartiesRequire identitiesRequire identities

SubjectsSubjectsIndividuals and other Individuals and other entities about whom entities about whom

claims are madeclaims are made

Identity Identity ProvidersProviders

Issue identitiesIssue identities

Empowers the User…Empowers the User…

GovernmentsGovernments

IndividualsIndividualsWork & ConsumerWork & Consumer

PrivatePrivateBusinessesBusinesses

TechnologiesTechnologiesX509, Kerberos, SAMLX509, Kerberos, SAML

ApplicationsApplicationsExisting & NewExisting & New

OrganizationsOrganizations

DevicesDevicesPCs, Mobile, PhonePCs, Mobile, Phone YouYou

InfoCard OverviewInfoCard Overview

Simple user abstraction for digital Simple user abstraction for digital identityidentity

For managing collections of claimsFor managing collections of claimsFor managing keys for sign-in and other For managing keys for sign-in and other usesuses

Grounded in real-world metaphor of Grounded in real-world metaphor of physical cardsphysical cards

Government ID card, driver’s license, credit Government ID card, driver’s license, credit card, membership card, etc…card, membership card, etc…Self-issued cards signed by userSelf-issued cards signed by userManaged cards signed by external authorityManaged cards signed by external authority

Shipping in WinFXShipping in WinFXRuns on Windows Vista, XP, and Server Runs on Windows Vista, XP, and Server 20032003

Implemented as protected subsystemImplemented as protected subsystem

Implementation PropertiesImplementation Properties

Cards represent references to identity Cards represent references to identity providersproviders

Cards have:Cards have:Address of identity providerAddress of identity providerNames of claimsNames of claimsRequired credentialRequired credential

Not claim valuesNot claim values

InfoCard data not visible to applicationsInfoCard data not visible to applicationsStored in files encrypted under system keyStored in files encrypted under system keyUser interface runs on separate desktopUser interface runs on separate desktop

Simple self-issued identity providerSimple self-issued identity providerStores name, address, email, telephone, age, Stores name, address, email, telephone, age, gendergenderNo high value informationNo high value informationUser must opt-inUser must opt-in

Protected SubsystemProtected Subsystem

Prevent disclosure of personal data and Prevent disclosure of personal data and keys to malicious code on the clientkeys to malicious code on the client

System service System service running at elevated privilegerunning at elevated privilegeEncrypted storage Encrypted storage accessible only by system accessible only by system serviceserviceUser session agent process on User session agent process on separate separate desktopdesktopSystem managed System managed user secret user secret displayed in UIdisplayed in UIUser interaction User interaction required to release PIIrequired to release PII

““InfoCard” UserInfoCard” UserExperience PreviewExperience Preview

An Identity Metasystem An Identity Metasystem ArchitectureArchitecture

Microsoft worked with industry to Microsoft worked with industry to develop protocols that enable an develop protocols that enable an identity metasystem: WS-* Web identity metasystem: WS-* Web ServicesServices

Encapsulating protocol and claims Encapsulating protocol and claims transformation: WS-Trusttransformation: WS-TrustNegotiation: WS-MetadataExchange and Negotiation: WS-MetadataExchange and WS-SecurityPolicyWS-SecurityPolicy

Only technology we know of Only technology we know of specifically designed to satisfy specifically designed to satisfy requirements of an identity requirements of an identity metasystemmetasystem

Web Site Web Site

Security Token Server (STS)Security Token Server (STS)

Browser w/ InfoCardBrowser w/ InfoCard

Identity Provider (Managed or Self-Issued)Identity Provider (Managed or Self-Issued)

Relying PartyRelying Party

Web Site Front EndWeb Site Front End

55HTTP(S)/POST Token to Target PageHTTP(S)/POST Token to Target Page

Cookie + Browser Redirect

33

InfoCard lights upInfoCard lights upUser selects cardUser selects card

HTTP(S)/GET (Protected Page) HTTP(S)/GET (Protected Page) 11

Redirect to Login PageRedirect to Login Page

Basic Protocol FlowBasic Protocol Flow

44

Get token viaGet token viaWS-MetadataExchangeWS-MetadataExchange

and WS-Trustand WS-Trust

Login Page (HTML) w/ InfoCard TagsLogin Page (HTML) w/ InfoCard Tags

HTTPS/GET (Login Page) HTTPS/GET (Login Page) 22

HTML ContentHTML Content

HTTP(s) / GET WITH COOKIE HTTP(s) / GET WITH COOKIE 66

Browser IntegrationBrowser IntegrationDesign GoalsDesign Goals

Minimal impact on web site front endMinimal impact on web site front endSupport from multiple browsersSupport from multiple browsersFail gracefully if not supported – no Fail gracefully if not supported – no negative impact on user experience negative impact on user experience for browsers that do not support for browsers that do not support integrationintegration

Incremental Addition of Incremental Addition of InfoCardInfoCard

User

Web Farm

FormsBasedLogin

Authentication

Cookie

InfoCardLogin

Cookie

Authentication

Cookie

HTTPServer HTTP

Server HTTPServer

HTTPServer

OBJECT TagOBJECT Tag<html> <head> <title>Welcome to Fabrikam</title> </head> <body> <img src='fabrikam.jpg'/> <form name="ctl00" id="ctl00" method="post" action="https://www.fabrikam.com/InfoCard-Browser/Main.aspx"> <center> <img src='infocard.bmp' onClick='ctl00.submit()'/> <input type="submit" name="InfoCardSignin" value="Log in" id="InfoCardSignin" /> </center> <OBJECT type="application/x-informationCard" name="xmlToken"> <PARAM Name="tokenType" Value="urn:oasis:names:tc:SAML:1.0:assertion"> <PARAM Name="issuer" Value= "urn:schemas-microsoft-com:ws:2005:05:identity:issuer:self"> <PARAM Name="requiredClaims" Value= "http://schemas.microsoft.com/ws/2005/05/identity/claims/emailaddress http://schemas.microsoft.com/ws/2005/05/identity/claims/givenname http://schemas.microsoft.com/ws/2005/05/identity/claims/surname"> </OBJECT> </form> </body></html>

<html> <head> <title>Welcome to Fabrikam</title> </head> <body> <img src='fabrikam.jpg'/> <form name="ctl00" id="ctl00" method="post" action="https://www.fabrikam.com/InfoCard-Browser/Main.aspx"> <center> <img src='infocard.bmp' onClick='ctl00.submit()'/> <input type="submit" name="InfoCardSignin" value="Log in" id="InfoCardSignin" /> </center> <OBJECT type="application/x-informationCard" name="xmlToken"> <PARAM Name="tokenType" Value="urn:oasis:names:tc:SAML:1.0:assertion"> <PARAM Name="issuer" Value= "urn:schemas-microsoft-com:ws:2005:05:identity:issuer:self"> <PARAM Name="requiredClaims" Value= "http://schemas.microsoft.com/ws/2005/05/identity/claims/emailaddress http://schemas.microsoft.com/ws/2005/05/identity/claims/givenname http://schemas.microsoft.com/ws/2005/05/identity/claims/surname"> </OBJECT> </form> </body></html>

Ubiquitous Ubiquitous Implementation a Key Implementation a Key GoalGoalFully interoperable via published Fully interoperable via published

protocolsprotocolsWith other identity selector With other identity selector implementationsimplementationsWith other relying party implementationsWith other relying party implementationsWith other identity provider With other identity provider implementationsimplementations

Detailed implementation guide Detailed implementation guide availableavailableThe industry has created an Open The industry has created an Open Source Identity Selector Consortium Source Identity Selector Consortium animated by Verisign, Red Hat, animated by Verisign, Red Hat, Novell, IBM, and othersNovell, IBM, and others

Microsoft provides technical assistanceMicrosoft provides technical assistance

Components Microsoft is Components Microsoft is BuildingBuilding

““InfoCard” identity selectorInfoCard” identity selectorComponent of WinFX, usable by any applicationComponent of WinFX, usable by any applicationHardened against tampering, spoofingHardened against tampering, spoofing

““InfoCard” simple self-issued identity providerInfoCard” simple self-issued identity providerSelf-issued identity for individuals running on PCsSelf-issued identity for individuals running on PCsUses strong public key-based authentication – user does Uses strong public key-based authentication – user does not disclose passwords to relying partiesnot disclose passwords to relying parties

Active Directory managed identity providerActive Directory managed identity providerPlug Active Directory users into the metasystemPlug Active Directory users into the metasystemFull set of policy controls to manage use of simple Full set of policy controls to manage use of simple identities and Active Directory identitiesidentities and Active Directory identities

Windows Communication Foundation for building Windows Communication Foundation for building distributed applications and implementing relying distributed applications and implementing relying party servicesparty services

For More InformationFor More InformationWhitepapersWhitepapers

Microsoft’s Vision for an Identity MetasystemMicrosoft’s Vision for an Identity MetasystemThe Laws of IdentityThe Laws of Identity

DocumentationDocumentationInfoCard implementer’s guidesInfoCard implementer’s guidesInfoCard browser integration guideInfoCard browser integration guide

Code and samplesCode and samplesFederated Identity and Access Resource KitFederated Identity and Access Resource KitWinFX runtimeWinFX runtime

Links from:Links from:http://www.identityblog.comhttp://msdn.microsoft.com/winfx/reference/infocard/

(Backup Slides)(Backup Slides)

WS-Trust, WS-MetadataExchange

WS-* Metasystem WS-* Metasystem ArchitectureArchitecture

SecurityToken

Service

Kerberos

WS-SecurityPolicy

SAML

SecurityToken

ServiceWS-SecurityPolicy

…

ID ProviderID Provider

x509

ID ProviderID Provider

SubjectSubject

Relying PartyRelying Party Relying PartyRelying Party

Identity Selector

Web Site Front EndWeb Site Front End

Identity Provider (Managed or Self-Issued)Identity Provider (Managed or Self-Issued)

Security Token Server (STS)Security Token Server (STS)

Browser w/ InfoCardBrowser w/ InfoCard

Relying PartyRelying Party

66Token Token via WS-Trust/RST

via WS-Trust/RSTToken Token via WS-Trust/RSTR

via WS-Trust/RSTR

33

Security Token Server (STS)Security Token Server (STS)

Login Page (HTML) w/ InfoCard TagsLogin Page (HTML) w/ InfoCard Tags

HTTPS/GET (Login Page) HTTPS/GET (Login Page) 22

44

InfoCard lights upInfoCard lights upUser selects cardUser selects card

55

Get token viaGet token viaWS-MetadataExchangeWS-MetadataExchange

and WS-Trustand WS-Trust

77

HTTP(S)/GET (Protected Page) HTTP(S)/GET (Protected Page) Redirect to Login PageRedirect to Login Page

11Web Site Web Site

HTTP(S)/POST Token to Target PageHTTP(S)/POST Token to Target Page

Retrieve Policy

Retrieve Policy via WS-MetadataExchange

via WS-MetadataExchange

Cookie + Browser Redirect

Flow with Relying Party Flow with Relying Party STSSTS