Upload
joselyn-battin
View
215
Download
0
Tags:
Embed Size (px)
Citation preview
InfoCard and theInfoCard and theIdentity MetasystemIdentity Metasystem
Kim Cameron, Kim Cameron, Chief Architect of IdentityChief Architect of Identity
MicrosoftMicrosoft
Threats to Online SafetyThreats to Online Safety
The Internet was built without a way The Internet was built without a way to know who and what you are to know who and what you are connecting toconnecting to
Internet services have one-off Internet services have one-off “workarounds”“workarounds”Inadvertently taught people to be phished Inadvertently taught people to be phished
Greater use and greater value attract Greater use and greater value attract professional international criminal professional international criminal fringefringe
Exploit weaknesses in patchworkExploit weaknesses in patchworkPhishing and pharming at 1000% CAGRPhishing and pharming at 1000% CAGR
Missing an “Identity layer”Missing an “Identity layer”No simplistic solution is realisticNo simplistic solution is realistic
What is a Digital Identity?What is a Digital Identity?
Set of Set of claims claims one one subject makes subject makes about anotherabout anotherMany identities for Many identities for many usesmany usesRequired for Required for transactions in real transactions in real world and onlineworld and onlineModel on which all Model on which all modern access modern access technology is technology is basedbased
Lessons from PassportLessons from Passport
Passport designed to solve Passport designed to solve two problemstwo problems
Identity provider for MSNIdentity provider for MSN300M+ users, 1 billion logons per 300M+ users, 1 billion logons per dayday
Identity provider for the Identity provider for the InternetInternet
UnsuccessfulUnsuccessful
Learning: solution must be Learning: solution must be different than Passportdifferent than Passport
““The Laws of Identity”The Laws of Identity”
1.1. User control and consentUser control and consent
2.2. Minimal disclosure for a defined useMinimal disclosure for a defined use
3.3. Justifiable partiesJustifiable parties
4.4. Directional identityDirectional identity
5.5. Pluralism of operators and Pluralism of operators and
technologiestechnologies
6.6. Human integrationHuman integration
7.7. Consistent experience across Consistent experience across
contextscontexts
Join the discussion atJoin the discussion at www.identityblog.comwww.identityblog.com
Identity MetasystemIdentity Metasystem
We need a unifying “Identity We need a unifying “Identity metasystem”metasystem”
Protect applications from identity Protect applications from identity complexitiescomplexitiesAllow digital identity to be loosely Allow digital identity to be loosely coupled: multiple operators, technologies, coupled: multiple operators, technologies, and implementationsand implementations
Not first time we’ve seen this in Not first time we’ve seen this in computingcomputing
Emergence of TCP/IP unified Ethernet, Emergence of TCP/IP unified Ethernet, Token Ring, Frame Relay, X.25, even the Token Ring, Frame Relay, X.25, even the not-yet-invented wireless protocolsnot-yet-invented wireless protocols
Metasystem PlayersMetasystem Players
Relying PartiesRelying PartiesRequire identitiesRequire identities
SubjectsSubjectsIndividuals and other Individuals and other entities about whom entities about whom
claims are madeclaims are made
Identity Identity ProvidersProviders
Issue identitiesIssue identities
Empowers the User…Empowers the User…
GovernmentsGovernments
IndividualsIndividualsWork & ConsumerWork & Consumer
PrivatePrivateBusinessesBusinesses
TechnologiesTechnologiesX509, Kerberos, SAMLX509, Kerberos, SAML
ApplicationsApplicationsExisting & NewExisting & New
OrganizationsOrganizations
DevicesDevicesPCs, Mobile, PhonePCs, Mobile, Phone YouYou
InfoCard OverviewInfoCard Overview
Simple user abstraction for digital Simple user abstraction for digital identityidentity
For managing collections of claimsFor managing collections of claimsFor managing keys for sign-in and other For managing keys for sign-in and other usesuses
Grounded in real-world metaphor of Grounded in real-world metaphor of physical cardsphysical cards
Government ID card, driver’s license, credit Government ID card, driver’s license, credit card, membership card, etc…card, membership card, etc…Self-issued cards signed by userSelf-issued cards signed by userManaged cards signed by external authorityManaged cards signed by external authority
Shipping in WinFXShipping in WinFXRuns on Windows Vista, XP, and Server Runs on Windows Vista, XP, and Server 20032003
Implemented as protected subsystemImplemented as protected subsystem
Implementation PropertiesImplementation Properties
Cards represent references to identity Cards represent references to identity providersproviders
Cards have:Cards have:Address of identity providerAddress of identity providerNames of claimsNames of claimsRequired credentialRequired credential
Not claim valuesNot claim values
InfoCard data not visible to applicationsInfoCard data not visible to applicationsStored in files encrypted under system keyStored in files encrypted under system keyUser interface runs on separate desktopUser interface runs on separate desktop
Simple self-issued identity providerSimple self-issued identity providerStores name, address, email, telephone, age, Stores name, address, email, telephone, age, gendergenderNo high value informationNo high value informationUser must opt-inUser must opt-in
Protected SubsystemProtected Subsystem
Prevent disclosure of personal data and Prevent disclosure of personal data and keys to malicious code on the clientkeys to malicious code on the client
System service System service running at elevated privilegerunning at elevated privilegeEncrypted storage Encrypted storage accessible only by system accessible only by system serviceserviceUser session agent process on User session agent process on separate separate desktopdesktopSystem managed System managed user secret user secret displayed in UIdisplayed in UIUser interaction User interaction required to release PIIrequired to release PII
““InfoCard” UserInfoCard” UserExperience PreviewExperience Preview
An Identity Metasystem An Identity Metasystem ArchitectureArchitecture
Microsoft worked with industry to Microsoft worked with industry to develop protocols that enable an develop protocols that enable an identity metasystem: WS-* Web identity metasystem: WS-* Web ServicesServices
Encapsulating protocol and claims Encapsulating protocol and claims transformation: WS-Trusttransformation: WS-TrustNegotiation: WS-MetadataExchange and Negotiation: WS-MetadataExchange and WS-SecurityPolicyWS-SecurityPolicy
Only technology we know of Only technology we know of specifically designed to satisfy specifically designed to satisfy requirements of an identity requirements of an identity metasystemmetasystem
Web Site Web Site
Security Token Server (STS)Security Token Server (STS)
Browser w/ InfoCardBrowser w/ InfoCard
Identity Provider (Managed or Self-Issued)Identity Provider (Managed or Self-Issued)
Relying PartyRelying Party
Web Site Front EndWeb Site Front End
55HTTP(S)/POST Token to Target PageHTTP(S)/POST Token to Target Page
Cookie + Browser Redirect
33
InfoCard lights upInfoCard lights upUser selects cardUser selects card
HTTP(S)/GET (Protected Page) HTTP(S)/GET (Protected Page) 11
Redirect to Login PageRedirect to Login Page
Basic Protocol FlowBasic Protocol Flow
44
Get token viaGet token viaWS-MetadataExchangeWS-MetadataExchange
and WS-Trustand WS-Trust
Login Page (HTML) w/ InfoCard TagsLogin Page (HTML) w/ InfoCard Tags
HTTPS/GET (Login Page) HTTPS/GET (Login Page) 22
HTML ContentHTML Content
HTTP(s) / GET WITH COOKIE HTTP(s) / GET WITH COOKIE 66
Browser IntegrationBrowser IntegrationDesign GoalsDesign Goals
Minimal impact on web site front endMinimal impact on web site front endSupport from multiple browsersSupport from multiple browsersFail gracefully if not supported – no Fail gracefully if not supported – no negative impact on user experience negative impact on user experience for browsers that do not support for browsers that do not support integrationintegration
Incremental Addition of Incremental Addition of InfoCardInfoCard
User
Web Farm
FormsBasedLogin
Authentication
Cookie
InfoCardLogin
Cookie
Authentication
Cookie
HTTPServer HTTP
Server HTTPServer
HTTPServer
OBJECT TagOBJECT Tag<html> <head> <title>Welcome to Fabrikam</title> </head> <body> <img src='fabrikam.jpg'/> <form name="ctl00" id="ctl00" method="post" action="https://www.fabrikam.com/InfoCard-Browser/Main.aspx"> <center> <img src='infocard.bmp' onClick='ctl00.submit()'/> <input type="submit" name="InfoCardSignin" value="Log in" id="InfoCardSignin" /> </center> <OBJECT type="application/x-informationCard" name="xmlToken"> <PARAM Name="tokenType" Value="urn:oasis:names:tc:SAML:1.0:assertion"> <PARAM Name="issuer" Value= "urn:schemas-microsoft-com:ws:2005:05:identity:issuer:self"> <PARAM Name="requiredClaims" Value= "http://schemas.microsoft.com/ws/2005/05/identity/claims/emailaddress http://schemas.microsoft.com/ws/2005/05/identity/claims/givenname http://schemas.microsoft.com/ws/2005/05/identity/claims/surname"> </OBJECT> </form> </body></html>
<html> <head> <title>Welcome to Fabrikam</title> </head> <body> <img src='fabrikam.jpg'/> <form name="ctl00" id="ctl00" method="post" action="https://www.fabrikam.com/InfoCard-Browser/Main.aspx"> <center> <img src='infocard.bmp' onClick='ctl00.submit()'/> <input type="submit" name="InfoCardSignin" value="Log in" id="InfoCardSignin" /> </center> <OBJECT type="application/x-informationCard" name="xmlToken"> <PARAM Name="tokenType" Value="urn:oasis:names:tc:SAML:1.0:assertion"> <PARAM Name="issuer" Value= "urn:schemas-microsoft-com:ws:2005:05:identity:issuer:self"> <PARAM Name="requiredClaims" Value= "http://schemas.microsoft.com/ws/2005/05/identity/claims/emailaddress http://schemas.microsoft.com/ws/2005/05/identity/claims/givenname http://schemas.microsoft.com/ws/2005/05/identity/claims/surname"> </OBJECT> </form> </body></html>
Ubiquitous Ubiquitous Implementation a Key Implementation a Key GoalGoalFully interoperable via published Fully interoperable via published
protocolsprotocolsWith other identity selector With other identity selector implementationsimplementationsWith other relying party implementationsWith other relying party implementationsWith other identity provider With other identity provider implementationsimplementations
Detailed implementation guide Detailed implementation guide availableavailableThe industry has created an Open The industry has created an Open Source Identity Selector Consortium Source Identity Selector Consortium animated by Verisign, Red Hat, animated by Verisign, Red Hat, Novell, IBM, and othersNovell, IBM, and others
Microsoft provides technical assistanceMicrosoft provides technical assistance
Components Microsoft is Components Microsoft is BuildingBuilding
““InfoCard” identity selectorInfoCard” identity selectorComponent of WinFX, usable by any applicationComponent of WinFX, usable by any applicationHardened against tampering, spoofingHardened against tampering, spoofing
““InfoCard” simple self-issued identity providerInfoCard” simple self-issued identity providerSelf-issued identity for individuals running on PCsSelf-issued identity for individuals running on PCsUses strong public key-based authentication – user does Uses strong public key-based authentication – user does not disclose passwords to relying partiesnot disclose passwords to relying parties
Active Directory managed identity providerActive Directory managed identity providerPlug Active Directory users into the metasystemPlug Active Directory users into the metasystemFull set of policy controls to manage use of simple Full set of policy controls to manage use of simple identities and Active Directory identitiesidentities and Active Directory identities
Windows Communication Foundation for building Windows Communication Foundation for building distributed applications and implementing relying distributed applications and implementing relying party servicesparty services
For More InformationFor More InformationWhitepapersWhitepapers
Microsoft’s Vision for an Identity MetasystemMicrosoft’s Vision for an Identity MetasystemThe Laws of IdentityThe Laws of Identity
DocumentationDocumentationInfoCard implementer’s guidesInfoCard implementer’s guidesInfoCard browser integration guideInfoCard browser integration guide
Code and samplesCode and samplesFederated Identity and Access Resource KitFederated Identity and Access Resource KitWinFX runtimeWinFX runtime
Links from:Links from:http://www.identityblog.comhttp://msdn.microsoft.com/winfx/reference/infocard/
(Backup Slides)(Backup Slides)
WS-Trust, WS-MetadataExchange
WS-* Metasystem WS-* Metasystem ArchitectureArchitecture
SecurityToken
Service
Kerberos
WS-SecurityPolicy
SAML
SecurityToken
ServiceWS-SecurityPolicy
…
ID ProviderID Provider
x509
ID ProviderID Provider
SubjectSubject
Relying PartyRelying Party Relying PartyRelying Party
Identity Selector
Web Site Front EndWeb Site Front End
Identity Provider (Managed or Self-Issued)Identity Provider (Managed or Self-Issued)
Security Token Server (STS)Security Token Server (STS)
Browser w/ InfoCardBrowser w/ InfoCard
Relying PartyRelying Party
66Token Token via WS-Trust/RST
via WS-Trust/RSTToken Token via WS-Trust/RSTR
via WS-Trust/RSTR
33
Security Token Server (STS)Security Token Server (STS)
Login Page (HTML) w/ InfoCard TagsLogin Page (HTML) w/ InfoCard Tags
HTTPS/GET (Login Page) HTTPS/GET (Login Page) 22
44
InfoCard lights upInfoCard lights upUser selects cardUser selects card
55
Get token viaGet token viaWS-MetadataExchangeWS-MetadataExchange
and WS-Trustand WS-Trust
77
HTTP(S)/GET (Protected Page) HTTP(S)/GET (Protected Page) Redirect to Login PageRedirect to Login Page
11Web Site Web Site
HTTP(S)/POST Token to Target PageHTTP(S)/POST Token to Target Page
Retrieve Policy
Retrieve Policy via WS-MetadataExchange
via WS-MetadataExchange
Cookie + Browser Redirect
Flow with Relying Party Flow with Relying Party STSSTS