Copyright © 2007 Microsoft Corporation. All Rights Reserved. Claims-based Identity Beyond Identity Silos 1st European Identity Conference 2007 Don Schmidt.

Presentation transcript:

Slide 1: Claims-based Identity Beyond Identity Silos
1st European Identity Conference 2007
Don Schmidt, Principal Program Manager Architect, Microsoft Corp
http://identity-des.com

Slide 2: Agenda
- Identity Silos
  – Summary of problems and costs
- Claims-based Identity
  – Identity Federation
  – Claim Transformation
  – User Selection
- Rx for Identity Silos
  – Enterprise Directory to Identity Metasystem

Slide 3: eCommerce System Snapshot
- Network de-perimeterization
  – Organizational boundaries dissolving
- Service oriented application architecture
  – Reusable, “legonic” web services
- Isolated, inflexible identity silos
  – Local identity system is the only source of truth
  – Authenticates all users directly
  – Manages authoritative version of all user attributes

Slide 4: De-perimeterization and SOA (diagram)
Populations shown around the organization: your EMPLOYEES on your NETWORK; your REMOTE and MOBILE EMPLOYEES; your PARTNERS and their NETWORKS; your SUPPLIERS and their NETWORKS; your CUSTOMERS.

Slide 5: Identity Silos (diagram)
The same populations (your SUPPLIERS and their NETWORKS; your PARTNERS and their NETWORKS; your EMPLOYEES on your NETWORK; your REMOTE and MOBILE EMPLOYEES; your CUSTOMERS), each served by a separate identity silo.

Slide 6: Identity Silos Cost Institutions Productivity, Security & Compliance
- End User Productivity
  – Provisioning latency
  – Forgotten passwords
  – Logon frequency
- IT/Helpdesk Efficiency
  – External user account provisioning requests
  – Password reset requests
  – Lifecycle management
- Security
  – Orphaned or inaccurate accounts
  – Compromised passwords
  – Unnecessary access
- Regulatory Compliance
  – Privacy protection
  – End-to-end auditing
  – Repudiation

Slide 7: Identity Silos Threaten People's Privacy, Reputation and Finances
- Internet built without identity safeguards
  – Web sites trained users to fill in forms
  – Filling in forms trained users to be phished
- Ease and profit of identity fraud growing
  – High value transactions attracting professional criminals
  – Phishing and pharming growing at about 1000% CAGR (per www.antiphishing.org)

Slide 8: Agenda
- Identity Silos
  – Summary of problems and costs
- Claims-based Identity Metasystem
  – Identity Federation
  – Claim Transformation
  – System or User Selection
- Rx for Identity Silos
  – Enterprise Directory to Identity Metasystem

Slide 9: Digital Identity
- Set of claims about a subject
  – Asserted by subject or third party
  – Uniquely identify subject, describe attributes, or both
- Possibly many IDs for many purposes
  – Use may require proving ownership
- Parallels physical world
- Common model for access technology

Slide 10: Identity Federation
- Relying Party does not manage identity
- RP depends on external Identity Providers to
  – Authenticate a subject
  – Provide accurate digital identity
- RP determines “its truth” based on:
  – IP with closest relationship to subject, or
  – How IP authenticated subject, or
  – Average of multiple IPs, or …

Slide 11: Identity Federation Flow (diagram)
The Identity Provider's STS asserts claims in a Security Token signed with its Signing Certificate and sends the claims to the Relying Party's App; the App accepts the token on the basis of PKI Trust in that certificate.

Slide 12: Agenda (repeat of slide 8)

Slide 13: Claim Transformation
- Claims can be transformed by Security Token Services before the RP consumes them
- Provides impedance matching between RP, IP and subject
  – IP may not store claim values in the same data type as the RP requires
  – IP may not issue claims with the same syntax as the RP requires
  – User may want to send derived claims (e.g. “over 21”) rather than the stored claim value

Slide 14: Simplifies Programming
- No application code needed to retrieve identity claims
  – Required claims published as part of configuration
- Applications get exactly & only the claims they need
  – Generated per-application by claims transform
  – Excellent privacy characteristics
Diagram: Claims → Transform → Claims → Transform, under a Trust relationship; the application publishes its WS-SecurityPolicy Required Claims: Name, Job Title, Projects.

Slide 15: Claim Transformation Flow (diagram)
Participants: IP STS, RP STS, Client, Application. The Application publishes its WS-SecurityPolicy Required Claims (Name, Job Title, Projects); the Client obtains a token from the IP STS, has it transformed by the RP STS, and presents the result to the Application.
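Slides 13 to 15 describe one pipeline: the IP STS asserts stored attributes, the RP STS reshapes them to the RP's published policy, and the application consumes only the result. The following is an added example, not code from the presentation: it is a Python simulation with constructed attribute data, hypothetical claim names standing in for the WS-SecurityPolicy required-claims list, and HMAC keys standing in for each STS's signing certificate and the PKI trust in it; it shows the three kinds of impedance matching from slide 13 (type conversion, syntax change, a derived “over 21” claim) and the minimal-disclosure property from slide 14.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed IP-side attribute store: the IP's own names, types and syntax.
IP_ATTRIBUTES = {
    "alice": {"givenName": "Alice", "sn": "Example", "title": "Sr. Engineer",
              "memberOf": "CN=ProjA,OU=Projects;CN=ProjB,OU=Projects", "birthDate": "1980-05-17"},
    "bob": {"givenName": "Bob", "sn": "Example", "title": "Intern",
            "memberOf": "CN=ProjA,OU=Projects", "birthDate": "1990-01-01"},
}
# Hypothetical claim names, standing in for the RP's WS-SecurityPolicy required-claims list.
RP_REQUIRED_CLAIMS = ("name", "jobtitle", "projects", "over21")
# Constructed symmetric keys stand in for each STS's signing certificate; trusting a key models PKI trust.
IP_STS_KEY, RP_STS_KEY = b"constructed-ip-sts-key", b"constructed-rp-sts-key"

def sign(claims, key):
    """Issue a token: canonical claim body plus an HMAC (stand-in for an XML signature)."""
    body = json.dumps(claims, sort_keys=True)
    return {"claims": body, "sig": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def verify(token, key):
    """Accept the claims only if the token was signed by the trusted STS key."""
    expected = hmac.new(key, token["claims"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise ValueError("token signature invalid: untrusted or tampered token")
    return json.loads(token["claims"])

def ip_sts_issue(subject):
    """IP STS asserts the subject's stored attributes as claims, unchanged."""
    return sign(IP_ATTRIBUTES[subject], IP_STS_KEY)

def rp_sts_transform(ip_token, required=RP_REQUIRED_CLAIMS, today=date(2007, 5, 1)):
    """RP STS: verify the IP token, then emit exactly the claims the RP policy requires."""
    a = verify(ip_token, IP_STS_KEY)
    born = date.fromisoformat(a["birthDate"])
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    rules = {
        "name": lambda: f"{a['givenName']} {a['sn']}",          # syntax: two fields -> one value
        "jobtitle": lambda: a["title"],                          # rename only
        "projects": lambda: [dn.split(",")[0].split("=", 1)[1]   # type: DN string -> list of names
                             for dn in a["memberOf"].split(";")],
        "over21": lambda: age >= 21,                             # derived claim; birthDate stays private
    }
    return sign({c: rules[c]() for c in required}, RP_STS_KEY)

def application_consume(rp_token):
    """The application trusts only its RP STS and reads claims without fetching any itself."""
    return verify(rp_token, RP_STS_KEY)
```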

Slide 16: Agenda (repeat of slide 8)

Slide 17: Laws of Identity
Established through industry dialog:
1. User control and consent
2. Minimal disclosure for a defined use
3. Justifiable parties
4. Directional identity
5. Pluralism of operators and technologies
6. Human integration
7. Consistent experience across contexts

Slide 18: User Selection Integrates Silos (diagram)
- Relying Parties (RP), which require claims: Government Services, Financial Institutions, Business Partners, Online Merchants, Educational Institutions, Community Web Sites
- Identity Providers (IP), which issue claims: Government Agencies, Your Bank, Your Employer, Your Telco or ISP, Your University, Communities Of Interest
- Subjects, who get and present claims

Slide 19: CardSpace Selector Flow (diagram)
Participants: Browser w/ CardSpace; Relying Party Web Site Front End; Identity Provider (Managed or Self-Issued) with its Security Token Service (STS).
1. HTTP(S) GET (Protected Page) → Redirect to Login Page
2. HTTP(S) GET (Login Page) → Login Page (w/ InfoCard Tag)
3. CardSpace lights up; user selects card
4. WS-Trust RST/RSTR: authenticate user to STS and get token
5. CardSpace delivers token to browser
6. HTTPS POST (w/ Token) → Cookie + Browser Redirect
7. HTTPS GET + Cookie → HTML Content

Slide 20: Agenda (repeat of slide 8)

Slide 21: Migrating to the Metasystem (diagram)
Components: Identity Provider Realm (Identity STS, Claim Store, Policy Service with Policy Store); Relying Party Realm (Application / Web Service, Federation STS, Policy Service with Policy Store, Pseudonym Token Service / Pseudonym Service, Attribute Token Service / Attribute Service, Authorization Token Service / Authorization Service, each with its Claim Store, and an Agent); Client with Identity Selector.
Numbered exchanges:
(1) WS-MetadataExchange / WS-SecurityPolicy
(2) WS-MEX / WS-SecurityPolicy
(3) WS-MEX / WS-SecurityPolicy
(4) WS-Trust / WS-Federation
(5) WS-Trust / WS-Federation
(6) WS-Security / Application Request
(7) WS-Trust “OnBehalfOf”
(8) WS-Security / Application Response

Slide 22: Microsoft Open Specification Promise (OSP)
- Perpetual legal promise that Microsoft will never bring legal action against anyone for using the protocols listed
  – Includes all the protocols underlying CardSpace
- Issued September 2006
http://www.microsoft.com/interop/osp/

Slide 23: Please visit Microsoft Exhibition Area
Microsoft & Partner Identity & Access Solutions (Topic – Vendor):
- CardSpace – A.T.E. Software (windowscardspace.de)
- Certificate Management – Microsoft (microsoft.com/ILM)
- Federated Identity – Microsoft (microsoft.com/FederatedIdentity)
- Password Management – FastPassCorp.com
- Unix/AD Integration – Centrify.com
- User & Role Management / Provisioning – OxfordComputerGroup.de, Omada.net
IDA topics represented by Microsoft & partners at the 1st European Identity Conference, May 2007, Munich, Germany. Product logos shown: Active Directory Federation Services; Identity Lifecycle Manager 2007.

Slide 24: Legal notice
Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
