Claims-based Identity Beyond Identity Silos. 1st European Identity Conference 2007. Don Schmidt. Copyright © 2007 Microsoft Corporation. All Rights Reserved.

Presentation transcript:

Claims-based Identity Beyond Identity Silos
1st European Identity Conference 2007
Don Schmidt, Principal Program Manager Architect, Microsoft Corp

Agenda
Identity Silos
  – Summary of problems and costs
Claims-based Identity
  – Identity Federation
  – Claim Transformation
  – User Selection
Rx for Identity Silos
  – Enterprise Directory to Identity Metasystem

eCommerce System Snapshot
Network de-perimeterization
  – Organizational boundaries dissolving
Service oriented application architecture
  – Reusable, “legonic” web services
Isolated, inflexible identity silos
  – Local identity system is the only source of truth
  – Authenticates all users directly
  – Manages authoritative version of all user attributes

De-perimeterization and SOA
(Diagram of the parties that now reach the enterprise: your employees on your network, your remote and mobile employees, your partners and their networks, your suppliers and their networks, and your customers.)

Identity Silos
(Diagram: the same parties, your suppliers and their networks, your partners and their networks, your employees on your network, your remote and mobile employees, and your customers, each served by a separate identity silo.)

Identity Silos Cost Institutions Productivity, Security & Compliance
Regulatory Compliance
  – Privacy protection
  – End-end auditing
  – Repudiation
End User Productivity
  – Provisioning latency
  – Forgotten passwords
  – Logon frequency
IT/Helpdesk Efficiency
  – External user account provisioning requests
  – Password reset requests
  – Lifecycle management
Security
  – Orphaned or inaccurate accounts
  – Compromised passwords
  – Unnecessary access

Identity Silos Threaten People: Privacy, Reputation and Finances
Internet built without identity safeguards
  – Web sites trained users to fill in forms
  – Filling in forms trained users to be phished
Ease and profit of identity fraud growing
  – High value transactions attracting professional criminals
  – Phishing and pharming about 1000% CAGR (per


Digital Identity
Set of claims about a subject
  – Asserted by subject or third party
  – Uniquely identify subject, describe attributes, or both
Possibly many IDs for many purposes
  – Use may require proving ownership
Parallels physical world
Common model for access technology

Identity Federation
Relying Party does not manage identity
RP depends on external Identity Providers
  – Authenticate a subject
  – Provide accurate digital identity
RP determines “its truth” based on:
  – IP with closest relationship to subject, or
  – How IP authenticated subject, or
  – Average of multiple IPs, or …

Identity Federation Flow
(Diagram: the Identity Provider's STS asserts claims and sends them to the Relying Party's application inside a security token signed with the IP's signing certificate; the RP's trust in the IP rests on PKI.)
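The flow above, as an added example rather than code from the deck: an IP-side STS asserts claims in a signed token and the RP accepts the claims only from an issuer in its trust store, with the token intact, addressed to it and within its validity window. HMAC-SHA256 with a shared key stands in for the signing certificate and PKI trust of the slide; the issuer URI, audience URI, key and claim values are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed RP trust store: issuer URI -> verification key. In the deck this is
# PKI trust in the IP's signing certificate; HMAC-SHA256 stands in for it here.
TRUSTED_ISSUERS = {"https://sts.idp.example": b"constructed-demo-key-for-idp"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_token(issuer, key, subject, claims, audience, now, ttl=300):
    """IP STS: assert claims about the subject in a signed security token."""
    body = {"iss": issuer, "sub": subject, "aud": audience,
            "iat": now, "exp": now + ttl, "claims": claims}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token, audience, now, trusted=TRUSTED_ISSUERS):
    """RP: accept the claims only if the token comes from a trusted IP, is intact,
    is addressed to this RP and is within its validity window.
    Returns (True, claims) or (False, reason)."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        body = json.loads(payload)
    except ValueError:                      # bad base64, bad JSON or wrong shape
        return False, "malformed token"
    if not isinstance(body, dict):
        return False, "malformed token"
    key = trusted.get(body.get("iss"))
    if key is None:
        return False, "issuer not trusted"  # no trust relationship with this IP
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"       # altered in transit or wrong key
    if body.get("aud") != audience:
        return False, "wrong audience"      # token minted for a different RP
    if not body.get("iat", 0) <= now < body.get("exp", 0):
        return False, "expired or not yet valid"
    return True, body.get("claims", {})
```

The check order matters: an RP that inspects claims before verifying issuer and signature would act on whatever the client chose to send.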


Claim Transformation
Claims can be transformed by Security Token Services before RP consumes them
Provides impedance matching between RP, IP and subject
  – IP may not store claim values in same data type as RP requires
  – IP may not issue claims with same syntax as RP requires
  – User may want to send derived claims (e.g. >21) rather than stored claim value

Simplifies Programming
No application code needed to retrieve identity claims
  – Required claims published as part of configuration
Applications get exactly & only the claims they need
  – Generated per-application by claims transform
  – Excellent privacy characteristics
(Diagram: claims pass through a transform at each trust boundary; the application's WS-SecurityPolicy lists its required claims: Name, Job Title, Projects.)

Claim Transformation Flow
(Diagram: Client, IP STS, RP STS and Application; the RP publishes its required claims, Name, Job Title and Projects, in WS-SecurityPolicy, and the STS chain transforms the IP's claims into exactly that set.)
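An added example for the two claim transformation slides above (not code from the deck): an RP-side STS rule set that derives exactly the claims the application publishes as required, covering the three mismatches named on the slide (data type, syntax, derived value) and dropping everything else. The IP claim names, the required-claim list and the sample subject are constructed assumptions.

```python
from datetime import date

# Constructed: the claims the application publishes as required (the deck's
# WS-SecurityPolicy list) and the IP-side claim names we assume it issues.
RP_REQUIRED_CLAIMS = ["name", "jobtitle", "over21"]


def _full_name(ip):
    # Syntax mismatch: the IP issues given name and surname as two claims,
    # the application wants one display name.
    return f"{ip['givenname']} {ip['surname']}"


def _over21(ip, today):
    # Derived claim: the stored date of birth stays at the STS, only a
    # boolean (age 21 or older) is released to the application.
    born = date.fromisoformat(ip["dateofbirth"])
    had_birthday = (today.month, today.day) >= (born.month, born.day)
    age = today.year - born.year - (0 if had_birthday else 1)
    return age >= 21


def _job_title(ip, today):
    # Data type / format mismatch: normalise free-text title to a canonical form.
    return ip["title"].strip().title()


TRANSFORMS = {
    "name": lambda ip, today: _full_name(ip),
    "jobtitle": _job_title,
    "over21": _over21,
}


def transform_claims(ip_claims, required=RP_REQUIRED_CLAIMS, today=None):
    """RP STS: emit exactly the required claims and nothing else.
    Raises KeyError if a required claim has no rule or the IP lacks its inputs."""
    today = today or date.today()
    out = {}
    for name in required:
        rule = TRANSFORMS.get(name)
        if rule is None:
            raise KeyError(f"no transform rule for required claim {name!r}")
        out[name] = rule(ip_claims, today)
    return out  # claims the application did not ask for never leave the STS
```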


Laws of Identity
Established through industry dialog
1. User control and consent
2. Minimal disclosure for a defined use
3. Justifiable parties
4. Directional identity
5. Pluralism of operators and technologies
6. Human integration
7. Consistent experience across contexts

User Selection Integrates Silos
(Diagram of the three roles and the parties that fill them.)
Relying Parties (RP), require claims: Government Services, Financial Institutions, Business Partners, Online Merchants, Educational Institutions, Community Web Sites
Identity Providers (IP), issue claims: Government Agencies, Your Bank, Your Employer, Your Telco or ISP, Your University, Communities Of Interest
Subjects: get and present claims

CardSpace Selector Flow
Parties: Browser w/ CardSpace; Relying Party Web Site Front End; Identity Provider (Managed or Self-Issued) with its Security Token Service (STS)
1. HTTP(S) GET (Protected Page); RP responds with Redirect to Login Page
2. HTTP(S) GET (Login Page); RP returns Login Page (w/ InfoCard Tag)
3. CardSpace lights up; user selects card
4. WS-Trust RST/RSTR: authenticate user to STS and get token
5. CardSpace delivers token to browser
6. HTTPS POST (w/ Token) to RP; RP responds with Cookie + Browser Redirect
7. HTTPS GET + Cookie; RP returns HTML Content


Migrating to the Metasystem
(Diagram of the components and numbered protocol exchanges.)
Identity Provider Realm: Identity STS, Policy Service / Policy Store, Claim Store, Attribute Service / Attribute Token Service, Pseudonym Service / Pseudonym Token Service, Authorization Service / Authorization Token Service, Agent
Relying Party Realm: Federation STS, Application / Web Service, Policy Service / Policy Store, Claim Store
Client: Identity Selector
Exchanges:
(1) { WS-MetadataExchange } { WS-SecurityPolicy }
(2) { WS-MEX } { WS-SecurityPolicy }
(3) { WS-MEX } { WS-SecurityPolicy }
(4) { WS-Trust } { WS-Federation }
(5) { WS-Trust } { WS-Federation }
(6) { WS-Security } { Application Request }
(7) { WS-Trust } “OnBehalfOf”
(8) { WS-Security } { Application Response }

Microsoft Open Specification Promise (OSP)
Perpetual legal promise that Microsoft will never bring legal action against anyone for using the protocols listed
  – Includes all the protocols underlying CardSpace
Issued September 2006

Please visit Microsoft Exhibition Area
Microsoft & Partner Identity & Access Solutions
Topic / Vendor:
  – CardSpace: A.T.E. Software (windowscardspace.de)
  – Certificate Management: Microsoft (microsoft.com/ILM)
  – Federated Identity: Microsoft (microsoft.com/FederatedIdentity)
  – Password Management: FastPassCorp.com
  – Unix/AD Integration: Centrify.com
  – User & Role Management / Provisioning: OxfordComputerGroup.de, Omada.net
IDA topics represented by Microsoft & partners at the 1st European Identity Conference, May 2007, Munich, Germany.
Active Directory Federation Services; Identity Lifecycle Manager 2007

Copyright © 2007 Microsoft Corporation. All Rights Reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.