Vittorio Bertocci Sr. Architect Evangelist Microsoft Corporation ARC204.

Agenda Introducing Claims-Based Identity Claims-Based Identity Scenarios A Closer Look at ADFS 2.0, WIF, CardSpace 2.0

What was "Geneva"? Three related technologies: Active Directory Federation Services 2.0, codename “Geneva” Server, the next release of Active Directory Federation Services (AD FS); Windows CardSpace 2.0, codename CardSpace “Geneva”, the next release of CardSpace; Windows Identity Foundation, codename “Geneva” Framework. “Geneva” delivers on the claims-based identity vision.

What is Identity? An identity is a set of information about some entity, such as a user Most applications work with identity Identity information drives important aspects of an application’s behavior, such as: Determining what a user is allowed to do Controlling how the application interacts with the user

Defining the Problem Working with identity is too hard Applications must use different identity technologies in different situations: Active Directory (Kerberos) inside a Windows domain Username/password on the Internet WS-Federation and the Security Assertion Markup Language (SAML) between organizations Why not define one approach that can be used in all of these cases? Claims-based identity allows this It can make life simpler for developers

Tokens and Claims Representing identity on the wire A token is an artifact transporting identity information This information consists of one or more claims Claims are statements about an entity, asserted by the token issuer

Identity Providers and STSs An identity provider is an authority that makes claims about an entity Common identity providers today: On your company’s network: Your employer On the Internet: Most often, you An identity provider implements a security token service (STS) It’s software that issues tokens Requests for tokens are made via WS-Trust WS-Federation SAML Many token formats can be used The SAML format is increasingly popular

Getting a Token Illustrating an identity provider and its STS

Acquiring and Using a Token

Why Claims Are an Improvement In today’s world, an application typically gets only simple “identity” information Such as a user’s name To get more, the application must query: A remote database, e.g., a directory service A local database With claims-based identity, each application can ask for exactly the claims that it needs The STS puts these in the token it creates

How Applications Can Use Claims Some examples A claim can identify a user A claim can convey group or role membership A claim can convey personalization information Such as the user’s display name A claim can grant or deny the right to do something Such as access particular information or invoke specific methods A claim can constrain the right to do something Such as indicating the user’s purchasing limit
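The slide lists five ways an application can act on claims (identify the user, role membership, personalization, grant/deny, constrain). The block below is an added example, not code from the presentation or from WIF: it models a claim as a (type, value, issuer) triple, the way WIF's Claim class does, and shows each of the five uses as a small authorization decision. The name and role claim-type URIs are the standard ones used by WS-Federation/SAML token issuers; the purchase-limit claim type and the sample users are constructed for this example.

```python
from decimal import Decimal

# Standard claim-type URIs (the same ones WIF's ClaimTypes.Name / ClaimTypes.Role carry).
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
# Constructed, application-specific claim types (not a standard URI).
DISPLAY_NAME = "http://schemas.example.com/claims/displayname"
PURCHASE_LIMIT = "http://schemas.example.com/claims/purchaselimit"

# Constructed sample identities: a list of claims, each a dict with type, value, issuer.
ISSUER = "https://sts.example.com"
ALICE = [
    {"type": NAME, "value": "alice", "issuer": ISSUER},
    {"type": ROLE, "value": "Purchaser", "issuer": ISSUER},
    {"type": DISPLAY_NAME, "value": "Alice Liddell", "issuer": ISSUER},
    {"type": PURCHASE_LIMIT, "value": "5000", "issuer": ISSUER},
]
BOB = [
    {"type": NAME, "value": "bob", "issuer": ISSUER},
    {"type": ROLE, "value": "Purchaser", "issuer": ISSUER},
    {"type": ROLE, "value": "Manager", "issuer": ISSUER},
    {"type": PURCHASE_LIMIT, "value": "20000", "issuer": ISSUER},
]


def find_claims(claims, claim_type):
    """Return every value of the given claim type (a token may carry several, e.g. roles)."""
    return [c["value"] for c in claims if c["type"] == claim_type]


def user_name(claims):
    """A claim can identify a user: the single Name claim is the identity the app keys on."""
    names = find_claims(claims, NAME)
    if len(names) != 1:
        raise ValueError("expected exactly one name claim, got %d" % len(names))
    return names[0]


def in_role(claims, role):
    """A claim can convey group or role membership."""
    return role in find_claims(claims, ROLE)


def display_name(claims):
    """A claim can convey personalization information; fall back to the login name."""
    return (find_claims(claims, DISPLAY_NAME) or find_claims(claims, NAME) or ["anonymous"])[0]


def may_purchase(claims, amount):
    """A claim can constrain a right: the purchase limit caps the amount.
    With no limit claim present the answer is 'no' (fail closed); with several,
    the most restrictive one wins."""
    limits = find_claims(claims, PURCHASE_LIMIT)
    if not limits:
        return False
    return Decimal(str(amount)) <= min(Decimal(v) for v in limits)


def authorize(claims, action, amount=None):
    """A claim can grant or deny the right to do something: map actions to claim checks."""
    if action == "view_orders":
        return in_role(claims, "Purchaser") or in_role(claims, "Manager")
    if action == "approve_order":
        return in_role(claims, "Manager") and may_purchase(claims, amount)
    return False  # unknown actions are denied


if __name__ == "__main__":
    for who in (ALICE, BOB):
        print(user_name(who), display_name(who),
              "view:", authorize(who, "view_orders"),
              "approve 15000:", authorize(who, "approve_order", 15000))
```

Two design points are worth noting: lookups are by claim type, so the application never parses the token format itself, and the constraint check fails closed when the limit claim is absent, so a token from an issuer that does not emit that claim cannot silently grant unlimited purchasing.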

Supporting Multiple Identities Using an identity selector

[Diagram: ADFS 2.0 and WIF in an Enterprise]

[Diagram: Allowing Internet Access]

[Diagram: Using an External Identity Provider]

Identity Across Organizations Describing the problem A user in one Windows forest must access an application in another Windows forest A user in a non-Windows world must access an application in a Windows forest (or vice-versa)

Identity Across Organizations Possible solutions One option: duplicate accounts Requires separate login, extra administration A better approach: identity federation One organization accepts identities provided by the other No duplicate accounts Single sign-on for users
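The two slides "Identity Providers and STSs" and this one describe the same mechanism from two angles: an STS issues a signed token carrying claims, and a relying party accepts tokens only from issuers it has a trust relationship with, which is what lets Organization Y honour identities from Organization X without duplicating accounts. The block below is an added example, not code from the presentation, ADFS or WIF: an `issue_token` function standing in for each organization's STS and a `validate_token` function standing in for the relying party. It assumes a keyed HMAC per issuer in place of the X.509 signature a real STS such as ADFS 2.0 would use, and a JSON body in place of a SAML assertion; the issuer URLs and keys are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed: each organization's STS has its own signing key.
KEY_ORG_X = b"org-x-sts-signing-key"
KEY_ORG_Y = b"org-y-sts-signing-key"
STS_X = "https://sts.orgx.example"
STS_Y = "https://sts.orgy.example"

# The relying party in Organization Y trusts its own STS and, by federation, Org X's.
# This trust list IS the federation relationship: no accounts for Org X users exist here.
TRUSTED_ISSUERS = {STS_X: KEY_ORG_X, STS_Y: KEY_ORG_Y}


def issue_token(issuer, key, subject, claims, lifetime=300, now=None):
    """STS side: bind claims about `subject` to `issuer` with a signature and a validity window.
    `claims` is a list of [type, value] pairs. Assumption: HMAC-SHA256 stands in for XML-DSig."""
    now = time.time() if now is None else now
    body = {"issuer": issuer, "subject": subject, "claims": claims,
            "iat": now, "exp": now + lifetime}
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def validate_token(token, trusted_issuers, now=None):
    """Relying-party side: accept the token only if its issuer is trusted, the signature
    verifies under that issuer's key and the validity window covers `now`.
    Returns the claims as dicts with type, value and issuer (the shape WIF hands an app)."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
        body = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    issuer = body.get("issuer")
    key = trusted_issuers.get(issuer)
    if key is None:
        raise ValueError("untrusted issuer: %r" % issuer)
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("signature check failed")
    if not (body["iat"] <= now < body["exp"]):
        raise ValueError("token outside its validity window")
    # Every claim is tagged with the issuer that asserted it, so the app can
    # decide per claim type whether this issuer is allowed to assert it.
    return [{"type": t, "value": v, "issuer": issuer} for t, v in body["claims"]]


def federated_login(now=1000):
    """Walk-through: a user from Org X presents an Org X token to the Org Y application."""
    token = issue_token(STS_X, KEY_ORG_X, "alice@orgx.example",
                        [["name", "Alice"], ["role", "Purchaser"]], now=now)
    return validate_token(token, TRUSTED_ISSUERS, now=now + 60)


def rejected_cases(now=1000):
    """Return the reasons the relying party gives for three tokens it must refuse."""
    reasons = []
    good = issue_token(STS_X, KEY_ORG_X, "alice@orgx.example", [["role", "Purchaser"]], now=now)
    foreign = issue_token("https://sts.unknown.example", b"some-key", "mallory", [["role", "Admin"]], now=now)
    # Constructed tampering: a different payload reusing the original signature.
    forged_payload = issue_token(STS_X, KEY_ORG_X, "alice@orgx.example", [["role", "Admin"]], now=now).split(".")[0]
    tampered = forged_payload + "." + good.split(".")[1]
    for bad, when in ((foreign, now + 60), (tampered, now + 60), (good, now + 3600)):
        try:
            validate_token(bad, TRUSTED_ISSUERS, now=when)
            reasons.append("accepted")
        except ValueError as exc:
            reasons.append(str(exc))
    return reasons


if __name__ == "__main__":
    print(federated_login())
    print(rejected_cases())
```

The point to take from the layout is that the relying party never contacts Organization X's directory; it only needs X's public verification material (here a shared key) in its trust list, which is what ADFS 2.0's trust-relationship management automates.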

[Diagram: Identity Federation (1), Organization X and Organization Y]

[Diagram: Identity Federation (2), Organization X and Organization Y]

[Diagram: Delegation]

Changes in ADFS 2.0 From AD FS 1.x AD FS 1.x supports only passive clients (i.e., browsers) using WS-Federation ADFS 2.0: Supports both active and passive clients Supports WS-Federation, WS-Trust and the SAML 2.0 protocol Improves management of trust relationships By automating some exchanges Issues Information Cards

Windows CardSpace 2.0 Selecting identities CardSpace 2.0 provides a consistent user interface for choosing an identity Using the metaphor of cards Choosing a card selects an identity (i.e., a token)

Information Cards Behind each card a user sees is an information card It’s an XML file that describes the set of claims the user may obtain from an identity provider Information cards don’t contain: Claim values for the identity Whatever is required to authenticate to the identity provider’s STS (the card only names the issuer and the claim types it can supply; the values arrive in a token after the user authenticates)
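To make concrete what an information card does and does not hold, the block below is an added example, not code from the presentation or from CardSpace: it parses two constructed card files, extracts the issuer and the list of supported claim types, confirms that no claim values are present, and then does the job of an identity selector by picking the cards that can satisfy a relying party's required claims. The element names (`InformationCard`, `Issuer`, `SupportedClaimTypeList`, `SupportedClaimType` with a `Uri` attribute) follow the shape of the Information Card XML format as an assumption; the card contents, issuers and claim-type URIs other than the standard name/role/email ones are constructed.

```python
import xml.etree.ElementTree as ET

IC_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity"
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed sample cards. Note that only claim *types* appear; no values, no credentials.
EMPLOYEE_CARD = """<ic:InformationCard xmlns:ic="%s">
  <ic:CardName>Contoso Employee</ic:CardName>
  <ic:Issuer>https://sts.contoso.example</ic:Issuer>
  <ic:SupportedClaimTypeList>
    <ic:SupportedClaimType Uri="%s"/>
    <ic:SupportedClaimType Uri="%s"/>
    <ic:SupportedClaimType Uri="%s"/>
  </ic:SupportedClaimTypeList>
</ic:InformationCard>""" % (IC_NS, NAME, EMAIL, ROLE)

WEBMAIL_CARD = """<ic:InformationCard xmlns:ic="%s">
  <ic:CardName>Personal Webmail</ic:CardName>
  <ic:Issuer>https://login.webmail.example</ic:Issuer>
  <ic:SupportedClaimTypeList>
    <ic:SupportedClaimType Uri="%s"/>
    <ic:SupportedClaimType Uri="%s"/>
  </ic:SupportedClaimTypeList>
</ic:InformationCard>""" % (IC_NS, NAME, EMAIL)


def parse_card(xml_text):
    """Read a card into {name, issuer, claim_types}. Raises if the card carries claim values,
    which would mean it is not an information card but a token."""
    root = ET.fromstring(xml_text)  # cards are local files the user installed; not untrusted input here
    q = lambda tag: "{%s}%s" % (IC_NS, tag)
    if root.tag != q("InformationCard"):
        raise ValueError("not an InformationCard document")
    claim_types = []
    for el in root.iter(q("SupportedClaimType")):
        if (el.text or "").strip() or len(el):
            raise ValueError("card must describe claim types only, not values")
        claim_types.append(el.get("Uri"))
    return {
        "name": root.findtext(q("CardName")),
        "issuer": root.findtext(q("Issuer")),
        "claim_types": claim_types,
    }


def card_satisfies(card, required_claim_types):
    """Identity-selector rule: a card is usable only if it can supply every required claim."""
    return set(required_claim_types) <= set(card["claim_types"])


def select_cards(card_xmls, required_claim_types):
    """Return the names of the cards a selector would offer for this relying party's policy."""
    return [c["name"] for c in map(parse_card, card_xmls) if card_satisfies(c, required_claim_types)]


if __name__ == "__main__":
    # An intranet app that needs name + role: only the employee card qualifies.
    print(select_cards([EMPLOYEE_CARD, WEBMAIL_CARD], [NAME, ROLE]))
    # A newsletter site that needs only an e-mail address: either card works.
    print(select_cards([EMPLOYEE_CARD, WEBMAIL_CARD], [EMAIL]))
```

The separation the parser enforces is the security property of the card model: compromising a stored card yields a description of what an issuer could say, not a usable credential or any personal data.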

Information Cards An illustration

Creating Industry Agreement The Information Card Foundation is a multi-vendor group dedicated to making this technology successful Its board members include Google, Microsoft, Novell, Oracle, and PayPal A Web site can display a standard icon to indicate that it accepts card-based logins

Changes in CardSpace 2.0 From the first CardSpace release CardSpace 2.0 is a complete rewrite in native code, smaller and faster CardSpace 2.0 contains optimizations for applications that users visit repeatedly A Web site can display the card you last used to log in to the site The CardSpace 2.0 prompt needn’t appear Self-issued cards have been dropped

Windows Identity Foundation The goal: Make it easier for developers to create claims-aware applications Originally known as “Zermatt” Current Beta 2 under the codename “Geneva” Framework WIF provides: Protocol & token handling Classes for working with claims Tooling & Visual Studio integration Support for creating a custom STS More

Conclusions Changing how applications (and people) work with identity is not a small thing Widespread adoption of claims-based identity will take time Yet all of the pieces required to make claims-based identity real on Windows are coming: ADFS 2.0 Windows CardSpace 2.0 Windows Identity Foundation

References Introducing “Geneva”: An Overview of the “Geneva” Server, CardSpace “Geneva”, and the “Geneva” Framework [Link] Keith Brown’s “Geneva” Framework White Paper for Developers [Link] Entry page on Microsoft.com MSDN Forums Videos Blogs

Related Content Breakout Sessions SEC305 Developing Identity-aware & more secure applications: using Microsoft Windows Identity Foundation for fun and profit

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.