A Claims Based Identity System Steve Plank Identity Architect Microsoft UK.


2 A Claims Based Identity System Steve Plank Identity Architect Microsoft UK

3 topics
  phishing, phraud
  identity layer
  7 laws
    human integration
    consistent experience across contexts
  Identity metasystem
    ip, rp, user
    identity selector
  non-disclosure tokens

4 bad person's database: web server under the control of somebody else
  gullible@hotmail.com / ****************
  www.identitytheft.com
  www.mybank.com.net.iwill.take.over.your.life.com/dodgy.php

5 IIS, Credentials database, FormsAuthentication.SetLoginCookie()
  www.newcorp.com / www.megacorp.com
  Application Error: Cross-domain cookie. A cookie has been received from a security domain other than the one to which this web server is a member. This is a potential security breach. Please consult the application or web server administrator.
  Custom Solution

6 Connectivity: IP
  Naming: DNS
  Identity: no consistency

7 the 7 laws of identity
  user control and consent
  minimal disclosure for a defined use
  justifiable parties
  directional identity
  pluralism of operators and technologies
  human integration
  consistent experience across contexts
  www.identityblog.com

8 Human integration Consistent experience across contexts Planky’s Card Card Collection

9 Identity Provider
  First name | Last name | Email        | ...
  Steve      | Plank     | planky@a.com | ...
  Bob        | Smith     | Bsmith@a.com | ...
  Identity Selector / Subject
  1:1 relationship between cards and identity providers
  Locally installed software: not under somebody else's control

10 Metadata: URI of the Identity Provider
  Claims you can get from the IP: givenname, lastname, email, user-id, etc.
  Identity Provider
  First name | Last name | Email        | ...
  Steve      | Plank     | planky@a.com | ...
  Bob        | Smith     | Bsmith@a.com | ...
  digital signature

11 Identity Provider digital signature cryptographic binding between the card and the IP

12 Pluralism of operators and technologies Human integration Consistent experience across contexts There will be many Identity Providers each running its own technology stack OR

13 Relying Party / Identity Provider / Subject: Identity Metasystem (Microsoft Identity MetaSystem)
  WS-* Web Service, WS-* Web Site, HTML
  <wst:Claims wst:Dialect="http://schemas.microsoft.com/ws/2005/05/identity">
    <ic:Claim URI="http://.../ws/2005/05/identity/claims/givenname"/>
    <ic:Claim URI="http://.../ws/2005/05/identity/claims/surname"
    <ic:Claim URI="http://.../ws/2005/05/identity/claims/email"/>
    <ic:Claim URI="http://.../ws/2005/05/identity/claims/privatepersonalidentifier"...
  <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
  <param name="requiredClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />

14 Relying Party Identity Selector’s Built-in Identity Provider Subject Identity Metasystem 2 degrees of store protection: System Key Password Key Personal Cards : fixed schema

15 personal cards: what claims I make about myself; fixed schema (protect the users from themselves!)
   managed cards: what claims another party makes about me; flexible schema

16 elvis presley only 1 of them is real probably

17 SECURITY TOKEN Steve Plank Over 18 Over 21 Under 65 image SAML Token XrML License X.509 Certificate Kerberos ticket....others

18 security token service: give it something
  SECURITY TOKEN (Steve Plank, Over 18, Over 21, Under 65, image) in exchange for a DIFFERENT SECURITY TOKEN (Username/Password, Biometric, Signature, Certificate)
  web service: STS
    MEX (Metadata Exchange) endpoint: policy, how to get tokens
    token service endpoint: responds to RST (Request Security Token), delivers tokens (wrapped in RSTR (RST Response))

19 relying party / identity provider / subject
  click login button
  get policy: uri of ip, required claims, optional claims, token type
  authenticate: "identity.provider.com requires username and password to validate this request. Enter the information below"
  policy: authn reqs, token types...
  RST
  RSTR

20 relying party / identity provider / subject
  real token / display token
    *givenname: Steve
    *surname: Plank
    *emailaddress: planky@plankytronixx.com
    *privatepersonalidentifier: planky123
  Do you want to send this card to: ip.sisa.com
  token authentication, token decryption

21 ... but the IP could tell lies! subject real token display token real token might be opaque how to inform the subject?

22 Non-disclosure tokens Steve Plank splank@microsoft.com DOB: 17-Jun-59 Authenticity Signature stefan brands credentica u-prove acquired 6th march 2008 privacy
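The exchange sketched on slides 17 to 22 (RP policy with required and optional claims, RST to the STS, RSTR carrying a real token plus a display token, and age-range claims that avoid disclosing the date of birth) as an added, runnable example; it is not code from the presentation or from CardSpace. All names, the `ip.sisa.com` records and the dates are constructed, and a shared-key HMAC stands in for the IP's digital signature (a real IP signs with its private key and the RP verifies against the public key named in the card metadata). The selector-side consistency check also assumes the real token is readable by the selector, which slide 21 notes is not guaranteed when the token is opaque.

```python
import base64
import hashlib
import hmac
import json
from datetime import date

# Constructed: key shared between the IP (STS) and the RP. In CardSpace/WS-Trust
# the IP signs with its private key and the RP verifies with the IP's public key;
# an HMAC is used here only to keep the example self-contained.
IP_SIGNING_KEY = b"constructed-demo-signing-key"
IP_NAME = "ip.sisa.com"
DEMO_TODAY = date(2008, 3, 6)  # constructed "today" for the age-range claims

# Constructed identity provider records (the IP's own database).
IDENTITY_STORE = {
    "planky@a.com": {"givenname": "Steve", "surname": "Plank",
                     "emailaddress": "planky@a.com", "dob": date(1959, 6, 17)},
}


def rp_policy(rp_name):
    """Policy the identity selector fetches from the RP: token type plus
    required and optional claims (compare the tokenType/requiredClaims params)."""
    return {"audience": rp_name,
            "token_type": "urn:oasis:names:tc:SAML:1.0:assertion",
            "required_claims": ["givenname", "surname", "over18"],
            "optional_claims": ["emailaddress"]}


def age_on(dob, today):
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def derive_claims(record, requested, today):
    """Build only the claims that were asked for. Age-range claims are derived
    from the date of birth so the DOB itself is never put in the token."""
    derived = {"over18": lambda: age_on(record["dob"], today) >= 18,
               "over21": lambda: age_on(record["dob"], today) >= 21,
               "under65": lambda: age_on(record["dob"], today) < 65}
    claims = {}
    for name in requested:
        if name in derived:
            claims[name] = derived[name]()
        elif name in record and name != "dob":
            claims[name] = record[name]
    return claims


def sign(body_text):
    return hmac.new(IP_SIGNING_KEY, body_text.encode(), hashlib.sha256).hexdigest()


def sts_issue(subject, rst, today):
    """STS answering a Request Security Token: the RSTR carries the signed real
    token (base64 body + signature) and a human-readable display token."""
    record = IDENTITY_STORE[subject]
    requested = rst["required_claims"] + rst["optional_claims"]
    claims = derive_claims(record, requested, today)
    body_text = json.dumps({"iss": IP_NAME, "sub": subject, "aud": rst["audience"],
                            "type": rst["token_type"], "claims": claims}, sort_keys=True)
    real_token = {"body": base64.b64encode(body_text.encode()).decode(),
                  "sig": sign(body_text)}
    return {"token": real_token, "display_token": dict(claims)}


def selector_display_matches_real(rstr):
    """Identity selector check: what the user is shown must describe the same
    claims as the real token that will actually be sent (slide 21's concern)."""
    body = json.loads(base64.b64decode(rstr["token"]["body"]).decode())
    return body["claims"] == rstr["display_token"]


def rp_verify(rstr, policy):
    """Relying party: check the signature first, then audience, token type and
    that every required claim is present. Returns (accepted, detail)."""
    token = rstr["token"]
    body_text = base64.b64decode(token["body"]).decode()
    if not hmac.compare_digest(sign(body_text), token["sig"]):
        return False, "signature does not verify"
    body = json.loads(body_text)
    if body["aud"] != policy["audience"]:
        return False, "token was issued for a different relying party"
    if body["type"] != policy["token_type"]:
        return False, "unexpected token type"
    missing = [c for c in policy["required_claims"] if c not in body["claims"]]
    if missing:
        return False, "missing required claims: " + ", ".join(missing)
    return True, body["claims"]


if __name__ == "__main__":
    policy = rp_policy("www.mybank.com")
    rstr = sts_issue("planky@a.com", policy, DEMO_TODAY)
    print("display matches real token:", selector_display_matches_real(rstr))
    print("RP verdict:", rp_verify(rstr, policy))
```

The token for `www.mybank.com` is rejected by a policy for any other audience, a token whose signature is altered fails before its claims are even read, and an `over18` claim reaches the RP without the date of birth that produced it.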

23 review
  phishing, phraud
  identity layer
  7 laws
    human integration
    consistent experience across contexts
  Identity metasystem
    ip, rp, user
    identity selector
  non-disclosure tokens
  www.identityblog.com

