David Chappell, Chappell & Associates
www.davidchappell.com
Slide 3
Agenda
- Introducing Claims-Based Identity
- Using Claims-Based Identity: Scenarios
- Microsoft Technologies for Claims-Based Identity: A Closer Look
Slide 5
Claims-Based Identity: The core Microsoft technologies
- Active Directory Federation Services (AD FS) 2.0: the next release of AD FS
- CardSpace 2.0: the next release of CardSpace
- Windows Identity Foundation (WIF) 1.0, pronounced "Dub-I-F"
- These three technologies were previously code-named "Geneva"
Slide 6
What is Identity?
- An identity is a set of information about some entity, such as a user
- Most applications work with identity
- Identity information drives important aspects of an application's behavior, such as:
  - Determining what a user is allowed to do
  - Controlling how the application interacts with the user
Slide 7
Defining the Problem: Working with identity is too hard
- Applications must use different identity technologies in different situations:
  - Active Directory (Kerberos) inside a Windows domain
  - Username/password on the Internet
  - WS-Federation and the Security Assertion Markup Language (SAML) between organizations
- Why not define one approach that applications can use in all of these cases?
  - Claims-based identity allows this
  - It can make life simpler for developers
Slide 8
Tokens and Claims: Representing identity on the wire
[Figure: a token made up of Claim 1, Claim 2, Claim 3 ... Claim n (example claims: Name, Group, Age) plus a signature]
- A token is a set of bytes that expresses information about an identity
- This information consists of one or more claims
  - Each claim contains some information about the entity to which this token applies
- The token's signature indicates who created this token and guards against changes
Slide 9
Identity Providers and STSs
- An identity provider (or issuer) is an authority that makes claims about an entity
- Common identity providers today:
  - On your company's network: your employer
  - On the Internet: most often, you
- An identity provider implements a security token service (STS)
  - It's software that issues tokens
  - Requests for tokens are made via WS-Trust
  - Many token formats can be used; the SAML format is popular
Slide 10
Getting a Token: Illustrating an identity provider and an STS
[Figure: a user with a browser or client; an identity provider containing a security token service (STS) and an account/attribute store]
1) The browser or client authenticates the user to the STS and requests a token
2) The STS gets information about the user from the account/attribute store
3) The STS creates and returns the token
Slide 11
Acquiring and Using a Token
[Figure: a user with a browser or client; an identity provider with an STS; an application containing an identity library and a list of trusted STSs]
1) The browser or client authenticates the user to the identity provider's STS and gets a token
2) The browser or client submits the token to the application
3) The application's identity library verifies the token's signature and checks whether this STS is on its list of trusted STSs
4) The application uses the claims in the token
Slide 12
Why Claims Are an Improvement
- In today's world, an application typically gets only simple identity information, such as a user's name
- To get more, the application must query:
  - A remote database, e.g., a directory service
  - A local database
- With claims-based identity, each application can ask for exactly the claims that it needs
  - The STS puts these in the token it creates
Slide 13
How Applications Can Use Claims: Some examples
- A claim can identify a user
- A claim can convey group or role membership
- A claim can convey personalization information, such as the user's display name
- A claim can grant or deny the right to do something, such as access particular information or invoke specific methods
- A claim can constrain the right to do something, such as indicating the user's purchasing limit
Slide 14
Supporting Multiple Identities: Using an identity selector
[Figure: a user with a browser or client that hosts an identity selector; several identity providers, each with an STS; an application with an identity library]
1) Access the application and learn its token requirements
2) Select an identity that matches those requirements
3) Authenticate the user and get a token for the selected identity
4) Submit the token
5) Use the claims in the token
Slide 15
Claims-Based Identity for Windows
[Figure: the flow of slide 14 with Microsoft's technologies in each role: CardSpace 2.0 as the identity selector in the browser or client, AD FS 2.0 as the identity providers' STS, and Windows Identity Foundation as the application's identity library]
1) Access the application and learn its token requirements
2) Select an identity that matches those requirements
3) Authenticate the user and get a token for the selected identity
4) Submit the token
5) Use the claims in the token
Slide 17
An Enterprise Scenario
[Figure: a user with a browser or client running CardSpace 2.0; Active Directory Domain Services; AD FS 2.0 as the STS; an application built on WIF]
1) Log in to the domain and get a Kerberos ticket
2) Access the application and learn its token requirements
3) Select an identity that matches those requirements
4) Present the Kerberos ticket to AD FS 2.0 and request a token for the selected identity
5) AD FS 2.0 finds the claims required by the application in Active Directory Domain Services and creates the token
6) Receive the token
7) Submit the token to the application
8) Use the claims in the token
Slide 18
Allowing Internet Access
[Figure: a user on the Internet with a browser or client running CardSpace 2.0; AD FS 2.0 as the STS, backed by Active Directory Domain Services; an application built on WIF]
1) Access the application and learn its token requirements
2) Select an identity that matches those requirements
3) Authenticate the user to AD FS 2.0 and get a token for the selected identity
4) Submit the token
5) Use the claims in the token
Slide 19
Using an External Identity Provider
[Figure: a user on the Internet with a browser or client running CardSpace 2.0; external identity providers (Windows Live ID and others), each with an STS; an application built on WIF]
1) Access the application and learn its token requirements
2) Select an identity that matches those requirements
3) Authenticate the user to the external identity provider and get a token for the selected identity
4) Submit the token
5) Use the claims in the token
Slide 20
Identity Across Organizations: Describing the problem
- A user in one Windows forest must access an application in another Windows forest
- A user in a non-Windows world must access an application in a Windows forest (or vice-versa)
Slide 21
Identity Across Organizations: Possible solutions
- One option: duplicate accounts
  - Requires separate login, extra administration
- A better approach: identity federation
  - One organization accepts identities provided by the other
  - No duplicate accounts
  - Single sign-on for users
Slide 22
Identity Federation (1)
[Figure: Organization X has the user with a browser or client running CardSpace 2.0, Active Directory Domain Services, and an AD FS 2.0 STS; Organization Y has an STS and an application built on WIF. The application's list of trusted STSs names both Organization Y and Organization X]
1) Access the application and learn its token requirements
2) Select an identity that matches those requirements
3) Get a token for the selected identity from Organization X's STS
4) Submit the token
5) Use the claims in the token
Slide 23
Identity Federation (2)
[Figure: the same two organizations, but now the application's list of trusted STSs names only Organization Y, and Organization Y's STS lists Organization X as a trusted STS]
1) Access the application and learn its token requirements
2) Access Organization Y's STS and learn its token requirements
3) Select an identity that matches those requirements
4) Get a token for Organization Y's STS from Organization X's STS
5) Request a token for the application from Organization Y's STS, presenting the token for STS Y
6) Organization Y's STS issues a token for the application
7) Submit the token
8) Use the claims in the token
Slide 24
Delegation
[Figure: a user with a browser or client; Active Directory Domain Services and AD FS 2.0 as the STS; Application X and Application Y, both built on WIF]
1) Get a token for application X
2) Submit the token for X to application X
3) Application X accesses application Y and learns its token requirements
4) Application X requests a token for application Y from the STS, presenting the token for X
5) The STS checks policy for this user, application X, and application Y
6) If policy allows, the STS issues a token for application Y
7) Application X submits the token for Y to application Y
8) Application Y uses the claims in the token
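The following is an added example, not code from these slides or from AD FS, CardSpace or WIF. It models the basic token flow of slides 8 through 13 (an STS issues a signed token carrying only the requested claims; the application verifies the signature, checks the issuer against its list of trusted STSs, and only then uses the claims), the federation chain of slide 23 (the application trusts only Organization Y's STS, which in turn trusts Organization X's STS and reissues a token under its own signature), and the delegation policy check of slide 24. Everything concrete in it is constructed: the issuer URLs, keys, accounts and claim names are made up, an HMAC key per STS stands in for the certificate a real SAML token is signed with, and the base64/JSON token layout stands in for SAML XML.

```python
import base64
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


class STS:
    """A security token service. 'accounts' is its account/attribute store, 'trusted'
    maps partner STSs it federates with to their verification keys, and
    'delegation_policy' holds the (user, from_app, to_app) triples it allows."""

    def __init__(self, issuer, key, accounts=None, trusted=None, delegation_policy=()):
        self.issuer, self.key = issuer, key
        self.accounts = accounts or {}
        self.trusted = dict(trusted or {})
        self.delegation_policy = set(delegation_policy)

    def _sign(self, body):
        # Constructed token layout: base64(JSON body) "." base64(HMAC over that payload).
        payload = _b64(json.dumps(body, sort_keys=True).encode())
        return payload + "." + _b64(hmac.new(self.key, payload.encode(), hashlib.sha256).digest())

    def issue(self, user, password, audience, requested):
        # Slide 10: authenticate, read the attribute store, put only the requested claims in the token.
        pwd, attrs = self.accounts.get(user, (None, {}))
        if pwd is None or not hmac.compare_digest(pwd, password):
            raise PermissionError("authentication failed")
        claims = {c: attrs[c] for c in requested if c in attrs}
        return self._sign({"iss": self.issuer, "aud": audience, "sub": user, "claims": claims})

    def issue_federated(self, incoming, audience):
        # Slide 23 steps 5-6: accept a token from a trusted partner STS and reissue it under our
        # own signature, mapping the partner's claims onto ones this organization's apps understand.
        body = verify(incoming, self.trusted, audience=self.issuer)
        claims = {"home_org": body["iss"], "role": body["claims"].get("group", "guest")}
        return self._sign({"iss": self.issuer, "aud": audience, "sub": body["sub"], "claims": claims})

    def issue_delegated(self, incoming, from_app, to_app):
        # Slide 24 steps 5-6: application X presents the user's token for X; issue a token for Y
        # only if policy allows this (user, X, Y) combination, and record X as the actor.
        body = verify(incoming, {self.issuer: self.key}, audience=from_app)
        if (body["sub"], from_app, to_app) not in self.delegation_policy:
            raise PermissionError(f"policy forbids {from_app} acting for {body['sub']} at {to_app}")
        claims = dict(body["claims"], actor=from_app)
        return self._sign({"iss": self.issuer, "aud": to_app, "sub": body["sub"], "claims": claims})


def verify(token, trusted, audience):
    """Slide 11 step 3, as the application's identity library does it: look the issuer up in the
    trusted-STS list, check the signature with that issuer's key, and confirm the token was minted
    for this audience. Any failure rejects the token before a single claim is used."""
    payload, _, sig = token.partition(".")
    body = json.loads(base64.urlsafe_b64decode(payload))
    key = trusted.get(body.get("iss"))
    if key is None:
        raise PermissionError("token issued by an untrusted STS")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig)):
        raise PermissionError("bad signature: token altered or forged")
    if body.get("aud") != audience:
        raise PermissionError("token issued for a different audience")
    return body


# Constructed sample environment (slides 22-23): Organization X is the user's home,
# Organization Y hosts the application, and the application trusts only Y's STS.
X_KEY, Y_KEY = b"org-x-sts-key", b"org-y-sts-key"
STS_X = STS("https://sts.x.example", X_KEY, accounts={"alice": ("pw", {"name": "Alice", "group": "buyers"})})
STS_Y = STS("https://sts.y.example", Y_KEY, trusted={STS_X.issuer: X_KEY})
APP_Y = "https://orders.y.example"
APP_Y_TRUSTS = {STS_Y.issuer: Y_KEY}


def federation_demo():
    """Returns the claims the application receives, and whether a token from X handed
    straight to the application (bypassing STS Y) was accepted."""
    token_for_sts_y = STS_X.issue("alice", "pw", STS_Y.issuer, ["name", "group"])  # step 4
    token_for_app = STS_Y.issue_federated(token_for_sts_y, APP_Y)                    # steps 5-6
    claims = verify(token_for_app, APP_Y_TRUSTS, APP_Y)["claims"]                    # steps 7-8
    try:
        verify(STS_X.issue("alice", "pw", APP_Y, ["name"]), APP_Y_TRUSTS, APP_Y)
        direct_accepted = True
    except PermissionError:
        direct_accepted = False
    return claims, direct_accepted


def delegation_demo():
    """Returns, per user, the claims application Y receives via application X, or None
    when the STS's delegation policy refuses to issue the token."""
    app_x, app_y = "https://x.contoso.example", "https://y.contoso.example"
    sts = STS("https://sts.contoso.example", b"contoso-key",
              accounts={"alice": ("pw", {"name": "Alice"}), "bob": ("pw", {"name": "Bob"})},
              delegation_policy={("alice", app_x, app_y)})
    results = {}
    for user in ("alice", "bob"):
        token_for_x = sts.issue(user, "pw", app_x, ["name"])                              # steps 1-2
        try:
            token_for_y = sts.issue_delegated(token_for_x, app_x, app_y)                  # steps 4-6
            results[user] = verify(token_for_y, {sts.issuer: sts.key}, app_y)["claims"]  # steps 7-8
        except PermissionError:
            results[user] = None
    return results


if __name__ == "__main__":
    print(federation_demo())
    print(delegation_demo())
```

Two details are worth noticing. The application never holds Organization X's key: a token from X submitted directly is rejected as coming from an untrusted STS, and only Y's reissued token gets through, which is exactly the trust boundary slide 23 draws. And the audience check matters as much as the signature: without it, a token the STS issued for application X would verify perfectly at application Y, and delegation would need no policy at all.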
Slide 26
Changes in AD FS 2.0: From the previous release
- AD FS 1.1 supports only passive clients (i.e., browsers) using WS-Federation
  - And it doesn't provide an STS
- AD FS 2.0:
  - Supports both active and passive clients
  - Provides an STS
  - Supports both WS-Federation and the SAML 2.0 protocol
  - Improves management of trust relationships by automating some exchanges
Slide 27
CardSpace 2.0: Selecting identities
- CardSpace provides a standard user interface for choosing an identity, using the metaphor of cards
- Choosing a card selects an identity (i.e., a token)
Slide 28
Information Cards
- Behind each card a user sees is an information card
  - It's an XML file that represents a relationship with an identity provider
  - It contains what's needed to request a token for a particular identity
- Information cards don't contain:
  - Claims for the identity
  - Whatever is required to authenticate to the identity provider's STS
Slide 29
Information Cards: An illustration
[Figure: a user's browser or client running CardSpace 2.0 holds Information Card 1 through Information Card 4; each card points to an identity provider's STS]
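An added example, not part of the deck and not CardSpace code, of the selection step on slides 14, 27 and 28: parsing information cards and keeping only those that can satisfy what the application asked for. The cards are constructed samples laid out in a simplified form of the Identity Selector Interoperability Profile card format (the real format carries more elements); the issuer URLs, claim URIs and the shape of the application's policy dictionary are assumptions. Note what the cards do and do not carry: which STS to ask and which claim types it can assert, but no claim values and nothing that authenticates the user to that STS.

```python
import xml.etree.ElementTree as ET

# Namespaces used by information cards; the card layout built below is a simplified,
# constructed version of the Identity Selector Interoperability Profile format.
NS = {"ic": "http://schemas.xmlsoap.org/ws/2005/05/identity",
      "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust"}
SAML10 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML11 = "urn:oasis:names:tc:SAML:1.1:assertion"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"


def card_xml(name, issuer, token_type, claim_uris):
    """Builds a constructed sample card: the STS to ask, the token type it issues, and the
    claim types it can assert. No claim values and no credentials appear anywhere in it."""
    claims = "".join(f'<ic:SupportedClaimType Uri="{u}"/>' for u in claim_uris)
    return (f'<ic:InformationCard xmlns:ic="{NS["ic"]}" xmlns:wst="{NS["wst"]}">'
            f'<ic:CardName>{name}</ic:CardName><ic:Issuer>{issuer}</ic:Issuer>'
            f'<ic:SupportedTokenTypeList><wst:TokenType>{token_type}</wst:TokenType></ic:SupportedTokenTypeList>'
            f'<ic:SupportedClaimTypeList>{claims}</ic:SupportedClaimTypeList></ic:InformationCard>')


# Constructed cards a user might hold (made-up issuers).
CARDS = [
    card_xml("Contoso employee", "https://sts.contoso.example", SAML10,
             [CLAIMS + "name", CLAIMS + "emailaddress", "http://schemas.contoso.example/claims/purchaselimit"]),
    card_xml("Fabrikam partner", "https://sts.fabrikam.example", SAML10, [CLAIMS + "name", CLAIMS + "emailaddress"]),
    card_xml("Consumer", "https://sts.consumer.example", SAML11, [CLAIMS + "name"]),
]


def parse_card(xml_text):
    """Reads the parts of a card the selector needs in order to match it against an application."""
    root = ET.fromstring(xml_text)
    return {
        "name": root.findtext("ic:CardName", namespaces=NS),
        "issuer": root.findtext("ic:Issuer", namespaces=NS),
        "token_types": {e.text for e in root.findall("ic:SupportedTokenTypeList/wst:TokenType", NS)},
        "claim_types": {e.get("Uri") for e in root.findall("ic:SupportedClaimTypeList/ic:SupportedClaimType", NS)},
    }


def matching_cards(cards, policy):
    """Slide 14 step 2: keep the cards that can produce a token the application will accept.
    'policy' is what the client learned in step 1: required claim types, acceptable token
    types and, where the application names them, the STSs it trusts (empty set = any)."""
    chosen = []
    for card in cards:
        if policy["trusted_issuers"] and card["issuer"] not in policy["trusted_issuers"]:
            continue  # a card from an STS the application does not trust can never log the user in
        if not card["token_types"] & policy["token_types"]:
            continue  # the STS behind this card cannot produce a token format the application accepts
        if not policy["required_claims"] <= card["claim_types"]:
            continue  # a card whose STS cannot supply every required claim is not offered
        chosen.append(card["name"])
    return chosen


# Two constructed application policies: an intranet purchasing app and a public site.
ORDERS_POLICY = {"required_claims": {CLAIMS + "name", "http://schemas.contoso.example/claims/purchaselimit"},
                 "token_types": {SAML10},
                 "trusted_issuers": {"https://sts.contoso.example", "https://sts.fabrikam.example"}}
PUBLIC_POLICY = {"required_claims": {CLAIMS + "name"}, "token_types": {SAML10, SAML11}, "trusted_issuers": set()}

if __name__ == "__main__":
    parsed = [parse_card(c) for c in CARDS]
    print("orders app:", matching_cards(parsed, ORDERS_POLICY))
    print("public site:", matching_cards(parsed, PUBLIC_POLICY))
```

Selecting a card is only step 2 of the flow: it tells the client which STS to contact and what to ask for. Authentication to that STS and the token itself (step 3) come later, which is why the card file can safely omit both credentials and claim values.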
Slide 30
Creating Industry Agreement
- The Information Card Foundation is a multi-vendor group dedicated to making this technology successful
  - Its board members include Google, Microsoft, Novell, Oracle, and PayPal
- A Web site can display a standard icon to indicate that it accepts card-based logins
Slide 31
Changes in CardSpace 2.0: From the first CardSpace release
- CardSpace 2.0 is available separately from the .NET Framework
  - It's smaller and faster
- CardSpace 2.0 contains optimizations for applications that users visit repeatedly
  - A Web site can display the card you last used to log in to the site
  - The CardSpace screen needn't appear
- Cards can be set using Group Policy
- The self-issued identity provider has been dropped
Slide 32
Windows Identity Foundation
- The goal: make it easier for developers to create claims-aware applications
- WIF provides:
  - Support for verifying a token's signature and extracting its claims
  - Classes for working with claims
  - Support for creating a custom STS
  - Visual Studio project types
  - An STS for development and testing
  - More
Slide 33
Conclusions
- Changing how applications (and people) work with identity is not a small thing
  - Widespread adoption of claims-based identity will take time
- Yet all of the pieces required to make claims-based identity real on Windows are here:
  - AD FS 2.0
  - CardSpace 2.0
  - Windows Identity Foundation
Slide 34
References
- Introducing Geneva: An Overview of the Geneva Server, CardSpace Geneva, and the Geneva Framework
  http://download.microsoft.com/download/7/d/0/7d0b5166-6a8a-418a-addd-95ee9b046994/GenevaBeta1_Whitepaper_Chappell.docx
- Keith Brown's Windows Identity Framework White Paper for Developers
  http://download.microsoft.com/download/7/d/0/7d0b5166-6a8a-418a-addd-95ee9b046994/GenevaFrameworkWhitepaperForDevelopers.pdf
Slide 35
About the Speaker David Chappell is Principal of Chappell &
Associates (www.davidchappell.com) in San Francisco, California.
Through his speaking, writing, and consulting, he helps people
around the world understand, use, and make better decisions about
new technology. David has been the keynote speaker for many events
and conferences on five continents, and his seminars have been
attended by tens of thousands of IT decision makers, architects,
and developers in forty countries. His award-winning books have
been published in a dozen languages and used regularly in courses
at MIT, ETH Zurich, and other universities. In his consulting
practice, he has helped clients such as Hewlett-Packard, IBM,
Microsoft, Stanford University, and Target Corporation adopt new
technologies, market new products, train their sales staffs, and
create business plans. Earlier in his career, David wrote
networking software, chaired a U.S. national standards working
group, and played keyboards with the Peabody-award-winning
Children's Radio Theater. He holds a B.S. in Economics and an M.S.
in Computer Science, both from the University of Wisconsin-Madison.
Slide 36
Complete an evaluation on CommNet and enter to win an Xbox 360
Elite!
Slide 38
2009 Microsoft Corporation. All rights reserved. Microsoft,
Windows, Windows Vista and other product names are or may be
registered trademarks and/or trademarks in the U.S. and/or other
countries. The information herein is for informational purposes
only and represents the current view of Microsoft Corporation as of
the date of this presentation. Because Microsoft must respond to
changing market conditions, it should not be interpreted to be a
commitment on the part of Microsoft, and Microsoft cannot guarantee
the accuracy of any information provided after the date of this
presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR
STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.