A Claims Based Identity System
Steve Plank, Identity Architect
Microsoft UK
topics
• phishing, phraud
• identity layer
  • 7 laws
  • human integration
  • consistent experience across contexts
• Identity metasystem
  • ip
  • rp
  • user
  • identity selector
• non-disclosure tokens
bad person's database
web server under the control of somebody else
****************
www.identitytheft.com
www.mybank.com.net.iwill.take.over.your.life.com/dodgy.php
IIS
Credentials database
FormsAuthentication.SetAuthCookie()
www.newcorp.com
www.megacorp.com
Application Error:
Cross-domain cookie. A cookie has been received from a security domain other than the one to which this web server is a member. This is a potential security breach. Please consult the application or web server administrator.
Custom Solution, Custom Solution, Custom Solution (no common identity layer)
Connectivity: IP
Naming: DNS
Identity: no consistency
• user control and consent
• minimal disclosure for a defined use
• justifiable parties
• directional identity
• pluralism of operators and technologies
• human integration
• consistent experience across contexts
www.identityblog.com
• Human integration
• Consistent experience across contexts
Planky’s Card
Card Collection
Identity Provider
First name | Last name | Email | ...
Steve | Plank | [email protected] | ...
Bob | Smith | [email protected] | ...
Identity Selector
Subject
1:1 relationship between cards and identity providers
Locally installed software: not under somebody else's control
Metadata:
• URI of the Identity Provider
• Claims you can get from the IP: givenname, lastname, email, user-id, etc. (values intentionally left blank: the card lists the claim types, the values come from the IP)
Identity Provider: digital signature
cryptographic binding between the card and the IP
• Pluralism of operators and technologies
• Human integration
• Consistent experience across contexts
There will be many Identity Providers, each running its own technology stack
Relying Party / Identity Provider / Subject: Identity Metasystem
Microsoft Identity Metasystem:
• Relying Party as Web Service: WS-*
• OR Relying Party as Web Site: HTML
• Identity Provider: WS-*
Web service relying party policy (WS-SecurityPolicy):

<sp:IssuedToken ...>
  ...
  <sp:RequestSecurityTokenTemplate>
    ...
    <wst:Claims wst:Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity">
      <ic:Claim URI="http://.../ws/2005/05/identity/claims/givenname"/>
      <ic:Claim URI="http://.../ws/2005/05/identity/claims/surname"/>
      <ic:Claim URI="http://.../ws/2005/05/identity/claims/email"/>
      <ic:Claim URI="http://.../ws/2005/05/identity/claims/privatepersonalidentifier"/>
    </wst:Claims>
  </sp:RequestSecurityTokenTemplate>
  ...
</sp:IssuedToken>

Web site relying party policy (HTML object tag):

<object type="application/x-informationcard" name="_xmlToken">
  <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
  <param name="requiredClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
</object>
Relying Party / Identity Selector's Built-in Identity Provider / Subject: Identity Metasystem
2 degrees of store protection:
• System Key
• Password Key
Personal cards: what claims I make about myself; fixed schema (protect the users from themselves!)
Managed cards: what claims another party makes about me; flexible schema
Elvis Presley: only 1 of them is real (probably)
SECURITY TOKEN: Steve Plank, Over 18, Over 21, Under 65, image
SAML Token, XrML License, X.509 Certificate, Kerberos ticket, ... others
security token service: give it something, get a SECURITY TOKEN (Steve Plank, Over 18, Over 21, Under 65, image)
the "something": a DIFFERENT SECURITY TOKEN, Username/Password, Biometric, Signature, Certificate
web service: STS
• MEX (Metadata Exchange) endpoint
  • policy
  • how to get tokens
  • token service endpoint
• responds to RST (Request Security Token)
• delivers tokens (wrapped in RSTR (RST Response))
relying party / identity provider / subject
• click login button
• get RP policy: URI of IP, required claims, optional claims, token type
• get IP policy: authn reqs, token types...
• authenticate: "identity.provider.com requires username and password to validate this request. Enter the information below"
• RST
• RSTR
relying party / identity provider / subject
real token and display token
display token:
• givenname: Steve
• surname: Plank
• emailaddress: [email protected]
• privatepersonalidentifier: planky123
"Do you want to send this card to: ip.sisa.com"
token authentication
token decryption
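The exchange in the two diagrams above (RP policy, RST, authentication at the STS, RSTR, then token authentication at the relying party), as an added example in Go. It is not code from the talk and not CardSpace itself: it assumes a hypothetical STS with a constructed credentials database, a JSON token signed with ECDSA in place of a SAML assertion under XML-DSig, and derives privatepersonalidentifier as a keyed hash of the RP's identity as a stand-in for the real PPID derivation. NewSTS, Issue, Verify, pairwiseID, the account "planky" and its claim values are illustrative names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Claim namespace used by the object tag and policy on this page.
const claimNS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

// Policy is what the RP publishes (object tag / WS-SecurityPolicy): trusted IP, own identifier, needed claims.
type Policy struct{ Issuer, Audience string; RequiredClaims []string }

// RST is the Request Security Token the selector sends: the RP's policy plus the credential the STS demanded.
type RST struct{ Audience, Username, Password string; Claims []string }

// Token is the issued token; the IP signs its JSON encoding (the real system: a SAML assertion under XML-DSig).
type Token struct {
	Issuer   string            `json:"issuer"`
	Audience string            `json:"audience"`
	NotAfter int64             `json:"not_after"`
	Claims   map[string]string `json:"claims"`
}

type RSTR struct{ Token Token; Signature []byte } // RST Response: the signed token going back to the selector
type account struct{ password string; cardSalt []byte; claims map[string]string }

// STS is a hypothetical identity-provider security token service over a constructed credentials database.
type STS struct{ URI string; Key *ecdsa.PrivateKey; accounts map[string]account }

func NewSTS(uri string) *STS {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	salt := make([]byte, 32) // per-card secret; never leaves the IP
	rand.Read(salt)
	planky := account{"correct horse", salt, map[string]string{
		claimNS + "givenname": "Steve", claimNS + "surname": "Plank", claimNS + "emailaddress": "steve@example.com"}}
	return &STS{uri, key, map[string]account{"planky": planky}}
}

// pairwiseID derives privatepersonalidentifier as a keyed hash of the RP's identity: stable at one RP, different at every other.
func pairwiseID(cardSalt []byte, audience string) string {
	m := hmac.New(sha256.New, cardSalt)
	m.Write([]byte(audience))
	return hex.EncodeToString(m.Sum(nil)[:16])
}

// digest is what gets signed; json.Marshal emits map keys sorted, so it is deterministic.
func digest(t Token) []byte { b, _ := json.Marshal(t); h := sha256.Sum256(b); return h[:] }

// Issue authenticates the subject, then answers the RST with an RSTR.
func (s *STS) Issue(r RST) (*RSTR, error) {
	a, ok := s.accounts[r.Username]
	if !ok || a.password != r.Password { // real code: constant-time compare of a password hash
		return nil, fmt.Errorf("authentication failed")
	}
	claims := map[string]string{}
	for _, uri := range r.Claims {
		v, ok := a.claims[uri]
		if uri == claimNS+"privatepersonalidentifier" {
			v, ok = pairwiseID(a.cardSalt, r.Audience), true
		}
		if !ok {
			return nil, fmt.Errorf("claim %s is not offered by this IP", uri)
		}
		claims[uri] = v
	}
	tok := Token{s.URI, r.Audience, time.Now().Add(5 * time.Minute).Unix(), claims}
	sig, err := ecdsa.SignASN1(rand.Reader, s.Key, digest(tok))
	if err != nil {
		return nil, err
	}
	return &RSTR{tok, sig}, nil
}

// Verify is the RP's "token authentication": signature under the IP's key, trusted issuer and audience, validity, required claims.
func Verify(p Policy, ipKey *ecdsa.PublicKey, r *RSTR, now time.Time) error {
	t := r.Token
	switch {
	case !ecdsa.VerifyASN1(ipKey, digest(t), r.Signature):
		return fmt.Errorf("signature does not verify under the IP's key")
	case t.Issuer != p.Issuer || t.Audience != p.Audience: // rejects tokens minted for another RP
		return fmt.Errorf("token not issued by the trusted IP for this RP")
	case now.Unix() > t.NotAfter:
		return fmt.Errorf("token expired")
	}
	for _, c := range p.RequiredClaims {
		if _, ok := t.Claims[c]; !ok {
			return fmt.Errorf("required claim missing: %s", c)
		}
	}
	return nil
}
```

Calling Issue with the RP's audience and required claims and then Verify under the IP's public key exercises the checks: a token minted for www.newcorp.com is refused at www.megacorp.com because the audience is signed into it, a tampered claim breaks the signature, and the PPID differs per RP while staying stable for the same RP (directional identity). The real token in CardSpace is additionally encrypted to the RP's certificate, which is why the selector needs a separate display token to show the subject; the example leaves that encryption out.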
... but the IP could tell lies!
subject
real token / display token
• real token might be opaque
• how to inform the subject?
Non-disclosure tokens
Steve Plank
DOB: 17-Jun-59
Authenticity Signature
• Stefan Brands
• Credentica U-Prove
• acquired 6th March 2008
• privacy
review
• phishing, phraud
• identity layer
  • 7 laws
  • human integration
  • consistent experience across contexts
• Identity metasystem
  • ip
  • rp
  • user
  • identity selector
• non-disclosure tokens
www.identityblog.com