A Claims Based Identity System. Steve Plank, Identity Architect, Microsoft UK.

23 slides. Uploaded by kimberly-kelley; posted 11-Jan-2016.

Transcript

Page 1: A Claims Based Identity System Steve Plank Identity Architect Microsoft UK
Page 2

A Claims Based Identity System

Steve Plank, Identity Architect

Microsoft UK

Page 3

topics

• phishing, phraud
• identity layer
  • 7 laws
  • human integration
  • consistent experience across contexts
• Identity metasystem
  • ip
  • rp
  • user
  • identity selector
• non-disclosure tokens

Page 4

[Diagram: the subject types [email protected] and a password (****************) into a page at www.identitytheft.com (www.mybank.com.net.iwill.take.over.your.life.com/dodgy.php); the web server is under the control of somebody else and the credentials go straight into the bad person's database.]

Page 5

[Diagram: www.megacorp.com and www.newcorp.com each run IIS against their own credentials database, and each sets a forms-authentication cookie after login (FormsAuthentication.SetLoginCookie() on the slide; the ASP.NET method is FormsAuthentication.SetAuthCookie()). Presenting megacorp's cookie to newcorp fails:]

Application Error: Cross-domain cookie. A cookie has been received from a security domain other than the one to which this web server is a member. This is a potential security breach. Please consult the application or web server administrator.

So every site builds its own: Custom Solution, Custom Solution, Custom Solution.

Page 6

Connectivity: IP

Naming: DNS

Identity: no consistency

Page 7

• user control and consent

• minimal disclosure for a defined use

• justifiable parties

• directional identity

• pluralism of operators and technologies

• human integration

• consistent experience across contexts

www.identityblog.com

Page 8

• Human integration

• Consistent experience across contexts

Planky’s Card

Card Collection

Page 9

[Diagram: Identity Provider, Identity Selector, Subject]

Identity Provider's table:

  First name | Last name | Email             | ...
  Steve      | Plank     | [email protected] | ...
  Bob        | Smith     | [email protected] | ...

1:1 relationship between cards and identity providers

Locally installed software: not under somebody else's control

Page 10

Metadata (what the card holds):

• URI of the Identity Provider
• Claims you can get from the IP:
    givenname:
    lastname:
    email:
    user-id:
    etc:
  (intentionally left blank: the card lists the claim names the IP can issue, not their values)

[Diagram: the Identity Provider's table (as on page 9: Steve Plank, Bob Smith, ...)]

digital signature

Page 11

Identity Provider

digital signature

cryptographic binding between the card and the IP

Page 12

• Pluralism of operators and technologies

• Human integration

• Consistent experience across contexts

There will be many Identity Providers, each running its own technology stack.

OR

Page 13

[Diagram: Subject, Relying Party, Identity Provider. The Identity Metasystem (Microsoft Identity Metasystem) reaches a Web Service over WS-* and a Web Site over HTML.]

WS-* (the issued-token assertion in the web service's policy):

  <sp:IssuedToken ...>
    ...
    <sp:RequestSecurityTokenTemplate>
      ...
      <wst:Claims wst:Dialect="http://schemas.microsoft.com/ws/2005/05/identity">
        <ic:Claim URI="http://.../ws/2005/05/identity/claims/givenname"/>
        <ic:Claim URI="http://.../ws/2005/05/identity/claims/surname"/>
        <ic:Claim URI="http://.../ws/2005/05/identity/claims/email"/>
        <ic:Claim URI="http://.../ws/2005/05/identity/claims/privatepersonalidentifier"/>
      </wst:Claims>
    </sp:RequestSecurityTokenTemplate>
    ...
  </sp:IssuedToken>

HTML (the InfoCard object tag on the web site's login page):

  <object type="application/x-informationcard" name="_xmlToken">
    <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
    <param name="requiredClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
  </object>
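The object tag is what the identity selector reads to decide which cards in the collection can satisfy this site. As an added example (not code from the slides or from CardSpace), here is a Python parser for that tag and a check of each card's metadata (the IP URI, the token types it issues and the claim names it can assert, as on the Metadata slide) against the parsed policy. The `tokenType`, `requiredClaims`, `optionalClaims` and `issuer` parameter names are CardSpace's; the two card records and their issuer URIs are constructed for the example.

```python
import xml.etree.ElementTree as ET

CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# The relying party's InfoCard object tag, as on the slide above (line breaks inside the
# requiredClaims value are harmless: the list is whitespace-separated).
RP_OBJECT_TAG = """
<object type="application/x-informationcard" name="_xmlToken">
  <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
  <param name="requiredClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
</object>
"""

def parse_rp_policy(object_tag: str) -> dict:
    """Read the RP's policy out of the object tag: token type, required and optional claims,
    and the issuer it insists on, if any (absent here, so any IP the card points at may issue)."""
    root = ET.fromstring(object_tag.strip())
    if root.tag != "object" or root.get("type") != "application/x-informationcard":
        raise ValueError("not an InfoCard object tag")
    params = {p.get("name"): (p.get("value") or "") for p in root.findall("param")}
    return {
        "tokenType": params.get("tokenType") or None,
        "issuer": params.get("issuer") or None,
        "requiredClaims": params.get("requiredClaims", "").split(),
        "optionalClaims": params.get("optionalClaims", "").split(),
    }

# Constructed card metadata: the IP's URI, the token types it issues and the claims it can
# assert (the card carries claim names only, never values). Two managed cards for the example.
CARDS = {
    "Planky's Card": {
        "issuer": "https://ip.sisa.com/sts",
        "tokenTypes": ["urn:oasis:names:tc:SAML:1.0:assertion"],
        "supportedClaims": [CLAIMS_NS + c for c in ("givenname", "surname", "emailaddress", "privatepersonalidentifier")],
    },
    "Bank Card": {
        "issuer": "https://ip.bank.example/sts",
        "tokenTypes": ["urn:oasis:names:tc:SAML:1.1:assertion"],
        "supportedClaims": [CLAIMS_NS + c for c in ("givenname", "surname", "emailaddress")],
    },
}

def card_satisfies(card: dict, policy: dict):
    """A card is offered only if its IP issues the requested token type, is the issuer the RP
    named (when it named one) and can assert every required claim. Returns (ok, missing_claims)."""
    missing = [c for c in policy["requiredClaims"] if c not in card["supportedClaims"]]
    type_ok = policy["tokenType"] is None or policy["tokenType"] in card["tokenTypes"]
    issuer_ok = policy["issuer"] is None or policy["issuer"] == card["issuer"]
    return (type_ok and issuer_ok and not missing), missing

def select_cards(cards: dict, policy: dict) -> dict:
    """What the selector shows: which cards in the collection can answer this RP's policy."""
    return {name: card_satisfies(card, policy) for name, card in cards.items()}

if __name__ == "__main__":
    for name, (ok, missing) in select_cards(CARDS, parse_rp_policy(RP_OBJECT_TAG)).items():
        print(name, "usable" if ok else f"greyed out, missing {missing}")
```

The bank card is greyed out for two reasons at once: its IP issues SAML 1.1 tokens rather than the SAML 1.0 the site asked for, and it cannot assert a privatepersonalidentifier. The selector never needs the claim values to make this decision, which is the point of putting only metadata on the card.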

Page 14

[Diagram: Subject, Relying Party, and the Identity Selector's built-in Identity Provider inside the Identity Metasystem.]

2 degrees of store protection:

• System Key
• Password Key

Personal Cards: fixed schema

Page 15

personal cards                                     | managed cards
what claims I make about myself                    | what claims another party makes about me
fixed schema (protect the users from themselves!)  | flexible schema

Page 16

elvis presley

only 1 of them is real

probably

Page 17

SECURITY TOKEN

claims: Steve, Plank, Over 18, Over 21, Under 65, image

token formats: SAML Token, XrML License, X.509 Certificate, Kerberos ticket, ... others

Page 18

security token service

[Diagram: give the STS something (a DIFFERENT SECURITY TOKEN: username/password, biometric, signature, certificate) and it hands back a SECURITY TOKEN carrying the claims Steve, Plank, Over 18, Over 21, Under 65, image.]

web service: STS

• MEX (Metadata Exchange) endpoint
  • policy
  • how to get tokens
  • token service endpoint
• responds to RST (Request Security Token)
• delivers tokens (wrapped in RSTR (RST Response))

Page 19

[Diagram: subject, relying party, identity provider]

• the subject clicks the login button at the relying party
• relying party policy: URI of the IP, required claims, optional claims, token type
• the selector gets the IP's policy: authentication requirements, token types, ...
• the subject authenticates to the IP: "identity.provider.com requires username and password to validate this request. Enter the information below" (username and password boxes)
• RST to the IP
• RSTR back to the selector

Page 20

[Diagram: subject, relying party, identity provider. The RSTR carries two tokens: the real token goes on to the relying party; the display token is shown to the subject.]

display token:

  * givenname: Steve
  * surname: Plank
  * emailaddress: [email protected]
  * privatepersonalidentifier: planky123

Selector prompt: "Do you want to send this card to: ip.sisa.com"

At the relying party: token authentication, token decryption.

Page 21

... but the IP could tell lies!

[Diagram: the subject sees the display token; the relying party receives the real token.]

• the real token might be opaque (for instance encrypted to the relying party), so the selector cannot compare it with the display token
• how to inform the subject?
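The RST/RSTR exchange of pages 19 and 20, and the display-token problem raised on this page, as an added Python example that is not from the slides and is not CardSpace code. The identity provider's STS, the selector's display-token check and the relying party's token validation are simulated in one process. The user record, the RP policy, the STS path under ip.sisa.com and the key are constructed; an HMAC with a key shared by IP and RP stands in for the IP's signature (a real STS signs with its private key, and the RP verifies with the public key it learned from the IP's MEX metadata).

```python
import hashlib
import hmac
import json
import time

CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Assumption: a shared-secret HMAC over the token body stands in for the IP's signature.
IP_SIGNING_KEY = b"demo-signing-key-for-ip.sisa.com"
IP_URI = "https://ip.sisa.com/sts"   # constructed STS endpoint for the IP on the slides

def sign(body: bytes) -> str:
    return hmac.new(IP_SIGNING_KEY, body, hashlib.sha256).hexdigest()

# Relying party policy, as carried by the login button (page 19).
RP_POLICY = {
    "rp": "https://www.megacorp.com/login",
    "issuer": IP_URI,
    "tokenType": "urn:oasis:names:tc:SAML:1.0:assertion",
    "requiredClaims": [CLAIMS_NS + c for c in ("givenname", "surname", "emailaddress", "privatepersonalidentifier")],
}

# Constructed IP store: the credential the STS authenticates plus the attributes it asserts.
IP_USERS = {
    "planky": {"password": "correct horse battery", "givenname": "Steve", "surname": "Plank",
               "emailaddress": "planky@sisa.example"},
}

def ip_issue(rst: dict, lie: bool = False) -> dict:
    """STS: authenticate the subject, then answer the RST with an RSTR holding the real token
    (signed, for the RP) and a display token (plain claims, for the subject)."""
    user = IP_USERS.get(rst["username"])
    if user is None or not hmac.compare_digest(user["password"], rst["password"]):
        raise PermissionError("authentication failed")
    # Directional identity: the PPID is derived per relying party, so two RPs cannot correlate it.
    ppid = hashlib.sha256(f"{rst['username']}|{rst['rp']}".encode()).hexdigest()[:16]
    available = {CLAIMS_NS + "givenname": user["givenname"], CLAIMS_NS + "surname": user["surname"],
                 CLAIMS_NS + "emailaddress": user["emailaddress"], CLAIMS_NS + "privatepersonalidentifier": ppid}
    missing = [c for c in rst["claims"] if c not in available]
    if missing:
        raise ValueError(f"cannot issue claims: {missing}")
    now = int(time.time())
    body = {"issuer": IP_URI, "audience": rst["rp"], "tokenType": rst["tokenType"],
            "nbf": now, "exp": now + 300, "claims": {c: available[c] for c in rst["claims"]}}
    encoded = json.dumps(body, sort_keys=True).encode()
    display = dict(body["claims"])
    if lie:  # an IP that shows the subject one thing and tells the RP another
        display[CLAIMS_NS + "emailaddress"] = "nobody@example.invalid"
    return {"realToken": {"body": encoded.decode(), "signature": sign(encoded)}, "displayToken": display}

def selector_check_display(rstr: dict) -> list:
    """Identity selector: when the real token is readable, compare it with the display token and
    return the claims whose values differ. An encrypted real token is opaque and cannot be checked."""
    real = json.loads(rstr["realToken"]["body"])["claims"]
    disp = rstr["displayToken"]
    return sorted(c for c in set(real) | set(disp) if real.get(c) != disp.get(c))

def rp_validate(token: dict, policy: dict, now=None) -> dict:
    """Relying party: authenticate the token (signature, issuer, audience, type, validity window)
    and confirm every required claim is present before trusting any claim value."""
    encoded = token["body"].encode()
    if not hmac.compare_digest(sign(encoded), token["signature"]):
        raise ValueError("token signature invalid")
    body = json.loads(encoded)
    now = int(time.time()) if now is None else now
    if body["issuer"] != policy["issuer"]:
        raise ValueError("token issued by an untrusted IP")
    if body["audience"] != policy["rp"]:
        raise ValueError("token was issued for a different relying party")
    if body["tokenType"] != policy["tokenType"]:
        raise ValueError("wrong token type")
    if not (body["nbf"] <= now < body["exp"]):
        raise ValueError("token outside its validity window")
    missing = [c for c in policy["requiredClaims"] if not body["claims"].get(c)]
    if missing:
        raise ValueError(f"required claims missing: {missing}")
    return body["claims"]

def login(username: str, password: str, policy: dict = RP_POLICY, lie: bool = False) -> dict:
    """End to end: the selector builds the RST from the RP's policy, the IP answers with an RSTR,
    the selector checks the display token, and the RP validates the real token."""
    rst = {"rp": policy["rp"], "tokenType": policy["tokenType"], "claims": policy["requiredClaims"],
           "username": username, "password": password}
    rstr = ip_issue(rst, lie=lie)
    mismatched = selector_check_display(rstr)
    if mismatched:
        raise ValueError(f"display token does not match real token for: {mismatched}")
    return rp_validate(rstr["realToken"], policy)

if __name__ == "__main__":
    print(login("planky", "correct horse battery"))
```

The selector's comparison only works here because the real token is JSON the selector can read. Once the IP encrypts the real token to the RP's key (the "token decryption" step on page 20), the selector is back to trusting the display token, which is exactly the gap the slide points at. Note also that the RP checks audience before it looks at any claim: a valid token issued for megacorp must not be accepted by newcorp.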

Page 22

Non-disclosure tokens

[Diagram: a token carrying Steve Plank, [email protected], DOB: 17-Jun-59, with an Authenticity Signature]

• Stefan Brands
• Credentica U-Prove
• acquired 6th March 2008
• privacy

Page 23

review

• phishing, phraud
• identity layer
  • 7 laws
  • human integration
  • consistent experience across contexts
• Identity metasystem
  • ip
  • rp
  • user
  • identity selector
• non-disclosure tokens

www.identityblog.com