Protecting Online Identities
DESCRIPTION
Learn how Microsoft provides a range of identity solutions that help developers more easily build seamless user experiences, including Federation, Authentication, UX Customization, Open Standards, OpenID and more.
TRANSCRIPT
Protecting Online Identities
Live Identity Services Overview
Jorgen Thelin, Senior Program Manager, Microsoft Corporation
Session: MIX09-T27F
Web Developers
• Customizable identity UX
• Single Sign On
• Access to user data
ISVs
• Federation for selling their applications to organizations
• Easy on-boarding of new customers
Organizations
• Turnkey federation for adopting services (Online, Live, ISVs)
• Works with existing identity infrastructure
Agenda
Web Developers
• Consuming Windows Live IDs on your site
• Accessing user data on your site
ISVs
• Consuming federated identities
• Rapid on-boarding for organizations
Live ID 101
Live ID - Many components
• Identities: authentication of users, applications and devices
• Strong Authentication: investing in 2FA such as Smartcard and StartKey
• Attacker Resistant: user / IP reputation, account abuse prevention
• UI Customization: Live ID is fully customizable
• Data Portability: delegated auth, the user grants permission to access their data
• OpenID: embracing open standards
• Federated Authentication: compatible with the Microsoft Federation Gateway
Live Identity Services
Principal Types (who is authenticating, and on whose behalf)
Principal    | Acting for Self             | Acting for User
User         | User auth (client or web)   | -
Application  | App auth (AppID)            | Delegation (Good) vs. Impersonation (BAD!)
Device       | DeviceID                    | Linked DeviceID
Impersonation, an application collecting the user's Live ID password so it can act as the user, is the Password Anti-Pattern; delegation with user consent is the supported alternative.
Credential Types
• [Strong] Password, PIN
• eID / Smart card
• CardSpace
• Policy-driven control
Types of Live ID Users (type of identity)
• Live Mail / Hotmail accounts
• EASI ("E-mail As Sign-In")
• Managed domains
• Federated domains
Integrating Live ID into your application
Consume identities & SSO
• Web Authentication
• Client SDK
• Preview: OpenID
Accessing user data
• Delegated Auth SDK
Options for Consuming User Identities
• Be your own Identity Provider
• Link with an external Identity Provider
• Identity aggregator service
• Protocol-level integration
Live ID Web Authentication
demo
WebAuth Sign-in Control (cross-platform HTML, URL decoded for readability)
<iframe id="WebAuthControl"
        src="http://login.live.com/controls/WebAuth.htm?appid=<%=AppId%>&context=welcomepage&style=font-size=10pt;+font-family=verdana;+font-style=normal;+font-weight=bold;+background=white;+color=black;"
        width="80px" height="20px">
</iframe>
Existing: WebAuth.htm
New: WebAuthLogo.htm
New: WebAuthButton.htm
How Web Authentication works
[Diagram: the end user with a web browser, the Relying Party web site (e.g., Contoso.com) and the Live ID WebAuth service, with the five numbered steps of the sign-in exchange between them]
Live ID Web Authentication SDK Docs: http://go.microsoft.com/fwlink/?LinkID=91762
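The relying party's side of the exchange in the diagram, as an added example written for this page (it is not code from the talk or from the SDK): after the user signs in at login.live.com, the WebAuth service POSTs an `action` and an `stoken` to the return URL the site registered, and the site must validate that token with its application secret before trusting the user ID inside it. The field names (appid, uid, ts, sig), the per-purpose key derivation and the base64 HMAC-SHA256 signature follow my recollection of the WindowsLiveLogin helper library that ships with the SDK and should be read as assumptions; the real token is additionally AES-encrypted with a second key derived from the same secret, which this example leaves out, and the five-minute freshness window is my own policy. `issue_stoken` is a constructed stand-in for the Live ID side so the block runs offline; APP_ID and SECRET are constructed values.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

# Constructed values: the AppID and the shared secret a relying party
# receives when it registers at the Live ID developer portal.
APP_ID = "000000004801ABCD"
SECRET = "constructed-secret-do-not-reuse"
MAX_TOKEN_AGE = 300   # seconds; assumed policy, not an SDK constant
CLOCK_SKEW = 60       # tolerated forward skew in seconds; assumed


def derive_key(secret, purpose):
    """Assumed derivation: first 16 bytes of SHA-256(purpose || secret),
    the way the SDK helper library derives its per-purpose keys."""
    return hashlib.sha256((purpose + secret).encode("utf-8")).digest()[:16]


def sign(secret, body):
    """Base64 HMAC-SHA256 over the signed fields with the signature key."""
    mac = hmac.new(derive_key(secret, "SIGNATURE"),
                   body.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def issue_stoken(app_id, uid, secret, ts=None):
    """Constructed stand-in for the Live ID WebAuth service: signs appid,
    uid and timestamp. (The real service also encrypts the result with a
    key derived with purpose "ENCRYPTION"; omitted here.)"""
    ts = int(time.time() if ts is None else ts)
    body = urlencode({"appid": app_id, "uid": uid, "ts": ts})
    return body + "&sig=" + sign(secret, body)


def process_stoken(stoken, app_id, secret, now=None):
    """Relying-party validation of the posted stoken.
    Returns (uid, "ok") on success or (None, reason) on failure."""
    now = time.time() if now is None else now
    body, sep, sig = stoken.rpartition("&sig=")
    if not sep:
        return None, "malformed"
    if not hmac.compare_digest(sign(secret, body), sig):
        return None, "bad signature"      # tampered, or signed with another secret
    fields = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    if fields.get("appid") != app_id:
        return None, "wrong appid"        # minted for a different relying party
    ts = int(fields.get("ts", "0"))
    if ts > now + CLOCK_SKEW or ts < now - MAX_TOKEN_AGE:
        return None, "stale"              # replay of an old token, or a bad clock
    uid = fields.get("uid")
    if not uid:
        return None, "missing uid"
    return uid, "ok"


def handle_return_url(form, app_id, secret, session, now=None):
    """Dispatch the POST Live ID sends to the registered return URL.
    `form` holds the POSTed fields; `session` is the site's own session."""
    action = form.get("action", "")
    if action == "login":
        uid, reason = process_stoken(form.get("stoken", ""), app_id, secret, now)
        if uid is None:
            return "reject:" + reason
        session["live_uid"] = uid         # key the local account off the uid
        return "signed-in"
    if action in ("logout", "clearcookie"):
        session.clear()
        return "signed-out"
    return "reject:unknown action"
```

WebAuth hands the site only an opaque user ID that is specific to its AppID, so the local account is stored against that ID; a "bad signature" or "stale" result is a hard failure, not something to retry with a looser check.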
What about the User Experience?
Customizing the Identity Experience
Recognizable & not jarring
Sign-in, Sign-up, Consent
Sign-in screen: customizable contents (elements that can be customized)
• Partner logo
• Task statement / task integration statement
• Product description
• Sign-up section
• Header background
Customizable theme (elements cannot change; customize look & feel)
• Font color
• Background color
• Button color
• User tile color
• Live ID description color
Sign-in / Sign-up UX Customization
demo
Another Example - LiveWIM.com
Identity Aggregators
Example: JanRain's RPX service, a UI component for multiple Identity Providers
Embracing Open Standards
Live ID OpenID Provider
Microsoft is becoming an OpenID Provider (OP)
Try the Live ID - OpenID Provider CTP now
1. Set up a Live ID INT account: https://login.Live-INT.com/
2. Set up an OpenID alias: https://OpenID.Live-INT.com/beta/ManageOpenID.srf
3. Use the OpenID 2.0 login URI: OpenID.Live-INT.com
4. Send feedback: [email protected]
>> Production release of the Live ID OpenID Provider later this year
Enabling data portability
Live ID Delegated Authentication
demo
Delegated Auth Protocol Overview
[Diagram: the Application Provider (web site), the Live ID Delegation Service, the Consent UI at consent.live.com, a Resource Provider (e.g., Windows Live Contacts) and the end user with a browser. Two phases: the "Granting Consent" phase, in which the user must be online, and the "Using Consent" phase, in which the user can be offline.]
Requesting Delegated Auth Consent
https://consent.live.com/delegation.aspx
  ?ru=http://mydomain.myapp.com/ReturnURL.aspx
  &ps=Contacts.View,Contacts.Update
  &pl=http://mydomain.myapp.com/PrivacyPolicy.htm
  &ttype=1
  &mkt=en-US
  &app=appid%3d10000%26ts%3d1193445084%26ip%3d157.56.190.178%26sig%3d7HgcsIEheEVO30BuPAEJhJeB8Pz0xHBV%252f%252bQD27AOdmI%253d
  &appctx=welcomepage
Don't panic! The SDK libraries handle all this for you.
Parameters: ru = return URL the user is sent back to; ps = the offers (permissions) being requested; pl = the application's privacy policy; ttype = token type (1: compact token, 2: SAML token); mkt = market; app = the application verifier token; appctx = application context passed back to the application.
Application verifier token (the app parameter): AppID, timestamp, client IP, SHA256 signature
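The consent URL above, built and then checked in code, as an added example of mine and not the SDK's Delegated Auth libraries (which, as the slide says, do this for you). `build_app_verifier` reproduces the structure visible in the page's URL: appid, ts and ip, then a base64 signature that is URL-escaped once inside the token and again when the whole token becomes the `app` query value, which is why the page shows `%252f`. The per-purpose key derivation and HMAC-SHA256 follow my recollection of the SDK helper library and are assumptions; `check_app_verifier` is a constructed model of what the consent service must establish before it shows a consent page, not Microsoft's implementation, and the five-minute freshness window is my choice. The AppID, secret and IP are constructed values.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

CONSENT_ENDPOINT = "https://consent.live.com/delegation.aspx"
MAX_VERIFIER_AGE = 300   # seconds; assumed freshness window


def derive_key(secret, purpose):
    """Assumed: first 16 bytes of SHA-256(purpose || secret), as the SDK libraries do."""
    return hashlib.sha256((purpose + secret).encode("utf-8")).digest()[:16]


def sign(secret, body):
    """Base64 HMAC-SHA256 over the signed fields with the signature key."""
    mac = hmac.new(derive_key(secret, "SIGNATURE"),
                   body.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def build_app_verifier(app_id, secret, client_ip, ts=None):
    """The `app` parameter: appid, timestamp and client IP, then the signature
    over exactly those three fields. The signature is URL-escaped inside the
    token; the caller escapes the whole token again when placing it in the URL."""
    ts = int(time.time() if ts is None else ts)
    body = f"appid={app_id}&ts={ts}&ip={client_ip}"
    return body + "&sig=" + quote(sign(secret, body), safe="")


def consent_request_url(app_id, secret, client_ip, return_url, offers, policy_url,
                        token_type=1, market="en-US", app_context=None, ts=None):
    """Assemble the redirect to consent.live.com with the parameters seen on the slide."""
    params = {
        "ru": return_url,                 # where the user is sent back with the consent
        "ps": ",".join(offers),           # offers requested, e.g. Contacts.View
        "pl": policy_url,                 # the application's privacy policy
        "ttype": token_type,              # 1 = compact token, 2 = SAML token
        "mkt": market,
        "app": build_app_verifier(app_id, secret, client_ip, ts),
    }
    if app_context is not None:
        params["appctx"] = app_context    # opaque state handed back to the application
    return CONSENT_ENDPOINT + "?" + urlencode(params)


def app_param_from_url(url):
    """Pull the `app` value back out of a consent URL (one level of unescaping)."""
    return parse_qs(urlsplit(url).query)["app"][0]


def check_app_verifier(app_param, secrets_by_appid, request_ip, now=None):
    """Constructed model of the consent service's check: the verifier was signed
    with the secret registered for that AppID, is fresh, and was minted for the
    client now presenting it. Returns (True, "ok") or (False, reason)."""
    now = time.time() if now is None else now
    body, sep, sig = app_param.rpartition("&sig=")
    if not sep:
        return False, "malformed"
    fields = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    secret = secrets_by_appid.get(fields.get("appid"))
    if secret is None:
        return False, "unknown appid"
    if not hmac.compare_digest(sign(secret, body), unquote(sig)):
        return False, "bad signature"     # tampered fields or wrong secret
    ts = int(fields.get("ts", "0"))
    if not (now - MAX_VERIFIER_AGE <= ts <= now + 60):
        return False, "stale"             # old verifier replayed later
    if fields.get("ip") != request_ip:
        return False, "ip mismatch"       # verifier replayed from another client
    return True, "ok"
```

Note what the signature covers: only appid, ts and ip, exactly as in the page's URL. The offers (ps) and the return URL (ru) sit outside it, which is why the user is shown the requested offers and approves them on the consent page; the timestamp and IP checks are what limit reuse of a captured `app` value.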
Sell more of your application by easing on-boarding of identities
Federation Infrastructure
• Standards based
• WS-Trust / WS-Fed
• Microsoft Federation Gateway
Rapid on-boarding / tools
• Microsoft Services Connector
A Federated Ecosystem
Benefits of federated identity
• Open participation based on industry standards
• Linking service providers and service consumers
• Access to more services and applications: Microsoft cloud applications, developers using the Azure Services Platform, developers using other hosting platforms
• Access to more customers: 500m+ Live ID users, other organizations using federated identity
Microsoft is offering free solutions that greatly simplify service federation scenarios
MFG and the Federation Ecosystem
[Diagram: Relying Parties (web sites / online apps) on one side and Identity Providers (the Live ID Identity Provider and other federated Identity Providers) on the other, connected through the Microsoft Federation Gateway (MFG); user applications (a browser, and Windows apps using the Live ID Client SDK) sit in front of the relying parties]
Solution: Easy Federated Identity
Microsoft Federation Gateway
• Hub-and-spoke model: simplified trust management for enterprises & service providers
• Production deployment since 2006
• Now supports self-service federation provisioning
Microsoft Services Connector
• Connects Active Directory to the Federation Gateway and cloud services / applications
• Simple one-time federation setup with auto-provisioning
• Flexible and customizable end-user experience
• Free download
Objective: connect to cloud services without changing existing identity infrastructure
Microsoft Services Connector
demo
Accessing federated resources from inside the corporate network
Accessing Services Using the Federation Gateway & MSC
[Diagram: the enterprise (desktop browser and Office apps, the Microsoft Services Connector, Active Directory), the Microsoft Federation Gateway, and cloud applications / developer services]
1. User clicks a link and is taken to the Microsoft Services Connector for authentication
2. Services Connector validates credentials with Active Directory
3. Services Connector issues a login token and redirects to the Federation Gateway
4. Federation Gateway validates the token and transforms claims
5. Federation Gateway issues a service token and redirects to the service
6. User accesses the service
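The six steps above as a runnable model, added here and not Microsoft's implementation: in WS-Federation the tokens are SAML tokens signed with X.509 certificates, and here a JSON body with an HMAC-SHA256 over it stands in for that. The partner registry, the per-service claim release policy, the domain check and the claim transformation (a pseudonymous name identifier, a role derived from an AD group, raw groups dropped) are constructed policy for the example, not what the Federation Gateway actually applies; the keys, service names and the AD record are constructed too. What the block shows is the hub-and-spoke trust property the slides claim: the Services Connector trusts Active Directory, the gateway trusts its registered partners, and each cloud service trusts exactly one issuer, the gateway, so a spoke's login token presented directly to a service is rejected and a token issued for one service is rejected by another.

```python
import hashlib
import hmac
import json

# Constructed signing keys (HMAC stands in for per-party X.509 certificates).
KEYS = {
    "contoso-msc": b"constructed-key-for-contoso-services-connector",
    "mfg": b"constructed-key-for-the-federation-gateway",
}
# The hub's registry of spokes: which key belongs to which partner IdP and
# which domain that partner is allowed to assert identities for.
PARTNERS = {"contoso-msc": {"key": KEYS["contoso-msc"], "domain": "contoso.com"}}
# Per-service release policy: which claims the gateway passes to each service.
SERVICE_POLICY = {
    "crm.cloudapp.example": ["nameid", "email", "role"],
    "wiki.cloudapp.example": ["nameid"],
}


def issue_token(issuer, key, audience, claims, now, ttl=300):
    """Issuer, audience, expiry and claims, signed with the issuer's key."""
    payload = {"iss": issuer, "aud": audience, "exp": now + ttl, "claims": claims}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return body + "." + hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_token(token, trusted_keys, audience, now):
    """Accept only a token from an issuer in trusted_keys, addressed to us, unexpired."""
    body, _, mac = token.rpartition(".")
    payload = json.loads(body)
    key = trusted_keys.get(payload.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("bad signature")
    if payload.get("aud") != audience:
        raise ValueError("wrong audience")
    if payload.get("exp", 0) < now:
        raise ValueError("expired")
    return payload


def services_connector_login(ad_record, now):
    """Steps 2-3: AD has validated the user (ad_record is the constructed result);
    the connector issues a login token addressed to the gateway."""
    claims = {"upn": ad_record["upn"], "email": ad_record["mail"], "groups": ad_record["groups"]}
    return issue_token("contoso-msc", KEYS["contoso-msc"], "mfg", claims, now)


def gateway_exchange(login_token, service, now):
    """Steps 4-5: validate the partner token, transform claims, issue a service token."""
    trusted = {name: p["key"] for name, p in PARTNERS.items()}
    payload = verify_token(login_token, trusted, "mfg", now)
    partner = PARTNERS[payload["iss"]]
    upn = payload["claims"]["upn"].lower()
    if not upn.endswith("@" + partner["domain"]):
        raise ValueError("partner may not assert identities for this domain")
    groups = payload["claims"].get("groups", [])
    transformed = {
        # stable pseudonym per (partner, user); the raw UPN does not leave the hub
        "nameid": hashlib.sha256(f'{payload["iss"]}|{upn}'.encode("utf-8")).hexdigest()[:32],
        "email": payload["claims"].get("email"),
        "role": "admin" if "CloudAdmins" in groups else "user",   # constructed mapping
    }
    allowed = SERVICE_POLICY.get(service)
    if allowed is None:
        raise ValueError("unknown service")
    released = {k: v for k, v in transformed.items() if k in allowed}
    return issue_token("mfg", KEYS["mfg"], service, released, now)


def service_accept(service_token, service, now):
    """Step 6: the service trusts exactly one issuer, the gateway."""
    return verify_token(service_token, {"mfg": KEYS["mfg"]}, service, now)["claims"]
```

Adding a second partner is one registry entry at the hub and adding a second service is one policy entry; no service ever learns a partner's key, which is the trust-management simplification the hub-and-spoke slide refers to.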
Q&A
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.