Post on 07-Jan-2016

Windows CardSpace

Martin Parry, Developer Evangelist, Microsoft

martin.parry@microsoft.com

Event slides will be posted at:

http://www.microsoft.com/uk/msdnevents

Identity: problems

Passwords too easy to crack, or too hard to remember

I want multiple identities

Results in identity silos

Banks etc. would like to make sign-on data a lot more complex

Users’ ability to remember is the obstacle

Nobody trusts a single organization to store all identity information

Identity: a new approach

Kim Cameron; www.identityblog.com

Seven laws of identity

We have interoperable WS-* specs

Allow multiple identity systems to take part

We have a standard format for credentials

SAML tokens

The Identity Metasystem

Security Tokens

SAML: Security Assertion Markup Language

Prevailing format for credentials today

What’s in a security token?

Collection of claims (self-asserted or verifiable)

Token signed by issuer

Issuing a token: use WS-Security and WS-Trust

Consuming a token: verify signature, decide if issuer is trusted

Read claims (for authZ decisions)

Example Security Token

Given Name: Martin

Family Name: Parry

Email: martin.parry@microsoft.com


Security Token Service

Give it something: username/password, X.509 certificate, another security token, biometric, etc.

[Slide diagram: the Security Token Service takes one of these credentials and returns a security token carrying the claims shown on the previous slide]

Federation

If users have accounts elsewhere and you trust the authN that takes place there

Don’t add user accounts to your system

Accept security tokens issued elsewhere

Establish trust between systems

WS-Federation

Think of B2B scenarios

Federation: example

Instead of provisioning a new user account for a partner, I’ll let her organization authenticate her

Automate the trust relationship

Ask user to supply a SAML token issued by a partner org

SAML token contains claims about the user

Partner org claims that this user’s name is Alice

Partner org claims that Alice is a Purchaser

Partner org claims that Alice is authorized to purchase bike parts

Reduces identity management burden and latency

Information Cards

Identities represented as cards

Users understand that they need to be careful when giving out credit card details

Self-issued “personal card”: created by user and held in local secure store

Private personal identifier

“Managed card”: issued by trusted Identity Provider

Visible locally but identity information is stored at IP

Cards do not contain security tokens

They represent my ability to supply a token

How it works

1. Access resource

2. Policy: “I would like a SAML 1.1 token, containing First Name, Surname, issued by *any*”

3. UI filters cards that can satisfy policy

4. User picks a card

5. Token is requested

6. Token is created

7. Token is presented

[Slide diagram: the user sits between the Relying Party and the Identity Provider; steps 1, 2 and 7 run against the Relying Party, steps 5 and 6 against the Identity Provider]

Demo

Create a self-issued card

Sign on to a website using the card

HTML

<form id="form1" method="post" action="login1.aspx">
  <div>
    <button type="submit">Click here to sign in</button>
    <!-- The information-card object tells the Identity Selector what token the site wants -->
    <object type="application/x-informationcard" name="xmlToken">
      <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
      <param name="issuer" value="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" />
      <param name="requiredClaims"
             value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
    </object>
  </div>
</form>

Server-side code

protected void Page_Load(object sender, EventArgs e)
{
    // The Identity Selector posts the token in the form field named by the <object> above
    string xmlToken = Request.Params["xmlToken"];
    if (xmlToken == null || xmlToken.Equals(""))
        ShowError("Token presented was null");
    else
    {
        // TokenHelper does the real work: it decrypts and verifies the token,
        // and the second argument is the site the token must have been issued for
        TokenHelper tokenHelper = new TokenHelper(xmlToken, "www.fabrikam.com");
        givenname.Text = tokenHelper.GetClaim(ClaimTypes.GivenName);
        surname.Text = tokenHelper.GetClaim(ClaimTypes.Surname);
        email.Text = tokenHelper.GetClaim(ClaimTypes.Email);
    }
}

Clearly all the work’s in TokenHelper

Get it in the samples at www.netfx3.com
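Worked example, added here and not from the slides or the netfx3.com TokenHelper: the relying-party checks the deck lists for consuming a token, written in Python rather than C# so it runs stand-alone, applied to a constructed SAML 1.1-style assertion carrying the three claims from the Example Security Token slide. It assumes XML signature verification has already been done by an XML-DSig library and covers what comes after: trusted issuer, validity window, audience ("www.fabrikam.com", as in the TokenHelper call) and the required claims from the requiredClaims policy; the issuer list and required-claim list are parameters, so the same function serves a managed-card issuer too.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
SELF_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
REQUIRED = [f"{CLAIMS}/{c}" for c in ("givenname", "surname", "emailaddress")]

def attr(name, value):
    # One SAML 1.x attribute; CardSpace maps namespace + "/" + name to a claim URI.
    return (f'<saml:Attribute AttributeName="{name}" AttributeNamespace="{CLAIMS}">'
            f"<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>")

# Constructed sample assertion shaped like the "Example Security Token" slide
# (a real token also carries an XML-DSig <Signature>, verified before this code runs).
SAMPLE_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML}" Issuer="{SELF_ISSUER}">
  <saml:Conditions NotBefore="2016-01-07T10:00:00Z" NotOnOrAfter="2016-01-07T10:05:00Z">
    <saml:AudienceRestrictionCondition><saml:Audience>www.fabrikam.com</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>{attr('givenname', 'Martin')}{attr('surname', 'Parry')}
    {attr('emailaddress', 'martin.parry@microsoft.com')}</saml:AttributeStatement>
</saml:Assertion>"""

def utc_time(ts):
    # SAML timestamps end in "Z"; fromisoformat before Python 3.11 needs "+00:00"
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def get_claims(token_xml, audience, trusted_issuers, required=REQUIRED, now=None):
    """Relying-party checks before trusting a token's claims: issuer is trusted,
    validity window holds, the token is addressed to this RP, and every claim
    the policy required is present. Raises ValueError on any failure."""
    now = now or datetime.now(timezone.utc)
    ns = {"saml": SAML}
    root = ET.fromstring(token_xml)
    if root.get("Issuer") not in trusted_issuers:
        raise ValueError(f"untrusted issuer: {root.get('Issuer')}")
    cond = root.find("saml:Conditions", ns)
    if not (utc_time(cond.get("NotBefore")) <= now < utc_time(cond.get("NotOnOrAfter"))):
        raise ValueError("token is outside its validity window")
    if audience not in [a.text for a in root.iterfind(".//saml:Audience", ns)]:
        raise ValueError("token was not issued for this relying party")
    claims = {f"{a.get('AttributeNamespace')}/{a.get('AttributeName')}":
              a.findtext("saml:AttributeValue", namespaces=ns)
              for a in root.iterfind(".//saml:Attribute", ns)}
    missing = [c for c in required if c not in claims]
    if missing:
        raise ValueError(f"required claims missing: {missing}")
    return claims
```

A token that passes every check yields a claim dictionary keyed by the same claim URIs the requiredClaims parameter lists, which is what the page then reads for its authZ decisions.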

How to implement a RP

Update user database: to include unique IDs from CardSpace

Create an association page: users can associate cards with their accounts

Update the sign-in page: to allow the use of cards (can still allow other credentials)

Update registration page: to allow the use of cards


Get the latest technology previews, trial software, special offers

Get information tailored to your needs

Pick your RSS feeds

Sign up for MSDN Connection at:

http://www.msdn.co.uk

Resources, tools and betas

Learn about development for Windows Live: http://dev.live.com

Useful resource for .NET Framework 3.0, the development platform for Windows Vista: http://www.netfx3.com

Get the latest betas for Windows Vista and Office 2007: http://www.microsoft.com/betaexperience

Try Visual Studio: http://www.microsoft.com/getthetrials

Check out the free Express versions of Visual Studio: http://msdn.microsoft.com/express

Learn about and try the new Web and client designer tools: http://www.microsoft.com/expression

Resources: http://www.gotdotnet.com and http://www.asp.net

Additional Information

UK MSDN Events Post events page including slide decks

http://www.microsoft.com/uk/msdnevents

Upcoming events: http://www.microsoft.com/uk/msdn/events/upcoming.aspx

UK MSDN Site & Flash Newsletter: local news, events, nuggets & webcasts

http://www.microsoft.com/uk/msdn

Register to receive the bi-weekly MSDN Flash by email

http://www.microsoft.com/uk/msdn/flash.aspx
