Claims-Based Identity: An Overview

Vittorio BertocciSr. Architect EvangelistMicrosoft CorporationARC204

Agenda

Introducing Claims-Based IdentityClaims-Based Identity ScenariosA Closer Look at ADFS 2.0, WIF, CardSpace 2.0

Introducing Claims-Based Identity

What was "Geneva"?

Three related technologies:Active Directory Federation Services 2.0

Codename “Geneva” ServerThe next release of Active Directory Federation Services (AD FS)

Windows CardSpace 2.0Codename CardSpace “Geneva”The next release of CardSpace

Windows Identity Foundation Codename “Geneva” Framework

“Geneva” delivers on the claims-based identity -vision

What is Identity?

An identity is a set of information about some entity, such as a user

Most applications work with identityIdentity information drives important aspects of an application’s behavior, such as:

Determining what a user is allowed to doControlling how the application interacts with the user

Defining the ProblemWorking with identity is too hard

Applications must use different identity technologies in different situations:

Active Directory (Kerberos) inside a Windows domainUsername/password on the InternetWS-Federation and the Security Assertion Markup Language (SAML) between organizations

Why not define one approach that can be used in all of these cases?

Claims-based identity allows thisIt can make life simpler for developers

Tokens and Claims Representing identity on the wire

A token is an artifact transporting identity information

This information consists of one or more claimsClaims are statements about an entity, asserted by the token issuer

Identity Providers and STSs

An identity provider is an authority that makes claims about an entity

Common identity providers today:On your company’s network: Your employerOn the Internet: Most often, you

An identity provider implements a security token service (STS)

It’s software that issues tokensRequests for tokens are made via

WS-TrustWS-FederationSAML

Many token formats can be usedThe SAML format is increasingly popular

Getting a TokenIllustrating an identity provider and its STS

Acquiring and Using a Token

Why Claims Are an Improvement

In today’s world, an application typically gets only simple “identity” information

Such as a user’s nameTo get more, the application must query:

A remote database, e.g., a directory serviceA local database

With claims-based identity, each application can ask for exactly the claims that it needs

The STS puts these in the token it creates

How Applications Can Use ClaimsSome examples

A claim can identify a userA claim can convey group or role membershipA claim can convey personalization information

Such as the user’s display nameA claim can grant or deny the right to do something

Such as access particular information or invoke specific methods

A claim can constrain the right to do something Such as indicating the user’s purchasing limit

Supporting Multiple IdentitiesUsing an identity selector

Scenarios

ADFS2

ADFS2.0 and WIF in an Enterprise

WIF

ADFS2WIF

Internet

Allowing Internet Access

Using an External Identity Provider

WIF

Identity Across OrganizationsDescribing the problem

A user in one Windows forest must access an application in another Windows forest

A user in a non-Windows world must access an application in a Windows forest (or vice-versa)

Identity Across OrganizationsPossible solutions

One option: duplicate accountsRequires separate login, extra administration

A better approach: identity federation One organizations accepts identities provided by the other

No duplicate accountsSingle sign-on for users

ADFS2

Organization X Organization Y

Identity Federation (1)

WIF

ADFS2

Organization X Organization Y

Identity Federation (2)

WIF

ADFS2

Delegation

WIFWIF

A Closer Look at ADFS2.0, WIF and CardSpace 2.0

Changes in ADFS 2.0From AD FS 1.x

AD FS 1.x supports only passive clients (i.e., browsers) using WS-FederationADFS 2.0:

Supports both active and passive clientsSupports WS-Federation, WS-Trust and the SAML 2.0 protocolImproves management of trust relationships

By automating some exchangesIssues Information Cards

Windows CardSpace 2.0Selecting identities

CardSpace 2.0 provides a consistent user interface for choosing an identity

Using the metaphor of cardsChoosing a card selects an identity (i.e., a token)

Information Cards

Behind each card a user sees is an information card

It’s an XML file that describes the set of claims the user may obtain from an identity provider

Information cards don’t contain:Claim values for the identityWhatever is required to authenticate to the identity provider’s STS

Information CardsAn illustration

Creating Industry Agreement

The Information Card Foundation is a multi-vendor group dedicated to making this technology successful

Its board members include Google, Microsoft, Novell, Oracle, and PayPal

A Web site can display a standard icon to indicate that it accepts card-based logins:

Changes in CardSpace 2.0From the first CardSpace release

CardSpace 2.0 is a complete rewrite in native code

smaller and faster CardSpace 2.0 contains optimizations for applications that users visit repeatedly

A Web site can display the card you last used to log in the site The CardSpace 2.0 prompt needn’t appear

Self-issued cards have been dropped

Windows Identity Foundation

The goal: Make it easier for developers to create claims-aware applications

Originally known as “Zermatt”Current Beta 2 under the codename “Geneva” Framework

WIF provides:Protocol & token handlingClasses for working with claimsTooling & Visual Studio integrationSupport for creating a custom STSMore

Conclusions

Changing how applications (and people) work with identity is not a small thing

Widespread adoption of claims-based identity will take time

Yet all of the pieces required to make claims-based identity real on Windows are coming:

ADFS 2.0Windows CardSpace 2.0Windows identity Foundation

ReferencesIntroducing “Geneva”: An Overview of the “Geneva” Server, CardSpace “Geneva”, and the “Geneva” Framework

[Link]Keith Brown’s “Geneva” Framework White Paper for Developers

[Link]

Entry page on Microsoft.comhttp://www.microsoft.com/forefront/geneva/en/us/

MSDN Forumshttp://social.msdn.microsoft.com/Forums/en-US/Geneva/threads/

Videoshttp://channel9.msdn.com/identity/

Blogshttp://blogs.msdn.com/cardhttp://blogs.msdn.com/vbertocci/

question & answer

www.microsoft.com/teched

Sessions On-Demand & Community

http://microsoft.com/technet

Resources for IT Professionals

http://microsoft.com/msdn

Resources for Developers

www.microsoft.com/learning

Microsoft Certification & Training Resources

Resources

Related ContentBreakout Sessions

•SEC305 Developing Identity-aware & more secure applications: using MIcrosoft Windows Identity Foundation for fun and profit

Complete an evaluation on CommNet and enter to win!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,

IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.