Advances in Digital Identity Steve Plank Identity Architect.
Connectivity: IP
Naming: DNS
Identity: no consistency; we taught users to type usernames & passwords into a web page
what is identity?
attributes:
• givenName: steve
• sn: plank
• preferredName: planky
• dateOfBirth: 170685!
• over18: true
• over21: true
• over65: false
• image
self asserted: what claims I make about myself
verifiable: what claims another party makes about me
elvis presley
only 1 of them is real
probably
trust
make these claims
SECURITY TOKEN: steve plank, over 18, over 21, under 65, image
security token service
give it something -> SECURITY TOKEN: Steve Plank, Over 18, Over 21, Under 65, image
a DIFFERENT SECURITY TOKEN: Username/Password, Biometric, Signature, Certificate, "Secret"
identity metasystem
participants: subject, identity provider, relying party (website)
identity providers: security token services (WS-*, SAML); x509
subject
relying parties
identity selector
human integration: consistent experience across contexts
cards
self-issued:
• contains claims about my identity that I assert
• not corroborated
• stored locally
• signed and encrypted to prevent replay attacks
managed:
• provided by banks, stores, government, clubs, etc
• locally stored cards contain metadata only!
• data stored by identity provider and obtained only when card submitted
login with self issued card
• user -> relying party (website): login (the page carries the information card object tag)
• user: select self issued card (Planky)
• identity selector: create token from card (FN: Steve, LN: Plank, Email: splank, CO: UK)
• user -> relying party (website): sign, encrypt & send token
login with managed card
• user -> relying party (website): login (the page carries the information card object tag)
• user: select managed card (WoodgroveBank)
• user -> identity provider (WoodgroveBank): request security token; authN: X.509, Kerberos, smart card, username/password…
• identity provider (WoodgroveBank) -> user: request security token response
• user -> relying party (website): sign, encrypt & send
<body>
  <form id="form1" method="post" action="login.aspx">
    <div>
      <button type="submit">
        Click here to sign in with your Information Card
      </button>
      <object type="application/x-informationcard" name="xmlToken">
        <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
        <param name="issuer" value="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" />
        <param name="requiredClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
      </object>
    </div>
  </form>
</body>
relying party (website)
xmlToken (signed & encrypted) -> token decrypter -> xmlToken (plaintext) -> claims extractor
claims extracted: first name, last name, phone
ppid: index into DB
user database: 123456789, 456
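The self-issued card login and the relying party's decrypt / extract / index pipeline, as an added example in Python that is not from the original presentation and is not CardSpace code. Only the claim, issuer and token-type URIs are taken from the page's object tag; the card contents, the RP identity, the clock, the record numbers and the PPID derivation (a SHA-256 stand-in for the real per-RP identifier) are assumptions made here. Signature verification and decryption, the page's "token decrypter", are assumed to have run before extract_claims is called. It goes slightly beyond the slides in checking the token's audience and validity window, which is what actually stops a token minted for a phishing site from being replayed at the bank.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Claim and issuer URIs come from the page's <object> tag; the rest is constructed.
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
SELF_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
REQUIRED_CLAIMS = [CLAIMS + n for n in
                   ("givenname", "surname", "emailaddress", "privatepersonalidentifier")]
RP_IDENTITY = "https://www.woodgrovebank.example"   # stands in for the RP's certificate
SAMPLE_CARD = {"id": b"urn:uuid:card-0001",          # constructed self-issued card
               "claims": {CLAIMS + "givenname": "Steve", CLAIMS + "surname": "Plank",
                          CLAIMS + "emailaddress": "splank"}}

def tag(name: str) -> str:
    return f"{{{SAML}}}{name}"          # qualified SAML 1.0 element name for ElementTree

def derive_ppid(card_id: bytes, rp_identity: str) -> str:
    """Simplified stand-in for the per-RP PPID: hashing the card ID with the RP's identity
    gives one card a different, unlinkable identifier at each site it is used on."""
    return base64.b64encode(hashlib.sha256(card_id + rp_identity.encode()).digest()).decode()

def build_assertion(card: dict, rp_identity: str, requested: list, now: datetime) -> str:
    """Selector side ('create token from card'): release only the requested claims,
    scope the token to one audience and give it a short validity window."""
    available = dict(card["claims"])
    available[CLAIMS + "privatepersonalidentifier"] = derive_ppid(card["id"], rp_identity)
    missing = [c for c in requested if c not in available]
    if missing:
        raise ValueError(f"card cannot satisfy required claims: {missing}")
    root = ET.Element(tag("Assertion"), {"MajorVersion": "1", "MinorVersion": "0",
                                         "Issuer": SELF_ISSUER, "IssueInstant": now.isoformat()})
    cond = ET.SubElement(root, tag("Conditions"), {
        "NotBefore": now.isoformat(), "NotOnOrAfter": (now + timedelta(minutes=5)).isoformat()})
    restriction = ET.SubElement(cond, tag("AudienceRestrictionCondition"))
    ET.SubElement(restriction, tag("Audience")).text = rp_identity
    statement = ET.SubElement(root, tag("AttributeStatement"))
    for uri in requested:
        attr = ET.SubElement(statement, tag("Attribute"), {
            "AttributeName": uri.rsplit("/", 1)[1], "AttributeNamespace": CLAIMS.rstrip("/")})
        ET.SubElement(attr, tag("AttributeValue")).text = available[uri]
    return ET.tostring(root, encoding="unicode")

def extract_claims(xml_token: str, rp_identity: str, required: list, now: datetime) -> dict:
    """RP side ('claims extractor'). Assumes the WS-Security layer, the page's 'token
    decrypter', has already decrypted the token and verified the signature over it."""
    root = ET.fromstring(xml_token)
    if root.tag != tag("Assertion") or root.get("Issuer") != SELF_ISSUER:
        raise ValueError("not a SAML 1.0 assertion from the self-issued card issuer")
    cond = root.find(tag("Conditions"))
    if cond is None or rp_identity not in [a.text for a in cond.iter(tag("Audience"))]:
        raise ValueError("token is not audience-restricted to this relying party")
    if not (datetime.fromisoformat(cond.get("NotBefore")) <= now
            < datetime.fromisoformat(cond.get("NotOnOrAfter"))):
        raise ValueError("token outside its validity window (stale or replayed)")
    claims = {attr.get("AttributeNamespace") + "/" + attr.get("AttributeName"):
              attr.findtext(tag("AttributeValue")) for attr in root.iter(tag("Attribute"))}
    missing = [c for c in required if c not in claims]
    if missing:
        raise ValueError(f"token lacks required claims: {missing}")
    return claims

class UserDatabase:
    """The 'ppid index into DB' step: the PPID, not the name or e-mail, is the key."""

    def __init__(self) -> None:
        self._by_ppid, self._next_record = {}, 123456789   # constructed first record number

    def login_or_enrol(self, claims: dict) -> dict:
        ppid = claims[CLAIMS + "privatepersonalidentifier"]
        if ppid not in self._by_ppid:                       # first visit: enrol from the claims
            self._by_ppid[ppid] = {"record": self._next_record,
                                   "first_name": claims[CLAIMS + "givenname"],
                                   "last_name": claims[CLAIMS + "surname"],
                                   "email": claims[CLAIMS + "emailaddress"]}
            self._next_record += 1
        return self._by_ppid[ppid]

def run_demo() -> dict:
    """Two logins with one card hit one record; a token minted for another site, or
    presented after it expires, is rejected."""
    now = datetime(2007, 5, 1, 9, 0, tzinfo=timezone.utc)      # constructed clock
    db, rejected = UserDatabase(), {}
    token = build_assertion(SAMPLE_CARD, RP_IDENTITY, REQUIRED_CLAIMS, now)
    claims = extract_claims(token, RP_IDENTITY, REQUIRED_CLAIMS, now + timedelta(minutes=1))
    first = db.login_or_enrol(claims)
    second = db.login_or_enrol(claims)                           # returning user, same PPID
    for name, rp, at in (("wrong_audience", "https://phisher.example", now),
                         ("expired", RP_IDENTITY, now + timedelta(hours=1))):
        try:
            extract_claims(token, rp, REQUIRED_CLAIMS, at)
            rejected[name] = False
        except ValueError:
            rejected[name] = True
    return {"claims": claims, "first_login": first, "same_user": first is second, "rejected": rejected}
```

Keying the user record on the PPID rather than on the e-mail or name claims matters because those are self-asserted and not corroborated, while the PPID is tied to the card and, through its per-RP derivation, cannot be used by two sites to correlate the same user. The audience and validity checks are the RP's half of the "signed and encrypted to prevent replay attacks" bullet: signing and encryption stop tampering and eavesdropping, but a token presented at the wrong site or long after issue must be refused by the RP itself.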
demo
review
• identity layer
• phishing, phraud
• human integration
• consistent experience across contexts
• ip (identity provider)
• rp (relying party)
• user
• identity selector
Presentation style mercilessly stolen off Lawrence Lessig, BBC News 24 and Dick Hardt