An Identity on the Internet
Transcript of An Identity on the Internet
![Page 1: An Identity on the Internet](https://reader035.fdocuments.us/reader035/viewer/2022062309/568157c2550346895dc54592/html5/thumbnails/1.jpg)
An Identity on the Internet
Steve Plank, Identity Architect
Microsoft UK
![Page 2: An Identity on the Internet](https://reader035.fdocuments.us/reader035/viewer/2022062309/568157c2550346895dc54592/html5/thumbnails/2.jpg)
topics
• phishing, phraud
• identity layer
• 7 laws
• human integration
• consistent experience across contexts
• Identity metasystem
• ip
• rp
• user
• identity selector
![Page 3: An Identity on the Internet](https://reader035.fdocuments.us/reader035/viewer/2022062309/568157c2550346895dc54592/html5/thumbnails/3.jpg)
bad person’s database
web server
under the control of somebody else
****************
www.identitytheft.com
www.mybank.com.net.iwill.take.over.your.life.com/dodgy.php
![Page 4: An Identity on the Internet](https://reader035.fdocuments.us/reader035/viewer/2022062309/568157c2550346895dc54592/html5/thumbnails/4.jpg)
IIS
Credentials database
FormsAuthentication.SetLoginCookie()
www.newcorp.com
www.megacorp.com
Application Error:
Cross-domain cookie. A cookie has been received from a security domain other than the one to which this web server is a member. This is a potential security breach. Please consult the application or web server administrator.
Custom Solution
Custom Solution
Custom Solution
![Page 5: An Identity on the Internet](https://reader035.fdocuments.us/reader035/viewer/2022062309/568157c2550346895dc54592/html5/thumbnails/5.jpg)
Connectivity
Naming
IP
DNS
Identity: no consistency
![Page 6: An Identity on the Internet](https://reader035.fdocuments.us/reader035/viewer/2022062309/568157c2550346895dc54592/html5/thumbnails/6.jpg)
• User control and consent
• Minimal disclosure for a defined use
• Justifiable parties
• Directional identity
• Pluralism of operators and technologies
• Human integration
• Consistent experience across contexts
![Page 7: An Identity on the Internet](https://reader035.fdocuments.us/reader035/viewer/2022062309/568157c2550346895dc54592/html5/thumbnails/7.jpg)
• Human integration
• Consistent experience across contexts
Planky’s Card
Card Collection
![Page 8: An Identity on the Internet](https://reader035.fdocuments.us/reader035/viewer/2022062309/568157c2550346895dc54592/html5/thumbnails/8.jpg)
Identity Provider
First name Last name Email .......
Steve Plank [email protected] ......
Bob Smith [email protected] ......
Identity Selector
Subject
1:1 relationship between cards and identity providers
Locally installed software: not under somebody else’s control
![Page 9: An Identity on the Internet](https://reader035.fdocuments.us/reader035/viewer/2022062309/568157c2550346895dc54592/html5/thumbnails/9.jpg)
Metadata:
URI of the Identity Provider
Claims you can get from the IP:
• givenname
• lastname
• email
• user-id
• etc.
Identity Provider
First name Last name Email .......
Steve Plank [email protected] ......
Bob Smith [email protected] ......
digital signature
![Page 10: An Identity on the Internet](https://reader035.fdocuments.us/reader035/viewer/2022062309/568157c2550346895dc54592/html5/thumbnails/10.jpg)
Identity Provider
digital signature
cryptographic binding between the card and the IP
![Page 11: An Identity on the Internet](https://reader035.fdocuments.us/reader035/viewer/2022062309/568157c2550346895dc54592/html5/thumbnails/11.jpg)
• Pluralism of operators and technologies
• Human integration
• Consistent experience across contexts
There will be many Identity Providers, each running its own technology stack
OR
![Page 12: An Identity on the Internet](https://reader035.fdocuments.us/reader035/viewer/2022062309/568157c2550346895dc54592/html5/thumbnails/12.jpg)
Relying Party
Identity Provider
Subject
Identity Metasystem
Microsoft Identity MetaSystem
WS-* HTML
WS-*
Web Service
WS-*
Web Site
HTML
```xml
<sp:IssuedToken ...>
  ...
  <sp:RequestSecurityTokenTemplate>
    ...
    <wst:Claims wst:Dialect="http://schemas.microsoft.com/ws/2005/05/identity">
      <ic:Claim URI="http://.../ws/2005/05/identity/claims/givenname"/>
      <ic:Claim URI="http://.../ws/2005/05/identity/claims/surname"/>
      <ic:Claim URI="http://.../ws/2005/05/identity/claims/email"/>
      <ic:Claim URI="http://.../ws/2005/05/identity/claims/privatepersonalidentifier"/>
    </wst:Claims>
  </sp:RequestSecurityTokenTemplate>
  ...
</sp:IssuedToken>
```
```html
<object type="application/x-informationcard" name="_xmlToken">
  <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
  <param name="requiredClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
</object>
```
![Page 13: An Identity on the Internet](https://reader035.fdocuments.us/reader035/viewer/2022062309/568157c2550346895dc54592/html5/thumbnails/13.jpg)
Relying Party
Identity Selector’s Built-in Identity Provider
Subject
Identity Metasystem
2 degrees of store protection:
System Key
Password Key
Personal Cards: fixed schema
![Page 14: An Identity on the Internet](https://reader035.fdocuments.us/reader035/viewer/2022062309/568157c2550346895dc54592/html5/thumbnails/14.jpg)
personal cards: what claims I make about myself; fixed schema (protect the users from themselves!)
managed cards: what claims another party makes about me; flexible schema
![Page 15: An Identity on the Internet](https://reader035.fdocuments.us/reader035/viewer/2022062309/568157c2550346895dc54592/html5/thumbnails/15.jpg)
elvis presley
only 1 of them is real
probably
![Page 16: An Identity on the Internet](https://reader035.fdocuments.us/reader035/viewer/2022062309/568157c2550346895dc54592/html5/thumbnails/16.jpg)
SECURITY TOKEN
• Steve Plank
• Over 18
• Over 21
• Under 65
• image
• SAML Token
• XrML License
• X.509 Certificate
• Kerberos ticket
• ... others
![Page 17: An Identity on the Internet](https://reader035.fdocuments.us/reader035/viewer/2022062309/568157c2550346895dc54592/html5/thumbnails/17.jpg)
security token service
give it something (Username, Password, Biometric, Signature, Certificate) → DIFFERENT SECURITY TOKEN
![Page 18: An Identity on the Internet](https://reader035.fdocuments.us/reader035/viewer/2022062309/568157c2550346895dc54592/html5/thumbnails/18.jpg)
relying party
identity provider
subject
click login button
policy: uri of ip, required claims, optional claims, token type
get policy, authenticate, RST
identity.provider.com requires username and password to validate this request. Enter the information below
policy: authn reqs, token types, ...
RSTR
![Page 19: An Identity on the Internet](https://reader035.fdocuments.us/reader035/viewer/2022062309/568157c2550346895dc54592/html5/thumbnails/19.jpg)
relying party
identity provider
subject
real token
display token
• givenname: Steve
• surname: Plank
• emailaddress: [email protected]
• privatepersonalidentifier: planky123
Do you want to send this card to: ip.sisa.com
token authentication
token decryption
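The exchange on the last two slides as a runnable simulation, added here and not part of the deck: the relying party publishes its policy in the slide-12 object tag, the identity selector offers only cards whose IP can satisfy every required claim, the IP authenticates the subject and answers the RST with an RSTR carrying a signed token of just the requested claims (plus a display token), and the RP authenticates the token before trusting it. The HMAC key, the card, the credential, the IP database and the per-RP PPID derivation are constructed stand-ins; a real IP signs with its private key and the RP verifies against the IP's certificate.

```python
import hashlib, hmac, json, re
NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Constructed RP page fragment shaped like the slide-12 <object> tag; this is the RP's policy.
RP_HTML = ('<object type="application/x-informationcard" name="_xmlToken">'
           '<param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />'
           f'<param name="requiredClaims" value="{NS}givenname {NS}surname {NS}privatepersonalidentifier" />'
           '</object>')
# Constructed managed card (slide-9 metadata): the IP it belongs to and the claims that IP can issue.
CARD = {"id": "card-42", "ip": "ip.sisa.com",
        "claims": [NS + c for c in ("givenname", "surname", "emailaddress", "privatepersonalidentifier")]}
IP_KEY = b"constructed-ip-signing-key"  # HMAC key standing in for the IP's signing key
IP_DB = {"planky": {NS + "givenname": "Steve", NS + "surname": "Plank", NS + "emailaddress": "planky@example.com"}}

def rp_policy(html):
    """RP: the token type and required claims, read from the object tag's params."""
    p = dict(re.findall(r'<param name="(\w+)" value="([^"]*)"', html))
    return {"tokenType": p["tokenType"], "requiredClaims": p["requiredClaims"].split()}

def select_card(policy, cards):
    """Identity selector: only cards whose IP can supply every required claim are offered."""
    return [c for c in cards if set(policy["requiredClaims"]) <= set(c["claims"])]

def ip_issue(rst, user, password):
    """IP: authenticate the subject, then answer the RST with an RSTR carrying a signed token."""
    if password != "correct horse":  # constructed credential
        raise PermissionError("authentication failed")
    claims = {u: IP_DB[user][u] for u in rst["claims"] if u in IP_DB[user]}  # minimal disclosure
    if NS + "privatepersonalidentifier" in rst["claims"]:
        # Directional identity: the PPID is derived per (card, RP) so two RPs cannot correlate the user.
        claims[NS + "privatepersonalidentifier"] = hashlib.sha256(f'{rst["card"]}|{rst["rp"]}'.encode()).hexdigest()[:16]
    body = json.dumps({"iss": "ip.sisa.com", "aud": rst["rp"], "claims": claims}, sort_keys=True)
    sig = hmac.new(IP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"token": body, "signature": sig, "display_token": dict(claims)}  # real token + display token

def rp_verify(rstr, rp):
    """RP: token authentication. Check the IP's signature and the audience before trusting any claim."""
    expected = hmac.new(IP_KEY, rstr["token"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, rstr["signature"]):
        raise ValueError("bad signature")
    tok = json.loads(rstr["token"])
    if tok["aud"] != rp:
        raise ValueError("token was issued for a different relying party")
    return tok["claims"]

def login(rp, password="correct horse"):
    """Whole slide-18/19 flow: get policy, pick a card, RST to the IP, RSTR back to the RP."""
    policy = rp_policy(RP_HTML)
    card = select_card(policy, [CARD])[0]
    rst = {"card": card["id"], "rp": rp, "claims": policy["requiredClaims"], "tokenType": policy["tokenType"]}
    return rp_verify(ip_issue(rst, "planky", password), rp)
```

Running `login("www.megacorp.com")` and `login("www.newcorp.com")` yields the same name claims but different PPIDs, and the email address the IP holds is never sent because the RP did not ask for it.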
![Page 20: An Identity on the Internet](https://reader035.fdocuments.us/reader035/viewer/2022062309/568157c2550346895dc54592/html5/thumbnails/20.jpg)
topics
• phishing, phraud
• identity layer
• 7 laws
• human integration
• consistent experience across contexts
• Identity metasystem
• ip
• rp
• user
• identity selector