An Identity on the Internet


Page 1: An Identity on the Internet

An Identity on the Internet

Steve Plank, Identity Architect

Microsoft UK

Page 2: An Identity on the Internet

topics

• phishing, phraud

• identity layer

• 7 laws

• human integration

• consistent experience across contexts

• Identity metasystem

• ip

• rp

• user

• identity selector

Page 3: An Identity on the Internet

bad person’s database

web server

under the control of somebody else

[email protected]

****************

www.identitytheft.com

www.mybank.com.net.iwill.take.over.your.life.com/dodgy.php

Page 4: An Identity on the Internet

IIS

Credentials database

FormsAuthentication.SetLoginCookie()

www.newcorp.com

www.megacorp.com

Application Error:

Cross-domain cookie. A cookie has been received from a security domain other than the one to which this web server is a member. This is a potential security breach. Please consult the application or web server administrator.

Custom Solution

Custom Solution

Custom Solution

Page 5: An Identity on the Internet

Connectivity: IP

Naming: DNS

Identity: no consistency

Page 6: An Identity on the Internet

• User control and consent

• Minimal disclosure for a defined use

• Justifiable parties

• Directional identity

• Pluralism of operators and technologies

• Human integration

• Consistent experience across contexts

Page 7: An Identity on the Internet

• Human integration

• Consistent experience across contexts

Planky’s Card

Card Collection

Page 8: An Identity on the Internet

Identity Provider

First name Last name Email .......

Steve Plank [email protected] ......

Bob Smith [email protected] ......

Identity Selector

Subject

1:1 relationship between cards and identity providers

Locally installed software: not under somebody else’s control

Page 9: An Identity on the Internet

Metadata:

URI of the Identity Provider

Claims you can get from the IP:

givenname:

lastname:

email:

user-id:

etc:

Identity Provider

First name Last name Email .......

Steve Plank [email protected] ......

Bob Smith [email protected] ......

digital signature

Page 10: An Identity on the Internet

Identity Provider

digital signature

cryptographic binding between the card and the IP

Page 11: An Identity on the Internet

• Pluralism of operators and technologies

• Human integration

• Consistent experience across contexts

There will be many Identity Providers, each running its own technology stack

OR

Page 12: An Identity on the Internet

Relying Party

Identity Provider

Subject

Identity Metasystem

Microsoft Identity MetaSystem

WS-* HTML

WS-*

Web Service

WS-*

Web Site

HTML

<sp:IssuedToken ...>
  ...
  <sp:RequestSecurityTokenTemplate>
    ...
    <wst:Claims wst:Dialect="http://schemas.microsoft.com/ws/2005/05/identity">
      <ic:Claim URI="http://.../ws/2005/05/identity/claims/givenname"/>
      <ic:Claim URI="http://.../ws/2005/05/identity/claims/surname"/>
      <ic:Claim URI="http://.../ws/2005/05/identity/claims/email"/>
      <ic:Claim URI="http://.../ws/2005/05/identity/claims/privatepersonalidentifier"/>
    </wst:Claims>
  </sp:RequestSecurityTokenTemplate>
  ...
</sp:IssuedToken>

<object type="application/x-informationcard" name="_xmlToken">
  <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
  <param name="requiredClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
</object>

Page 13: An Identity on the Internet

Relying Party

Identity Selector’s Built-in Identity Provider

Subject

Identity Metasystem

2 degrees of store protection:

System Key

Password Key

Personal Cards: fixed schema

Page 14: An Identity on the Internet

personal cards: what claims I make about myself; fixed schema (protect the users from themselves!)

managed cards: what claims another party makes about me; flexible schema

Page 15: An Identity on the Internet

elvis presley

only 1 of them is real

probably

Page 16: An Identity on the Internet

SECURITY TOKEN

Steve Plank

Over 18

Over 21

Under 65

image

SAML Token

XrML License

X.509 Certificate

Kerberos ticket

... others

Page 17: An Identity on the Internet

security token service

give it something

DIFFERENT SECURITY TOKEN

Username/Password

Biometric/Signature

Certificate

Page 18: An Identity on the Internet

relying party

identity provider

subject

click login button

policy: URI of IP, required claims, optional claims, token type

get policy

authenticate

RST

identity.provider.com requires username and password to validate this request. Enter the information below

policy: authn reqs, token types ...

RSTR

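An added example, not part of the deck, of the "get policy" step on slide 18 in Python: it parses the relying party's object tag from slide 12, selects the cards whose identity provider can issue the requested token type with every required claim (the card metadata of slide 9), and checks a returned token's claims against the policy as the relying party would on slide 19. The card list, the second card, the issuer URLs and the claim lists are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the relying party's object tag from slide 12 (same claim URIs).
RP_OBJECT_TAG = """<object type="application/x-informationcard" name="_xmlToken">
  <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
  <param name="requiredClaims" value="
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
</object>"""

CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
SAML10 = "urn:oasis:names:tc:SAML:1.0:assertion"

def parse_rp_policy(object_tag):
    """'get policy' on slide 18: token type plus required/optional claim URIs."""
    obj = ET.fromstring(object_tag)
    if obj.get("type") != "application/x-informationcard":
        raise ValueError("not an information card request")
    params = {p.get("name"): p.get("value", "") for p in obj.findall("param")}
    return {
        "tokenType": params.get("tokenType"),
        # whitespace-separated URI lists; split() also absorbs the newlines above
        "requiredClaims": frozenset(params.get("requiredClaims", "").split()),
        "optionalClaims": frozenset(params.get("optionalClaims", "").split()),
    }

# Constructed card metadata (slide 9): issuer URI, token types and claims the IP can assert.
CARDS = [
    {"name": "Planky's Card", "issuer": "https://ip.sisa.com/sts",
     "tokenTypes": {SAML10},
     "claims": {CLAIMS + c for c in
                ("givenname", "surname", "emailaddress", "privatepersonalidentifier")}},
    {"name": "Age card", "issuer": "https://ip.example.invalid/sts",  # constructed
     "tokenTypes": {SAML10}, "claims": {CLAIMS + "over18"}},
]

def cards_satisfying(policy, cards):
    """Cards whose IP issues the requested token type and every required claim."""
    return [c["name"] for c in cards
            if policy["tokenType"] in c["tokenTypes"]
            and policy["requiredClaims"] <= c["claims"]]

def missing_claims(policy, token_claims):
    """RP-side check on the returned token (slide 19): required claims not asserted."""
    return policy["requiredClaims"] - frozenset(token_claims)
```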

Page 19: An Identity on the Internet

relying party

identity provider

subject

real token

display token

* givenname: Steve

* surname: Plank

* emailaddress: [email protected]

* privatepersonalidentifier: planky123

Do you want to send this card to: ip.sisa.com


token authentication

token decryption

Page 20: An Identity on the Internet

topics

• phishing, phraud

• identity layer

• 7 laws

• human integration

• consistent experience across contexts

• Identity metasystem

• ip

• rp

• user

• identity selector