Claims-Based Identity: An Overview
Transcript of session ARC204 by Vittorio Bertocci, Sr. Architect Evangelist, Microsoft Corporation.
Claims-Based Identity: An Overview
Vittorio Bertocci
Sr. Architect Evangelist
Microsoft Corporation
ARC204
Agenda
• Introducing Claims-Based Identity
• Claims-Based Identity Scenarios
• A Closer Look at ADFS 2.0, WIF, CardSpace 2.0
Introducing Claims-Based Identity
What was "Geneva"?
Three related technologies:
• Active Directory Federation Services 2.0: codename "Geneva" Server, the next release of Active Directory Federation Services (AD FS)
• Windows CardSpace 2.0: codename CardSpace "Geneva", the next release of CardSpace
• Windows Identity Foundation: codename "Geneva" Framework
"Geneva" delivers on the claims-based identity vision
What is Identity?
An identity is a set of information about some entity, such as a user
Most applications work with identity
Identity information drives important aspects of an application's behavior, such as:
• Determining what a user is allowed to do
• Controlling how the application interacts with the user
Defining the Problem: Working with identity is too hard
Applications must use different identity technologies in different situations:
• Active Directory (Kerberos) inside a Windows domain
• Username/password on the Internet
• WS-Federation and the Security Assertion Markup Language (SAML) between organizations
Why not define one approach that can be used in all of these cases?
Claims-based identity allows this; it can make life simpler for developers
Tokens and Claims: Representing identity on the wire
A token is an artifact transporting identity information
This information consists of one or more claims
Claims are statements about an entity, asserted by the token issuer
A claim is only as trustworthy as its issuer: the issuer signs the token, and an application must verify that signature (and that the token was meant for it and is still valid) before acting on any claim inside it
Identity Providers and STSs
An identity provider is an authority that makes claims about an entity
Common identity providers today:
• On your company's network: your employer
• On the Internet: most often, you
An identity provider implements a security token service (STS)
• It's software that issues tokens
• Requests for tokens are made via WS-Trust, WS-Federation, or SAML
Many token formats can be used; the SAML assertion format is increasingly popular
Getting a Token: Illustrating an identity provider and its STS (diagram)
Acquiring and Using a Token (diagram)
Why Claims Are an Improvement
In today's world, an application typically gets only simple "identity" information, such as a user's name
To get more, the application must query:
• A remote database, e.g., a directory service
• A local database
With claims-based identity, each application can ask for exactly the claims that it needs
The STS puts these in the token it creates
How Applications Can Use Claims: Some examples
• A claim can identify a user
• A claim can convey group or role membership
• A claim can convey personalization information, such as the user's display name
• A claim can grant or deny the right to do something, such as access particular information or invoke specific methods
• A claim can constrain the right to do something, such as indicating the user's purchasing limit
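The five uses of claims listed on this slide, worked through as an added example that is not part of the original deck. It is written in Python rather than the .NET/WIF code the talk targets; the application-specific claim type URIs (display name, action, purchase limit), the STS address and the sample principals are constructed for the example, while the name and role claim type URIs are the ones WIF's ClaimTypes class uses. The point it adds to the slide: every claim carries its issuer, and only claims from an issuer the application trusts may grant or constrain a right.

```python
"""Authorization driven by claims rather than by lookups in a local database.
Each claim records its issuer; only claims from a trusted STS may grant or
constrain rights, so a self-asserted "Buyer" or limit claim changes nothing."""
from dataclasses import dataclass
from decimal import Decimal

# Standard claim type URIs as WIF's ClaimTypes.Name and ClaimTypes.Role define them.
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
# Application-specific claim types; these URIs are assumed for the example.
DISPLAY_NAME = "http://claims.example.com/displayname"        # personalization
ACTION = "http://claims.example.com/action"                  # grants a right
PURCHASE_LIMIT = "http://claims.example.com/purchaselimit"   # constrains a right
TRUSTED = {"https://sts.contoso.example"}                    # assumed STS address

@dataclass(frozen=True)
class Claim:
    type: str
    value: str
    issuer: str

class ClaimsPrincipal:
    """The identity an application sees after token validation: a bag of
    claims, each remembering which issuer asserted it."""
    def __init__(self, claims, trusted_issuers):
        self.claims, self.trusted = list(claims), set(trusted_issuers)

    def find_all(self, claim_type, authoritative=True):
        # authoritative=True keeps only claims from issuers allowed to confer rights.
        return [c for c in self.claims if c.type == claim_type
                and (not authoritative or c.issuer in self.trusted)]

    def find_first(self, claim_type, authoritative=True):
        found = self.find_all(claim_type, authoritative)
        return found[0].value if found else None

    def is_in_role(self, role):
        return any(c.value == role for c in self.find_all(ROLE))

    def has_action(self, action):
        return any(c.value == action for c in self.find_all(ACTION))

def greeting(principal):
    """Personalization: a display name claim, else the name claim. Nothing is
    gated on it, so a claim from any issuer will do."""
    shown = (principal.find_first(DISPLAY_NAME, authoritative=False)
             or principal.find_first(NAME, authoritative=False) or "guest")
    return f"Welcome, {shown}"

def authorize_purchase(principal, amount):
    """May this principal submit a purchase of `amount`? Returns (allowed, reason)
    so the caller can log why a request was refused."""
    if not principal.is_in_role("Buyer"):
        return False, "not in Buyer role"
    if not principal.has_action("purchase:submit"):
        return False, "no trusted claim grants purchase:submit"
    limit = principal.find_first(PURCHASE_LIMIT)
    if limit is None:
        return False, "no purchasing limit asserted by a trusted issuer"
    if Decimal(amount) > Decimal(limit):
        return False, f"amount {amount} exceeds limit {limit}"
    return True, "ok"

def sample_principals():
    """Constructed principals: alice's rights come from the trusted STS and she
    also carries a self-asserted claim; mallory's claims are all self-asserted."""
    sts, me = "https://sts.contoso.example", "self-asserted"
    alice = ClaimsPrincipal([
        Claim(NAME, "alice", sts), Claim(DISPLAY_NAME, "Alice", sts),
        Claim(ROLE, "Buyer", sts), Claim(ACTION, "purchase:submit", sts),
        Claim(PURCHASE_LIMIT, "5000", sts),
        Claim(PURCHASE_LIMIT, "1000000", me),      # ignored: not a trusted issuer
    ], TRUSTED)
    mallory = ClaimsPrincipal([
        Claim(NAME, "mallory", me), Claim(ROLE, "Buyer", me),
        Claim(ACTION, "purchase:submit", me), Claim(PURCHASE_LIMIT, "99999", me),
    ], TRUSTED)
    return {"alice": alice, "mallory": mallory}
```

Calling `authorize_purchase(sample_principals()["alice"], "4500.00")` allows the purchase, while mallory is refused at the role check even though she presents the same claim types, because none of hers came from the trusted STS. Personalization deliberately accepts any issuer: a spoofed display name is harmless, a spoofed role is not.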
Supporting Multiple Identities: Using an identity selector (diagram)
Scenarios
ADFS 2.0 and WIF in an Enterprise (diagram: ADFS 2.0 and WIF)
Allowing Internet Access (diagram: ADFS 2.0, WIF, Internet)
Using an External Identity Provider (diagram: WIF)
Identity Across Organizations: Describing the problem
• A user in one Windows forest must access an application in another Windows forest
• A user in a non-Windows world must access an application in a Windows forest (or vice versa)
Identity Across Organizations: Possible solutions
One option: duplicate accounts
• Requires separate login, extra administration
A better approach: identity federation
• One organization accepts identities provided by the other
• No duplicate accounts
• Single sign-on for users
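The token flow from the Tokens and Claims, Identity Providers and STSs, and Why Claims Are an Improvement slides, together with the federation case on this slide, as one added example that is not part of the original deck. It is in Python rather than the .NET/WIF code the talk targets; the issuer addresses, signing keys, attribute store and claim-transformation rules are constructed for the example. Tokens are HMAC-signed JSON standing in for the X.509-signed SAML assertions an ADFS 2.0 STS issues; what carries over unchanged is the set of checks a relying party must make before believing a claim (trusted issuer, signature, audience, lifetime) and the federation shape, in which Organization Y's STS accepts X's token and re-issues the claims under its own signature so Y's applications trust only Y's STS.

```python
"""Issue, validate and federate claims tokens with a minimal STS. Tokens are
HMAC-signed JSON standing in for signed SAML assertions; the relying party
performs the same checks a WIF token handler does before any claim is believed."""
import base64, hashlib, hmac, json, time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class SecurityTokenService:
    """An identity provider's STS: the subject is assumed already
    authenticated; it issues a token holding only the claims requested."""
    def __init__(self, issuer, signing_key, attribute_store):
        self.issuer, self.key, self.store = issuer, signing_key, attribute_store

    def _sign(self, subject, applies_to, claims, lifetime, now):
        now = int(time.time()) if now is None else now
        body = {"iss": self.issuer, "aud": applies_to, "sub": subject,
                "nbf": now, "exp": now + lifetime, "claims": claims}
        payload = _b64(json.dumps(body, sort_keys=True).encode())
        sig = hmac.new(self.key, payload.encode(), hashlib.sha256).digest()
        return payload + "." + _b64(sig)

    def issue(self, subject, applies_to, requested_claims, lifetime=300, now=None):
        attrs = self.store[subject]
        # Only the requested claims leave the IdP; the rest of the profile stays home.
        claims = {c: attrs[c] for c in requested_claims if c in attrs}
        return self._sign(subject, applies_to, claims, lifetime, now)

class RelyingParty:
    """A claims-aware application: trusts a fixed set of issuers and reads
    claims only from a token that passes every check in validate()."""
    def __init__(self, audience, trusted_issuers):
        self.audience, self.trusted = audience, trusted_issuers   # issuer -> key

    def validate(self, token, now=None):
        now = int(time.time()) if now is None else now
        payload, sig = token.split(".")
        body = json.loads(_unb64(payload))        # untrusted until the signature checks
        key = self.trusted.get(body.get("iss"))
        if key is None:
            raise ValueError("untrusted issuer")
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            raise ValueError("bad signature")
        if body.get("aud") != self.audience:      # a token for another app is not ours
            raise ValueError("token not issued for this application")
        if not body["nbf"] <= now < body["exp"]:
            raise ValueError("token outside its validity window")
        return body

class FederationProvider(SecurityTokenService):
    """Organization Y's STS trusting Organization X's STS: validates X's token,
    maps X's claims into Y's vocabulary and re-issues them under Y's own key,
    so Y's applications only ever need to trust Y's STS."""
    def __init__(self, issuer, signing_key, partner_keys, claim_rules, passthrough):
        super().__init__(issuer, signing_key, attribute_store={})
        self.partners = RelyingParty(audience=issuer, trusted_issuers=partner_keys)
        self.rules, self.passthrough = claim_rules, set(passthrough)

    def federate(self, partner_token, applies_to, lifetime=300, now=None):
        inbound = self.partners.validate(partner_token, now)
        outbound = {c: v for c, v in inbound["claims"].items() if c in self.passthrough}
        for name, value in inbound["claims"].items():
            if (name, value) in self.rules:         # e.g. X's group -> Y's role
                local_name, local_value = self.rules[(name, value)]
                outbound[local_name] = local_value
        return self._sign(inbound["sub"], applies_to, outbound, lifetime, now)

def demo(now=1_700_000_000):
    """Direct issuance, cross-organization federation, and two refusals."""
    x_key, y_key = b"org-x-signing-secret", b"org-y-signing-secret"
    sts_x = SecurityTokenService("https://sts.x.example", x_key, {  # constructed profile
        "alice": {"email": "alice@x.example", "group": "Purchasing", "phone": "+1-555-0100"}})
    app_x = RelyingParty("https://app.x.example", {"https://sts.x.example": x_key})
    tok = sts_x.issue("alice", "https://app.x.example", ["email", "group"], now=now)
    direct = app_x.validate(tok, now)["claims"]     # no phone claim: it was not requested
    sts_y = FederationProvider("https://sts.y.example", y_key,
                               partner_keys={"https://sts.x.example": x_key},
                               claim_rules={("group", "Purchasing"): ("role", "Buyer")},
                               passthrough=["email"])
    app_y = RelyingParty("https://app.y.example", {"https://sts.y.example": y_key})
    partner_tok = sts_x.issue("alice", "https://sts.y.example", ["email", "group"], now=now)
    fed_tok = sts_y.federate(partner_tok, "https://app.y.example", now=now)
    federated = app_y.validate(fed_tok, now)["claims"]
    def refuse(rp, token, when):
        try:
            rp.validate(token, when)
            return "accepted"
        except ValueError as err:
            return str(err)
    refused = {"partner token replayed at Y's app": refuse(app_y, partner_tok, now),
               "expired token": refuse(app_x, tok, now + 300)}
    return {"direct": direct, "federated": federated, "refused": refused}
```

`demo()` shows the three things the slides promise: the application in X receives exactly the two claims it asked for, the application in Y receives claims re-issued by its own STS with X's group already translated into Y's role, and a token from X's STS presented directly to Y's application is refused because Y's application trusts only Y's STS. Note the audience check: X's STS issued the partner token for Y's STS, so even a leaked copy cannot be replayed at another application.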
Identity Federation (1) (diagram: Organization X and Organization Y, ADFS 2.0, WIF)
Identity Federation (2) (diagram: Organization X and Organization Y, ADFS 2.0, WIF)
Delegation (diagram: ADFS 2.0, WIF application calling a second WIF application)
A Closer Look at ADFS 2.0, WIF and CardSpace 2.0
Changes in ADFS 2.0: From AD FS 1.x
AD FS 1.x supports only passive clients (i.e., browsers) using WS-Federation
ADFS 2.0:
• Supports both active and passive clients
• Supports WS-Federation, WS-Trust and the SAML 2.0 protocol
• Improves management of trust relationships by automating some exchanges
• Issues Information Cards
Windows CardSpace 2.0: Selecting identities
CardSpace 2.0 provides a consistent user interface for choosing an identity, using the metaphor of cards
Choosing a card selects an identity (i.e., a token)
Information Cards
Behind each card a user sees is an information card
It's an XML file that describes the set of claims the user may obtain from an identity provider
Information cards don't contain:
• Claim values for the identity
• Whatever is required to authenticate to the identity provider's STS
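The card-selection step described on the CardSpace 2.0 and Information Cards slides, as an added example that is not part of the original deck. It is in Python rather than CardSpace's native code; the two managed cards are constructed for the example and reduced to the elements a selector matches on, and their element names follow the Information Card schema (ic:InformationCard, ic:CardName, ic:Issuer, ic:SupportedTokenTypeList, ic:SupportedClaimTypeList) as an assumption rather than a verbatim card. The card describes which claims an issuer will assert, nothing more; consistent with CardSpace 2.0 dropping self-issued cards, only managed cards appear.

```python
"""Identity-selector logic in miniature: parse managed information cards and
keep only those able to satisfy a relying party's requirements."""
import xml.etree.ElementTree as ET

IC = "http://schemas.xmlsoap.org/ws/2005/05/identity"
WST = "http://schemas.xmlsoap.org/ws/2005/02/trust"
NS = {"ic": IC, "wst": WST}
CLAIM = IC + "/claims/"                         # prefix of the standard claim type URIs
SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML20 = "urn:oasis:names:tc:SAML:2.0:assertion"

def make_card(card_id, name, issuer, token_types, claim_names):
    """Constructed, reduced managed card using the Information Card element
    names (assumed). Note what is absent: no claim values, no credential."""
    tokens = "".join(f"<wst:TokenType>{t}</wst:TokenType>" for t in token_types)
    claims = "".join(f'<ic:SupportedClaimType Uri="{CLAIM}{c}"/>' for c in claim_names)
    return (f'<ic:InformationCard xmlns:ic="{IC}" xmlns:wst="{WST}">'
            f"<ic:InformationCardReference><ic:CardId>{card_id}</ic:CardId>"
            f"<ic:CardVersion>1</ic:CardVersion></ic:InformationCardReference>"
            f"<ic:CardName>{name}</ic:CardName><ic:Issuer>{issuer}</ic:Issuer>"
            f"<ic:SupportedTokenTypeList>{tokens}</ic:SupportedTokenTypeList>"
            f"<ic:SupportedClaimTypeList>{claims}</ic:SupportedClaimTypeList>"
            f"</ic:InformationCard>")

def parse_card(xml_text):
    """Read the fields the selector matches on."""
    root = ET.fromstring(xml_text)
    return {
        "id": root.findtext("ic:InformationCardReference/ic:CardId", namespaces=NS),
        "name": root.findtext("ic:CardName", namespaces=NS),
        "issuer": root.findtext("ic:Issuer", namespaces=NS),
        "token_types": {e.text for e in
                        root.findall("ic:SupportedTokenTypeList/wst:TokenType", NS)},
        "claims": {e.get("Uri") for e in
                   root.findall("ic:SupportedClaimTypeList/ic:SupportedClaimType", NS)},
    }

def eligible_cards(cards, required_claims, token_type, issuer=None):
    """The selector's filter: a card qualifies only if its issuer can assert
    every required claim in a token type the relying party accepts."""
    required = {CLAIM + c for c in required_claims}
    return [card["name"] for card in cards
            if (issuer is None or card["issuer"] == issuer)
            and token_type in card["token_types"]
            and required <= card["claims"]]

# Constructed card store: two managed cards from different identity providers.
CARDS = [parse_card(make_card("urn:uuid:card-0001", "Contoso Employee",
                              "https://sts.contoso.example", [SAML11],
                              ["givenname", "surname", "emailaddress"])),
         parse_card(make_card("urn:uuid:card-0002", "Woodgrove Bank",
                              "https://sts.woodgrove.example", [SAML11],
                              ["givenname", "privatepersonalidentifier"]))]
```

A relying party that requires a given name and an e-mail address in a SAML 1.1 token gets only the Contoso card offered; one that requires only a given name sees both; one that insists on SAML 2.0 sees neither. The actual claim values are never in the card: the selector only learns them when it presents the chosen card's credential to the issuer's STS and receives a token.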
Information Cards: An illustration (diagram)
Creating Industry Agreement
The Information Card Foundation is a multi-vendor group dedicated to making this technology successful
Its board members include Google, Microsoft, Novell, Oracle, and PayPal
A Web site can display a standard icon to indicate that it accepts card-based logins
Changes in CardSpace 2.0: From the first CardSpace release
• CardSpace 2.0 is a complete rewrite in native code: smaller and faster
• CardSpace 2.0 contains optimizations for applications that users visit repeatedly: a Web site can display the card you last used to log in to the site, so the CardSpace 2.0 prompt needn't appear
• Self-issued cards have been dropped
Windows Identity Foundation
The goal: make it easier for developers to create claims-aware applications
Originally known as "Zermatt"; current Beta 2 under the codename "Geneva" Framework
WIF provides:
• Protocol & token handling
• Classes for working with claims
• Tooling & Visual Studio integration
• Support for creating a custom STS
• More
Conclusions
Changing how applications (and people) work with identity is not a small thing
Widespread adoption of claims-based identity will take time
Yet all of the pieces required to make claims-based identity real on Windows are coming:
• ADFS 2.0
• Windows CardSpace 2.0
• Windows Identity Foundation
References
• Introducing "Geneva": An Overview of the "Geneva" Server, CardSpace "Geneva", and the "Geneva" Framework [Link]
• Keith Brown's "Geneva" Framework White Paper for Developers [Link]
• Entry page on Microsoft.com: http://www.microsoft.com/forefront/geneva/en/us/
• MSDN Forums: http://social.msdn.microsoft.com/Forums/en-US/Geneva/threads/
• Videos: http://channel9.msdn.com/identity/
• Blogs: http://blogs.msdn.com/card and http://blogs.msdn.com/vbertocci/
Question & Answer
Resources
• www.microsoft.com/teched: Sessions On-Demand & Community
• http://microsoft.com/technet: Resources for IT Professionals
• http://microsoft.com/msdn: Resources for Developers
• www.microsoft.com/learning: Microsoft Certification & Training Resources
Related Content: Breakout Sessions
• SEC305 Developing identity-aware & more secure applications: using Microsoft Windows Identity Foundation for fun and profit
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.