Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity


Description

Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity. Mike Jones, Microsoft and Dale Olds, Novell. Who are you? Question central to enabling you to do things you're entitled to do, preventing you from doing things you're not. True in both physical world,

Transcript of Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

Page 1: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

Who are you?

From Directories and Identity Silos to

Ubiquitous User-Centric Identity

Mike Jones, Microsoft and Dale Olds, Novell

Page 2: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

Who are you?

Question central to:
enabling you to do things you're entitled to do,
preventing you from doing things you're not.

True in both:
physical world,
online world.

Page 3: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

Who are you (online)?

Past, present, and future:
from directories,
to identity silos,
to ubiquitous, interoperable, user-centric digital identity.

Page 4: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

The Bad Old Days

Username/password per application

But that's preposterous and inconvenient!

Page 5: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

The Bad Old Present

Username/password per web site

But that's preposterous and inconvenient!

Page 6: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

Enter Directory Services

Identity attributes for users in a central repository
Allows multiple applications within a domain to share identities
Attributes can be retrieved by applications
Examples:
LDAP implementations
Novell eDirectory
Microsoft Active Directory

Page 7: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

Directory Services Advantages

Applications within the domain can use the same identity attributes
Allows enterprise single-sign-on within participating applications
Some directory interoperation via LDAP, virtual directories, meta-directories
And, recently shown at Monday's keynote, federation

Page 8: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

Directory Services Disadvantages

Several incompatible protocols – silos
Applications know which directory they use
Identities only usable within a single domain
Disjoint and overlapping domains are inevitable as organizations evolve

Page 9: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

Directory Services, Meta and Virtual Directories

Very useful systems which solve some of the silo problems of overlapping identity domains
Accessed as a central repository of identity data by many other services
Services and revisions of services accumulate over time
Control of repository schema and updates becomes political
The central repository tends to become an immovable political mass

Page 10: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

Identity Silos

In the Web and within the enterprise, disjoint identity domains are common
Username/password per site
X.509, Kerberos, SAML have not helped
Each with its own protocol
Each operates only within its own silo

Page 11: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

Enter Federation

Enables use of identities at other sites

Advantages
Extends login identities to other trust domains
Standards-based interoperation

Disadvantages
Requires establishing explicit trust relationships
No user choice of which identity to employ relative to each domain

Examples
SAML based federation
WS-Federation based federation
OpenID

Page 12: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

What is a Digital Identity?

Set of claims one subject makes about another
Many identities for many uses
Required for transactions in real world and online
Model on which all modern access technology is based

Page 13: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

The Laws of Identity

Established through Industry Dialog

1. User control and consent
2. Minimal disclosure for a defined use
3. Justifiable parties
4. Directional identity
5. Pluralism of operators and technologies
6. Human integration
7. Consistent experience across contexts

Join the discussion at www.identityblog.com

Page 14: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

Identity Metasystem

We need a unifying “Identity Metasystem”

Protect applications from identity complexities
Allow digital identity to be loosely coupled: multiple operators, technologies, and implementations

Not first time we've seen this in computing

Emergence of TCP/IP unified Ethernet, Token Ring, Frame Relay, X.25, even the not-yet-invented wireless protocols

Page 15: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

Enter User-Centric Identity

Enables people to choose which of their identities to use at which sites

Analogously to how they choose which card to pull out of their wallet in different circumstances

Used through Information Card metaphor

Visual cards represent different identities

Benefits
People in control of their identity interactions
Easy to use – no passwords to remember!
Strong crypto – instead of shared secrets
Phishing-resistant

Page 16: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

Identity Roles

Relying Parties
Require identities

Subjects
Individuals and other entities about whom claims are made

Identity Providers
Issue identities

Page 17: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

Information Cards

Self-issued
Contains self-asserted claims about me
Stored locally
Effective replacement for username/password
Eliminates shared secrets
Easier than passwords

Managed
Provided by banks, stores, government, clubs, etc.
Cards contain metadata only!
Claims stored at Identity Provider and sent only when card submitted

Page 18: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

CardSpace Experience

Page 19: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

Information Card Properties

Cards are references to identity providers
Cards have:
Address of identity provider
Names of claims
Required credential
Not claim values

Information Card data not visible to applications
Stored in files encrypted under system key
User interface runs on separate desktop

Self-issued information cards
Stores name, address, email, telephone, age, gender
No high value information
Effective replacement for username/password

Page 20: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

Open Identity Architecture

Microsoft worked with industry to develop protocols that enable an identity metasystem: WS-* Web Services

Encapsulating protocol and claims transformation: WS-Trust
Negotiation: WS-MetadataExchange and WS-SecurityPolicy

Technology specifically designed to satisfy requirements of an Identity Metasystem

Page 21: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

Not just a Microsoft thing…

Based entirely on open protocols

Identity requires cooperation – and you're seeing it today!
Interoperable software being built by
Novell, IBM, Sun, Ping, BMC, VeriSign, …
For UNIX/Linux, MacOS, mobile devices, …

With browser support under way for
Firefox, Safari, …

Unprecedented things happening
Microsoft part of JavaOne opening keynote
Microsoft sponsoring BrainShare

Page 22: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

LINUX Journal Sep '05 Cover

By Doc Searls
Linux Journal Editor
Author of the “cluetrain manifesto”

Introducing “The Identity Metasystem”

Page 23: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

WIRED Magazine - Mar '06

By Lawrence Lessig
Influential Internet & Public Policy Lawyer
Special Master in antitrust case against Microsoft

Quotation:

Page 24: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

Microsoft Open Specification Promise (OSP)

Perpetual legal promise that Microsoft will never bring legal action against anyone for using the protocols listed

Includes all the protocols underlying CardSpace

Issued September 2006

http://www.microsoft.com/interop/osp/

Page 25: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

For More Information

http://cardspace.netfx3.com/
http://www.bandit-project.org/

Mike Jones – [email protected]
Dale Olds – [email protected]

Page 26: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

(Backup Slides)

Page 27: Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity

Protocol Drill Down

Participants: User, Client, Identity Provider (IP), Relying Party (RP)

1. Client wants to access a resource
2. RP provides identity requirements
3. Which IPs can satisfy requirements?
4. User selects an IP
5. Request security token
6. Return security token based on RP's requirements
7. User approves release of token
8. Token released to RP
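As an added illustration (not code from this talk, from CardSpace, or from either speaker's project), the Python below models the eight-step flow above together with the card structure from the "Information Card Properties" slide: a card holds the identity provider's address, the names of claims it can issue and the required credential, but no claim values; the RP's policy drives which cards qualify (step 3); the IP issues a token carrying only the requested claims (minimal disclosure), bound to the RP's address; the user approves release; and the RP verifies issuer, signature, audience and expiry before accepting. The HMAC-signed JSON token, the IP keys, the addresses and the user data are all constructed assumptions standing in for real WS-Trust security tokens.

```python
"""Toy model of the Protocol Drill Down flow (steps 1-8).  Added example,
not CardSpace code: tokens here are JSON bodies signed with HMAC-SHA256
under keys constructed for the example, not WS-Trust security tokens."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Constructed example keys, one per identity provider (assumption).
IP_KEYS = {
    "https://bank.example/sts": b"constructed-bank-key",
    "self-issued": b"constructed-self-issued-key",
}


@dataclass(frozen=True)
class InformationCard:
    """A card references an identity provider: its address, the names of the
    claims it can issue and the credential needed.  Never claim values."""
    name: str
    ip_address: str
    claim_names: frozenset
    required_credential: str


@dataclass(frozen=True)
class RelyingPartyPolicy:
    """Step 2: the RP states who it is and which claims it requires."""
    rp_address: str
    required_claims: frozenset


# Constructed user data: one self-issued card and one managed (bank) card,
# plus what each IP holds about the user (kept at the IP, not in the card).
CARDS = [
    InformationCard("Self-issued card", "self-issued",
                    frozenset({"name", "email", "telephone"}), "none"),
    InformationCard("Bank card", "https://bank.example/sts",
                    frozenset({"name", "email", "account_verified"}), "password"),
]
CLAIM_STORE = {
    "self-issued": {"name": "Alice Example", "email": "alice@example.test",
                    "telephone": "+1-555-0100"},
    "https://bank.example/sts": {"name": "Alice Example",
                                 "email": "alice@example.test",
                                 "account_verified": "true",
                                 "account_number": "CONSTRUCTED-0001"},
}


def select_cards(cards, policy):
    """Step 3: which cards (IPs) can satisfy the RP's required claims?"""
    return [c for c in cards if policy.required_claims <= c.claim_names]


def issue_token(card, policy, claim_store, now=None):
    """Steps 5-6: the IP returns a short-lived token holding only the
    requested claims (minimal disclosure), bound to the RP's address."""
    now = int(time.time()) if now is None else now
    claims = {k: v for k, v in claim_store[card.ip_address].items()
              if k in policy.required_claims}
    payload = {"iss": card.ip_address, "aud": policy.rp_address,
               "exp": now + 300, "claims": claims}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(IP_KEYS[card.ip_address], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def user_approves(token, policy):
    """Step 7: the user sees which claims are about to go to which RP."""
    payload = json.loads(token["body"])
    print(f"Release to {policy.rp_address}: {sorted(payload['claims'])}")
    return True


def verify_token(token, expected_rp, now=None):
    """Step 8: the RP checks issuer key, signature, audience and expiry.
    Returns the claims on success, None on any failure."""
    now = int(time.time()) if now is None else now
    payload = json.loads(token["body"])
    key = IP_KEYS.get(payload.get("iss"))
    if key is None:
        return None
    expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None
    if payload.get("aud") != expected_rp or payload.get("exp", 0) <= now:
        return None
    return payload["claims"]


def run_flow(policy, cards=CARDS, claim_store=CLAIM_STORE, choice=0):
    """Steps 1-8 end to end; `choice` stands in for the user's card pick."""
    candidates = select_cards(cards, policy)          # step 3
    if not candidates:
        return None
    card = candidates[choice]                         # step 4
    token = issue_token(card, policy, claim_store)    # steps 5-6
    if not user_approves(token, policy):              # step 7
        return None
    return verify_token(token, policy.rp_address)     # step 8
```

Two properties of the slides show up directly in the checks: the bank's `account_number` is held at the IP and never leaves it because the RP did not ask for it, and a token issued for one RP is rejected by another because the audience is bound at issuance, which is the direction in which the deck's "phishing-resistant" claim operates.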