Identity: Windows CardSpace "Geneva" Under the Hood Rich Randall Development Lead Microsoft Corporation BB44
Page 1: Rich Randall Development Lead Microsoft Corporation BB44.

Identity: Windows CardSpace "Geneva" Under the Hood

Rich Randall, Development Lead, Microsoft Corporation

BB44


What Will Be Covered

Overview of claims-based access
What's new in CardSpace
Protocol and architecture
Why CardSpace
Future plans

What Is CardSpace

The claims-based access client
Protocol client: application inputs policy, gets back a token
User interface: relationships manifested as information cards; personas; credential collection interface

Claims-Based Access Model

Claim: a statement by one party about another party; may be an identifier or a characteristic
Security token: a signed document containing claims, produced by a Security Token Service (STS)
Identity Metasystem: protocols and architecture for exchanging claims
Claims-aware application: claims are delivered when the user accesses the app
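The relying-party side of this model, as an added example in Python (not code from the deck or from "Geneva"): the claims-aware application receives a SAML 1.0 assertion produced by the STS and must check the issuer, the validity window and the audience before treating its attributes as claims about the user. The STS URL, audience URL, assertion values and timestamps are constructed for the example; decryption of the token and verification of its XML signature against the STS certificate are assumed to have happened in an earlier step and are not shown here.

```python
"""Claims-aware application consuming a SAML 1.0 security token.

Added example, not code from the PDC deck or from "Geneva". It assumes the
token has already been decrypted and its XML signature verified against the
STS certificate (upstream, not shown). What remains is what every claims-aware
app must still do: check issuer, validity window and audience, then turn the
assertion's attributes into claims.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
CLAIM_NAME = CLAIMS_NS + "/name"
CLAIM_PPID = CLAIMS_NS + "/privatepersonalidentifier"
CLAIM_EMAIL = CLAIMS_NS + "/emailaddress"

# Hypothetical STS and relying party used by the sample token below.
STS_ISSUER = "http://contoso.com/issue"
RP_AUDIENCE = "https://www.fabrikam.example/TokenProcessingPage.aspx"

# Constructed sample token (values are made up; the Signature element is omitted
# because signature verification is assumed to be done before this step).
SAMPLE_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1"
    AssertionID="_a1b2c3" Issuer="{STS_ISSUER}" IssueInstant="2008-10-27T16:00:00Z">
  <saml:Conditions NotBefore="2008-10-27T16:00:00Z" NotOnOrAfter="2008-10-27T16:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>{RP_AUDIENCE}</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="name" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>Alice Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="{CLAIMS_NS}">
      <saml:AttributeValue>8pXq2mR7vK0Z</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Clock values for the sample: inside the window, and exactly at NotOnOrAfter.
SAMPLE_NOW = datetime(2008, 10, 27, 16, 2, 0, tzinfo=timezone.utc)
SAMPLE_LATE = datetime(2008, 10, 27, 16, 5, 0, tzinfo=timezone.utc)


class TokenRejected(Exception):
    """The token must not be used to establish the user's identity."""


def _utc(value):
    if not value:
        raise TokenRejected("Conditions lack NotBefore/NotOnOrAfter")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def claims_from_token(token_xml, expected_issuer, audience, required_claims, now=None):
    """Validate the assertion and return {claim URI: [values]}."""
    now = now or datetime.now(timezone.utc)
    ns = {"saml": SAML1}
    root = ET.fromstring(token_xml)
    if root.tag != f"{{{SAML1}}}Assertion":
        raise TokenRejected("not a SAML 1.x assertion")
    # The issuer must be the STS named in the policy, not merely any signer.
    if root.get("Issuer") != expected_issuer:
        raise TokenRejected(f"unexpected issuer {root.get('Issuer')!r}")
    cond = root.find("saml:Conditions", ns)
    if cond is None:
        raise TokenRejected("assertion carries no Conditions")
    if not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        raise TokenRejected("token outside its validity window")
    audiences = {a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", ns)}
    # Without an audience restriction naming this app, the same token could be
    # replayed to any other relying party that trusts the same STS.
    if audience not in audiences:
        raise TokenRejected("token not addressed to this relying party")
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", ns):
        uri = attr.get("AttributeNamespace", "").rstrip("/") + "/" + attr.get("AttributeName", "")
        claims[uri] = [v.text or "" for v in attr.findall("saml:AttributeValue", ns)]
    missing = [c for c in required_claims if c not in claims]
    if missing:
        raise TokenRejected(f"required claims missing: {missing}")
    return claims


def accepts(token_xml, expected_issuer, audience, required_claims, now):
    """True if the token would be accepted under these checks."""
    try:
        claims_from_token(token_xml, expected_issuer, audience, required_claims, now)
        return True
    except TokenRejected:
        return False


if __name__ == "__main__":
    print(claims_from_token(SAMPLE_TOKEN, STS_ISSUER, RP_AUDIENCE,
                            [CLAIM_NAME, CLAIM_PPID], now=SAMPLE_NOW))
```

The checks are deliberately strict: a token with no audience restriction is rejected rather than accepted, and a token presented exactly at its NotOnOrAfter instant is already expired.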

Claims-Based Access Model (diagram)

Parties: End User with the Identity Selector Client; Security Token Service; Application Server running Your App on the Claims Framework.

1. Establish relationship using metadata (trust)
2. Read policy
3. Read policy
4. Get claims
5. Send claims

What Did V1 Teach Us

Faster, smaller, lighter


Demo

At The Center Is The Information Card

User-friendly metaphor
Token issuer reference
Issuer capabilities

Protocol Flow

Policy retrieval
Filter and selection
Token retrieval

Policy Retrieval

(diagram: Fabrikam Application and Contoso Application; Contoso STS and Fabrikam STS; Established Trust between Fabrikam and Contoso)


Filter And Selection

Token Retrieval

(diagram: Fabrikam Application and Contoso Application; Contoso STS and Fabrikam STS; Established Trust between Fabrikam and Contoso)


Add CardSpace Support

Demo

Object Tag

<html>
<form method="post" action="TokenProcessingPage.aspx">
  <!-- The CardSpace ActiveX control. The PARAMs are the relying party's policy;
       the returned token is posted with the form under the control's name. -->
  <OBJECT classid="CLSID:19916E01-B44E-4e31-94A4-4696DF46157B"
          name="CardSpaceToken"
          CODEBASE="http://microsoft.com/CSV2.exe#Version=10,10,1,12">
    <!-- The STS the token must come from -->
    <PARAM NAME="issuer" VALUE="http://contoso.com/issue">
    <!-- The token format the application can process -->
    <PARAM NAME="tokenType" VALUE="urn:oasis:names:tc:SAML:1.0:assertion">
    <!-- Whitespace-separated claim URIs the application requires -->
    <PARAM NAME="requiredClaims" VALUE="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier">
  </OBJECT>
</form>
</html>
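The filter-and-selection step of the protocol flow, as an added example in Python (not CardSpace's own code): it reads the relying party's policy from the OBJECT tag PARAMs above, keeps only the cards in a card store whose issuer, token type and supported claims can satisfy that policy, and works out which claims the selector would request from the chosen card's issuer. The card store contents, the optionalClaims PARAM (not in the slide's tag) and the rule that an omitted issuer means personal (self-issued) cards are assumptions made for this example.

```python
"""Identity selector: filter and selection against a relying party's policy.

Added example, not CardSpace code. The policy is parsed from the OBJECT tag's
PARAMs; the card store and the optionalClaims PARAM are constructed for the
example.
"""
from dataclasses import dataclass
from html.parser import HTMLParser

CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
# Issuer URI used for personal (self-issued) cards.
SELF_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"

# Copy of the slide's object tag with ASCII quotes, plus an optionalClaims PARAM
# added for this example.
OBJECT_TAG = """<html><form method="post" action="TokenProcessingPage.aspx">
<OBJECT classid="CLSID:19916E01-B44E-4e31-94A4-4696DF46157B" name="CardSpaceToken"
        CODEBASE="http://microsoft.com/CSV2.exe#Version=10,10,1,12">
  <PARAM NAME="issuer" VALUE="http://contoso.com/issue">
  <PARAM NAME="tokenType" VALUE="urn:oasis:names:tc:SAML:1.0:assertion">
  <PARAM NAME="requiredClaims" VALUE="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier">
  <PARAM NAME="optionalClaims" VALUE="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
</OBJECT></form></html>"""


@dataclass(frozen=True)
class InformationCard:
    name: str
    issuer: str                  # token issuer reference: the STS the card points at
    token_types: frozenset       # issuer capability: token formats it can produce
    supported_claims: frozenset  # issuer capability: claim URIs it can assert


def _claims(*short):
    return frozenset(CLAIMS_NS + "/" + s for s in short)


# Constructed card store.
CARD_STORE = [
    InformationCard("Real Me", SELF_ISSUER, frozenset({SAML1}),
                    _claims("name", "emailaddress", "privatepersonalidentifier")),
    InformationCard("Contoso Employee", "http://contoso.com/issue", frozenset({SAML1}),
                    _claims("name", "privatepersonalidentifier", "emailaddress")),
    InformationCard("Contoso Contractor", "http://contoso.com/issue", frozenset({SAML1}),
                    _claims("name")),  # cannot supply the required PPID claim
    InformationCard("Fabrikam Partner", "http://fabrikam.com/sts", frozenset({SAML1}),
                    _claims("name", "privatepersonalidentifier")),
]


class _ParamReader(HTMLParser):
    """Collects <PARAM NAME=... VALUE=...> pairs found inside the <OBJECT>."""

    def __init__(self):
        super().__init__()
        self.params = {}
        self._in_object = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names, not values
        if tag == "object":
            self._in_object = True
        elif tag == "param" and self._in_object:
            self.params[a.get("name", "")] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "object":
            self._in_object = False


def parse_policy(html):
    """Relying party policy carried by the object tag. Claim lists are
    whitespace-separated URIs. An omitted issuer is taken to mean personal
    cards (an assumption made for this example)."""
    reader = _ParamReader()
    reader.feed(html)
    p = reader.params
    return {
        "issuer": p.get("issuer", "").strip() or SELF_ISSUER,
        "token_type": p.get("tokenType", "").strip(),
        "required": frozenset(p.get("requiredClaims", "").split()),
        "optional": frozenset(p.get("optionalClaims", "").split()),
    }


def filter_cards(cards, policy):
    """Cards that can satisfy the policy: the named issuer, a token type the
    app accepts, and every required claim among the issuer's capabilities."""
    return [c for c in cards
            if c.issuer == policy["issuer"]
            and (not policy["token_type"] or policy["token_type"] in c.token_types)
            and policy["required"] <= c.supported_claims]


def claims_to_request(card, policy):
    """What the selector asks the issuer for once the user picks a card: all
    required claims plus the optional ones this card can supply, nothing more."""
    return policy["required"] | (policy["optional"] & card.supported_claims)


if __name__ == "__main__":
    policy = parse_policy(OBJECT_TAG)
    for card in filter_cards(CARD_STORE, policy):
        print(card.name, sorted(claims_to_request(card, policy)))
```

Run against the slide's policy, only "Contoso Employee" survives: the self-issued card and the Fabrikam card fail the issuer check, and the contractor card cannot assert the private personal identifier. The claims request is bounded by the policy, so an issuer is never asked for claims the site did not declare.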

CardSpace "Geneva" Architecture (diagram)

Internet Explorer 7+: ObjectTagExtension (ActiveX Control); Native Client API (infocardapi2.dll); GetToken() [native]
Managed Application: App code; Managed Wrapper Class ?; IdentitySelector.GetToken(); Native Client API (infocardapi2.dll); GetToken() [native]
Federated Identity Client Service: Identity Manager; Card Store; ClientSTS; LocalStore; SapphireWin32; WS-Trust and WS-Mex Client; Federation Manager
Control Panel: Card and Ledger Management
Credential Provider

Why You Want CardSpace

Home realm discovery
Personas and other card tricks
Credential agility

Home Realm Discovery

(diagram: App User; Federated App; PDC Exhibitor and Game World; Policy; Claim: Email)

Persona Selection

(diagram: Claims Aware App; "Geneva" Identity Server with Claims Store; Claim: Admin; Claim: User)

Credential Agility

App does not handle credentials
CardSpace handles credential collection
STS handles credential validation
Credential type can vary without affecting the app


In The Future

Windows Integration (SSP)

(diagram: SharePoint Client with IE, WinInet, Credential Provider, CardSpace Service, and LSASS hosting FedSSP; SharePoint Server with IIS, SharePoint, and LSASS hosting FedSSP; XML Token to Windows Token Translator)


Windows SSP Integration

Demo

U-Prove: "Minimal Disclosure Tokens"

Cryptographic technology for strong authentication with enhanced privacy characteristics
Tokens that cannot be correlated. Like coins: you know the issuer (central bank), they can't be forged, and you can't tell two apart
Tokens can be obtained in advance for "offline" presentation; single-use tokens
Users can prove properties of claims without disclosing the claims
    Derived claim: over-21 proof instead of disclosing DoB
    Prove a claim is not equal to a certain value: my name is not on the deny list


Roaming

Cloud and Device Roaming

Wireframe: Connect to Store

Windows Security dialog, "Login": Choose a card to submit. The card will be used to authenticate to <computer>.
SanDisk USB drive (E:). Password: enter password to unlock your cards. Remember this location.
Find your other cards: click here to select and connect to a web service that holds your cards.
Buttons: OK, Cancel

Wireframe: Select Roamed Card

www.aaa.com: Website requests a personal card
Windows Security dialog, "Login": Choose a card to submit. The card will be used to authenticate to <computer>.
Real Me (Personal card; card location: SanDisk USB drive (E:))
Funny Me (Personal card; card location: SanDisk USB drive (E:))
This card was previously used at www.aaa.com
Find your other cards: click here to select and connect to a web service that holds your cards.
Buttons: OK, Cancel

Other Future Directions

Windows secure desktop
Even smoother installation
Admin policy for card use
Richer policy alternatives

"Geneva" Schedule

Beta 1: October 2008
Beta 2: 1st half 2009
RTM: 2nd half 2009

Details

"Geneva" components are Windows components
Supported platforms: Beta: Windows Server 2008, Windows Vista; RTM: to be determined
See us in the Lounge, Pavilion, and Hands On Lab
Learn about the Technology Adoption Partner program

Identity @ PDC

Software
    (BB42) Identity: "Geneva" Server and Framework Overview
    (BB43) Identity: "Geneva" Deep Dive
    (BB44) Identity: Windows CardSpace "Geneva" Under the Hood
Services
    (BB22) Identity: Live Identity Services Drilldown
    (BB29) Identity: Connecting Active Directory to Microsoft Services
    (BB28) .NET Services: Access Control Service Drilldown
    (BB55) .NET Services: Access Control In the Cloud

Evals & Recordings

Please fill out your evaluation for this session at:
This session will be available as a recording at: www.microsoftpdc.com


Please use the microphones provided

Q&A

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
