Posted: 01-Apr-2015 | Category: Documents | Uploaded by: dania-ammon
Identity: Windows CardSpace "Geneva" Under the Hood
Rich Randall, Development Lead, Microsoft Corporation
Session BB44
What Will Be Covered
- Overview of claims-based access
- What's new in CardSpace
- Protocol and architecture
- Why CardSpace
- Future plans
What Is CardSpace
CardSpace is the claims-based access client.
- Protocol client: the application inputs policy and gets back a token
- User interface: relationships manifested as information cards; personas; credential collection interface
Claims-Based Access Model
- Claim: a statement by one party about another party; it may be an identifier or a characteristic
- Security token: a signed document containing claims, produced by a Security Token Service (STS)
- Identity Metasystem: protocols and architecture for exchanging claims
- Claims-aware application: claims are delivered when the user accesses the app
Claims-Based Access Model (diagram)
Parties: End User with the Identity Selector Client; Application Server running Your App on the Claims Framework; Security Token Service. The app and the STS share an established trust.
1. Establish relationship using metadata
2. Read policy
3. Read policy
4. Get claims
5. Send claims
What Did V1 Teach Us
Faster, smaller, lighter
Demo
At The Center Is The Information Card
- User-friendly metaphor
- Token issuer reference
- Issuer capabilities
Protocol Flow
- Policy retrieval
- Filter and selection
- Token retrieval
Policy Retrieval (diagram): Contoso Application and Fabrikam Application; Contoso STS and Fabrikam STS; established trust shown between application and STS.
Filter And Selection (diagram)
Token Retrieval (diagram): Contoso Application and Fabrikam Application; Contoso STS and Fabrikam STS; established trust shown between application and STS.
Add CardSpace Support
Demo
Object Tag
    <html>
    <form method="post" action="TokenProcessingPage.aspx">
      <OBJECT classid="CLSID:19916E01-B44E-4e31-94A4-4696DF46157B" name="CardSpaceToken"
              CODEBASE="http://microsoft.com/CSV2.exe#Version=10,10,1,12">
        <PARAM NAME="issuer" VALUE="http://contoso.com/issue">
        <PARAM NAME="tokenType" VALUE="urn:oasis:names:tc:SAML:1.0:assertion">
        <PARAM NAME="requiredClaims" VALUE="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier">
      </OBJECT>
    </form>
    </html>
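The policy that the object tag above publishes, the selector's filter-and-selection step over the user's information cards, token retrieval from the selected card's STS, and the relying party's check of the returned token, as an added Python example written for this page; it is an illustration of the slides' protocol flow, not CardSpace or "Geneva" code. The object tag text is the one above; the two cards, the Contoso STS behaviour, the extra emailaddress claim on the Contoso card and the Fabrikam issuer URL are constructed, and token signing and signature verification are not modelled.

```python
"""Simplified model of the CardSpace flow: policy retrieval, filter and
selection, token retrieval, relying-party check. Added illustration, not
CardSpace/Geneva code; cards and STS behaviour below are constructed."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
SAML10 = "urn:oasis:names:tc:SAML:1.0:assertion"


@dataclass(frozen=True)
class Policy:
    issuer: Optional[str]              # None: relying party accepts any issuer
    token_type: str
    required_claims: FrozenSet[str]


@dataclass(frozen=True)
class InformationCard:
    name: str
    issuer: str                        # token issuer reference
    supported_claims: FrozenSet[str]   # issuer capabilities
    token_types: FrozenSet[str]


@dataclass(frozen=True)
class SecurityToken:
    issuer: str
    token_type: str
    claims: Dict[str, str]             # claim type URI -> value (no signature modelled)


def parse_object_tag_policy(html: str) -> Policy:
    """Policy retrieval: read the PARAM elements of the CardSpace object tag."""
    params = {m.group(1).lower(): m.group(2) for m in
              re.finditer(r'<PARAM\s+NAME="([^"]+)"\s+VALUE="([^"]*)"', html, re.I)}
    required = frozenset(params.get("requiredclaims", "").split())
    if not required:
        raise ValueError("policy names no required claims")
    return Policy(params.get("issuer"), params.get("tokentype", SAML10), required)


def filter_cards(cards: List[InformationCard], policy: Policy) -> List[InformationCard]:
    """Filter and selection: keep cards whose issuer and capabilities satisfy the policy."""
    return [c for c in cards
            if (policy.issuer is None or c.issuer == policy.issuer)
            and policy.token_type in c.token_types
            and policy.required_claims <= c.supported_claims]


def request_token(card: InformationCard, policy: Policy,
                  sts: Dict[str, Callable[[InformationCard], Dict[str, str]]]) -> SecurityToken:
    """Token retrieval: ask the card's STS for the required claims and release nothing more."""
    issued = sts[card.issuer](card)
    claims = {t: v for t, v in issued.items() if t in policy.required_claims}
    return SecurityToken(card.issuer, policy.token_type, claims)


def validate_token(token: SecurityToken, policy: Policy,
                   trusted_issuers: FrozenSet[str]) -> Tuple[bool, str]:
    """Relying party check: trusted issuer, expected token type, every required claim present."""
    if token.issuer not in trusted_issuers:
        return False, "issuer not trusted"
    if policy.issuer is not None and token.issuer != policy.issuer:
        return False, "token issuer differs from policy issuer"
    if token.token_type != policy.token_type:
        return False, "unexpected token type"
    missing = policy.required_claims - set(token.claims)
    if missing:
        return False, "missing claims: " + " ".join(sorted(missing))
    return True, "ok"


# The object tag from the slide (PARAM elements only), used as the policy source.
OBJECT_TAG = """<OBJECT classid="CLSID:19916E01-B44E-4e31-94A4-4696DF46157B" name="CardSpaceToken">
  <PARAM NAME="issuer" VALUE="http://contoso.com/issue" >
  <PARAM NAME="tokenType" VALUE="urn:oasis:names:tc:SAML:1.0:assertion" >
  <PARAM NAME="requiredClaims" VALUE=" http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier " >
</OBJECT>"""

# Constructed cards: only the Contoso card can satisfy the Contoso policy.
CARDS = [
    InformationCard("Contoso employee card", "http://contoso.com/issue",
                    frozenset({CLAIMS_NS + "name", CLAIMS_NS + "privatepersonalidentifier",
                               CLAIMS_NS + "emailaddress"}), frozenset({SAML10})),
    InformationCard("Fabrikam partner card", "http://fabrikam.example/issue",  # constructed issuer
                    frozenset({CLAIMS_NS + "name"}), frozenset({SAML10})),
]


def contoso_sts(card: InformationCard) -> Dict[str, str]:
    """Constructed STS: everything Contoso could assert about this card's user."""
    return {CLAIMS_NS + "name": "Alice Example",
            CLAIMS_NS + "privatepersonalidentifier": "ppid-constructed-0001",
            CLAIMS_NS + "emailaddress": "alice@contoso.example"}


STS_DIRECTORY = {"http://contoso.com/issue": contoso_sts}
TRUSTED = frozenset({"http://contoso.com/issue"})   # established trust at the relying party


def run_flow(html: str = OBJECT_TAG, cards: List[InformationCard] = CARDS):
    """Run all four steps; returns (policy, candidate cards, token, verdict)."""
    policy = parse_object_tag_policy(html)
    candidates = filter_cards(cards, policy)
    if not candidates:
        return policy, candidates, None, (False, "no card satisfies the policy")
    token = request_token(candidates[0], policy, STS_DIRECTORY)
    return policy, candidates, token, validate_token(token, policy, TRUSTED)


if __name__ == "__main__":
    policy, candidates, token, verdict = run_flow()
    print([c.name for c in candidates], sorted(token.claims), verdict)
```

The point the code makes beyond the slides' bullet list is the data-minimisation boundary: the STS may know more about the user than the policy asks for, but `request_token` releases only the required claims, and `validate_token` on the relying party side rejects a token that is missing any of them or that comes from an issuer outside the established trust.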
CardSpace "Geneva" Architecture (diagram)
- Internet Explorer 7+: ObjectTagExtension (ActiveX Control) calls GetToken() [native] in the Native Client API (infocardapi2.dll)
- Managed Application: app code calls IdentitySelector.GetToken() through a Managed Wrapper Class (?), which calls GetToken() [native] in the Native Client API (infocardapi2.dll)
- Federated Identity Client Service: Identity Manager; Card Store (ClientSTS, LocalStore); SapphireWin32; WS-Trust and WS-Mex Client
- Control Panel: Card and Ledger Management; Federation Manager
- Credential Provider
Why You Want CardSpace
- Home realm discovery
- Personas and other card tricks
- Credential agility
Home Realm Discovery (diagram): App User, Federated App, PDC Exhibitor, Game World; Policy; Claim: Email
Persona Selection (diagram): Geneva Identity Server with a Claims Store holding Claim: Admin and Claim: User; the Claims Aware App receives Claim: Admin
Credential Agility
- The app does not handle credentials
- CardSpace handles credential collection
- The STS handles credential validation
- The credential type can vary without affecting the app
In The Future
Windows SSP Integration (diagram): Sharepoint Client (IE, WinInet, Credential Provider, CardSpace Service, LSASS with FedSSP) and Sharepoint Server (IIS, Sharepoint, LSASS with FedSSP); XML Token to Windows Token Translator
Demo
U-Prove: "Minimal Disclosure Tokens"
- Cryptographic technology for strong authentication with enhanced privacy characteristics
- Tokens that cannot be correlated. Like coins: you know the issuer (central bank), can't forge them, and can't tell two apart
- Tokens can be obtained in advance for "offline" presentation; single-use tokens
- Users can prove properties of claims without disclosing the claims: a derived claim (over-21 proof instead of disclosing DoB); proving a claim is not equal to a certain value (my name is not on the deny list)
Roaming
Cloud and Device Roaming
Wireframe – Connect to Store: Windows Security login dialog, "Choose a card to submit. The card will be used to authenticate to <computer>"; card location SanDisk USB drive (E:); password prompt "Enter password to unlock your cards" with "Remember this location"; link "Find your other cards: Click here to select and connect to a web service that holds your cards."; OK / Cancel buttons
Wireframe – Select Roamed Card: "www.aaa.com: Website requests a personal card"; Windows Security login dialog, "Choose a card to submit. The card will be used to authenticate to <computer>"; cards "Real Me" and "Funny Me" (Card location: SanDisk USB drive (E:), Personal card); link "Find your other cards: Click here to select and connect to a web service that holds your cards."; note "This card was previously used at www.aaa.com"; OK / Cancel buttons
Other Future Directions
- Windows secure desktop
- Even smoother installation
- Admin policy for card use
- Richer policy alternatives
"Geneva" Schedule
- Beta 1: October 2008
- Beta 2: 1st half 2009
- RTM: 2nd half 2009
"Geneva" components are Windows components.
Supported platforms: Beta: Windows Server 2008, Windows Vista; RTM: To Be Determined
Identity @ PDC
See us in the Lounge, Pavilion and Hands On Lab. Learn about the Technology Adoption Partner program.
Details
Software
- (BB42) Identity: "Geneva" Server and Framework Overview
- (BB43) Identity: "Geneva" Deep Dive
- (BB44) Identity: Windows CardSpace "Geneva" Under the Hood
Services
- (BB22) Identity: Live Identity Services Drilldown
- (BB29) Identity: Connecting Active Directory to Microsoft Services
- (BB28) .NET Services: Access Control Service Drilldown
- (BB55) .NET Services: Access Control In the Cloud
Evals & Recordings
Please fill out your evaluation for this session at:
This session will be available as a recording at: www.microsoftpdc.com
Q&A
Please use the microphones provided
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.