Protecting Online Identities

Date post: 01-Jul-2015

Description:
Learn how Microsoft provides a range of identity solutions for helping developers more easily build seamless user experiences that include Federation, Authentication, UX Customization, Open Standards, Open ID and more.
Transcript

Page 1: Protecting Online Identities

Protecting Online Identities
Live Identity Services Overview
Jorgen Thelin, Senior Program Manager, Microsoft Corporation

Session: MIX09-T27F

Page 2: Protecting Online Identities

Web Developers
• Customizable identity UX
• Single Sign On
• Access to user data

ISVs
• Federation for selling their applications to organizations
• Easy on-boarding of new customers

Organizations
• Turnkey federation for adopting services (Online, Live, ISVs)
• Works with existing identity infrastructure

Page 3: Protecting Online Identities

Agenda

Web Developers
• Consuming Windows Live IDs on your site
• Accessing user data on your site

ISVs
• Consuming federated identities
• Rapid on-boarding for organizations

Page 4: Protecting Online Identities

Live ID 101

Page 5: Protecting Online Identities

Live ID - Many components

• Identities: Authentication of users, applications, devices
• Strong Authentication: Investing in 2FA such as Smartcard, StartKey
• Attacker Resistant: User / IP reputation, account abuse prevention
• UI Customization: Live ID is fully customizable
• Data Portability: Delegated auth (user permission to access data)
• OpenID: Embracing Open Standards
• Federated Authentication: Compatible with Microsoft Federation Gateway

Page 6: Protecting Online Identities

Live Identity Services

Principal Types (Principal / Acting for Self / Acting for User)

• User: User auth (Client or Web)
• Application: App auth (AppID) / Delegation (Good) vs. Impersonation (BAD! The Password Anti-Pattern!)
• Device: DeviceID / Linked DeviceID

Credential Types
• [Strong] Password, PIN
• eID / Smart card
• CardSpace
• Policy-driven control

Types of Live ID Users (type of identity)
• Live Mail / Hotmail accounts
• EASI (“E-mail As Sign-In”)
• Managed domains
• Federated domains

Page 7: Protecting Online Identities

Integrating Live ID into your application

Page 8: Protecting Online Identities

Consume identities & SSO
• Web Authentication
• Client SDK
• Preview: Open ID

Accessing user data
• Delegated Auth SDK

Page 9: Protecting Online Identities

Options for Consuming User Identities

Be-your-own Identity Provider

Link with external Identity Provider

Identity aggregator service

Protocol-level integration

Page 10: Protecting Online Identities

Live ID Web Authentication

demo

Page 11: Protecting Online Identities

WebAuth Sign-in Control (Cross-platform HTML – URL decoded for readability)

    <iframe id="WebAuthControl"
        src="http://login.live.com/controls/WebAuth.htm?appid=<%=AppId%>
             &context=welcomepage
             &style=font-size=10pt;+font-family=verdana;+font-style=normal;+font-weight=bold;+background=white;+color=black;"
        width="80px" height="20px">
    </iframe>

Existing: WebAuth.htm
New: WebAuthLogo.htm
New: WebAuthButton.htm

Page 12: Protecting Online Identities

How Web Authentication works

[Diagram: End User w/ web browser, Relying Party Web Site (e.g., Contoso.com) and Live ID WebAuth service, with the exchange shown as steps 1 to 5]

Live ID Web Authentication SDK Docs: http://go.microsoft.com/fwlink/?LinkID=91762

Page 13: Protecting Online Identities

What about the User Experience?

Page 14: Protecting Online Identities

Customizing the Identity Experience

Recognizable & not jarring

Sign-in Sign-up Consent

Page 15: Protecting Online Identities

Sign-in Screen Customizable Contents
Elements that can be customized:
• Partner logo
• Task statement (task integration statement)
• Product description
• Sign-up section
• Header background

Customizable Theme
Elements cannot change; customize look & feel:
• Font color
• Background color
• Button color
• User tile color
• Live ID description color

Page 16: Protecting Online Identities

Sign-in / Sign-up UX Customization

demo

Page 17: Protecting Online Identities

Another Example – LiveWIM.com

Page 18: Protecting Online Identities

Identity Aggregators
Example: JanRain's RPX service

UI component for multiple Identity Providers

Page 19: Protecting Online Identities

Embracing Open Standards

Live ID Open ID Provider

Page 20: Protecting Online Identities

Microsoft is becoming an OpenID Provider (OP)

Try the Live ID – OpenID Provider CTP Now

1. Set up a Live ID INT account: https://login.Live-INT.com/
2. Set up OpenID alias: https://OpenID.Live-INT.com/beta/ManageOpenID.srf
3. Use OpenID 2.0 login URI: OpenID.Live-INT.com
4. Send feedback: [email protected]

>> Production release of Live ID – OpenID Provider later this year

Page 21: Protecting Online Identities

Consume identities & SSO
• Web Authentication
• Client SDK
• Preview: Open ID

Accessing user data
• Delegated Auth SDK

Page 22: Protecting Online Identities

Enabling data portability

Live ID Delegated Authentication

demo

Page 23: Protecting Online Identities

Delegated Auth Protocol Overview

[Diagram: Application Provider (web site), Live ID Delegation Service, Resource Provider (e.g., Windows Live Contacts), Consent UI (consent.live.com) and End User with browser]

• “Granting Consent” phase (user must be online)
• “Using Consent” phase (user can be offline)

Page 24: Protecting Online Identities

Requesting Delegated Auth Consent

    https://consent.live.com/delegation.aspx
        ?ru=http://mydomain.myapp.com/ReturnURL.aspx
        &ps=Contacts.View,Contacts.Update
        &pl=http://mydomain.myapp.com/PrivacyPolicy.htm
        &ttype=1
        &mkt=en-US
        &app=appid%3d10000%26ts%3d1193445084%26ip%3d157.56.190.178%26sig%3d7HgcsIEheEVO30BuPAEJhJeB8Pz0xHBV%252f%252bQD27AOdmI%253d
        &appctx=welcomepage

Don’t panic! The SDK libraries handle all this for you!

Application Verifier token (the app parameter): AppID, Timestamp, Client IP, SHA256 signature
ttype: 1 = Compact token, 2 = SAML token
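As an added illustration (not code from the deck or the Live ID SDK), the following Python builds and checks an application verifier token with the four fields the slide names (appid, ts, ip, sig) and the double URL-encoding visible in the app parameter. The signing scheme (HMAC-SHA256 over the query string with a constructed APP_SECRET) and the MAX_SKEW window are assumptions chosen for the example, not the SDK's actual algorithm; the point is the order of checks a receiving service should apply.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed assumptions for this illustration: the app's shared secret and
# how long a signed timestamp stays acceptable. Not the Live ID SDK's values.
APP_SECRET = b"constructed-app-secret-not-real"
MAX_SKEW = 300  # seconds


def _payload(appid, ts, ip):
    # The signed part of the verifier: the three fields shown on the slide.
    return urlencode([("appid", appid), ("ts", ts), ("ip", ip)])


def make_verifier(appid, ip, secret=APP_SECRET, now=None):
    """Build the app= value: appid, ts, ip plus a base64 SHA256-based signature.
    The signature is URL-encoded, then the whole token is URL-encoded again,
    which is why the slide shows %26 / %3d and %252f / %253d."""
    ts = int(time.time() if now is None else now)
    payload = _payload(appid, ts, ip)
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    sig = base64.b64encode(mac).decode()
    return quote(payload + "&sig=" + quote(sig, safe=""), safe="")


def check_verifier(app_param, client_ip, secret=APP_SECRET, now=None):
    """Validate a received app= value. Returns (ok, reason).
    Order matters: verify the MAC first, and only then trust ts and ip
    enough to enforce freshness and the client-IP binding the token carries."""
    fields = parse_qs(unquote(app_param))  # second decode happens per value
    try:
        appid, ts, ip, sig = (fields[k][0] for k in ("appid", "ts", "ip", "sig"))
    except KeyError:
        return False, "missing field"
    mac = hmac.new(secret, _payload(appid, ts, ip).encode(), hashlib.sha256).digest()
    expected = base64.b64encode(mac).decode()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    now = int(time.time() if now is None else now)
    if abs(now - int(ts)) > MAX_SKEW:  # limits replay of a captured token
        return False, "stale timestamp"
    if ip != client_ip:  # token is bound to the client IP it was issued for
        return False, "ip mismatch"
    return True, "ok"
```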

Page 25: Protecting Online Identities

Sell more of your application by easing on-boarding of identities

Page 26: Protecting Online Identities

Federation Infrastructure
• Standards based
• WS-Trust/WS-Fed
• Microsoft Federation Gateway

Rapid on-boarding / tools
• Microsoft Services Connector

Page 27: Protecting Online Identities

A Federated Ecosystem
Benefits of federated identity

• Open participation based on industry standards
• Linking service providers and service consumers
• Access to more services and applications: Microsoft cloud applications; developers using Azure Services Platform; developers using other hosting platforms
• Access to more customers: 500m+ Live ID users; other organizations using federated identity

Microsoft is offering free solutions that greatly simplify service federation scenarios

Page 28: Protecting Online Identities

MFG and the Federation Ecosystem

[Diagram: Relying Party (RP) – Web Site / Online App; Microsoft Federation Gateway (MFG); Identity Providers (IdP) – Live ID Identity Provider and other federated Identity Providers; User Applications – Browser, and Windows App with Live ID Client SDK]

Page 29: Protecting Online Identities

Solution: Easy Federated Identity

Microsoft Federation Gateway
• Hub and spoke model: simplified trust management for enterprises & service providers
• Production deployment since 2006
• Now supports self-service federation provisioning

Microsoft Services Connector
• Connects Active Directory to Federation Gateway and Cloud services / applications
• Simple 1-time federation setup – auto-provisioning
• Flexible and customizable end-user experience
• Free download

Objective: Connect to cloud services without changing existing identity infrastructure

Page 30: Protecting Online Identities

Federation Infrastructure
• Standards based
• WS-Trust/WS-Fed
• Microsoft Federation Gateway

Rapid on-boarding / tools
• Microsoft Services Connector

Page 31: Protecting Online Identities

Microsoft Services Connector

demo

Accessing federated resources from inside the corporate network

Page 32: Protecting Online Identities

Accessing Services Using Federation Gateway & MSC

[Diagram: Enterprise (Desktop with Browser and Office Apps, Microsoft Services Connector, Active Directory) – Microsoft Federation Gateway – Cloud Applications and Developer Services]

1. User clicks link -- taken to Microsoft Services Connector for authentication
2. Services Connector validates credentials with Active Directory
3. Services Connector issues login token and redirects to Federation Gateway
4. Federation Gateway validates token and transforms claims
5. Federation Gateway issues service token and redirects to service
6. User accesses service

Page 33: Protecting Online Identities

Web developers
• Customizable identity UX
• Single Sign On
• Access to user data

ISVs
• Federation for selling their applications to organizations
• Easy on-boarding of new customers

Organizations
• Turnkey federation for adopting services (Online, Live, ISVs)
• Works with existing identity infrastructure

Page 34: Protecting Online Identities

Q&A

Page 35: Protecting Online Identities

Please Complete an Evaluation Form
Your feedback is important!

Evaluation forms can be found on each chair. Temp staff at the back of the room have additional evaluation form copies.

Page 36: Protecting Online Identities

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 37: Protecting Online Identities