Jan Alexander Program Manager Microsoft Corporation BB43.
Identity: “Geneva” Deep Dive
Jan Alexander, Program Manager, Microsoft Corporation
BB43
Microsoft Identity Software + Services
One identity model that puts users in control of their identities
Software: “Geneva” Framework, Windows CardSpace “Geneva”, Active Directory, “Geneva” Server
Services: Live Framework, Live Identity Services, Microsoft Federation Gateway, .Net Access Control Service
Microsoft Services Connector
Claims-Based Access: Standards Based, Enhances Developer Productivity, Flexibility via Choice
Agenda
Identity Meta-System & Claims
Creating Claims-based Application
Adding Custom Claims
Federated Authentication
Custom STS
Claims & WCF
Identity Delegation
Futures

Identity Meta-System & Claims
Identity Meta-System Introduction
Claims Requestor: Client (Web Browser, WCF Smart Client, SSP-based application)
Claims Producer: Security Token Service (Geneva Server, Custom STS)
Claims Consumer: Relying Party (ASP.NET, WCF service, SSP-based service)
1. Trust established
2. Authenticate and get claims in a token
3. Send the issued token with claims to authenticate with the service
Terminology
Claim: Statement made by an entity (issuer) about an entity (subject)
Security Token: Represents a collection of claims; usually asserted and cryptographically signed by an issuing authority
Security Token Service: Issues security tokens
Relying Party: Accepts security tokens and uses claims contained in them
Claims Model
IClaimsPrincipal contains one or more IClaimsIdentity
IClaimsIdentity contains Claims and a Subject
Sample Claim: ClaimType = “Name”, Value = “Bob”, Issuer = “WLID”
Creating Claims-Based Application

Federated Claims-Based Application
Bob (Identity: Contoso\Bob, going to: Relying Party) -> STS (Geneva Server)
STS Claims Transformation Policy for Relying Party: Name = Contoso\Bob -> ShoeSize = 41
STS -> Bob: SAML (Shoe Size = 41)
Bob -> Relying Party (ASP.NET + Geneva FX): SAML (Shoe Size = 41), HTTP GET /secret.aspx
Relying Party Authorization Policy: secret.aspx -> Shoe Size = 41
Relying Party -> Bob: Secret content
Original Application Without Claims
Client -> (Kerberos) -> IIS + ASP.NET
Infrastructure: Windows Authentication Module
Application Code: URL Authorization Module with Authorization Policy: default.aspx -> *, secret.aspx -> janalex
Pages: default.aspx (Everyone), secret.aspx (Only Shoe Size 41)
Making The Application Claim-Based: Converting authorization to use claims
Client -> (Kerberos) -> IIS + ASP.NET
Infrastructure: Windows Authentication Module
Geneva Framework: Claims Authentication Module, Claims Authorization Module
Application Code: Claims Authorization Manager with Authorization Policy: default.aspx -> Everyone, secret.aspx -> Claim Type = “Name”, Claim Value = “janalex”
(Previously: URL Authorization Module with Authorization Policy: default.aspx -> *, secret.aspx -> janalex)
Pages: default.aspx (Everyone), secret.aspx (Only Shoe Size 41)
Demo: Securing a Web Page
Adding Custom Claims

Geneva Framework Architecture
Hosting Layer (WCF or ASP.NET) -> Geneva FX integration layer
Token Handling: Issuer Name Registry (Issuer’s Token -> Issuer’s Name), Token Serialization (XML/Binary -> Security Token), Token Validation (Security Token -> Claims Identity), Claims Extraction, Token Resolver (Token Reference -> Security Token)
Claims Authentication Manager: Claims Principal in -> Claims Principal out
Security Session Management: Claims Principal <-> Session Token
Claims Authorization Manager: Claims Principal + Request -> True/False
Application Code: receives the Claims Principal
Making The Application Claims-Based: Adding shoe size claim
Client -> (Kerberos) -> IIS + ASP.NET
Infrastructure: Windows Authentication Module
Geneva Framework: Claims Authentication Module, Claims Authorization Module
Application Code: Claims Authentication Manager with Claims Transformation Policy: Name = REDMOND\janalex -> ShoeSize = 41
Application Code: Claims Authorization Manager with Authorization Policy: default.aspx -> Everyone, secret.aspx -> ShoeSize = 41
(Previously: secret.aspx -> Name = REDMOND\janalex)
Pages: default.aspx (Everyone), secret.aspx (Only Shoe Size 41)

Demo: Adding Shoe Size Claim
Federated Authentication

What Is Geneva Server?
Security Token Service for AD: Identity and federation provider
Managed Card Provider for AD: CardSpace and InfoCard Identity Selectors
Federation Trust Manager: Automates trust management using metadata
Standards Based and Interoperable: WS-* & SAML 2.0 protocol “Web SSO profile”; SAML 1.1 & 2.0 tokens
Geneva Server Architecture
Callers: Client, CardSpace, Relying Party, Home Realm Discovery Service, MMC: Policy UX, MMC: Service UX
Geneva Server Runtime (on the Geneva FX API):
Protocol Hosting (WS-Trust, Metadata, WS-Federation): {WS-Fed Passive}, {WS-Trust, WS-MEX}, {WS-Fed Metadata}
Issuance Engine
Information Card Issuance Service: {Information Card Issuance}
Policy Management Service: {Policy Management}; WMI Provider: {WMI}; Config File
Identity Store Interface: {LDAP} -> AD/ADAM user attribute and AuthN store (LDAP Store)
Policy Store Interface: {FileIO}, {SQL} -> SQL Policy Store (SQL Store)
Making The Application Claims-Based: Converting to the federated authentication
Client -> (Kerberos) -> Geneva Server STS; Establish Trust between the STS and the application
Client -> (SAML Token) -> IIS + ASP.NET
Geneva Framework: Federated Authentication Module with Issuer Name Registry (replaces the Windows Authentication Module), Claims Authentication Module, Claims Authorization Module
Application Code: Claims Authentication Manager with Claims Authentication Policy: Issuer = STS -> Can say Shoe Size, and Claims Transformation Policy: Name = REDMOND\janalex -> ShoeSize = 41
Application Code: Claims Authorization Manager with Authorization Policy: default.aspx -> Everyone, secret.aspx -> Shoe Size = 41
Pages: default.aspx (Everyone), secret.aspx (Only Shoe Size 41)

Demo: Converting to the Federated Authentication
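The two application-code pieces from the "Adding shoe size claim" and "Converting to the federated authentication" slides, written out as an added example (not code from the deck or from the Geneva Framework itself). It assumes the WIF-style Microsoft.IdentityModel.Claims API (ClaimsAuthenticationManager, ClaimsAuthorizationManager, AuthorizationContext), a hypothetical claim type URI for shoe size, and that the Issuer Name Registry names the federated STS "STS".

```csharp
using System;
using System.Linq;
using Microsoft.IdentityModel.Claims;

// Runs once per request before application code sees the principal (slide: Claims Authentication Manager).
public class ShoeSizeAuthenticationManager : ClaimsAuthenticationManager
{
    // Hypothetical claim type URI for the shoe size claim; not from the deck.
    public const string ShoeSizeType = "http://schemas.example.com/claims/shoesize";
    // Assumed issuer name that the Issuer Name Registry returns for the federated STS.
    public const string TrustedIssuer = "STS";

    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
    {
        foreach (IClaimsIdentity identity in incomingPrincipal.Identities)
        {
            // Claims Authentication Policy "Issuer = STS -> Can say Shoe Size": a shoe size
            // asserted by any other issuer is dropped instead of being trusted.
            foreach (Claim stray in identity.Claims
                     .Where(c => c.ClaimType == ShoeSizeType && c.Issuer != TrustedIssuer).ToList())
            {
                identity.Claims.Remove(stray);
            }

            // Claims Transformation Policy "Name = REDMOND\janalex -> ShoeSize = 41".
            bool isJanalex = identity.Claims.Any(c =>
                c.ClaimType == ClaimTypes.Name && c.Value == @"REDMOND\janalex");
            if (isJanalex && !identity.Claims.Any(c => c.ClaimType == ShoeSizeType))
            {
                identity.Claims.Add(new Claim(ShoeSizeType, "41", ClaimValueTypes.Integer, "LOCAL AUTHORITY"));
            }
        }
        return incomingPrincipal;
    }
}

// Authorization Policy "default.aspx -> Everyone, secret.aspx -> ShoeSize = 41" (slide: Claims Authorization Manager).
public class ShoeSizeAuthorizationManager : ClaimsAuthorizationManager
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        // The ASP.NET module passes the request URL as the resource claim and the HTTP verb as the action.
        string resource = context.Resource.First().Value;
        if (!resource.EndsWith("/secret.aspx", StringComparison.OrdinalIgnoreCase))
        {
            return true; // Everyone
        }
        return context.Principal.Identities.Any(identity =>
            identity.Claims.Any(c => c.ClaimType == ShoeSizeAuthenticationManager.ShoeSizeType
                                  && c.Value == "41"));
    }
}
```

Both classes are registered in web.config (assumed WIF element names: claimsAuthenticationManager and claimsAuthorizationManager under microsoft.identityModel/service) so the Claims Authentication and Claims Authorization modules invoke them on every request.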
Making The Application Claims-Based: Adding a new identity provider
Windows Live ID User -> WLID STS (Windows Live ID)
Fabrikam User -> Fabrikam STS (Fabrikam)
Trust Established between WLID STS and Fabrikam STS
Fabrikam STS -> Relying Party
Identity Delegation

Claims Model with Delegation
IClaimsPrincipal contains IClaimsIdentity
IClaimsIdentity: Sample Claim: ClaimType = “Name”, Value = “Bob”, Issuer = “WLID”; Subject; Delegate -> IClaimsIdentity
Delegate IClaimsIdentity: Sample Claim: ClaimType = “Name”, Value = “Server1”, Issuer = “MS STS”; Subject; Delegate

Identity Delegation
Bob -> (HTTP/HTML) -> WFE (ASP.NET) -> (SOAP) -> Backend (WCF)
Bob -> STS (Geneva Server): Issue Token { Bob }
WFE -> STS (Geneva Server): Issue Token { WFE, ActAs(Bob) }
Token presented to WFE: { Bob }; token presented to Backend: { Bob delegate WFE }
Futures

Authorization
Imagine this:

    // Verbatim string (@"..."), since the account name contains a backslash.
    foreach (IClaimsIdentity identity in subject.Identities)
    {
        if ((from c in identity.Claims
             where c.ClaimType == ClaimTypes.Name && c.Value == @"REDMOND\janalex"
             select c).Count() > 0)
        {
            return true;
        }
    }

Turned into this:

    [AccessCheck(Resource="page1.aspx", Operation="GET")]
Geneva Server Issuance Policy
Accessing arbitrary Claim properties (today limited to claim type and claim value)
Complex conditions (today only a single expression is supported)
Custom attribute stores (today only LDAP)
Policy analysis support
Enhanced identity delegation policy (today on par with AD constrained delegation)
Support for custom issuance engines
"Geneva" Schedule
Beta 1: October 2008
Beta 2: 1st Half 2009
RTM: 2nd Half 2009
“Geneva” components are Windows components
Supported platforms: Beta: Windows Server 2008, Windows Vista; RTM: To Be Determined
Details
See us in the Lounge, Pavilion, Hands On Lab
Learn about the Technology Adoption Partner program
Summary
Claims are flexible and powerful
Security Token Service is here to help you get the right identity information to your applications
“Geneva” Framework gives you a consistent programming model for every situation
Identity @ PDC
Software: (BB42) Identity: "Geneva" Server and Framework Overview; (BB43) Identity: "Geneva" Deep Dive; (BB44) Identity: Windows CardSpace "Geneva" Under the Hood
Services: (BB22) Identity: Live Identity Services Drilldown; (BB29) Identity: Connecting Active Directory to Microsoft Services; (BB28) .NET Services: Access Control Service Drilldown; (BB55) .NET Services: Access Control In the Cloud
This session will be available as a recording at: www.microsoftpdc.com