Advances in Digital Identity Steve Plank Identity Architect.
Page 1
Advances in Digital Identity
Steve Plank, Identity Architect
Page 2
Connectivity: IP
Naming: DNS
Identity: no consistency
Page 3
taught users
type usernames & passwords
web page
Page 4
what is identity?
Page 5
attributes:
givenName: steve
sn: plank
preferredName: planky
dateOfBirth: 170685
over18: true
over21: true
over65: false
image
Page 6
self asserted: what claims I make about myself
verifiable: what claims another party makes about me
Page 7
elvis presley
only 1 of them is real
probably
Page 8
trust
make these claims
Page 9
SECURITY TOKEN
steve plank
over 18
over 21
under 65
image
Page 10
security token service
give it something
DIFFERENT SECURITY TOKEN: Username/Password, Biometric, Signature, Certificate, “Secret”
SECURITY TOKEN: Steve Plank, Over 18, Over 21, Under 65, image
Page 11
identity metasystem
Page 12
participants
relying party (website)
identity provider
subject
Page 13
identity provider (security token service: WS-*, SAML, x509)
identity provider (security token service: WS-*, SAML, x509)
subject
identity selector
relying party
relying party
Page 14
identity selector
Page 15
human integration
consistent experience across contexts
Page 16
Page 17
cards
self-issued
• contains claims about my identity that I assert
• not corroborated
• stored locally
• signed and encrypted to prevent replay attacks
managed
• provided by banks, stores, government, clubs, etc
• locally stored cards contain metadata only!
• data stored by identity provider and obtained only when card submitted
Page 18
login with self issued card
participants: user, relying party (website)
user -> relying party: login (via object tag)
Page 19
select self issued card
participants: user, relying party (website)
user selects card "Planky"
Page 20
create token from card
participants: user, relying party (website)
card "Planky": FN: Steve, LN: Plank, Email: splank, CO: UK
Page 21
sign, encrypt & send token
participants: user, relying party (website)
user -> relying party: token from card "Planky"
Page 22
login with managed card
participants: user, relying party (website), identity provider
user -> relying party: login (via object tag)
Page 23
select managed card
participants: user, relying party (website), identity provider
user selects card "WoodgroveBank"
Page 24
request security token
participants: user, relying party (website), identity provider (WoodgroveBank)
user -> identity provider: request security token
authN: X509, kerb, SC, U/pwd…
Page 25
request security token response
participants: user, relying party (website), identity provider (WoodgroveBank)
identity provider -> user: request security token response
sign, encrypt, send
Page 26

```html
<body>
  <form id="form1" method="post" action="login.aspx">
    <div>
      <button type="submit">
        Click here to sign in with your Information Card
      </button>
      <!-- the identity selector reads these parameters to decide which cards qualify -->
      <object type="application/x-informationcard" name="xmlToken">
        <param name="tokenType"
               value="urn:oasis:names:tc:SAML:1.0:assertion" />
        <param name="issuer"
               value="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" />
        <!-- whitespace-separated list of claim URIs the relying party requires -->
        <param name="requiredClaims"
               value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
      </object>
    </div>
  </form>
</body>
```
Page 27
relying party (website)
xmlToken (signed & encrypted) -> token decrypter -> xmlToken (plaintext) -> claims extractor
claims: first name, last name, phone
ppid: index into user database (123456789, 456)
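The following is an added example, not code from the deck or from any CardSpace implementation. It models the self-issued card flow of pages 18 to 21 together with the relying-party pipeline of page 27: the identity selector parses the `requiredClaims` list from the page 26 object tag, builds a token from the "Planky" card restricted to those claims, computes a per-relying-party private personal identifier, signs the token, and the relying party verifies it, extracts the claims and uses the ppid as the key into its user database. Cryptography is a stand-in: an HMAC-SHA256 over the canonical JSON replaces the XML signature, the token is not encrypted, and the key is shared only because everything runs in one process; card contents, the card id, the RP identity string and the ppid derivation (hash of card id and RP identity) are constructed assumptions. Replay protection here comes from the expiry window and a nonce cache checked after the signature, which is the check a practitioner would want beside the signature itself.

```python
import hashlib
import hmac
import json
import secrets

CLAIM_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
SELF_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
PPID_CLAIM = CLAIM_NS + "privatepersonalidentifier"

# The requiredClaims value as the relying party's <object> tag lists it.
REQUIRED_CLAIMS_PARAM = """
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier
"""


def parse_required_claims(value):
    """requiredClaims is a whitespace-separated list of claim URIs."""
    return value.split()


# Constructed self-issued card ("Planky") as held by the identity selector.
PLANKY_CARD = {
    "card_id": "urn:uuid:constructed-card-id",  # constructed, not a real card id
    "claims": {
        CLAIM_NS + "givenname": "Steve",
        CLAIM_NS + "surname": "Plank",
        CLAIM_NS + "emailaddress": "splank",
        CLAIM_NS + "country": "UK",  # on the card but not requested, so never sent
    },
}


def private_personal_identifier(card_id, rp_identity):
    """Per-relying-party pseudonym (assumed derivation: hash of card id and RP identity).
    The same card yields a different ppid at each site, so two sites cannot
    correlate the user through this claim."""
    return hashlib.sha256(f"{card_id}|{rp_identity}".encode()).hexdigest()[:32]


def create_token(card, required_claims, rp_identity, key, now, ttl=300):
    """Identity selector side: 'create token from card', then sign it.
    Only the claims the RP asked for leave the card; the ppid is computed, not stored."""
    claims = {}
    for uri in required_claims:
        if uri == PPID_CLAIM:
            claims[uri] = private_personal_identifier(card["card_id"], rp_identity)
        elif uri in card["claims"]:
            claims[uri] = card["claims"][uri]
        else:
            raise ValueError("card cannot satisfy required claim " + uri)
    body = {
        "issuer": SELF_ISSUER,
        "audience": rp_identity,        # binds the token to one relying party
        "issued_at": now,
        "expires_at": now + ttl,        # short validity window
        "nonce": secrets.token_hex(8),  # lets the RP detect a replayed token
        "claims": claims,
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    signature = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


class RelyingParty:
    """Page 27 pipeline: verify the token, extract claims, index the user DB by ppid."""

    def __init__(self, identity, key):
        self.identity = identity
        self.key = key
        self.seen_nonces = set()  # replay detection
        self.users = {}           # ppid -> user record

    def extract_claims(self, token, now):
        expected = hmac.new(self.key, token["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["signature"]):
            raise ValueError("bad signature")
        body = json.loads(token["payload"])
        if body["issuer"] != SELF_ISSUER:
            raise ValueError("unexpected issuer")
        if body["audience"] != self.identity:
            raise ValueError("token was issued for another relying party")
        if not body["issued_at"] <= now < body["expires_at"]:
            raise ValueError("token expired or not yet valid")
        if body["nonce"] in self.seen_nonces:
            raise ValueError("replayed token")
        self.seen_nonces.add(body["nonce"])
        return body["claims"]

    def login(self, token, now):
        """Returns (user record, created). The ppid is the key into the user database."""
        claims = self.extract_claims(token, now)
        ppid = claims[PPID_CLAIM]
        created = ppid not in self.users
        if created:
            self.users[ppid] = {
                "first_name": claims[CLAIM_NS + "givenname"],
                "last_name": claims[CLAIM_NS + "surname"],
                "email": claims[CLAIM_NS + "emailaddress"],
            }
        return self.users[ppid], created
```

The audience and expiry checks matter as much as the signature: a correctly signed token presented to the wrong site, or long after it was minted, should be rejected before any claim reaches the user database.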
Page 28
demo
Page 29
review
• identity layer
• phishing, phraud
• human integration
• consistent experience across contexts
• ip
• rp
• user
• identity selector
Presentation style mercilessly stolen off Lawrence Lessig, BBC News 24 and Dick Hardt