Windows CardSpace
Transcript of Windows CardSpace
Event slides will be posted at:
http://www.microsoft.com/uk/msdnevents
Identity: problems
Passwords too easy to crack
  Or too hard to remember
I want multiple identities
  Results in identity silos
Banks etc. would like to make sign-on data a lot more complex
  Users’ ability to remember is the obstacle
Nobody trusts a single organization to store all identity information
Identity: a new approach
Kim Cameron; www.identityblog.com
  Seven laws of identity
We have interoperable WS-* specs
  Allow multiple identity systems to take part
We have a standard format for credentials
  SAML tokens
The Identity Metasystem
Security Tokens
SAML: Security Assertion Markup Language
  Prevailing format for credentials today
What’s in a security token?
  Collection of claims (self-asserted or verifiable)
  Token signed by issuer
Issuing a token
  Use WS-Security and WS-Trust
Consuming a token
  Verify signature, decide if issuer trusted
  Read claims (for authZ decisions)
Example Security Token
Given Name: Martin
Family Name: Parry
Email: [email protected]
Security Token Service
Give it something...
  Username/password
  X.509 certificate
  Another security token
  Biometric
  Etc...
Federation
If users have accounts elsewhere and you trust the authN that takes place there
  Don’t add user accounts to your system
  Accept security tokens issued elsewhere
  Establish trust between systems
WS-Federation
Think of B2B scenarios
Federation: example
Instead of provisioning a new user account for a partner, I’ll let her organization authenticate her
Automate the trust relationship
Ask user to supply a SAML token issued by a partner org
SAML token contains claims about the user
  Partner org claims that this user’s name is Alice
  Partner org claims that Alice is a Purchaser
  Partner org claims that Alice is authorized to purchase bike parts
Reduces identity management burden and latency
Information Cards
Identities represented as cards
  Users understand that they need to be careful when giving out credit card details
Self-issued “personal card”
  Created by user and held in local secure store
  Private personal identifier
“Managed card”
  Issued by trusted Identity Provider
  Visible locally but identity information is stored at IP
Cards do not contain security tokens
  They represent my ability to supply a token
How it works
Parties in the diagram: Relying Party, Identity Provider
1. Access resource
2. Policy: “I would like a SAML 1.1 token, containing First Name, Surname, issued by *any*”
3. UI filters cards that can satisfy policy
4. User picks a card
5. Token is requested
6. Token is created
7. Token is presented
Demo
Create a self-issued card
Sign on to a website using the card
HTML

```html
<form id="form1" method="post" action="login1.aspx">
  <div>
    <button type="submit">Click here to sign in</button>
    <!-- The identity selector object posts the chosen token in the xmlToken form field -->
    <object type="application/x-informationcard" name="xmlToken">
      <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion" />
      <param name="issuer" value="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self" />
      <!-- requiredClaims is a whitespace-separated list of claim URIs -->
      <param name="requiredClaims" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
    </object>
  </div>
</form>
```
Server-side code

```csharp
protected void Page_Load(object sender, EventArgs e)
{
    // The identity selector posts the security token in the xmlToken form field
    string xmlToken = Request.Params["xmlToken"];
    if (xmlToken == null || xmlToken.Equals(""))
        ShowError("Token presented was null");
    else
    {
        // TokenHelper processes the token for the www.fabrikam.com relying party
        // and exposes its claims by claim type
        TokenHelper tokenHelper = new TokenHelper(xmlToken, "www.fabrikam.com");
        givenname.Text = tokenHelper.GetClaim(ClaimTypes.GivenName);
        surname.Text = tokenHelper.GetClaim(ClaimTypes.Surname);
        email.Text = tokenHelper.GetClaim(ClaimTypes.Email);
    }
}
```

Clearly all the work’s in TokenHelper
  Get it in the samples at www.netfx3.com
How to implement a RP
Update user database
  To include unique IDs from CardSpace
Create an association page
  Users can associate cards with their accounts
Update the sign-in page
  To allow the use of cards
  Can still allow other credentials
Update registration page
  To allow the use of cards
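As an added example (not code from the slides or the www.netfx3.com samples), the relying-party checks from the Consuming a token slide and the PPID-keyed user record from the steps above, run over a constructed SAML 1.1 assertion. Decryption and signature verification, which TokenHelper does in the slides, are assumed done upstream, and http://www.fabrikam.com is assumed to be this RP's identifier.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces and identifiers as used in the slides' HTML object tag.
SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
SELF_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
RP_AUDIENCE = "http://www.fabrikam.com"  # assumed: this relying party's identifier
TRUSTED_ISSUERS = {SELF_ISSUER}            # plus any managed-card IPs you federate with

# Constructed sample assertion, assumed already decrypted and signature-checked upstream.
SAMPLE_TOKEN = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="1" AssertionID="uuid-constructed-0001"
  Issuer="{SELF_ISSUER}" IssueInstant="2007-03-01T10:00:00Z">
 <saml:Conditions NotBefore="2007-03-01T10:00:00Z" NotOnOrAfter="2007-03-01T10:05:00Z">
  <saml:AudienceRestrictionCondition><saml:Audience>{RP_AUDIENCE}</saml:Audience>
  </saml:AudienceRestrictionCondition></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute AttributeName="givenname" AttributeNamespace="{CLAIMS_NS}">
   <saml:AttributeValue>Martin</saml:AttributeValue></saml:Attribute>
  <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="{CLAIMS_NS}">
   <saml:AttributeValue>constructed-ppid-base64==</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>"""

def parse_instant(s):  # SAML 1.1 instants are UTC 'Z' timestamps
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def consume_token(xml_token, now):
    """Trust decision first (issuer, validity window, audience), then read claims.
    Claim URI = AttributeNamespace + "/" + AttributeName, as in requiredClaims."""
    root = ET.fromstring(xml_token)
    issuer = root.get("Issuer")
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError(f"untrusted issuer: {issuer!r}")
    cond = root.find(SAML + "Conditions")
    if cond is None:
        raise ValueError("no Conditions element; refusing an unbounded token")
    if not parse_instant(cond.get("NotBefore")) <= now < parse_instant(cond.get("NotOnOrAfter")):
        raise ValueError("token outside its validity window (stale or replayed)")
    if RP_AUDIENCE not in [a.text for a in cond.iter(SAML + "Audience")]:
        raise ValueError("token was issued for a different relying party")
    return issuer, {f'{a.get("AttributeNamespace")}/{a.get("AttributeName")}':
                    a.findtext(SAML + "AttributeValue") for a in root.iter(SAML + "Attribute")}

def account_key(issuer, claims):
    """A PPID is unique only per (issuer, RP), so key the user table on issuer + PPID."""
    return issuer, claims[CLAIMS_NS + "/privatepersonalidentifier"]
```

The same (issuer, PPID) pair is what the association page stores against an account, so a card from a different issuer with a colliding PPID never maps to the same user.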
Get the latest technology previews, trial software, special offers
Get information tailored to your needs
Pick your RSS feeds
Sign up for MSDN Connection at:
http://www.msdn.co.uk
Resources, tools and betas
Learn about development for Windows Live: http://dev.live.com
Useful resource for .NET Framework 3.0, the development platform for Windows Vista: http://www.netfx3.com
Get the latest betas for Windows Vista and Office 2007: http://www.microsoft.com/betaexperience
Try Visual Studio: http://www.microsoft.com/getthetrials
Check out the free Express versions of Visual Studio: http://msdn.microsoft.com/express
Learn about and try the new Web and client designer tools: http://www.microsoft.com/expression
Resources: http://www.gotdotnet.com and http://www.asp.net
Additional Information
UK MSDN Events: post-events page including slide decks
http://www.microsoft.com/uk/msdnevents
Upcoming events
http://www.microsoft.com/uk/msdn/events/upcoming.aspx
UK MSDN Site & Flash Newsletter: local news, events, nuggets & webcasts
http://www.microsoft.com/uk/msdn
Register to receive the bi-weekly MSDN Flash by email
http://www.microsoft.com/uk/msdn/flash.aspx