
Identity: “Geneva” Server And Framework Overview

Stuart Kwan, Group Program Manager, Microsoft Corporation

Caleb Baker, Senior SDET, Microsoft Corporation

BB42

Identity is essential, but not straightforward
  Lots of technologies and standards
  Complex decision tree, mapping technology to scenario

Cloud computing adds new requirements
  Federated single sign-on is a must
  Usually can't read the enterprise directory

Need a new approach
  Simplify the programming model
  Cloud/on-premises agnostic

Challenges In Identity


Claims-based access model
"Geneva" server and framework demo
Roadmap

Agenda

Claim
  Statement by one party about another party
  May be an identifier or a characteristic

Security token
  Signed document containing claims
  Produced by a Security Token Service (STS)

Identity Metasystem
  Protocols and architecture for exchanging claims

Claims-aware application
  Claims are delivered when the user accesses the app

Claims-Based Access Model

Claims-Based Access Model

[Diagram: the claims-based access model]
Parties: End User; Security Token Service; Application Server running Your App on top of the Claims Framework. The application server trusts the STS.
  1. Establish relationship using metadata
  2. Read policy
  3. Read policy
  4. Get claims
  5. Send claims

Claims-Based Access Model: Introducing "Geneva"

[Diagram: the same flow with the "Geneva" components in place]
Parties: End User; “Geneva” Server, backed by Active Directory; Application Server running Your App on top of the “Geneva” Framework. The application server trusts the “Geneva” Server.
  1. Establish relationship using metadata
  2. Read policy
  3. Read policy
  4. Get claims
  5. Send claims

Key to flexibility in the model: externalize authentication to an STS

The STS takes care of
  How to authenticate the user
  Where to source claim values about the user
  Emitting the specific types, formats and values of claims that satisfy a specific application

Application logic is driven by claims

Role Of Security Token Services

Starting with an ASP.NET web application
  1. Wire it up to a Security Token Service
  2. Get user data without a lookup
  3. Enable access by federated users
  4. Access a back end service using the logged-in user's identity
  5. Require the user to use strong authentication for access to specific resources

What You Are About To See

Contoso Hybrid

The Players

Auto Parts Web Application

Terry Earls

Wire Up To An STS

Caleb Baker, Senior SDET, Federated Identity

Demo

Steps
  Create and exchange metadata to establish the relationship
  Switch the application to anonymous authentication
  User is redirected, authenticated, and returns with claims

Benefits
  No code change: works with .NET role-based security
  Flexibility: the STS admin decides how to authenticate the user and retrieve role data

Checkpoint: Wire Up To STS

Many authentication systems only convey an identifier, not user attributes

Applications must do lookups in directories and databases for information about the user
  Location of the information is not obvious: every org's information system is slightly different
  Not straightforward to look up information about a user from another org
  Applications residing in the cloud may not be able to read the enterprise directory

Challenge: Get Information About User

Get Information About User

Caleb Baker, Senior SDET, Federated Identity

Demo

Steps
  Write code to read claims using IClaimsPrincipal and IClaimsIdentity

Benefits
  Easy to get user information
  No directory lookup necessary in the application
  STS admin decides where to get information about the user

Checkpoint: Get Information About User
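The following is an added example, not code from the deck or from the "Geneva" beta itself: an ASP.NET code-behind that reads the claims the STS delivered through IClaimsPrincipal and IClaimsIdentity, and still uses plain IsInRole for the role check the previous checkpoint relied on. It is written against the Microsoft.IdentityModel namespaces as they shipped in the released Geneva Framework (later named Windows Identity Foundation). The page name, the label controls, the role name "Purchaser", the expected issuer name and the custom purchasing-limit claim URI are assumptions for illustration.

```csharp
// Added example (not from the deck): read claims delivered by the STS
// instead of looking the user up in a directory or database.
using System;
using System.Globalization;
using System.Linq;
using System.Threading;
using System.Web;
using Microsoft.IdentityModel.Claims;

public partial class OrderStatus : System.Web.UI.Page
{
    // Assumed custom claim type emitted by the Contoso STS (not from the deck).
    const string PurchasingLimitClaim = "http://schemas.contoso.com/claims/purchasinglimit";

    // Assumed issuer name, as registered in the application's trusted issuer list.
    const string ExpectedIssuer = "Contoso Geneva Server";

    protected void Page_Load(object sender, EventArgs e)
    {
        // With the WS-Federation module in the pipeline, Thread.CurrentPrincipal
        // (and Page.User) is an IClaimsPrincipal built from the STS-signed token.
        IClaimsPrincipal principal = Thread.CurrentPrincipal as IClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            // The module normally redirects unauthenticated users; fail closed if it did not.
            Response.StatusCode = 401;
            Response.End();
            return;
        }

        // Existing role-based code keeps working: role claims are surfaced through IsInRole.
        if (!principal.IsInRole("Purchaser"))
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        IClaimsIdentity identity = (IClaimsIdentity)principal.Identity;

        // Attributes come straight from the token; no LDAP or database call here.
        string name = ClaimValue(identity, ClaimTypes.Name);
        string email = ClaimValue(identity, ClaimTypes.Email);
        decimal limit = PurchasingLimit(identity);

        // lblUser, lblEmail and lblLimit are assumed Label controls on the page.
        lblUser.Text = HttpUtility.HtmlEncode(name ?? identity.Name);
        lblEmail.Text = HttpUtility.HtmlEncode(email ?? "(not issued)");
        lblLimit.Text = limit.ToString("C", CultureInfo.CurrentCulture);
    }

    // First value of the claim type, or null if the STS did not issue it.
    // Only accept claims from the STS this app is wired to: the framework has
    // already verified the token signature, but an application that honours a
    // claim from any issuer would accept one forwarded from a less trusted source.
    static string ClaimValue(IClaimsIdentity identity, string claimType)
    {
        Claim claim = identity.Claims.FirstOrDefault(
            c => c.ClaimType == claimType && c.Issuer == ExpectedIssuer);
        return claim == null ? null : claim.Value;
    }

    // A missing or malformed purchasing-limit claim means no purchasing
    // authority, not unlimited authority.
    static decimal PurchasingLimit(IClaimsIdentity identity)
    {
        decimal limit;
        string raw = ClaimValue(identity, PurchasingLimitClaim);
        bool ok = raw != null
            && decimal.TryParse(raw, NumberStyles.Number, CultureInfo.InvariantCulture, out limit)
            && limit >= 0;
        return ok ? limit : 0m;
    }
}
```

The issuer check is the part worth keeping even if the rest is adapted: once claims are the only input to authorization, which STS asserted a claim matters as much as its value.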

Federation is essential for business-to-business applications and when using cloud services

Organizations don't want to manage separate user accounts at every cloud service or partner

Want end users to have a single sign-on experience

Challenge: Federation

Contoso Hybrid

The Players

Auto Parts Web Application

Terry Earls

Fabrikam Motors

Frank Miller

Federation

Caleb Baker, Senior SDET, Federated Identity

Demo

Federation

[Diagram: federated sign-on across two “Geneva” Servers]
Parties: Frank Miller; two “Geneva” Servers, one in each organization; Application Server running Auto Parts on the “Geneva” Framework. There is a trust relationship between the two servers and between the application and its STS.
  1. Establish relationship using metadata
  2. Attempt access
  3. Redirect to STS
  4. Home realm discovery
  5. Redirect to STS
  6. Authenticate
  7. Get claims
  8. Post claims
  9. Get claims
  10. Post claims

Steps
  Exchange metadata to establish the relationship
  Write a claims transform to translate inbound claims into those needed by the application
  New step for the user: home realm discovery

Benefits
  Easy to set up: only need the URL of the partner STS
  No code changes in the app: the claims transform impedance-matches the partner to your application
  Single sign-on for partner users
  Federate with any standards-compliant STS: WS-Federation and SAML 2.0 protocols

Checkpoint: Federation

Contoso Hybrid

The Players

Auto Parts Web Application

Fabrikam Motors

Frank Miller

Windows CardSpace “Geneva”

Caleb Baker, Senior SDET, Federated Identity

Demo

Federation

[Diagram: federated sign-on as shown in the Windows CardSpace demo]
Parties: Frank Miller; two “Geneva” Servers, one in each organization; Application Server running Auto Parts on the “Geneva” Framework. There is a trust relationship between the two servers and between the application and its STS.
  1. Attempt access
  2. Redirect to STS
  3. Click logon button
  4. Read policy
  5. Read policy
  6. Get claims
  7. Get claims
  8. Send claims

Steps
  Enable Information Card support on the STS
  User downloads Information Card(s)
  Select a card to log in

Benefits
  Cards make it easy to use a federated application
  No code changes in the application: setting up Information Card support is easy
  Works with web and smart client applications
  Avoids phishing-prone redirect-based protocols that prompt for passwords

Checkpoint: Windows CardSpace

Front end application wants to call a back end service "acting as" the logged-in user

Today's approaches
  Gather the user's credentials at the front end: gives the front end app too much power
  Give the front end full privileges to the back end ("trusted subsystem"): takes control out of the hands of the back end app
  Kerberos constrained delegation: only works with Kerberos

Challenge: Identity Delegation

Contoso Hybrid

The Players

Fabrikam Motors

Frank Miller

High Value Inventory Web Service

Auto Parts Web Application

Identity Delegation

[Diagram: identity delegation from the web front end to the web service back end]
Parties: Frank Miller; “Geneva” Server; Web Front End running Auto Parts on the “Geneva” Framework; Web Service Back End running High Value Inventory on the “Geneva” Framework. Both the front end and the back end trust the “Geneva” Server.
  1. Enable delegation
  4. Post claims
  5. Get claims
  6. Send claims

Identity Delegation

Caleb Baker, Senior SDET, Federated Identity

Demo

Steps
  Configure delegation policy on the STS
  Write WCF code to call the back end service using the ActAs client credential

Benefits
  Familiar WCF programming model
  Fine-grained control over delegation policy
  Back end gets the claims it needs
  Back end can audit user access accurately
  App can turn claims back into a mapped NT user for access to Kerberos-protected resources

Checkpoint: Identity Delegation
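An added example, not from the deck: the WCF code this checkpoint refers to, written against the Microsoft.IdentityModel APIs as they shipped in the released Geneva Framework. The Auto Parts front end forwards the caller's own token as the ActAs element of its token request to the STS, and the High Value Inventory service checks which application delegated before it acts. The service contract, the app.config endpoint name, the front end's name claim value, the constructed stock table and the audit sink are assumptions for illustration.

```csharp
// Added example (not from the deck): calling the back end "acting as" the logged-in user.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Linq;
using System.ServiceModel;
using System.Threading;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;   // ChannelFactoryOperations extension methods

[ServiceContract(Namespace = "http://schemas.contoso.com/inventory")]   // assumed contract
public interface IInventoryService
{
    [OperationContract]
    int Reserve(string partNumber, int quantity);
}

// ---- Front end (Auto Parts web application) ----
public static class InventoryClient
{
    public static int ReserveForCurrentUser(string partNumber, int quantity)
    {
        IClaimsIdentity caller = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new InvalidOperationException("No authenticated claims identity on this thread");

        // The token the user presented to the front end. The framework only keeps it
        // when saveBootstrapTokens="true" is set in the microsoft.identityModel config.
        SecurityToken userToken = caller.BootstrapToken;
        if (userToken == null)
            throw new InvalidOperationException("Bootstrap token not saved; cannot delegate");

        // "InventoryEndpoint" is an assumed app.config endpoint using a federated binding
        // that directs the token request at the "Geneva" Server.
        ChannelFactory<IInventoryService> factory = new ChannelFactory<IInventoryService>("InventoryEndpoint");
        factory.ConfigureChannelFactory();                     // plug in the claims-aware token handling
        IInventoryService channel = factory.CreateChannelActingAs(userToken);
        try
        {
            // On the first call the factory requests a token from the STS with userToken in the
            // ActAs element. The STS applies its delegation policy and either issues a token whose
            // subject is the user and whose actor is the front end, or refuses.
            return channel.Reserve(partNumber, quantity);
        }
        finally
        {
            IClientChannel client = (IClientChannel)channel;
            if (client.State == CommunicationState.Faulted) client.Abort(); else client.Close();
        }
    }
}

// ---- Back end (High Value Inventory web service) ----
// Assumes the service is configured through microsoft.identityModel so that
// Thread.CurrentPrincipal is the IClaimsPrincipal built from the incoming token.
public class InventoryService : IInventoryService
{
    const string TrustedFrontEnd = "AutoPartsWebApp";   // assumed name claim the STS issues for the front end

    // Constructed sample stock; a real service would hit its inventory store.
    static readonly Dictionary<string, int> Stock = new Dictionary<string, int> { { "HV-1001", 5 } };

    public int Reserve(string partNumber, int quantity)
    {
        IClaimsIdentity user = (IClaimsIdentity)Thread.CurrentPrincipal.Identity;

        // The delegating application appears as the Actor of the user's identity.
        // No actor means the user called directly; an unexpected actor means some
        // other application is trying to act for them. Both are refused here.
        IClaimsIdentity actor = user.Actor;
        string actorName = actor == null ? null
            : actor.Claims.Where(c => c.ClaimType == ClaimTypes.Name).Select(c => c.Value).FirstOrDefault();
        if (actorName != TrustedFrontEnd)
            throw new FaultException("Delegated access is only permitted via the Auto Parts application");
        if (quantity <= 0)
            throw new FaultException("Quantity must be positive");

        // The audit record names both who asked and which application carried the request.
        Audit(String.Format("{0} (via {1}) reserved {2} x {3}", user.Name, actorName, quantity, partNumber));

        int onHand;
        if (!Stock.TryGetValue(partNumber, out onHand) || onHand < quantity)
            throw new FaultException("Insufficient stock");
        Stock[partNumber] = onHand - quantity;
        return Stock[partNumber];
    }

    static void Audit(string message)
    {
        // Assumed: write to the service's audit log.
        System.Diagnostics.Trace.TraceInformation(message);
    }
}
```

The point of the Actor check is the one the challenge slide makes: with ActAs the back end, not the front end, decides whether a given application may act for a given user, and it can still tell the two apart in its audit trail.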

Apps that need strong authentication get bound to a particular mechanism

Some apps need to vary authentication strength based on endpoint or resource

Just to make things fun, authentication strength is about more than just the mechanism
  It is also about the credential provisioning process
  Knowing the key is asymmetric isn't enough to declare something "strong"

Challenge: Strong Authentication

Contoso Hybrid

The Players

Terry Earls

Fabrikam Motors

Frank Miller

High Value Inventory Web Service

Auto Parts Web Application

Authentication Assurance

Caleb Baker, Senior SDET, Federated Identity

Demo

Steps
  Write application code to inspect the authentication strength claim
  Redirect the user to the STS if the strength is inadequate

Benefits
  Code to check authentication strength is simple
  App does not become bound to a mechanism
  Mechanism is determined by the IT pro at the STS

Future: make this entirely config-driven

Checkpoint: Strong Authentication
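An added example, not from the deck: the check this checkpoint describes, written against the Microsoft.IdentityModel namespaces of the released Geneva Framework. The page reads the authentication method claim the STS put in the token; if it is not one the page accepts, or is too old, the page signs the user out locally and sends them back to the STS with a WS-Federation sign-in request whose wauth parameter names the required method. The page name, the accepted method URIs and the five-minute freshness window are assumptions; which methods count as strong remains a decision for the STS administrator, as the slide says.

```csharp
// Added example (not from the deck): gate a high-value page on the authentication
// strength claim, and step up via the STS rather than by hard-coding a mechanism.
using System;
using System.Linq;
using System.Threading;
using System.Xml;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSFederation;
using Microsoft.IdentityModel.Web;

public partial class HighValueInventory : System.Web.UI.Page
{
    // Authentication method URIs this page accepts as strong (assumed; they must
    // match what the "Geneva" Server emits in the authentication method claim).
    static readonly string[] StrongMethods =
    {
        "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/smartcard",
        "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/x509",
    };

    // How old a strong authentication may be before a fresh one is required (assumed policy).
    static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(5);

    protected void Page_Load(object sender, EventArgs e)
    {
        IClaimsIdentity identity = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            Response.StatusCode = 401;
            Response.End();
            return;
        }

        if (!IsStrongAndFresh(identity, DateTime.UtcNow))
        {
            // Drop the session cookie so the weaker token cannot simply be replayed,
            // then ask the STS to authenticate again with the method we need (wauth).
            FederatedAuthentication.SessionAuthenticationModule.SignOut();
            WSFederationAuthenticationModule fam = FederatedAuthentication.WSFederationAuthenticationModule;
            SignInRequestMessage request = fam.CreateSignInRequest(
                Guid.NewGuid().ToString(), Request.Url.AbsoluteUri, false);
            request.AuthenticationType = StrongMethods[0];
            Response.Redirect(request.WriteQueryString(), true);
            return;
        }

        // Strong enough and recent enough: render the high value inventory here.
    }

    // True when the STS asserted an accepted method and did so recently. The app
    // trusts what the STS says about how it authenticated; it never handles the
    // credential itself, so the mechanism can change at the STS without a code change.
    public static bool IsStrongAndFresh(IClaimsIdentity identity, DateTime now)
    {
        string method = FirstValue(identity, ClaimTypes.AuthenticationMethod);
        if (method == null || !StrongMethods.Contains(method))
            return false;

        string instant = FirstValue(identity, ClaimTypes.AuthenticationInstant);
        if (instant == null)
            return false;                       // no timestamp, no way to judge freshness
        DateTime at;
        try { at = XmlConvert.ToDateTime(instant, XmlDateTimeSerializationMode.Utc); }
        catch (FormatException) { return false; }
        // Reject stale instants and instants further in the future than a minute of clock skew.
        return now - at <= MaxAge && at <= now.AddMinutes(1);
    }

    static string FirstValue(IClaimsIdentity identity, string claimType)
    {
        Claim claim = identity.Claims.FirstOrDefault(c => c.ClaimType == claimType);
        return claim == null ? null : claim.Value;
    }
}
```

Checking the instant as well as the method matters because a session cookie issued after a smart card logon an hour ago still carries the strong method claim; the slide's point that strength is about more than the mechanism applies to time as much as to provisioning.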

Starting with an ASP.NET web application
  1. Wire it up to a Security Token Service
  2. Get user data without a lookup
  3. Enable access by federated users
  4. Access a back end service using the logged-in user's identity
  5. Require the user to use strong authentication for access to specific resources

What You Just Saw

"Geneva" Schedule

Beta 1: October 2008
Beta 2: 1st half 2009
RTM: 2nd half 2009

“Geneva” components are Windows components

Supported platforms
  Beta: Windows Server 2008, Windows Vista
  RTM: to be determined

See us in the Lounge, Pavilion, and Hands On Lab
Learn about the Technology Adoption Partner program

Details

“Geneva” framework
  Essential claims programming model
  Framework for building a custom STS
  Claims-to-NT Token service

“Geneva” server
  Metadata-driven trust setup
  Support for WS-Trust, WS-Federation
  Support for Information Cards
  SAML 2.0 protocol (IdPLite only)

Windows CardSpace “Geneva”
  Small download, streamlined user experience
  Managed cards only

What's In the Beta

Software
  (BB42) Identity: "Geneva" Server and Framework Overview
  (BB43) Identity: "Geneva" Deep Dive
  (BB44) Identity: Windows CardSpace "Geneva" Under the Hood

Services
  (BB22) Identity: Live Identity Services Drilldown
  (BB29) Identity: Connecting Active Directory to Microsoft Services
  (BB28) .NET Services: Access Control Service Drilldown
  (BB55) .NET Services: Access Control In the Cloud

Identity @ PDC

Claims-based identity model
  Simple programming model for identity
  Externalize identity to an STS, managed by the IT pro
  Works for cloud and on-premises
  Builds on existing infrastructure
  Based on standard protocols

“Geneva” client, server, framework
  Claims-based programming model for .NET
  Builds on Active Directory
  In beta now

Summary

Evals & Recordings

This session will be available as a recording at www.microsoftpdc.com


Q&A

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.