Active or Passive Federation in the Enterprise
Steve Plank – Microsoft
Agenda
• Overview of Enterprise Active and Passive Federation
• Individual Group Discussions (led)
• Large Group “Debate”
Domain-based Identity Model
• In the beginning, identity providers created principals: users and services
(Diagram labels: User, Service, Identity Provider, Trust)
The Importance of being… Open and Interoperable
• You can federate using proprietary software
• However, open standards give scale and reach
• Open, standard protocols e.g. HTTP, WS-*
• Open, standard token formats e.g. SAML, XrML
• Let each system use the optimal identity system then connect through open standards
Microsoft Confidential
Federation Flow
(Diagram: Contoso – Account side with “FederationServer” A and the user Contoso\Lisa; Fabrikam – Resource side with “FederationServer” R and The App; a Trust relationship is drawn between the two sides. Messages shown, in order: “Do work for me!”, “Get an R token from resource server first!”, “Gimme an R token!”, “Identify yourself!”, “Gimme a token!”, “Identify yourself!”, A token, A token, R token, R token, “Here’s the work you wanted!”)
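As an added example (not code from the slides or from ADFS), the exchange in the Federation Flow slide simulated in Python: Lisa gets an A token from her home-realm federation server, exchanges it at the resource-side federation server for an R token, and only that R token is accepted by The App. It assumes the usual account-partner/resource-partner arrangement (FS R trusts FS A; The App trusts only FS R) and uses HMAC-signed JSON bodies as a constructed stand-in for signed SAML tokens.

```python
import hmac, hashlib, json

# Constructed demo keys; real federation servers sign tokens with X.509 certificates.
KEY_A = b"contoso-account-partner-key"
KEY_R = b"fabrikam-resource-partner-key"

def issue(issuer, key, subject, claims):
    """Issue a token: JSON body plus HMAC signature (a stand-in for a signed SAML assertion)."""
    body = json.dumps({"iss": issuer, "sub": subject, "claims": claims}).encode()
    return {"body": body, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(token, trusted):
    """Return the token body if it was signed by an issuer this party trusts, else None."""
    body, sig = token.get("body"), token.get("sig")
    if body is None or sig is None:
        return None
    data = json.loads(body)
    key = trusted.get(data.get("iss"))
    if key is None:
        return None  # issuer is not a federation partner of this verifier
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return data if hmac.compare_digest(expected, sig) else None

# Trust is explicit and pairwise: FederationServer R trusts FederationServer A,
# and The App trusts only its own realm's FederationServer R (assumption, see lead-in).
FS_R_TRUSTS = {"FederationServer A": KEY_A}
APP_TRUSTS = {"FederationServer R": KEY_R}

def fs_a_authenticate(user):
    """'Identify yourself!' on the account side: Contoso users get an A token."""
    if not user.startswith("Contoso\\"):
        return None
    return issue("FederationServer A", KEY_A, user, {"group": "Contoso Sales"})

def fs_r_exchange(a_token):
    """'Gimme an R token!': FS R accepts a trusted partner's A token and issues an R token."""
    claims = verify(a_token, FS_R_TRUSTS)
    if claims is None:
        return None
    return issue("FederationServer R", KEY_R, claims["sub"], {"role": "partner-user", "home": claims["iss"]})

def app_do_work(r_token):
    """'Do work for me!': The App accepts R tokens only; an A token presented directly is refused."""
    claims = verify(r_token, APP_TRUSTS)
    return None if claims is None else f"Here's the work you wanted, {claims['sub']}!"

def federation_flow(user):
    # Lisa's full round trip: A token from home realm, exchanged for an R token, shown to The App.
    a_token = fs_a_authenticate(user)
    r_token = fs_r_exchange(a_token) if a_token else None
    return app_do_work(r_token) if r_token else None
```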
Active Directory Federation Services
Federates the Windows domain model: Active Directory or Active Directory Lightweight Directory Services
Open and interoperable: WS-Federation Passive Requestor Profile protocol, SAML 1.1 security tokens
With IBM Tivoli Federated Identity Manager, PingId, BMC, CA eTrust SiteMinder, Shibboleth
ADFS Limitations
Browser only; no web services
Home realm discovery
Domain-centric viewpoint
All trust decisions made centrally, one-by-one
Doesn’t scale; users not involved
Why not make it easy enough that users can do it themselves?
E.g. two business groups working together
Identity Metasystem Protocols
(Diagram: Client, Identity Provider, Relying Party and User)
1. Client wants to access an RP resource
2. RP provides identity requirements
3. Which IPs can satisfy requirements?
4. User selects an IP
5. Request security token
6. Return security token based on RP’s requirements
7. User approves release of token
8. Token released to RP
Shift of Emphasis
The user is in control
Home realm discovery is selecting an IP
Identity Selector
Allows the user to select an identity provider
Coordinates protocol flow and user experience
Implementation: X.509, Web and Web Service Protocols
Encapsulation of tokens: SOAP messages, WS-Security, X.509 v3 certificates
Retrieval of requirements and capabilities: WS-SecurityPolicy + WS-MetadataExchange
Token issuance and claims transformation: Security Token Services, WS-Trust
Browser-based applications: Messages encoded in HTTP
www.microsoft.com/interop/osp
Windows CardSpace Identity Selector Software
Easily and safely manage your digital identities
Authenticate with web sites and web services
Safer
Built on WS-* Web Service Protocols
No usernames and passwords
Consistent login and registration
Avoids phishing
Multi-factor authentication
Easier
Information Cards
Signed XML metadata describing an identity provider, for use by identity selectors
Includes:
An image to render as a “card” in a UI
STS endpoint reference(s)
STS authentication method(s)
STS token type(s)
STS claim(s)
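As an added example (not from the slides or from CardSpace), a Python sketch that ties the Information Card metadata above to step 3 of the Identity Metasystem flow: it parses two constructed managed cards for the fields the slide lists (STS endpoints, authentication methods, token types, claims) and reports which cards can satisfy a relying party's token-type and claim requirements. Element names follow the ws/2005/05/identity vocabulary as I recall it; the wrapper element, the example endpoints, and the omission of the card image and XML signature are my assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace URIs from the Information Card / WS-* specs (as recalled; an assumption).
NS = {"ic": "http://schemas.xmlsoap.org/ws/2005/05/identity",
      "wsa": "http://www.w3.org/2005/08/addressing",
      "wst": "http://schemas.xmlsoap.org/ws/2005/02/trust"}
CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample: two managed cards (card image and XML signature omitted; wrapper element is mine).
CARDS_XML = f"""<cards xmlns:ic="{NS['ic']}" xmlns:wsa="{NS['wsa']}" xmlns:wst="{NS['wst']}">
 <ic:InformationCard><ic:CardName>Contoso employee</ic:CardName>
  <ic:TokenServiceList><ic:TokenService>
   <wsa:EndpointReference><wsa:Address>https://sts.contoso.example/trust</wsa:Address></wsa:EndpointReference>
   <ic:UserCredential><ic:KerberosV5Credential/></ic:UserCredential>
  </ic:TokenService></ic:TokenServiceList>
  <ic:SupportedTokenTypeList><wst:TokenType>{SAML11}</wst:TokenType></ic:SupportedTokenTypeList>
  <ic:SupportedClaimTypeList><ic:SupportedClaimType Uri="{CLAIM}givenname"/>
   <ic:SupportedClaimType Uri="{CLAIM}emailaddress"/></ic:SupportedClaimTypeList>
 </ic:InformationCard>
 <ic:InformationCard><ic:CardName>Hobby forum</ic:CardName>
  <ic:TokenServiceList><ic:TokenService>
   <wsa:EndpointReference><wsa:Address>https://sts.forum.example/trust</wsa:Address></wsa:EndpointReference>
   <ic:UserCredential><ic:UsernamePasswordCredential/></ic:UserCredential>
  </ic:TokenService></ic:TokenServiceList>
  <ic:SupportedTokenTypeList><wst:TokenType>{SAML11}</wst:TokenType></ic:SupportedTokenTypeList>
  <ic:SupportedClaimTypeList><ic:SupportedClaimType Uri="{CLAIM}givenname"/></ic:SupportedClaimTypeList>
 </ic:InformationCard>
</cards>"""

def parse_cards(xml_text):
    """Pull the fields the slide lists out of each card: STS endpoints, auth methods, token types, claims."""
    cards = []
    for card in ET.fromstring(xml_text).findall("ic:InformationCard", NS):
        cards.append({
            "name": card.findtext("ic:CardName", namespaces=NS),
            "sts": [a.text for a in card.findall(".//ic:TokenService/wsa:EndpointReference/wsa:Address", NS)],
            "auth": [c.tag.split("}")[1] for c in card.findall(".//ic:UserCredential/*", NS)],
            "token_types": {t.text for t in card.findall("ic:SupportedTokenTypeList/wst:TokenType", NS)},
            "claims": {c.get("Uri") for c in card.findall("ic:SupportedClaimTypeList/ic:SupportedClaimType", NS)},
        })
    return cards

def cards_satisfying(cards, token_type, required_claims):
    """Step 3 of the metasystem flow: which identity providers (cards) can meet the RP's policy?"""
    return [c["name"] for c in cards
            if token_type in c["token_types"] and set(required_claims) <= c["claims"]]
```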
CardSpace and the Enterprise
User-centric Federation
Information Cards
Standardized and ubiquitous
Flexible, agile user-driven relationships
Anti-phishing and information minimalization
Security Token Services
Identity service which connects systems
Flow with an Identity Selector
(Diagram: Contoso – account side with AD/STS and the user Contoso\Lisa; Fabrikam – resource side with a Linux STS and The App; a Trust relationship is drawn between the two sides. Messages shown, in order: “Do work for me!”, “Policy: Get R token from my STS!”, “Gimme an R token!”, “Identify yourself!”, “Gimme a token!”, “Identify yourself!”, SAML, SAML, R token, R token, “Here’s the work you wanted!”)
Key: Trust is Local
Relying Party decides who accesses a resource
This is a business decision, not an IT decision. But it has been too hard to do
Relationships are often personal
We want Enterprise policy and relative autonomy of business units
Chief role of Information Cards in the Enterprise: Devolve access control to the true resource owners
When to use Cards?
Integrated authentication
Nothing gets in the way; no username and password; just use the app
Perfect inside the firewall
Information Cards
Just select a card; no username and password
User in control, manages privacy and consent
Cards represent contexts and roles
Your work information card is the digital equivalent of your employee badge
Explicit security boundaries; multi-factor authentication
Future: Dual architectures?
Suppose Information Cards become progressively more ubiquitous
E.g. if large internet sites enable billions of users
There will be increasing pressure to adopt Information Cards for external relationships
Is it desirable to have one architecture inside the Enterprise and one outside – in the age of “de-perimeterization”?
ADFS “2”
ADFS “2” makes federation easy
Create and manage federation partnerships
Security Token Service with WS-Trust and WS-Fed
Policy-driven authentication and token issuance
Helper classes to build claims-aware applications
Information Card provisioning
Conclusion
Information Card architecture provides benefits to the federated enterprise
However “User” is in control
Simplification and visualization allow IT to devolve control to resource owners
Setting access control policy for relying parties becomes simple
Ultimately, we reap the benefits of a single user experience at home and in the enterprise
Review
• Overview of Enterprise Identity Challenges/Solutions
• Individual Group Discussions (led)
• Large Group “Debate”