Active or Passive Federation in the Enterprise
Steve Plank – Microsoft

Transcript of "Active or Passive Federation in the Enterprise", Steve Plank – Microsoft (20 pages).

Page 1:

Active or Passive Federation in the Enterprise
Steve Plank – Microsoft

Page 2:

Agenda

• Overview of Enterprise Active and Passive Federation

• Individual Group Discussions (led)

• Large Group “Debate”

Page 3:

Domain-based Identity Model

• In the beginning, identity providers created principals: users and services

[Diagram: an Identity Provider with a User and a Service as its principals, joined by Trust]

Page 4:

The Importance of being… Open and Interoperable

• You can federate using proprietary software

• However, open standards give scale and reach

• Open, standard protocols e.g. HTTP, WS-*

• Open, standard token formats e.g. SAML, XrML

• Let each system use the optimal identity system then connect through open standards

Page 5:

Microsoft Confidential

Federation Flow

[Diagram: Contoso is the account side, with Contoso\Lisa and her account-side "FederationServer" A; Fabrikam is the resource side, with The App and its resource-side "FederationServer" R. A Trust relationship links FederationServer R to FederationServer A.]

1. Lisa → The App: "Do work for me!"

2. The App → Lisa: "Get an R token from resource server first!"

3. Lisa → FederationServer R: "Gimme an R token!"

4. FederationServer R → Lisa: "Identify yourself!"

5. Lisa → FederationServer A: "Gimme a token!"

6. FederationServer A → Lisa: "Identify yourself!"

7. FederationServer A → Lisa: A token

8. Lisa → FederationServer R: A token

9. FederationServer R → Lisa: R token

10. Lisa → The App: R token

11. The App → Lisa: "Here's the work you wanted!"
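The exchange on this slide, simulated end to end as an added example (this is not code from the deck or from any Microsoft product; page 14 repeats the same chain with SAML tokens and an identity selector). Tokens are HMAC-signed JSON stand-ins for the SAML tokens the real servers exchange, and every realm name, key, account and claim value is made up. The point it makes concrete is the Trust arrow: FederationServer R accepts tokens signed by FederationServer A and nobody else, The App accepts tokens signed by R and nobody else, and each recipient also checks the audience and the expiry. Handing a perfectly valid A token straight to The App is refused.

```python
"""Simulated page-5 federation flow: two federation servers joined by one trust
arrow.  Tokens are HMAC-signed JSON stand-ins for SAML tokens; every name, key
and claim value below is made up for this example."""
import base64, hashlib, hmac, json, time


class TokenError(Exception):
    pass


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify(token, trusted_keys, audience, now=None):
    """What every recipient checks: the issuer is one it trusts, the signature
    verifies under that issuer's key, the token is addressed to it, not expired."""
    payload, _, sig = token.partition(".")
    body = json.loads(_unb64(payload))
    key = trusted_keys.get(body.get("iss"))        # the Trust arrow: known issuers only
    if key is None:
        raise TokenError("untrusted issuer %r" % body.get("iss"))
    if not hmac.compare_digest(hmac.new(key, payload.encode(), hashlib.sha256).digest(), _unb64(sig)):
        raise TokenError("bad signature")
    if body.get("aud") != audience:
        raise TokenError("token is for %r, not %r" % (body.get("aud"), audience))
    if body.get("exp", 0) <= (time.time() if now is None else now):
        raise TokenError("token expired")
    return body


class FederationServer:
    """Minimal STS.  `accounts`: local users it authenticates (account side).
    `trusts`: partner issuer name -> verification key (resource side).
    `transform`: rewrites partner claims into this realm's vocabulary."""

    def __init__(self, name, signing_key, accounts=None, trusts=None, transform=None):
        self.name, self.signing_key = name, signing_key
        self.accounts, self.trusts = accounts or {}, trusts or {}
        self.transform = transform or (lambda claims: claims)

    def _issue(self, subject, audience, claims, lifetime=300):
        body = {"iss": self.name, "sub": subject, "aud": audience,
                "exp": int(time.time()) + lifetime, "claims": claims}
        payload = _b64(json.dumps(body, sort_keys=True).encode())
        return payload + "." + _b64(hmac.new(self.signing_key, payload.encode(), hashlib.sha256).digest())

    def issue_for_credentials(self, user, password, audience):
        """'Gimme a token!' / 'Identify yourself!' on the account side."""
        account = self.accounts.get(user)
        if account is None or not hmac.compare_digest(account["password"], password):
            raise TokenError("authentication failed for %s" % user)
        return self._issue(user, audience, {"groups": account["groups"]})

    def issue_for_token(self, incoming, audience):
        """'Gimme an R token!' on the resource side: the caller presents a partner's token."""
        body = verify(incoming, self.trusts, audience=self.name)
        return self._issue(body["sub"], audience, self.transform(body["claims"]))


class App:
    """The relying party: trusts R only, so an A token handed over directly is refused."""

    def __init__(self, name, resource_server):
        self.name = name
        self.trusts = {resource_server.name: resource_server.signing_key}

    def do_work(self, token):
        body = verify(token, self.trusts, audience=self.name)
        if "approver" not in body["claims"].get("roles", []):
            raise TokenError("%s lacks the approver role" % body["sub"])
        return "Here's the work you wanted, %s!" % body["sub"]


# Constructed realms: Contoso is the account side (A), Fabrikam the resource side (R).
FS_A = FederationServer("Contoso-A", b"contoso-secret", accounts={
    "Contoso\\Lisa": {"password": "hunter2", "groups": ["Contoso\\Purchasing"]}})
FS_R = FederationServer("Fabrikam-R", b"fabrikam-secret",
    trusts={FS_A.name: FS_A.signing_key},        # R trusts A and nobody else
    transform=lambda c: {"roles": ["approver"] if "Contoso\\Purchasing" in c["groups"] else []})
THE_APP = App("Fabrikam-App", FS_R)


def federation_flow(user="Contoso\\Lisa", password="hunter2"):
    """Steps 5-7 get the A token, 8-9 exchange it for the R token, 10-11 do the work."""
    a_token = FS_A.issue_for_credentials(user, password, audience=FS_R.name)
    r_token = FS_R.issue_for_token(a_token, audience=THE_APP.name)
    return THE_APP.do_work(r_token)


def app_accepts_a_token_directly():
    """Trust is local: skipping FederationServer R must fail, even with a valid A token."""
    a_token = FS_A.issue_for_credentials("Contoso\\Lisa", "hunter2", audience=THE_APP.name)
    try:
        THE_APP.do_work(a_token)
        return True
    except TokenError:
        return False
```

`federation_flow()` returns The App's "Here's the work you wanted" answer for Contoso\Lisa; `app_accepts_a_token_directly()` returns False because the App's trust list contains only Fabrikam-R. The claims transformation at R (Contoso group to Fabrikam role) is where the resource side decides what a partner's claims mean locally, which is the "trust is local" point made later in the deck.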

Page 6:

Active Directory Federation Services

Federates the Windows domain model

Active Directory or Active Directory Lightweight Directory Services

Open and interoperable

WS-Federation Passive Requestor Profile protocol

SAML 1.1 security tokens

With IBM Tivoli Federated Identity Manager, PingId, BMC, CA eTrust SiteMinder, Shibboleth

Page 7:

ADFS Limitations

Browser only; no web services

Home realm discovery

Domain-centric viewpoint

All trust decisions made centrally, one-by-one

Doesn’t scale; users not involved

Why not make it easy enough that users can do it themselves?

E.g. two business groups working together

Page 8:

Identity Metasystem Protocols

[Diagram: Client (with the User), Identity Provider and Relying Party]

1. Client wants to access an RP resource

2. RP provides identity requirements

3. Which IPs can satisfy requirements?

4. User selects an IP

5. Request security token

6. Return security token based on RP's requirements

7. User approves release of token

8. Token released to RP

Page 9:

Shift of Emphasis

The user is in control

Home realm discovery is selecting an IP

Identity Selector: allows the user to select an identity provider

Coordinates protocol flow and user experience

Page 10:

Implementation

X.509, Web and Web Service Protocols

Encapsulation of tokens: SOAP messages, WS-Security, X.509 v3 certificates

Retrieval of requirements and capabilities: WS-SecurityPolicy + WS-MetadataExchange

Token issuance and claims transformation: Security Token Services, WS-Trust

Browser-based applications: messages encoded in HTTP

www.microsoft.com/interop/osp

Page 11:

Windows CardSpace Identity Selector Software

Easily and safely manage your digital identities

Authenticate with web sites and web services

Safer: built on WS-* Web Service Protocols; no usernames and passwords; avoid phishes; multi-factor authentication

Easier: consistent login and registration

Page 12:

Information Cards

Signed XML metadata describing an identity provider, for use by identity selectors

Includes:

An image to render as a "card" in a UI

STS endpoint reference(s)

STS authentication method(s)

STS token type(s)

STS claim(s)
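An added example, not code from the deck or from CardSpace, tying this slide to the page-8 protocol flow: a small identity selector reads the card metadata listed above (STS endpoint, authentication method, token types, claims), works out which cards can satisfy a relying party's requirements (step 3), lets the user pick one (step 4), asks that card's identity provider for a token carrying only the claims the RP asked for (steps 5-6), and releases it only on the user's approval (steps 7-8). The cards are written in a simplified, made-up XML shape rather than the real signed Information Card format (the image is omitted); the claim URIs use the CardSpace claim namespace, but the endpoints, issuer names, policies and claim values are invented.

```python
"""An identity selector matching Information Cards to a relying party's policy
(page 8 steps 2-8; page 12 card contents).  The cards below are constructed in
a simplified, made-up XML shape (real cards are signed XML and also carry an
image); the endpoints, issuer names, policies and claim values are invented."""
import xml.etree.ElementTree as ET

CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"   # CardSpace claim namespace
SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"                   # token-type URI for SAML 1.1

CARDS_XML = f"""<Cards>
  <Card id="contoso-work">
    <Issuer>Contoso AD/STS</Issuer>
    <Endpoint>https://sts.contoso.example/trust</Endpoint>
    <AuthMethod>kerberos</AuthMethod>
    <TokenType>{SAML11}</TokenType>
    <Claim>{CLAIMS}name</Claim>
    <Claim>{CLAIMS}emailaddress</Claim>
    <Claim>{CLAIMS}privatepersonalidentifier</Claim>
  </Card>
  <Card id="personal">
    <Issuer>self</Issuer>
    <Endpoint>local</Endpoint>
    <AuthMethod>none</AuthMethod>
    <TokenType>{SAML11}</TokenType>
    <Claim>{CLAIMS}givenname</Claim>
    <Claim>{CLAIMS}emailaddress</Claim>
  </Card>
</Cards>"""

# Constructed: the claim values each identity provider holds for the user.
IP_CLAIM_STORE = {
    "Contoso AD/STS": {CLAIMS + "name": "Contoso\\Lisa",
                       CLAIMS + "emailaddress": "lisa@contoso.example",
                       CLAIMS + "privatepersonalidentifier": "ppid-9f3a"},
    "self": {CLAIMS + "givenname": "Lisa", CLAIMS + "emailaddress": "lisa@home.example"},
}

# Two constructed relying-party policies (what step 2 hands to the selector).
FABRIKAM_POLICY = {"token_types": [SAML11],
                   "required_claims": [CLAIMS + "name", CLAIMS + "privatepersonalidentifier"],
                   "optional_claims": [CLAIMS + "emailaddress"]}
BLOG_POLICY = {"token_types": [SAML11], "required_claims": [CLAIMS + "emailaddress"]}


def parse_cards(xml_text):
    """Read the card metadata the selector keeps for the user."""
    cards = []
    for el in ET.fromstring(xml_text).findall("Card"):
        cards.append({"id": el.get("id"), "issuer": el.findtext("Issuer"),
                      "endpoint": el.findtext("Endpoint"), "auth": el.findtext("AuthMethod"),
                      "token_types": {t.text for t in el.findall("TokenType")},
                      "claims": {c.text for c in el.findall("Claim")}})
    return cards


def matching_cards(cards, policy):
    """Step 3: which identity providers can satisfy the RP's requirements?  A card
    qualifies if it matches any issuer the RP insists on, can issue a token type
    the RP accepts, and covers every required claim."""
    matches = []
    for card in cards:
        if policy.get("issuer") and card["issuer"] != policy["issuer"]:
            continue
        if not card["token_types"] & set(policy["token_types"]):
            continue
        if not set(policy["required_claims"]) <= card["claims"]:
            continue
        matches.append(card)
    return matches


def request_token(card, policy):
    """Steps 5-6: the token carries only what the RP asked for (required claims
    plus any optional ones this IP has), never the card's whole claim list."""
    wanted = list(policy["required_claims"])
    wanted += [c for c in policy.get("optional_claims", []) if c in card["claims"]]
    store = IP_CLAIM_STORE[card["issuer"]]
    token_type = next(iter(card["token_types"] & set(policy["token_types"])))
    return {"issuer": card["issuer"], "token_type": token_type,
            "claims": {c: store[c] for c in wanted}}


def selector_flow(policy, choose, approve, cards_xml=CARDS_XML):
    """Steps 2-8 with the user represented by two callbacks: `choose(cards)` picks
    a card (step 4) and `approve(token)` consents to release (step 7).  Returns the
    token released to the RP (step 8), or None if nothing matched or consent was refused."""
    candidates = matching_cards(parse_cards(cards_xml), policy)
    if not candidates:
        return None
    token = request_token(choose(candidates), policy)
    return token if approve(token) else None
```

With `FABRIKAM_POLICY` (name and PPID required) only the work card qualifies, so home realm discovery reduces to showing that one card; with `BLOG_POLICY` both cards qualify and the user chooses, and the token built from the personal card contains only the e-mail address, not the given name the card could also supply. Declining at step 7 releases nothing.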

Page 13:

CardSpace and the Enterprise

User-centric Federation

Information Cards: standardized and ubiquitous

Flexible, agile user-driven relationships

Anti-phishing and information minimization

Security Token Services: identity service which connects systems

Page 14:

Flow with an Identity Selector

[Diagram: Contoso is the account side, with Contoso\Lisa and the Contoso AD/STS; Fabrikam is the resource side, with The App and a Linux STS. A Trust relationship links the Linux STS to the Contoso AD/STS; both tokens are SAML.]

1. Lisa → The App: "Do work for me!"

2. The App → Lisa: "Policy: Get R token from my STS!"

3. Lisa → Linux STS: "Gimme an R token!"

4. Linux STS → Lisa: "Identify yourself!"

5. Lisa → AD/STS: "Gimme a token!"

6. AD/STS → Lisa: "Identify yourself!"

7. AD/STS → Lisa: SAML token

8. Lisa → Linux STS: SAML token

9. Linux STS → Lisa: R token

10. Lisa → The App: R token

11. The App → Lisa: "Here's the work you wanted!"

Page 15:

Key: Trust is Local

Relying Party decides who accesses a resource

This is a business decision, not an IT decision. But it has been too hard to do

Relationships are often personal

We want Enterprise policy and relative autonomy of business units

Chief role of Information Cards in the Enterprise: devolve access control to the true resource owners

Page 16:

When to use Cards?

Integrated authentication

Nothing gets in the way; no username and password; just use the app

Perfect inside the firewall

Information Cards

Just select a card; no username and password

User in control, manages privacy and consent

Cards represent contexts and roles

Your work information card is the digital equivalent of your employee badge

Explicit security boundaries; multi-factor authentication

Page 17:

Future: Dual architectures?

Suppose Information Cards become progressively more ubiquitous

E.g. if large internet sites enable billions of users

There will be increasing pressure to adopt Information Cards for external relationships

Is it desirable to have one architecture inside the Enterprise and one outside – in the age of “de-perimeterization”?

Page 18:

ADFS "2"

ADFS "2" makes federation easy

Create and manage federation partnerships

Security Token Service with WS-Trust and WS-Fed

Policy-driven authentication and token issuance

Helper classes to build claims-aware applications

Information Card provisioning

Page 19:

Conclusion

Information Card architecture provides benefits to the federated enterprise

However “User” is in control

Simplification and visualization allow IT to devolve control to resource owners

Setting access control policy for relying parties becomes simple

Ultimately, we reap the benefits of a single user experience at home and in the enterprise

Page 20:

Review

• Overview of Enterprise Identity Challenges/Solutions

• Individual Group Discussions (led)

• Large Group “Debate”