Identity Management as a Service - Capabilities (Identity as a Service.pdf)

Posted 17-Mar-2018, uploaded by trankiet

Page 1: Identity Management as a Service - Capabilities Attribute ... Identity as a Service.pdf · Identity Management as a Service - Capabilities Customer & Partner Identity Management Proofing
Page 2

Identity Management as a Service - Capabilities (diagram labels):

• Customer & Partner Identity Management
• Proofing
• Registration
• Information Protection
• Attribute Verification
• Attribute Management
• Directory

Pages 3-7: (slide images, no extractable text)

Page 8

Protocol / Purpose / Details

REST/HTTP
  Purpose: Directory access
  Details: Create, Read, Update, Delete directory objects and relationships; compatible with OData V3; authenticate with OAuth 2.0

OAuth 2.0
  Purpose: Service-to-service authentication; delegated access
  Details: JWT token format

OpenID Connect
  Purpose: Web application authentication; rich client authentication
  Details: Under investigation; JWT token format

SAML 2.0
  Purpose: Web application authentication
  Details: SAML 2.0 token format

WS-Federation 1.3
  Purpose: Web application authentication
  Details: SAML 1.1 token format; SAML 2.0 token format; JWT token format

Pages 9-10: (slide images, no extractable text)

Page 11

• http://blogs.msdn.com/b/windowsazure/archive/2012/07/12/announcing-the-developer-preview-of-windows-azure-active-directory.aspx

Page 12

• http://blogs.msdn.com/b/windowsazure/archive/2012/05/23/reimagining-active-directory-for-the-social-enterprise-part-1.aspx

• http://www.identityblog.com/?p=1205

Page 13: (capabilities diagram repeated from page 2)

Page 14

Diagram labels: Relying Party, Identity Provider, Public/Private Institutions, Public/Private Services, Browser, User, Verified Claims.

• Relying Parties need verified claims delivered by the private and public sector
  – Reduce costs/fraud, increase trust in services, enable new businesses
  – Different levels of assurance

• Integration of high-assurance verified claims is perceived as costly and hard
  – Specialized work
  – No standardization

• Protect the privacy of the user in his Internet transactions
  – Identity Provider does not learn where the claims are used
  – Reveal a minimal set of claims

Page 15: (contact slide; e-mail address not extracted)

Pages 16-17: (slide images, no extractable text)

Page 18

Diagram labels: User, Browser, Relying Party, Federation Server (one on each side), Authentication, Identity Provider, STS; arrows labelled Browse, Redirect and Trust.

There is an explicit trust between the Identity Provider and other federation servers. The relying party trusts its STS.

Insiders of the federation server can impersonate anybody in the relying parties.

If one of the federation servers goes down, the outage replicates to all relying parties within the trust ecosystem.

Federation Servers learn user claims and the user's relationship with the relying party.

Current federation protocols:

• Solve a host of important problems

• Need to be completed with mechanisms that offer better privacy and multi-lateral security.

We are creating Customer & Partner Identity Management to give federation protocols these broader capabilities.
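As an added illustration, not part of the slide deck and not Microsoft's code, the Python below sketches the trust relationship the slide describes: an STS mints a signed token for one relying party, and the relying party accepts it only because it trusts the STS key. The issuer URL, relying-party URLs, key bytes and claim names are constructed for the example, and the symmetric HS256 key is a simplification so the code runs with the standard library only (deployed federation servers normally sign with an asymmetric key).

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (assumptions for this example): a signing key
# shared by the STS and the relying party, the STS identifier, and two
# relying-party identifiers. None of these come from the slide deck.
STS_ISSUER = "https://sts.example.test"
STS_KEY = b"constructed-demo-key-not-a-real-secret"
RP_GREEN = "https://green-rp.example.test"
RP_DMV = "https://dmv.example.test"
FIXED_NOW = 1_700_000_000  # fixed clock so the results are deterministic


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sts_issue(key: bytes, audience: str, subject: str, claims: dict,
              lifetime: int = 300, now: int = FIXED_NOW) -> str:
    """STS side: mint a JWT addressed to one relying party (the 'aud' claim).

    Because the STS writes 'aud', it necessarily learns which relying party
    the user is about to visit; that is the observation on the slide above.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": STS_ISSUER, "aud": audience, "sub": subject,
               "iat": now, "exp": now + lifetime, **claims}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def rp_verify(token: str, trusted_issuers: dict, my_audience: str,
              now: int = FIXED_NOW) -> str:
    """Relying-party side: return 'ok' or the reason the token is rejected.

    The RP can only check that a trusted STS signed the token, that it was
    issued for this RP, and that it is still valid. Any subject the STS
    vouches for is accepted, so the RP's security rests entirely on the STS
    and on whoever controls its signing key.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return "malformed token"
    # Pin the algorithm: the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        return "unexpected alg"
    key = trusted_issuers.get(payload.get("iss"))
    if key is None:
        return "untrusted issuer"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return "bad signature"
    # Audience restriction keeps a token minted for one RP from being
    # accepted by another RP in the same trust ecosystem.
    if payload.get("aud") != my_audience:
        return "audience mismatch"
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return "expired"
    return "ok"


def federation_round_trip() -> dict:
    """Walk the flow on the slide: STS issues, RP verifies, including failure cases."""
    trust = {STS_ISSUER: STS_KEY}  # the RP's explicit trust in its STS
    good = sts_issue(STS_KEY, RP_GREEN, "alice", {"age_over_18": True})
    for_other_rp = sts_issue(STS_KEY, RP_DMV, "alice", {})
    expired = sts_issue(STS_KEY, RP_GREEN, "alice", {}, lifetime=60, now=FIXED_NOW - 120)
    # Change the subject but keep the original signature: the RP must reject it.
    h, p, s = good.split(".")
    altered_payload = json.loads(b64url_decode(p))
    altered_payload["sub"] = "bob"
    altered = h + "." + b64url_encode(json.dumps(altered_payload).encode()) + "." + s
    return {
        "valid": rp_verify(good, trust, RP_GREEN),
        "wrong_audience": rp_verify(for_other_rp, trust, RP_GREEN),
        "expired": rp_verify(expired, trust, RP_GREEN),
        "tampered": rp_verify(altered, trust, RP_GREEN),
        "unknown_issuer": rp_verify(good, {}, RP_GREEN),
    }


if __name__ == "__main__":
    for case, outcome in federation_round_trip().items():
        print(f"{case:15s} -> {outcome}")
```

The checks in `rp_verify` make the two weaknesses on the slide concrete: the RP cannot distinguish a token the STS issued on the user's behalf from any other token carrying a valid STS signature, and the `aud` claim means the STS records which relying party each user visits. Audience and expiry checks limit the blast radius of a token but do not change either property.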

Pages 19-21: (slide images, no extractable text)

Page 22

Cloud Identity & Privacy Services (CIPS)

Diagram components:

• User, with a Browser acting as User Agent, holding U-Prove Tokens
• Relying Parties (RPn), each with a Simple Claims Agent
• CPIM (Customer & Partner Identity Management)
• Identity Providers: Facebook (or another social provider, "XXX"), and ADFS (company X)

Trust relationships shown:

• RPn trusts CPIM
• CPIM trusts Facebook
• CPIM trusts ADFS

Pages 23-28: (slide images, no extractable text)

Page 29

http://www.trustindigitallife.eu/documents-faq/tdl-publications.html

(Numbered list of six items; item text was not extracted.)

Page 30

• http://greenrp1.cloudapp.net

• http://state1dmvweb.cloudapp.net

• http://sharepoint/sites/cips

• http://www.microsoft.com/uprove

• http://www.identityblog.com/claims/rp.php

• http://www.youtube.com/watch?v=i81ZMrRX6gI

Page 31

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.