ramnish singh microsoft corporation session...

Post on 24-Jun-2020


Page 1: Ramnish Singh Microsoft Corporation Session Codedownload.microsoft.com/download/F/4/3/F43A79B1-707A-4670-863… · • Multi -protocol federation, including WS * and SAML 2.0 protocols
Page 2

Ramnish Singh
IT Advisor
Microsoft Corporation
Session Code:

Page 3

Agenda

• Microsoft’s Identity and Access Strategy

• “Geneva” Claims Based Access
  – User access challenges
  – Identity Metasystem and claims solution
  – Introducing “Geneva” claims based access platform

Page 4

Identity & Access Customer Challenges

Challenge areas: Compliance, Operational Efficiency, IT Security, Business Agility

• Compliance with regulatory requirements
• Auditable processes for granting access to resources
• Reducing help desk burden for end users
• Managing the complexity of distributed identity information
• Enabling new high business value scenarios
• Supporting mergers, acquisitions & reorganizations
• Integrated user provisioning & credential management
• Ensuring that only authorized users can access resources

Page 5

Customers’ Identity & Access Requirements

Identity Infrastructure
• Identity & Credentials Infrastructure: Directory Identity/Credentials, InfoCards, Meta/Virtual Directory, Basic Policy

Identity-Based Access
• Network Access: Identity-oriented edge access, e.g. NAP
• Remote Access: Access resources remotely, e.g. SSL VPN
• App Access: SSO, Web/Ent/Host Access, Federation
• Info Access: Drive Encryption, ILP, Rights Management

Identity & Access Management
• Compliance and Audit: Monitoring, reporting, auditing of identity-based access activity
• Identity & Credential Management: User provisioning, Certificate & Smartcard Management, User self-service
• Policy Management: Identity policy, user/role-based access policy, federation policy, Delegation
• Access Management: Group Management, Federation/Trust Management, Entitlements, RBAC

Page 6

Microsoft’s Identity & Access Strategy

Three pillars: Comprehensive Solutions, User Centric, Open & Extensible

• Best TCO
• Easiest to Deploy
• Broadest Ecosystem
• Simplified Licensing
• Service oriented
• Application Platform Integration
• Open and Interoperable
• On Premises and Cloud
• Physical and Virtual
• Turnkey Offerings
• Rich Office Integration
• Privacy Enabled
• Consistent User Experience

Page 7

Introducing “Geneva”

Page 8

Identity & Access Silos Block Business Needs

User Access Challenges
• Lack of System Interoperability: Difficult for users to gain access across diverse applications and systems to collaborate seamlessly with other users
• Hard to Extend User Access: Complex to extend user access from existing applications and systems to new applications and systems, and cloud services and SOA could multiply these challenges

Business Needs
• Flexible Collaboration: Enable collaboration within the enterprise, across organizational boundaries, and on the Web while satisfying security requirements
• Business Agility: Improve ability to react to changing business needs by enabling existing systems to interoperate with new systems such as cloud services and SOA

What’s Needed to Solve the Challenges
• Single Identity Model: A single simplified user access model that works across different applications and systems to enable collaboration while helping to maintain security
• Interoperability: An open and adaptable user access model that enables identities to interoperate with applications and systems regardless of location or architecture

Page 9

Shared Industry Solution: Identity Metasystem and Claims

The industry has created a vision and architecture to address the challenges of identity interoperability.

What is the Identity Metasystem? A shared industry vision for interoperable identity
• Single identity model that works in enterprises, federation and consumer Web
• Works with existing IT infrastructures
• Interoperability based on open protocols
• Architecture based on claims

What are Claims? Claims describe identity attributes within the Identity Metasystem
• Used to drive application behavior
• Can disclose identity information selectively
• Delivered inside security tokens produced by a security token service (STS)

Learn more about the Identity Metasystem
• Overview: http://www.identityblog.com/?p=355
• A public policy perspective: http://www.ipc.on.ca/images/Resources/up-7laws_whitepaper.pdf
• OASIS standards body: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=imi
• An industry association: http://informationcard.net/
• An open source project: http://www.eclipse.org/org/press-release/20080221_higgins.php

Page 10

Introducing “Geneva”

What does “Geneva” include?

“Geneva” includes three components for enabling claims-based access:

• For Developers: “Geneva” Framework for building .NET applications that use claims to make user access decisions
• For IT: “Geneva” Server security token service (STS) for issuing and transforming claims and managing user access
• For Users: Windows CardSpace “Geneva” helps users navigate access decisions

What is “Geneva”?

• Microsoft’s open platform for simplified and security-enhanced user access based on claims
• Based on the shared industry vision for an interoperable Identity Metasystem via claims

Why should I adopt “Geneva”?

Simplifies User Access
• Simplifies application development by externalizing user access from applications via claims
• Reduces development effort with pre-built security logic and .NET tools
• Helps users navigate multiple logins, manage different personas, and control information sharing

Streamlines Access Management & Security
• Helps speed deployment of applications and enhances security via reduced custom implementation work
• Simplifies user access management with authentication externalized from applications
• Enables easier collaboration between organizations with automated federation tools

Enhances Interoperability & Adaptability
• More quickly adapt user access control methods to meet changing business needs
• Enables users, applications and systems to work better together regardless of location or architecture
• Includes built-in interoperability via open industry standards including WS-* and SAML

Page 11

Illustration of the Full System

One example of how “Geneva” components might be used together.

Participants
• User, running Windows CardSpace “Geneva”
• ‘Relying Party’ app or service, built with the “Geneva” Framework
• ‘Identity Provider’, running “Geneva” Server
• Trust relationship between the Relying Party and the Identity Provider; all exchanges are interoperable via industry standard protocols

Flow
1. A user wants to access an application
2. Gets claims (from the Identity Provider)
3. Sends claims (to the Relying Party)
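The flow on this slide, together with the STS roles from pages 9 and 10 (claims delivered inside security tokens produced by an STS; “Geneva” Server issuing and transforming claims), as an added worked example. This is illustrative code written for this page, not Microsoft’s code and not the “Geneva” Framework API: the party URIs, the claim rules and the user claims are constructed, and HMAC signatures over a JSON body stand in for the X.509-signed SAML tokens a real STS would issue. It shows the checks a relying party must make before acting on a claim (trusted issuer, valid signature, intended audience, validity window), why the federation-provider STS re-issues a token instead of forwarding the partner’s, and how a step-up decision falls out of an authentication-method claim.

```python
import base64
import hashlib
import hmac
import json

# Constructed example: the diagram's three parties under hypothetical URIs (not from the slides).
IDP = "https://sts.contoso.example/"       # 'Identity Provider' STS (partner side)
FP = "https://sts.fabrikam.example/"       # federation-provider STS in front of the application
RP = "https://orders.fabrikam.example/"    # 'Relying Party' application
# Constructed HMAC keys stand in for the X.509 signing certificates a real STS uses;
# a real verifier would hold only the issuer's public certificate.
SIGNING_KEYS = {IDP: b"constructed-idp-key", FP: b"constructed-fp-key"}
STRONG_AUTH_METHODS = {"smartcard", "x509"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_token(issuer, audience, claims, now, lifetime=300):
    """STS role: wrap a claim set in a signed, audience-scoped, short-lived token."""
    body = {"iss": issuer, "aud": audience, "nbf": now, "exp": now + lifetime, "claims": claims}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEYS[issuer], payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def validate_token(token, expected_audience, trusted_issuers, now):
    """Consumer role: return the claims only if the token comes from a trusted issuer,
    carries a valid signature, is addressed to us and is inside its validity window."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = base64.urlsafe_b64decode(payload_b64), base64.urlsafe_b64decode(sig_b64)
        body = json.loads(payload)
        issuer, audience, claims = body["iss"], body["aud"], body["claims"]
        nbf, exp = float(body["nbf"]), float(body["exp"])
    except (ValueError, KeyError, TypeError):
        raise ValueError("malformed token") from None
    if issuer not in trusted_issuers:           # trust edge first: unknown issuers get no further look
        raise ValueError("untrusted issuer")
    expected = hmac.new(SIGNING_KEYS[issuer], payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    if audience != expected_audience:           # a token minted for the federation STS must not open the app
        raise ValueError("token not issued for this audience")
    if not nbf <= now < exp:
        raise ValueError("token outside validity window")
    return claims

def federation_provider(partner_token, now):
    """Federation-provider STS: validate the partner IdP's token, apply claim rules and
    re-issue a token scoped to the application (the 'issuing and transforming claims' role)."""
    incoming = validate_token(partner_token, FP, {IDP}, now)
    group_to_role = {"Purchasing": "Approver", "Finance": "Auditor"}   # constructed claim rules
    outgoing = {
        "email": incoming.get("email"),                                  # pass-through rule
        "role": sorted({group_to_role[g] for g in incoming.get("group", []) if g in group_to_role}),
        "authmethod": incoming.get("authmethod", "password"),            # kept so the app can ask for step-up
        "vouched_by": IDP,                                               # added claim: which partner asserted the user
    }
    return issue_token(FP, RP, outgoing, now)

def relying_party_decide(token, action, now):
    """Application: the access decision is driven by claims, not by a local user store."""
    try:
        claims = validate_token(token, RP, {FP}, now)
    except ValueError as err:
        return f"deny: {err}"
    if "Approver" not in claims.get("role", []):
        return "deny: Approver role required"
    if action == "approve_payment" and claims.get("authmethod") not in STRONG_AUTH_METHODS:
        return "step-up: strong authentication required"   # sensitive action, stronger credential needed
    return "allow"

def run_flow(groups, authmethod, action, now=1_700_000_000.0):
    """Diagram steps: (1) user wants the app, (2) gets claims from the IdP, which the federation
    STS transforms, (3) sends the resulting claims to the relying party."""
    user_claims = {"email": "alice@contoso.example", "group": groups, "authmethod": authmethod}
    partner_token = issue_token(IDP, FP, user_claims, now)       # step 2
    app_token = federation_provider(partner_token, now)           # transformation
    return relying_party_decide(app_token, action, now)           # step 3

def rejected_presentations(now=1_700_000_000.0):
    """Tokens the relying party must refuse, and the check that catches each one."""
    claims = {"role": ["Approver"], "authmethod": "smartcard"}
    direct = issue_token(IDP, FP, claims, now)                    # partner token presented without the federation STS
    wrong_audience = issue_token(FP, FP, claims, now)             # trusted issuer, minted for another audience
    stale = issue_token(FP, RP, claims, now - 3600)               # expired an hour ago
    payload_b64, sig_b64 = issue_token(FP, RP, {"role": []}, now).split(".")
    body = json.loads(base64.urlsafe_b64decode(payload_b64))
    body["claims"] = claims                                       # claims changed after signing
    edited = _b64(json.dumps(body, sort_keys=True).encode()) + "." + sig_b64
    return {"direct partner token": relying_party_decide(direct, "view_order", now),
            "wrong audience": relying_party_decide(wrong_audience, "view_order", now),
            "expired": relying_party_decide(stale, "view_order", now),
            "edited claims": relying_party_decide(edited, "approve_payment", now)}

if __name__ == "__main__":
    for case in [(["Purchasing"], "password", "view_order"), (["Purchasing"], "password", "approve_payment"),
                 (["Purchasing"], "smartcard", "approve_payment"), (["Finance"], "smartcard", "view_order")]:
        print(case, "->", run_flow(*case))
    for name, outcome in rejected_presentations().items():
        print(name, "->", outcome)
```

The happy-path cases print allow, step-up, allow and deny in that order, followed by the four refused presentations. Two design points carry over to real deployments: the relying party trusts only the federation STS, never the partner IdP directly, so a partner token that skips the transformation step is refused on the issuer check before its signature is even examined; and the step-up branch is the pattern page 13 calls step-up authentication, where the application asks for a stronger credential only when the authentication-method claim does not satisfy the action’s policy, without owning the authentication itself.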

Page 12

“Geneva” Interoperates with Other Claims Infrastructure

Participants (each position can be a “Geneva” component or a third-party one)
• User: Windows CardSpace “Geneva”, or a browser or third party identity selector
• ‘Identity Provider’: “Geneva” Server, MSC, or ACS, or a third party STS
• ‘Relying Party’ app or service: built with the “Geneva” Framework, or a third party framework
• Trust relationship between the Relying Party and the Identity Provider; all exchanges are interoperable via industry standard protocols

Flow
1. User wants to access an application
2. Gets claims
3. Sends claims

Mix and match “Geneva” components with 3rd party claims-based STSs, frameworks, and clients.

Microsoft Services Connector (MSC) and .NET Access Control Service (ACS) are both built on “Geneva” technology and claims architecture.

Page 13

Example Scenarios

Benefits and scenarios:

Simplifies Application Access
• Step-Up Authentication: Build an application that requires users to step up to a higher level of authentication to approve sensitive transactions
• Cloud SSO: Extend SSO from on-premises Active Directory to Microsoft cloud services with Microsoft Services Connector or .NET Access Control Service (built on “Geneva” technology)

Streamlines Access Management & Security
• Federated Document Collaboration: Enable employees and partners to collaborate with Office documents and SharePoint via federation
• Managed Info Cards: Issue managed information cards to employees to reduce the need to remember multiple logins

Enhances Interoperability & Adaptability
• Legacy Interoperability: Implement “Geneva” to help disparate existing applications achieve seamless user access while laying a foundation to add claims-based apps
• Flexible Authentication: Change authentication methods across multiple applications from username/password to smart cards

Page 14

Features and Details

Federation
• Federation provider STS with simple administration tools to quickly set up federations
• Federation between on-premises directories and cloud services
• Multi-protocol federation, including WS-* and SAML 2.0 protocols

Authentication Flexibility
• Identity provider STS to issue claims and managed CardSpace identities
• Applications can be built to prompt users for stronger credentials for scenarios requiring higher security
• Switch authentication types with minimal application re-coding

Interoperability
• Built-in interoperability via open industry protocols including WS-* and SAML 2.0
• STS translates between claims and other protocols to enable claims and non-claims interoperability
• Implements the industry Identity Metasystem vision for interoperable identity via claims

Developer Experiences
• Pre-built user access logic based on claims
• Developer framework and ASP.NET controls
• Externalize authentication from applications and support multiple authentication types

User Experiences
• Next generation CardSpace helps users navigate between multiple logons
• Streamlined download and installation delivers efficient Web and client experience with CardSpace
• User control and transparency for how information is shared

Page 15

“Geneva” Schedule

• Beta 1: October 2008
• Beta 2: 1st Half 2009
• RTM: 2nd Half 2009

• Licensing: All three components will be available under Windows license
• Ship Vehicle: All three components will be available as separate web downloads
• Version Support: Beta 1 supports Windows Server 2008 and Windows Vista. Support at RTM will be announced at a later date

Page 16

Summary

Single Simplified Identity Model
• Externalizes user access from applications via claims
• Reduces application development effort
• Helps users make identity decisions

Streamlines Access Management and Security
• Speeds deployment of applications
• Consolidates user access management in hands of IT
• Automates federation

Interoperable and Adaptable
• Flexible to change authentication methods
• Works independent of location or architecture
• Interoperable via claims, WS-* and SAML 2.0 protocol

Page 17

Developer Benefits

What can developers build with “Geneva”?
• Claims aware .NET applications
• User authentication experience with CardSpace “Geneva”
• Custom security token services (STS)

What does “Geneva” offer developers?
• “Geneva” Framework: SDK to build claims based applications
• Windows CardSpace “Geneva”: Identity client platform

Why should developers use “Geneva”?

Improves Developer Productivity
• Simplifies application development by externalizing user access from applications via claims
• Enables developers to code to a single simplified identity model based on claims
• Includes pre-built security logic with .NET tools to free up time for more value-added work

Enhances Application Security
• Helps provide consistent security with a single user access model externalized from applications
• Enhances consistency of security with pre-built user access logic
• Provides seamless user access to on-premises software and cloud services

Interoperable and Extensible
• Offers built-in interoperability via industry protocols including WS-* and SAML 2.0
• Implements the industry Identity Metasystem vision for interoperable identity
• Enables interoperability between users, applications, systems and other resources via claims

Page 18

IT Professional Benefits

What can IT pros do with “Geneva”?
• Deploy an STS to enable user access to applications via claims
• Quickly establish federations with partners and customers
• Issue managed identity cards to users

What does “Geneva” offer IT pros?
• “Geneva” Server: Security token service (STS) with identity and federation provider roles plus user access management capabilities
• Windows CardSpace “Geneva”: Authentication client

Why should developers use “Geneva”?

Streamlines User Access Management
• Implements a single user access model with native single sign on and easier federation
• Builds on and interoperates with existing identity infrastructure investments
• Works with identity management infrastructure such as Active Directory and Identity Lifecycle Manager

Enhances Application Security
• Helps provide consistent security with a single user access model externalized from applications
• Vests more complete control over user access decisions with IT instead of developers
• Provides seamless access between on-premises software and cloud services

Interoperable & Adaptable
• Based on industry standard protocols including WS-* and SAML 2.0 for interoperability
• Meet new business needs faster by allowing applications and infrastructure to evolve independently
• Integrates new authentication methods with fewer application code changes

Page 19

Comparing AD FS, CardSpace 1, WCF with Geneva

AD FS 1.1, CardSpace 1.0, WCF:
• Passive browser federation
• WS-* protocols
• Self-issued information cards
• Federated SharePoint
• Federated rights management

“Geneva” Adds (“Geneva” Framework, “Geneva” Server, CardSpace “Geneva”):
• End to end claims support
• Pre-built ASP.NET controls
• Federate Office documents
• SAML 2.0 protocol support
• Native SSO
• Active client federation
• Automated trust management
• Managed information cards
• Streamlined client UI

Page 20

“Geneva” Beta 1 vs. Future Features

Component: “Geneva” Framework

Beta 1 Features
• Externalize authentication from the app
• Multiple authentication types supported
• Identity delegation
• Step-up authentication
• Write apps to accept managed CardSpace identities
• SAML 2.0 token format
• Transform claims into Kerberos tokens
• Provision an STS in relying party apps

Features We Will Add by RTM
• SAML 2.0 IDP and SP protocol support for SSO

Component: “Geneva” Server

Beta 1 Features
• Identity provider integrated with Active Directory
• Issue managed CardSpace identities
• SAML 2.0 protocol for IDP for SSO
• SAML 2.0 token format
• Transform claims into Kerberos tokens
• Easy trust establishment
• Identity delegation management
• Support for managed information card issuance

Features We Will Add by RTM
• Automated trust management
• SAML 2.0 protocol for SP for SSO
• Support for alternate identity attribute stores
• Issue multiple CardSpace identities for multiple user roles
• Extranet access support
• PowerShell support
• Interoperability of WS-Fed with mobile and other low-performance clients

Component: CardSpace “Geneva”

Beta 1 Features
• Small download (less than 5 MB)
• Streamlined UI
• Inline UI for websites

Features We Will Add by RTM
• User self-issued information cards
• Backward compatibility for Windows apps
• Challenge-response for authentication assurance
• Secure desktop

Page 21

“Geneva” Beta 1 vs. Future Scenarios

Beta 1 Scenarios and Scenarios We Will Enable by Final Release:

• Enable employees and partners to collaborate with Office documents and SharePoint via federation.
• Accept self-issued information cards on an e-commerce website to speed checkout and improve security.
• Extend single sign on from an on-premises directory such as Active Directory to cloud services such as those offered by Live.
• Build an application that asks users to step up to a higher level of authentication based on context.
• Build an application that later allows IT to change authentication methods from username/password to smart cards without app code changes.
• Build a chain of applications and services that act on behalf of users while maintaining control of identity disclosure within claims.
• Issue managed information cards to employees to reduce the need to remember multiple logins.
• Implement “Geneva” to help an existing Kerberos application achieve seamless user access while laying a foundation to add claims-based apps.
• Implement federation with partners on heterogeneous infrastructures and maintain trusts automatically.

Page 22

Demo Title
Name, Title, Company

Page 23

Page 25

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.