Microsoftin Geneva ja muita uutuuksia

Transcription

1 Microsoftin Geneva ja muita uutuuksia Kimmo Bergius Microsoft Oy Antti Alila Microsoft Oy

2 Sisältö Pikakatsaus Microsoftin olemassa oleviin tuotteisiin hakemistopuolella Pikakatsaus koodinimi Genevaan Keskustelua ja kysymyksiä

3 AD-perhe Active Directory Domain Service Verkon perushakemisto Käyttäjätunnukset - autentikointi Kokoonpanotietoa Group Policy Active Directory LDS Entinen AD AM AD:n kevytversio Pelkkä LDAP-hakemisto, ei replikointia, ei autentikontia, ei tiedostoja, ei Group Policyjä Identity Lifecycle Manager Hakemistojen integrointi metahakemisto Käyttäjäsertifikaattien elinkaaren hallinta AD Federation Service Hakemistojen federointi AD Rights Management Service Käyttöoikeuksien hallintaan

4 Single-Sign-On AD:n käyttö myös muissa ympäristöissä Linux/Unix/Mac OSX Autentikointi Kokoonpanotietojen välitys Vaatii kolmannen osapuolen lisäkomponentteja Näennäinen SSO Hakemistojen integraatio esim. MIISin välityksellä Federaatio Aiemmin ADFS, tulevaisuudessa Geneva

5 Introducing "Geneva" and Claims- Based Identity

6 Tietolähteitä Esityksen lähde on suurelta osin David Chappellin pitämä Geneva-luento TechEd-konferenssissa marraskuussa 2008 Samat asiat sisältyvät myös whitepaperiin: Introducing : An Overview of the Server, CardSpace, and the Framework Kehittäjille lisätietoja whitepaperissa Keith Brown s Framework White Paper for Developers Molemmat edellä mainituista, muuta lisätietoa Genevasta sekä beta 1 versiot löytyvät osoitteesta

7 What is "Geneva"? Three related technologies: The Server The next release of Active Directory Federation Services (AD FS) CardSpace The next release of CardSpace The Framework The goal of is to help make claimsbased identity real

8 Defining the Problem Working with identity is too hard Applications must use different identity technologies in different situations: Active Directory (Kerberos) inside a Windows domain Username/password on the Internet WS-Federation and the Security Assertion Markup Language (SAML) between organizations Why not define one approach that can be used in all of these cases? Claims-based identity allows this It can make life simpler for developers

9 Supporting Multiple Identities Using an identity selector 5) Use claims in token Identity Providers Application Identity Library Token 3) Get token for selected identity 2) Select an identity that matches those requirements Browser or Client Identity Selector User 1) Access application and learn token requirements Token 4) Submit token

10 The "Geneva" Technologies Identity Providers Server Application 5) Use claims in token Token 1) Access application and learn token requirements Framework 4) Submit token 3) Get token for selected identity Browser or Client CardSpace Token 2) Select an identity that matches those requirements User

11 Using "Geneva": Scenarios

12 Using "Geneva" in an Enterprise Active Directory Domain Services 5) Find claims required by application and create token Server 6) Receive token 8) Use claims in token 7) Submit token Application Framework 1) Login to domain and get Kerberos ticket 4) Present Kerberos ticket and request token for selected identity Token Token 2) Access application and learn token requirements Browser or Client 3) Select an identity that matches those requirements CardSpace User

13 Allowing Internet Access Active Directory Domain Services Server 5) Use claims in token Application 4) Submit token Framework Token Internet Token 3) Get token for selected identity Browser or Client CardSpace 1) Access application and learn token requirements 2) Select an identity that matches those requirements User

14 Using an External Identity Provider Identity Providers Windows Live ID Other 5) Use claims in token Application 4) Submit token Framework Token Internet Token 3) Get token for selected identity Browser or Client CardSpace 1) Access application and learn token requirements 2) Select an identity that matches those requirements User

15 Identity Across Organizations Describing the problem A user in one Windows forest must access an application in another Windows forest A user in a non-windows world must access an application in a Windows forest (or vice-versa)

16 Identity Across Organizations Possible solutions One option: duplicate accounts Requires separate login, extra administration A better approach: identity federation One organizations accepts identities provided by the other No duplicate accounts Single sign-on for users

17 Identity Federation (1) Organization X Organization Y Active Directory Domain Services Server Token 5) Use claims in token 3) Get token for selected identity 2) Select an identity that matches those requirements Browser or Client CardSpace User 4) Submit token Token 1) Access application and learn token requirements Application Framework Trusted s: -Organization Y -Organization X

18 Identity Federation (2) Organization X Active Directory Domain Services Server 2) Access Organization Y and learn token requirements 5) Request token for application Token for Y Token Organization Y Trusted s: -Organization X Token for Y 6) Issue token for application 8) Use claims in token 4) Get token for Organization Y 3) Select an identity that matches those requirements Browser or Client CardSpace User 7) Submit token Token 1) Access application and learn token requirements Application Framework Trusted s: -Organization Y

19 Delegation Active Directory Domain Services Server 5) Check policy for user, application X, and application Y Token for X Token for X Token for Y 1) Get token for application X 4) Request token for application Y 6) If policy allows, issue token for application Y 7) Submit token 8) Use claims in token Browser or Client User Token for X 2) Submit token Application X Framework Token for Y 3) Access application and learn token requirements Application Y Framework

20 A Closer Look at the "Geneva" Technologies

21 Changes in the "Geneva" Server From AD FS AD FS today supports only passive clients (i.e., browsers) using WS-Federation And it doesn t provide an The Server: Supports both active and passive clients Provides an Supports both WS-Federation and the SAML 2.0 protocol Improves management of trust relationships By automating some exchanges

22 CardSpace "Geneva" Selecting identities CardSpace provides a standard user interface for choosing an identity Using the metaphor of cards Choosing a card selects an identity (i.e., a token)

23 Information Cards Behind each card a user sees is an information card It s an XML file that represents a relationship with an identity provider It contains what s needed to request a token for a particular identity Information cards don t contain: Claims for the identity Whatever is required to authenticate to the identity provider s

24 Information Cards An illustration Identity Providers Browser or Client CardSpace Information Card 1 Information Card 2 Information Card 3 Information Card 4 User

25 Creating Industry Agreement The Information Card Foundation ( is a multi-vendor group dedicated to making this technology successful Its board members include Google, Microsoft, Novell, Oracle, and PayPal A Web site can display a standard icon to indicate that it accepts card-based logins:

26 The Self-Issued Identity Provider Acting as your own identity provider Identity Providers Browser or Client CardSpace Information Card 1 Information Card 2 Self-Issued Identity Provider Information Card 3 Information Card 4 User

27 The Self-Issued Identity Provider Why it's useful The self-issued identity provider issues SAML tokens with a fixed set of claims They re digitally signed by this user These tokens can potentially be used in place of username/password They allow a Web site to recognize you as the same user on repeated visits They re much less useful to a phisher than username/password, because they re hard to reuse

28 Changes in CardSpace "Geneva" From the first CardSpace release CardSpace is available separately from the.net Framework It s smaller and faster CardSpace contains optimizations for applications that users visit repeatedly A Web site can display the card you last used to log in the site The CardSpace screen needn t appear

29 The "Geneva" Framework The goal: Make it easier for developers to create claims-aware applications Originally known as Zermatt The Framework provides: Support for verifying a token s signature and extracting its claims Classes for working with claims Support for creating a custom More

30 Microsoft Federation Gateway Microsoft Microsoft Services Services Identity Identity Backbone Backbone Microsoft Federation Gateway Cloud Applications and Developer Services Server Active Directory Third Party User Database

31 Live ID Consumers Microsoft Microsoft Services Services Identity Identity Backbone Backbone Live ID Managed Domains Microsoft Federation Gateway Cloud Applications and Developer Services Server Active Directory Third Party User Database

32 Microsoft Services Connector Consumers Microsoft Microsoft Services Services Identity Identity Backbone Backbone Live ID Managed Domains Microsoft Federation Gateway Cloud Applications and Developer Services Microsoft Services Connector Server Third Party Active Directory Active Directory User Database

33 Your Application Consumers Microsoft Microsoft Services Services Identity Identity Backbone Backbone Live ID Managed Domains Microsoft Federation Gateway YOUR Application Framework Microsoft Services Connector Active Directory Server Active Directory Third Party User Database

34 Your Application Microsoft Microsoft Services Services Identity Identity Backbone Backbone Live ID Consumers Managed Domains Microsoft Federation Gateway Microsoft Services Connector Active Directory Active Directory YOUR Application Framework

35 Your Application Microsoft Microsoft Services Services Identity Identity Backbone Backbone Live ID Consumers Managed Domains Microsoft Federation Gateway Third Party User Database Server Active Directory YOUR Application Framework

36 Roadmap Software Server Now H2 CY 2008 H1 CY 2009 H2 CY 2009 Beta 1 Beta 2 RTM Microsoft Service Connector CTP Beta RTM Framework, CardSpace Beta 1 Beta 2 RTM Live Framework In Production Services Live Identity Services Microsoft Federation Gateway OpenID Beta In Production OpenID RTM.Net Access Control Service CTP Refresh Beta 1

37 44

38 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.