From "Username and Password" to InfoCard

InfoCard can bring a new level of security to authenticating users to your site. In this session, take a deep developer look at how this can be achieved. A traditional forms-based authentication implementation is converted to use InfoCard, along with explanations of the Web services, protocols, and security considerations that one needs to understand.

Published in: Technology, Business

Transcript of "From "Username and Password" to InfoCard"

  1. From Username & Password to "InfoCard"
     Richard Turner, "InfoCard" Product Manager, Microsoft Corporation
     Garrett Serack, Program Manager, Microsoft Corporation

  2. Agenda
     • Internet Identity Crisis
     • "InfoCard" Overview
     • Implementation
     • The Identity Metasystem
     • Getting "InfoCard"

  3. The Imperative to Connect
     [Diagram labels: Suppliers & Partners, Businesses, Employees, Friends & Family, Consumers]

  4. Who Are You?

  5. The Internet Identity Crisis
     • Phishing & Phraud
     • Password fatigue
     • Inconsistent, proprietary identification mechanisms
     Lack of Identity Online

  6. Phishing & Phraud
     • New Phishing Sites by Month
     • December 2004 – December 2005
     [Chart: monthly counts of new phishing sites, ranging between 1,707 and 7,197 over the period. Source: http://www.antiphishing.org]

  7. Password Fatigue

  8. "InfoCard"
     • Consistent user experience
     • Helps eliminate usernames and passwords
     • Helps protect users from many forms of phishing & phraud attack
     • Support for two-factor authentication
     Easier. Safer. Built on WS-* Web Services Protocols.

  9. "InfoCard" cards
     Richard's Card (self-issued):
     • Stored locally
     • Assertions about me
     • Not corroborated
     Woodgrove Bank (managed):
     • Provided by banks, government, clubs, etc.
     • Stored at STS
     • Metadata only

  10. Private Desktop
     • Runs under separate desktop and restricted account
     • Isolates "InfoCard" from Windows desktop
     • Deters hacking attempts by user-mode processes

  11. Contoso Car Rental

  12. Participants
     [Diagram: Relying Party (website), User, Identity Provider]

  13. Login with Self Issued Card
     [Diagram: Relying Party (website), User; the page's Object Tag triggers Login]

  14. Select Self Issued Card
     [Diagram: Relying Party (website), User]

  15. Create Token from Card
     [Diagram: Relying Party (website), User]

  16. Sign, Encrypt & Send Token
     [Diagram: Relying Party (website), User]

  17. Login with Managed Card
     [Diagram: Relying Party (website), User, Identity Provider; the page's Object Tag triggers Login]

  18. Select Managed Card
     [Diagram: Relying Party (website), User, Identity Provider]

  19. Request Security Token
     [Diagram: Relying Party (website), User, Identity Provider; the user authenticates to the Identity Provider with X509, Kerb, SIC, U/PWD, ...]

  20. Create Token from Card
     [Diagram: Relying Party (website), User, Identity Provider]

  21. Sign, Encrypt & Send Token
     [Diagram: Relying Party (website), User, Identity Provider]

  22. The Identity Metasystem
     • Identity layer for the Internet
     Open, inclusive, standards-based model. Built upon "The Laws of Identity". "InfoCard" is a client agent within the IDMS.

  23. Building A Relying Party

  24. Integrating with "InfoCard"
     • Four key tasks:
       • Update the database
       • Create an association page
       • Update the sign in page
       • Update the registration page
  25. 1. Associate a user with a card

        -- Maps a membership user to the unique id of a card (body elided on the slide)
        CREATE PROCEDURE aspnet_infocard_associate
            (@UserId nvarchar(256), @card nvarchar(50))
        AS
            ...

        -- Finds the user associated with a card's unique id (body elided on the slide)
        CREATE PROCEDURE aspnet_infocard_lookup
            (@card nvarchar(50))
        AS
            ...
  26. 2a. Create an association page

        <!-- ... -->
        <button onclick="javascript:return infocardlogin.submit();">
            Update account with your Information Card
        </button>
        <form name="infocardlogin" target="_self" method="post">
            <!-- The identity selector fills this object with the token and posts it as "xmlToken" -->
            <object type="application/x-informationcard" name="xmlToken">
                <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion">
                <param name="issuer" value="http://schemas..../identity/issuer/self">
                <param name="requiredClaims" value="http://.../claims/givenname, http://.../claims/surname, http://.../claims/emailaddress, http://.../claims/privatepersonalidentifier">
            </object>
        </form>
        <!-- ... -->
  27. 2b. Create an association page

        public partial class Associate_aspx : System.Web.UI.Page
        {
            protected void Page_Load(object sender, EventArgs e)
            {
                // Check whether the identity selector posted an xmlToken
                string xmlToken = Request["xmlToken"];
                if (xmlToken != null)
                {
                    TokenHelper tokenHelper = new TokenHelper(xmlToken);
                    // Get the unique id (the card's private personal identifier)
                    string uniqueID = tokenHelper.getUniqueID();
                    if (uniqueID != null && uniqueID != "")
                    {
                        // Store it with the account of the currently signed-in user
                        MembershipUser user = Membership.GetUser();
                        if (user != null)
                        {
                            MembershipHelper.AssociateUser(user.UserName, uniqueID);
                        }
                    }
                }
            }
        }
  28. 3a. Update the sign in page

        <!-- ... -->
        <button onclick="javascript:return infocardlogin.submit();">
            Sign in with your Information Card
        </button>
        <form name="infocardlogin" target="_self" method="post">
            <object type="application/x-informationcard" name="xmlToken">
                <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion">
                <param name="issuer" value="http://schemas..../identity/issuer/self">
                <param name="requiredClaims" value="http://.../claims/givenname, http://.../claims/surname, http://.../claims/emailaddress, http://.../claims/privatepersonalidentifier">
            </object>
        </form>
        <!-- ... -->
  29. 3b. Update the sign in page

        public partial class Login_aspx : System.Web.UI.Page
        {
            protected void Page_Load(object sender, EventArgs e)
            {
                string xmlToken = Request["xmlToken"];
                if (xmlToken == null)
                {
                    return; // plain page view, no token posted yet
                }
                TokenHelper tokenHelper = new TokenHelper(xmlToken);
                // Look up the account using the unique id carried by the token
                string username = MembershipHelper.GetUser(tokenHelper.getUniqueID());
                if (username != null)
                {
                    MembershipUser user = Membership.GetUser(username);
                    // Give the forms-authentication cookie back to the browser
                    FormsAuthentication.SetAuthCookie(user.UserName, false);
                }
            }
        }
  30. 4a. Update the registration page

        <!-- ... -->
        <button onclick="javascript:return infocardlogin.submit();">
            Register with your Information Card
        </button>
        <form name="infocardlogin" target="_self" method="post">
            <object type="application/x-informationcard" name="xmlToken">
                <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion">
                <param name="issuer" value="http://schemas..../identity/issuer/self">
                <param name="requiredClaims" value="http://.../claims/givenname, http://.../claims/surname, http://.../claims/emailaddress, http://.../claims/privatepersonalidentifier">
            </object>
        </form>
        <!-- ... -->
  31. 4b. Update the registration page

        // ...
        string xmlToken = Request["xmlToken"];
        TokenHelper tokenHelper = new TokenHelper(xmlToken);
        string uniqueId = tokenHelper.getUniqueID();
        // Claims requested through requiredClaims on the registration page
        string emailAddress = tokenHelper.GetClaim("http://schemas.../emailaddress");
        string username = tokenHelper.GetClaim("http://schemas.../givenname");
        if (username != null)
        {
            // Create the membership account, then tie the card's unique id to it
            MembershipUser user = CreateUser(username, emailAddress, ...);
            MembershipHelper.AssociateUser(user.UserName, uniqueId);
        }
        // ...
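The sign-in and registration pages above hand whatever TokenHelper extracts straight to the account lookup, so the checks that helper must make on the posted xmlToken are the interesting part. As an added example (not code from the slides or from the lab's TokenHelper), this is the relying-party validation of a self-issued SAML 1.0 assertion, written in Python rather than the slides' C# so it runs stand-alone: issuer, validity window, audience, and presence of the four required claims, followed by the PPID lookup that aspnet_infocard_lookup performs. The issuer and claim URIs are the InfoCard ones the slides elide; the contoso.example audience, the PPID value, the account table and the assertion itself are constructed, and decryption plus XML-signature verification are assumed to have happened before this point.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"      # the tokenType the <object> tag asks for
SELF_ISSUER = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
CLAIM_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
REQUIRED = ("givenname", "surname", "emailaddress", "privatepersonalidentifier")
ACCOUNTS = {"CONSTRUCTED-PPID-richard": "richard"}   # constructed stand-in for aspnet_infocard_lookup

def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_token(xml_token, audience, now_stamp=None):
    """Checks a self-issued SAML 1.0 assertion and returns its claims; raises ValueError otherwise."""
    now = _utc(now_stamp) if now_stamp else datetime.now(timezone.utc)
    root = ET.fromstring(xml_token)
    if root.tag != SAML + "Assertion" or root.get("Issuer") != SELF_ISSUER:
        raise ValueError("not a self-issued SAML 1.0 assertion")
    cond = root.find(SAML + "Conditions")
    if cond is None or not _utc(cond.get("NotBefore", "")) <= now < _utc(cond.get("NotOnOrAfter", "")):
        raise ValueError("assertion missing Conditions or outside its validity window")
    # The audience must name this site; otherwise a token minted for another relying party could be replayed here.
    if audience not in [a.text for a in cond.iter(SAML + "Audience")]:
        raise ValueError("assertion not issued to this relying party")
    claims = {}
    for attr in root.iter(SAML + "Attribute"):             # SAML 1.x: AttributeName + AttributeNamespace
        if attr.get("AttributeNamespace") == CLAIM_NS:
            value = attr.find(SAML + "AttributeValue")
            claims[attr.get("AttributeName")] = (value.text or "").strip() if value is not None else ""
    missing = [c for c in REQUIRED if not claims.get(c)]
    if missing:
        raise ValueError("required claims missing: " + ", ".join(missing))
    return claims

def lookup_user(xml_token, audience, now_stamp=None):
    """The sign-in page step: validated PPID -> account name, or None when no card has been associated."""
    return ACCOUNTS.get(validate_token(xml_token, audience, now_stamp)["privatepersonalidentifier"])

def sample_token(ppid="CONSTRUCTED-PPID-richard", audience="https://www.contoso.example/"):
    """Constructed assertion in the shape the identity selector posts as xmlToken (XML signature omitted)."""
    values = {"givenname": "Richard", "surname": "Turner",
              "emailaddress": "richard@contoso.example", "privatepersonalidentifier": ppid}
    attrs = "".join('<saml:Attribute AttributeName="%s" AttributeNamespace="%s">'
                    '<saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>' % (k, CLAIM_NS, v)
                    for k, v in values.items())
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"'
            ' AssertionID="uuid-constructed" Issuer="%s" IssueInstant="2006-03-20T10:00:00Z">'
            '<saml:Conditions NotBefore="2006-03-20T10:00:00Z" NotOnOrAfter="2006-03-20T10:05:00Z">'
            '<saml:AudienceRestrictionCondition><saml:Audience>%s</saml:Audience></saml:AudienceRestrictionCondition>'
            '</saml:Conditions><saml:AttributeStatement>%s</saml:AttributeStatement></saml:Assertion>'
            % (SELF_ISSUER, audience, attrs))
```

A token for a different audience or outside its window is rejected before any account lookup happens, and an unknown PPID simply yields no account, which is where the registration page takes over.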
  32. Summary

  33. WinFX: .NET to the core

  34. Getting WinFX & "InfoCard"
     • Built in to Windows Vista
     • Also available for Windows XP & Windows Server 2003
     • CTPs available today
     • Beta 2 coming
     • RTM 2nd half 2006
     [Timeline: 2005 Q1–Q4 and 2006 Q1–Q4, with milestones B1, CTP, V1 RTM]

  35. "InfoCard" Summary
     Labs available in the MIX Sandbox!
     Consistent authentication for digital identities. Reduces chances of being phished. Adopting takes little developer effort.

  36. © 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.