Web2.0 OpenID
November 15 2007
Copyright © 2007 Sun Microsystems K.K. All Rights Reserved.
Published on: Web 2.0 Expo Tokyo, http://www.cmptech.jp/web2expo/

  1. Web2.0 OpenID, November 15 2007. Web2.0 • ID •
  2. Web2.0 • • • • • • • • / • • Web ID • SAML • OpenID • CardSpace • Liberty Alliance Project Concordia • OpenSSO
  3. 2004 ( )
  4. ID / ID / / USB IC
  5. • OASIS SAML (Security Assertion Markup Language) • Liberty Alliance [Figure: b ● ● a ● @ A Web]
  6. Web • Web • Web • Web
  7. ID = identification • • • • • > > > > / • XML > > • > • > > > >
  8. Web ID web / • Web ID Web > : • : • Web : • •
  9. blog ID • TypePad blog / ID TypePad •
  10. Sun SSO • > > • My Sun ID / Blogspot blog (Google Account) • Check out http://TrayTable.blogspot.com!
  11. Amazon / jyte.com ProoveMe OpenID
  12. jyte : ProtectNetwork SAML ID / OpenID / CardSpace
  13. SSOCircle / • > > > > • Web > > > • >
  14. • Identification: > > • Authentication: > > RP • Authorization: ID ID Authz > [Figure: Identity provider (login site), Relying party (web application or community), Browser (or other interface), User; Authn and Authz] / [Figure: Identity provider (login site), Relying party (web application or community), Browser (or other interface), User]
  15. [Figure: Identity provider (login site), Relying party (web application or community), Relying Party, Browser (or other interface), User] / [Figure: Identity provider (login site), Relying party (web application or community), Browser (or other interface), User]
  16. SSO [Figure: IdP-vs-SP-init. SP-initiated: 1 Attempt access at Service Provider, 2 Authenticate when asked at Identity Provider, 3 Succeed in attempt. IdP-initiated: 1 Authenticate at Identity Provider, 2 Access service successfully.] • Lois IdP • Lois SP(RP) • Lois SP(RP) • SP(RP) IdP / SSO • SSO + > IdP RP • IP > RP – • SSO > IdP – • Circle of Trust (CoT) • >
  17. CoT (Circle of Trust : ) [Figure: IdP with SPs A, B, C, D, E, F, G, H] • CoT • • • SLA • / IdP discovery • SSO RP (RP-initiated) IdP > > [Figure: Identity provider (login site), Relying party (web application or community)] IdP – GUI – IdP – – RP IdP (CoT) – – IdP –
  18. SSO : IdP / RP ) • • > – 70-80% • SLA > > > > "How long has THAT been there?" / : • ID (Identifier) (personally identifiable information (PII)) > • > Email , . > RP –
  19. • RP > RP – • • Identity 2.0 Web 2.0 Web (Lightweight identity) > ID (publishable ID) • / : "me generation" ID • > > wiki > Web2.0 ID > • Web > > RP > Web
  20. 2: "Trust no one" IdP RP • IdP RP • [Figure: Identity provider (login site), Relying party (web application or community), Browser (or other interface), User] / 3: "Do What I mean" • ... > > > • > > SSO • > >
  21. Comparison: SAML, OpenID, CardSpace.
      SAML: ● Comprehensive use case coverage ● Comprehensive challenge solutions, except IdP discovery ● Can be deployed to do any user centricity type ● Consistent user experience, XML message formats ● "Trust no one", "me generation" in part
      OpenID: ● Simple use case coverage ● "Me generation" ● Strong on IdP discovery but weak on other challenges ● The very definition of "me generation" ● "Do what I mean" philosophy
      CardSpace: ● "Smart client" component ● Addresses web authentication challenges ● The very definition of "trust no one"
  22. SAML / SAML ? • "an XML-based framework for marshaling security and identity information and exchanging it across domain boundaries" • > SAML V2.0 Liberty ID-FF > • > B2B, B2C, G2C... • Google Search Appliance... >
  23. • (SSO) > > Distributed transaction > Authorization Service • SAML 1.x SSO • SAML = Security Assertion Markup Language / SAML • • SAML "subject" "statement" : > Authentication > Attribute > Authorization decision • SAML • • • XML
  24. SAML [Figure, layered from top to bottom:
      Operational modes for use in conformance testing and RFPs: IdP, SP, Enhanced client, IdP Lite, SP Lite, ...
      Metadata to describe provider abilities and needs
      Profiles combining binding, assertion, and protocol use to support defined use cases: Web browser SSO, Enhanced client SSO, IdP discovery, Single logout, ..., Custom
      Protocols to get assertions and do identity mgmt: Assertion query/request, Authentication request, Name ID management, Single logout, ..., Custom
      Authentication context classes to describe types of authentication performed/desired; Attribute profiles for interpreting attrib semantics
      Assertions of authn, attribute, and entitlement information: Authentication statement, Attribute statement, Authz decision statement, Custom
      Bindings onto standard communications protocols: HTTP redirect, HTTP POST, HTTP artifact, SAML URI, SOAP over HTTP, PAOS, Custom]
      • Issuer ID timestamp • Assertion ID • Subject > Name security domain > "Conditions" • > SAML conditions condition: > • "advice" > •
  25. <saml:Assertion
        MajorVersion="1" MinorVersion="0"
        AssertionID="128.9.167.32.12345678"
        Issuer="Smith Corporation"
        IssueInstant="2001-12-03T10:02:00Z">
        <saml:Conditions NotBefore="2001-12-03T10:00:00Z"
                         NotOnOrAfter="2001-12-03T10:05:00Z">
          <saml:AudienceRestrictionCondition>
            <saml:Audience>…URI…</saml:Audience>
          </saml:AudienceRestrictionCondition>
        </saml:Conditions>
        <saml:Advice>
          …a variety of elements can go here…
        </saml:Advice>
        …statements go here…
      </saml:Assertion>
      Authentication context classes: • Public Key – XML Signature • Smartcard • Internet Protocol • Smartcard PKI • Internet Protocol Password • Software PKI • Kerberos • Telephony • Mobile One Factor Unregistered • Nomadic Telephony • Mobile Two Factor Unregistered • Personalized Telephony • Mobile One Factor Contract • Authenticated Telephony • Mobile Two Factor Contract • Secure Remote Password • Password • SSL/TLS Cert-Based Client Authentication • Password Protected Transport • Time Sync Token • Previous Session • Unspecified • Public Key – X.509 • Your own customised classes... • Public Key – PGP • Public Key – SPKI
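As an added example (not code from the slides or from Sun), the checks a relying party applies to the Conditions of the assertion above before trusting it: the NotBefore/NotOnOrAfter window with a small clock-skew tolerance, the AudienceRestrictionCondition against the RP's own audience URI, and one-time use of the AssertionID. The xmlns:saml declaration and the audience URI https://sp.example.com/saml are assumptions added so the sample parses.

```python
"""Relying-party checks on the Conditions of a SAML 1.0 assertion (added example)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1_NS}

# Constructed sample: the assertion from the slide, plus an xmlns:saml declaration
# (assumed, so the document parses) and a concrete audience URI in place of "...URI...".
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1_NS}"
    MajorVersion="1" MinorVersion="0"
    AssertionID="128.9.167.32.12345678"
    Issuer="Smith Corporation"
    IssueInstant="2001-12-03T10:02:00Z">
  <saml:Conditions NotBefore="2001-12-03T10:00:00Z"
                   NotOnOrAfter="2001-12-03T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example.com/saml</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>"""


def parse_instant(value):
    """Parse a SAML UTC dateTime such as 2001-12-03T10:02:00Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(xml_text, my_audience, now, skew_seconds=0, seen_ids=None):
    """Return (accepted, reason) for an assertion evaluated at time `now`.

    Checks, in order: the NotBefore/NotOnOrAfter window (NotOnOrAfter is exclusive)
    with a clock-skew tolerance, the AudienceRestrictionCondition against this RP's
    own audience URI, and, if `seen_ids` is given, one-time use of the AssertionID.
    """
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML1_NS}}}Assertion":
        return False, "not a SAML 1.0 Assertion"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before is not None and now + skew < parse_instant(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after is not None and now - skew >= parse_instant(not_on_or_after):
        return False, "assertion expired"
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)
                 if a.text]
    if audiences and my_audience not in audiences:
        return False, "audience mismatch"
    assertion_id = root.get("AssertionID")
    if seen_ids is not None:
        if assertion_id in seen_ids:
            return False, "replayed assertion"
        seen_ids.add(assertion_id)
    return True, "ok"


if __name__ == "__main__":
    rp = "https://sp.example.com/saml"
    for instant in ("2001-12-03T10:02:30Z", "2001-12-03T10:05:00Z", "2001-12-03T09:59:30Z"):
        print(instant, check_conditions(SAMPLE_ASSERTION, rp, parse_instant(instant)))
    print("60s skew at 10:05:00Z",
          check_conditions(SAMPLE_ASSERTION, rp, parse_instant("2001-12-03T10:05:00Z"),
                           skew_seconds=60))
```

The window check alone does not make the assertion trustworthy; in a real deployment it follows signature verification over the whole assertion, which this example does not include.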
  26. : web browser SSO / SSO • federation • [Figure: Profiles combining binding, assertion, and protocol use to support defined use cases: Web browser SSO. Protocols to get assertions and do identity mgmt: Authentication request. Assertions of authn, attribute, and entitlement information: Authentication statement. Bindings onto standard communications protocols: HTTP redirect, HTTP POST, HTTP artifact.] / SAML: SP-initiated/redirect/POST [Figure: Service Provider sp.example.com (Resource, Access check, Assertion Consumer Service); Identity Provider idp.example.org (Single Sign-On Service); Browser; User or UA action. 1 Access resource?; 2 Redirect with <AuthnRequest>; 3 GET using <AuthnRequest>; 4 Challenge for credentials; 5 User login; 6 Signed <Response> in HTML form; 7 POST signed <Response>; 8 Supply resource. IdP discovery can be by special cookie, or any other means.]
  27. : IdP-initiated/POST [Figure: Service Provider sp.example.com (Resource, Access check, Assertion Consumer Service); Identity Provider idp.example.org (Single Sign-On Service); Browser; User or UA action. Steps include: Challenge for credentials; User login; Select remote resource; Signed <Response> in HTML form; POST signed <Response>; Supply resource.] / : enhanced client / proxy SSO • [Figure: Profiles combining binding, assertion, and protocol use to support defined use cases: Enhanced client SSO. Protocols to get assertions and do identity mgmt: Authentication request. Assertions of authn, attribute, and entitlement information: Authentication statement. Bindings onto standard communications protocols: SOAP over HTTP, PAOS.]
  28. ECP [Figure: Service Provider sp.example.com (Resource, Access check, Assertion Consumer Service); Identity Provider idp.example.org (Single Sign-On Service); EnhancedClient or Enhanced Proxy (SOAP intermediary). 1 Access resource; 2 <AuthnRequest> in PAOS response; 3 <AuthnRequest> in SOAP request; 4 Signed <Response> in SOAP response; 5 Signed <Response> in PAOS request; 6 Supply resource.] / SSO + [Figure: Book flight logged in as johndoe (AirlineInc.com). Prepare to book hotel logged in as johnd; accept offer of federation with AirlineInc.com (HotelBooking.com). Prepare to rent car logged in as jdoe; accept offer of federation with AirlineInc.com (CarRental.com). Agree on azqu3H7 for referring to Joe (neither knows the ID used on other side). Agree on f78q9c0 for referring to Joe (neither knows the ID used on the other side).]
  29. SP IDP ID ● ● ● Opaque Handle User ● [Figure: Liberty Federation (Linking of Accounts). Browser; Identity Provider (UserID = Jsmith, Password = Rigol3tt0!, OpaqueHandle = XYZ); Service Provider App (UserID = Joe, Password = CaRm3N, OpaqueHandle = XYZ).]
      Local ID | IdP     | Linked ID || Linked ID | SP     | Local ID
      jdoe     | Airline | 61611     || 61611     | Cars   | john
      jdoe     | Bank    | 71711     || 61612     | Hotels | john
      mlamb    | Airline | 81811     || 61621     | Cars   | mary
      [Figure: Service Provider cars.example.com (Resource, Access check, Assertion Consumer Service, Identity store); Identity Provider airline.example.com (Single Sign-On Service, Identity store); persistent pseudonym (NameID="61611") and attributes. Steps include: Access resource; Convey <AuthnRequest> asking for persistent pseudonym; Pass along <AuthnRequest>; Challenge for credentials; User login as john; Convey signed <Response> about 61611; Pass along signed <Response>; Challenge for credentials, opt-in?; User login as jdoe; Supply resource. Browser: User with local ID john at airline.example.com and local ID jdoe at cars.example.com.]
  30. : • Mon.Service-Public.fr • • / Google Apps: Google Apps Education Edition 2.5 Google Google Provisioning API SAML Single Sign-On (SSO) API Provisioning API Google Apps SSO IT Google Web 2.0 API Google Apps Education Edition http://www.google.co.jp/a/help/intl/ja/edu/customers/nihon_university.html
  31. SAML • Federated identity : IdP RP • • • Web ECP • • IdP discovery: cookie : IdP IdP • : • : (Liberty Alliance • ) / OpenID
  32. OpenID ? • "an open, decentralized, free framework for user-centric digital identity" • Web URL (or XRI) namespace > Web > • > • "Web 2.0" wiki SNS >
  33. OpenID • OpenID > ID > OpenID consumer (RP) OpenID ID (IdP) URL XRI Web Page URL XRI > ID • > Simple Registration extension email > / OpenID (V1.1) • Sign up ID • <link rel="..."> magic Web RP URL OpenID • sign on OpenID RP • RP • OP (OpenID Provider) confirmation (RP OpenID RP • • See http://simonwillison.net/2006/openid-screencast/
  34. OpenID – (part 1) jyte.com claimid.com (my IdP) / OpenID – (part 2) claimid.com jyte.com transparent
  35. Project concordia projectconcordia.org OpenID openid.sun.com openid.sun.com URL openid.sun.com projectconcordia.org / SP-initiated simplified sign-on with OpenID [Figure: OpenID Consumer / RP (e.g. projectconcordia.org); OpenID Provider (OP) (e.g. prooveme.com); Browser; User or UA action. Steps include: Access site?; Display OpenID prompt page; User login, OpenID sent with GET or POST; Discovers OP thru OpenID resolution; Optionally set up symmetric session key (can be remembered for future interactions); Redirect to OP; Challenge for credentials; Allow access (and maybe Simple Reg attributes); POST Authentication response.]
  36. OpenID • "digerati" • • Sources: USA Today (March, 2007), GoogleTrends (April, 2007), Technorati (April, 2007) / OpenID ( ) prooveme.com http://openiddirectory.com/
  37. OpenID SSO • RP + ID) Web • + IdP IdP – (IdP) – SSO / OpenID • OpenID SSO > – OpenID (identity federation) > OpenID • SSO OpenID > OpenID ID > > Web E-Mail
  38. OpenID • ID > ProtectNetwork.com (also gives "SAML IDs"), MyOpenID.com, ProoveMe.com... > AOL http://openid.aol.com/screenname > Sun openid.sun.com Web • shita.com > • OpenID / OpenID 2.0 vs 1.X • OpenID 2.0 (1.1): > XRI XRDS > IdP-initiated (RP) (OpenID >) One-time OpenID > • > > > >
  39. OpenID • > http://wiki.openid.net/OpenID_Phishing_Brainstorm • URL URL > Consumer > http://wiki.openid.net//Replay_Attack_Prevention • reputation / AOL reputation • AOL OpenID (10/30/2007): 1. myopenid.com 2. claimid.com 3. livejournal.com 4. verisignlabs.com 5. myvauthid.com 6. openid.sun.com 7. myvidoop.com 8. signon.com 9. idtail.com 10. xlogon.net 11. idproxy.net 12. typekey.com 13. sxipper.com 14. alwaysknownas.com 15. myID.net
  40. SAML OpenID • OpenID Web > URL UI > > • SAML OpenID * IdP discovery > > FOSS (wrapper hard coding) • SAML "circles of trust" SLA > • * http://blogs.sun.com/superpat/entry/yadis%2Fxri_identifier_resolution_with_saml, http://www.protectnetwork.com, and http://www.ssocircle.com / OpenID • Federated identity : simplified sign-on ID "me generation" OpenID • "do what I mean" (not "trust no one") • Diffie-Hellman • Web • • IdP discovery: IdP : • : • : IdP, RP •
  41. CardSpace / Windows CardSpace ? • "a Microsoft .NET Framework version 3.0 component that provides the consistent user experience required by the identity metasystem" • – Card selector "trust no one" IdP/RP – claim • Web – – OS –
  42. CardSpace identity selector • IdP STS) > managed cards IdP claim – CoT namespace claim self-asserted card > IdP identity selector – RP • > RP IdP RP / CardSpace RP-initiated simplified sign-on [Figure: Information card-accepting RP; STS that is a managed-card identity provider (IP) for particular card; CardSpace identity selector (Card 1, Card 2, ...); User action. Steps include: Access resource?; Send RP policy reqmts; Match RP policy requirements to available IP policy capabilities; Select one card out of those available that match policy intersection and select any optional claims asked for; Send card selection; Authn and request claims from appropriate IP based on card selection; Optionally encrypt claims for RP; Send claims; Convey claims to RP; Supply resource.]
