3. Agenda
• Application Security
• Federated Identity
• What problem are we trying to solve?
• Case study
• Current state of affairs
• Identity in Real Life
• Terminology
• The Federated Auth dance
• Code demo
• Q&A
4. Application Security
• Not sexy
• Requires specialized knowledge
• Oftentimes depends on the environment
• You never hear about it, unless it fails
5. Federated Identity
• Organization for the Advancement of Structured Information Standards (OASIS)
• WS-Federation
• WS-Trust
• SAML
• OpenID, OAuth, Facebook Connect
6. The Face of WIF
(Expert) Vittorio Bertocci | Microsoft | Vibro.NET
(Not an Expert) NOT Vittorio
8. What problem are we solving?
• How many accounts/passwords do you currently have?
“Various Gartner studies have estimated that 25% to 35% of calls made to help desks are related to password resets”
“Analysts estimate costs at approximately $25 to $40 per call, with four password reset calls per user per year”
9. Case Study | Health Care
• Clinicians use an average of 6.4 passwords per day
• An SSO solution can save an average of 9.51 minutes per day per clinician
• $2,675 per year, per clinician [1]
• 700 full-time equivalent clinicians can save more than $1.88 million per year with an SSO solution in place.
• 1,051 patient beds
• More than 1,710 full-time attending physicians
$2,675 lost productivity per clinician × 1,710 physicians = $4,574,250
[1] Based on a $135K/year salary and 250 working days. Source: The Gartner Group, 2002 & The Ponemon Institute, 2010
13. Terminology
• Claim
  • Anything that can be said about a user
  • Name, email, age, role, gender, sports team affiliation, etc.
• Security Token
  • Serialized collection of claims
  • Crypto-signed by the issuer
• Identity Provider (IdP)
  • The issuer responsible for authenticating the user
• Relying Party
  • An application configured to trust an IdP for authentication (your application)
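The terminology above, as an added example that is not part of the deck or of WIF itself: an Identity Provider serializes claims into a signed Security Token, and a Relying Party accepts it only if it comes from the one IdP it is configured to trust, the signature still matches, and the token is meant for this application and has not expired. It assumes constructed issuer names and keys; an HMAC shared secret stands in for the X.509 certificate signature a real IdP would use, so it runs offline with the Python standard library.

```python
import base64, hmac, json, time
from hashlib import sha256

# Constructed demo keys. A real IdP signs with its X.509 private key and the relying
# party checks the certificate; an HMAC shared secret stands in so this runs offline.
IDP_KEYS = {"https://idp.example.org": b"trusted-idp-key",       # the IdP we trust
            "https://other-idp.example.net": b"other-idp-key"}   # one we do not

def issue_token(issuer, audience, claims, ttl=300):
    """Identity Provider: serialize the claims and sign them (the Security Token)."""
    body = {"iss": issuer, "aud": audience, "exp": int(time.time()) + ttl, "claims": claims}
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    return payload + "." + hmac.new(IDP_KEYS[issuer], payload.encode(), sha256).hexdigest()

class RelyingParty:
    """Your application: configured to trust exactly one IdP for authentication."""
    def __init__(self, trusted_issuer, audience):
        self.trusted_issuer, self.audience = trusted_issuer, audience

    def validate(self, token, now=None):
        """Return the claims if the token is acceptable, otherwise None."""
        now = int(time.time()) if now is None else now
        try:
            payload, sig = token.split(".", 1)
            body = json.loads(base64.urlsafe_b64decode(payload))
        except (ValueError, TypeError):
            return None
        if not isinstance(body, dict) or body.get("iss") != self.trusted_issuer:
            return None                                       # untrusted issuer
        expected = hmac.new(IDP_KEYS[self.trusted_issuer], payload.encode(), sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):            # forged or edited token
            return None
        if body.get("aud") != self.audience or body.get("exp", 0) <= now:
            return None                                       # wrong app or expired
        return body.get("claims")

def demo():
    """Run the flow once: good token, untrusted IdP, claims edited after signing, expiry."""
    idp, app = "https://idp.example.org", "https://app.example.com"
    rp = RelyingParty(idp, app)
    good = issue_token(idp, app, {"name": "Ada", "role": "Clinician"})
    payload, sig = good.split(".")
    body = json.loads(base64.urlsafe_b64decode(payload))
    body["claims"]["role"] = "Administrator"                  # changed after signing
    edited = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode() + "." + sig
    return {"good": rp.validate(good),
            "other_idp": rp.validate(issue_token("https://other-idp.example.net", app, {"name": "Ada"})),
            "edited": rp.validate(edited),
            "expired": rp.validate(good, now=int(time.time()) + 600)}
```

Only the first case yields claims; the token from the other IdP, the token whose claims were changed after signing, and the expired token are all rejected by the Relying Party.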
Windows Identity Foundation is a .NET library that enables developers to externalize identity logic from their application.
- Improves developer productivity
- Enhances security
- Enables interoperability
Twitter is an awesome way of finding out very quickly if your talk stinks.
Meeting Notes (11/12/11 04:32): Vittorio literally wrote "the" book on Windows Identity Foundation. I, on the other hand, am still learning the many aspects of WIF.
Meeting Notes (11/12/11 04:03): Clinicians use multiple applications during the course of a day.
Meeting Notes (11/12/11 04:03): Today, our applications are chained to the particular APIs or their security layer.