Claim based Authentication
Presented by: Sean Xiong

About me
• First Name: HuangTao (since 16 years old); Tao is my real name.
• Surname: XIONG (pronounced similarly to “Sean” & means in Chinese).
• Research Engineer @ SSRG & work on Yuruware Monitor.
• Studied at UNSW between Mar 2008 and Nov 2009 for a Master's degree in Information Technology.
• Studied at Jilin University, China, from July 2003 to July 2007 for a Bachelor's degree of Engineering in Software Engineering.

Problems with current Authentication
As application users:
• Users make several user accounts at several portals/websites.
• Every time, users have to remember the credentials for the corresponding website.
• If users do not remember username & password.
As application developers:
• You have to develop an authentication unit for each of your products.
• Wastes time and $$$$$.
• May lose opportunities.

But the web scenario is much more complicated
Challenges:
• Who are the Identity Providers?
• What data (Identity) does the Relying Party need?
• What data can be transferred from the Identity Provider, and in which form?
• How does the Relying Party (application) trust the Identity Provider?
So, we need a mechanism.

Claim based Authentication
Who is the Identity Provider?
• There are a couple of Identity Providers nowadays, like Google, Facebook...
• We can even develop our own Identity Provider for our products.
What data (Identity) is needed, and in which form?
• Identity is a group of information that can uniquely identify anything, e.g. a user credential.
• In the digital era, Identity is passed as a stream of bytes known as a “Token”, which contains a set of “Claims”.
How does the Relying Party trust the Identity Provider?
• The Relying Party (application) tells the Client where to get the Identity, and verifies the Token by checking its signature.

Complete scenario
[Diagram: Clients, Selector, Identity Provider, Application (Relying Party)]
1. Request Service
2. Invoke Selector & Request Claims
3. Select Identity Provider & Authenticate to Identity Provider
4. Passes Token to application
5. Verifies Token & allow access
6. Provides service

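Added example, not part of the original slides: steps 4 and 5 of the scenario in Python, with the Relying Party accepting the claims only after the signature, issuer, audience and expiry checks pass. The issuer URL, the HMAC shared key, the `aud`/`exp` claims and all function names are assumptions made for illustration; public Identity Providers commonly sign with an asymmetric key instead of a shared one.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values: issuer URL and shared key are assumptions.
TRUSTED_ISSUERS = {"https://idp.example": b"constructed-demo-key"}

def b64url(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(issuer, key, claims, audience, now=None, ttl=300):
    """Identity Provider: serialize the claims and sign them."""
    now = int(time.time()) if now is None else now
    body = dict(claims, iss=issuer, aud=audience, exp=now + ttl)
    payload = b64url(json.dumps(body, sort_keys=True).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + b64url(sig)

def verify_token(token, audience, now=None):
    """Relying Party: return the claims only if every check passes."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".")
        claims, given = json.loads(b64url_decode(payload)), b64url_decode(sig)
    except ValueError:
        raise ValueError("malformed token") from None
    # The issuer named in the token only selects a key from our own trust list.
    iss = claims.get("iss") if isinstance(claims, dict) else None
    if not isinstance(iss, str) or iss not in TRUSTED_ISSUERS:
        raise ValueError("untrusted issuer")
    expected = hmac.new(TRUSTED_ISSUERS[iss], payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):  # constant-time comparison
        raise ValueError("bad signature")
    if claims.get("aud") != audience:
        raise ValueError("token issued for another relying party")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims

def demo():
    key = TRUSTED_ISSUERS["https://idp.example"]
    token = issue_token("https://idp.example", key,
                        {"sub": "user-1", "email": "user@example.com"},
                        audience="app.example", now=1000)
    return token, verify_token(token, "app.example", now=1100)

if __name__ == "__main__":
    print(demo()[1])
```
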
Should we use it?
• Yes, we should, because it fixes the current problems.
• Google, Apple, MS and many others are doing authentication in similar ways.