Federated Identity Architectures Integrating With The Cloud

  1. Ramnish Singh, IT Advisor, Microsoft Corporation. Session Code:
  2. Agenda
     • Microsoft’s Identity and Access Strategy
     • “Geneva” Claims Based Access
       - User access challenges
       - Identity Metasystem and claims solution
       - Introducing “Geneva” claims based access platform
  3. Identity & Access Customer Challenges
     Compliance
     • Compliance with regulatory requirements
     • Auditable processes for granting access to resources
     Operational Efficiency
     • Reducing help desk burden for end users
     • Managing the complexity of distributed identity information
     IT Security
     • Integrated user provisioning & credential management
     • Ensuring that only authorized users can access resources
     Business Agility
     • Enabling new high business value scenarios
     • Supporting mergers, acquisitions & reorganizations
  4. Customers’ Identity & Access Requirements
     Identity & Access Management
     • Compliance and Audit: Monitoring, reporting, auditing of identity-based access activity
     • Policy Management: Identity policy, user/role-based access policy, federation policy, delegation
     • Access Management: Group management, federation/trust management, entitlements, RBAC
     • Identity & Credential Management: User provisioning, certificate & smartcard management, user self-service
     Identity-Based Access
     • Remote Access: Access resources remotely, e.g. SSL VPN
     • Network Access: Identity-oriented edge access, e.g. NAP
     • App Access: SSO, Web/Ent/Host Access, Federation
     • Info Access: Drive Encryption, ILP, Rights Management
     Identity Infrastructure
     • Identity & Credentials Infrastructure: Directory identity/credentials, InfoCards, meta/virtual directory, basic policy
  5. Microsoft’s Identity & Access Strategy
     Comprehensive Solutions
     • Turnkey Offerings
     • On Premises and Cloud
     • Physical and Virtual
     User Centric
     • Rich Office Integration
     • Consistent User Experience
     • Privacy Enabled
     Open & Extensible
     • Service oriented
     • Application Platform Integration
     • Open and Interoperable
     Best TCO
     • Simplified Licensing
     • Easiest to Deploy
     • Broadest Ecosystem
  6. Introducing “Geneva”
  7. Identity & Access Silos Block Business Needs
     Business Needs
     • Flexible Collaboration: Enable collaboration within the enterprise, across organizational boundaries, and on the Web while satisfying security requirements
     • Business Agility: Improve the ability to react to changing business needs by enabling existing systems to interoperate with new systems such as cloud services and SOA
     User Access Challenges
     • Lack of System Interoperability: Difficult for users to gain access across diverse applications and systems to collaborate seamlessly with other users
     • Hard to Extend User Access: Complex to extend user access from existing applications and systems to new applications and systems; cloud services and SOA could multiply these challenges
     What’s Needed to Solve the Challenges
     • Single Identity Model: A single simplified user access model that works across different applications and systems to enable collaboration while helping to maintain security
     • Interoperability: An open and adaptable user access model that enables identities to interoperate with applications and systems regardless of location or architecture
  8. Shared Industry Solution: Identity Metasystem and Claims
     The industry has created a vision and architecture to address the challenges of identity interoperability.
     What is the Identity Metasystem? A shared industry vision for interoperable identity:
     • Single identity model that works in enterprises, federation and the consumer Web
     • Works with existing IT infrastructures
     • Interoperability based on open protocols
     • Architecture based on claims
     What are Claims? Claims describe identity attributes within the Identity Metasystem:
     • Used to drive application behavior
     • Can disclose identity information selectively
     • Delivered inside security tokens produced by a security token service (STS)
     Learn more about the Identity Metasystem:
     • Overview: http://www.identityblog.com/?p=355
     • A public policy perspective: http://www.ipc.on.ca/images/Resources/up-7laws_whitepaper.pdf
     • OASIS standards body: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=imi
     • An industry association: http://informationcard.net/
     • An open source project: http://www.eclipse.org/org/press-release/20080221_higgins.php
  9. Introducing “Geneva”
     What is “Geneva”?
     • Microsoft’s open platform for simplified and security-enhanced user access based on claims to make user access decisions
     • Based on the shared industry vision for an interoperable Identity Metasystem via claims
     What does “Geneva” include? “Geneva” includes three components for enabling claims-based access:
     • For Developers: “Geneva” Framework for building .NET applications that use claims
     • For IT: “Geneva” Server security token service (STS) for issuing and transforming claims and managing user access
     • For Users: Windows CardSpace “Geneva” helps users navigate access decisions
     Why should I adopt “Geneva”?
     Simplifies User Access
     • Simplifies application development by externalizing user access from applications via claims
     • Reduces development effort with pre-built security logic and .NET tools
     • Helps users navigate multiple logins, manage different personas, and control information sharing
     Streamlines Access Management & Security
     • Helps speed deployment of applications and enhances security via reduced custom implementation work
     • Simplifies user access management with authentication externalized from applications
     • Enables easier collaboration between organizations with automated federation tools
     Enhances Interoperability & Adaptability
     • More quickly adapt user access control methods to meet changing business needs
     • Enables users, applications and systems to work better together regardless of location or architecture
     • Includes built-in interoperability via open industry standards including WS-* and SAML
  10. Illustration of the Full System
      One example of how “Geneva” components might be used together:
      • User: runs Windows CardSpace “Geneva”
      • Identity Provider: “Geneva” Server
      • Relying Party: an app or service built with the “Geneva” Framework; the Relying Party trusts the Identity Provider
      Flow:
      1. A user wants to access an application.
      2. The user gets claims from the Identity Provider.
      3. The user sends the claims to the Relying Party.
      All parties are interoperable via industry standard protocols.
  11. “Geneva” Interoperates with Other Claims Infrastructure
      Mix and match “Geneva” components with 3rd party claims-based STSs, frameworks, and clients:
      • User: Browser, or Windows CardSpace “Geneva”, or a third party identity selector
      • Identity Provider: “Geneva” Server, or Microsoft Services Connector (MSC), or .NET Access Control Service (ACS), or a third party STS
      • Relying Party: an app or service built with the “Geneva” Framework or with a third party framework; the Relying Party trusts the Identity Provider
      Flow:
      1. The user wants to access an application.
      2. The user gets claims from the Identity Provider.
      3. The user sends the claims to the Relying Party.
      Microsoft Services Connector (MSC) and .NET Access Control Service (ACS) are both built on “Geneva” Framework technology and the claims architecture. All parties are interoperable via industry standard protocols.
  12. Example Scenarios
      Simplifies Application Access
      • Step-Up Authentication: Build an application that requires users to step up to a higher level of authentication to approve sensitive transactions
      • Cloud SSO: Extend SSO from on-premises Active Directory to Microsoft cloud services with Microsoft Services Connector or .NET Access Control Service (built on “Geneva” technology)
      Streamlines Access Management & Security
      • Federated Document Collaboration: Enable employees and partners to collaborate with Office documents and SharePoint via federation
      • Managed Info Cards: Issue managed information cards to employees to reduce the need to remember multiple logins
      Enhances Interoperability & Adaptability
      • Legacy Interoperability: Implement “Geneva” to help disparate existing applications achieve seamless user access while laying a foundation to add claims-based apps
      • Flexible Authentication: Change authentication methods across multiple applications from username/password to smart cards
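The three-party exchange on the two "Illustration" slides (a user obtains claims from an identity provider, a federation-provider STS transforms them, and a relying party that trusts the issuer makes the access decision) together with the step-up authentication scenario above, as an added example that is not code from the presentation or from the "Geneva" product. It simplifies the token format: claims are JSON signed with HMAC-SHA256 over a key shared by issuer and verifier, where "Geneva" and SAML use XML tokens signed with X.509 keys. The issuer names (partner-idp, contoso-fp, expense-app), keys, claim types and the claim-mapping rule are all constructed for the example.

```python
# Added example (not from the presentation or the "Geneva" product): a toy
# simulation of the claims exchange. Tokens are JSON signed with HMAC-SHA256
# over a key shared by issuer and verifier; real "Geneva"/SAML tokens are
# XML signed with X.509 keys. Names, keys and claims are all constructed.
import base64, hashlib, hmac, json, time

class TokenError(Exception):
    pass

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def validate_token(token, trusted_issuers, expected_audience, now=None):
    """Accept a token only if it is intact, from a trusted issuer, addressed to us and current."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    body = json.loads(_unb64(payload))
    key = trusted_issuers.get(body.get("iss"))
    if key is None:
        raise TokenError("untrusted issuer: %r" % body.get("iss"))
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise TokenError("bad signature")
    if body.get("aud") != expected_audience:
        raise TokenError("token not addressed to this party")
    if not body["nbf"] <= now < body["exp"]:
        raise TokenError("token expired or not yet valid")
    return body

class SecurityTokenService:
    """STS in the identity-provider role (issue) or federation-provider role (transform)."""
    def __init__(self, name, signing_key, rules=None):
        self.name, self.key = name, signing_key
        self.rules = rules or {}   # (claim type, value) -> replacement claims
        self.trusted = {}          # issuer name -> key, for tokens accepted as input

    def issue(self, subject, claims, audience, lifetime=300, now=None):
        now = time.time() if now is None else now
        body = {"iss": self.name, "sub": subject, "aud": audience,
                "nbf": int(now), "exp": int(now + lifetime), "claims": claims}
        payload = _b64(json.dumps(body, sort_keys=True).encode())
        return payload + "." + _b64(hmac.new(self.key, payload.encode(), hashlib.sha256).digest())

    def transform(self, token, audience, now=None):
        """Validate a partner token, map its claims through the rules, re-issue it for the app."""
        body = validate_token(token, self.trusted, self.name, now)
        out = []
        for c in body["claims"]:
            out.extend(self.rules.get((c["type"], c["value"]), [c]))  # unmatched claims pass through
        return self.issue(body["sub"], out, audience, now=now)

class RelyingParty:
    """An application that externalizes authentication and decides access from claims."""
    def __init__(self, name, trusted):
        self.name, self.trusted = name, trusted

    def authorize(self, token, action, now=None):
        body = validate_token(token, self.trusted, self.name, now)
        claims = {(c["type"], c["value"]) for c in body["claims"]}
        if ("role", "approver") not in claims:
            return "deny"
        if action == "approve-payment" and ("authmethod", "smartcard") not in claims:
            return "step-up"   # sensitive action: ask for a stronger credential first
        return "allow"

def run_scenario(now=1_700_000_000):
    """Constructed walkthrough: partner IdP -> Contoso federation provider -> expense app."""
    partner = SecurityTokenService("partner-idp", b"partner-secret")
    contoso = SecurityTokenService("contoso-fp", b"contoso-secret", rules={
        ("group", "Finance Approvers"): [{"type": "role", "value": "approver"}]})
    contoso.trusted["partner-idp"] = b"partner-secret"
    app = RelyingParty("expense-app", {"contoso-fp": b"contoso-secret"})  # trusts only its own FP
    results = {}

    def attempt(authmethod, action):
        t1 = partner.issue("alice@partner.example",
                           [{"type": "group", "value": "Finance Approvers"},
                            {"type": "authmethod", "value": authmethod}],
                           audience="contoso-fp", now=now)
        t2 = contoso.transform(t1, audience="expense-app", now=now)
        return app.authorize(t2, action, now=now), t1, t2

    results["view_report"], t1, t2 = attempt("password", "view-report")
    results["approve_password"] = attempt("password", "approve-payment")[0]
    results["approve_smartcard"] = attempt("smartcard", "approve-payment")[0]
    payload, sig = t2.split(".")
    forged = _b64(_unb64(payload).replace(b"approver", b"admin")) + "." + sig
    for label, tok, when in [("direct_partner_token", t1, now),  # bypasses the federation provider
                             ("forged_claims", forged, now),      # payload edited, signature stale
                             ("expired", t2, now + 3600)]:
        try:
            results[label] = app.authorize(tok, "view-report", now=when)
        except TokenError as e:
            results[label] = str(e)
    return results
```

Calling run_scenario() walks the flow once per case: the partner's group claim is mapped to a role claim by the federation provider, the application allows a report view on a password login but answers "step-up" for a payment approval until the token carries a smartcard authentication-method claim, and a token from the partner presented directly, a token whose claims were edited after signing, and a stale token are all refused by validate_token before any access decision is made. The application never sees the partner's credentials or directory; it trusts one issuer and reasons only about claims, which is the externalization the slides describe.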
  13. Features
      Developer Experiences
      • Pre-built user access logic based on claims
      • Developer framework and ASP.NET controls
      • Externalize authentication from applications and support multiple authentication types
      Federation
      • Federation provider STS with simple administration tools to quickly set up federations
      • Federation between on-premises directories and cloud services
      • Multi-protocol federation, including WS-* and SAML 2.0 protocols
      Authentication Flexibility
      • Identity provider STS to issue claims and managed CardSpace identities
      • Applications can be built to prompt users for stronger credentials for scenarios requiring higher security
      • Switch authentication types with minimal application re-coding
      Interoperability
      • Built-in interoperability via open industry protocols including WS-* and SAML 2.0
      • STS translates between claims and other protocols to enable claims and non-claims interoperability
      • Implements the industry Identity Metasystem vision for interoperable identity via claims
      User Experiences
      • Next generation CardSpace helps users navigate between multiple logons
      • Streamlined download and installation delivers an efficient Web and client experience with CardSpace
      • User control and transparency for how information is shared
  14. “Geneva” Schedule
      • Beta 1: October 2008
      • Beta 2: 1st Half 2009
      • RTM: 2nd Half 2009
      • Licensing: All three components will be available under the Windows license
      • Ship Vehicle: All three components will be available as separate web downloads
      • Version Support: Beta 1 supports Windows Server 2008 and Windows Vista. Support at RTM will be announced at a later date
  15. Summary
      Single Simplified Identity Model
      • Externalizes user access from applications via claims
      • Reduces application development effort
      • Helps users make identity decisions
      Streamlines Access Management and Security
      • Speeds deployment of applications
      • Consolidates user access management in the hands of IT
      • Automates federation
      Interoperable and Adaptable
      • Flexible to change authentication methods
      • Works independent of location or architecture
      • Interoperable via claims, WS-* and the SAML 2.0 protocol
  16. Developer Benefits
      What does “Geneva” offer developers?
      • “Geneva” Framework: SDK to build claims based applications
      • Windows CardSpace “Geneva”: Identity client platform
      What can developers build with “Geneva”?
      • Claims aware .NET applications
      • User authentication experience with CardSpace “Geneva”
      • Custom security token services (STS)
      Why should developers use “Geneva”?
      Improves Developer Productivity
      • Simplifies application development by externalizing user access from applications via claims
      • Enables developers to code to a single simplified identity model based on claims
      • Includes pre-built security logic with .NET tools to free up time for more value-added work
      Enhances Application Security
      • Helps provide consistent security with a single user access model externalized from applications
      • Enhances consistency of security with pre-built user access logic
      • Provides seamless user access to on-premises software and cloud services
      Interoperable and Extensible
      • Offers built-in interoperability via industry protocols including WS-* and SAML 2.0
      • Implements the industry Identity Metasystem vision for interoperable identity
      • Enables interoperability between users, applications, systems and other resources via claims
  17. IT Professional Benefits
      What does “Geneva” offer IT pros?
      • “Geneva” Server: Security token service (STS) with identity and federation provider roles plus user access management capabilities
      • Windows CardSpace “Geneva”: Authentication client
      What can IT pros do with “Geneva”?
      • Deploy an STS to enable user access to applications via claims
      • Quickly establish federations with partners and customers
      • Issue managed identity cards to users
      Why should IT pros use “Geneva”?
      Streamlines User Access Management
      • Implements a single user access model with native single sign on and easier federation
      • Builds on and interoperates with existing identity infrastructure investments
      • Works with identity management infrastructure such as Active Directory and Identity Lifecycle Manager
      Enhances Application Security
      • Helps provide consistent security with a single user access model externalized from applications
      • Vests more complete control over user access decisions with IT instead of developers
      • Provides seamless access between on-premises software and cloud services
      Interoperable & Adaptable
      • Based on industry standard protocols including WS-* and SAML 2.0 for interoperability
      • Meet new business needs faster by allowing applications and infrastructure to evolve independently
      • Integrates new authentication methods with fewer application code changes
  18. Comparing AD FS, CardSpace 1, WCF with “Geneva”
      • “Geneva” Framework compared with WCF
      • “Geneva” Server compared with AD FS 1.1
      • CardSpace “Geneva” compared with CardSpace 1.0
      “Geneva” adds:
      • End to end claims support
      • Pre-built ASP.NET controls
      • Passive browser federation
      • WS-* protocols
      • Federate Office documents
      • Self-issued information cards
      • SAML 2.0 protocol support
      • Federated SharePoint
      • Native SSO
      • Federated rights management
      • Active client federation
      • Automated trust management
      • Managed information cards
      • Streamlined client UI
  19. “Geneva” Beta 1 vs. Future Features
      “Geneva” Framework
      Beta 1 features:
      • Externalize authentication from the app
      • Multiple authentication types supported
      • Step-up authentication
      • Write apps to accept managed CardSpace identities
      • SAML 2.0 token format
      • Transform claims into Kerberos tokens
      • Provision an STS in relying party apps
      Features we will add by RTM:
      • SAML 2.0 IDP and SP protocol support for SSO
      • Identity delegation
      “Geneva” Server
      Beta 1 features:
      • Identity provider integrated with Active Directory
      • SAML 2.0 protocol for SP for SSO
      • Issue managed CardSpace identities
      • SAML 2.0 protocol for IDP for SSO
      • SAML 2.0 token format
      • Transform claims into Kerberos tokens
      • Easy trust establishment
      Features we will add by RTM:
      • Automated trust management
      • Support for alternate identity attribute stores
      • Issue multiple CardSpace identities for multiple user roles
      • Extranet access support
      • PowerShell support
      • Identity delegation management
      • Interoperability of WS-Fed with mobile and other low-performance clients
      CardSpace “Geneva”
      Beta 1 features:
      • Support for managed information card issuance
      • Small download (less than 5 MB)
      • Streamlined UI
      Features we will add by RTM:
      • User self-issued information cards
      • Backward compatibility for Windows apps
      • Challenge-response for authentication assurance
      • Secure desktop
      • Inline UI for websites
  20. “Geneva” Beta 1 vs. Future Scenarios
      Beta 1 scenarios:
      • Enable employees and partners to collaborate with Office documents and SharePoint via federation.
      • Extend single sign on from an on-premises directory such as Active Directory to cloud services such as those offered by Live.
      • Build an application that asks users to step up to a higher level of authentication based on context.
      • Build an application that later allows IT to change authentication methods from username/password to smart cards without app code changes.
      • Issue managed information cards to employees to reduce the need to remember multiple logins.
      • Implement “Geneva” to help an existing Kerberos application achieve seamless user access while laying a foundation to add claims-based apps.
      Scenarios we will enable by final release:
      • Accept self-issued information cards on an e-commerce website to speed checkout and improve security.
      • Build a chain of applications and services that act on behalf of users while maintaining control of identity disclosure within claims.
      • Implement federation with partners on heterogeneous infrastructures and maintain trusts automatically.
  21. Demo
  22. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.