SVC10: Software + Services Identity Roadmap
Kim Cameron, Distinguished Engineer, Microsoft Corporation
http://www.identityblog.com
Agenda
• Review of the claims-based architecture and status report on Microsoft’s progress
• Beyond promises to reality: three architect-engineers who bet on claims to produce their products talk about the Good, the Bad and the Ugly
• Directions
  • Progress on authorization
  • OpenID identity selector
  • ‘M’ Model: System.Identity
Problem Statement
• The first two lines of any application
  • Who are you?
  • What are you allowed to do?
• Identity is an input: the “mouse” or “keyboard” of collaboration and social networking
• Big architectural problem: the Internet was built without any way of knowing who you are connecting to
• Many scenarios and requirements: Internet, intranet, cloud, federation, thin client, rich client, …
• Many technology choices: Kerberos, SAML, X.509, OpenID, …
• No single technology satisfies all requirements
The Claims-Based Model
• Abstraction layer for authenticating, authorizing, and obtaining information about users, devices and services
• Claim: a statement made by one subject about another subject that is in doubt, for example
  • Email = kcameron@microsoft.com
  • Age > 21
  • Manager = John Doe
  • Role = Architect
• Identity Metasystem: open, standards-based architecture for the exchange of claims under user control
• “Claims transformers” that match impedance between what an identity provider issues and what an application expects
• Write to the model, and let the infrastructure adapt to the environment
Claims Architecture (diagram)
1. The client (federation client) authenticates to the Claims Provider
2. The Claims Provider looks up the claims and transforms them for the application’s trust
3. The Claims Provider returns the claims to the client
4. The client sends the claims to Your App (the Relying Party), which consumes them through the claims framework
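The four-step flow above, as an added Python example rather than code from the talk or from WIF. The issuer name, the directory entries, the group-to-role rule and the relying party’s policy are all constructed for the example; the point is that the provider transforms directory attributes into the claims the app trusts (a derived "age over 21" instead of the birthdate, a role instead of a group), and the app authorizes on claims from the trusted issuer only.

```python
"""Claims flow: client authenticates to a claims provider (1), the provider
looks up attributes and transforms them into the claims the app trusts (2)
and returns them (3), the client hands them to the app, which authorizes on
claims alone and never sees the credential (4).
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date

ISSUER = "urn:example:claims-provider"   # assumed issuer name


@dataclass(frozen=True)
class Claim:
    type: str     # e.g. "email", "role", "age_over_21"
    value: str
    issuer: str   # who asserted it; the relying party checks this first


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed directory (assumption). Hashes are built at import time so the
# sample stays self-contained; a real provider would store them.
_SALT = os.urandom(16)
DIRECTORY = {
    "kcameron": {
        "password_hash": _hash_password("correct horse", _SALT),
        "email": "kcameron@microsoft.com",
        "birthdate": date(1980, 6, 15),
        "groups": {"Architects", "AllEmployees"},
        "manager": "John Doe",
    },
    "intern": {
        "password_hash": _hash_password("battery staple", _SALT),
        "email": "intern@microsoft.com",
        "birthdate": date(1990, 12, 1),
        "groups": {"AllEmployees"},
        "manager": "John Doe",
    },
}

# Claims transformer rule (assumption): directory group -> application role.
# Groups without a rule produce no claim, so the app never learns them.
GROUP_TO_ROLE = {"Architects": "Architect"}


def authenticate(username, password):
    """Step 1. Hash even for unknown users so timing does not reveal which
    usernames exist."""
    entry = DIRECTORY.get(username)
    candidate = _hash_password(password, _SALT)
    return entry is not None and hmac.compare_digest(entry["password_hash"], candidate)


def _age(birthdate, today):
    return today.year - birthdate.year - (
        (today.month, today.day) < (birthdate.month, birthdate.day))


def get_claims(username, password, today=None):
    """Steps 1 to 3: authenticate, look up and transform, return claims.
    `today` is an ISO date string for reproducible age checks (default: now)."""
    if not authenticate(username, password):
        raise PermissionError("authentication failed")
    entry = DIRECTORY[username]
    ref = date.fromisoformat(today) if today else date.today()
    claims = [
        Claim("email", entry["email"], ISSUER),
        Claim("manager", entry["manager"], ISSUER),
        # Derived claim: the app learns the answer to "Age > 21?" but never the birthdate.
        Claim("age_over_21", str(_age(entry["birthdate"], ref) > 21).lower(), ISSUER),
    ]
    claims += [Claim("role", GROUP_TO_ROLE[g], ISSUER)
               for g in sorted(entry["groups"]) if g in GROUP_TO_ROLE]
    return claims


# Relying party policy (assumption): action -> claim that must be present.
POLICY = {
    "edit-architecture": ("role", "Architect"),
    "age-restricted-purchase": ("age_over_21", "true"),
}


def authorize(claims, action):
    """Step 4. Only claims from the trusted issuer count: a self-asserted
    role=Architect is ignored outright, not merely ranked lower."""
    trusted = {(c.type, c.value) for c in claims if c.issuer == ISSUER}
    return POLICY.get(action) in trusted
```

The app code never touches a password or a directory group; if the provider is swapped for a partner’s federation server, only `ISSUER` and the transformer rules change.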
Microsoft Identity Software + Services (diagram): one identity model that puts users in control of their identities
• Goals: improved productivity, improved security, interoperability
• Services: Windows Live ID, Microsoft Federation Gateway, .Net Access Control Service
• Claims-based access spans the services and the software
• Software: Active Directory Federation Services 2.0, Windows CardSpace 2.0, Windows Identity Foundation
What We’re Announcing Today
• Windows Identity Foundation RTW: an extension to .Net for claims-based identity
• http://www.microsoft.com/wif
Claims Based Access and Microsoft Dynamics CRM “5” (partner segment)
Andrew Bybee, Principal Program Manager, Microsoft Dynamics CRM
Microsoft Dynamics CRM “5”
• Identity challenges
  • Custom authentication code
  • Grant access to users at partner organizations
  • Mash up: single sign on across applications across companies
  • Support browser, rich, and mobile clients
Partner User Access to CRM (diagram)
• Public sector and large organizations
• Browser, mobile, Office, and third-party clients
• Flow: the partner or supplier’s AD FS 2.0 holds a federation trust with the enterprise’s AD FS 2.0, which gives partner users access to CRM “5”
Claims Based Identity in Microsoft SharePoint 2010 (partner segment)
Venky Veeraraghavan, Program Manager, SharePoint Server
Seamless Identity Flow In, Through and Out of SharePoint
• Use customer identity providers
• Automatic and secure identity delegation
• Authorization over application-specific roles
• “No-credential” access to web services
Diagram: Client → Web Server (hop 1) → App Server (hop 2) → Web Services (hop ‘n’), with the identity flowing across each hop to reach SharePoint content
Quest Recovery Manager for AD OnDemand (partner segment)
Dmitry Sotnikov, Manager, New Product Research, Quest Software
Recovery Manager for AD OnDemand
• Identity challenges
  • Hosted service in Windows Azure
  • Customers sign in with Live IDs or AD
  • Quest employees sign in with AD
  • Single sign on across services
Recovery Manager for AD OnDemand (diagram)
1. Authenticate: users sign in with Live ID or with the enterprise’s AD FS 2.0
2. Get a security token from the custom STS
3. Access the Recovery Manager Service and its data (configuration database and user data), hosted in Windows Azure
Directions
• Having a claims platform is just a foundation
• Now we’re building on the foundation, just like our customers and partners are
• Sharing our thinking on future directions
  • Authorization
  • OpenID and Information Card convergence
  • Our work on the next generation Active Directory schema and programming model
Authorization: .Net ACS CTP
• Claims-based, rules-driven authorization for REST web services
• Developed with Google and Yahoo
  • OAuth Web Resource Authorization Protocol (WRAP)
  • Simple Web Tokens (SWT)
• Integrated with WIF and AD FS 2.0
http://www.microsoft.com/windowsazure/dotnetservices/
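Issuing and validating a Simple Web Token, as an added Python example (not ACS or WIF code). An SWT is a set of form-encoded name=value pairs; Issuer, Audience and ExpiresOn (seconds since the Unix epoch) are required, and the final HMACSHA256 pair is an HMAC-SHA256 over everything before it, keyed with a 256-bit secret the issuer and the relying party share. The key, issuer and audience values are constructed for the example.

```python
"""Simple Web Token (SWT): issue with a shared 256-bit key, validate the
signature before reading any field, then check issuer, audience and expiry."""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, unquote, urlencode

SIG_FIELD = "HMACSHA256"
RESERVED = ("Issuer", "Audience", "ExpiresOn", SIG_FIELD)


def issue_swt(claims, issuer, audience, key, lifetime=600, now=None):
    """Build a signed SWT carrying `claims` (a dict of name -> value)."""
    if any(k in RESERVED for k in claims):
        raise ValueError("claims must not use reserved SWT field names")
    now = int(time.time()) if now is None else now
    body = urlencode(list(claims.items()) + [
        ("Issuer", issuer),
        ("Audience", audience),
        ("ExpiresOn", str(now + lifetime)),
    ])
    mac = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    # The MAC is base64, then form-encoded so '+', '/' and '=' survive transport.
    return f"{body}&{SIG_FIELD}={quote(base64.b64encode(mac).decode('ascii'), safe='')}"


def validate_swt(token, issuer, audience, key, now=None):
    """Return the claims in `token` or raise ValueError.

    Order matters: the signature is verified before any field is read, so
    Issuer, Audience and ExpiresOn are only trusted once they are authentic.
    """
    now = int(time.time()) if now is None else now
    body, sep, sig = token.rpartition(f"&{SIG_FIELD}=")
    if not sep or "&" in sig:
        raise ValueError("signature missing or not the last field")
    try:
        given = base64.b64decode(unquote(sig), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError("signature is not valid base64") from exc
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise ValueError("bad signature")
    fields = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    if fields.get("Issuer") != [issuer]:
        raise ValueError("untrusted issuer")
    if fields.get("Audience") != [audience]:
        raise ValueError("token was not issued for this audience")
    try:
        expires = int(fields["ExpiresOn"][0])
    except (KeyError, ValueError) as exc:
        raise ValueError("missing or malformed ExpiresOn") from exc
    if expires <= now:
        raise ValueError("token expired")
    return {k: v[0] if len(v) == 1 else v
            for k, v in fields.items() if k not in RESERVED}


def swt_is_valid(token, issuer, audience, key, now=None):
    """Boolean convenience wrapper around validate_swt."""
    try:
        validate_swt(token, issuer, audience, key, now)
    except ValueError:
        return False
    return True
```

Because the signature covers the whole body, the relying party cannot safely skip the audience check: a token minted for one service validates cryptographically at every service that shares the key, and only the Audience field keeps it from being replayed across them.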
OpenID
• Key part of the Identity Metasystem
• 50,000 destination sites
• US Government sites to be OpenID enabled
• Major portals are OpenID providers: Yahoo, Google, MySpace, AOL
• Live ID to become an OpenID provider in 2010
• Lessons learned from the CTP (Oct 2008 to Aug 2009): http://winliveid.spaces.live.com/blog/cns!AEE1BB0D86E23AAC!1791.entry
OpenID Challenges
• Usability issues make it hard for most people to understand
  • Destination sites show a selection of providers that may not include accounts you have or want to use
• Security issues make it unsuitable for high-value interactions
  • A rogue site may redirect the user to a phisher posing as the user’s provider
• Client software that remembers the identities you use can help address both issues
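Two checks against the redirect attack just described, as an added Python example (not code from the talk or from any identity selector). The first is the client-side mitigation the slide points at: a selector that remembers the user’s providers follows a checkid redirect only when its origin (scheme, host, port) exactly matches a remembered endpoint, alongside the substring shortcut that a look-alike host defeats. The second is the provider-side rule from OpenID 2.0 section 9.2 that openid.return_to must lie within openid.realm, so an assertion cannot be bounced to a site outside the realm the user approved. All URLs are constructed.

```python
"""Identity-selector origin check and OpenID 2.0 realm matching."""
from urllib.parse import parse_qs, urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def _origin(url):
    """(scheme, lower-cased host, effective port) for exact comparison."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def selector_allows(redirect_url, remembered_endpoints):
    """True only for an https OpenID checkid request whose origin equals a
    remembered provider endpoint. No suffix or substring matching."""
    u = urlsplit(redirect_url)
    if u.scheme.lower() != "https":
        return False
    mode = parse_qs(u.query).get("openid.mode", [""])[0]
    if mode not in ("checkid_setup", "checkid_immediate"):
        return False
    return _origin(redirect_url) in {_origin(e) for e in remembered_endpoints}


def naive_selector_allows(redirect_url, remembered_endpoints):
    """The trap: "my provider's host name appears in the redirect host".
    A look-alike such as openid.provider.example.evil.test passes this."""
    host = (urlsplit(redirect_url).hostname or "").lower()
    return any((urlsplit(e).hostname or "").lower() in host
               for e in remembered_endpoints)


def return_to_matches_realm(return_to, realm):
    """OpenID 2.0 section 9.2: same scheme and port; host equal to the realm
    host, or for a '*.' realm the realm domain or a subdomain of it (this
    implementation accepts the bare domain too); return_to path equal to the
    realm path or a sub-directory of it; the realm may not carry a fragment."""
    r, m = urlsplit(return_to), urlsplit(realm)
    if m.fragment or not m.scheme or not m.hostname:
        return False
    r_scheme, r_host, r_port = _origin(return_to)
    m_scheme, m_host, m_port = _origin(realm)
    if r_scheme != m_scheme or r_port != m_port:
        return False
    if m_host.startswith("*."):
        domain = m_host[2:]
        if not domain or not (r_host == domain or r_host.endswith("." + domain)):
            return False
    elif r_host != m_host:
        return False
    m_path, r_path = m.path or "/", r.path or "/"
    if m_path.endswith("/"):
        return r_path.startswith(m_path)
    return r_path == m_path or r_path.startswith(m_path + "/")
```

The two checks sit on different parties: only the user agent can refuse to hand a password to a look-alike provider, and only the provider can stop a destination site from naming a return address outside its own realm.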
Directions: OpenID/InfoCard Integration (demo)
Kim Cameron, Distinguished Engineer, Identity and Access
More to Identity than Claims in Tokens
• Beyond authentication, applications also need
  • To find people, resources, policies
  • To leverage relationships between identities
• We need a Directory Metasystem along the lines of the Identity Metasystem
  • Work holistically in the cloud, in enterprises, on devices
  • Shared architecture, data model and semantics, protocols, publication paradigm
  • Simple APIs integrated with developer platforms
• Working on a next generation directory federation service that will “clamp on” to existing Active Directory
‘M’ Model: System.Identity, a new way of representing identity data
• Logical schema for “directory” information
• Represents parties with multiple identities and relationships through kinds and party-to-party relationships
• Extensible without disturbing the base schema and implementations
• Built-in support for multiple tenants, federation, expiration of directory data
• Accessed through an API which exposes the “logical model” via LINQ
“Top Ten” New Directory Queries
• Who are all the “architects” inside my organization?
• What is the email address of the person who just called me?
• Who had access to this resource last June?
• What are the email addresses of all FTEs in my division?
• How do I send email to the members of this security group?
• How do I grant John, a lawyer, access to the sites of the small businesses for which he works?
• How do I rename a domain without breaking security?
• How do I build a personal distribution list and share it?
• How do I delegate access to Joe while Sally is out of town?
• Who can approve Gert’s expense report?
Directions: System.Identity (demo)
Gert Drapers, Principal Architect, Identity and Access Platform
Identity @ PDC 2009
• Visit us at the booth in the pavilion
• Try the hands-on labs
  • Introduction to Windows Identity Foundation
  • Using WIF to Secure Windows Azure Applications
  • Introduction to the .Net Access Control Service
• Attend sessions
What To Do Next
• Reflect on identity and your application
• Consider what our guests have said about how to change paradigms
• Download and try out the identity kits and samples
• Attend our sessions
• Get ready for the identity Big Bang
• Join the conversation: http://www.identityblog.com