Software + Services Identity Roadmap

SVC10. Software + Services Identity Roadmap. Kim Cameron, Distinguished Engineer, Microsoft Corporation, http://www.identityblog.com. Agenda: review of the claims-based architecture and status report on Microsoft’s progress.


Presentation Transcript


  1. SVC10 Software + Services Identity Roadmap Kim Cameron Distinguished Engineer Microsoft Corporation http://www.identityblog.com

  2. Agenda • Review of the claims-based architecture and status report on Microsoft’s progress

  3. Agenda
  • Review of the claims-based architecture and status report on Microsoft’s progress
  • Beyond promises to reality
    • Three Architect-Engineers who bet on claims to produce their products talk about the Good, the Bad and the Ugly
  • Directions
    • Progress on authorization
    • OpenID identity selector
    • ‘M’ Model: System.Identity

  4. Problem Statement
  • The first two lines of any application
    • Who are you?
    • What are you allowed to do?
  • Identity is an input
    • The “mouse” or “keyboard” of collaboration and social networking
  • Big architectural problem
    • The Internet was built without any way of knowing who you are connecting to
  • Many scenarios and requirements
    • Internet, intranet, cloud, federation, thin client, rich client, …
  • Many technology choices
    • Kerberos, SAML, X.509, OpenID, …
  • No single technology satisfies all requirements

  5. The Claims-Based Model
  • Claims-based model
    • Abstraction layer for authenticating, authorizing, obtaining information about users, devices and services
  • Claim: statement made by one subject about another subject that is in doubt
    • Email = kcameron@microsoft.com
    • Age > 21
    • Manager = John Doe
    • Role = Architect
  • Identity Metasystem: open standards-based architecture for exchange of claims under user control
    • “Claims transformers” that match impedance
    • Write to model, let infrastructure adapt to environment

  6. Claims Architecture (diagram: Client, Claims Provider, and Relying Party running Your App on the Claims Framework, with Federation between the provider and the relying party)
  • Step 1: the Client authenticates to the Claims Provider
  • Step 2: the Claims Provider looks up claims and transforms them for the application trust
  • Step 3: the Claims Provider returns claims to the Client
  • Step 4: the Client sends claims to the Relying Party (Your App, on the Claims Framework)

  7. Microsoft Identity Software + Services
  One identity model that puts users in control of their identities: Improved Productivity, Improved Security, Interoperability
  • Services: Windows Live ID, Microsoft Federation Gateway, .Net Access Control Service
  • Software: Active Directory Federation Services 2.0, Windows CardSpace 2.0, Windows Identity Foundation
  • Claims-Based Access

  8. What We’re Announcing Today
  • Windows Identity Foundation RTW
    • Extension to .Net for claims-based identity
    • http://www.microsoft.com/wif

  9. Select Partner Stories and lessons learned

  10. Claims Based Access and Microsoft Dynamics CRM “5” (partner: Andrew Bybee, Principal Program Manager, Microsoft Dynamics CRM)

  11. Microsoft Dynamics CRM “5”
  • Identity challenges
    • Custom authentication code
    • Grant access to users at partner organizations
    • Mash up: single sign on across applications across companies
    • Support browser, rich, and mobile clients

  12. Partner User Access to CRM (diagram: AD FS 2.0 at the Partner or Supplier in a trust relationship with AD FS 2.0 at the Enterprise, giving partner access to CRM “5”)
  • Public sector and large organizations
  • Browser, mobile, Office, and third party clients

  13. Claims Based Identity in Microsoft SharePoint 2010 (partner: Venky Veeraraghavan, Program Manager, SharePoint Server)

  14. Seamless Identity Flow In, Through and Out of SharePoint
  • Use customer Identity Providers
  • Automatic & secure identity delegation
  • Authorization over application specific roles
  • “No-credential” access to web services
  (diagram: identity flows from the Client to the Web Server (Hop 1), the App Server (Hop 2) and Web Services (Hop ‘n’), with SharePoint Content served by the web server)

  15. Demo: ‘External List’

  16. Quest Recovery Manager for AD OnDemand (partner: Dmitry Sotnikov, Manager, New Product Research, Quest Software)

  17. Recovery Manager for AD OnDemand
  • Identity challenges
    • Hosted service in Windows Azure
    • Customers sign in with Live IDs or AD
    • Quest employees sign in with AD
    • Single sign on across services

  18. Recovery Manager for AD OnDemand (diagram: the Recovery Manager Service hosted in Windows Azure with its Configuration Database and User Data, a Custom STS, and Live ID or Enterprise AD FS 2.0 as identity providers)
  • Step 1: Authenticate (with Live ID or the Enterprise AD FS 2.0)
  • Step 2: Get security token (from the Custom STS)
  • Step 3: Access service & data

  19. Directions
  • Having claims platform is just a foundation
  • Now we’re building on the foundation, just like our customers and partners are
  • Sharing our thinking on future directions
    • Authorization
    • OpenID and Information Card convergence
    • Our work on next generation Active Directory schema and programming model

  20. Authorization: .Net ACS CTP
  • Claims-based, rules-driven authorization for REST web services
  • Developed with Google, Yahoo
    • OAuth Web Resource Authorization Protocol (WRAP)
    • Simple Web Tokens (SWT)
  • Integrated with WIF and AD FS 2.0
  http://www.microsoft.com/windowsazure/dotnetservices/
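The four-step claims flow of slide 6 and the Simple Web Token format of slide 20, worked through as an added example (not code from the deck, and not Microsoft's WIF or ACS implementation): a claims provider mints an SWT carrying the kind of claims listed on slide 5, and the relying party validates the signature, issuer, audience and expiry before a claims transformer maps the provider's Role claim onto the application's own permissions. The key, issuer and audience values are constructed for the demo.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Constructed demo values: the shared symmetric key, the claims provider (STS)
# and the relying party the token is intended for.
KEY = b"constructed-demo-key-not-for-real-use"
ISSUER = "https://sts.example.test"
AUDIENCE = "https://app.example.test"

def _sign(body, key):
    # SWT signature: HMAC-SHA256 over the form-encoded pairs, base64-encoded.
    return base64.b64encode(hmac.new(key, body.encode(), hashlib.sha256).digest())

def issue_swt(claims, now, key=KEY, ttl=300):
    # Steps 2-3 of the claims flow: the provider looks up the subject's claims,
    # stamps Issuer/Audience/ExpiresOn (seconds since epoch) and signs the token.
    pairs = list(claims.items()) + [("Issuer", ISSUER), ("Audience", AUDIENCE),
                                    ("ExpiresOn", str(now + ttl))]
    body = urlencode(pairs)
    return body + "&HMACSHA256=" + quote(_sign(body, key).decode(), safe="")

def validate_swt(token, now, key=KEY):
    # Step 4: the relying party checks signature, issuer, audience and expiry
    # before any claim in the token is trusted.
    body, sep, sig = token.rpartition("&HMACSHA256=")
    if not sep:
        raise ValueError("token is not signed")
    if not hmac.compare_digest(unquote(sig).encode(), _sign(body, key)):
        raise ValueError("bad signature")
    claims = dict(parse_qsl(body, keep_blank_values=True))
    if claims.get("Issuer") != ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("Audience") != AUDIENCE:
        raise ValueError("token not meant for this relying party")
    if int(claims.get("ExpiresOn", "0")) <= now:
        raise ValueError("token expired")
    return claims

# Claims transformer ("match impedance"): the application reasons in its own
# permission vocabulary, not the provider's; unknown roles map to nothing.
ROLE_PERMISSIONS = {"Architect": {"design:read", "design:write"},
                    "Reviewer": {"design:read"}}

def app_permissions(claims):
    return set(ROLE_PERMISSIONS.get(claims.get("Role"), ()))

if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_swt({"Email": "kcameron@microsoft.com", "Role": "Architect"}, now)
    print(app_permissions(validate_swt(token, now)))
```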

  21. OpenID
  • Key part of Identity Metasystem
  • 50,000 destination sites
  • US Government sites to be OpenID enabled
  • Major portals are OpenID providers
    • Yahoo, Google, MySpace, AOL
  • Live ID to become OpenID provider in 2010
  • Lessons learned from CTP (Oct 2008-Aug 2009): http://winliveid.spaces.live.com/blog/cns!AEE1BB0D86E23AAC!1791.entry

  22. OpenID Challenges
  • Usability issues make it hard for most people to understand
    • Destination sites show selection of providers that may not include accounts you have or want to use
  • Security issues make it unsuitable for high-value interactions
    • Rogue site may redirect user to phisher posing as user’s provider
  • Client software that remembers identities you use can help address both issues
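The mitigation on slide 22, client software that remembers the identities you use, as an added example (not code from the deck or from Windows CardSpace): a selector keeps the provider endpoints the user has signed in with before and only follows a relying party's sign-in redirect when it targets one of them, so a rogue site cannot steer the browser to a look-alike host, an http downgrade, or a userinfo-disguised URL. The remembered endpoint is a constructed value.

```python
from urllib.parse import urlsplit

# Provider endpoints this user has previously signed in with (constructed value).
REMEMBERED = {"https://openid.provider.test/auth"}

def redirect_allowed(redirect_url, remembered=REMEMBERED):
    """Return True only if redirect_url targets a remembered provider endpoint.

    The OpenID request parameters travel in the query string, so matching is
    done on scheme, host, port and path; the query is deliberately ignored.
    """
    parts = urlsplit(redirect_url)
    if parts.scheme != "https":
        return False                 # never follow a downgrade to plaintext
    if parts.username or parts.password:
        return False                 # https://provider@evil.test style disguise
    try:
        port = parts.port
    except ValueError:
        return False                 # malformed port
    for known in remembered:
        k = urlsplit(known)
        if (parts.hostname == k.hostname and port == k.port
                and parts.path == k.path):
            return True
    return False                     # unknown provider: ask the user instead

if __name__ == "__main__":
    for url in ("https://openid.provider.test/auth?openid.mode=checkid_setup",
                "http://openid.provider.test/auth",
                "https://openid-provider.test/auth",
                "https://openid.provider.test@evil.test/auth"):
        print(redirect_allowed(url), url)
```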

  23. Directions: OpenID/InfoCard Integration demo (Kim Cameron, Distinguished Engineer, Identity and Access)

  24. More to Identity than Claims in Tokens
  • Beyond authentication, applications also need
    • To find people, resources, policies
    • To leverage relationships between identities
  • We need a Directory Metasystem along lines of Identity Metasystem
    • Work holistically in cloud, in enterprises, on devices
    • Shared architecture, data model and semantics, protocols, publication paradigm
    • Simple APIs integrated with developer platforms
  • Working on next generation directory federation service that will “clamp on” to existing Active Directory

  25. ‘M’ Model: System.Identity
  New way of representing identity data
  • Logical schema for “directory” information
  • Represents parties with multiple identities and relationships through kinds, party to party relationships
  • Extensible without disturbing base schema and implementations
  • Built-in support for multiple tenants, federation, expiration of directory data
  • Accessed through API which exposes “logical model” via LINQ

  26. “Top Ten” New Directory Queries
  • Who are all the “architects” inside my organization?
  • What is the email address of the person who just called me?
  • Who had access to this resource last June?
  • What are the email addresses of all FTEs in my division?
  • How to send email to the members of this security group?
  • How to grant John, a lawyer, access to sites of small businesses for which he works?
  • How to rename a domain without breaking security?
  • How to build a personal distribution list and share it?
  • How to delegate access to Joe while Sally is out of town?
  • Who can approve Gert’s expense report?

  27. Directions: System.Identity demo (Gert Drapers, Principal Architect, Identity and Access Platform)

  28. Identity @ PDC 2009
  • Visit us at the booth in the pavilion
  • Try hands on labs
    • Introduction to Windows Identity Foundation
    • Using WIF to Secure Windows Azure Applications
    • Introduction to the .Net Access Control Service
  • Attend sessions

  29. What To Do Next
  • Reflect on identity and your application
  • Consider what our guests have said about how to change paradigms
  • Download and try out identity kits, samples
  • Attend our sessions
  • Get ready for the identity Big Bang
  • Join the conversation: http://www.identityblog.com

  30. YOUR FEEDBACK IS IMPORTANT TO US! Please fill out session evaluation forms online at MicrosoftPDC.com

  31. Learn More On Channel 9
  • Expand your PDC experience through Channel 9
  • Explore videos, hands-on labs, sample code and demos through the new Channel 9 training courses: channel9.msdn.com/learn
  Built by Developers for Developers…
