
Identity as a collaborative foundation




Presentation Transcript


  1. Identity as a collaborative foundation Kim Cameron Chief Architect Of Identity Distinguished Engineer Microsoft

  2. Identity • The stuff of Poets and Philosophers • Great pursuit, no expertise

  3. Digital Identity • How the web and the virtual world recognize us in different contexts • Foundation for personalization • The social “mouse” or “keyboard” • Foundation for collaboration and social phenomena • We can’t collaborate over time if I can’t recognize and refer to you

  4. Architectural Problem • The Internet was not designed with any way to know who you’re dealing with or connecting to • Patchwork quilt of kludges • kludge (kluːdʒ) Also kluge - 'An ill-assorted collection of poorly-matching parts, forming a distressing whole' (Granholm); esp. in Computing, a machine, system, or program that has been improvised or 'bodged' together; a hastily improvised and poorly thought-out solution to a fault or 'bug'. … • (The word 'kludge' is...derived from the same root as the German Kluge..., originally meaning 'smart' or 'witty'.... 'Kludge' eventually came to mean 'not so smart' or 'pretty ridiculous'.)

  5. Who are you? What are you allowed to do? How should your experience be personalized? • One “illness” hurts in many places • The hardest job of the app developer… • The hardest job of the IT architect: How do I get apps that are provably securable and manageable? How do I get apps that can work together in an architecture? • The hardest job of the compliance officer: common policy across silos

  6. Cloud turns malaise to crisis • Cloud as enabler of flexible, on-demand, pay-as-you-go business processes for both small and large enterprises • Key enabler for the “Business architect” • Impossible without reuse of enterprise identities in the cloud • Federated Identity gates the cloud Reusable Claims-Based Identity

  7. Identityblog.com

  8. Identity Metasystem • Identity layer for the Internet • Across OS, Vendors, Industry Sectors, Protocols, National Boundaries • No vendor ownership • Identity options and choice • Allow the user to see different aspects of her digital life in a holistic way • Promote user understanding, control and privacy • Can we have a visual paradigm for understanding and selecting identity that at least gives people parity with files? • FEDERATED FABRIC DOES NOT MEAN UBER-IDENTITY

  9. The Claims-Based Model • Abstraction layer for authenticating, authorizing, and obtaining information about users, devices and services • Claim: a statement made by one subject about another subject, that is in doubt. Examples: Email = kcameron@microsoft.com; Age > 21; Manager = John Doe; Role = Architect • Identity Metasystem: open standards-based architecture for the exchange of claims under user control • “Claims transformers” that match impedance • Write to the model, let the infrastructure adapt to the environment

  10. Claims-Based Access • Application: requires and uses claims to define users • Claims Provider: supports protocols for issuing claims • Relationship: the context in which the meaning of claims is defined [Diagram: Subject, Claims Provider and Application (requires claims), joined by a Relationship; flow: 1. Require claims 2. Get claims 3. Send claims]

  11. Standardized IT Components • Framework: framework for building claims-aware applications • Server: Claims Provider (integrated with a directory or database) • Information Card Selector: federation client that puts users in control; handles “home realm discovery”; provides “Active” security features [Diagram: Microsoft Services Identity Backbone and Enterprise Identity Backbone; Enterprise Application, Framework and Federation Server exchanging Claims, backed by a Directory and a Database]

  12. Same components in cloud • Claims Service • “Enterprise” protocols also used by cloud providers • Additional protocol for providers in the Consumer space: OpenID • Several large cloud service providers already support the model • Allows a single federation agreement to access many services • No lock-in to any cloud provider [Diagram: Cloud Service Identity Backbone with Identity Store, Cloud Application, Claims API and Claims Service; Claims Services at an Enterprise and a University, backed by a Directory and a Database, issue Claims to the cloud]

  13. Where is the industry in the process? • Standards widely accepted – OASIS • Interoperability deeply tested – OSIS Interoperability Testing and Liberty Alliance • Platforms will finally have claims as a built-in feature • Microsoft Windows Identity Foundation and ADFS V2 • Part of Active Directory – expect wide adoption and deployment given no marginal cost • COTS Software can count on claims “being there” • Example: Several Microsoft flagship applications • Great products by many vendors • Cloud service adoption and strong competition • Many proofs of concept by private enterprise and government • Ubiquity within sight

  14. New initiatives in consumer space: OpenID • Metasystem model • Big service providers are all supporting OpenID (Yahoo, AOL, Google, Windows Live, etc.) • Many small providers (e.g. universities) • US Government support • Widely available software for ISVs • Severe security issues being worked on by the industry

  15. Identity selector for OpenID

  16. But there are limits to “naïve” federation: • People expect a clear separation between contexts, yet sometimes want to connect them too

  17. Important New Frontier: Minimal Disclosure Technology [Diagram: the Identity Provider holds Name: Alice Smith, Address: 1234 Pine, Seattle, WA, D.O.B.: 23-11-1955; the Relying Party receives the same full record: Name: Alice Smith, Address: 1234 Pine, Seattle, WA, D.O.B.: 23-11-1955]

  18. Minimal Disclosure Token [Diagram: the Identity Provider holds Name: Alice Smith, Address: 1234 Pine, Seattle, WA, D.O.B.: 23-11-1955; the Relying Party asks “Prove that you are over 21 and from WA”, receives only an over-21 proof, and is left asking “Which adult from WA is this?”]
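Slides 17 and 18 contrast handing the relying party the whole record with issuing only the predicates it asked for, and slides 9 and 10 describe the require claims / get claims / send claims flow. The following Python example is added here to make both concrete; it is not code from the presentation or from Microsoft. It assumes an HMAC key shared between the identity provider and the relying party (a stand-in for a provider signature checked with a public key), a constructed record for Alice using the values on slide 17, the relying party policy from slide 18 (over 21 and from WA), and a fixed reference date so the age check is deterministic. It shows only the data-minimisation half of minimal disclosure: the cryptographic tokens the slide refers to also keep the provider from learning where the user presented the proof and stop relying parties linking presentations, which a signed claim set like this does not attempt.

```python
"""Claims-based access: full-disclosure vs. minimal-disclosure claim sets.

Added illustration, not code from the presentation. Assumptions: an HMAC key
shared by the identity provider (IdP) and relying party (RP); a constructed
record for Alice (values from slide 17); the RP policy from slide 18.
"""
import hashlib
import hmac
import json
from datetime import date

# Constructed sample: what the identity provider knows about the subject.
IDP_RECORD = {
    "name": "Alice Smith",
    "address": "1234 Pine, Seattle, WA",
    "dob": "1955-11-23",
}
# Assumption: a shared secret between IdP and RP stands in for an IdP signature.
IDP_KEY = b"example-shared-key-not-for-production"
# Constructed: the relying party's policy from slide 18 ("over 21 and from WA").
REQUIRED = {"over_21": True, "state": "WA"}
# Constructed: fixed reference date so the age predicate is deterministic.
SAMPLE_TODAY = date(2010, 6, 1)
IDENTIFYING = {"name", "address", "dob"}


def _canonical(claims: dict) -> bytes:
    """Stable byte encoding so the MAC covers exactly the claim set."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def sign_token(claims: dict, key: bytes) -> dict:
    """Step 2 of slide 10 ('get claims'): the IdP returns an authenticated claim set."""
    mac = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "mac": mac}


def verify_token(token: dict, key: bytes) -> bool:
    expected = hmac.new(key, _canonical(token["claims"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["mac"])


def age_on(dob_iso: str, today: date) -> int:
    born = date.fromisoformat(dob_iso)
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


def derive(name: str, attrs: dict, today: date):
    """Compute a predicate claim from raw attributes; None if not derivable."""
    if name == "over_21" and "dob" in attrs:
        return age_on(attrs["dob"], today) >= 21
    if name == "state" and "address" in attrs:
        return attrs["address"].rsplit(",", 1)[-1].strip()
    return None


def issue_full(record: dict, key: bytes) -> dict:
    """Slide 17: the IdP hands over every attribute it holds."""
    return sign_token(dict(record), key)


def issue_minimal(record: dict, required: dict, key: bytes, today: date) -> dict:
    """Slide 18: the IdP issues only the predicates the RP asked for."""
    derived = {}
    for name in required:
        value = derive(name, record, today)
        if value is None:
            raise ValueError(f"cannot derive claim {name!r} from the record")
        derived[name] = value
    return sign_token(derived, key)


def rp_decide(token: dict, required: dict, key: bytes, today: date) -> tuple:
    """Step 3 of slide 10 ('send claims'): RP checks the MAC, then each requirement.

    Returns (granted, failed_claim_names). A predicate absent from the token is
    derived from raw attributes when they are present (the full-disclosure case).
    """
    if not verify_token(token, key):
        return False, ["bad signature"]
    claims = token["claims"]
    failed = []
    for name, wanted in required.items():
        have = claims[name] if name in claims else derive(name, claims, today)
        if have != wanted:
            failed.append(name)
    return not failed, failed


def disclosed_identifiers(token: dict) -> list:
    """Which identifying attributes the RP learned from the token."""
    return sorted(IDENTIFYING.intersection(token["claims"]))


if __name__ == "__main__":
    full = issue_full(IDP_RECORD, IDP_KEY)
    mini = issue_minimal(IDP_RECORD, REQUIRED, IDP_KEY, SAMPLE_TODAY)
    for label, tok in (("full disclosure", full), ("minimal disclosure", mini)):
        print(label, rp_decide(tok, REQUIRED, IDP_KEY, SAMPLE_TODAY),
              "RP learned:", disclosed_identifiers(tok) or "nothing identifying")
```

Both tokens satisfy the same policy, but only the full-disclosure token lets the relying party answer “Which adult from WA is this?”. The shared HMAC key is the weak point of the illustration: any relying party holding it can mint tokens for another relying party using the same key, so a real claims provider signs with a private key and each relying party verifies with the provider's public key.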

  19. Minimal Disclosure Scenarios [Diagram: eID presented to a Birth certificate RP: prove name, DOB & address]

  20. Ordering a New Birth Certificate

  21. Minimal Disclosure Scenarios [Diagram: eID presented to a Dating site RP: prove over-21 & gender]

  22. Visiting a Social Website

  23. Identityblog.com
