Claims-Based Identity Layer for the "New Internet"
Slava Kavsan, Partner Architect, Microsoft Corp.
Topics
- Need for the Internet Identity Layer
- Claims-based Identity model
- Laws of Identity and Identity Metasystem
- Claims taxonomy
- Claims transformation model for access
- Authentication, role of Personal Trusted Devices
- Federated Identity
- Identity and Access Management
Seamless, Easy and Trusted Identity
Contexts: Enterprise, Partner, Social Net, E-commerce, Government
What will it take?
- Redefined perimeters
- Standards-based abstraction layer
- Unified interfaces for use and programming
- Agile cooperating systems – rendezvous of capabilities
Missing Internet Identity Layer
- Identity layer – architectural hole in the Internet
- OSI/X.500 scratched the surface, did not succeed
- Not addressed in the current "short" Internet stack (IPv4, IPv6)
- PKI offers a solid foundation, but serious limitations exist
- Result: identity is an ad hoc quasi-layer in applications and protocols
What is a Digital Identity?
- Set of claims made about a subject
- Many "sets" for many uses
- Required for transactions in the real world and online
- Model on which all modern access technology is based
"The Laws of Identity" – technologically-necessary principles of identity management
1. User control and consent
2. Minimal disclosure for a defined use
3. Justifiable parties
4. Directional identity
5. Pluralism of operators and technologies
6. Human integration
7. Consistent experience across contexts
Universal Identity Metasystem
Allows digital identity to be loosely coupled:
- multiple operators and implementations
- connects existing and future identity systems
- leverages the strengths of its constituent systems
- provides interoperability between them
- standards based
Enables a consistent and simple user experience
Critical Components of Identity Layer
(Slide diagram; component labels recovered from it:) Audit, Rights Mgmt, Identity Repositories, Access Policies, Authentication, Compliance, SSO, Privacy, PKI, Authorization, Provisioning, Data Protection, Identity Roaming, Identity Federation, Personal Trusted Devices, RBAC, Key Mgmt, Biometrics, Directory, Federation, Identity & Access Mgmt.
Claims – "Currency" of Digital Identity
- Claim – assertion in doubt
- Fact – trusted claim
- Claims describe properties of entities:
  - Subjects: humans, devices, applications
  - Resources: services, devices, networks, data, transactions
  - Actions: resource-specific operations, e.g. read, approve
  - Contexts: runtime characteristics of access sessions
- Identity – context-specific set of Subject claims
Claims Taxonomy
- Identifier claims – unique entity markers in a given namespace

  Subject Identifier Type                        Strength
  username                                       cognition
  domain-specific identifier, e.g. account #     directly controlled namespace
  fully qualified domain name (FQDN)             hierarchical namespace
  email address, phone #                         client addressability, protocol non-ambiguity
  URL                                            IdP addressability, protocol non-ambiguity
  public key                                     "native" security

- Attribute claims – properties of an entity
  - Static claims, e.g. "DOB: May-21-1979"
  - Derived claims, e.g. "AgeCategory: over-21"
- Association claims – set membership descriptors of an entity
  - Groups – set of Subjects, e.g. "Manager"
  - Capabilities – set of Resources/Actions, e.g. "$50kPO/Approve"
  - Scopes – set of Resources, e.g. "Financial Report"
Capability Claims
- Capability – set of Resources/Actions, used to express:
  - Subject's role in Enterprise or Application
  - Access request
  - Access grant
  - Unit of delegation

  Capability Model                                        ACL Model
  Explicit access grant                                   Implicit access grant via group membership
  Separation of access decision and enforcement           Combined access decision and enforcement
  Rich policy language (incl. delegation, SoD)            Constrained policy language
  General purpose authorization model                     Special-purpose: access to persisted objects
  Scalable management due to separation of                Hard to manage: highly distributed nature
  policies from resources                                 due to ACLs' association with each resource

ACL – Access Control List; SoD – Separation of Duties
Claims Transformation
- Access process is a sequence of claim transformations
- Three dimensions of claims transformations:
  - Form: X.509 certificates → SAML Assertions
  - Trust: unsigned claims → signed claims; claims → facts
  - Value: credentials → attributes → capabilities
- Transformation rules: policies describing claims relations
- Transformers: PKI Authorities, Token Services, directories, etc.
- Claims can be "pushed" to or "pulled" by transformers
(Slide diagram with axes Form, Value, Trust)
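As an added example (not from the deck), a Python sketch of the transformation chain on the Claims Taxonomy, Capability Claims and Claims Transformation slides: a static DOB attribute is derived into an AgeCategory claim, a Group association claim is expanded into capability claims by a policy rule, and the access decision (kept separate from enforcement) accepts only capabilities vouched for by a trusted issuer. The issuer names, trust anchors and Group-to-capability policy are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, date

# A claim is an assertion about a subject (in doubt); it counts as a "fact"
# only when its issuer is a trust anchor of the relying party (Trust dimension).
@dataclass(frozen=True)
class Claim:
    type: str    # e.g. "DOB", "Group", "Capability"
    value: str   # e.g. "May-21-1979", "Manager", "$50kPO/Approve"
    issuer: str  # "self" marks an unsigned, self-asserted claim

TRUSTED_ISSUERS = {"hr-directory", "policy-sts"}  # constructed trust anchors
# Transformation rule (a policy describing a claims relation): Group -> Capabilities.
GROUP_CAPABILITIES = {"Manager": ["$50kPO/Approve", "FinancialReport/Read"]}  # constructed

def is_fact(c: Claim) -> bool:
    return c.issuer in TRUSTED_ISSUERS

def derive_age_category(claims, today: date, issuer: str = "policy-sts"):
    """Value transform: static attribute DOB -> derived attribute AgeCategory."""
    out = []
    for c in claims:
        if c.type == "DOB" and is_fact(c):
            dob = datetime.strptime(c.value, "%b-%d-%Y").date()
            age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
            out.append(Claim("AgeCategory", "over-21" if age >= 21 else "under-21", issuer))
    return out

def groups_to_capabilities(claims, issuer: str = "policy-sts"):
    """Value transform: association claim (Group) -> capability claims (Resource/Action)."""
    return [Claim("Capability", cap, issuer)
            for c in claims if c.type == "Group" and is_fact(c)
            for cap in GROUP_CAPABILITIES.get(c.value, [])]

def decide(claims, resource: str, action: str) -> bool:
    """Access decision (separate from enforcement): grant only on a trusted capability."""
    wanted = f"{resource}/{action}"
    return any(c.type == "Capability" and c.value == wanted and is_fact(c) for c in claims)

def transform_and_decide(presented, resource, action, today: date = date(2024, 1, 1)):
    """Chain credentials/attributes -> capabilities, then decide; returns (granted, claims)."""
    claims = list(presented)
    claims += derive_age_category(claims, today)
    claims += groups_to_capabilities(claims)
    return decide(claims, resource, action), claims

if __name__ == "__main__":
    presented = [Claim("DOB", "May-21-1979", "hr-directory"),    # signed attribute claim
                 Claim("Group", "Manager", "hr-directory"),      # signed association claim
                 Claim("Capability", "$50kPO/Approve", "self")]  # self-asserted, not a fact
    print(transform_and_decide(presented, "$50kPO", "Approve")[0])  # True, via the Group
```

The self-asserted capability in the sample input never grants on its own; the grant comes from the trusted Group claim expanded by the policy rule.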
Authentication
- Not an end in itself, part of the access process
- Distinct interactively-driven claim transformation step:
  - trust/form transform, e.g. username/password to SAML AuthN Statement
  - establishes level of confidence in the subject identity
  - establishes level of confidence of the subject's real-time presence
- Mutual (site-to-user) authentication
  - establishes level of confidence in the service identity
- Authentication instrument: credential = identifier claim + authenticator