Claims-Based Identity Layer for the New Internet - PowerPoint PPT Presentation



SLIDE 1

Claims-Based Identity Layer for the “New Internet”

Slava Kavsan, Partner Architect, Microsoft Corp.

SLIDE 2

Topics

  • Need for the Internet Identity Layer
  • Claims-based Identity model
  • Laws of Identity and Identity Metasystem
  • Claims taxonomy
  • Claims transformation model for access
  • Authentication, role of Personal Trusted Devices
  • Federated Identity
  • Identity and Access Management

SLIDE 3

Seamless, Easy and Trusted Identity

(Diagram: Enterprise, Partner, Social Net, E-commerce, Government)

What will it take?

  • Redefined perimeters
  • Standards-based abstraction layer
  • Unified interfaces for use and programming
  • Agile cooperating systems – rendezvous of capabilities

SLIDE 4

Missing Internet Identity Layer

  • Identity layer – architectural hole in the Internet
  • OSI/X.500 scratched the surface, did not succeed
  • Not addressed in the current “short” Internet stack (IPv4, IPv6)
  • PKI offers a solid foundation, but serious limitations exist
  • Result: identity ad hoc quasi-layer in applications and protocols

SLIDE 5

What is a Digital Identity?

  • Set of claims made about a subject
  • Many “sets” for many uses
  • Required for transactions in real world and online
  • Model on which all modern access technology is based

SLIDE 6

“The Laws of Identity”

technologically-necessary principles of identity management

1. User control and consent
2. Minimal disclosure for a defined use
3. Justifiable parties
4. Directional identity
5. Pluralism of operators and technologies
6. Human integration
7. Consistent experience across contexts

SLIDE 7

Universal Identity Metasystem

Allows digital identity to be loosely coupled:

  • multiple operators and implementations
  • connects existing and future identity systems
  • leverages the strengths of its constituent systems
  • provides interoperability between them
  • standards based

Enables consistent and simple user experience

SLIDE 8

Critical Components of Identity Layer

(Diagram; components shown: Identity Repositories, Authentication, Authorization, Identity Federation, Identity & Access Mgmt; Directory, Federation, Personal Trusted Devices, Identity Roaming, Provisioning, SSO, Access Policies, Data Protection, Privacy, Key Mgmt, Audit, RBAC, Biometrics, PKI, Compliance, Rights Mgmt)

SLIDE 9

Claims – “Currency” of Digital Identity

  • Claim – assertion in doubt
  • Fact – trusted claim
  • Claims describe properties of entities:
    • Subjects: humans, devices, applications
    • Resources: services, devices, networks, data, transactions
    • Actions: resource-specific operations, e.g. read, approve
    • Contexts: runtime characteristics of access sessions
  • Identity – context-specific set of Subject claims

SLIDE 10

Claims Taxonomy

  • Identifier claims – unique entity markers in a given namespace
  • Attribute claims – properties of an entity
  • Association claims – set membership descriptors of an entity
    • Groups – set of Subjects, e.g. “Manager”
    • Capabilities – set of Resources/Actions, e.g. “$50kPO/Approve”
    • Scopes – set of Resources, e.g. “Financial Report”
  • Static claims, e.g. “DOB: May-21-1979”
  • Derived claims, e.g. “AgeCategory: over-21”

Subject Identifier Type / Strength:

  • username: cognition
  • domain-specific identifier, e.g. account #: directly controlled namespace
  • fully qualified domain name (FQDN): hierarchical namespace
  • email address, phone #: client addressability, protocol non-ambiguity
  • URL: IdP addressability, protocol non-ambiguity
  • public key: “native” security

SLIDE 11

Capability Claims

Capability - set of Resources/Actions to express:

  • Subject’s role in Enterprise or Application
  • Access request
  • Access grant
  • Unit of delegation

Capability Model vs. ACL Model:

  • Explicit access grant / Implicit access grant via group membership
  • Separation of access decision and enforcement / Combined access decision and enforcement
  • Rich policy language (incl. delegation, SoD) / Constrained policy language
  • General purpose authorization model / Special-purpose: access to persisted objects
  • Scalable management due to separation of policies from resources / Hard to manage: highly distributed nature due to ACLs association with each resource

ACL – Access Control List; SoD – Separation of Duties
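The capability-versus-ACL comparison above is easier to see side by side in code. The following is an added example, not code from the deck or from Microsoft: it writes a capability claim as "<resource>/<action>" in the deck's own "$50kPO/Approve" style, separates a policy decision function from the enforcement point, treats the capability as the unit of delegation and applies a constructed separation-of-duties rule; the ACL side attaches a per-resource list that decides implicitly through group membership. All names (`Capability`, `Subject`, `decide`, `delegate`, `enforce`, `Acl`, `acl_allows`) and the sample subjects are hypothetical.

```python
"""Capability claims vs. ACLs (added illustration, not the presentation's code).

Assumptions (mine, not the slides'): a capability claim is spelled
"<resource>/<action>" as in the deck's "$50kPO/Approve"; the policy
decision point (PDP) is a plain function; the enforcement point (PEP)
acts only on the PDP's answer.  All identifiers below are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Capability:
    resource: str
    action: str

    @classmethod
    def parse(cls, text: str) -> "Capability":
        resource, action = text.rsplit("/", 1)
        return cls(resource, action)


@dataclass
class Subject:
    name: str
    groups: set = field(default_factory=set)        # used by the ACL model
    capabilities: set = field(default_factory=set)  # used by the capability model


# --- Capability model: explicit grant, decision separated from enforcement ---

SOD_CONFLICTS = {("PO/Create", "PO/Approve")}  # constructed separation-of-duties rule


def decide(subject: Subject, requested: str) -> bool:
    """Policy decision: the capability must be held explicitly, and exercising it
    must not pair it with a conflicting capability (separation of duties)."""
    cap = Capability.parse(requested)
    if cap not in subject.capabilities:
        return False
    held = {f"{c.resource}/{c.action}" for c in subject.capabilities}
    for a, b in SOD_CONFLICTS:
        if requested in (a, b) and {a, b} <= held:
            return False
    return True


def delegate(grantor: Subject, grantee: Subject, capability: str) -> bool:
    """The capability is the unit of delegation: a subject may hand on a claim it holds."""
    cap = Capability.parse(capability)
    if cap not in grantor.capabilities:
        return False
    grantee.capabilities.add(cap)
    return True


def enforce(subject: Subject, requested: str) -> str:
    """Enforcement point: carries no policy of its own, only applies the decision."""
    return "granted" if decide(subject, requested) else "denied"


# --- ACL model: implicit grant via group membership, stored with each resource ---

class Acl:
    """Decision and enforcement combined: the list on the object answers directly."""

    def __init__(self, entries: dict):
        self.entries = entries  # action -> set of groups permitted

    def check(self, subject: Subject, action: str) -> bool:
        return bool(self.entries.get(action, set()) & subject.groups)


RESOURCE_ACLS = {  # constructed: one ACL attached to each persisted object
    "Financial Report": Acl({"read": {"Finance", "Manager"}}),
    "$50kPO": Acl({"approve": {"Manager"}}),
}


def acl_allows(subject: Subject, resource: str, action: str) -> bool:
    acl = RESOURCE_ACLS.get(resource)
    return acl is not None and acl.check(subject, action)


def demo() -> dict:
    alice = Subject("alice", groups={"Manager"},
                    capabilities={Capability("$50kPO", "Approve")})
    bob = Subject("bob", groups={"Finance"})
    results = {
        "alice_cap": enforce(alice, "$50kPO/Approve"),
        "bob_cap_before": enforce(bob, "$50kPO/Approve"),
        "delegated": delegate(alice, bob, "$50kPO/Approve"),  # no group change needed
        "bob_cap_after": enforce(bob, "$50kPO/Approve"),
        "alice_acl": acl_allows(alice, "$50kPO", "approve"),
        "bob_acl": acl_allows(bob, "$50kPO", "approve"),  # bob is not a Manager
    }
    # Separation of duties: holding both PO/Create and PO/Approve blocks approval.
    carol = Subject("carol", capabilities={Capability("PO", "Create"),
                                           Capability("PO", "Approve")})
    results["carol_sod"] = enforce(carol, "PO/Approve")
    return results


if __name__ == "__main__":
    print(demo())
```

Note the asymmetry the deck points at: in the capability branch, delegation and the SoD rule live in policy code that never touches the resources, whereas in the ACL branch the only way to give Bob approval rights is to edit the group list stored on the "$50kPO" object itself.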

SLIDE 12

Claims Transformation

  • Access process is a sequence of claim transformations
  • Three dimensions of claims transformations:
    • Form: X.509 certificates → SAML Assertions
    • Trust: unsigned claims → signed claims; claims → facts
    • Value: credentials → attributes → capabilities
  • Transformation rules: policies describing claims relations
  • Transformers: PKI Authorities, Token Services, directories, etc.
  • Claims can be “pushed” to or “pulled” by transformers

(Diagram axes: Form, Value, Trust)
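The access process described on this slide, the static-to-derived claims of the Claims Taxonomy slide and the username/password-to-signed-statement step of the Authentication slide that follows can be shown as one chain of transformers. This is an added example, not code from the deck or from Microsoft. It assumes claims are (type, value, issuer, signature) records, models "trust" as an HMAC signature applied by a transformer, keeps a constructed salted-hash password store and a constructed directory, and uses a minimal policy table; the names `Claim`, `authenticate`, `pull_attributes`, `derive_age_category`, `grant_capabilities` and `access` are hypothetical, and the sample password is constructed.

```python
"""Access as a sequence of claim transformations (added illustration, not the deck's code).

Assumptions (mine): a claim is (type, value, issuer, signature); a non-empty
signature from a trusted transformer turns an "assertion in doubt" into a fact;
the stores below are constructed stand-ins for a credential database, a
directory and a policy store.  All identifiers are hypothetical.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Claim:
    type: str            # "identifier", "attribute:<name>" or "capability"
    value: str
    issuer: str          # which transformer produced the claim
    signature: str = ""  # empty -> unsigned claim (in doubt); set -> trusted

    @property
    def trusted(self) -> bool:
        return bool(self.signature)


# Constructed stores (not real data): salted password hash, directory, policy.
_SALT = b"constructed-salt"
_PASSWORD_STORE = {"rparris": hashlib.sha256(_SALT + b"correct horse").hexdigest()}
_DIRECTORY = {"rparris": {"DOB": "1979-05-21", "Dept": "Finance"}}
_POLICY = {("Dept", "Finance"): ["Financial Report/Read"],
           ("AgeCategory", "over-21"): ["Restricted Content/Read"]}


def _sign(key: bytes, issuer: str, ctype: str, value: str) -> str:
    """Trust transform: a transformer signs what it asserts (HMAC stands in for a token signature)."""
    msg = json.dumps([issuer, ctype, value]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authenticate(username: str, password: str, key: bytes) -> Optional[Claim]:
    """Form/trust transform: credential (identifier claim + authenticator) ->
    signed identifier claim, or None when the authenticator does not verify."""
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    stored = _PASSWORD_STORE.get(username, "")
    if not hmac.compare_digest(digest, stored):
        return None
    return Claim("identifier", username, "AuthN",
                 _sign(key, "AuthN", "identifier", username))


def pull_attributes(ident: Claim, key: bytes) -> List[Claim]:
    """Value transform, "pulled" from a directory: identifier -> attribute claims.
    An unsigned identifier is still an assertion in doubt, so nothing is released for it."""
    if not ident.trusted:
        return []
    return [Claim(f"attribute:{k}", v, "Directory",
                  _sign(key, "Directory", f"attribute:{k}", v))
            for k, v in _DIRECTORY.get(ident.value, {}).items()]


def derive_age_category(attrs: List[Claim], today: date, key: bytes) -> List[Claim]:
    """Static claim DOB -> derived claim AgeCategory (over-21 / under-21).
    Minimal disclosure: the derived claim does not carry the birth date."""
    for c in attrs:
        if c.type == "attribute:DOB" and c.trusted:
            y, m, d = (int(x) for x in c.value.split("-"))
            age = today.year - y - ((today.month, today.day) < (m, d))
            cat = "over-21" if age >= 21 else "under-21"
            return [Claim("attribute:AgeCategory", cat, "Directory",
                          _sign(key, "Directory", "attribute:AgeCategory", cat))]
    return []


def grant_capabilities(attrs: List[Claim]) -> List[Claim]:
    """Value transform by policy rules: trusted attribute claims -> capability claims."""
    caps = []
    for c in attrs:
        if not c.trusted:
            continue
        name = c.type[len("attribute:"):]
        for cap in _POLICY.get((name, c.value), []):
            caps.append(Claim("capability", cap, "Policy"))
    return caps


def access(username: str, password: str, key: bytes, today: date) -> List[str]:
    """The whole access process: credential -> identifier -> attributes -> capabilities."""
    ident = authenticate(username, password, key)
    if ident is None:
        return []
    attrs = pull_attributes(ident, key)
    attrs += derive_age_category(attrs, today, key)
    return [c.value for c in grant_capabilities(attrs)]


if __name__ == "__main__":
    print(access("rparris", "correct horse", b"constructed-key", date(2008, 1, 1)))
```

Each function moves the claims along one of the three axes from the slide: `authenticate` changes form and trust, `pull_attributes` and `grant_capabilities` change value, and `derive_age_category` shows a derived claim replacing a static one so that the relying party learns "over-21" rather than the birth date.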

SLIDE 13

Authentication

  • Not an end in itself, part of the access process
  • Distinct interactively-driven claim transformation step:
    • trust/form transform, e.g. username/password to SAML AuthN Statement
    • establishes level of confidence in the subject identity
    • establishes level of confidence of the subject real time presence
  • Mutual (site-to-user) authentication
    • establishes level of confidence in the service identity
  • Authentication instrument: credential = identifier claim + authenticator

SLIDE 14

Identity Layer Authentication Facilities

  • Pluggable multi-credential authentication framework
    • Credential collection: interactive solicitation of credentials
    • Credential validation: authenticator verification, claims transformation
    • Credential lifecycle management: provisioning, renewal, revocation
  • Mutual authentication
  • Advanced capabilities - transaction risk-based authentication

(Chart axes: Usability, Risk, Cost; data point shown: password)

SLIDE 15

Personal Trusted Devices

Authentication factors:

  • what you know – password, PIN
  • what you have - hardware token, Personal Trusted Device (PTD)
  • who you are – biometrics
  • hybrids, “grey areas”, e.g. RFID as biometric prosthesis ☺

Goal: reduce over-reliance on password-based authentication

  • to increase level of confidence in subject’s identity
  • to combat phishing attacks through use of capture-resistant credentials
  • to enhance portability of identity claims

Broad spectrum of PTDs – smart cards, OTP tokens, phones

But there is a price:

  • cost of ownership
  • usability characteristics
  • management complexity
  • emergency access, e.g. scenarios when PTD is lost or unusable
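The slide's "capture-resistant credentials" point, using the OTP token it lists among the PTDs, can be demonstrated on the verifying side. This is an added example, not code from the deck or from Microsoft. It assumes an event-counter (HOTP, RFC 4226) token, which the deck does not specify; `hotp`, `TokenVerifier` and `replay_demo` are hypothetical names, the seed is the RFC 4226 test secret, and the username is the one shown on the deck's Identity and Access Management slide. The credential is, as the Authentication slide puts it, an identifier claim plus an authenticator; the verifier advances the counter so that a captured one-time code cannot be reused.

```python
"""OTP token as a "what you have" Personal Trusted Device (added illustration,
not the presentation's code).  Assumes an HOTP-style counter token (RFC 4226);
all identifiers below are hypothetical, the seed is the RFC 4226 test secret.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Server side of the credential: identifier claim (username) + authenticator (OTP).

    Once a code is accepted the per-user counter moves past it, so a code
    captured in transit is worthless to whoever captured it (capture resistance).
    """

    def __init__(self, seeds: dict, window: int = 5):
        self.seeds = seeds                        # username -> token seed
        self.counters = {u: 0 for u in seeds}     # next counter value expected
        self.window = window                      # look-ahead for unseen button presses

    def verify(self, username: str, code: str) -> bool:
        seed = self.seeds.get(username)
        if seed is None:
            return False
        start = self.counters[username]
        for c in range(start, start + self.window):
            if hmac.compare_digest(hotp(seed, c), code):
                self.counters[username] = c + 1   # c and anything earlier is now dead
                return True
        return False


def replay_demo() -> dict:
    seed = b"12345678901234567890"                    # RFC 4226 test secret
    v = TokenVerifier({"rparris": seed})
    first = v.verify("rparris", hotp(seed, 0))        # fresh code: accepted
    replay = v.verify("rparris", hotp(seed, 0))       # same code presented again: rejected
    skipped = v.verify("rparris", hotp(seed, 3))      # two presses unseen, within window: accepted
    stale = v.verify("rparris", hotp(seed, 2))        # older than the advanced counter: rejected
    unknown = v.verify("nobody", hotp(seed, 4))       # no identifier claim on file: rejected
    return {"first": first, "replay": replay, "skipped": skipped,
            "stale": stale, "unknown": unknown}


if __name__ == "__main__":
    print(replay_demo())
```

The contrast with the password row on the Usability/Risk/Cost chart is the `replay` result: a password that is captured once keeps working, while the captured OTP fails on second use. The `window` parameter is where the slide's "price" shows up, since a token pressed more times than the window allows needs the emergency or resynchronisation process the deck mentions.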

SLIDE 16

Federated Identity

(Diagram: Identity Provider, Policy, Credential, Relying Party; Identity claims flow between them)

  • Simple abstraction of “digital personas”
    • to manage collections of claims
    • to manage cryptographic keys
  • Grounded in metaphor of physical cards
    • citizen ID card, driver’s license, credit card
  • self-issued cards signed by user
  • managed cards signed by Identity Provider
  • enables seamless portability of identity across security domains

Client: Identity Selector

SLIDE 17

Privacy

  • Privacy is woven throughout Laws of Identity
  • Identity Metasystem based on these laws has privacy built-in, not add-on
    • empowers “user-centric” control of identity information
    • provides enhanced data protection for identity information
    • increases mutual trust and the level of confidence for e-commerce

SLIDE 18

Identity and Access Management

Identity Layer management facilities for Identity:

  • automated identity lifecycle management workflow
  • delegation and self-service capabilities
  • managing broad range of identity instruments, claims and access policies
  • mechanisms for compliance with business and regulatory policies

(Diagram of identity instruments managed: Biometric credentials, Applets, Barcode & Magnetic Swipe encoding, Digital Certificates, Physical Access Controls, Passwords, Keys, Photo, Physical Access; example accounts shown: NT Login rparris / letmein, SAP richardp / x4Lo19b, C. Schwab richparr / echo2)

SLIDE 19

Summary

Claims-based Identity Access and Management model

  • enables common approach for building Internet Identity Layer
  • establishes concept of claims as building blocks of Identity
  • models access control as claim transformation process
  • facilitates user-centric identity management and privacy
  • enhances trust, usability and seamless nature of Identity