Windows CardSpace - PowerPoint PPT Presentation

Title: Windows CardSpace

Description: Users' ability to remember is the obstacle. Nobody trusts a single organization to store all identity information. Identity: a new approach ... – PowerPoint PPT presentation

Slides: 20
Provided by: martin326

Transcript and Presenter's Notes

1
Windows CardSpace
  • Martin Parry
  • Developer Evangelist
  • Microsoft
  • martin.parry_at_microsoft.com

2
Event slides will be posted at
  • http://www.microsoft.com/uk/msdnevents

3
Identity problems
  • Passwords too easy to crack
  • Or too hard to remember
  • I want multiple identities
  • Results in identity silos
  • Banks etc. would like to make sign-on data a lot
    more complex
  • Users' ability to remember is the obstacle
  • Nobody trusts a single organization to store all
    identity information

4
Identity: a new approach
  • Kim Cameron, www.identityblog.com
  • Seven laws of identity
  • We have interoperable WS-* specs
  • Allow multiple identity systems to take part
  • We have a standard format for credentials
  • SAML tokens
  • The Identity Metasystem

5
Security Tokens
  • SAML
  • Security Assertion Markup Language
  • Prevailing format for credentials today
  • What's in a security token?
  • Collection of claims (self-asserted or
    verifiable)
  • Token signed by issuer
  • Issuing a token
  • Use WS-Security and WS-Trust
  • Consuming a token
  • Verify signature, decide if issuer trusted
  • Read claims (for authZ decisions)

6
Example Security Token
  • Given Name: Martin
  • Family Name: Parry
  • Email: martin.parry_at_microsoft.com
7
Security Token Service
Give it something...
  • Username/password
  • X.509 certificate
  • Another security token
  • Biometric
  • Etc...
...and it issues a security token (the slide shows the example token from slide 6)
8
Federation
  • If users have accounts elsewhere and you trust
    the authN that takes place there
  • Don't add user accounts to your system
  • Accept security tokens issued elsewhere
  • Establish trust between systems
  • WS-Federation
  • Think of B2B scenarios

9
Federation example
  • Instead of provisioning a new user account for a
    partner, I'll let her organization authenticate
    her
  • Automate the trust relationship
  • Ask user to supply a SAML token issued by a
    partner org
  • SAML token contains claims about the user
  • Partner org claims that this user's name is Alice
  • Partner org claims that Alice is a Purchaser
  • Partner org claims that Alice is authorized to
    purchase bike parts
  • Reduces identity management burden and latency

10
Information Cards
  • Identities represented as cards
  • Users understand that they need to be careful
    when giving out credit card details
  • Self-issued personal card
  • Created by user and held in local secure store
  • Private personal identifier
  • Managed card
  • Issued by trusted Identity Provider
  • Visible locally but identity information is
    stored at IP
  • Cards do not contain security tokens
  • They represent my ability to supply a token

11
How it works
  1. User tries to access a resource at the Relying Party
  2. Relying Party returns its policy: "I would like a SAML 1.1 token,
     containing First Name, Surname, issued by any issuer"
  3. UI filters cards that can satisfy the policy
  4. User picks a card
  5. Token is requested from the Identity Provider
  6. Token is created by the Identity Provider
  7. Token is presented to the Relying Party
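The card-filtering step (3) of this flow, as an added example that is not code from the presentation or from CardSpace itself: the policy fields mirror the tokenType, issuer and requiredClaims parameters of the object tag on slide 13, while the Policy and Card classes, the sample cards and the partner Identity Provider URL are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

IDENTITY = "http://schemas.xmlsoap.org/ws/2005/05/identity"
SELF_ISSUER = IDENTITY + "/issuer/self"            # issuer value used for self-issued cards
SAML10 = "urn:oasis:names:tc:SAML:1.0:assertion"   # token type of a SAML 1.x assertion

def claim(name: str) -> str:
    """Build a claim URI in the same namespace the slide 13 HTML uses."""
    return IDENTITY + "/claims/" + name

@dataclass(frozen=True)
class Policy:                      # what the relying party asks for (constructed type)
    token_type: str
    issuer: Optional[str]          # None means "issued by any"
    required_claims: FrozenSet[str]

@dataclass(frozen=True)
class Card:                        # what a card says it can supply (constructed type)
    name: str
    issuer: str                    # SELF_ISSUER or the managed card's Identity Provider
    token_types: FrozenSet[str]
    claims: FrozenSet[str]

def can_satisfy(card: Card, policy: Policy) -> bool:
    """Step 3: offer a card only if issuer, token type and claim set all fit the policy."""
    if policy.issuer is not None and card.issuer != policy.issuer:
        return False
    if policy.token_type not in card.token_types:
        return False
    return policy.required_claims <= card.claims      # every required claim is available

def filter_cards(cards, policy):
    return [c.name for c in cards if can_satisfy(c, policy)]

# Constructed cards: a self-issued personal card and a managed card from a
# hypothetical partner Identity Provider (placeholder URL).
PERSONAL = Card("Personal card", SELF_ISSUER, frozenset({SAML10}),
                frozenset(map(claim, ["givenname", "surname", "emailaddress",
                                      "privatepersonalidentifier"])))
PARTNER = Card("Partner org card", "https://ip.partner.example/sts", frozenset({SAML10}),
               frozenset(map(claim, ["givenname", "surname", "role"])))
CARDS = [PERSONAL, PARTNER]

# The policy from the diagram above: any issuer, first name and surname.
ANY_ISSUER_POLICY = Policy(SAML10, None, frozenset(map(claim, ["givenname", "surname"])))
# The policy the slide 13 HTML expresses: self issuer, four required claims.
SELF_POLICY = Policy(SAML10, SELF_ISSUER, PERSONAL.claims)
```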
12
Demo
  • Create a self-issued card
  • Sign on to a website using the card

13
HTML
  <form id="form1" method="post" action="login1.aspx">
    <div>
      <button type="submit">Click here to sign in</button>
      <!-- the object tag asks the identity selector for a self-issued SAML token carrying these claims -->
      <object type="application/x-informationcard" name="xmlToken">
        <param name="tokenType" value="urn:oasis:names:tc:SAML:1.0:assertion"/>
        <param name="issuer" value="http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"/>
        <param name="requiredClaims"
               value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"/>
      </object>
    </div>
  </form>

14
Server-side code
  protected void Page_Load(object sender, EventArgs e)
  {
      // the identity selector posts the (encrypted) token in the xmlToken form field
      string xmlToken = Request.Params["xmlToken"];
      if (xmlToken == null || xmlToken.Equals(""))
      {
          ShowError("Token presented was null");
      }
      else
      {
          // TokenHelper decrypts the token for this site, checks it and exposes its claims
          TokenHelper tokenHelper = new TokenHelper(xmlToken, "www.fabrikam.com");
          givenname.Text = tokenHelper.GetClaim(ClaimTypes.GivenName);
          surname.Text = tokenHelper.GetClaim(ClaimTypes.Surname);
          email.Text = tokenHelper.GetClaim(ClaimTypes.Email);
      }
  }
  • Clearly all the work is in TokenHelper
  • Get it in the samples at www.netfx3.com
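The "consuming a token" steps from slide 5 as an added example in Python; this is not the presentation's TokenHelper (whose source is in the netfx3 samples). It assumes the posted xmlToken has already been decrypted and its signature verified by an XML-DSig library, and the SAML 1.1 assertion, the audience URL and the privatepersonalidentifier value (the per-site unique ID that slides 10 and 15 refer to) are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
SELF = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"

# Constructed SAML 1.1 assertion (not a real CardSpace capture); attribute
# names and namespace follow the requiredClaims URIs from slide 13.
SAMPLE_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML}" MajorVersion="1" MinorVersion="1"
 AssertionID="uuid:constructed-1" Issuer="{SELF}" IssueInstant="2007-01-01T12:00:00Z">
 <saml:Conditions NotBefore="2007-01-01T12:00:00Z" NotOnOrAfter="2007-01-01T12:05:00Z">
  <saml:AudienceRestrictionCondition><saml:Audience>https://www.fabrikam.com/</saml:Audience>
  </saml:AudienceRestrictionCondition></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute AttributeName="givenname" AttributeNamespace="{CLAIMS}">
   <saml:AttributeValue>Martin</saml:AttributeValue></saml:Attribute>
  <saml:Attribute AttributeName="surname" AttributeNamespace="{CLAIMS}">
   <saml:AttributeValue>Parry</saml:AttributeValue></saml:Attribute>
  <saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="{CLAIMS}">
   <saml:AttributeValue>cHBpZC1jb25zdHJ1Y3RlZA==</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>"""

class TokenRejected(Exception):
    pass

def _t(s):                     # SAML timestamps are UTC, written with a trailing Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def consume_token(xml_token, audience, trusted_issuers, now):
    """Slide 5's consuming steps after signature verification: decide if the
    issuer is trusted, check validity window and audience, then read claims."""
    root = ET.fromstring(xml_token)
    if root.tag != "{%s}Assertion" % SAML:
        raise TokenRejected("not a SAML 1.x assertion")
    if root.get("Issuer") not in trusted_issuers:
        raise TokenRejected("untrusted issuer: %s" % root.get("Issuer"))
    cond = root.find("{%s}Conditions" % SAML)
    if cond is None or not _t(cond.get("NotBefore")) <= _t(now) < _t(cond.get("NotOnOrAfter")):
        raise TokenRejected("token outside its validity window")   # stale or replayed token
    if audience not in [a.text for a in cond.iter("{%s}Audience" % SAML)]:
        raise TokenRejected("token was not issued for this relying party")
    claims = {}
    for attr in root.iter("{%s}Attribute" % SAML):
        uri = attr.get("AttributeNamespace") + "/" + attr.get("AttributeName")
        claims[uri] = attr.find("{%s}AttributeValue" % SAML).text
    return claims
```

The returned dictionary is keyed by the same claim URIs the slide 13 HTML requests, so the privatepersonalidentifier entry is the value to store against the user's account.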

15
How to implement a RP
  • Update user database
  • To include unique IDs from CardSpace
  • Create an association page
  • Users can associate cards with their accounts
  • Update the sign-in page
  • To allow the use of cards
  • Can still allow other credentials
  • Update registration page
  • To allow the use of cards

16
Event slides will be posted at
  • http://www.microsoft.com/uk/msdnevents

17
  • Get the latest technology previews, trial
    software, special offers
  • Get information tailored to your needs
  • Pick your RSS feeds
  • Sign up for MSDN Connection at
  • http://www.msdn.co.uk

18
Resources, tools and betas
  • Learn about development for Windows Live
  • http://dev.live.com
  • Useful resource for .NET Framework 3.0, the
    development platform for Windows Vista
  • http://www.netfx3.com
  • Get the latest betas for Windows Vista and Office
    2007
  • http://www.microsoft.com/betaexperience
  • Try Visual Studio
  • http://www.microsoft.com/getthetrials
  • Check out the free Express versions of Visual
    Studio
  • http://msdn.microsoft.com/express
  • Learn about and try the new Web and client
    designer tools
  • http://www.microsoft.com/expression
  • Resources
  • http://www.gotdotnet.com
  • http://www.asp.net

19
Additional Information
  • UK MSDN Events
  • Post events page including slide decks
  • http://www.microsoft.com/uk/msdnevents
  • Upcoming events
  • http://www.microsoft.com/uk/msdn/events/upcoming.aspx
  • UK MSDN Site Flash Newsletter
  • Local news, events, nuggets, webcasts
  • http://www.microsoft.com/uk/msdn
  • Register to receive the bi-weekly MSDN Flash by
    email
  • http://www.microsoft.com/uk/msdn/flash.aspx