Joe<\/a> .<\/p>\nHe started years ago by building in support for usernames and passwords.\u00a0 He was supposed to finish up within a few weeks, but soon found he needed a second project to build in better password reset and account management.<\/p>\n
This soon worked pretty well, but when presented to customers, no one would deploy in large numbers unless he added a help desk component – so he did.<\/p>\n
Then as Active Directory started gaining critical mass, he needed to set up a project to integrate with Active Directory.\u00a0 When\u00a0that was finished, the large sites wanted to use AD with multiple forests,\u00a0and that involved a complete rewrite…<\/p>\n
Next, people wanted to use the app outside the firewall, so he needed to add One Time Password (OTP) support.\u00a0Supporters of\u00a0Smart Cards were adamant that if OTP was supported, smartcards should work too.<\/p>\n
Joe\u00a0was just\u00a0pretty much ready to return to his “core work”\u00a0when he was asked to support SAML.\u00a0He hadn't even finished\u00a0his initial investigation of this\u00a0when people started asking for OpenID support too.\u00a0 Plus he needed to integrate with another software product by a different vendor\u00a0 – who used a completely different and proprietary approach to identity.<\/p>\n
As he was looking at\u00a0all this\u00a0he was hit by phishing attacks. That brought about a whole new round of security reviews – one for every one of the projects just discussed.<\/p>\n
Now Joe\u00a0has realized\u00a0that his application has to be easily hostable in the cloud as well as work on-premise. And it needs to support delegation so it can access other services on behalf of his users…<\/p>\n
So you\u2019ll understand that\u00a0he really wants and needs a better way. He wants to focus on the core values of his app, not the changing trends in identity.<\/p>\n
Claims-based Access<\/strong><\/p>\n\u00a0As we understood more about these problems, and the hardships they were causing developers, we started work on a way to insulate the application from all these issues.<\/p>\n
Our goal? You – the developer – would write the application once and be done, yet it would support all the identity requirements customers have as they host it in different environments.<\/p>\n
This\u00a0was the same kind of problem we had in spades in the early days of computing. Back then, you needed to write separate code for each type of disk drive you wanted to support. There was no end to it. If you didn\u2019t support the new drives you\u2019d lose part of your market. So we needed the idea of a logical disk that was always the same.<\/p>\n
We can now do the same thing around identity. We use what we call the Claims Based model.<\/p>\n
A claim<\/em> is a statement by one subject about another subject. Examples: someone's email address, age, employer, roles, custumer number, permission to access something.\u00a0 There are no constraints on the semantics of a claim.<\/em><\/p>\nThe model starts from the needs of the application:\u00a0 you write your application\u00a0on the\u00a0assumption you can\u00a0get whatever claims you need.<\/p>\n
Then there is a standards-based architecture for getting you those claims. We call it the Identity Metasystem \u2013 meaning a system of identity systems.\u00a0<\/p>\n
\u00a0![\"\"](\"\/wp-content\/images\/2008\/10\/architecture.jpg\")
<\/p>\n
Here\u2019s how the architecture works. As I said, the application is in control. It specifies the kinds of claims it requires. The claims providers support protocols for issuing claims. You can also pop in claims providers that translate from one claim to another \u2013 we call this claims transformers. That makes the system very flexible and open.<\/p>\n
The technical name for a claims provider is a \u201cSecurity Token Service\u201d. You\u2019ll see the abbreviation STS on upcoming slides.<\/p>\n
The important thing here is that all existing identity mechanisms can be represented through claims and participate in the metasystem. As an app developer, you just deal with claims. But you get support for all permutations and combinations without getting your hands dirty or even thinking about it.<\/p>\n
I say \u201call\u201d to emphasize something \u2013 the open nature of this system. It accepts and produces identities from and for every type of platform and technology \u2013 no walled gardens.<\/p>\n
You can choose to get your identity from anywhere you wish.\u00a0 You can choose any framework to build your app.\u00a0 You can choose to use any client or browser.<\/p>\n
What's involved for the developer?<\/strong><\/p>\nLet me give you an example.\u00a0 I'll\u00a0peek ahead and\u00a0show you how the claims-based model is used in the Geneva Framework – new capabilities within .NET.\u00a0\u00a0Other frameworks would have similar capabilities, though\u00a0we think our approach is\u00a0especially programmer-friendly.\u00a0<\/p>\n
Basically, to answer the “Who are you?” question,\u00a0you write your app as per normal,\u00a0and simply\u00a0add this extra configuration to you app.config<\/strong> file:\u00a0<\/p>\n![\"\"](\"\/wp-content\/images\/2008\/10\/snippet_1.jpg\")
<\/p>\n
(There are a couple of more cut-and-paste lines needed, to make sure some modules are included, but otherwise\u00a0that\u2019s it.)<\/p>\n
Now, when a user hits your app, if they haven't been authenticated yet, they will get automatically redirected to the claims provider at https:\/\/sts1.contoso.com\/FederationPassive<\/strong>\u00a0to pick up their claims.\u00a0 The claims provider will get\u00a0your user\u00a0to authenticate, and if all goes well, will redirect\u00a0her back to your application with her identity set, and\u00a0any necessary claims available to your program.\u00a0 In other words, with zero effort on your part, no unauthenticated user will ever hit your app.\u00a0 Yet you are completely free to point your app at any claims provider on any platform made by any vendor and located anywhere on the Internet.<\/p>\nTo drill into the actual claim values, you use a technique like this:<\/p>\n
![\"\"](\"\/wp-content\/images\/2008\/10\/snippet_2.jpg\")
<\/p>\n
You\u2019ll see the Thread has a Current Principal, and the Principal has an Identity, so you get a Claims Identity interface as shown, then cycle through the claims or pull out the one you need.\u00a0 In this case, it is the claim with the type of “role” – in the the enum MyClaimTypes.Role…<\/p>\n
If you are an application developer,\u00a0we've already come to\u00a0the big takeaway of this presentation.\u00a0 You can get up and go home now.\u00a0 Everything else I\u2019m going to show you is just to give you a deeper understanding of all the\u00a0many use cases\u00a0and scenarios that can be supported through these mechanisms.<\/p>\n
Again, the claims shown in this example are implemented through well accepted industry standards.\u00a0The same code works with\u00a0claims\u00a0that come from anywhere, any platform, any vendor, any operating system, any cloud provider.<\/p>\n
Solving problems with claims<\/strong><\/p>\n{In the next segment<\/a>, I'll share the ideas I presented to my developer audience about how they could use claims to solve concrete problems.}<\/p>\n\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"
Sharing my presentation on Identity Software + Services at the Microsoft PDC<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[37,43,2,8],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1019"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1019"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1019\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1019"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1019"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1019"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"\/wp-content\/images\/2008\/10\/three_questions.jpg\")
Whether you are creating serious Internet banking systems, hip new social applications, multi-party games or business applications for enterprise and government, you need to know something about the person using your application. We call this identity.<\/p>\n