Conference Architect Insight 2007, Active or Passive Federation for the Enterprise

Steve Plank, Identity Architect, Microsoft

- Federation Flow
- Home-realm discovery is the process of knowing, of all the trust relations I have, which one will be the one that applies to me
- All the redirection is done using HTTP 302
- Check the WS-Federation Passive Requestor *Interoperable* Profile protocol; the latest version is from 2006
- ADFS Limitations:
 - Browser only, no web services
 - Home realm discovery
 - Domain-centric viewpoint
  - All trust decisions made centrally, one-by-one
  - Doesn't scale; users not involved
- Identity Metasystem Protocols, check www.identityblog.com
- In active federation, the client has the option of looking at the token and aborting it. This is something that does not happen in passive federation
- Shift of Emphasis
 - The user is in control, home realm discovery is selecting an IP
 - Identity selector, allows the user to select an identity provider and coordinates protocol flow and user experience
- The identity provider is a web service following standards
- Implementation: X.509, Web and Web Service Protocols
- Windows CardSpace:
 - Easily and safely manage your digital identities
 - Authenticate with web sites and web services
- Is easier:
 - No usernames and passwords
 - Consistent login and registration
- Is safer:
 - Avoids phishing
 - Multi-factor authentication
- The relying party says which IPs it will trust
- Information Cards
 - Signed XML metadata describing an identity provider
- CardSpace and the Enterprise
 - Eventually all MS products will interact with CardSpace
 - ADFS v 2.0 will respond directly to CardSpace requests
 - In about 3 years it will be pretty normal to use cards to log in
- Key: Trust is local
- When to use cards?
 - Integrated authentication, nothing gets in the way, perfect inside the firewall
 - Information Cards, no username and password, just select a card, explicit security boundaries
- Future: Dual Architectures?
- ADFS 2
- Conclusion:
 - Information Card architecture provides benefits to the federated enterprise
 - However, the "User" is in control
 - Simplification and visualization allow IT to devolve control to resource owners
 - Setting access control policy for relying parties becomes simple
 - Ultimately, we reap the benefits of a single user experience at home and in the enterprise
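The notes above describe two flows: the passive one, where the relying party bounces the browser to the identity provider with an HTTP 302 and later validates the token it gets back, and the active one, where the client holds the token and may inspect it and abort before presenting it. The following is an added example, not code from the talk or from Microsoft, that simulates both sides of each flow. It assumes constructed realm and endpoint values and stands in a small HMAC-signed JSON document for the X.509-signed SAML token a real WS-Federation deployment would use; the parameter names `wa`, `wtrealm` and `wctx` are the ones the WS-Federation passive profile defines.

```python
"""Added example (not from the talk or from Microsoft): a minimal simulation of
WS-Federation passive sign-in versus active federation.  Real deployments use
signed SAML tokens and X.509 certificates; here the token is a small JSON
document signed with HMAC-SHA256 under a key shared by the identity provider
(IP) and the relying party (RP), which is an illustration-only assumption."""
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values (assumptions, not taken from the talk).
RP_REALM = "https://rp.example.test/"
IP_ENDPOINT = "https://sts.example.test/signin"
SHARED_KEY = b"demo-signing-key-not-for-production"


def passive_signin_redirect(rp_realm: str, ip_endpoint: str, return_path: str) -> tuple:
    """RP side of the passive flow: an unauthenticated browser request is
    answered with an HTTP 302 to the IP carrying the WS-Federation sign-in
    parameters (wa, wtrealm, wctx).  wtrealm tells the IP who the token is for;
    wctx lets the RP resume where the user left off once the token comes back."""
    query = urlencode({"wa": "wsignin1.0", "wtrealm": rp_realm, "wctx": return_path})
    return 302, f"{ip_endpoint}?{query}"


def parse_signin_request(location: str) -> dict:
    """IP side: pull the sign-in parameters out of the redirect it received."""
    params = parse_qs(urlparse(location).query)
    return {name: values[0] for name, values in params.items()}


def issue_token(key: bytes, audience: str, subject: str, claims: dict) -> str:
    """IP side: issue a token bound to the requesting realm (audience) and sign it,
    so a token minted for one RP cannot be replayed against another."""
    body = json.dumps({"aud": audience, "sub": subject, "claims": claims}, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "sig": sig})


def validate_token(key: bytes, token: str, expected_audience: str) -> dict:
    """RP side: verify the signature, then the audience, before trusting any claim.
    Raises ValueError on failure, so a forged or mis-addressed token yields nothing."""
    envelope = json.loads(token)
    expected_sig = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, envelope["sig"]):
        raise ValueError("token signature invalid")
    body = json.loads(envelope["body"])
    if body["aud"] != expected_audience:
        raise ValueError("token issued for a different realm")
    return body


def active_client_submit(token: str, allowed_claim_names: set) -> bool:
    """Active federation: the client holds the token and can read it before
    sending it on.  Here it aborts (returns False) when the IP disclosed claims
    the user did not agree to release; in the passive flow the browser just
    forwards the token and never gets this choice."""
    body = json.loads(json.loads(token)["body"])
    return set(body["claims"]) <= allowed_claim_names


if __name__ == "__main__":
    status, location = passive_signin_redirect(RP_REALM, IP_ENDPOINT, "/secure/report")
    print(status, location)
    request = parse_signin_request(location)
    token = issue_token(SHARED_KEY, request["wtrealm"], "alice", {"email": "alice@example.test"})
    print(validate_token(SHARED_KEY, token, RP_REALM))
    print("active client submits:", active_client_submit(token, {"email"}))
```

The audience check is the part practitioners most often drop when hand-rolling federation: a signature proves the IP issued the token, but only the realm (audience) check proves it was issued for this relying party.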



Published Tuesday, March 06, 2007 10:11 AM by António Cruz
