T2
- 1. Web2.0
OpenID
November 15 2007
Web2.0
ID
Copyright © 2007 Sun Microsystems K.K.
Copyright © 2007 Sun Microsystems K.K. All Rights Reserved. Page 1
- 2. Web2.0
• Web ID
• SAML
• OpenID
• CardSpace
• Liberty Alliance Project
Concordia
• OpenSSO
- 3.
2004 ( )
- 4. ID /
USB
IC
- 5.
• OASIS SAML (Security Assertion Markup Language)
• Liberty Alliance
- 6.
Web
Web
• Web
•
Web
- 7. ID = identification
• XML
- 8. Web ID
web
• Web
ID Web
Web :
- 9. blog
ID
TypePad blog
ID TypePad
- 10. Sun
SSO
• My Sun ID
Blogspot blog (Google Account )
• Check out http://TrayTable.blogspot.com!
- 11. Amazon
jyte.com ProoveMe OpenID
- 12. jyte :ProtectNetwork SAML ID /
OpenID
CardSpace
- 13. SSOCircle
• Web
- 14. • Identification:
• Authentication:
> RP
• Authorization:
ID ID Authz
[Diagram: Identity provider (login site); Relying party (web application or community); Browser (or other interface); User; flows labelled Authn and Authz]
[Diagram repeated on the next slide: Identity provider (login site); Relying party (web application or community); Browser (or other interface); User]
- 15. [Diagram: Identity provider (login site); Relying party (web application or community); Browser (or other interface); User]
[Diagram repeated: Identity provider (login site); Relying party (web application or community); Browser (or other interface); User]
- 16. SSO
[Diagram: IdP-vs-SP-initiated SSO. IdP-initiated: (1) Authenticate at the Identity Provider, (2) Access Service Provider successfully. SP-initiated: (1) Attempt access at the Service Provider, (2) Authenticate when asked, (3) Succeed in attempt]
• Lois Idp • Lois SP(RP)
• Lois SP(RP)
• SP(RP) IdP
SSO
• SSO +
> IdP RP
• IP
> RP
• SSO
> IdP
• Circle of Trust (CoT)
- 17. CoT (Circle of Trust : )
[Diagram: Circle of Trust with one IdP and SPs A through H]
• CoT
• SLA
IdP discovery)
• SSO RP (RP-initiated) IdP
> [Diagram: Identity provider (login site); Relying party (web application or community)]
– IdP GUI
– IdP
– RP IdP (CoT)
– IdP
- 18. SSO :
IdP / RP )
– 70-80%
• SLA
> “How long has THAT been there?”
• ID (Identifier) (personally identifiable information (PII))
> Email, .
> RP
- 19. • RP
> RP
• Identity 2.0 Web 2.0 Web (Lightweight identity)
> ID ( publishable ID)
:“me generation”
ID
> wiki
> Web2.0 ID
• Web
> RP
> Web
- 20. 2:“Trust no one”
IdP RP
• IdP
• RP
[Diagram: Identity provider (login site); Relying party (web application or community); Browser (or other interface); User]
3: “Do What I mean”
• ...
> SSO
- 21.
SAML
● Comprehensive use case coverage
● Comprehensive challenge solutions, except IdP discovery
● Can be deployed to do any user centricity type
● Consistent user experience, XML message formats
● “Trust no one”, “me generation” in part
OpenID
● Simple use case coverage
● Strong on IdP discovery but weak on other challenges
● “Do what I mean” philosophy
● The very definition of “me generation”
CardSpace
● “Smart client” component
● Addresses web authentication challenges
● The very definition of “trust no one”
- 22. SAML
SAML ?
• “an XML-based framework for marshaling security and identity information and exchanging it across domain boundaries”
> SAML V2.0 Liberty ID-FF
> B2B, B2C, G2C...
• Google Search Appliance...
- 23. • (SSO)
> Distributed transaction
> Authorization Service
• SAML 1.x SSO
• SAML = Security Assertion Markup Language
SAML
• SAML “subject” “statement”:
> Authentication
> Attribute
> Authorization decision
• SAML
• XML
- 24. SAML
[Diagram: SAML architecture]
Profiles combining binding, assertion, and protocol use to support defined use cases: Web browser SSO, Enhanced client SSO, IdP discovery, Single logout, ... Custom
Protocols to get assertions and do identity mgmt: Assertion query/request, Authentication request, Name ID management, Single logout, ... Custom
Assertions of authn, attribute, and entitlement information: Authentication statement, Attribute statement, Authz decision statement, Custom
Bindings onto standard communications protocols: HTTP redirect, HTTP POST, HTTP artifact, SAML URI, SOAP over HTTP, PAOS, Custom
Authentication context classes to describe types of authentication performed/desired
Attribute profiles for interpreting attrib semantics
Metadata to describe provider abilities and needs
Operational modes for use in conformance testing and RFPs: IdP, SP, IdP Lite, SP Lite, Enhanced client, ...
• Issuer ID timestamp
• Assertion ID
• Subject
> Name security domain
> “Conditions”
• SAML conditions
> condition:
• “advice”
- 25. <saml:Assertion
    MajorVersion="1" MinorVersion="0"
    AssertionID="128.9.167.32.12345678"
    Issuer="Smith Corporation"
    IssueInstant="2001-12-03T10:02:00Z">
  <saml:Conditions
      NotBefore="2001-12-03T10:00:00Z"
      NotOnOrAfter="2001-12-03T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>…URI…</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:Advice>
    …a variety of elements can go here…
  </saml:Advice>
  …statements go here…
</saml:Assertion>
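The slide above shows the skeleton of a SAML 1.x assertion with its Conditions: a validity window (NotBefore / NotOnOrAfter) and an audience restriction. As an added example that is not part of the original deck, the Python below evaluates those conditions the way a relying party should before trusting any statement in the assertion. It assumes the SAML 1.0 assertion namespace declaration, which the slide omits, and fills the elided audience URI with a constructed value.

```python
# Added example (not from the slides): checking the <saml:Conditions> of the
# SAML 1.x assertion shown above before a relying party trusts its statements.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# SAML 1.x assertion namespace; the slide's snippet omits the xmlns declaration,
# so this example adds it (assumption) to make the XML parseable.
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1_NS}

# Constructed sample modelled on the slide's assertion; the elided Audience URI
# is filled with a placeholder relying-party identifier.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1_NS}"
    MajorVersion="1" MinorVersion="0"
    AssertionID="128.9.167.32.12345678"
    Issuer="Smith Corporation"
    IssueInstant="2001-12-03T10:02:00Z">
  <saml:Conditions NotBefore="2001-12-03T10:00:00Z"
                   NotOnOrAfter="2001-12-03T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example.com/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>
"""


def parse_instant(value):
    """Parse the UTC xsd:dateTime form SAML uses, e.g. "2001-12-03T10:02:00Z"."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, expected_audience, now, clock_skew_seconds=0):
    """Return (ok, reason) for the validity window and audience restriction.

    `now` may be a timezone-aware datetime or a SAML instant string.
    NotBefore is inclusive and NotOnOrAfter is exclusive, as their names say;
    clock_skew_seconds is the tolerance the relying party allows for clock
    drift between itself and the issuer.
    """
    if isinstance(now, str):
        now = parse_instant(now)
    skew = timedelta(seconds=clock_skew_seconds)

    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return True, "no Conditions element: nothing to check"

    not_before = conditions.get("NotBefore")
    if not_before and now + skew < parse_instant(not_before):
        return False, "assertion not yet valid"

    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
        return False, "assertion expired"

    # Every AudienceRestrictionCondition present must name this relying party;
    # an assertion issued for another site must not be accepted here.
    for restriction in conditions.findall("saml:AudienceRestrictionCondition", NS):
        audiences = {a.text.strip() for a in restriction.findall("saml:Audience", NS) if a.text}
        if expected_audience not in audiences:
            return False, "audience restriction does not include this relying party"

    return True, "conditions satisfied"


if __name__ == "__main__":
    inside_window = datetime(2001, 12, 3, 10, 2, 30, tzinfo=timezone.utc)
    print(check_conditions(SAMPLE_ASSERTION, "https://sp.example.com/", inside_window))
```

The window check is the replay and reuse limit the Conditions element exists for: the five-minute span on the slide is the whole lifetime of this assertion, and the audience restriction stops an assertion meant for one site being presented to another. Verifying the XML Signature over the assertion (listed separately on the next slide) comes first; a condition check on an unsigned or unverified assertion proves nothing.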
• Internet Protocol
• Internet Protocol Password
• Kerberos
• Mobile One Factor Unregistered
• Mobile Two Factor Unregistered
• Mobile One Factor Contract
• Mobile Two Factor Contract
• Password
• Password Protected Transport
• Previous Session
• Public Key – X.509
• Public Key – PGP
• Public Key – SPKI
• Public Key – XML Signature
• Smartcard
• Smartcard PKI
• Software PKI
• Telephony
• Nomadic Telephony
• Personalized Telephony
• Authenticated Telephony
• Secure Remote Password
• SSL/TLS Cert-Based Client Authentication
• Time Sync Token
• Unspecified
• Your own customised classes...
- 26. :
web browser SSO
• SSO
• federation
[Diagram: Web browser SSO profile built from the Authentication request protocol, the Authentication statement, and the HTTP redirect, HTTP POST and HTTP artifact bindings]
SAML :SP-initiated/redirect/POST
[Diagram: SP-initiated SSO with redirect and POST bindings. Service Provider sp.example.com (Assertion Consumer Service), Identity Provider idp.example.org (Single Sign-On Service). (1) User or UA action: access resource? (2) Access check. (3) Redirect with <AuthnRequest>. (4) GET using <AuthnRequest>; IdP discovery can be by special cookie or any other means. (5) Challenge for credentials; user login; signed <Response> in HTML form. (6) POST signed <Response> to the Assertion Consumer Service. (7) Supply resource.]
- 27. :IdP-initiated/POST
[Diagram: IdP-initiated SSO with POST binding. Service Provider sp.example.com (Assertion Consumer Service), Identity Provider idp.example.org (Single Sign-On Service). (1) Challenge for credentials; user login. (2) Select remote resource. (3) Signed <Response> in HTML form. (4) POST signed <Response> to the Assertion Consumer Service. (5) Access check. (6) Supply resource.]
: enhanced client / proxy SSO
• [Diagram: Enhanced client SSO profile built from the Authentication request protocol, the Authentication statement, and the SOAP over HTTP and PAOS bindings]
- 28. ECP
[Diagram: Enhanced Client or Proxy (ECP) SSO. Service Provider sp.example.com (Assertion Consumer Service), Identity Provider idp.example.org (Single Sign-On Service), Enhanced Client or Enhanced Proxy acting as SOAP intermediary. (1) Access resource. (2) <AuthnRequest> in PAOS response. (3) <AuthnRequest> in SOAP request. (4) Signed <Response> in SOAP response. (5) Signed <Response> in PAOS request. (6) Supply resource.]
SSO +
[Diagram: account federation across AirlineInc.com, CarRental.com and HotelBooking.com. Book flight logged in as johndoe at AirlineInc.com. Prepare to rent car logged in as jdoe at CarRental.com; accept offer of federation with AirlineInc.com. Prepare to book hotel logged in as johnd at HotelBooking.com; accept offer of federation with AirlineInc.com. One federated pair agrees on azqu3H7 for referring to Joe, the other on f78q9c0 (in each case neither side knows the ID used on the other side).]
- 29. SP IDP ID
[Diagram: Opaque Handle. The User (Browser) authenticates to the Identity Provider's Authentication Service with UserID = Jsmith, Password = Rigol3tt0! and to the Service Provider's App with UserID = Joe, Password = CaRm3N; both providers refer to the user only by OpaqueHandle = XYZ. Liberty Federation (Linking of Accounts).]
Local ID   IdP      Linked ID   |   Linked ID   SP       Local ID
jdoe       Airline  61611       |   61611       Cars     john
jdoe       Bank     71711       |   61612       Hotels   john
mlamb      Airline  81811       |   61621       Cars     mary
[Diagram: SP-initiated SSO with a persistent pseudonym. Service Provider cars.example.com (Assertion Consumer Service) and Identity Provider airline.example.com (Single Sign-On Service), each with its own identity store; the user has local ID john at airline.example.com and local ID jdoe at cars.example.com, and the providers share the persistent pseudonym NameID="61611" and attributes. Labelled steps: access resource; access check; challenge for credentials, user login as jdoe, opt-in?; convey <AuthnRequest> asking for persistent pseudonym; pass along <AuthnRequest>; challenge for credentials, user login as john; convey signed <Response> about 61611; pass along signed <Response>; supply resource.]
- 30. :
• Mon.Service-Public.fr
Google Apps
Google Apps Education Edition
2.5
Google Provisioning API
SAML Single Sign-On (SSO) API
Provisioning API Google Apps
SSO
IT Google
Web 2.0 API
Google Apps Education Edition
http://www.google.co.jp/a/help/intl/ja/edu/customers/nihon_university.html
- 31. SAML
• Federated identity : IdP RP
• Web ECP
• IdP discovery: cookie
: IdP IdP
• : (Liberty Alliance )
OpenID
- 32. OpenID ?
• “an open, decentralized, free framework for user-centric digital identity”
• Web URL (or XRI) namespace
> Web
• “Web 2.0” wiki SNS
- 33. OpenID
• OpenID
> ID
> OpenID consumer (RP) OpenID ID (IdP) URL XRI
Web Page URL XRI
> ID
• Simple Registration extension email
OpenID (V1.1)
• Sign up ID
• <link rel="..."> magic Web RP URL OpenID
• sign on OpenID RP
• RP
• OP (OpenID Provider) confirmation ( RP OpenID RP
• See http://simonwillison.net/2006/openid-screencast/
- 34. OpenID – (part 1)
jyte.com
claimid.com (my IdP)
OpenID – (part 2)
claimid.com
jyte.com
transparent
- 35. Project Concordia
projectconcordia.org
OpenID openid.sun.com
openid.sun.com URL
openid.sun.com
projectconcordia.org
SP-initiated simplified sign-on with OpenID
[Diagram: SP-initiated simplified sign-on with OpenID. OpenID Consumer / RP (e.g. projectconcordia.org) and OpenID Provider (OP) (e.g. prooveme.com). (1) User or UA action: access site? (2) Display OpenID prompt page. (3) User login; OpenID sent with GET or POST. (4) RP discovers OP thru OpenID resolution. (5) Optionally set up symmetric session key (can be remembered for future interactions). (6) Redirect to OP. (7) Challenge for credentials. (8) User or UA action at the OP. (9) POST Authentication response (and maybe Simple Reg attributes). (10) Allow access.]
- 36. OpenID
• “ digerati”
Sources : USA Today (March, 2007), GoogleTrends (April, 2007), Technorati (April, 2007)
OpenID ( )
prooveme.com
http://openiddirectory.com/
- 37. OpenID SSO
• RP + ID) Web
• + IdP IdP
– ( IdP )
– SSO
OpenID
• OpenID SSO
– OpenID (identity federation)
> OpenID
• SSO OpenID
> OpenID ID
> Web E-Mail
- 38. OpenID
• ID
> ProtectNetwork.com (also gives “SAML IDs”), MyOpenID.com, ProoveMe.com...
> AOL http://openid.aol.com/screenname
> Sun openid.sun.com
• Web shita.com
• OpenID
OpenID2.0 1.X
• OpenID 2.0 ( 1.1 ):
> XRI XRDS
> IdP-initiated ( RP )
> ( OpenID )
> One-time OpenID
- 39. OpenID
• > http://wiki.openid.net/OpenID_Phishing_Brainstorm
• URL URL Consumer
> http://wiki.openid.net//Replay_Attack_Prevention
• reputation
AOL reputation
• AOL OpenID (10/30/2007):
> 1. myopenid.com
> 2. claimid.com
> 3. livejournal.com
> 4. verisignlabs.com
> 5. myvauthid.com
> 6. openid.sun.com
> 7. myvidoop.com
> 8. signon.com
> 9. idtail.com
> 10. xlogon.net
> 11. idproxy.net
> 12. typekey.com
> 13. sxipper.com
> 14. alwaysknownas.com
> 15. myID.net
- 40. SAML OpenID
• OpenID Web
> URL UI
• SAML OpenID *
IdP discovery
> FOSS ( wrapper hard coding )
• SAML “circles of trust” SLA
• * http://blogs.sun.com/superpat/entry/yadis%2Fxri_identifier_resolution_with_saml, http://www.protectnetwork.com, and http://www.ssocircle.com
OpenID
• Federated identity : simplified sign-on ID “me generation” OpenID
• “do what I mean” (not “trust no one”)
• Diffie-Hellman
• Web
• IdP discovery: IdP
: IdP,RP
- 41. CardSpace
Windows CardSpace ?
• “a Microsoft .NET Framework version 3.0 component that provides the consistent user experience required by the identity metasystem”
• – Card selector “trust no one” IdP/RP
– claim
• Web
– OS
- 42. CardSpace identity selector
• IdP STS)
> managed cards IdP claim
– CoT namespace
claim self-asserted card
> IdP identity selector
– RP
• > RP IdP RP
CardSpace RP-initiated simplified
sign-on [Diagram: CardSpace RP-initiated simplified sign-on. Information card-accepting RP; STS that is a managed-card identity provider (IP) for a particular card; CardSpace identity selector holding Card 1, Card 2, ... (1) Access resource? (2) Send RP policy reqmts. (3) Match RP policy requirements to available IP policy capabilities. (4) User action: select one card out of those available that match the policy intersection and select any optional claims asked for. (5) Authn and request claims from the appropriate IP based on card selection. (6) Send claims. (7) Optionally encrypt claims for RP. (8) Convey claims to RP. (9) Supply resource.]