A quickstart on Identity
Identity is an area getting a log of attention in the blogosphere lately. Specifically, I've been following Kim Cameron's Identity Blog, and checking out the buzz around InfoCard and ADFS. I’ve put together a bit of a cheat sheet below to save you some time searching and trying to grok this stuff
Let’s start with Identity and try to quickly get up to speed on the basics of Identity in general. To do that, let’s plug into Kim Cameron’s headspace on this topic.
Kim Cameron and Identity:
Who is this guy?
- Kim is an Architect at Microsoft who works on Identity and Identity Access. This topic blew wide open when he started his identity blog and got a fantastic open discussion going with many others from all sorts of backgrounds, companies, beliefs etc.
Can I meet him?
- Sure, grab a coffee and kick back and watch the conversation he had with Scoble on Channel9
Kim's Identity blog
His Laws of Identity MSDN article
- Follow the rest of his blog where he quite often likes to find examples where
If you don't have time to read the above whitepaper, here's a summary of the Laws from one of Kim's posts: The Laws of Identity in Point Form
1. User Control and Consent:
Digital identity systems must only reveal information identifying a user with the user's consent. (Starts here...)
2. Limited Disclosure for Limited Use
The solution which discloses the least identifying information and best limits its use is the most stable, long-term solution . ( Starts here...)
3. The Law of Fewest Parties
Digital identity systems must limit disclosure of identifying information to parties having a necessary and justifiable place in a given identity relationship. ( Starts here...)
4. Directed Identity
A universal identity metasystem must support both "omnidirectional" identifiers for use by public entities and "unidirectional" identifiers for private entities, thus facilitating discovery while preventing unnecessary release of correlation handles. ( Starts here...)
5. Pluralism of Operators and Technologies:
A universal identity metasystem must channel and enable the interworking of multiple identity technologies run by multiple identity providers. ( Starts here...)
6. Human Integration:
A unifying identity metasystem must define the human user as a component integrated through protected and unambiguous human-machine communications. ( Starts here...)
7. Consistent Experience Across Contexts:
A unifying identity metasystem must provide a simple consistent experience while enabling separation of contexts through multiple operators and technologies. ( Starts here...)
Identity Metasystem & InfoCard
Ok, now that you have the basics of where Kim’s headspace on Identity is, it’s time to look at his whitepaper on the Identity MetaSystem
Ensure you have a read through the full paper get the full context of what it’s all about, but if you want to know what our plans are in this area, I pulled out a snippet so you see where InfoCard starts to fit in as well as ADFS.
Microsoft's Implementation Plans ( full article here )
- Microsoft plans to build software filling all roles within the identity metasystem (while encouraging others to also build software filling these roles, including on non-Windows platforms). Microsoft is implementing the following software components for participation in the metasystem:
- "InfoCard" identity selector: "InfoCard" is the code name for a WinFX component that provides the consistent user experience required by the identity metasystem. It is specifically hardened against tampering and spoofing to protect the end user's digital identities and maintain end-user control. A visual "Information Card" in the client user interface represents each digital identity managed by "InfoCard". The user selects identities represented by "InfoCards" to authenticate to participating services.
- "InfoCard" simple self-issued identity provider: "InfoCard" also includes a simple identity provider that enables individual PC users to create and utilize self-issued identities, enabling password-free strong authentication to relying parties. A self-issued identity is one where the user vouches for the information they are providing, much like users do today when registering with a Web site. We are implementing the simple self-issued identity provider to help bootstrap the identity metasystem; we believe self-issued identities will continue to be accepted for certain classes of services. Identities hosted in the simple self-issued identity provider will not include or store sensitive personal information, such as Social Security numbers (or other national ID numbers if these are developed) or credit card numbers. Self-issued identities are not intended to provide the full range of features that a managed identity provider can offer - the market is wide open for companies to provide managed identity solutions to consumers.
- Active Directory identity provider: This is a managed identity provider integrated with Active Directory. It includes a full set of policy controls to manage the use of Active Directory identities in the identity metasystem. Active Directory Federation Services, a new Active Directory feature shipping in Windows Server 2003 R2, is the first step to integrating identities in Active Directory with the identity metasystem.
- "Indigo": The code-named "Indigo" Web services run time provides developers a way to rapidly build and deploy distributed applications, including relying party services in the identity metasystem.
Starting to bring everything together – Andy Harjanto’s blog
Ok, interesting stuff. Now, here’s where it gets really cool and more tangible. On Kim’s blog I ended up finding Andy Harjanto's blog who has some awesome posts on working with InfoCard and Indigo.
In this post Andy points to some articles for background information but then jumps straight into showing you how to start the “InfoCard Service”, then go in and play around with the UI a bit.
Go to his main blog page and then cruise up through the rest of his posts as he does a fantastic job of bringing all of this stuff down to real tangible examples (and code!). I’m definitely subscribed to Andy’s blog!!