PS2009 — Stefan Brands, Microsoft

Feb 3rd, 3:10pm

Dr. Stefan Brands was in town this week so even though he wasn’t on the original program, the organizers decided to add Microsoft’s newest addition to the conference.  Brands is now an Principal Architect in the Identity and Security Division.  

The first part of the presentation was standard Identity 2.0 stuff. A User accesses a Service Provider (SP), who in turn asks for one or more claims. User then authenticates to an Identity Provider (IdP) to get required claims.  Claims are passed by user to Service Provider.  Access granted.  

Mr. Brands explained how Geneva — a major new release of Microsoft Active Directory Federation Services — fits into each part of the user-centric model:

  • Used by the IdP, Geneva Server will provide claims (including SAML 2.0);
  • CardSpace Geneva will provide user control over distribution of claims by offering an active client; and
  • Geneva Framework will provide tools to applications to accept and process claims.

The interesting part of the presentation was the discussion how U-Prove technology (from Credentica, Brands’ old company) is being incorporated into Geneva to allow for more refined handling of claims by CardSpace users.  As examples:

  • Users can selectively disclose some claims, but not all, to an SP.  If a CardSpace card had six attributes, but the user only needed one to access the services, the user could mask the other five claims.
  • Users can strip down the claims to bare minimum to maximize privacy protection.  For example, if an SP only needed to know that the user was a resident of Quebec, it only would need the first letter of the postal code — “H”.  The user could hide the remaining five characters in the postal code string and only supply the first one to prove residency.

Interesting stuff.

In response to a question, Mr. Brands differentiated federated identity from user-centric by saying that only user-centric identity management is suitable to the large-scale, citizen-oriented systems that government need to deploy. In his view, federation is best suited to enterprise applications and services that are shared between business partners.


Author: code

Mike Waddingham is senior Information Technology management consultant with over 30 years of industry experience. He is the owner of Code Technology Corp.