Skip to main content

Kynetx Impact Conference - notes - morning day 2

Posted by haroldcarr on November 19, 2009 at 6:42 PM PST

==============================================================================
9:00-9:45 am
User-Centric Identity in the Client-Side Revolution
Kim Cameron
Microsoft Chief Architect of Identity, Distinguished Engineer

Identity
- the stuff of poets and philosophers

Digital Identity
- Recognize us in different contexts
- foundation for personalization
- need to traverse silos
- need for contextual separation
- each person has mosaic of identities

Architectural problem
- internet was not designed with any way to know who you're connected to
- current identity: patchwork quilt of kludges

Identity metasystem - identity layer for internet
- across OS, vendors, industries, protocols, nations
- no vendor ownership
- identity options and choices
- allow user to see different aspects of digital life in holistic way
- promote understanding, control and privacy
- can we have a visual paradigm for understanding and selecting identity
  that at least gives people parity with files?
- federation fabric does not mean uber-identity

Claims-based model
- abstraction layer for authentication, authorization, obtaining
  info about users, devices and services
- claim: statement made by one subject about another
  that is in doubt
  email = kcameron@microsoft.com
  age > 21
  manager = John Doe
  role = architect
- identity metasystem: open standards-based architecture
  for exchange of claims under user control
- claims transformers that match impedance
- write to model, let infrastructure adapt to environment

CB access: classic triangle:

  claims                    App
 Provider               Requires Claims

           Subject

Reusable Identities
- make service available without high admin burden (off-load authen/author)
- app available to more than just employees

Identity Federation
- framework for building apps
- server - claims provider (integrated with directory or DB)
- infocard selector
  federation client that puts users in control
  handles home realm discovery
  provides active security features

AD Federation Service
- Industry standards and protocols
- works with any other federation software or service
- supports info cards
- built into AD - present in 90% of middle/large corps
- RTW Q1 2010

Example: Cloud Services
- Federation gateways as key part of their cloud backbone
- governments doing the same
- brokers access to cloud apps and dev services
- single federation relationship to access any service
- compliant with SAML, WS-Federation, WS-Trust, OpenID

Consumer space: OpenID
- Metasystem model
- big service providers supporting: Yahoo, AOL, Google, Windows Live
- Many small providers (e.g., universities)
- US Gov support
- widely available software for ISVs
- SEVERE security issues being worked on by industry

Minimal Disclosure Token (need-to-know system)

Identity Provider (has address, drivers license, DOB, ...)

                     Relying Party (prove you are over 21 and from WA)

USER  (only send "over 21 == true" not DOB, address, drivers license, ...)

Laws of identity
- user control and consent
- minimal disclosure for a constrained use
- justifiable parties
- ...

freeing directory
- we need a directory metasystem that works in the cloud, in enterprises
  and organizations and on devices
- shared architecture, data model and semantics, protocols, publication
- policy framework for config
- simple apis integrated with developer platforms

Constraints
- app dev experience the same
- same user experience regardless of device
- directory must be insulated from its success
- directory shouldn't need to trust the apps that use it
  need to support per-service shadow identity stores

New demands
- relationships and multiple identifiers
- cross directory federation and virtual teams
- multi tenant (mergers and acquisitions)
- partitioning (data and workload)
- extensible without disruption
- support RSS, REST, WS*, .NET, Win32...
- simplify common tasks
- complex query, polyarchy
- use ubiquitous tooling

claims naming
- claims transformers
- standards
- legal agreements are harder

------------------------------------------------------------------------------
10:00-10:45 am
Leveraging the Purpose-centric Web, New Tools & Technologies to Change
   Your Business
Tim Christin, Sr. VP Identity Solutions, Acxiom Corp.

Examples - cross site - does not require buy in from sites
- employee discount cards
- safety recalls
- loyalty programs

How does a Kynetx developer get hold of Acxiom data?
- that conversation is in process

------------------------------------------------------------------------------
11:00-11:45 am
Building Purpose-Centric Apps with KRL - Advanced
Sam Curren, Kynetx Lead Developer

examples
- annotate search results
- bookmarklet (both as deployment method and debugging)
- supports versioning and testing new undeployed versions
- errorstack.com - integrated with kynetx
- use firebug - kynetx library available in firebug evaluation page