Active Directory Federation Services, Part 1: How Do They Really Work?
John Craddock ([email protected]), Infrastructure and Security Architect, XTSeminars Ltd
SIM402
Application Authentication
Within your environment, Windows Authentication provides single sign-on for all applications
Windows Authentication provides details of the authenticated user and group membership
Developer Challenges
If the developer wants information about the user that is held in Active Directory, the application has to extract the attribute values itself
The developer must understand AD
Hardcoded LDAP query strings
Continual reinvention of the wheel
Access from the Internet
Without a VPN, DirectAccess or authentication proxy solution, Kerberos fails
Requires developers to use a different authentication model
Kerberos, NTLM, Basic, Digest, Forms?
Application in the Cloud
How do we handle authentication if we move an enterprise application to the Cloud?
The Microsoft BPOS dedicated service co-locates the organisation's AD directory: your DCs are hosted in the Microsoft datacentre
Allowing Access by Partners
Requires YOU to hold account and profile details for all of your partner’s users that need to access the application
YOU must manage the life-cycle of those users. Does your partner keep you informed of changes?
The partner’s users need to remember yet another password
The Answer
Create an identity (includes authentication) framework that can be consumed by all applications regardless of their location
Allow an identity token to carry more information than just the user and group memberships
Trust your partners to authenticate their users
Solution based on industry standard protocols
Make it work for browsers and web services
The Solution
Many players in the game… The Microsoft solution: Active Directory Federation Services
The latest release is AD FS v2.0
Federation of Identity
Key Concepts
Identity Provider (IP): the organisation, with its Active Directory, that authenticates the user
Security Token Service (STS): the issuer (IP-STS). The user / subject / principal requests a token for AppX and the STS issues a security token crafted for AppX
Relying party (RP) / resource provider: AppX, which trusts the security token from the issuer
The security token contains claims about the user, for example:
Name
Group membership
User Principal Name (UPN)
Email address of user
Email address of manager
Phone number
Other attribute values
The security token (ST) is signed by the issuer and "authenticates" the user to the application
Claims-Aware Application
The application makes authorization decisions based on the claims contained in the security token
No longer required to make authentication decisions
Same authorisation logic for Application deployed on the Intranet or as a Cloud service
Receiving claims from its own organization’s users or users from trusted partners
Building Claims-Aware Applications
Windows Identity Foundation (WIF) provides a common programming model for claims
Used by Windows Communication Foundation (WCF) and ASP.NET applications
Validates the incoming security token and parses the claims that are inside
SharePoint Services and SharePoint 2010 can be enabled to support claims-based identity
Configured via wizard and PowerShell
Standards and Protocols
ADFS v2.0 supports both active and passive clients
Active clients interact via web services
Passive clients interact via browser requests
Support for industry standard protocols allows interoperability with third-party solutions
WS-Federation (SharePoint requires WS-Federation v 2)
WS-Trust
SAML: SAML refers to both a format for the security token and a protocol (SAML-P)
SAML 1.1 and 2.0 tokens can be transported by WS-*
Demo: Federation, the user experience
Passive client, ADFS STS, claims-aware app and Active Directory:
Browse app; not authenticated
Redirected to the STS; the user authenticates
The STS queries AD for the user's attributes and returns a security token (ST)
The browser sends the token to the app
The app trusts the STS: it processes the token and returns cookies and the page
Working with Partners
Partner user, partner ADFS STS & IP, your ADFS STS, your claims-aware app and your Active Directory:
Browse app; not authenticated
Redirected to your STS
Home realm discovery: redirected to the partner STS, requesting an ST for the partner user
The partner user authenticates; the partner STS returns an ST for consumption by your STS
Your STS processes the token and returns a new ST
The browser sends the token to the app, which returns cookies and the page
The app trusts your STS; your STS trusts your partner's STS
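In both flows above the last step at the claims-aware app is "process token". The following is an added example, not code from the presentation (in the real stack WIF does this work), showing the checks a relying party makes before a security token is allowed to "authenticate" the user: the issuer is the STS this application trusts, the certificate named in the token is one whose thumbprint was pinned when the trust was set up, the validity window is current, and the audience is this application, because a token crafted for AppX must never log someone into AppY. The wresult is a constructed SAML 1.1 assertion (the form AD FS 2.0 issues to WS-Federation passive clients) with contoso.com names, a placeholder certificate and a placeholder signature value. Cryptographic verification of the XML signature needs an XML-DSig implementation and is the one step not reproduced here.

```python
"""Relying-party checks at the 'process token' step (added example).

The sample token is constructed: contoso.com names, a 4-byte placeholder in
place of a real X.509 certificate and a placeholder signature value. The XML
signature itself is not verified here (that needs an XML-DSig library);
everything else the relying party must check is.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
APP_REALM = "https://app1.contoso.com/"  # this application's realm / expected audience

# Pinned when the trust was established (e.g. from federation metadata).
TRUST = {
    "issuer": "http://sts1.contoso.com/adfs/services/trust",
    "thumbprints": {hashlib.sha1(base64.b64decode("MIIBaQ==")).hexdigest().upper()},
}

# Constructed wresult, as the browser would POST it back to the application.
SAMPLE_WRESULT = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
 <t:RequestedSecurityToken>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1"
    AssertionID="_1a2b3c4d" Issuer="http://sts1.contoso.com/adfs/services/trust"
    IssueInstant="2010-11-09T10:00:00.000Z">
   <saml:Conditions NotBefore="2010-11-09T10:00:00.000Z" NotOnOrAfter="2010-11-09T11:00:00.000Z">
    <saml:AudienceRestrictionCondition><saml:Audience>https://app1.contoso.com/</saml:Audience></saml:AudienceRestrictionCondition>
   </saml:Conditions>
   <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>alice@contoso.com</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="upn" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
     <saml:AttributeValue>alice@contoso.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="role" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims">
     <saml:AttributeValue>Purchasers</saml:AttributeValue><saml:AttributeValue>Managers</saml:AttributeValue></saml:Attribute>
   </saml:AttributeStatement>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBaQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  </saml:Assertion>
 </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""


def utc_time(iso):
    """'2010-11-09T10:00:00.000Z' -> timezone-aware UTC datetime (fraction ignored)."""
    return datetime.strptime(iso[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def process_token(wresult, trust, app_realm, now, skew=timedelta(minutes=5)):
    """Return (claims, None) if the token may authenticate the user, else (None, reason)."""
    assertion = ET.fromstring(wresult).find(".//saml:Assertion", NS)
    if assertion is None:
        return None, "no SAML 1.1 assertion in wresult"
    # 1. Only tokens from the STS this application trusts.
    if assertion.get("Issuer") != trust["issuer"]:
        return None, "issuer is not the trusted STS: %s" % assertion.get("Issuer")
    # 2. The signing certificate must be one pinned for that issuer (no chain needed).
    cert = assertion.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None:
        return None, "token is not signed"
    thumb = hashlib.sha1(base64.b64decode("".join(cert.text.split()))).hexdigest().upper()
    if thumb not in trust["thumbprints"]:
        return None, "signing certificate %s is not pinned for this issuer" % thumb
    # 3. Validity window, allowing a little clock skew between STS and application.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return None, "token has no Conditions"
    if now + skew < utc_time(cond.get("NotBefore")) or now - skew >= utc_time(cond.get("NotOnOrAfter")):
        return None, "token outside its validity window"
    # 4. Audience: the token must have been crafted for this application.
    audiences = [a.text.strip() for a in cond.iterfind("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if app_realm not in audiences:
        return None, "token was crafted for %s, not for this application" % audiences
    # Only now are the claims read; SAML 1.1 splits the claim type into namespace + name.
    claims = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        claim_type = attr.get("AttributeNamespace").rstrip("/") + "/" + attr.get("AttributeName")
        claims.setdefault(claim_type, []).extend(v.text for v in attr.iterfind("saml:AttributeValue", NS))
    return claims, None


if __name__ == "__main__":
    during_demo = utc_time("2010-11-09T10:30:00Z")
    claims, reason = process_token(SAMPLE_WRESULT, TRUST, APP_REALM, during_demo)
    print(reason or claims)
    print(process_token(SAMPLE_WRESULT, TRUST, "https://app2.contoso.com/", during_demo)[1])
```

The order matters: issuer and signing key first, so that nothing later is trusted before the token's origin is; the audience check last but before any claim is read, so a token replayed from another relying party is rejected even though it is genuinely issued by your STS.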
X.509 Certificates
Trust is managed through certificates
Certificates are needed for HTTPS communications and for security token signing and encryption
A and B: the HTTPS (service communication) certificates of the relying party and the issuer
C: the issuer's token-signing certificate; the relying party holds the public key of C to verify the signature on the ST
D: the relying party's token-encryption certificate; the issuer holds the public key of D to encrypt the ST for that relying party
Require PKI for the A & B certificates: browsers and clients validate them up to the root for A and the root for B
C & D can be self-signed: their public keys are exchanged directly between the two parties (manually or through federation metadata), so each side trusts that specific key rather than a certificate chain
Federation Metadata
During the establishment of the issuer / relying party trust, both parties require configuration, which includes
End-points for communication
Claims offered by the issuer
Claims accepted by the relying party
Public keys for signing and encryption
This information can be configured manually or automatically via the exchange of federation metadata
Federation metadata can be automatically updated
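The relying party's half of that exchange, as an added example that is not code from the presentation: it parses the metadata an AD FS 2.0 issuer publishes (SAML 2.0 metadata with the WS-Federation extensions, the format of FederationMetadata.xml, which AD FS serves at /FederationMetadata/2007-06/FederationMetadata.xml) and pins the items listed above: the issuer identifier, the passive sign-in endpoint, the claim types offered and the thumbprints of the token-signing certificates. The metadata below is a constructed fragment with contoso.com host names and 4-byte placeholders in place of real certificates; the element structure follows the published schemas.

```python
"""Relying-party side of a federation metadata exchange (added example).

SAMPLE_METADATA is a constructed fragment: contoso.com host names and 4-byte
placeholders where real DER certificates would be. Its structure follows the
SAML 2.0 metadata / WS-Federation schema that AD FS 2.0 publishes.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sts1.contoso.com/adfs/services/trust">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIBaQ==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIBag==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:ClaimTypesOffered>
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
          Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" Optional="true">
        <auth:DisplayName>UPN</auth:DisplayName>
      </auth:ClaimType>
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
          Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true">
        <auth:DisplayName>Role</auth:DisplayName>
      </auth:ClaimType>
    </fed:ClaimTypesOffered>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://sts1.contoso.com/adfs/ls/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
"""


def metadata_url_is_safe(url):
    """Metadata carries the keys that bootstrap the trust, so it must be fetched
    over HTTPS (the A/B certificates); over plain HTTP an attacker on the path
    could substitute their own signing key."""
    return urlsplit(url).scheme == "https"


def parse_federation_metadata(xml_text):
    root = ET.fromstring(xml_text)
    info = {"entity_id": root.get("entityID"), "passive_endpoint": None,
            "claims_offered": [], "signing_certs": [], "encryption_certs": []}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        for cert_el in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert_el.text.split()))
            entry = {"der": der, "thumbprint": hashlib.sha1(der).hexdigest().upper()}
            use = kd.get("use")
            # Per the SAML metadata schema, a KeyDescriptor without 'use' serves both purposes.
            if use in (None, "signing"):
                info["signing_certs"].append(entry)
            if use in (None, "encryption"):
                info["encryption_certs"].append(entry)
    for ct in root.iterfind(".//fed:ClaimTypesOffered/auth:ClaimType", NS):
        name_el = ct.find("auth:DisplayName", NS)
        info["claims_offered"].append((ct.get("Uri"), name_el.text if name_el is not None else ""))
    addr = root.find(".//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
    if addr is not None:
        info["passive_endpoint"] = addr.text.strip()
    return info


def pin_issuer(info):
    """Turn parsed metadata into the relying party's trust record. Token
    signatures are later checked against these thumbprints, not against a
    chain to a public root, which is why the signing certificate can be self-signed."""
    if not info["signing_certs"]:
        raise ValueError("issuer metadata offers no token-signing certificate")
    return {
        "issuer": info["entity_id"],
        "sign_in_url": info["passive_endpoint"],
        "trusted_thumbprints": {c["thumbprint"] for c in info["signing_certs"]},
        "claim_types": {uri for uri, _ in info["claims_offered"]},
    }


if __name__ == "__main__":
    url = "https://sts1.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml"
    if not metadata_url_is_safe(url):
        raise SystemExit("refusing to bootstrap trust from a non-HTTPS metadata URL")
    for key, value in pin_issuer(parse_federation_metadata(SAMPLE_METADATA)).items():
        print(key, value)
```

When metadata is refreshed automatically, the same parser runs again; a new signing certificate simply becomes an additional pinned thumbprint, which is how the issuer can roll its token-signing key without the relying party breaking.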
Installing ADFS
Requires Windows Server 2008 / 2008 R2
Requires IIS 7, .NET 3.5 SP1 and WIF; see the deployment guide for required hot fixes and updates
Issue and install server certificates for HTTPS
Download and install ADFS 2.0
Simple wizard: new / farm member / proxy; SSL certificate
More details later
Configuration
Relationships between APP1 and STS1 are established through the exchange of federation metadata (they can also be manually configured)
On STS1 (ADFS 2.0): define Active Directory as a claims provider; define APP1 as a relying party
On APP1 (the claims-aware application): define STS1 as its claims provider
Demo: Configuring WSS 3.0 as a relying party
Requirements
SharePoint Services SP2 or Microsoft Office SharePoint Server (MOSS) 2007 SP2
Microsoft Federation Extensions for SharePoint 3.0
Processing Claims Rules
Claims Pipeline
Claims Provider Trusts (e.g. AD): Acceptance Transform rules specify the incoming claims that will be accepted from the claims provider and passed to the pipeline
Relying Party Trusts: Issuance Authorization rules specify the users that are permitted to access the relying party (Permit or Deny), and Issuance Transform rules specify the claims that will be sent to the relying party in the ST
Permit: the issuance transform rules run and the resulting claims are sent to the relying party
Deny: not processed; no token is issued
Claim Rules
Rule templates simplify the creation of rules. Examples of rules are:
Permit / deny a user based on an incoming claim value
Transform the incoming claim value
Pass through / filter an incoming claim
Multiple claim rules can be specified and are processed in top to bottom order
Results from previously processed claims can be used as the input for subsequent rules
Creating Rules
A claim rule consists of two parts: a condition and an issuance statement
Custom Claims
Capabilities of custom rules include
Sending claims from a SQL attribute store
Sending claims from an LDAP attribute store using a custom LDAP filter
Sending claims from a custom attribute store
Sending claims only when 2 or more incoming claims are met
Sending claims only when an incoming claim matches a complex value
Sending claims with complex changes to an incoming claim value
Creating claims for use in later rules
Claim Rule Language
The claim rule language has the form: Condition => Issuance Statement;
Pass through all role claims:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"]
 => issue(claim = c);
Change the value of the role claim SalesStaff to Purchasers:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value =~ "^(?i)SalesStaff$"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = "Purchasers", ValueType = c.ValueType);
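The claims pipeline and the two rules above, modelled as an added example that is not code from the presentation. It implements the rule language semantics described in this section (condition => issuance; rules evaluated top to bottom; the output of earlier rules available as input to later ones) and runs the three rule sets in pipeline order: acceptance transform rules on the claims provider trust, then issuance authorization rules and issuance transform rules on the relying party trust. AD FS authorization rules genuinely work by issuing the permit and deny claim types used below; the users, the department claim type and the rule choices are constructed for the example.

```python
"""AD FS 2.0 claims pipeline in miniature (added example).

ALICE, BOB and CAROL are constructed incoming claim sets; DEPARTMENT is an
assumed custom claim type. The permit / deny claim types are the ones AD FS
issuance authorization rules really issue.
"""
import re
from dataclasses import dataclass, replace
from typing import Callable, List, Optional

XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
DEPARTMENT = "http://contoso.com/claims/department"  # assumed custom claim type
PERMIT = "http://schemas.microsoft.com/authorization/claims/permit"
DENY = "http://schemas.microsoft.com/authorization/claims/deny"


@dataclass(frozen=True)
class Claim:
    type: str
    value: str
    value_type: str = XS_STRING
    issuer: str = "AD AUTHORITY"
    original_issuer: str = "AD AUTHORITY"


@dataclass
class Rule:
    """condition => issuance. A rule without a condition fires once (e.g. 'permit all users')."""
    issue: Callable[[Optional[Claim]], Claim]
    condition: Optional[Callable[[Claim], bool]] = None


def run_rules(rules: List[Rule], incoming: List[Claim]) -> List[Claim]:
    """Rules run top to bottom; each rule sees the incoming claims plus what earlier rules issued."""
    inputs = list(dict.fromkeys(incoming))  # ordered, duplicates removed
    output: List[Claim] = []
    for rule in rules:
        if rule.condition is None:
            issued = [rule.issue(None)]
        else:
            issued = [rule.issue(c) for c in inputs if rule.condition(c)]
        for c in issued:
            if c not in output:
                output.append(c)
            if c not in inputs:
                inputs.append(c)  # available to the rules that follow
    return output


# c:[Type == ROLE] => issue(claim = c);
pass_through_roles = Rule(condition=lambda c: c.type == ROLE, issue=lambda c: c)

# c:[Type == ROLE, Value =~ "^(?i)SalesStaff$"] => issue(Type = ROLE, Value = "Purchasers", Issuer = c.Issuer, ...);
# Python's re rejects the .NET placement of (?i) after ^, so the flag is passed explicitly.
sales_staff_pattern = re.compile(r"SalesStaff", re.IGNORECASE)
rename_sales_staff = Rule(
    condition=lambda c: c.type == ROLE and sales_staff_pattern.fullmatch(c.value) is not None,
    issue=lambda c: replace(c, value="Purchasers"),  # keeps Issuer, OriginalIssuer and ValueType
)

# Acceptance transform rules (claims provider trust): pass UPN and role from AD, filter everything else.
acceptance_rules = [Rule(condition=lambda c: c.type in (UPN, ROLE), issue=lambda c: c)]

# Issuance authorization rules (relying party trust): any deny wins; no permit means no token.
authorization_rules = [
    Rule(condition=lambda c: c.type == ROLE and c.value.casefold() in ("salesstaff", "managers"),
         issue=lambda c: Claim(PERMIT, "true")),
    Rule(condition=lambda c: c.type == ROLE and c.value.casefold() == "contractors",
         issue=lambda c: Claim(DENY, "true")),
]

# Issuance transform rules (relying party trust), in the order shown on the slide.
issuance_rules = [
    Rule(condition=lambda c: c.type == UPN, issue=lambda c: c),
    pass_through_roles,
    rename_sales_staff,
]


def issue_token(incoming: List[Claim]) -> Optional[List[Claim]]:
    accepted = run_rules(acceptance_rules, incoming)
    decision = run_rules(authorization_rules, accepted)
    if any(c.type == DENY for c in decision) or not any(c.type == PERMIT for c in decision):
        return None  # processing ends; no ST for the relying party
    return run_rules(issuance_rules, accepted)


def roles_in(token: List[Claim]) -> List[str]:
    return sorted(c.value for c in token if c.type == ROLE)


ALICE = [Claim(UPN, "alice@contoso.com"), Claim(ROLE, "salesstaff"), Claim(DEPARTMENT, "Sales")]
BOB = [Claim(UPN, "bob@contoso.com"), Claim(ROLE, "SalesStaff"), Claim(ROLE, "Contractors")]
CAROL = [Claim(UPN, "carol@contoso.com"), Claim(ROLE, "Finance")]

if __name__ == "__main__":
    for name, claims in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        token = issue_token(claims)
        print(name, "denied" if token is None else [(c.type.rsplit("/", 1)[1], c.value) for c in token])
```

Because the pass-through rule precedes the rename rule, Alice's token carries both the original role and Purchasers; put a filter ahead of the pass-through, or swap the order and filter the original value, if the relying party should see only the renamed claim. Bob is denied although he holds a permitted role, since a deny claim overrides any permit, and Carol is denied because no rule issued a permit.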
Demo: Creating rules to allow access to SharePoint
How do we Let Partners in?
So far we have looked at supporting claims aware apps within your organization
Creating an identity (includes authentication) framework that can be consumed by all applications regardless of their location
Allowing the identity token to carry more information than just the user and group memberships
To allow partners to access our systems we must trust them to authenticate their users
Federated Identity
Your STS now trusts your partner to provide a security token containing claims for their users
Your STS is no longer responsible for identifying the user but still processes the claims from the partner as previously described
Claims Trust
Your organization: Relying Party x has a relying party trust with your ADFS STS; your ADFS STS has a claims (provider) trust with the partner ADFS STS & IP
Partner organization: the partner ADFS STS & IP holds a relying party trust for your ADFS STS
Summary
The partner user's client requests a token for access to Relying Party x
Your organization's ADFS (STS):
The ST from the partner STS is accepted because the partner STS is trusted (claims trust)
Processes the acceptance transform rules
Processes the issuance authorization rules
If allowed, processes the issuance transform rules and returns a token for Relying Party x
If denied, processing ends
Remember the Benefits
Claims provide a framework that can be consumed by all applications regardless of their location
Allows the identity token to carry more information than just the user and group memberships
Your trusted partners manage the identity and authentication of their users
The solution is based on industry standard protocols
Works for browsers and web services
What Next?
Build a test lab and try the Microsoft ADFS step-by-step guides
How To Set Up The AD FS 2.0 Lab Environment for Federated Collaboration
Hyper-V images available for download
Federated Document Collaboration Using Microsoft Office SharePoint Server 2007 and AD FS 2.0
Read the ADFS Design and Deployment guides
Read AD FS blogs
More on ADFS and Federation
XTSeminars one-day event: Federation and Federated [email protected] for more information
Get your local Microsoft subsidiary to run the event!
Consulting Services on Request
John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high-availability. He has been a key player in many IT projects for industry leaders, including Microsoft, the UK Government and multi-nationals that require optimized IT systems. He has developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory internals, and presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars. www.xtseminars.co.uk
Related Content
SIM401 | Active Directory Federation Services 2.0 Deep Dive: Deploying a Highly Available Infrastructure
OSP308 | Claims Identity in Microsoft SharePoint 2010
MID342-HOL | Use the Windows Azure AppFabric Access Control Service to Federate with Multiple Business Identity Providers
SIM399-HOL | Managing Claims Authentication Using Microsoft Forefront Identity Manager 2010
SIM377-INT | Claims-Based Identity