SIM402 Active Directory Federation Services, Part 1: How Do They Really Work?
John Craddock (john.craddock@xtseminars.co.uk)
Infrastructure and Security Architect, XTSeminars Ltd
Application Authentication
• Within your environment, Windows Authentication provides single sign-on for all applications
• Windows Authentication provides details of the authenticated user and group membership
Developer Challenges
• If the developer wants Active Directory held information about the user, it requires attribute value extraction
• Developer must understand AD
• Hardcoded LDAP query strings
• Continual reinvention of the wheel
• Kerberos, NTLM, Basic, Digest, Forms?
Access from the Internet
• Without a VPN, DirectAccess or authentication proxy solution, Kerberos fails
• Requires developers to use a different authentication model
Application in the Cloud
• How do we handle authentication if we move an enterprise application to the Cloud?
• The Microsoft BPOS dedicated service co-locates the organisation's AD directory
• Your DCs are hosted in the Microsoft datacentre
Allowing Access by Partners
[Diagram: partner organization and your organization]
• Requires YOU to hold account and profile details for all of your partner's users that need to access the application
• YOU must manage the life-cycle of those users
• Does your partner keep you informed of changes?
• The partner's users need to remember yet another password
The Answer
• Create an identity (includes authentication) framework that can be consumed by all applications regardless of their location
• Allow an identity token to carry more information than just the user and group memberships
• Trust your partners to authenticate their users
• Solution based on industry standard protocols
• Make it work for browsers and web services
The Solution
• Many players in the game…
• Microsoft solution: Active Directory Federation Services
• The latest release: AD FS v2.0
Federation of Identity
Key Concepts
[Diagram: the user (subject/principal) authenticates to the Issuer, an Identity Provider (IP) Security Token Service (STS) backed by Active Directory, and requests a token for AppX; the issuer issues a security token (ST) crafted for AppX and signed by the issuer; AppX, the relying party (RP) or resource provider, trusts the security token from the issuer, and the token "authenticates" the user to the application]
The Security Token contains claims about the user, for example:
• Name
• Group membership
• User Principal Name (UPN)
• Email address of user
• Email address of manager
• Phone number
• Other attribute values
Claims-Aware Application
• The application makes authorization decisions based on the claims contained in the security token
• No longer required to make authentication decisions
• Same authorisation logic for an application deployed on the intranet or as a Cloud service
• Receiving claims from its own organization's users or users from trusted partners
Building Claims-Aware Applications
• Windows Identity Foundation (WIF) provides a common programming model for claims
  • Used by Windows Communication Foundation (WCF) and ASP.NET applications
  • Validates the incoming security token and parses the claims that are inside
• SharePoint Services and SharePoint 2010 can be enabled to support claims-based identity
  • Configured via wizard and PowerShell
Standards and Protocols
• AD FS v2.0 supports both active and passive clients
  • Active clients interact via web services
  • Passive clients interact via browser requests
• Support for industry standard protocols allows interoperability with third-party solutions
  • WS-Federation (SharePoint requires WS-Federation v2)
  • WS-Trust
  • SAML: refers to both a format for the security token and a protocol (SAML-P)
  • SAML 1.1 and 2.0 tokens can be transported by WS-*
Passive Client
[Diagram: claims-aware app, AD FS STS and Active Directory; the app trusts the STS. Sequence for our user: browse app; not authenticated; redirected to STS; authenticate (the STS queries AD for user attributes); return security token (ST); send token to the app; return cookies and page]
Working with Partners
[Diagram: Active Directory, your AD FS STS, partner AD FS STS & IP, your claims-aware app; the app trusts your STS and your STS trusts your partner's STS. Sequence for a partner user: browse app; not authenticated; redirect to your STS; home realm discovery; redirected to partner STS requesting an ST for the partner user; authenticate; return ST for consumption by your STS; redirected to your STS; process token; return new ST; send token to the app; return cookies and page]
X.509 Certificates
[Diagram: relying party and issuer; A and B are the HTTPS communication certificates of the two sides, each chaining to its own root; C is the issuer's token-signing certificate, whose public key the relying party holds; D is the relying party's token-encryption certificate, whose public key the issuer holds; the ST is signed with C and encrypted to D]
• Trust is managed through certificates
• Certificates for:
  • HTTPS communications
  • Security token signing and encryption
• Require PKI for A & B certificates; C & D can be self-signed
Federation Metadata
• During the establishment of the issuer / relying party trust, both parties will require configuration which includes:
  • End-points for communication
  • Claims offered by the issuer
  • Claims accepted by the relying party
  • Public keys for signing and encryption
• This information can be configured manually or automatically via the exchange of federation metadata
• Federation metadata can be automatically updated
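The slide lists what federation metadata carries; the parser below, an added example that is not from the deck or from AD FS, shows the shape of that document by pulling the issuer identifier, the public keys by use, the claim types offered and the passive sign-in endpoint out of a constructed WS-Federation metadata file. The element and namespace names are the standard SAML 2.0 metadata and WS-Federation ones; the entityID, hostnames and certificate bodies are made up. Parsing says nothing about whether the keys should be trusted: that comes from how the metadata was obtained (over HTTPS from the partner's published URL, or its own XML signature checked), which this example does not do.

```python
import xml.etree.ElementTree as ET

# Standard namespaces used in AD FS federation metadata.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed metadata for a fictitious STS1.  The certificate bodies are
# placeholders, not real base64-encoded DER.
SAMPLE_METADATA = """
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sts1.contoso.example/adfs/services/trust">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>PLACEHOLDER-SIGNING-CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>PLACEHOLDER-ENCRYPTION-CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:ClaimTypesOffered xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" Optional="true">
        <auth:DisplayName>UPN</auth:DisplayName>
      </auth:ClaimType>
      <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true">
        <auth:DisplayName>Role</auth:DisplayName>
      </auth:ClaimType>
    </fed:ClaimTypesOffered>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://sts1.contoso.example/adfs/ls/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
"""


def parse_federation_metadata(xml_text):
    """Extract what a relying party needs when configuring the trust by hand:
    issuer identifier, public keys by use, claim types offered, passive endpoints."""
    root = ET.fromstring(xml_text)
    keys = {}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        # In SAML metadata a KeyDescriptor without 'use' may serve both purposes.
        use = kd.get("use") or "both"
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            keys.setdefault(use, []).append("".join(cert.text.split()))
    claims = [ct.get("Uri") for ct in root.iterfind(".//fed:ClaimTypesOffered/auth:ClaimType", NS)]
    endpoints = [
        a.text.strip()
        for a in root.iterfind(".//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
    ]
    return {
        "entity_id": root.get("entityID"),
        "keys": keys,
        "claims_offered": claims,
        "passive_endpoints": endpoints,
    }


def missing_claims(offered, required):
    """Claim types the relying party needs that the issuer does not offer;
    a non-empty result means the trust needs extra rules or is misconfigured."""
    offered = set(offered)
    return [c for c in required if c not in offered]


if __name__ == "__main__":
    info = parse_federation_metadata(SAMPLE_METADATA)
    print(info["entity_id"], info["passive_endpoints"])
    print(missing_claims(info["claims_offered"],
                         ["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]))
```

The `missing_claims` check is the practical use of the "claims offered / claims accepted" pairing on the slide: compare the issuer's offered list against what the application's authorization logic will ask for before going live, rather than discovering the gap as an access failure.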
Installing ADFS
• Requires Windows Server 2008 / 2008 R2
• Requires IIS 7, .NET 3.5 SP1, WIF
• See deployment guide for required hot fixes and updates
• Issue and install server certificates for HTTPS
• Download and install ADFS 2.0
  • Simple wizard
  • New / farm member / Proxy – SSL cert
• More details later
Configuration
[Diagram: Active Directory, AD FS 2.0 (STS1) and claims-aware application APP1; define AD as claims provider on STS1; define STS1 as claims provider on APP1; define APP1 as relying party on STS1]
• Relationships between APP1 and STS1 established through the exchange of federation metadata
• Can be manually configured
Requirements
• SharePoint Services SP2 or Microsoft Office SharePoint Server (MOSS) 2007 SP2
• Microsoft Federation Extensions for SharePoint 3.0
Processing Claims Rules
[Diagram: the claims pipeline sits between the Claims Provider Trusts (AD) and the Relying Party Trusts (RP); an ST enters from the claims provider and a new ST leaves for the relying party]
• Acceptance Transform rules (claims provider trust): specify incoming claims that will be accepted from the claims provider and passed to the pipeline
• Issuance Authorization rules (relying party trust): specify the users that are permitted to access the relying party; the result is Permit or Deny
• Issuance Transform rules (relying party trust): on Permit, specify the claims that will be sent to the relying party; on Deny, not processed
Claim Rules
• Rule templates simplify the creation of rules
• Examples of rules are:
  • Permit / deny user based on incoming claim value
  • Transform the incoming claim value
  • Pass through / filter an incoming claim
• Multiple claim rules can be specified and are processed in top to bottom order
• Results from previously processed claims can be used as the input for subsequent rules
Creating Rules
• A claim rule consists of two parts: condition and issuance statement
Custom Claims
• Capabilities of custom rules include:
  • Sending claims from a SQL attribute store
  • Sending claims from an LDAP attribute store using a custom LDAP filter
  • Sending claims from a custom attribute store
  • Sending claims only when 2 or more incoming claims are met
  • Sending claims only when an incoming claim matches a complex value
  • Sending claims with complex changes to an incoming claim value
  • Creating claims for use in later rules
Claim Rule Language
• The claim rule language consists of: Condition => Issuance Statement
• Pass through all role claims:
  c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"]
  => issue(claim = c);
• Change the value of the role claim SalesStaff to Purchasers:
  c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value =~ "^(?i)SalesStaff$"]
  => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = "Purchasers", ValueType = c.ValueType);
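To make the pipeline from the "Processing Claims Rules" slide and the two rules on this slide concrete, here is an added Python model of it; it is not AD FS code and not from the deck. Rules are small functions standing in for the claim rule language: the pass-through and the SalesStaff-to-Purchasers transform are the two rules shown above, and the permit/deny rules emit the standard AD FS authorization claims. The claim type URIs are the real ones (the role claim type is the one the slide refers to; note the standard URI reads `schemas.microsoft.com`). Rule sets run top to bottom and an issued claim is fed back into the input set, as the "Claim Rules" slide describes; a Deny, or the absence of a Permit, ends processing with no token. Everything else (user names, the "Contractors" role, the rule configuration) is constructed for the example.

```python
import re
from dataclasses import dataclass

# Standard AD FS claim types; PERMIT and DENY are the claims that issuance
# authorization rules emit.
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
PERMIT = "http://schemas.microsoft.com/authorization/claims/permit"
DENY = "http://schemas.microsoft.com/authorization/claims/deny"


@dataclass(frozen=True)
class Claim:
    type: str
    value: str
    issuer: str = "AD AUTHORITY"
    original_issuer: str = "AD AUTHORITY"


def pass_through(claim_type):
    # c:[Type == claim_type] => issue(claim = c);
    return lambda claims: [c for c in claims if c.type == claim_type]


def transform(claim_type, pattern, new_value):
    # c:[Type == claim_type, Value =~ pattern]
    #   => issue(Type = claim_type, Issuer = c.Issuer,
    #            OriginalIssuer = c.OriginalIssuer, Value = new_value);
    # Python's re requires the (?i) flag at the very start, so the slide's
    # "^(?i)SalesStaff$" is written "(?i)^SalesStaff$" below.
    rx = re.compile(pattern)
    return lambda claims: [
        Claim(c.type, new_value, c.issuer, c.original_issuer)
        for c in claims if c.type == claim_type and rx.search(c.value)
    ]


def decide(result_type, claim_type=None, pattern=None):
    # Issuance authorization rule: emit a permit or deny claim, either for
    # everyone (no condition) or only when a matching input claim exists.
    rx = re.compile(pattern) if pattern else None

    def rule(claims):
        if rx is None or any(c.type == claim_type and rx.search(c.value) for c in claims):
            return [Claim(result_type, "true", "SELF AUTHORITY", "SELF AUTHORITY")]
        return []
    return rule


def run_rule_set(rules, incoming):
    """Evaluate one rule set top to bottom.  An issued claim goes to the output
    set and back into the input set, so later rules can match on it."""
    inputs, outputs = list(incoming), []
    for rule in rules:
        for c in rule(list(inputs)):
            if c not in outputs:
                outputs.append(c)
            if c not in inputs:
                inputs.append(c)
    return outputs


def issue_token(incoming, acceptance_rules, authorization_rules, issuance_rules):
    """Acceptance transform (claims provider trust) -> issuance authorization ->
    issuance transform (relying party trust).  Returns the outgoing claims, or
    None when access is denied."""
    accepted = run_rule_set(acceptance_rules, incoming)
    decisions = run_rule_set(authorization_rules, accepted)
    if any(c.type == DENY for c in decisions) or not any(c.type == PERMIT for c in decisions):
        return None  # deny wins, and no permit means no token either
    return run_rule_set(issuance_rules, accepted)


# Constructed configuration: an AD claims provider trust and one relying party.
ACCEPTANCE_RULES = [pass_through(UPN), pass_through(ROLE)]  # email never enters the pipeline
AUTHORIZATION_RULES = [decide(DENY, ROLE, r"(?i)^Contractors$"), decide(PERMIT)]
ISSUANCE_RULES = [pass_through(UPN), transform(ROLE, r"(?i)^SalesStaff$", "Purchasers")]


def demo():
    """Two constructed users: alice is in SalesStaff, bob is a Contractor."""
    alice = [Claim(UPN, "alice@contoso.example"), Claim(ROLE, "SalesStaff"),
             Claim(EMAIL, "alice@contoso.example")]
    bob = [Claim(UPN, "bob@contoso.example"), Claim(ROLE, "Contractors")]
    return (issue_token(alice, ACCEPTANCE_RULES, AUTHORIZATION_RULES, ISSUANCE_RULES),
            issue_token(bob, ACCEPTANCE_RULES, AUTHORIZATION_RULES, ISSUANCE_RULES))


if __name__ == "__main__":
    for token in demo():
        print(token)
```

Two things the run makes visible that the slides only state: the email claim is absent from alice's outgoing token because the acceptance rules never let it into the pipeline, and bob gets no token at all even though the unconditional permit rule also fired, because a deny claim takes precedence.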
How do we Let Partners in?
• So far we have looked at supporting claims-aware apps within your organization
  • Creating an identity (includes authentication) framework that can be consumed by all applications regardless of their location
  • Allowing the identity token to carry more information than just the user and group memberships
• To allow partners to access our systems we must trust them to authenticate their users
Federated Identity
[Diagram: partner organization and your organization; the partner AD FS STS & IP and your AD FS STS are linked by a claims trust on your side and a relying party trust on the partner's side, and your STS holds a relying party trust for Relying Party x]
• Your STS now trusts your partner to provide a security token containing claims for their users
• Your STS is no longer responsible for identifying the user but still processes the claims from the partner as previously described
Summary
[Diagram: a partner user presents an ST from the trusted partner (claims trust) to your organization's AD FS Security Token Service (STS), requesting a token for access to Relying Party x (relying party trust). The STS processes the Acceptance Transform rules, then the Issuance Authorization rules; if denied, processing ends; if allowed, it processes the Issuance rules and returns a token for Relying Party x]
Passive Client
[Diagram: Active Directory, your AD FS STS, partner AD FS STS & IP, your claims-aware app. Sequence for a partner user: browse app; not authenticated; redirect to your STS; home realm discovery; redirected to partner STS requesting an ST for the partner user; authenticate; return ST for consumption by your STS; redirected to your STS; process token; return new ST; send token to the app; return page and cookie]
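The redirect chain on this slide and on the earlier "Passive Client" and "Working with Partners" slides is easy to lose track of, so here is an added simulation of it; it is not from the deck and not AD FS code. The WS-Federation query parameters (`wa`, `wtrealm`, `wctx`, `whr`) are the real passive sign-in parameters; the hostnames, the user accounts and the trust tables are constructed, tokens are plain dicts, and the issuer name stands in for the XML signature that a real STS or application would verify against the issuer's certificate. For simplicity a party's realm identifier and its endpoint URL are collapsed into one string. The point the code makes is the trust arrows: the app accepts a token only from your STS and only if addressed to it, and your STS accepts a partner token only from a trusted claims provider and only if addressed to your STS.

```python
from urllib.parse import urlencode

# Constructed endpoints; the hostnames are made up.
APP = "https://app1.contoso.example/"
YOUR_STS = "https://sts.contoso.example/adfs/ls/"
PARTNER_STS = "https://sts.partner.example/adfs/ls/"

# The trust arrows from the diagram: the app trusts exactly one issuer, and
# your STS trusts the partner STS as the claims provider for the partner realm.
RELYING_PARTY_TRUST = {APP: YOUR_STS}
CLAIMS_PROVIDER_TRUSTS = {"partner.example": PARTNER_STS}
# Accounts each identity provider can authenticate against its own AD.
ACCOUNTS = {PARTNER_STS: {"bob@partner.example"}, YOUR_STS: {"alice@contoso.example"}}


class TrustError(Exception):
    pass


def signin_redirect(sts_url, wtrealm, wctx, whr=None):
    """Build the WS-Federation passive sign-in redirect a relying party issues."""
    params = {"wa": "wsignin1.0", "wtrealm": wtrealm, "wctx": wctx}
    if whr:
        params["whr"] = whr  # home realm hint: skips the home realm discovery page
    return sts_url + "?" + urlencode(params)


def authenticate(sts_url, upn, wtrealm):
    """IP-STS step: the user's home STS authenticates them and issues a token
    addressed to wtrealm ('issuer' stands in for the signature)."""
    if upn not in ACCOUNTS.get(sts_url, set()):
        raise TrustError(f"{sts_url} cannot authenticate {upn}")
    return {"issuer": sts_url, "audience": wtrealm, "claims": {"upn": upn}}


def federate(partner_token, wtrealm):
    """Your STS: accept a partner token only from a trusted claims provider and
    only if it was issued to this STS, then issue a new token for the app."""
    if partner_token["issuer"] not in CLAIMS_PROVIDER_TRUSTS.values():
        raise TrustError("token from an untrusted claims provider")
    if partner_token["audience"] != YOUR_STS:
        raise TrustError("token was not issued to this STS")
    return {"issuer": YOUR_STS, "audience": wtrealm, "claims": dict(partner_token["claims"])}


def app_accepts(app_url, token):
    """Relying party check: the one issuer it trusts, and addressed to this app."""
    return token["issuer"] == RELYING_PARTY_TRUST[app_url] and token["audience"] == app_url


def browse(app_url, upn, page="/reports"):
    """Run the redirect chain for one user; returns (hops, final token)."""
    hops = []
    realm = upn.rsplit("@", 1)[1]
    hop1 = signin_redirect(YOUR_STS, wtrealm=app_url, wctx=page)  # app -> your STS
    hops.append(hop1)
    if realm in CLAIMS_PROVIDER_TRUSTS:  # home realm discovery picks the partner
        partner = CLAIMS_PROVIDER_TRUSTS[realm]
        # wctx here is opaque state; the original redirect is reused for simplicity.
        hops.append(signin_redirect(partner, wtrealm=YOUR_STS, wctx=hop1, whr=realm))
        partner_token = authenticate(partner, upn, YOUR_STS)  # partner authenticates
        token = federate(partner_token, app_url)              # your STS re-issues
    else:
        token = authenticate(YOUR_STS, upn, app_url)          # one of your own users
    hops.append(app_url + page)                               # token posted back to the app
    if not app_accepts(app_url, token):
        raise TrustError("app rejected the token")
    return hops, token


def sign_in_fails(app_url, upn):
    """True when the chain ends in a TrustError, i.e. no token reaches the app."""
    try:
        browse(app_url, upn)
    except TrustError:
        return True
    return False


if __name__ == "__main__":
    for hop in browse(APP, "bob@partner.example")[0]:
        print(hop)
```

Note what `app_accepts` rejects: the partner's own token, even though it is perfectly valid, is addressed to your STS and signed by an issuer the app has never been told about, so it is useless against the app directly. That is the practical meaning of "your STS trusts your partner's STS" being a separate relationship from "the app trusts your STS".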
Remember the Benefits
• Claims provide a framework that can be consumed by all applications regardless of their location
• Allows the identity token to carry more information than just the user and group memberships
• Your trusted partners manage the identity and authentication of their users
• The solution is based on industry standard protocols
• Works for browsers and web services
What Next?
• Build a test lab and try the Microsoft ADFS step-by-step guides
  • How To Set Up The AD FS 2.0 Lab Environment for Federated Collaboration (Hyper-V images available for download)
  • Federated Document Collaboration Using Microsoft Office SharePoint Server 2007 and AD FS 2.0
• Read the ADFS Design and Deployment guides
• Read AD FS blogs
More on ADFS and Federation
• XTSeminars one-day event: Federation and Federated Identity
• info@xtseminars.co.uk for more information
• Get your local Microsoft subsidiary to run the event!
Consulting Services on Request
John.craddock@xtseminars.co.uk
John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high availability. He has been a key player in many IT projects for industry leaders including Microsoft, the UK Government and multi-nationals that require optimized IT systems. He has developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory internals, and presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars.
www.xtseminars.co.uk
Related Content
• SIM401 | Active Directory Federation Services 2.0 Deep Dive: Deploying a Highly Available Infrastructure
• OSP308 | Claims Identity in Microsoft SharePoint 2010
• MID342-HOL | Use the Windows Azure AppFabric Access Control Service to Federate with Multiple Business Identity Providers
• SIM399-HOL | Managing Claims Authentication Using Microsoft Forefront Identity Manager 2010
• SIM377-INT | Claims-Based Identity
Track Resources
• Don't forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward.
• You can also find the latest information about our products at the following links:
  • Cloud Power - http://www.microsoft.com/cloud/
  • Private Cloud - http://www.microsoft.com/privatecloud/
  • Windows Server - http://www.microsoft.com/windowsserver/
  • Windows Azure - http://www.microsoft.com/windowsazure/
  • Microsoft System Center - http://www.microsoft.com/systemcenter/
  • Microsoft Forefront - http://www.microsoft.com/forefront/
Resources
• Connect. Share. Discuss. http://northamerica.msteched.com
• Learning
  • Sessions On-Demand & Community - www.microsoft.com/teched
  • Microsoft Certification & Training Resources - www.microsoft.com/learning
• Resources for IT Professionals - http://microsoft.com/technet
• Resources for Developers - http://microsoft.com/msdn