
Active Directory Federation Services 2.0 Overview


kasen

Presentation Transcript


  1. Active Directory Federation Services 2.0 Overview InCommon Service Provider Training

  2. What is it?
  • A SAML 2.0 implementation (both IdP and SP) from Microsoft
  • A WS-Federation implementation (Passive Requester profile)
  • An AD-based single sign-on system
  • Runs on Windows Server 2008 / 2008 R2 (AD FS 2.0 ships as a separate download; the in-box AD FS server role on those versions is the older 1.x)

  3. Some Terminology…
  • Security token – the (signed) assertion from the IdP.
  • Claim – a “claim” is just an attribute from the IdP’s assertion.
  • Claims Provider – the ADFS term for an IdP.
  • Relying Party – the ADFS term for an SP (a consumer of claims).
  • Claim Rules – instructions that tell ADFS how to deal with a “claim” or attribute. You can check attributes for compliance with certain policies (like scoped attributes) and you can transform attributes (from Shibboleth format to ADFS format, for example).
  • More:
  • http://technet.microsoft.com/en-us/library/adfs2-help-terminology(WS.10).aspx

  4. What can it do?
  • Act as an IdP (Claims Provider)
  • Act as an SP (Relying Party)
  • Seamlessly integrate with a growing list of apps:
  • SharePoint 2010:
  • http://blogs.msdn.com/b/spidentity/archive/2010/01/23/claims-based-authentication-cheat-sheet-part-2.aspx
  • Microsoft Unified Access Gateway (proxy):
  • http://technet.microsoft.com/en-us/library/gg470578.aspx
  • Citrix:
  • http://support.citrix.com/servlet/KbServlet/download/9932-102-15146/WI%20for%20ADFS%20FAQ.pdf
  • Interoperate with other SAML 2.0 solutions (like Shibboleth)

  5. What are the limitations?
  • Metadata support (no federation aggregates; see slide 7)
  • Certificate support (one encryption cert per trust, never shared between trusts; see slide 7)
  • WAYF/DS support (no OASIS Discovery Service profile; see slide 15)
  • Forced Authentication support
  • Other?

  6. Resources
  • ADFS Home:
  • http://technet.microsoft.com/en-us/windowsserver/dd448613.aspx
  • Using ADFS with Shibboleth and InCommon:
  • http://go.microsoft.com/fwlink/?LinkId=204784
  • More How-To Guides:
  • http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(WS.10).aspx
  • Claims Rule syntax:
  • http://technet.microsoft.com/en-us/library/dd807118(WS.10).aspx
  • Shibboleth wiki on ADFS interop:
  • https://spaces.internet2.edu/display/SHIB2/MicrosoftInterop

  7. Adding Shibboleth Claims Providers
  • ADFS can’t import a federation metadata aggregate
  • No support for <EntitiesDescriptor>; it only imports a single <EntityDescriptor>
  • This can be handled via script/app
  • Use PowerShell to import each entity into ADFS
  • Import one at a time
  • Must force only one encryption cert per entity
  • No other entity (claims provider or relying party) can use the same encryption cert; ADFS refuses the import otherwise
  • The Microsoft ADFS/InCommon doc has code for a python script
  • Dealing with multiple federations?
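The splitting step described above, as an added example that is not part of the original deck and is not the script from the Microsoft ADFS/InCommon document: it breaks an <EntitiesDescriptor> aggregate into per-entity <EntityDescriptor> documents, keeps exactly one encryption-capable key per entity, and refuses any entity whose encryption certificate is already bound to another entity, so the two certificate rules are enforced before anything is handed to ADFS. The role it exports defaults to claims providers (IDPSSODescriptor) and can be switched to relying parties (SPSSODescriptor). The federation name, entityIDs, endpoints and the base64 “certificates” in the sample aggregate are constructed placeholders, not real InCommon metadata or real X.509 certificates.

```python
"""Split a SAML federation aggregate into per-entity files for AD FS 2.0.

AD FS 2.0 imports one <EntityDescriptor> at a time, allows one encryption
certificate per trust, and refuses a certificate another trust already uses.
Example code; the sample aggregate and its certificates are constructed.
"""
import base64
import hashlib
import os
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)


def cert_fingerprint(cert_b64):
    """SHA-1 of the DER certificate, ignoring line wrapping in the metadata."""
    return hashlib.sha1(base64.b64decode("".join(cert_b64.split()))).hexdigest()


def normalize_encryption_keys(role_elem):
    """Leave exactly one encryption-capable <KeyDescriptor> on a role descriptor.

    A KeyDescriptor without a 'use' attribute serves signing and encryption, so
    the first such key (or the first use="encryption" key) is kept. Later
    dual-use keys are demoted to use="signing"; later encryption-only keys are
    removed. Returns the kept key's fingerprint, or None if there is none.
    """
    kept = None
    for kd in list(role_elem.findall(f"{{{MD}}}KeyDescriptor")):
        use = kd.get("use")
        if use == "signing":
            continue
        cert = kd.find(f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")
        if cert is None or not cert.text:
            continue
        if kept is None:
            kept = cert_fingerprint(cert.text)
        elif use is None:
            kd.set("use", "signing")
        else:
            role_elem.remove(kd)
    return kept


def split_aggregate(xml_text, role="IDPSSODescriptor"):
    """Return (ready, skipped): entityID -> XML text, and entityID -> reason."""
    root = ET.fromstring(xml_text)
    entities = [root] if root.tag == f"{{{MD}}}EntityDescriptor" \
        else root.findall(f".//{{{MD}}}EntityDescriptor")
    seen = {}  # encryption-cert fingerprint -> entityID that already owns it
    ready, skipped = {}, {}
    for ent in entities:
        entity_id = ent.get("entityID")
        role_elem = ent.find(f"{{{MD}}}{role}")
        if role_elem is None:
            skipped[entity_id] = "no " + role + ", not importable as this trust type"
            continue
        fp = normalize_encryption_keys(role_elem)
        if fp is not None and fp in seen:
            skipped[entity_id] = "encryption cert already bound to " + seen[fp]
            continue
        if fp is not None:
            seen[fp] = entity_id
        ready[entity_id] = ET.tostring(ent, encoding="unicode")
    return ready, skipped


def encryption_key_count(entity_xml, role="IDPSSODescriptor"):
    """How many encryption-capable keys an exported entity still carries."""
    kds = ET.fromstring(entity_xml).findall(f"{{{MD}}}{role}/{{{MD}}}KeyDescriptor")
    return sum(1 for kd in kds if kd.get("use") != "signing")


def write_entity_files(ready, outdir):
    """One file per entity, named from the entityID, for the PowerShell import."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for entity_id, xml_text in ready.items():
        path = os.path.join(outdir, re.sub(r"[^A-Za-z0-9._-]+", "_", entity_id) + ".xml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(xml_text)
        paths.append(path)
    return paths


# Constructed sample: base64 of short strings stands in for real X.509 DER.
CERT_A = base64.b64encode(b"constructed-cert-A").decode()
CERT_B = base64.b64encode(b"constructed-cert-B").decode()
KEY = '<md:KeyDescriptor{use}><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
SAMPLE_AGGREGATE = (
    f'<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" Name="urn:example:federation">'
    '<md:EntityDescriptor entityID="https://idp-a.example.edu/idp/shibboleth">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + KEY.format(use="", cert=CERT_A) + KEY.format(use=' use="encryption"', cert=CERT_B) +
    '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp-a.example.edu/idp/profile/SAML2/Redirect/SSO"/>'
    '</md:IDPSSODescriptor></md:EntityDescriptor>'
    '<md:EntityDescriptor entityID="https://idp-b.example.edu/idp/shibboleth">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + KEY.format(use=' use="encryption"', cert=CERT_A) +
    '</md:IDPSSODescriptor></md:EntityDescriptor>'
    '<md:EntityDescriptor entityID="https://sp-c.example.edu/shibboleth">'
    '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
    '</md:EntityDescriptor></md:EntitiesDescriptor>'
)

if __name__ == "__main__":
    ready, skipped = split_aggregate(SAMPLE_AGGREGATE)
    for entity_id in ready:
        print("ready:  ", entity_id, "encryption keys:", encryption_key_count(ready[entity_id]))
    for entity_id, why in skipped.items():
        print("skipped:", entity_id, "-", why)
```

Each file in `ready` is then imported on its own with the ADFS 2.0 PowerShell snap-in (Add-ADFSClaimsProviderTrust with -MetadataFile, or Add-ADFSRelyingPartyTrust for SPSSODescriptor output); the `skipped` list is what to review by hand, since an entity sharing an encryption certificate with one already imported will fail in ADFS anyway and is better caught here.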

  8. How to Integrate SharePoint
  • Install ADFS according to documentation
  • Create a new Relying Party on the ADFS server
  • Configure the RP manually
  • SharePoint-to-ADFS uses the WS-Fed Passive protocol (ADFS to Shibboleth uses SAML 2)
  • The identifier/entityID is https://<yourFQDN>/_trust/
  • For claims rules, you can just use “Pass-Through” rules (Shibboleth-sourced claims are already transformed on the Claims Provider configuration, and AD-based logins don’t need to be transformed)
  • On the SharePoint server, use PowerShell to add a new Security Token Service (STS):
  • Use the New-SPTrustedIdentityTokenIssuer cmdlet (see link below)
  • Consider adding some custom code to sync SharePoint profiles
  • Hook the “OnSignedIn” event of the “federatedAuthentication” module
  • Use SharePoint’s UserProfileManager class
  • http://shannonbray.wordpress.com/2010/10/02/claims-based-authentication-made-simple/

  9. How to Integrate Your Own App
  • Developer’s machine:
  • Install WIF runtime (KB974405)
  • Install WIF SDK (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c148b2df-c7af-46bb-9162-2c9422208504&displaylang=en)
  • Web Server:
  • Install WIF runtime (KB974405)
  • Set your app’s App Pool property “loadUserProfile” to ‘true’

  10. How to Integrate Your Own App (cont)
  • For the app itself (assuming VS2008):
  • Ensure that the build target is .NET 3.5 (or greater)
  • Check out (from source control) the app’s web.config file (the next step needs to write to it)
  • Right-click the web site/project in Solution Explorer, choose ‘Add STS Reference’
  • Choose your app’s web.config file
  • Use your app’s URL as the application URI, making sure to include the trailing slash (Ex. https://serverFQDN/app/)
  • Choose to “Use an Existing STS” and point to your ADFS server’s metadata:
  • https://<yourADFS-FQDN>/FederationMetadata/2007-06/FederationMetadata.xml
  • Accept other defaults

  11. How to Integrate Your Own App (cont)
  • Edit the attributes/claims that your app requests
  • Web site: Edit the <microsoft.identitymodel> section of web.config, uncomment needed attributes, then choose ‘Update Federation Metadata’ from the project’s right-click menu in Solution Explorer
  • Web project: You’ll need to first edit your app’s web.config as described above, then either manually edit your app’s metadata file, located at <app root>/FederationMetadata/2007-06/FederationMetadata.xml, or use the VS2008 FedUtil (click Tools->Run Federation Utility tool). If you choose the first option:
  • Look for the <fed:ClaimsTypesRequested> section
  • Add new <auth:ClaimType> elements as needed
  • Name and Role are enabled by default; consider adding these:
  • <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
  • <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
  • <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />

  12. How to Integrate Your Own App (cont)
  • On ADFS Server
  • Add a new Relying Party
  • Auto-configure from metadata:
  • https://<WebServerFQDN>/app/FederationMetadata/2007-06/FederationMetadata.xml
  • Create ‘Pass-Through’ Claims Rules for the new RP. Consider pass-through rules for these claims (as so-named in the ADFS RP Claim Rules GUI):
  • “Name” is the userID/sAMAccountName/ePPN
  • “Given Name” is the user’s first name
  • “Surname” is the user’s last name
  • “E-Mail Address” is the user’s email address
  • “Role” is the user’s role (or eduPersonAffiliation, etc)
  • A pass-through rule forwards whatever the Claims Provider sent, so any policy check (e.g. the scoped-attribute check from slide 3) belongs on the Claims Provider trust, before the claim reaches the RP

  13. How to Integrate Your Own App (cont)
  • App code references:
  • Add a reference to Microsoft.IdentityModel (after installing the WIF runtime)
  • App Code:

```csharp
using Microsoft.IdentityModel.Claims;
using System.Threading;

// In Page_Load(): WIF has already validated the token and set the claims principal on the thread
IClaimsIdentity claimsIdentity = ((IClaimsPrincipal)Thread.CurrentPrincipal).Identities[0];
```

  • Microsoft Reference:
  • http://www.microsoft.com/downloads/en/details.aspx?FamilyID=BB9AB270-473B-4852-B26E-031A88EDD113

  14. How to Integrate Your Own App (cont)

```csharp
// Continues in Page_Load() after claimsIdentity is obtained (slide 13).
// Every local is initialised here: C# rejects reading an unassigned local,
// so the original declarations compiled only while the values were unused.
const string GIVENNAME_CLAIM_TYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname";
const string SURNAME_CLAIM_TYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname";
const string EMAIL_CLAIM_TYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";
const string ROLE_CLAIM_TYPE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";

string UID = "", FName = "", LName = "", EmailAddr = "", Role = "";
bool AuthOK = false, roleFound = false;

if (claimsIdentity != null)
{
    AuthOK = claimsIdentity.IsAuthenticated;
    UID = claimsIdentity.Name;   // the "Name" claim passed through from ADFS
    foreach (Claim c in claimsIdentity.Claims)
    {
        if (c.ClaimType == GIVENNAME_CLAIM_TYPE) FName = c.Value;
        if (c.ClaimType == SURNAME_CLAIM_TYPE) LName = c.Value;
        if (c.ClaimType == EMAIL_CLAIM_TYPE) EmailAddr = c.Value;
        if (c.ClaimType == ROLE_CLAIM_TYPE)
        {
            // role is multivalued, so build one semicolon-delimited string
            if (roleFound) Role += ";" + c.Value;
            else { Role += c.Value; roleFound = true; }
        }
    }
}
```

  15. DiscoveryService/WAYF??
  • ADFS does not support the OASIS Discovery Service profile
  • To discover a user’s home institution, ADFS uses a process called “Home Realm Discovery”
  • This is very customizable, as it is just a .NET page (.aspx)
  • Page is at (by default) c:\inetpub\adfs\ls\HomeRealmDiscovery.*
  • Search-as-you-type
  • Cookie name
  • Multi-Fed Selector

  16. Demo
  • Claims Provider Properties
  • Claims Provider Claims Rules
  • Relying Party Properties
  • Relying Party Claims Rules
  • SharePoint Login
  • Custom code to sync SharePoint profiles
  • Hooks the “OnSignedIn” event of the “federatedAuthentication” module
  • Uses SharePoint’s UserProfileManager class
  • Custom app integration
