Enterprise Identity

Presenters: Steve Plank – Microsoft; Ivor Bright – Charteris; Dave Nesbitt – Oxford Computer Group.



  1. Enterprise Identity
  Steve Plank – Microsoft
  Ivor Bright – Charteris
  Dave Nesbitt – Oxford Computer Group

  2. Agenda
  • Overview of Enterprise Federation Challenges/Solutions
  • Individual Group Discussions (led)
  • Large Group “Debate”

  3. [Diagram] Your EMPLOYEES on your NETWORK (Exchange, SQL/File Servers, Active Directory, App Servers, Web Servers): Logon to Windows; Single Sign-on inside your NETWORK. Your SUPPLIERS and their NETWORKS: Extranet Access with Identity Federation.

  4. ADFS Identity Federation
  • Projecting user identity from a single logon …
  • Providing distributed authentication & claims-based authorization …
  • Connecting islands (across security, organizational or platform boundaries) …
  • Enabling web single sign-on & simplified identity management

  5. ADFS Components

  6. ADFS Components: Active Directory or ADAM
  • Authenticates users
  • Manages attributes
  • Windows 2000 or 2003

  7. ADFS Components: Federation Service (FS)
  • Security Token Service (STS)
  • Maps user attributes to claims
  • Issues security tokens
  • Manages federation trust policy
  • Requires IIS v6, Windows 2003 R2

  8. ADFS Components: Federation Server Proxy (FSP)
  • Client proxy for token requests
  • Provides UI for browser clients
    • Forms-based auth
    • Home realm discovery
  • Requires IIS v6, Windows 2003 R2

  9. ADFS Components: Web Agent
  • Enforces user authentication
  • Creates app authZ context from claims
    • NT impersonation and ACLs
    • ASP.NET IsInRole()
    • AzMan RBAC integration
    • ASP.NET raw claims API
  • Requires IIS v6, Windows 2003 R2

  10. ADFS Authentication Flow [Diagram: A. Datum Account Forest ↔ Trey Research Resource Forest]

  11. Centrify support for ADFS: Web SSO for non-IIS web servers
  • DirectControl provides a cross-platform equivalent of the Microsoft ADFS SSO Agent for IIS6
    • Apache and popular J2EE web servers: BEA WebLogic, Apache Tomcat, IBM WebSphere, JBoss
    • Web agent is a direct drop-in for non-Microsoft web servers
  • Customer benefits
    • Simple and cost-effective entrance into the federated identity world
    • No modification of applications
    • Uses existing deployed infrastructure (AD)

  12. Quest support for ADFS: Web SSO for non-IIS web servers
  • ADFS supported in Vintela Single Sign-on for Java (VSJ) 3.1
  • Existing Java apps need no modifications
  • VSJ 3.1 ADFS servlet filter will:
    • Support ADFS authentication for Java applications in the resource domain
    • Allow Java application servers to leverage an existing ADFS infrastructure
    • Enable federation of Java/J2EE applications within an ADFS-based trust fabric
    • Support NTLM, SPNEGO & WS-Federation based authentication
  • VSJ servlet filters work with any J2EE application server
  • No change required to the Java application – it “just works”

  13. Shibboleth Interoperability (sponsored by Microsoft and ADFS)
  • Standards-based, open source
  • Shibboleth System 1.3 release
  • Developing plug-ins for SAML 1.1 Identity and Service Providers
  • Supports the WS-Federation Passive Requestor Interoperability Profile
  • Enables interop with ADFS and other compliant vendor products

  14. WS-Federation [Diagram: Security Token Service with an HTTP Receiver (HTTP messages) and a SOAP Receiver (SOAP messages)]
  • Web Services Federation Language
  • Defines messages to enable security realms to federate & exchange security tokens
  • BEA, IBM, Microsoft, RSA, VeriSign
  • Two “profiles” of the model defined
    • Passive (browser) clients – HTTP/S
    • Active (smart) clients – SOAP

  15. Passive Requestor Profile (supported by ADFS v1 in Windows Server 2003 R2)
  • Binding of WS-Federation & WS-Trust for browser (passive) clients
  • Implicitly adhere to policy by following redirects
  • Implicitly acquire tokens via HTTP messages
  • Authentication requires secure transport (HTTPS)
  • Client cannot provide “proof of possession”
    • Tokens subject to replay
    • Limited (time-based) token caching

  16. Authentication Message Flow (participants: Browser Client, Web Server, Resource STS, Account STS)
  • GET (to Web Server)
  • 302 Redirect (to Resource STS)
  • Detect user’s home realm
  • 302 Redirect (to Account STS)
  • Authenticate user
  • POST “redirect” security token (to Resource STS)
  • POST “redirect” security token (to Web Server)
  • 200 OK response (from Web Server)
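The last two POST steps above are where the passive profile's weakness from slide 15 bites: the browser simply forwards a token it cannot prove it owns, so the Resource STS must rely on signature, audience, short lifetime and one-time use to limit replay. The following added example (not from the presentation, and not ADFS's own code) simulates that Resource STS check; the shared HMAC key standing in for the federation trust, the realm names and the claim layout are all constructed simplifications of a signed SAML 1.1 token.

```python
import hmac, hashlib, json, uuid

# Constructed stand-in for the federation trust between Resource STS and Account STS.
# Real ADFS tokens are SAML 1.1 assertions signed with the issuer's X.509 key;
# an HMAC over the claim set is a simplification for illustration only.
TRUST_KEY = b"constructed-federation-trust-key"
TOKEN_LIFETIME_SECONDS = 300  # short lifetime limits the replay window (slide 15)

def _sign(claims: dict) -> str:
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(TRUST_KEY, body, hashlib.sha256).hexdigest()

def account_sts_issue(user: str, audience: str, now: float) -> dict:
    """Account STS: after authenticating the user (out of scope), issue the redirected token."""
    claims = {
        "id": str(uuid.uuid4()),                 # unique per token, enables replay detection
        "subject": user,
        "issuer": "account-sts.adatum.example",  # constructed realm name
        "audience": audience,
        "issued": now,
        "expires": now + TOKEN_LIFETIME_SECONDS,
        "claims": {"role": "Purchaser"},
    }
    return {"claims": claims, "signature": _sign(claims)}

class ResourceSTS:
    """Resource STS: validates the POSTed token before issuing its own for the web server."""
    def __init__(self, realm: str):
        self.realm = realm
        self._seen_ids: set = set()  # ids already redeemed within their lifetime

    def validate(self, token: dict, now: float) -> tuple:
        claims = token["claims"]
        if not hmac.compare_digest(_sign(claims), token["signature"]):
            return False, "bad signature"      # tampered, or not from the trusted issuer
        if claims["audience"] != self.realm:
            return False, "wrong audience"     # token issued for a different partner
        if now >= claims["expires"]:
            return False, "expired"            # limited time-based caching
        if claims["id"] in self._seen_ids:
            return False, "replay"             # passive client has no proof of possession
        self._seen_ids.add(claims["id"])
        return True, "accepted"
```

Each rejection reason is returned rather than raised so that a detection pipeline can count "replay" and "bad signature" outcomes separately from ordinary expiry.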

  17. Active Requestor Profile (future ADFS release)
  • Binding of WS-Federation & WS-Trust for SOAP/XML-aware (active) clients
  • Explicitly determine token needs from policy
  • Explicitly request tokens via SOAP messages
  • Strong authentication of all requests
  • Client can provide “proof of possession”
  • Supports delegation
    • Client can provide a token for use on its behalf
  • Allows rich token caching at the client
    • Improved performance without security risk

  18. Sample Flow: Active Client (participants: Requesting Service, Target Service, Service Provider STS, Identity Provider STS; WS-Policy used to route client token requests)
  • Fetch service policy
  • Fetch SP policy
  • Request token
  • Fetch IP policy
  • Return token
  • Request token
  • Return token
  • Send secured request
  • Return secured response

  19. Review
  • Overview of Enterprise Federation Challenges/Solutions
  • Individual Group Discussions (led)
  • Large Group “Debate”
