440 likes | 884 Views
SVR311 . Active Directory Federation Services Architecture Drilldown . John Pritchard Microsoft Corporation johnpr@microsoft.com. Target Audience. IT Professionals who want to understand how ADFS works
E N D
SVR311 Active Directory Federation Services Architecture Drilldown John Pritchard Microsoft Corporation johnpr@microsoft.com
Target Audience • IT Professionals who want to understand how ADFS works • Session is about ADFS components and how they work, and the specifications ADFS is based on
Key Takeaways What are the major components of ADFS and how do they work? What is ADFS based on? How might I use ADFS?
Agenda • Level set • Distributed IAM Problems • Federated IAM Solution • Active Directory Federation Services • Architecture & Components • Managing Access with Claims (User Attributes) • Demo • Deployment & Programming Models • ADFS WS-* Specifications Heritage • Multi-vendor Interoperability
Your SUPPLIERS Your CUSTOMERS Your REMOTE andVIRTUAL EMPLOYEES Your PARTNERS Orgs Have To Extend Access Customer satisfaction & customer intimacy Cost competitiveness Reach, personalization Collaboration Outsourcing Faster business cycles; process automation Value chain Your COMPANY andyour EMPLOYEES M&A Mobile/global workforce Flexible/temp workforce
Problem: Business Costs of Extending your Network IT/Helpdesk Efficiency Regulatory Compliance End User Productivity Security Account provisioning requests Password reset requests Account proliferation Provisioning latency Forgotten passwords Logon frequency Orphaned or inaccurate accounts Compromised passwords Least access Privacy protection SOX, HIPAA, etc. Auditing and reporting
Solution: Federated Identity and Access Management • Industry Definition • Standards-based technology & IT processes … • Distributed identification, authentication and authorization … • Across boundaries (security, departmental, organizational or platform boundaries) … • ADFS Vision • Log on once, secure access to everything • Leverage identity and services as broadly as possible
Security Tokens & ClaimsDistributed authentication/authorization • Security tokens assert claims • Claims – Statements authorities make about security principals (name, identity, key, group, privilege, capability, etc.) Signed Proof of Possession X.509 Kerberos XrML Secret Key SAML Password
Security Token Service A security token service issues security tokens Key Distribution Center Security Token Service STSs can “swap” tokens as a request crosses security domain boundaries
Federation STS Federation STS Order Entry Portal Order Entry Application Active Directory Federated IAM in Action X-organization, X-platform Web SSO Federation Claims Application Claims SIDs Trey Research Inc. A.Datum Corp. • User clicks A.Datum portal link to Trey Research order processing application • User redirected to A.Datum STS • Seamlessly authenticated via Kerberos (Windows integrated AuthN & AD) • User obtains SAML security token from A.Datum STS for Trey Research STS • Federation claims per business agreement • User obtains SAML security token from Trey Research STS for application • Federation + application-specific claims • User accesses Trey Research order processing application
Agenda • Level set • Distributed IAM Problems • Federated IAM Solution • Active Directory Federation Services • Architecture & Components • Managing Access with Claims (User Attributes) • Demo • Deployment & Programming Models • ADFS WS-* Specifications Heritage • Multi-vendor Interoperability
Active Directory Authenticates users Manages attributes used to populate claims Federation Service (FS) STS Issues security tokens Manages federation trust policy FS Proxy (FS-P) Client proxy for token requests Provides UI for browser clients Web Server SSO Agent Enforces user authentication Creates user authorization context ADFS Architecture Windows Authentication/LDAP LPC/Web Methods HTTPS Note: ADFS supports both W2K & W2K3 forests FS & FS-P co-located by default, Can be separate boxes FS, FS-P & SSO agent require IISv6 W2K03 R2 Browser clients only for ADFSv1 (W2K03 R2 release)
Federation Service • ASP.NET-hosted service running on IISv6 – Windows 2003 Server R2 • Federation Policy management • Establishes trust for signed security tokens by certificate-based key distribution • Defines token/claim types & shared namespace for Federated security realms • Security token generation • Retrieves user attributes for claim generation from AD (or ADAM) via LDAP • Transforms claims (if required) between internal & federation namespaces • Builds signed SAML security token & sends to FS-P • Builds “User SSO” cookie contents & sends to FS-P • User authentication • Validates ID/Password via LDAP Bind for Forms-based authentication
Federation Service Proxy • ASP.NET-hosted service running on IISv6 – Windows 2003 Server R2 • User authentication • Provides UI for Home Realm Discovery & Forms-based Logon • Authenticates users for Windows Integrated & Client SSL authentication • Writes “User SSO” cookie to Browser (similar to Kerberos TGT) • Security token processing • Requests security token for client from FS • Routes token to web server via “POST redirect” through browser
Web Server SSO Agent • ISAPI extension for IISv6 – Windows 2003 Server R2 • User authentication • Intercepts URL GET requests & Redirects un-authenticated clients to LS • Writes “Web Server SSO” cookie to Browser (similar to Kerberos service ticket) • Windows Service • User authorization • Creates NT Token for impersonation (AD users only) • Managed Web Module • Security token processing • Validates user’s security token and parses claims in token • User authorization • Populates ASP.NET GenericPrincipal context from claims to support IsInRole() • Provides raw claims to app
ADFS Trust & Message Flows STS: Trust & claims policy setup (out of band) Browser: Application and security token requests (HTTPS)
Organization A Organization B PrivateNamespace Private Namespace ADFS Identity FederationProjects AD Identities to other security realms Federation Servers Federation Server Federation Server • Manage: • Trust – Keys • Security – Claims required • Privacy – Claims allowed • Audit – Identities, authorities
ADFS: Supported Security Tokens • Currently only issue SAML tokens • Tokens are not encrypted • All messages are over HTTPS • Tokens are signed • (default) Signed with RSA Private key and signature verified with public key from X.509 certificate • (optional) Can be signed with Kerberos session key • FS-R tokens for Web server SSO Agent • NT service component of Web server SSO Agent must run as a domain service account and must have an SPN configure
ADFS: Supported Claim Types • WS-Federation interoperable claim types • Identity • User Principal Name (UPN) • E-mail Address • Common Name (any string value) • Group • Custom • name/value pair (eg SSN / 123-45-6789) • ADFS-to-ADFS only authZ data • SIDs • Sent to avoid employee shadow accounts in extranet DMZ • Sent in SAML token Advice element (not a standard claim type) • Organizational claims • Common set of claims across account stores and partners • Mark organizational claims as sensitive (not audited/logged)
ADFS: Claims Processing Extensibility • Interface allows plug-in modules to be developed for custom claim transformation • ADFS v1 FS supports one claim transform module. Not a pipeline for multiple modules. • Further lookups to a LDAP or SQL store • Complex claim transformations requiring computation
Agenda • Level set • Distributed IAM Problems • Federated IAM Solution • Active Directory Federation Services • Architecture & Components • Managing Access with Claims (User Attributes) • Demo • Deployment & Programming Models • ADFS WS-* Specifications Heritage • Multi-vendor Interoperability
B2B: ADFS Federated Web SSO Partners do NOT need local accounts Web-based purchasing & inventory control apps • Partner employees use their corporate AD accounts • Intranet UX: Web SSO after Windows desktop logon • Internet UX: Web SSO after Forms-based logon or SSL client authN
B2E: ADFS Extranet Web SSOSingle sign-on for HQ & “Road Warrior” users Web-based Wholesale Order Entry app in DMZ • All employees have accounts in intranet AD • Intranet UX: Web SSO after Windows desktop logon • Internet UX: Web SSO after Forms-based logon or SSL client authN
B2C: ADFS “Online” Web SSOClassic Web SSO for Internet customers Web-based Retail Order Entry & Customer Service apps • Customers issued user accounts in DMZ (AD or ADAM) • Internet UX: Web SSO after Forms-based logon
ADFS App Programming Model • Web Server SSO Agent • Authenticates users for app • Creates authorization context for app • NT Impersonation and ACLs • ASP.NET IsInRole() • String match, You do all the authorization logic • AzMan RBAC integration • App can add Role/Group claims to AzMan context • ASP.NET Raw Claims API • System.Web.Security.SingleSignOn.Authorization • Session SVR400 Developing Solutions on the Microsoft Identity and Access Platform
Federation STS Federation Claims Application Claims SIDs/Attribs Federation STS Active Directory AzMan (RBAC) Roles Federated IAM via Claims & RBACADFS & Authorization Manager integration Federation Realm Web Server Resource Realm Account Realm
Agenda • Level set • Distributed IAM Problems • Federated IAM Solution • Active Directory Federation Services • Architecture & Components • Managing Access with Claims (User Attributes) • Demo • Deployment & Programming Models • ADFS WS-* Specifications Heritage • Multi-vendor Interoperability
WS-Federation • Web services federation language • Defines messages to enable security realms to federate & exchange security tokens • BEA, IBM, Microsoft, RSA, VeriSign • Two “profiles” of the model defined • Passive (Browser) clients – HTTP/S • Active (Smart) clients – SOAP HTTP messages HTTPReceiver Security Token Service SOAP Receiver SOAP messages
Passive Requestor Profile Supported by ADFSv1 in Windows Server 2003 R2 • Binding of WS-Federation & WS-Trust for browser (passive) clients • Implicitly adhere to policy by following redirects • Implicitly acquire tokens via HTTP msgs • Authentication Requires secure transport (HTTPS) • Cannot provide “proof of possession” for tokens • Limited (time based) token caching • Tokens can be replayed
Redirect to resource’s IP/STS Detect realm Redirect to requestor’s IP/STS Login Return identity token Return resource token Return secured response Sample Flow: Browser Client Requesting Browser Requestor’s IP/STS Target Resource Target’s IP/STS Get resource
Active Requestor ProfileFuture ADFS release • Binding of WS-Federation & WS-Trust for SOAP/XML aware (active) clients • Explicitly determine token needs from policy • Explicitly request tokens via SOAP msgs • Strong authentication of all requests • Can provide “proof of possession” for tokens • Supports delegation • Client can provide token for web service to use on its behalf • Allows rich token caching at client • Improved user experience & performance
Acquire policy Request token Return token Acquire policy Request token Return token Send secured request Return secured response Sample Flow: Active SOAP ClientWS-Policy used to route client token requests Requesting Service Requestor’s IP/STS Target Service Target’s IP/STS
WS-Federation Interoperability • WS-* public workshops/mailing list prepare specs for submission to standards bodies • http://groups.yahoo.com/group/WS-Security-Workshops/ • WS-Federation vendor workshop (3/29/04) • Passive Requestor Profile & SAML token • Microsoft, IBM, RSA, Oblix, PingID, Open Network, Netegrity • 100% interop achieved by all participants • WS-Federation product previews at Tech·Ed • Interop pavilion & Vendor panel
Call to Action • Play with ADFS • ADFS Hands-On Lab! • ADFS in R2 Beta 2 • Encourage claims-aware application development today; get federation “for free” when R2 ships • Authorization Manager • ASP.NET IsInRole
White Papers: http://www.microsoft.com/idm “Federation of Identities in a Web Services World”“Federated Identity Management Interoperability” Video: http://msdn.microsoft.com/theshow/episode047/default.asp Resources
Your Feedback is Important! We invite you to participate in ouronline evaluationon CommNet,accessible Friday only If you choose to complete the evaluation online, there isno need to complete the paper evaluation
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.