Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEH | ondrej@sevecek.com | www.sevecek.com |
Active Directory Federation Services
AD FS
• XML over HTTP/S based authentication and "trust"
• Replacement for AD trusts
• Free download
AD FS vs. local user stores
• Local user stores
  • AD LDS (LDAP), SQL, XML, …
  • you must manage the accounts
  • you know their passwords
  • you must reset and unlock and disable
• AD FS
  • leaves account management on the account partner side
  • you never see their password
SharePoint WS Federation passive URL
• This is the URL the client is redirected to after it has been authenticated and its claims have been processed and signed
• https://intranet.gopas.cz/_trust/
SharePoint realm
• Used to identify the calling application
  • it is the thing that SharePoint sends to ADFS to identify itself
• urn:something:something-else
  • urn:intranet.gopas.virtual:sharepoint
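The realm and the passive URL from the two slides above are the two values AD FS uses to decide whom it is talking to and where the signed token may be returned. The following Python model is an added example, not code from the slide deck or from AD FS; it builds the WS-Federation passive sign-in redirect (wa, wtrealm, wreply, wctx) that SharePoint sends the browser to, and shows the check the identity provider side applies: the realm must be a registered relying party and the reply URL must be one registered for that realm, otherwise no token is issued. The AD FS host name and the relying-party table are constructed assumptions; the realm and /_trust/ URL are the values on the slides.

```python
"""
Added example, not from the slide deck: a minimal model of the WS-Federation
passive profile request SharePoint sends to AD FS, plus the relying-party
check applied to it. Assumed values are marked below.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed AD FS passive endpoint (host name is constructed for this example).
ADFS_PASSIVE_ENDPOINT = "https://adfs.gopas.virtual/adfs/ls/"

# Constructed relying-party registry: realm -> registered WS-Fed passive endpoints.
# The realm and the /_trust/ URL are the values shown on the slides.
RELYING_PARTIES = {
    "urn:intranet.gopas.virtual:sharepoint": ["https://intranet.gopas.cz/_trust/"],
}


def build_signin_request(realm, reply_url, context="rm=0&id=passive"):
    """Build the redirect URL the relying party sends the browser to (wsignin1.0)."""
    params = {
        "wa": "wsignin1.0",   # WS-Fed action: passive sign-in
        "wtrealm": realm,     # identifies the calling application (SharePoint realm)
        "wreply": reply_url,  # where the signed token is POSTed back
        "wctx": context,      # opaque state returned unchanged to the relying party
    }
    return ADFS_PASSIVE_ENDPOINT + "?" + urlencode(params)


def validate_signin_request(url):
    """Return (ok, reason): reject unknown realms and unregistered reply URLs."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    wa = qs.get("wa", [""])[0]
    realm = qs.get("wtrealm", [""])[0]
    reply = qs.get("wreply", [""])[0]
    if wa != "wsignin1.0":
        return False, f"unsupported action {wa!r}"
    if realm not in RELYING_PARTIES:
        return False, f"unknown realm {realm!r}"
    allowed = RELYING_PARTIES[realm]
    # Only return tokens to endpoints registered for this realm (model choice:
    # exact match or prefix under a registered endpoint).
    if reply and not any(reply == a or reply.startswith(a) for a in allowed):
        return False, f"reply URL {reply!r} not registered for realm {realm!r}"
    return True, "ok"


if __name__ == "__main__":
    req = build_signin_request("urn:intranet.gopas.virtual:sharepoint",
                               "https://intranet.gopas.cz/_trust/")
    print(req)
    print(validate_signin_request(req))
```

If the registry had no entry for the realm, or the reply URL pointed at a host other than the registered /_trust/ endpoint, validate_signin_request refuses; this is the property that makes the realm a name for the application rather than a secret.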
SharePoint incoming claim types
http://msdn.microsoft.com/en-us/library/system.identitymodel.claims.claimtypes.aspx
Claim types and SharePoint
• Only IdentifierClaim is saved in the user's "settings" page
• Other claim types can be used to authorize access to resources with People Picker
• No lookup for account partner claim values
More groups as a single claim
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-573680338-1201701862-760492540-1037", Issuer == "AD AUTHORITY"]
&& c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-573680338-1201701862-760492540-1185", Issuer == "AD AUTHORITY"]
&& c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-573680338-1201701862-760492540-1139", Issuer == "AD AUTHORITY"]
=> issue(Type = "http://schemas.sp.local/canDoIt", Value = "true", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
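The rule above is a conjunction: it only fires when the incoming claim set contains all three group SIDs, each issued by AD AUTHORITY, and the single output claim copies Issuer, OriginalIssuer and ValueType from the first matched claim (the c. references). The Python below is an added example, not the AD FS claim engine and not code from the deck; it is a simplified evaluator for rules of this shape, generalised to any list of (Type, Value, Issuer) conditions, so it can show what happens when a group is missing or when a group SID of the right value arrives from a different issuer. The SIDs, claim types and issuer string are the slide's values; the Claim layout and the make_groupsid_claims helper are constructed for the example.

```python
"""
Added example, not from the slide deck: a simplified model of a multi-condition
AD FS issuance transform rule (c && c1 && c2 => issue(...)). Not the real
claim engine; it evaluates the conjunction and copies the c.* properties.
"""
from dataclasses import dataclass

GROUPSID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"


@dataclass(frozen=True)
class Claim:
    type: str
    value: str
    issuer: str
    original_issuer: str = ""
    value_type: str = "http://www.w3.org/2001/XMLSchema#string"


# The three conditions of the slide's rule as (Type, Value, Issuer) triples.
REQUIRED_GROUPS = [
    (GROUPSID, "S-1-5-21-573680338-1201701862-760492540-1037", "AD AUTHORITY"),
    (GROUPSID, "S-1-5-21-573680338-1201701862-760492540-1185", "AD AUTHORITY"),
    (GROUPSID, "S-1-5-21-573680338-1201701862-760492540-1139", "AD AUTHORITY"),
]


def first_match(claims, cond):
    """Return the first claim satisfying one [Type ==, Value ==, Issuer ==] condition."""
    ctype, value, issuer = cond
    for c in claims:
        if c.type == ctype and c.value == value and c.issuer == issuer:
            return c
    return None


def evaluate_rule(claims, conditions=REQUIRED_GROUPS,
                  out_type="http://schemas.sp.local/canDoIt"):
    """Return the issued claim when every condition matches, otherwise None."""
    matched = [first_match(claims, cond) for cond in conditions]
    if any(m is None for m in matched):
        return None  # conjunction fails: at least one group is missing
    c = matched[0]  # the rule's "c" binding
    return Claim(type=out_type, value="true", issuer=c.issuer,
                 original_issuer=c.original_issuer, value_type=c.value_type)


def make_groupsid_claims(sids, issuer="AD AUTHORITY"):
    """Constructed helper: groupsid claims as AD FS would build them from a token."""
    return [Claim(GROUPSID, sid, issuer, issuer) for sid in sids]


if __name__ == "__main__":
    sids = [cond[1] for cond in REQUIRED_GROUPS]
    print(evaluate_rule(make_groupsid_claims(sids)))
    print(evaluate_rule(make_groupsid_claims(sids[:2])))
```

The Issuer condition is what pins the rule to local AD group membership: a claim with one of the required SIDs but a different Issuer (for example one forwarded through a claims provider trust) does not satisfy the condition, and the canDoIt claim is not issued.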
Thank you!