Active Directory Federation Services Architecture Drilldown John Pritchard Microsoft Corporation SVR311.


1 Active Directory Federation Services Architecture Drilldown John Pritchard Microsoft Corporation SVR311

2 Target Audience
- IT Professionals who want to understand how ADFS works
- Session is about ADFS components and how they work, and the specifications ADFS is based on

3 Key Takeaways
- What are the major components of ADFS and how do they work?
- What is ADFS based on?
- How might I use ADFS?

4 Agenda
- Level set
  - Distributed IAM Problems
  - Federated IAM Solution
- Active Directory Federation Services
  - Architecture & Components
  - Managing Access with Claims (User Attributes)
  - Demo
  - Deployment & Programming Models
- ADFS WS-* Specifications
  - Heritage
  - Multi-vendor Interoperability

5 Orgs Have To Extend Access
Diagram: your COMPANY and your EMPLOYEES at the centre, extending access to your SUPPLIERS, your PARTNERS, your REMOTE and VIRTUAL EMPLOYEES and your CUSTOMERS
Drivers: customer satisfaction & customer intimacy; cost competitiveness; reach, personalization; collaboration; outsourcing; faster business cycles, process automation; value chain; M&A; mobile/global workforce; flexible/temp workforce

6 Problem: Business Costs of Extending your Network
- Regulatory Compliance: privacy protection; SOX, HIPAA, etc.; auditing and reporting
- End User Productivity: provisioning latency; forgotten passwords; logon frequency
- IT/Helpdesk Efficiency: account provisioning requests; password reset requests
- Security: account proliferation; orphaned or inaccurate accounts; compromised passwords; least access

7 Solution: Federated Identity and Access Management
Industry definition:
- Standards-based technology & IT processes …
- … distributed identification, authentication and authorization …
- … across boundaries (security, departmental, organizational or platform boundaries)
ADFS vision:
- Log on once, secure access to everything
- Leverage identity and services as broadly as possible

8 Security Tokens & Claims
- Distributed authentication/authorization
- Security tokens assert claims
- Claims – statements authorities make about security principals (name, identity, key, group, privilege, capability, etc.)
Diagram labels: Secret Key; Password; Proof of Possession; Signed; X.509; Kerberos; XrML; SAML

9 Security Token Service
- A security token service issues security tokens (diagram: Key Distribution Center)
- STSs can “swap” tokens as a request crosses security domain boundaries

10 Federated IAM in Action: X-organization, X-platform Web SSO
Parties: A.Datum Corp. (Active Directory, Federation STS, Order Entry Portal) and Trey Research Inc. (Federation STS, Order Entry Application)
1. User clicks A.Datum portal link to Trey Research order processing application
2. User redirected to A.Datum STS; seamlessly authenticated via Kerberos (Windows integrated AuthN & AD)
3. User obtains SAML security token from A.Datum STS for Trey Research STS; federation claims per business agreement
4. User obtains SAML security token from Trey Research STS for application; federation + application-specific claims
5. User accesses Trey Research order processing application
Diagram labels: SIDs; Federation Claims; Application Claims

11 Agenda
- Level set
  - Distributed IAM Problems
  - Federated IAM Solution
- Active Directory Federation Services
  - Architecture & Components
  - Managing Access with Claims (User Attributes)
  - Demo
  - Deployment & Programming Models
- ADFS WS-* Specifications
  - Heritage
  - Multi-vendor Interoperability

12 ADFS Architecture
- Active Directory: authenticates users; manages attributes used to populate claims
- Federation Service (FS) STS: issues security tokens; manages federation trust policy
- FS Proxy (FS-P): client proxy for token requests; provides UI for browser clients
- Web Server SSO Agent: enforces user authentication; creates user authorization context
Notes:
- ADFS supports both W2K & W2K3 forests
- FS & FS-P co-located by default; can be separate boxes
- FS, FS-P & SSO agent require IISv6 on W2K03 R2
- Browser clients only for ADFSv1 (W2K03 R2 release)
Diagram connector labels: HTTPS; LPC/Web Methods; Windows Authentication/LDAP

13 Federation Service
ASP.NET-hosted service running on IISv6 – Windows 2003 Server R2
- Federation policy management
  - Establishes trust for signed security tokens by certificate-based key distribution
  - Defines token/claim types & shared namespace for federated security realms
- Security token generation
  - Retrieves user attributes for claim generation from AD (or ADAM) via LDAP
  - Transforms claims (if required) between internal & federation namespaces
  - Builds signed SAML security token & sends to FS-P
  - Builds “User SSO” cookie contents & sends to FS-P
- User authentication
  - Validates ID/password via LDAP bind for forms-based authentication

14 Federation Service Proxy
ASP.NET-hosted service running on IISv6 – Windows 2003 Server R2
- User authentication
  - Provides UI for home realm discovery & forms-based logon
  - Authenticates users for Windows Integrated & client SSL authentication
  - Writes “User SSO” cookie to browser (similar to Kerberos TGT)
- Security token processing
  - Requests security token for client from FS
  - Routes token to web server via “POST redirect” through browser

15 Web Server SSO Agent
ISAPI extension for IISv6 – Windows 2003 Server R2
- User authentication
  - Intercepts URL GET requests & redirects un-authenticated clients to LS
  - Writes “Web Server SSO” cookie to browser (similar to Kerberos service ticket)
Windows service
- User authorization
  - Creates NT token for impersonation (AD users only)
Managed web module
- Security token processing
  - Validates user’s security token and parses claims in token
- User authorization
  - Populates ASP.NET GenericPrincipal context from claims to support IsInRole()
  - Provides raw claims to app

16 Web SSO Agent Schematic

17 ADFS Trust & Message Flows
- STS: trust & claims policy setup (out of band)
- Browser: application and security token requests (HTTPS)

18 ADFS Identity Federation
Projects AD identities to other security realms (diagram: Organization A private namespace and Organization B private namespace, each with a Federation Server)
Federation servers manage:
- Trust – keys
- Security – claims required
- Privacy – claims allowed
- Audit – identities, authorities

19 ADFS: Claim & Token Processing

20 ADFS: Supported Security Tokens
- Currently only issue SAML tokens
- Tokens are not encrypted; all messages are over HTTPS
- Tokens are signed (default)
  - Signed with RSA private key and signature verified with public key from X.509 certificate
  - (Optional) Can be signed with Kerberos session key: FS-R tokens for Web Server SSO Agent
  - NT service component of Web Server SSO Agent must run as a domain service account and must have an SPN configured

21 ADFS: Supported Claim Types
- WS-Federation interoperable claim types
  - Identity: User Principal Name (UPN), Address, Common Name (any string value)
  - Group
  - Custom name/value pair (e.g. SSN / )
- ADFS-to-ADFS only authZ data: SIDs
  - Sent to avoid employee shadow accounts in extranet DMZ
  - Sent in SAML token Advice element (not a standard claim type)
- Organizational claims
  - Common set of claims across account stores and partners
  - Mark organizational claims as sensitive (not audited/logged)

22 ADFS: Claims Processing Extensibility
- Interface allows plug-in modules to be developed for custom claim transformation
  - Further lookups to an LDAP or SQL store
  - Complex claim transformations requiring computation
- ADFS v1 FS supports one claim transform module; not a pipeline for multiple modules
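The claims pipeline of slides 13, 18 and 21 (account-store attributes become organizational claims, which are then filtered by the partner's "claims required" and "claims allowed" policy before a token is issued, with sensitive claims kept out of the audit log), modelled here in Python as an added illustration. This is not ADFS code; the user record, group-to-claim mapping and partner policy are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    ctype: str               # "UPN", "CommonName", "Group" or "Custom"
    value: str
    sensitive: bool = False  # sensitive organizational claims are never logged


# Constructed sample user as the FS would read it from AD over LDAP.
USER = {"upn": "alice@adatum.example", "cn": "Alice Liddell",
        "groups": ["Purchasing", "Domain Users", "HR-Confidential"]}

# Constructed inbound mapping: AD group -> organizational claim (shared namespace).
GROUP_TO_ORG = {
    "Purchasing": Claim("Group", "Purchaser"),
    "HR-Confidential": Claim("Custom", "CostCenter=HR", sensitive=True),
}

# Constructed outgoing policy for one resource partner:
# required = claim types the partner insists on (security),
# allowed  = claim types this realm permits to leave (privacy).
TREY_POLICY = {"required": {"UPN", "Group"}, "allowed": {"UPN", "Group"}}


def account_to_org_claims(user):
    """Step 1: populate organizational claims from account-store attributes."""
    claims = [Claim("UPN", user["upn"]), Claim("CommonName", user["cn"])]
    claims += [GROUP_TO_ORG[g] for g in user["groups"] if g in GROUP_TO_ORG]
    return claims


def org_to_federation_claims(org_claims, policy):
    """Step 2: drop claims the partner may not see, then refuse to issue if required ones are missing."""
    outgoing = [c for c in org_claims if c.ctype in policy["allowed"]]
    missing = policy["required"] - {c.ctype for c in outgoing}
    if missing:
        raise ValueError(f"cannot issue token: missing required claims {sorted(missing)}")
    return outgoing


def issue_for_partner(user, policy):
    """What the account-side FS would place in the SAML token for this partner."""
    return org_to_federation_claims(account_to_org_claims(user), policy)


def audit_line(claims):
    """Audit record; values of claims marked sensitive are redacted rather than logged."""
    return ";".join(f"{c.ctype}={'<sensitive>' if c.sensitive else c.value}" for c in claims)
```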

23 ADFS Federation Claims Flow

24 Supply Chain/Purchasing Application

25 Agenda
- Level set
  - Distributed IAM Problems
  - Federated IAM Solution
- Active Directory Federation Services
  - Architecture & Components
  - Managing Access with Claims (User Attributes)
  - Demo
  - Deployment & Programming Models
- ADFS WS-* Specifications
  - Heritage
  - Multi-vendor Interoperability

26 B2B: ADFS Federated Web SSO
- Partners do NOT need local accounts
- Web-based purchasing & inventory control apps
- Partner employees use their corporate AD accounts
- Intranet UX: Web SSO after Windows desktop logon
- Internet UX: Web SSO after forms-based logon or SSL client authN

27 B2E: ADFS Extranet Web SSO
- Single sign-on for HQ & “road warrior” users
- Web-based wholesale order entry app in DMZ
- All employees have accounts in intranet AD
- Intranet UX: Web SSO after Windows desktop logon
- Internet UX: Web SSO after forms-based logon or SSL client authN

28 B2C: ADFS “Online” Web SSO
- Classic Web SSO for Internet customers
- Web-based retail order entry & customer service apps
- Customers issued user accounts in DMZ (AD or ADAM)
- Internet UX: Web SSO after forms-based logon

29 ADFS App Programming Model
- Web Server SSO Agent: authenticates users for app; creates authorization context for app
- NT impersonation and ACLs
- ASP.NET IsInRole(): string match, you do all the authorization logic
- AzMan RBAC integration: app can add role/group claims to AzMan context
- ASP.NET raw claims API: System.Web.Security.SingleSignOn.Authorization
See session SVR400, Developing Solutions on the Microsoft Identity and Access Platform

30 Federated IAM via Claims & RBAC
ADFS & Authorization Manager integration
Diagram: Account Realm (Active Directory, Federation STS; SIDs/attribs) → Federation Realm (Federation Claims) → Resource Realm (Federation STS, Web Server; Application Claims; AzMan (RBAC) Roles)

31 Agenda
- Level set
  - Distributed IAM Problems
  - Federated IAM Solution
- Active Directory Federation Services
  - Architecture & Components
  - Managing Access with Claims (User Attributes)
  - Demo
  - Deployment & Programming Models
- ADFS WS-* Specifications
  - Heritage
  - Multi-vendor Interoperability

32 WS-Federation
- Web services federation language
- Defines messages to enable security realms to federate & exchange security tokens
- BEA, IBM, Microsoft, RSA, VeriSign
- Two “profiles” of the model defined
  - Passive (browser) clients – HTTP/S
  - Active (smart) clients – SOAP
Diagram: Security Token Service with an HTTP Receiver (HTTP messages) and a SOAP Receiver (SOAP messages)

33 Passive Requestor Profile
Supported by ADFSv1 in Windows Server 2003 R2
- Binding of WS-Federation & WS-Trust for browser (passive) clients
  - Implicitly adhere to policy by following redirects
  - Implicitly acquire tokens via HTTP msgs
- Authentication
  - Requires secure transport (HTTPS)
  - Cannot provide “proof of possession” for tokens
  - Limited (time based) token caching
  - Tokens can be replayed

34 Sample Flow: Browser Client
Parties: Requesting Browser, Requestor’s IP/STS, Target Resource, Target’s IP/STS
1. Get resource
2. Detect realm
3. Redirect to resource’s IP/STS
4. Redirect to requestor’s IP/STS
5. Login
6. Return identity token
7. Return resource token
8. Return secured response
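The final steps of this flow, where the target resource's SSO agent validates the token the browser POSTs to it, modelled in Python as an added example (not ADFS or WS-Federation code). It checks the properties slides 20 and 33 describe: a signed, unencrypted, time-bounded token with no proof of possession. Two things are assumptions of this example rather than content of the deck: an HMAC key stands in for the STS RSA key pair and X.509 certificate so the code runs without extra libraries, and the agent keeps a bounded replay cache, which is one way to limit the "tokens can be replayed" property the passive profile has.

```python
import hashlib
import hmac
import json

# Constructed key standing in for the STS signing key pair on the slides
# (RSA private key, X.509 public certificate). HMAC keeps the example
# dependency-free; the validation steps at the agent are the same.
STS_KEY = b"constructed-demo-key"


def sts_issue(subject, audience, now, lifetime_s=300):
    """STS side: a signed, time-bounded token. Not encrypted: HTTPS carries it."""
    token_id = hashlib.sha256(f"{subject}|{audience}|{now}".encode()).hexdigest()[:16]
    body = {"id": token_id, "subject": subject, "audience": audience,
            "not_before": now, "not_on_or_after": now + lifetime_s}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"payload": payload,
            "signature": hmac.new(STS_KEY, payload, hashlib.sha256).hexdigest()}


class SsoAgent:
    """Web Server SSO Agent: checks a POSTed token before creating the SSO session."""

    def __init__(self, my_audience):
        self.audience = my_audience
        self.seen_ids = {}  # token id -> expiry; replay cache bounded by token lifetime

    def validate(self, token, now):
        """Returns (subject, "ok") or (None, reason); each check is one slide property."""
        expected = hmac.new(STS_KEY, token["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["signature"]):
            return None, "bad signature"            # signed tokens: reject tampering
        body = json.loads(token["payload"])
        if body["audience"] != self.audience:
            return None, "wrong audience"           # token was issued for another resource
        if not body["not_before"] <= now < body["not_on_or_after"]:
            return None, "outside validity window"  # time-based limit on token caching
        # drop expired ids so the cache never grows past one token lifetime
        self.seen_ids = {i: e for i, e in self.seen_ids.items() if e > now}
        if body["id"] in self.seen_ids:
            return None, "replayed token"           # no proof of possession: one use only
        self.seen_ids[body["id"]] = body["not_on_or_after"]
        return body["subject"], "ok"
```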

35 Active Requestor Profile
Future ADFS release
- Binding of WS-Federation & WS-Trust for SOAP/XML aware (active) clients
  - Explicitly determine token needs from policy
  - Explicitly request tokens via SOAP msgs
- Strong authentication of all requests
  - Can provide “proof of possession” for tokens
- Supports delegation
  - Client can provide token for web service to use on its behalf
- Allows rich token caching at client
  - Improved user experience & performance

36 Sample Flow: Active SOAP Client
WS-Policy used to route client token requests
Parties: Requesting Service, Requestor’s IP/STS, Target Service, Target’s IP/STS
Messages: Acquire policy; Request token; Return token; Request token; Return token; Send secured request; Return secured response; Acquire policy

37 WS-Federation Interoperability
- WS-* public workshops/mailing list prepare specs for submission to standards bodies
- WS-Federation vendor workshop (3/29/04)
  - Passive Requestor Profile & SAML token
  - Microsoft, IBM, RSA, Oblix, PingID, Open Network, Netegrity
  - 100% interop achieved by all participants
- WS-Federation product previews at Tech·Ed: Interop pavilion & vendor panel

38 Call to Action
- Play with ADFS: ADFS hands-on lab! ADFS in R2 Beta 2
- Encourage claims-aware application development today; get federation “for free” when R2 ships
  - Authorization Manager
  - ASP.NET IsInRole

39 Resources
White papers: “Federation of Identities in a Web Services World”; “Federated Identity Management Interoperability”
Video:

40 Your Feedback is Important!
We invite you to participate in our online evaluation on CommNet, accessible Friday only. If you choose to complete the evaluation online, there is no need to complete the paper evaluation.


42 © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.


