Presentation transcript: SIM403 (slides on ADFS federation trusts, ADFS proxies, UAG publishing and Kerberos constrained delegation)

Slide: Federation trust relationships
  Your organization: your ADFS STS
    Claims Provider Trust: Active Directory
    Relying Party Trust: the partner ADFS STS
  Partner organization: the partner ADFS STS and identity provider (IP)
    Claims Provider Trust: your ADFS STS
    Relying Party Trust: the relying party application

Slide: Claim rule sets on each trust
  Your ADFS STS
    Claims Provider Trust (AD): Acceptance Transform rules
    Relying Party Trust (partner STS): Issuance Transform rules, Issuance Authorization rules
  Partner ADFS STS
    Claims Provider Trust (your STS): Acceptance Transform rules
    Relying Party Trust (application): Issuance Transform rules, Issuance Authorization rules
Slide: ADFS deployment topology
  Intranet: Active Directory, ADFS Federation Farm, Configuration SQL Cluster, CorpNet users
  Firewall & Load Balancer between the intranet and the perimeter network
  Perimeter network: ADFS Proxy Farm (adfs.example.com)
  Firewall & Load Balancer between the perimeter network and the Internet
  Internet: remote user, authenticating with Forms Authentication
  Note: domain-joined proxies simplify management through group policy, but may not meet your security requirements.
Slide: ADFS v2.0 with UAG
  UAG publishes the ADFS farm and publishes applications; Active Directory backs both.
  Published applications: claims-aware application, Kerberos application.

Slide: UAG capabilities
  Multiple authentication options
  DirectAccess
  HTTP/HTTPS
  Layer 3 VPN
  Application publishing: optimizer modules for Exchange, SharePoint and CRM; reverse proxy for web farms; third-party support
  RemoteApps via the integrated Remote Desktop Services Gateway

Slide: UAG trunk
  Trunk: external IP and URL, HTTP or HTTPS
  Evaluate endpoint access settings
  Authenticate the user against the authentication servers
  Portal: add applications to the trunk
Slide: Publishing ADFS through UAG (https://adfs.example.com)
  UAG terminates HTTPS and then sends the request on to the ADFS farm.
  A channel binding token (CBT) prevents the server accepting credentials that arrive over a new SSL channel.
Slide: Kerberos application published through UAG
  1. User authenticates to UAG via a SAML security token issued by ADFS.
  2. UAG requests a Kerberos ticket to APP1 on behalf of the user.
  3. UAG authenticates to APP1 using Kerberos.
  4. APP1 performs authentication and authorization via the Kerberos ticket.
  The Domain Controller running the KDC issues the tickets.

Slide: S4U2Self flow
  Participants: KDC, UAG Server, user Tom, data server. Diagram labels: TGT, K-ST (Kerberos service ticket).
  1. Claims authentication: Tom authenticates to UAG with claims, not Kerberos credentials.
  2. UAG requests a Kerberos token with the user's identity from the KDC.
  3. UAG requests a Kerberos ST with the user's identity and receives the K-ST.
  4. UAG impersonates the user with the K-ST against the data server.
  Uses: Kerberos extension Service-for-User-to-Self (S4U2Self)
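The S4U2Self flow above only works if the UAG server's AD account is trusted for protocol transition and its delegation is constrained to the published service. The following is an added PowerShell example, not from the session or the product documentation, using the ActiveDirectory module cmdlets; the computer account name UAG01 and the back-end SPN http/app1.example.com are assumed placeholders. It grants the two settings and then lists every account in the domain that holds any delegation right, so the scope of impersonation can be reviewed.

```powershell
# Added example, not part of the session. Assumed names: UAG01 (computer
# account of the UAG server) and http/app1.example.com (SPN of APP1).
Import-Module ActiveDirectory

$uagAccount = Get-ADComputer -Identity 'UAG01'
$targetSpn  = 'http/app1.example.com'

# Protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION): allows UAG to obtain
# a ticket for a user it authenticated by other means (here, a SAML token
# from ADFS) via S4U2Self, and then a ticket to APP1 via S4U2Proxy.
Set-ADAccountControl -Identity $uagAccount -TrustedToAuthForDelegation $true

# Constrain delegation to the one back-end service UAG may impersonate users
# to. Unconstrained delegation (TrustedForDelegation) is deliberately not used.
Set-ADComputer -Identity $uagAccount -Add @{ 'msDS-AllowedToDelegateTo' = $targetSpn }

# Review: userAccountControl bit 0x80000 (524288) = unconstrained delegation,
# bit 0x1000000 (16777216) = protocol transition. 1.2.840.113556.1.4.803 is
# the LDAP bitwise-AND matching rule.
$filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' +
          '(msDS-AllowedToDelegateTo=*))'

Get-ADObject -LDAPFilter $filter -Properties msDS-AllowedToDelegateTo, userAccountControl |
    Select-Object Name,
        @{ n = 'Unconstrained';       e = { ($_.userAccountControl -band 524288) -ne 0 } },
        @{ n = 'ProtocolTransition';  e = { ($_.userAccountControl -band 16777216) -ne 0 } },
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ';' } } |
    Format-Table -AutoSize
```

Run the review query as a domain user from a management host; any row showing Unconstrained = True, or a ProtocolTransition = True account with an empty AllowedToDelegateTo list, is broader than the single-service delegation the slide describes and warrants a look.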
John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems, with a focus on security and high availability. He has been a key player in many IT projects for industry leaders, including Microsoft, the UK Government and multinationals that require optimized IT systems. He has developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory internals, and presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars.