1. March 15, 2011 Active Directory Federation Services 2.0 Overview InCommon Service Provider Training

2. 6/2/2015 2 What is it?  A SAML implementation (both IdP and SP) from Microsoft  A WS-Fed implementation (Passive Requester)  An AD-based single signon system  A server role in Windows Server 2008

3. Some Terminology…  Security token – This refers to the assertion from the IdP.  Claim – a “claim” is just an attribute from the IdP’s assertion.  Claims Provider – This is just the ADFS term for an IdP.  Relying Party – This is just the ADFS term for an SP (a consumer of claims).  Claim Rules – these are instructions that tell ADFS how to deal with a “claim” or attribute. You can check attributes for compliance with certain policies (like scoped attributes) and you can transform attributes (from Shibb format to ADFS format, for example).  More: http://technet.microsoft.com/en-us/library/adfs2-help-terminology(WS.10).aspx 6/2/2015 3

4. 4 What can it do?  Act as an IdP (Claims Provider)  Act as an SP (Relying Party)  Seamlessly integrate with growing list of apps: Sharepoint 2010: –http://blogs.msdn.com/b/spidentity/archive/2010/01/23/claims-based- authentication-cheat-sheet-part-2.aspx Microsoft Unified Access Gateway (proxy): –http://technet.microsoft.com/en-us/library/gg470578.aspx Citrix: –http://support.citrix.com/servlet/KbServlet/download/9932-102- 15146/WI%20for%20ADFS%20FAQ.pdf  Interoperate with other SAML 2.0 solutions (like Shibboleth)

5. What are the limitations?  Metadata support  Certificate support  WAYF/DS support  Forced Authentication support  Other? 6/2/2015 5

6. Resources  ADFS Home: http://technet.microsoft.com/en-us/windowsserver/dd448613.aspx  Using ADFS with Shibboleth and InCommon: http://go.microsoft.com/fwlink/?LinkId=204784  More How-To Guides: http://technet.microsoft.com/en-us/library/adfs2-step-by-step- guides(WS.10).aspxhttp://technet.microsoft.com/en-us/library/adfs2-step-by-step- guides(WS.10).aspx  Claims Rule syntax: http://technet.microsoft.com/en-us/library/dd807118(WS.10).aspx  Shibboleth wiki on ADFS interop: https://spaces.internet2.edu/display/SHIB2/MicrosoftInterop 6/2/2015 6

7. Adding Shibboleth Claims Providers  ADFS can’t deal with a federation metadata file No support for  This can be handled via script/app Uses MS PowerShell to import into ADFS Import one at a time Must force only one encryption cert No other entity can use the same encryption cert  The Microsoft ADFS/InCommon doc has code for a python script Dealing with multiple federations? 6/2/2015 7

8. How to Integrate Sharepoint  Install ADFS according to documentation  Create a new Relying Party on the ADFS server Configure the RP manually SP-to-ADFS uses the WS-Fed Passive protocol (ADFS to Shibb uses SAML 2) The identifier/entityID is https:// /_trust/ For claims rules, you can just use “Pass-Through” rules (since Shibb- sourced claims will be transformed on the Claims Provider configuration and AD-based logins don’t need to be transformed)  On the Sharepoint server, use PowerShell to add a new Security Token Service (STS): Use the New-SPTrustedIdentityTokenIssuer scriptlet (see link below) Consider adding some custom code to sync SP profiles –Hook the “OnSignedIn” event of the “federatedAuthentication” module –Use SP’s UserProfileManager class  http://shannonbray.wordpress.com/2010/10/02/claims-based- authentication-made-simple/ http://shannonbray.wordpress.com/2010/10/02/claims-based- authentication-made-simple/ 6/2/2015 8

9. How to Integrate Your Own App  Developer’s machine: Install WIF runtime (KB974405) Install WIF SDK ( http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c148b2df-c7af-46bb- 9162-2c9422208504&displaylang=en ) http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c148b2df-c7af-46bb- 9162-2c9422208504&displaylang=en  Web Server Install WIF runtime (KB974405) Set your app’s App Pool property for “loadUserProfile” to ‘true’ 6/2/2015 9

10. How to Integrate Your Own App (cont)  For the app itself (assuming VS2008): Ensure that build target is.NET 3.5 (or greater) Check out (from source control) the app’s web.config file (next step needs to write to it) Right-click web site/project in Solution Explorer, choose ‘Add STS Reference’ –Choose your app’s web.config file –Use your app’s URL as the application URI, making sure to include the trailing slash (Ex. https://serverFQDN/app/) –Choose to “Use an Existing STS” and point to your ADFS server’s metadata https:// /FederationMetadata/2007- 06/FederationMetadata.xml –Accept other defaults 6/2/2015 10

11. How to Integrate Your Own App (cont) Edit the attributes/claims that your app requests –Web site: Edit the section of web.config, uncomment needed attributes, then choose ‘Update Federation Metadata’ from the project’s right-click menu in Solution Explorer –Web project: You’ll need to first edit your app’s web.config as described above, then also either manually edit your app’s metadata file, located at /FederationMetadata/2007-06/FederationMetadata.xml or you use can use the VS2008 FedUtil (click Tools->Run Federation Utility tool). If you choose the first option: Look for the section Add new elements as needed Name and Role enabled by default, consider adding these: – 6/2/2015 11

12. How to Integrate Your Own App (cont)  On ADFS Server Add a new Relying Party –Auto-configure from metadata: https:// /app/FederationMetadata/2007-06/FederationMetadata.xml Create ‘Pass-Through’ Claims Rules for new RP. Consider pass- through rules for these claims (as so-named in the ADFS RP Claim Rules GUI) –“Name” is the userID/sAMAccountName/ePPN –“Given Name” is the user’s first name –“Surname” is the user’s last name –“E-Mail Address” is the user’s email address –“Role” is the user’s role (or eduPersonAffiliation, etc) 12

13. How to Integrate Your Own App (cont)  App code references: Add reference to Microsoft.IdentityModel (after installing WIF runtime)  App Code: using Microsoft.IdentityModel.Claims; using System.Threading;  In Page.Load() IClaimsIdentity claimsIdentity = ((IClaimsPrincipal)Thread.CurrentPrincipal).Identities[0];  Microsoft Reference: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=BB 9AB270-473B-4852-B26E-031A88EDD113http://www.microsoft.com/downloads/en/details.aspx?FamilyID=BB 9AB270-473B-4852-B26E-031A88EDD113 13

14. How to Integrate Your Own App (cont) string GIVENNAME_CLAIM_TYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"; string SURNAME_CLAIM_TYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"; string EMAIL_CLAIM_TYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"; string ROLE_CLAIM_TYPE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"; string UID,FName, LName, EmailAddr, Role = ""; bool AuthOK,roleFound = false; if (claimsIdentity != null) { AuthOK = claimsIdentity.IsAuthenticated; UID = claimsIdentity.Name; foreach (Claim c in claimsIdentity.Claims) { if (c.ClaimType == GIVENNAME_CLAIM_TYPE) FName = c.Value; if (c.ClaimType == SURNAME_CLAIM_TYPE) LName = c.Value; if (c.ClaimType == EMAIL_CLAIM_TYPE) EmailAddr = c.Value; if (c.ClaimType == ROLE_CLAIM_TYPE) { //role is mutlivalued, so build one semicolon-delimited string if (roleFound) Role += ";" + c.Value; else { Role += c.Value; roleFound = true; } 14

15. DiscoveryService/WAYF??  ADFS does not support the OASIS DiscoveryService profile  To discover a user’s home institution, ADFS uses a process called “Home Realm Discovery”  This is very customizable, as it is just a.NET page (.aspx) Page is at (by default) c:\inetpub\adfs\ls\HomeRealmDiscovery.* Search-as-you-type Cookie name Multi-Fed Selector 15

16. Demo  Claims Provider Properties  Claims Provider Claims Rules  Relying Party Properties  Relying Party Claims Rules  Sharepoint Login Custom code to sync SP profiles –Hooks the “OnSignedIn” event of the “federatedAuthentication” module –Uses SP’s UserProfileManager class  Custom app integration 16