Presentation on theme: "Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,"— Presentation transcript:


4 Every effort has been made to make this seminar as complete and as accurate as possible, but no warranty or fitness is implied. The presenter, authors, publisher and distributor will not be liable for errors or omissions, or for damages resulting from the use of the information presented and contained herein.

5 Identity Provider (IP): Active Directory together with a Security Token Service (STS); as the issuer it is referred to as the IP-STS.
User / Subject / Principal: requests a token for AppX; the STS issues a Security Token (ST) crafted for AppX.
Relying Party (RP) / Resource Provider (AppX): trusts Security Tokens from the issuer.
The Security Token contains claims about the user, for example: name, group membership, User Principal Name (UPN), the user's email address, the manager's email address, phone number, other attribute values.
The ST is signed by the issuer and "authenticates" the user to the application: AppX authenticates the user by accepting the token.

6 The user trusts the website and the STS via SSL certificates: the certificate path is validated and the CRL is checked.
The ST is signed with the private key of the STS token-signing certificate and validated by the RP with that certificate's public key.
The ST is encrypted with the public key of the RP encryption certificate and decrypted by the RP with its private key.
CNG certificates are not supported.

7 Establishing the trust.
What the STS-IP holds (in the STS-IP database): the endpoint of the STS for logon, the claims the STS offers, the name of the STS, and the STS certificate used to sign tokens (private key).
What the RP holds (in its web.config): the endpoint of the STS for logon, the claims the STS offers, the name of the STS, and the STS certificate used to validate tokens (public key).
Federation metadata is how this information is exchanged between STS and RP.

8 WAP and AD FS: the AD FS configuration store is copied during WAP configuration, using the supplied credentials. The WAP uses a self-signed certificate for certificate authentication to AD FS; it is copied to the certificate store and used to create a Certificate Trust List (CTL).


11 SSL termination between      Possible   Impact
   Client and WAP               Yes/No     Breaks Workplace Join and client SSL authentication
   WAP and AD FS                No         Breaks the proxy trust with AD FS
   WAP and published server     Yes        No impact on WAP/AD FS functionality

12 Lab environment: two domains, partner.xtseminars.com and example.com, connected across the Internet (ISP DNS). Hosts: client, client2, proxy, adfs1, dc1, srv1, and on the partner side proxy-p and adfs-p.


14 Sign-in flow between a claims-aware app, the AD FS STS and Active Directory:
1. The user browses to the app. Not authenticated, the browser is redirected to the STS.
2. The user (our user) authenticates to the STS.
3. The STS queries Active Directory for the user's attributes.
4. The STS returns a security token (ST) to the browser, which sends the token to the app.
5. The app trusts the STS, accepts the token, and returns cookies and the page.

15 Decoded redirect URL:
https://adfs.example.com/adfs/ls/?wa=wsignin1.0&wtrealm=https://site1.example.com/Federation/&wctx=rm=0&id=passive&ru=%2fFederation%2f&wct=2011-04-15T15:12:28Z
https://adfs.example.com/adfs/ls/  the AD FS logon endpoint
wa=wsignin1.0                      the action to perform
wtrealm=...                        the security realm of the RP
wctx=...                           consumed by the RP; passed through unchanged by all actors (%2f decodes to /)
wct=...                            time stamp
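The redirect above is what an STS receives before it shows a logon page. The following Python is an added example, not code from the presentation or from AD FS: it parses the percent-encoded form of the slide's URL, decodes the parameters once (showing the %2f in ru becoming /), checks wa, checks wtrealm against a constructed set of registered relying-party realms, checks wct against a constructed clock with a 5-minute skew window, and echoes wctx unchanged in the response fields. The realm set, URL and clock values are assumptions made for the example.

```python
"""Parse and sanity-check a WS-Federation passive sign-in redirect.

Added example, not from the presentation. The registered realm set,
the redirect URL and the clock values are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed: realms of the relying parties this STS has a trust for
# (in AD FS this comes from the Relying Party Trust configuration).
REGISTERED_REALMS = {"https://site1.example.com/Federation/"}

# Constructed redirect, percent-encoded as the RP would actually send it;
# decoded once it matches the URL shown on the slide.
SIGNIN_URL = (
    "https://adfs.example.com/adfs/ls/?wa=wsignin1.0"
    "&wtrealm=https%3a%2f%2fsite1.example.com%2fFederation%2f"
    "&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fFederation%252f"
    "&wct=2011-04-15T15:12:28Z"
)

WS_FED_TIME = "%Y-%m-%dT%H:%M:%SZ"


def parse_time(value):
    """Parse a wct-style UTC timestamp; raises ValueError if malformed."""
    return datetime.strptime(value, WS_FED_TIME).replace(tzinfo=timezone.utc)


def parse_signin_request(url):
    """Return the query parameters of the redirect (one value each, decoded once)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}


def decode_wctx(wctx):
    """wctx is opaque to the STS and must be echoed back unchanged; decoding it
    here only shows what the RP put inside (the %2f in ru becomes /)."""
    inner = parse_qs(wctx, keep_blank_values=True)
    return {name: values[0] for name, values in inner.items()}


def validate_signin_request(params, registered_realms, now, max_skew=timedelta(minutes=5)):
    """Checks an STS should make before showing a logon page. Returns a list
    of problems; an empty list means the request is acceptable. `now` is a
    timestamp string in the same format as wct."""
    problems = []
    if params.get("wa") != "wsignin1.0":
        problems.append("unexpected action wa=%r" % params.get("wa"))
    realm = params.get("wtrealm")
    if realm not in registered_realms:
        # Tokens are only ever issued for a realm with a configured trust.
        problems.append("unknown relying party realm %r" % realm)
    wct = params.get("wct")
    if wct is not None:  # wct is optional in WS-Federation
        try:
            if abs(parse_time(now) - parse_time(wct)) > max_skew:
                problems.append("wct %s is outside the %s freshness window" % (wct, max_skew))
        except ValueError:
            problems.append("malformed wct %r" % wct)
    return problems


def signin_response_fields(params, wresult):
    """Fields of the hidden POST form the STS returns: the token plus the
    RP's wctx, passed through unchanged."""
    return {"wa": "wsignin1.0", "wresult": wresult, "wctx": params.get("wctx", "")}


if __name__ == "__main__":
    p = parse_signin_request(SIGNIN_URL)
    print(p)
    print(decode_wctx(p["wctx"]))
    print(validate_signin_request(p, REGISTERED_REALMS, "2011-04-15T15:13:00Z"))
```

The realm check is the one that matters most: a token is only ever crafted for a relying party the STS has a trust for, which is why wtrealm is looked up rather than echoed. The wct check is a freshness guard, not a replay defence; the signed token itself carries the validity window.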

16 The STS responds with a hidden form that uses the POST method; the POST-back URL is defined via the RP configuration in AD FS. The form carries the SAML claims, the signature, the X.509 certificate of the signing party (which includes the public key) and wctx, unchanged since the initial request. The token begins and ends with saml:Assertion.
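What the RP does with that posted form is the other half of the exchange. The following Python is an added example, not code from the presentation or from AD FS: it cuts the assertion out of a constructed wresult using the slide's rule (from the opening saml:Assertion to the closing one), parses the SAML 1.1 assertion with the standard library, pulls out issuer, conditions, audience, subject, claims and the embedded certificate, and then runs the checks an RP should make: signature present, signing certificate pinned to a trusted thumbprint, audience is this RP, and the NotBefore/NotOnOrAfter window contains the current time. The wresult, the certificate bytes and the clock are constructed; the XML-DSig signature itself is not verified here, since that needs canonicalisation and a signature library.

```python
"""Extract and check the SAML 1.1 assertion carried in a WS-Federation wresult.

Added example, not from the presentation. The wresult, certificate bytes and
clock are constructed. Structural checks and certificate pinning only:
verifying the XML-DSig signature needs a signature library.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the DER bytes of the STS token-signing certificate
# (not a real X.509 certificate). The RP pins its SHA-1 thumbprint, which in
# practice it gets from the federation metadata.
FAKE_CERT_DER = b"constructed-token-signing-certificate-bytes"
TRUSTED_THUMBPRINTS = {hashlib.sha1(FAKE_CERT_DER).hexdigest()}

# Constructed wresult, shaped like the hidden form field AD FS posts back.
WRESULT = (
    '<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">'
    '<t:RequestedSecurityToken>'
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1"'
    ' MinorVersion="1" AssertionID="_constructed-1" IssueInstant="2011-04-15T15:12:30Z"'
    ' Issuer="http://adfs.example.com/adfs/services/trust">'
    '<saml:Conditions NotBefore="2011-04-15T15:12:30Z" NotOnOrAfter="2011-04-15T16:12:30Z">'
    '<saml:AudienceRestrictionCondition><saml:Audience>https://site1.example.com/Federation/'
    '</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions>'
    '<saml:AttributeStatement><saml:Subject><saml:NameIdentifier>user1@example.com'
    '</saml:NameIdentifier></saml:Subject>'
    '<saml:Attribute AttributeName="upn" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">'
    '<saml:AttributeValue>user1@example.com</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">'
    '<saml:AttributeValue>Sales</saml:AttributeValue><saml:AttributeValue>Staff</saml:AttributeValue>'
    '</saml:Attribute></saml:AttributeStatement>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue><ds:KeyInfo><ds:X509Data>'
    '<ds:X509Certificate>' + base64.b64encode(FAKE_CERT_DER).decode() + '</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></ds:Signature></saml:Assertion>'
    '</t:RequestedSecurityToken></t:RequestSecurityTokenResponse>'
)


def extract_assertion(wresult):
    """The slide's rule: the token runs from <saml:Assertion to </saml:Assertion>."""
    start = wresult.index("<saml:Assertion")
    end = wresult.index("</saml:Assertion>") + len("</saml:Assertion>")
    return wresult[start:end]


def parse_assertion(assertion_xml):
    """Pull the fields an RP needs out of a SAML 1.1 assertion."""
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML 1.x assertion")
    cond = root.find("saml:Conditions", NS)
    audience = root.find("saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience", NS)
    claims = {}  # "<namespace>/<name>" -> list of values
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        key = attr.get("AttributeNamespace") + "/" + attr.get("AttributeName")
        claims[key] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    cert = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "issuer": root.get("Issuer"),
        "not_before": cond.get("NotBefore") if cond is not None else None,
        "not_on_or_after": cond.get("NotOnOrAfter") if cond is not None else None,
        "audience": audience.text if audience is not None else None,
        "subject": root.findtext("saml:AttributeStatement/saml:Subject/saml:NameIdentifier", None, NS),
        "claims": claims,
        "signed": root.find("ds:Signature", NS) is not None,
        "cert_thumbprint": hashlib.sha1(base64.b64decode(cert.text)).hexdigest() if cert is not None else None,
    }


def _t(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(a, expected_audience, trusted_thumbprints, now):
    """Return a list of problems; empty means the RP may use the claims once the
    signature has also been verified (not done in this example)."""
    problems = []
    if not a["signed"]:
        problems.append("assertion is not signed")
    if a["cert_thumbprint"] not in trusted_thumbprints:
        problems.append("signing certificate is not the trusted STS certificate")
    if a["audience"] != expected_audience:
        problems.append("audience %r is not this relying party" % a["audience"])
    if a["not_before"] and _t(now) < _t(a["not_before"]):
        problems.append("assertion is not yet valid")
    if a["not_on_or_after"] and _t(now) >= _t(a["not_on_or_after"]):
        problems.append("assertion has expired")
    return problems
```

Pinning the certificate carried in KeyInfo to a thumbprint the RP already trusts is the step that makes the embedded certificate useful: on its own, a certificate inside the token proves nothing, because whoever produced the token also chose the certificate.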

17 AD FS

18 APP


20 Inspecting the traffic: Browser -> WinINET -> Fiddler -> Web server. Fiddler sits in the chain and presents a spoofed certificate to the browser.


23 Federated sign-in for a partner user (the app trusts your STS; your STS trusts your partner's STS):
1. The partner user browses to your claims-aware app. Not authenticated, the browser is redirected to your STS.
2. Home realm discovery: your STS redirects the user to the partner's AD FS STS & IP, requesting an ST for the partner user.
3. The user authenticates to the partner STS, which returns an ST for consumption by your STS.
4. Your STS processes that token and returns a new ST for your app.
5. The browser sends the new token to the app, which returns cookies and the page.


26 Claim rules in the STS:
Claims Provider Trusts carry Acceptance Transform rules. For the Active Directory provider, logon yields the username and the user & group SIDs; for a token from another STS, token authentication yields the ST's claims. Either way the acceptance rules turn these into the claims the STS works with.
Relying Party Trusts carry Issuance Authorization rules (permit or deny issuing an ST to this RP) and Issuance Transform rules (which produce the issued claims placed in the ST).
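The three rule sets on this slide form a pipeline, and the easiest way to see how they interact is to run one. The following Python is an added example, not code from the presentation and not AD FS's claim rule language: claims are (type, value) pairs, acceptance and issuance transform rules are pass-through or value-mapping rules, and authorization is "any deny wins, otherwise at least one permit must match". The SID-to-group table, the rules and the two users' logon claims are constructed; the claim type URIs are the standard AD FS ones.

```python
"""Toy model of the STS claims pipeline: acceptance transform, issuance
authorization, issuance transform.

Added example, not from the presentation and not AD FS's rule language.
The rules, SIDs, group names and users are constructed.
"""
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
GROUPSID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
GROUP = "http://schemas.xmlsoap.org/claims/Group"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed SID -> group name table (AD FS resolves this against AD).
SID_TO_GROUP = {"S-1-5-21-1-2-3-1104": "Sales", "S-1-5-21-1-2-3-513": "Domain Users"}


def passthrough(claim_type):
    """Rule: copy every incoming claim of this type to the output unchanged."""
    return ("passthrough", claim_type, None, None)


def transform(in_type, out_type, mapping):
    """Rule: for each incoming claim of in_type whose value is in mapping,
    emit a claim of out_type with the mapped value."""
    return ("transform", in_type, out_type, mapping)


def apply_transform_rules(claims, rules):
    """Acceptance or issuance transform stage: each rule selects from the
    incoming set and adds to the outgoing set; claims no rule selects are dropped."""
    out = []
    for kind, in_type, out_type, mapping in rules:
        for ctype, value in claims:
            if ctype != in_type:
                continue
            if kind == "passthrough":
                out.append((ctype, value))
            elif kind == "transform" and value in mapping:
                out.append((out_type, mapping[value]))
    return out


def authorize(claims, permit_rules, deny_rules):
    """Issuance authorization stage: a matching deny rule always wins; otherwise
    at least one permit rule must match, so a trust with no permit rules denies."""
    for ctype, values in deny_rules:
        if any(c == ctype and v in values for c, v in claims):
            return False
    return any(c == ctype and v in values
               for ctype, values in permit_rules for c, v in claims)


# Claims Provider Trust (Active Directory): acceptance transform rules.
ACCEPTANCE_RULES = [passthrough(NAME), transform(GROUPSID, GROUP, SID_TO_GROUP)]
# Relying Party Trust: issuance authorization and issuance transform rules.
PERMIT_RULES = [(GROUP, {"Sales"})]
DENY_RULES = [(GROUP, {"Contractors"})]
ISSUANCE_RULES = [passthrough(NAME), transform(GROUP, ROLE, {"Sales": "SalesUser"})]


def issue_token(logon_claims):
    """Run the three stages; returns the claims to place in the ST, or None if denied."""
    accepted = apply_transform_rules(logon_claims, ACCEPTANCE_RULES)
    if not authorize(accepted, PERMIT_RULES, DENY_RULES):
        return None
    return apply_transform_rules(accepted, ISSUANCE_RULES)


# Constructed logon claims as the AD provider would supply them: username plus group SIDs.
SALES_USER = [(NAME, "EXAMPLE\\user1"), (GROUPSID, "S-1-5-21-1-2-3-513"), (GROUPSID, "S-1-5-21-1-2-3-1104")]
OTHER_USER = [(NAME, "EXAMPLE\\user2"), (GROUPSID, "S-1-5-21-1-2-3-513")]

if __name__ == "__main__":
    print(issue_token(SALES_USER))
    print(issue_token(OTHER_USER))
```

Two properties of the real pipeline are worth noticing in the model: the "Domain Users" claim survives acceptance but never reaches the RP, because no issuance rule selects it, and user2 is denied even though nothing explicitly denies them, because no permit rule matches.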


28 Web Application Proxy (WAP) publishes applications and services to the Internet; users are authenticated and authorized before gaining access to the corporate network.
Claims-aware web application: AD FS preauthentication.
Web application with Windows Authentication: AD FS preauthentication plus Kerberos constrained delegation (KCD).
Other web applications: pass-through.

29 Token formats over time:
Security Assertion Markup Language (SAML 1.1/2.0): complex to create, parse, validate and transmit.
Simple Web Token (SWT; Microsoft, Google, Yahoo): easy to create, parse, validate and transmit, but too simple.
JSON Web Tokens (JWT): easy to create, parse, validate and transmit.
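The "easy to create, parse and validate" claim for JWT is concrete enough to show. The following Python is an added example, not code from the presentation: it builds a compact JWT, parses it back with nothing but base64 and JSON, and verifies it with the checks a relying party needs (allowed algorithm, signature, audience, expiry). It uses HMAC-SHA256 with a constructed shared key so that it runs on the standard library alone; an STS such as AD FS signs with the private key of its token-signing certificate and the RP verifies with the public key (RS256), but the token structure and the checks are the same. The key, claims, audience and clock values are constructed.

```python
"""Build, parse and verify a JSON Web Token in compact serialization.

Added example, not from the presentation. HS256 with a shared key is used
so the block runs with the standard library only; an STS would use an
asymmetric algorithm with its token-signing certificate instead.
Key, claims and clock values are constructed.
"""
import base64
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key-not-for-production"
ALLOWED_ALGS = {"HS256"}  # the verifier decides the algorithm, not the token header


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(payload, key, alg="HS256"):
    """header.payload.signature, each part base64url without padding."""
    header = {"alg": alg, "typ": "JWT"}
    parts = [b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
             b64url_encode(json.dumps(payload, separators=(",", ":")).encode())]
    signing_input = ".".join(parts).encode("ascii")
    if alg == "none":  # unsigned token, produced only to show it is rejected
        sig = b""
    else:
        sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(sig)])


def decode_jwt(token):
    """Parse without verifying: the easy-to-parse property from the slide."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("token must have three dot-separated parts")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)


def verify_jwt(token, key, audience, now):
    """Return the payload if algorithm, signature, audience and expiry all check out."""
    header, payload, sig = decode_jwt(token)
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm %r not allowed" % header.get("alg"))
    signing_input = token.rsplit(".", 1)[0].encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    if payload.get("aud") != audience:
        raise ValueError("token was issued for %r" % payload.get("aud"))
    if "exp" not in payload or now >= payload["exp"]:
        raise ValueError("token expired or has no exp")
    return payload


def is_valid(token, key, audience, now):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_jwt(token, key, audience, now)
        return True
    except ValueError:
        return False


# Constructed claims; exp is a Unix time and the verifier is given "now" explicitly.
SAMPLE_CLAIMS = {"iss": "http://adfs.example.com/adfs/services/trust",
                 "aud": "https://site1.example.com/Federation/",
                 "upn": "user1@example.com", "exp": 1700000000}
SAMPLE_TOKEN = encode_jwt(SAMPLE_CLAIMS, SHARED_KEY)

if __name__ == "__main__":
    print(SAMPLE_TOKEN)
    print(decode_jwt(SAMPLE_TOKEN)[:2])
    print(verify_jwt(SAMPLE_TOKEN, SHARED_KEY, SAMPLE_CLAIMS["aud"], 1699999000))
```

The fixed ALLOWED_ALGS set is the part to copy: a verifier that takes the algorithm from the header will accept an unsigned "alg: none" token, which is exactly the kind of mistake the "too simple" formats invite.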

30 Publishing a web application that uses Windows Authentication (Kerberos) through the WAP (Internet -> firewall -> WAP -> application, with the DC inside):
The SPN for the application must be registered on the service account running the application.
The WAP computer account must be configured for constrained delegation with protocol transition to the SPN of the web application.
AD FS preauthentication is required.


34 John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high-availability. A key player in many IT projects for industry leaders including Microsoft, the UK Government and multi-nationals that require optimized IT systems. Developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory Internals, presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars. www.xtseminars.co.uk


36 www.microsoft.com/learning http://developer.microsoft.com http://microsoft.com/technet http://channel9.msdn.com/Events/TechEd
