A claims-based Identity Metasystem

Presentation on theme: "A claims-based Identity Metasystem"— Presentation transcript:

1 A claims-based Identity Metasystem
AD FS-2: A claims-based Identity Metasystem
Henk Den Baes, Technology Advisor, Microsoft BeLux

2 Agenda
- The access challenge
- Defining AD FS-2
- Federation with MS-online: Exchange, SharePoint, CRM, ...
- Demo: AD FS-2 & SharePoint, by Bert Jansen (MCS Belgium)

3 Agenda (repeated agenda slide; same items as slide 2)

4 (Diagram: the access challenge today. Intranet, extranet and cloud applications App1 to App6 each sit on their own AD and DB stores; SSO appears only for App1 to App3, every other application needs a separate sign-in and additional provisioning, with ILM doing the provisioning.)

5 Defining the Problem
Working with identity is hard. Applications must use different identity technologies in different situations:
- Active Directory (Kerberos) inside a Windows domain
- Username/password on the Internet
- WS-Federation and the Security Assertion Markup Language (SAML) between organizations
Why not define one approach that can be used in all of these cases? Claims-based identity allows this, and it can make life simpler for developers.

6 "AD FS-2" enables apps and infrastructure to be more easily plugged together
(Diagram: the same intranet, extranet and cloud applications App1 to App6 as on slide 4, now all reached with SSO and claims; FIM 2010 appears in place of ILM for provisioning.)

7 Authentication problem statement
Every connected app must handle two functions:
- Authenticate the user
- Get information about the user to drive app behavior
Many different technologies do this: name/password, X.509, Kerberos, SAML, LDAP, ...
- The scenario drives the technology choice, and the application is bound to the constraints of that technology
- Modern apps face increasing requirements: federation, strong authentication, SOA, cloud, ...
Solution: claims-based identity
- An abstraction layer hides the details of authenticating the user and of getting information about the user
- Application logic is exposed to claims only; claims = information about the user
- Details can be changed after deployment without changing application code
© 2007 Microsoft Corporation. All rights reserved.

8 Agenda (repeated agenda slide; same items as slide 2)

9 Identities
- Information about a person or object, i.e. users
- Traverses the network as an array of bytes, referred to as a token
- In a claims-based scenario, the array of bytes carries claims

10 Claims
Claims carry pieces of information about the user.
(Diagram: a token containing claims such as Name, Age and Location, plus a signature.)

11 Issuer
- Tokens are issued by Security Token Service (STS) software
- Identity providers (IP) can include directory services, Windows Live ID, etc.

12 Claims Based Identity access
(Diagram: end user, claims provider, and application server running the claims framework and your app.)
1. Authenticate (end user to claims provider)
2. Look up claims, transform for app (claims provider, using the trust established with the app)
3. Return claims (to the end user)
4. Send claims (end user to application server)
5. Use claims (your app, via the claims framework)

13 Introducing AD FS-2
Same flow as slide 12, with the products named: the claims provider is an AD FS-2 server backed by AD and FIM; the claims framework on the application server is WIF (Windows Identity Foundation).
1. Authenticate
2. Look up claims, transform for app (per the app trust)
3. Return claims
4. Send claims
5. Use claims

14 What is AD FS 2.0?
- Active Directory Federation Services 2.0 Server: claims provider server, federation trust manager
- Windows Identity Foundation: framework for claims-aware applications
- Windows CardSpace: identity client for claims-aware applications

15 Client Sends Token from IP to RP
(Diagram: user, client with CardSpace, Relying Party (RP), Identity Provider (IP).)
1. Client tries to access a resource
2. RP provides identity requirements policy
3. CardSpace shows which IPs can satisfy the RP's policy
4. User selects a card
5. Request Security Token sent to IP by CardSpace
6. IP returns security token
7. User approves release of token
8. CardSpace releases token to RP

16 AD FS-2 Server Components
(Component diagram: Internet client and intranet client; AD FS-2 Proxy with metadata proxy, token issuance proxy and card issuance; AD FS-2 Server with management APIs and UX, metadata, token issuance; backed by a policy store and an account store.)

17 Geneva Server Components
Same component diagram as slide 16 (Geneva is the pre-release name of AD FS-2), with a callout on the clients. Geneva clients: web browsers; Windows CardSpace and other identity selectors; WS-* aware clients (WCF, etc.).

18 AD FS-2 Server Components
Same component diagram as slide 16, with a callout on the policy store. Geneva policy store: SQL Server.

19 AD FS-2 Server Components
Same component diagram as slide 16, with a callout on the server. Geneva Server: Security Token Service for SOAP and browser clients; information card issuance web site; policy and service management.

20 What's Involved for the Developer?
1. Who are you? (web.config; the issuer and realm URLs did not survive extraction, so placeholders stand in)

    <federatedAuthentication enabled="true">
      <!-- issuer: the STS sign-in URL; realm: this application's URL. Placeholder values. -->
      <wsFederation issuer="https://STS-HOSTNAME/"
                    realm="https://APP-HOSTNAME/"
                    passiveRedirectEnabled="true" />
    </federatedAuthentication>

2. What can you do? (C#, Windows Identity Foundation)

    using System.Linq;
    using System.Threading;
    using Microsoft.IdentityModel.Claims;

    // The WIF module has already validated the incoming token and populated the principal.
    IClaimsIdentity caller = Thread.CurrentPrincipal.Identity as IClaimsIdentity;

    // MyClaimTypes.Role is the application's constant holding the role claim type URI.
    // Single() throws if the caller carries zero or several Role claims.
    string role = (from c in caller.Claims
                   where c.ClaimType == MyClaimTypes.Role
                   select c.Value).Single();
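The five-step flow of slides 12 and 13 and the role lookup of slide 20, as an added Python example (not code from the deck, from AD FS or from WIF). It stands in an HMAC-SHA256 signed JSON body for the signed SAML token, a dictionary for the AD account store and a table for the group-to-role claim transformation; the issuer URL, realm, key and user records are constructed sample values, and the over-21 claim type URI is a made-up application-specific type. The relying party verifies the signature before reading any claim, then checks issuer, audience and expiry, which is why a role value rewritten in transit is rejected (the token-signing point of slide 24).

```python
"""Claims-based identity round trip (added example; not code from the deck).

Stand-ins so it runs with the standard library only:
  * the claims provider / STS of slides 12-13 is issue_token() over a constructed directory
  * the token is a JSON payload signed with HMAC-SHA256 (an AD FS SAML token carries an
    XML Signature made with the token-signing certificate; HMAC stands in for it)
  * the relying party is validate_token() plus the role lookup of slide 20
All URLs, keys and users below are constructed sample values.
"""
import base64
import hashlib
import hmac
import json
import time
from datetime import date, datetime, timezone

STS_ISSUER = "https://sts.example.test/adfs/services/trust"  # constructed
APP_REALM = "https://app.example.test/"                       # constructed (the RP realm)
STS_KEY = b"constructed-demo-signing-key"                     # stand-in for the signing cert key
TOKEN_LIFETIME = 600                                          # seconds

# Claim types: the first two are the standard WS-* identity claim type URIs,
# the third is a constructed, application-specific type for the derived claim.
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
OVER21 = "http://example.test/claims/over21"

# Constructed account store (Active Directory in a real deployment) and the app's policy.
DIRECTORY = {
    "alice": {"password": "hunter2", "groups": ["Sales", "Managers"], "dob": "1980-05-01"},
    "bob":   {"password": "s3cret",  "groups": ["Sales", "Interns"],  "dob": "2009-01-15"},
}
GROUP_TO_ROLE = {"Managers": "Approver", "Sales": "Reader"}


def authenticate(user, password):
    """Step 1: check credentials against the account store."""
    entry = DIRECTORY.get(user)
    if entry and hmac.compare_digest(entry["password"], password):
        return entry
    return None


def is_at_least(dob_iso, years, today):
    dob = date.fromisoformat(dob_iso)
    had_birthday = (today.month, today.day) >= (dob.month, dob.day)
    return today.year - dob.year - (0 if had_birthday else 1) >= years


def transform_claims(user, entry, now):
    """Step 2: turn directory attributes into the claims the app trusts. Groups with
    no mapping are not disclosed, and the date of birth is replaced by a derived
    over-21 claim so the raw DoB never leaves the STS."""
    today = datetime.fromtimestamp(now, timezone.utc).date()
    claims = [{"type": NAME, "value": user}]
    for group in entry["groups"]:
        if group in GROUP_TO_ROLE:
            claims.append({"type": ROLE, "value": GROUP_TO_ROLE[group]})
    claims.append({"type": OVER21, "value": str(is_at_least(entry["dob"], 21, today)).lower()})
    return claims


def encode(payload):
    return base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()


def issue_token(user, password, realm, now=None):
    """Step 3: return a signed token scoped to one relying party, or None on bad credentials."""
    now = int(time.time()) if now is None else now
    entry = authenticate(user, password)
    if entry is None:
        return None
    payload = {"iss": STS_ISSUER, "aud": realm, "exp": now + TOKEN_LIFETIME,
               "claims": transform_claims(user, entry, now)}
    body = encode(payload)
    return body + "." + hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()


def validate_token(token, key, issuer, realm, now=None):
    """Relying-party check; step 5 starts only after this passes. Returns (claims, None)
    or (None, reason). The signature is verified before any payload field is read."""
    now = int(time.time()) if now is None else now
    body, _, sig = token.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None, "signature invalid"
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload.get("iss") != issuer:
        return None, "untrusted issuer"
    if payload.get("aud") != realm:
        return None, "token issued for a different realm"
    if payload.get("exp", 0) <= now:
        return None, "token expired"
    return payload["claims"], None


def roles_of(claims):
    """The app logic of slide 20: select the Role claim values, nothing else."""
    return sorted(c["value"] for c in claims if c["type"] == ROLE)


def rewrite_claim_unsigned(token, claim_type, new_value):
    """Simulates a token altered in transit: the body changes, the old signature stays."""
    body, _, sig = token.partition(".")
    payload = json.loads(base64.urlsafe_b64decode(body))
    for c in payload["claims"]:
        if c["type"] == claim_type:
            c["value"] = new_value
    return encode(payload) + "." + sig
```

Calling `issue_token("alice", "hunter2", APP_REALM)` and passing the result to `validate_token(..., STS_KEY, STS_ISSUER, APP_REALM)` yields the Name, two Role and one over-21 claim; the same token fails validation for another realm, after `TOKEN_LIFETIME` seconds, under a different key, or after `rewrite_claim_unsigned` changes a role.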

21 Windows CardSpace: Selecting identities
- CardSpace provides a standard user interface for choosing an identity, using the metaphor of cards
- Choosing a card selects an identity (i.e., a token)

22 Extend Access Across Organizations
EMPOWER BUSINESS
- Ability to move seamlessly between applications using a single identity
- Collaboration across organizations
EMPOWER IT
- No need to manage external accounts
- Simplified and flexible claims-based federation
- Common authentication controls for building custom applications
(Diagram: ON-PREMISES and EXTERNAL PARTNER connected through ACTIVE DIRECTORY FEDERATION SERVICES over WS-* and SAML 2.0.)
"Geneva (ADFS) project is one of the most significant enhancements for future use and dissemination of the Identity Federation." - Kuppinger Cole
Source: Awards for Outstanding Identity Management Projects. Kuppinger Cole, May

23 Simplifying Access Management with Active Directory Federation Services 2
(Diagram: ACTIVE DIRECTORY FEDERATION SERVICES, WS-* and SAML 2.0, surrounded by the themes below.)
- Streamline user access management
- Enhance application security
- Interoperable and adaptable
- Quick roll out of high value projects
- Manage compliance
- Reduce TCO and leverage the cloud
- Simplify user access: increase productivity, reduce password burden
- Improve developer productivity
- Open and extensible

24 Security Considerations

Server                | Token             | Crypto        | Administrator
Domain Controller     | Kerberos or NTLM  | Shared secret | Domain admin
Certificate Authority | x.509 certificate | Trusted chain | Certificate admin
Federation Server     | SAML              | ???           | (not recovered)

- Treat your AD FS-2 servers like domain controllers
- Your AD FS-2 server admins are like domain administrators
- AD FS-2 includes a claims policy language, which is extremely powerful
- Manage your certificates
- Token signing protects from man-in-the-middle attacks
- SSL validates the end-points

25 Skills Required for Engagement considerations
- ADFS (obviously)
- PKI
- IIS
- HTTP
- Probably some development (WIF, custom STS)

26 WS-* Protocol Support (columns: AD FS1, AD FS2; only the cells below survived extraction, the other support marks were lost)
- WS-Federation 1.0 (Passive Requestor Interop Profile): AD FS1 Y
- WS-Federation 1.2 (Min Passive Requestor Subset): AD FS1 n/a
- POST (push) Binding
- WS-Trust 2005 and 1.3 (aka Active Requestor Profile): Issue
- Issue "OnBehalfOf" (proxy support)
- Issue "ActAs" (identity delegation)
- WS-SecurityPolicy 1.2

27 SAML Token Support (columns: AD FS1, AD FS2; only the cells below survived extraction, the other support marks were lost)
- SAML 1.1 tokens: AD FS1 Y
- Authentication & Attribute Statements
- Signed tokens
- Encrypted tokens: AD FS1 N
- SAML 2.0 tokens
- Extensible claim type (any URI)
- Proof tokens (symmetric/asymmetric keys)
- Authentication Context

28 Federation/SSO Futures
Authorization
- Authorization Manager (AzMan) v.Next
- Authorization server
"U-Prove": minimal disclosure tokens
- Issued tokens that don't inescapably contain correlation handles
- Users can prove properties of encoded claims
  - Disclose a subset of claims
  - Derived claims: age > 21 proof instead of disclosing DoB
  - Prove a claim is not equal to a value (name not on deny list)
- Offline/disconnected scenarios
Identity selector for mobile platform

29 Agenda (repeated agenda slide; same items as slide 2)

30 How AD FS-2 is Changing Our Game
(Diagram: ADFS partners connected to an ADFS server backed by a SQL authz store.)

31 Federation with MS Online
(Diagram: on-premise AD FS-2 server and the corporate user on one side, Microsoft Online on the other. A trust between the AD FS-2 server and the Microsoft Federation Gateway is set up with the "Microsoft Federation Gateway Utility"; the gateway has trusts with its relying parties SharePoint Online, Exchange Online and CRM Online.)

32 Authentication and Sign-On

How it works today                                      | How it will work
Users have a separate password for cloud services       | Users log in to cloud services with domain credentials
Sign-in tool stores the password to achieve SSO for Outlook | No Outlook sign-in tool required
(Diagram: sign-in tool)                                 | (Diagram: token-based referral via ADFS 2.0 (Geneva))

33 Federated Identity using AD FS 2
AD FS-2 Server connects AD to the cloud for single sign-on.
(Diagram: 1. Install AD FS 2 on Windows Server 2008; 2. Configure a federated trust with Microsoft Online Services. Users are authenticated by the local AD FS-2 server.)
User benefits
- Same identity on-premises and in the cloud
- No need to manage separate passwords
Administrator benefits
- No sign-on application to manage across desktops
- Passwords not synchronized to the cloud
- Security control retained over user accounts
- No need to manually de-provision cloud users
- No changes to the enterprise deployment of AD
Other benefits
- Supports multi-factor authentication for OWA
- Allows you to customize the OWA login page

34 User Login Process with AD FS 2
(Diagram: enterprise side with browser, Outlook, desktop apps, Geneva and Active Directory; cloud side with the Microsoft Federation Gateway and Exchange Online.)
1. User opens Outlook or clicks the OWA URL and is taken to the AD FS-2 server for authentication
2. AD FS-2 server validates credentials with Active Directory
3. AD FS-2 server issues a login token and posts it to the Federation Gateway
4. Federation Gateway validates the token and transforms claims
5. Federation Gateway issues a service token and posts it to the service
6. User accesses the service
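The gateway hop in steps 3 to 5, as an added Python example (not code from the deck or from the Microsoft Federation Gateway). Tokens are HMAC-SHA256 signed JSON bodies standing in for signed SAML assertions; the trusts table, tenant domains, service URLs, keys and users are constructed. It goes one step beyond the slide in two checks a practitioner would expect at a gateway: the verification key is chosen by the token's issuer, and a UPN whose domain is not registered to that issuer is refused, so one federated tenant cannot assert another tenant's users. The issued service token names one service as its audience, so the token Exchange Online accepts is rejected by SharePoint Online.

```python
"""Token chaining through a federation gateway (added example; not code from the deck).

Slide 34, steps 3-5: the on-premises AD FS server posts a login token to the gateway;
the gateway validates it against the trust registered for that issuer, transforms the
claims, and posts a new service token to the cloud service. Tokens are JSON bodies
signed with HMAC-SHA256 as a stand-in for signed SAML assertions. Every issuer, key,
domain, service URL and user below is a constructed value.
"""
import base64
import hashlib
import hmac
import json


def sign(payload, key):
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def verify(token, key):
    """Return the payload if the signature checks out, else None."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sig, hmac.new(key, body.encode(), hashlib.sha256).hexdigest()):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def unverified_issuer(token):
    """Read 'iss' before verifying: used only to select which trust's key to verify with."""
    body, _, _ = token.partition(".")
    return json.loads(base64.urlsafe_b64decode(body)).get("iss")


GATEWAY = "https://federation-gateway.example.test/"  # constructed
GATEWAY_KEY = b"constructed-gateway-signing-key"
# Federated trusts: on-prem issuer -> its signing key and the domain it may assert users for.
TRUSTS = {
    "https://sts.contoso.test/adfs": {"key": b"constructed-contoso-key", "domain": "contoso.test"},
    "https://sts.fabrikam.test/adfs": {"key": b"constructed-fabrikam-key", "domain": "fabrikam.test"},
}
SERVICES = {  # relying parties behind the gateway, each with its own audience URL
    "exchange": "https://exchange.online.example.test/",
    "sharepoint": "https://sharepoint.online.example.test/",
}
LIFETIME = 300  # seconds


def onprem_login_token(issuer, upn, groups, now, key=None):
    """Step 3: the on-premises STS issues a token addressed to the gateway.
    `key` overrides the registered key only to construct bad tokens for testing."""
    key = TRUSTS[issuer]["key"] if key is None else key
    return sign({"iss": issuer, "aud": GATEWAY, "exp": now + LIFETIME,
                 "upn": upn, "groups": groups}, key)


def gateway_exchange(login_token, service, now):
    """Steps 4-5: validate the login token, transform claims, issue a service token.
    Returns (service_token, None) or (None, reason)."""
    trust = TRUSTS.get(unverified_issuer(login_token))
    if trust is None:
        return None, "issuer not federated"
    payload = verify(login_token, trust["key"])
    if payload is None:
        return None, "signature invalid"
    if payload.get("aud") != GATEWAY or payload.get("exp", 0) <= now:
        return None, "wrong audience or expired"
    _, _, domain = payload.get("upn", "").rpartition("@")
    if domain != trust["domain"]:
        return None, "issuer may not assert users of " + domain
    if service not in SERVICES:
        return None, "unknown service"
    # Claims transformation: keep the identity and tenant, drop on-prem group names
    # the service does not need, and address the new token to that service only.
    service_claims = {"iss": GATEWAY, "aud": SERVICES[service], "exp": now + LIFETIME,
                      "sub": payload["upn"], "tenant": domain}
    return sign(service_claims, GATEWAY_KEY), None


def service_accepts(service_token, service, now):
    """Step 6 precondition: the service trusts only the gateway, and only tokens for itself."""
    payload = verify(service_token, GATEWAY_KEY)
    if payload is None or payload.get("iss") != GATEWAY:
        return None, "not issued by the gateway"
    if payload.get("aud") != SERVICES[service]:
        return None, "token issued for another service"
    if payload.get("exp", 0) <= now:
        return None, "token expired"
    return {"sub": payload["sub"], "tenant": payload["tenant"]}, None
```

A login token posted straight to the service, bypassing the gateway, fails `service_accepts` because it is not signed with the gateway key; only the gateway's own re-issued token, with the service's URL as audience, is accepted.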

35 Comparing User Experiences: With and Without ADFS 2.0

Client            | Outlook 2010 (Win 7) | Outlook 2007 (Win 7) | Outlook 2007 or 2010 (Vista/XP) | OWA            | ActiveSync, POP, IMAP | Entourage 2008 WS Ed.
With ADFS 2.0     | AD credentials       | AD credentials       | AD credentials                  | AD credentials | (blank in extraction) | (blank in extraction)
  prompts         | (No prompt)**        | (No prompt)**        | Each session*                   | Each session*  | Once at setup         | Once at setup
Without ADFS 2.0  | LiveID               | LiveID               | LiveID                          | LiveID         | LiveID                | LiveID
  prompts         | Each session*        | Each session*        | Each session*                   | Each session   | Once at setup         | Once at setup

- With AD FS 2.0 in place, users access Online services using their domain credentials; password prompts are eliminated in some scenarios
- If AD FS 2.0 is not deployed, users access Online services using a LiveID
- The Microsoft Online Services Sign-in Tool will be retired
*Teams are investigating patches for Outlook and Windows that would eliminate this prompt
**No prompt if logged on to the corporate network. Internet-based users will be prompted.

36 Agenda (repeated agenda slide; same items as slide 2)

37 © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

38 Business Ready Security: The Road Ahead
(Roadmap chart, marked "Subject to Change": timeline columns Earlier / CY 2009 H2 / CY 2010 H1; rows Management, Protection & Access, Solutions, Platform. Entries that survived extraction: Active Directory® Domain Services, DirectAccess.)

