1. Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft

2. Microsoft Virtual Academy Active Directory Federation Services (AD FS)

3. Module Overview AD FS Overview AD FS Deployment Scenarios Configuring AD FS Components

4. Lesson 1: AD FS Overview What Is Identity Federation? What Are the Identity Federation Scenarios? Benefits of Deploying AD FS

5. What is Identity Federation? An identity federation: Identity federation is a process that enables distributed identification, authentication, and authorization across organizational and platform boundaries Requires a trust relationship between two organizations or entities Allows organizations to retain control of: Resource access Their own user and group accounts

6. What Are the Identity Federation Scenarios? Federation for business- to-consumer or business-to-employee in a Web single sign-on scenario Federation for business-to- business (B2B) Federation within an organization across multiple Web applications

7. Benefits of Deploying AD FS AD FS provides the following benefits: Works with Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) Extends AD DS to the Internet Enables improved: Security and control over authentication Regulatory compliance Interoperability with heterogeneous systems

8. Demonstration: Installing AD FS In this demonstration, you will see how to install the Active Directory Federation Services Server Role

9. Lesson 2: AD FS Deployment Scenarios What Is a Federation Trust? What Are the AD FS Components? How AD FS Provides Identity Federation in a B2B Scenario How AD FS Traffic Flows in a B2B Federation Scenario How AD FS Provides Web Single Sign-On Integrating AD FS and AD RMS

10. What Is a Federation Trust? Web Server Account Partner Organization Resource Partner Organization Resource Federation Server Account Federation Server AD DS Federation Trust

11. What Are the AD FS Components? AD FS Components: AD FS Web Agent Resource Federation Server Proxy Account federation server AD DS domain controllers Account Federation Service Proxy Resource Federation Server

12. How AD FS Provides Identity Federation in a B2B Scenario Contoso Online Retailer Resource Federatio nServer Account Federatio n Server AD DS Account Federation Server Proxy AD FS- enabled Web Server Resource Federation Server Proxy PERIMETER NETWORK INTRANET FOREST Federation Trust

13. How AD FS Traffic Flows in a Business to Business Federation Scenario Web Server Resource Federation Server Account Federation Server AD DS Federation Trust 1 1 2 2 3 3 5 5 4 4 Contoso Online Retailer

14. Lesson 3: Configuring AD FS Components Federation Service Configuration Options What Are AD FS Trust Policies? Demonstration: Configuring the Federation Services for an Account Partner AD FS Web Proxy Agent Configuration Options What Are AD FS Claims?

15. Federation Service Configuration Options To implement the federation service: Create and configure applications Create a trust policy for both the resource and account partners Create organizational claims Create account stores

16. What Are AD FS Trust Policies? Resource partner trust policies include: Token Lifetime Federation Service URI Federation Service endpoint URL The option to use a Windows trust relationship for this partner Token Lifetime Federation Service URI Federation Service endpoint URL The option to use a Windows trust relationship for this partner Trust policies are the configuration settings that define how to configure a federated trust and how the federated trust works In addition, the account partner trust policies include: Location for a certificate to verify the resource partner Options for configuring how resource accounts are created Location for a certificate to verify the resource partner Options for configuring how resource accounts are created

17. Demonstration: AD FS Initial Configuration In this demonstration, you will see how run the AD FS Management Snap-In and run through the initial configuration steps.

18. AD FS Web Proxy Agent Configuration Options AD FS Web Proxy Agent Configuration Options: Install the AD FS Web Agent on the IIS server Windows Token-based authentication requires ISAPI extensions Claims-aware authorization can authenticate natively with ASP.NET Determine how to collect user credential information from browser clients and Web applications 1 1 2 2

19. What Are AD FS Claims? Claim TypeDescription Identity UPN: indicates a Kerberos version 5 protocol-style user principal name (UPN), for example: user@realm E-mail: indicates Request for Comments (RFC) 2822– style e-mail names of the form user@domain Common name: indicates an arbitrary string that is used for personalization GroupIndicates membership in a group or role Custom Indicates a claim that contains custom information about a user, for example, an employee ID number

20. Module Review and Takeaways Review Questions Summary of AD FS

21. Thanks for Watching!

22. ©2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.