Brian Puhl, Technology Architect, Microsoft IT
Session Code: ITS212
Agenda
- Federating identities
- Microsoft IT Federation environment
- Introducing Geneva Server
- Migrating from ADFS to Geneva
- Identity management when federating
- Microsoft IT Federation scenarios
Orgs Have to Extend Access
Audiences: your COMPANY and your EMPLOYEES; your PARTNERS; your SUPPLIERS; your REMOTE and VIRTUAL EMPLOYEES; your CUSTOMERS
Drivers: customer satisfaction and customer intimacy; cost competitiveness; reach, personalization; collaboration; outsourcing; faster business cycles, process automation; value chain; M&A; mobile/global workforce; flexible/temp workforce
User Password Proliferation
Domain Account: REDMOND\BPuhl
E-Company Store, Fidelity 401K: Social Security Number
TravelPort, Company Poll: BPuhl
Live Meeting: BrianP
Live ID, Marketing Leads App: Brian.Puhl
Generic ID for everything else: imav8n
Sub-Keyboard Crypto API: the same password for everything!
Super-Secret Passphrase (more secure): Samantha_Is_17_Anika_Is_5
- Only have to remember one thing
- I never write it down
- Easy for me to remember
- Change it once per year
Microsoft IT Federation Ecosystem (diagram)
ADFS v1 federations spanning the Internal Network and the Perimeter Network (FS Proxies)
59 federations with 29 unique partners, using Ping, IBM, and others
Worldwide usage: Corp (Internal), Live ID / Passport, Self
Geneva Server
- Security token service for AD
- Identity and federation provider
- Federation trust manager: automates trust management using metadata
- Standards-based and interoperable: WS-* and SAML 2.0 protocols; SAML 1.1 and 2.0 tokens
- Managed information card provider for AD: CardSpace and 3rd-party identity selectors
Geneva Server Components (diagram, built up across four slides)
Geneva Server: Security Token Service for SOAP and browser clients; information card issuance web site; policy and service management. Blocks: Management APIs and UX, Card Issuance, Token Issuance, Metadata.
Geneva Policy Store: SQL Server. Account Store.
Geneva Proxy (Perimeter Network): Token Issuance Proxy, Metadata Proxy; serves the Internet Client. The Intranet Client reaches Geneva Server directly.
Geneva Clients: Web Browsers; Windows CardSpace and other identity selectors; WS*-aware clients (WCF, etc.)
Migrating from ADFS v1 to Geneva Identity Provider
1. Deploy parallel to ADFS
2. Configure Trust Policy using PowerShell
3. Use client HOSTS files to test applications
4. Update DNS records
(Diagram: Internal Network with Geneva and ADFS side by side, Perimeter Network, Partner 1 and Partner 2. Proxies look to internal; Internet clients look to the proxy.)
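Steps 2 and 3 of that migration as one script, added here as an example rather than taken from the deck or from Microsoft IT's own tooling. It assumes the cmdlets and claim rule syntax of the released AD FS 2.0 snap-in (Microsoft.Adfs.PowerShell), which is what Geneva Server shipped as; the partner names, metadata URLs, the service name fs.contoso.com and the IP address are placeholders. The issuance rule ties the account linking to objectGUID, the immutable ID the troubleshooting list refers to, rather than to a name that can change.

```powershell
# Added example, not from the deck. Assumes the released AD FS 2.0 snap-in; all names are placeholders.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

$fsHostName  = 'fs.contoso.com'   # placeholder: the federation service name shared by ADFS v1 and Geneva
$newServerIp = '10.0.0.50'        # placeholder: address of the Geneva server deployed in parallel (step 1)
$partners = @(
    @{ Name = 'Partner 1'; MetadataUrl = 'https://fs.partner1.example/FederationMetadata/2007-06/FederationMetadata.xml' },
    @{ Name = 'Partner 2'; MetadataUrl = 'https://fs.partner2.example/FederationMetadata/2007-06/FederationMetadata.xml' }
)

# Step 2: build the trust policy from each partner's federation metadata instead of typing
# certificates and URIs by hand ("make your life simple with Metadata Exchange"). Monitoring and
# auto-update keep the trust in step when the partner rolls its signing certificate.
foreach ($p in $partners) {
    if (-not (Get-ADFSRelyingPartyTrust -Name $p.Name)) {
        Add-ADFSRelyingPartyTrust -Name $p.Name -MetadataUrl $p.MetadataUrl `
            -MonitoringEnabled $true -AutoUpdateEnabled $true
    }
}

# Claims policy: issue an immutable identifier (objectGUID) rather than UPN or e-mail, so a rename or
# mailbox move does not break the account mapping on the partner side. The claim type URI is a placeholder.
$transformRules = @'
@RuleName = "Immutable ID from objectGUID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/ImmutableID"), query = ";objectGUID;{0}", param = c.Value);
'@
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
foreach ($p in $partners) {
    Set-ADFSRelyingPartyTrust -TargetName $p.Name -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authzRules
}

# Step 3: point only this test client at the new server by overriding DNS in its HOSTS file, so the
# rest of the company keeps using ADFS v1 until the DNS records are cut over (step 4).
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$alreadyPinned = Select-String -Path $hostsPath -Pattern "\s$([regex]::Escape($fsHostName))\s*$" -Quiet
if (-not $alreadyPinned) {
    Add-Content -Path $hostsPath -Value "$newServerIp`t$fsHostName`t# Geneva migration test - remove after DNS cutover"
}
ipconfig /flushdns | Out-Null

# Sanity check before testing applications: the endpoints the new server actually exposes.
Get-ADFSEndpoint | Where-Object { $_.Enabled } | Select-Object Protocol, FullUrl
```

Run the trust configuration on the Geneva server and the HOSTS section on each test client; remove the HOSTS line once the DNS change in step 4 has propagated, otherwise that client will keep bypassing whatever DNS later says.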
(Diagram: Microsoft IT Federation Ecosystem after the migration, Internal Network and Perimeter Network)
10 Things when troubleshooting federations
10. Network Connectivity & NLB
9. SQL Availability
8. URIs
7. Event ID
Fiddler or HTTP Watch
5. Enabling Logging
4. Dirty Data
3. Immutable IDs
Troubleshooting Federation “If your ADFS is broken, it’s PKI. If it’s not PKI, you’ve got a typo. If it’s not a typo, it’s PKI.” - Laura Hunter
Troubleshooting Federation
PKI issues:
- CRL validation (CDPs not discoverable)
- Elliptic curve key algorithm
- Managing certificate renewals
- Certificates – they expire!
Configuration issues:
- Case sensitivity counts where you’d least expect it
- Geneva needs both ports 80 and 443
- Make your life simple with Metadata Exchange!
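The checks behind those two lists as a script to run on the federation server, added here as an example and not part of the deck. It assumes the released AD FS 2.0 snap-in (Microsoft.Adfs.PowerShell) and its Get-ADFSCertificate, Get-ADFSProperties and Get-ADFSRelyingPartyTrust cmdlets; the partner identifier it compares against is a constructed value. It walks every service certificate for expiry, CDP reachability and key algorithm, probes ports 80 and 443 on the service name, and shows how a case-only mismatch in an identifier is distinguished from a real typo.

```powershell
# Added example, not from the deck. Assumes the released AD FS 2.0 snap-in; $partnerSentId is constructed.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
$warnDays = 30

foreach ($c in Get-ADFSCertificate) {
    $cert = $c.Certificate
    # 1. Certificates expire: flag anything past, or within $warnDays of, NotAfter.
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    $state = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -lt $warnDays) { 'EXPIRING' } else { 'ok' }
    "{0,-22} {1,-40} {2:yyyy-MM-dd} {3}" -f $c.CertificateType, $cert.Subject, $cert.NotAfter, $state

    # 2. CRL validation: the CRL Distribution Point (OID 2.5.29.31) must be discoverable from here
    #    (and from the proxy); an unreachable CDP fails chain validation on the partner's token.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdp) {
        $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
        foreach ($u in $urls) {
            try {
                $req = [System.Net.WebRequest]::Create($u)
                $req.Timeout = 5000
                $req.GetResponse().Close()
                "    CDP reachable:     $u"
            } catch {
                "    CDP NOT reachable: $u ($($_.Exception.Message))"
            }
        }
    } else {
        "    no CDP extension (self-signed?) - revocation checking cannot succeed for this certificate"
    }

    # 3. Elliptic curve keys: flag any public key that is not RSA (OID 1.2.840.113549.1.1.1).
    if ($cert.PublicKey.Oid.Value -ne '1.2.840.113549.1.1.1') {
        "    non-RSA public key ($($cert.PublicKey.Oid.FriendlyName)) - confirm the partner can consume it"
    }
}

# 4. Geneva needs both ports 80 and 443: probe the federation service name on each.
$fs = (Get-ADFSProperties).HostName
foreach ($port in 80, 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try   { $tcp.Connect($fs, $port); "port $port open on $fs" }
    catch { "port $port CLOSED on $fs" }
    finally { $tcp.Close() }
}

# 5. Case sensitivity: identifiers are URIs, so a case-only difference is still a different trust.
#    -ccontains is case-sensitive, -contains is not; the gap between the two is "you've got a typo".
$partnerSentId = 'https://App.Partner1.example/'   # constructed: the audience/entityID a partner sent
$configuredIds = Get-ADFSRelyingPartyTrust | ForEach-Object { $_.Identifier }
if     ($configuredIds -ccontains $partnerSentId) { "identifier matches exactly" }
elseif ($configuredIds -contains  $partnerSentId) { "identifier matches only case-insensitively - fix the case on one side" }
else   { "identifier unknown - check for a trailing slash or a typo: $partnerSentId" }
```

Run it after every certificate renewal and whenever a partner reports failures; the first two checks are the ones the Laura Hunter quote is about, and the CDP check should also be run from the perimeter proxy, which has a different view of the network.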
Demo
Security Considerations
- Treat your Geneva servers like domain controllers
- Your Geneva Server admins are like domain administrators
- Geneva includes a claims policy language, which is extremely powerful
- Manage your certificates
- Token signing protects from man-in-the-middle attacks
- SSL validates the end-points

Server                 Token              Crypto             Administrator
Domain Controller      Kerberos or NTLM   Shared secret      Domain Admin
Certificate Authority  x.509 certificate  Trusted chain      Certificate Admin
Federation Server      SAML               x.509 certificate  ???
How Geneva is Changing Our Game (diagram, built up across slides)
Geneva Server alongside ADFS; Partners; SQL Authz Store; Windows Live ID
Summary
- Federating identities is the path to SaaS
- Geneva is a lot more than just ADFS v2: policy processing language, Metadata Exchange, SAML 2.0 protocol support, federation with Live ID Services
Resources: Sessions On-Demand & Community; Resources for IT Professionals; Resources for Developers; Microsoft Certification & Training Resources
TechEd 2009 is not producing a DVD; session recordings are available at TechEd Online.
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.