Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEH | | |

AD FS  XML over HTTP/S based authentication and "trust"  Replacement for AD trusts  Free download

AD FS vs. local user stores  Local user stores  AD LDS (LDAP), SQL, XML, …  you must manage the accounts  you know their passwords  you must reset and unlock and disable  AD FS  leaves account management on the account partner side  you never see their password

AD FS principles

Internal partners - most common

SharePoint WS Federation passive URL  This is the resulting redirection after client is authenticated and claims are processed and signed 

SharePoint realm  Used to identify the calling application  it is the thing that SharePoint sends to ADFS to identify itself  urn:something:something-else  urn:intranet.gopas.virtual:sharepoint

SharePoint incoming claim types ADFS Incoming Claim Type ADFS Outgoing Claim Type to SharePoint URI ID SAM-Account-NameName IDnameidentifier -Addresses Address address Token-GroupsRolerole Given-NameGiven Namegivenanme Surname surname User-Principal-NameWindows Account Namewindowsaccountname

Claim types and SharePoint  Only IdentifierClaim is saved in user's "settings" page  Other claim types can be used to authorize access to resources with People Picker  No lookup for account partner claim values

More groups as a single claim  c:[Type == ” groupsid”, Value == “S ”, Issuer == “AD AUTHORITY”]  && c1:[Type == ” groupsid”, Value == “S ”, Issuer == “AD AUTHORITY”]  && c2:[Type == ” groupsid”, Value == “S ”, Issuer == “AD AUTHORITY”]  => issue(Type = “ Value = “true”, Issuer =c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

Active Directory Federation Services Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEH | | |