Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors, publisher and distributor assume will not be liable for errors or omissions, or for damages resulting from the use of the information presented and contained herein

Identity Provider (IP) Active Directory Security Token Service (STS) User / Subject /Principal Requests token for AppX Issues Security Token crafted for Appx Relying party (RP)/ Resource provider Issuer IP-STS Trusts the Security Token from the issuer The Security Token Contains claims about the user For example: Name Group membership User Principal Name (UPN) address of user address of manager Phone number Other attribute values Security Token “Authenticates” user to the application ST Signed by issuer AppX Authenticates user

User User trusts website and STS via SSL certificates Certificate path validated and CRL checked ST Sign with STS token signing certificate private key Validate with STS token signing certificate public key encrypt with RP encryption certificate public key Decrypt with RP encryption certificate private key STS RP CNG certificates are not supported

STS-IP Endpoint of STS for logon STS claims offered Name of STS STS Certificate to sign tokens (private key) Establishing the trust Endpoint of STS for logon STS claims offered Name of STS STS Certificate to validate tokens (public key) Federation metadata Web.configSTS-IP database

WAP ADFS AD FS configuration store Copied during WAP configuration uses supplied credentials Self-signed certificate Uses certificate authentication Copied to certificate store Used to create Certificate Trust List (CTL)

SLL Termination betweenpossibleImpact Client and WAPYes/NoBreaks Workplace join and client SSL authentication WAP and AD FSNoBreaks proxy trust with AD FS WAP and published serverYesNo impact on WAP/ADFS functionality

partner.xtseminars.com example.com Internet ISP DNS Client Client2 Proxy-p adfs1 dc1 srv1 adfs-p Proxy

AD FS STS Claims-aware app Active Directory Browse app Not authenticated Redirected to STS Authenticate Our user Query for user attributes Return security token Return cookies and page Send Token App trusts STS ST

Decoded redirect URL: wa=wsignin1.0& wtrealm= wctx=rm=0&id=passive&ru=%2fFederation%2f& wct= T15:12:28Z AD FS logon endpoint Action to perform Security realm of RP Consumed by RP passed through unchanged by all actors Time Stamp %2f decodes to /

Hidden form with POST method POST back URL defined via RP configuration in AD FS SAML claims Signature X.509 Certificate of signing party (includes public key) Unchanged since initial request Begins / ends with saml:Assertion

AD FS

APP

BrowserWinINETFiddler Webserver Spoof certificate

Process token Home realm discovery Redirected to partner STS requesting ST for partner user Return ST for consumption by your STS Return new ST Your AD FS STS Your Claims-aware app Active Directory Partner user Partner AD FS STS & IP Redirected to your STS Authenticate Send Token Return cookies and page Browse app Not authenticated Redirect to your STS ST App trusts STS Your STS trusts your partner’s STS

Issuance Transform rules Issuance Authorization rules Acceptance Transform rules Relying Party Trusts Claims Provider Trusts STS AD Username, user & group SIDs Logon Issued claims Acceptance Transform rules Username user & group SIDs Token authentication ST Claims Deny ST

Web application ADFS Claims-aware web application Web application with Windows Authentication AD FS preauthentication Kerberos constrained delegation Publish applications and services to the Internet WAP Users are authenticated and authorized before gaining access to the corporate network Pass-through KCD

SAMLSWTJWT JSON Web Tokens (JWT)Simple Web Token ( Microsoft, Google, Yahoo) Security Assertion Markup Language SAML 1.1/2.0 Complex to: Create Parse Validate Transmit Easy to: Create Parse Validate Transmit Too simple! Time

Firewall WAP DC Web application using Windows Authentication (Kerberos) The SPN for the application must be registered on the service account running the application The WAP computer account must be configured for constrained delegation with protocol transition to the SPN of the web application AD FS preauthentication required

John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high-availability. A key player in many IT projects for industry leaders including Microsoft, the UK Government and multi-nationals that require optimized IT systems. Developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory Internals, presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars.