Enterprise Identity Steve Plank – Microsoft Ivor Bright – Charteris Dave Nesbitt – Oxford Computer Group.

Presentation transcript:

Enterprise Identity Steve Plank – Microsoft Ivor Bright – Charteris Dave Nesbitt – Oxford Computer Group

Agenda
- Overview of Enterprise Federation
- Challenges/Solutions
- Individual Group Discussions (led)
- Large Group "Debate"

Extranet Access with Identity Federation (diagram: your employees log on to Windows on your network via Active Directory and get single sign-on inside your network to Exchange, SQL/file servers, web servers and app servers; your suppliers and their networks sit outside it)

ADFS Identity Federation
- Projecting user identity from a single logon ...
- Providing distributed authentication & claims-based authorization ...
- Connecting islands (across security, organizational or platform boundaries) ...
- Enabling web single sign-on & simplified identity management

ADFS Components (account store)
- Authenticates users
- Manages attributes
- Windows 2000 or 2003 Active Directory or ADAM

ADFS Components: Federation Service (FS)
- Security Token Service (STS)
- Maps user attributes to claims
- Issues security tokens
- Manages federation trust policy
- Requires IIS v6, Windows 2003 R2

ADFS Components: Federation Server Proxy (FSP)
- Client proxy for token requests
- Provides UI for browser clients: forms-based auth, home realm discovery
- Requires IIS v6, Windows 2003 R2

ADFS Components: Web Agent
- Enforces user authentication
- Creates app authZ context from claims: NT impersonation and ACLs; ASP.NET IsInRole(); AzMan RBAC integration; ASP.NET raw claims API
- Requires IIS v6, Windows 2003 R2
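The two component slides above describe the Federation Service mapping directory attributes to claims and the Web Agent turning incoming claims into an authorization context the application queries with IsInRole(). The following is an added example, not code from the presentation or from ADFS: it shows the same two steps in Python with a constructed user record, a constructed account-side claim policy, a constructed resource-side group mapping, and a small context class whose is_in_role() plays the part of the ASP.NET call. Group names, DNs and claim types are all hypothetical.

```python
# Constructed sample: attributes the account store (AD) would return for one user.
SAMPLE_USER_ATTRIBUTES = {
    "userPrincipalName": "alice@adatum.example",
    "mail": "alice@adatum.example",
    "memberOf": [
        "CN=Purchasing,OU=Groups,DC=adatum,DC=example",
        "CN=Domain Users,CN=Users,DC=adatum,DC=example",
    ],
    "department": "Purchasing",
}

# Hypothetical account-side claim policy. Only groups listed here become group claims;
# everything else in memberOf is dropped so the partner never learns about it.
GROUP_CLAIM_MAP = {
    "CN=Purchasing,OU=Groups,DC=adatum,DC=example": "Purchasers",
}
IDENTITY_CLAIM_MAP = {
    "userPrincipalName": "UPN",
    "mail": "EmailAddress",
}

# Hypothetical resource-side policy: partner group claims are renamed onto the
# resource organization's own groups before the web agent sees them.
PARTNER_GROUP_MAP = {"Purchasers": "TreyResearch-Buyers"}


def map_attributes_to_claims(attributes):
    """Account STS step: turn directory attributes into (claim type, value) pairs."""
    claims = []
    for attr, claim_type in IDENTITY_CLAIM_MAP.items():
        value = attributes.get(attr)
        if value:
            claims.append((claim_type, value))
    for dn in attributes.get("memberOf", []):
        group_claim = GROUP_CLAIM_MAP.get(dn)
        if group_claim:
            claims.append(("Group", group_claim))
    return claims


def transform_partner_claims(claims):
    """Resource STS step: keep identity claims, translate known partner groups, drop unknown ones."""
    out = []
    for claim_type, value in claims:
        if claim_type == "Group":
            mapped = PARTNER_GROUP_MAP.get(value)
            if mapped:
                out.append(("Group", mapped))
        else:
            out.append((claim_type, value))
    return out


class ClaimsAuthzContext:
    """What the web agent hands the application: roles derived from group claims plus raw claims."""

    def __init__(self, claims):
        self.claims = list(claims)
        self.roles = {value for claim_type, value in self.claims if claim_type == "Group"}

    def is_in_role(self, role):
        return role in self.roles

    def get_claim(self, claim_type):
        return [value for ctype, value in self.claims if ctype == claim_type]


def build_context(attributes):
    """Whole pipeline: account store attributes -> account claims -> resource claims -> authZ context."""
    return ClaimsAuthzContext(transform_partner_claims(map_attributes_to_claims(attributes)))


if __name__ == "__main__":
    ctx = build_context(SAMPLE_USER_ATTRIBUTES)
    print(ctx.claims, ctx.is_in_role("TreyResearch-Buyers"))
```

The point worth noticing is that "Domain Users" never reaches the application: membership that is not explicitly mapped on the account side is not emitted, and a partner group the resource side has not mapped is discarded rather than passed through, so the application's roles are exactly the intersection of the two policies.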

ADFS Authentication Flow (diagram: A. Datum account forest, Trey Research resource forest)

Centrify support for ADFS
- DirectControl provides a cross-platform equivalent of the Microsoft ADFS SSO Agent for IIS6 on Apache and popular J2EE web servers: BEA WebLogic, Apache Tomcat, IBM WebSphere, JBoss
- Web agent is a direct drop-in for non-Microsoft web servers
- Customer benefits: simple and cost-effective entrance into the federated identity world; no modification of applications; uses existing deployed infrastructure (AD); web SSO for non-IIS web servers

Quest support for ADFS
- ADFS supported in Vintela Single Sign-on for Java (VSJ) v3.1; existing Java apps need no modifications
- VSJ 3.1 ADFS servlet filter will: support ADFS authentication for Java applications in the resource domain; allow Java application servers to leverage an existing ADFS infrastructure; enable federation of Java/J2EE applications within the ADFS-based trust fabric; support NTLM, SPNEGO & WS-Federation based authentication
- VSJ servlet filters work with any J2EE application server
- No change required to the Java application; it "just works"
- Web SSO for non-IIS web servers

Shibboleth Interoperability
- Standards-based, open source
- Shibboleth System 1.3 release
- Developing plug-ins for SAML 1.1 Identity and Service Providers to support the WS-Federation Passive Requestor Interoperability Profile; enables interop with ADFS and other compliant vendor products
- Sponsored by Microsoft and ADFS

WS-Federation (Web Services Federation Language)
- Defines messages to enable security realms to federate & exchange security tokens
- Authors: BEA, IBM, Microsoft, RSA, VeriSign
- Two "profiles" of the model defined: Passive (browser) clients, HTTP/S; Active (smart) clients, SOAP
- (diagram: a Security Token Service with an HTTP receiver for HTTP messages and a SOAP receiver for SOAP messages)

Passive Requestor Profile
- Binding of WS-Federation & WS-Trust for browser (passive) clients
- Implicitly adhere to policy by following redirects
- Implicitly acquire tokens via HTTP messages
- Authentication requires secure transport (HTTPS)
- Client cannot provide "proof of possession": tokens subject to replay; limited (time-based) token caching
- Supported by ADFS v1 in W2K03 R2

Authentication Message Flow (participants: Browser Client, Account STS, Web Server, Resource STS)
1. GET (to Web Server)
2. Detect user's home realm
3. 302 Redirect (to Resource STS)
4. 302 Redirect (to Account STS)
5. Authenticate User
6. POST "Redirect" security token (to Resource STS)
7. POST "Redirect" security token (to Web Server)
8. 200 OK Response (from Web Server)
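The passive-profile slides above list the properties (redirect-driven, HTTPS, no proof of possession, time-limited bearer tokens) and the message sequence, but not what each party checks. The following is an added example, not code from the presentation or from ADFS: it simulates the whole sequence in Python with each of the four parties as a function, using the real WS-Federation passive parameter names (wa, wtrealm, wctx, whr, wresult) but constructed hostnames, keys, user and password. HMAC over a JSON body stands in for the XML signature ADFS places on a SAML token; the issuer, audience and expiry checks are the ones a web agent and a resource STS must make before trusting a bearer token, and the short TOKEN_LIFETIME is the mitigation the slide alludes to for tokens that cannot prove possession.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed endpoints and keys. ADFS signs with X.509 certificates; one HMAC key per STS stands in here.
WEB_SERVER = "https://app.treyresearch.example/"
RESOURCE_STS = "https://fs.treyresearch.example/adfs/ls/"
ACCOUNT_STS = "https://fs.adatum.example/adfs/ls/"
ACCOUNT_STS_KEY = b"constructed-account-sts-signing-key"
RESOURCE_STS_KEY = b"constructed-resource-sts-signing-key"
TOKEN_LIFETIME = 600  # seconds; a bearer token has no proof of possession, so keep its life short


def issue_token(key, issuer, audience, claims, now, lifetime=TOKEN_LIFETIME):
    """Signed bearer token carrying issuer, audience and expiry (stands in for a signed SAML token)."""
    body = {"iss": issuer, "aud": audience, "exp": now + lifetime, "claims": claims}
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    return payload + "." + hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def verify_token(key, issuer, audience, token, now):
    """Reject a token with a bad signature, the wrong issuer or audience, or past its expiry."""
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    body = json.loads(base64.urlsafe_b64decode(payload))
    if body["iss"] != issuer or body["aud"] != audience:
        raise ValueError("wrong issuer or audience")
    if now >= body["exp"]:
        raise ValueError("token expired")
    return body["claims"]


def token_accepted(key, issuer, audience, token, now):
    """Boolean wrapper around verify_token for callers that only need accept/reject."""
    try:
        verify_token(key, issuer, audience, token, now)
        return True
    except ValueError:
        return False


def web_agent_get(session, url):
    """Steps 1 and 3: with no session, the web agent sends the browser to the Resource STS."""
    if "claims" in session:
        return {"status": 200, "body": "hello " + session["claims"]["UPN"]}
    query = urlencode({"wa": "wsignin1.0", "wtrealm": WEB_SERVER, "wctx": url})
    return {"status": 302, "location": RESOURCE_STS + "?" + query}


def resource_sts_signin(query, home_realm):
    """Steps 2 and 4: refuse unknown relying parties, then redirect to the user's Account STS."""
    params = parse_qs(query)
    if params.get("wtrealm", [None])[0] != WEB_SERVER:
        raise ValueError("unknown relying party")
    query = urlencode({"wa": "wsignin1.0", "wtrealm": RESOURCE_STS, "wctx": query, "whr": home_realm})
    return {"status": 302, "location": ACCOUNT_STS + "?" + query}


def account_sts_authenticate(username, password, now):
    """Step 5: forms auth against a constructed account store; the result is the wresult for step 6."""
    users = {"alice@adatum.example": "constructed-password"}
    if users.get(username) != password:
        raise PermissionError("authentication failed")
    claims = {"UPN": username, "Group": "Purchasers"}
    return issue_token(ACCOUNT_STS_KEY, ACCOUNT_STS, RESOURCE_STS, claims, now)


def resource_sts_post(wresult, now):
    """Step 6: validate the partner's token, then issue one addressed to the web server (step 7)."""
    claims = verify_token(ACCOUNT_STS_KEY, ACCOUNT_STS, RESOURCE_STS, wresult, now)
    return issue_token(RESOURCE_STS_KEY, RESOURCE_STS, WEB_SERVER, claims, now)


def web_agent_post(session, wresult, now):
    """Steps 7 and 8: validate the token, create the application session, answer 200 OK."""
    session["claims"] = verify_token(RESOURCE_STS_KEY, RESOURCE_STS, WEB_SERVER, wresult, now)
    return {"status": 200, "body": "signed in as " + session["claims"]["UPN"]}


def run_passive_flow(username, password, now):
    """Drive the browser through all eight steps; returns the three status codes and the session claims."""
    session = {}
    r1 = web_agent_get(session, WEB_SERVER + "orders")
    r2 = resource_sts_signin(urlparse(r1["location"]).query, "adatum.example")
    wresult_a = account_sts_authenticate(username, password, now)  # browser POSTs this to the Resource STS
    wresult_r = resource_sts_post(wresult_a, now)                   # browser POSTs this to the Web Server
    r3 = web_agent_post(session, wresult_r, now)
    return r1["status"], r2["status"], r3["status"], session["claims"]


if __name__ == "__main__":
    print(run_passive_flow("alice@adatum.example", "constructed-password", 1_700_000_000))
```

Each token is addressed to exactly one next hop (audience), so a token the Account STS issued for the Resource STS is useless at the Web Server and vice versa; that, plus the expiry, is what bounds the damage from a bearer token that leaks from a browser.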

Active Requestor Profile
- Binding of WS-Federation & WS-Trust for SOAP/XML-aware (active) clients
- Explicitly determine token needs from policy
- Explicitly request tokens via SOAP messages
- Strong authentication of all requests
- Client can provide "proof of possession"
- Supports delegation: client can provide a token for use on its behalf
- Allows rich token caching at client: improved performance without security risk
- Future ADFS release
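The slide contrasts the active profile with the passive one on a single property: the client can prove possession of a key bound to its token, which is why a cached token can be reused without the replay risk the passive slide mentions. The following is an added example, not code from the presentation or from ADFS, showing in Python what that check looks like on the target service: the STS binds a fresh proof key to the token, the client signs each request with it, and the service accepts only requests whose signature matches the key named in the token, within a timestamp window and with a nonce it has not seen before. HMAC stands in for the STS's XML signature and for the proof-key signature; the service URL, subject and keys are constructed. In WS-Trust the proof key reaches the client as the RequestedProofToken and reaches the service encrypted inside the token; this simulation shortcuts that delivery through the SERVICE_PROOF_KEYS table.

```python
import base64
import hashlib
import hmac
import json
import secrets

STS_KEY = b"constructed-sp-sts-signing-key"  # stands in for the Service Provider STS signing certificate
TOKEN_LIFETIME = 3600                         # seconds a holder-of-key token may be cached and reused
REQUEST_WINDOW = 300                          # seconds a signed request's timestamp is accepted
SERVICE_PROOF_KEYS = {}                       # kid -> proof key, as the service would recover it from the token
SEEN_NONCES = set()                           # nonces already accepted, to reject an identical request twice


def _sign(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def key_id(proof_key):
    return hashlib.sha256(proof_key).hexdigest()[:16]


def sts_issue_holder_of_key_token(subject, service, now):
    """Issue a token bound to a fresh proof key; returns (token, proof_key).
    The service's copy of the key is stored in SERVICE_PROOF_KEYS in place of the
    encrypted proof token WS-Trust would embed for it."""
    proof_key = secrets.token_bytes(32)
    body = {"sub": subject, "aud": service, "exp": now + TOKEN_LIFETIME, "kid": key_id(proof_key)}
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    SERVICE_PROOF_KEYS[body["kid"]] = proof_key
    return payload + "." + _sign(STS_KEY, payload.encode()), proof_key


def request_digest(ts, nonce, body, token):
    """Bytes the proof-key signature covers: timestamp, nonce, request body and the token itself."""
    return f"{ts}|{nonce}|{body}|{token}".encode()


def client_send(token, proof_key, body, now):
    """Active client: attach the cached token and sign this request with the proof key."""
    nonce = secrets.token_hex(8)
    sig = _sign(proof_key, request_digest(now, nonce, body, token))
    return {"token": token, "ts": now, "nonce": nonce, "body": body, "sig": sig}


def service_accept(request, service, now):
    """Target service: token from our STS, addressed to us, unexpired; request fresh and signed by the holder."""
    token = request["token"]
    payload, _, sig = token.rpartition(".")
    if not hmac.compare_digest(sig, _sign(STS_KEY, payload.encode())):
        return False  # token was not issued by our STS
    tok_body = json.loads(base64.urlsafe_b64decode(payload))
    if tok_body["aud"] != service or now >= tok_body["exp"]:
        return False  # wrong audience or expired token
    if abs(now - request["ts"]) > REQUEST_WINDOW or request["nonce"] in SEEN_NONCES:
        return False  # stale timestamp or a request we already processed
    proof_key = SERVICE_PROOF_KEYS.get(tok_body["kid"])
    if proof_key is None:
        return False  # no proof key for this token
    expected = _sign(proof_key, request_digest(request["ts"], request["nonce"], request["body"], token))
    if not hmac.compare_digest(request["sig"], expected):
        return False  # sender does not hold the key the token is bound to
    SEEN_NONCES.add(request["nonce"])
    return True


def demo(now=1_700_000_000):
    """Returns (genuine request accepted, identical request re-submitted, token presented without its key)."""
    service = "https://orders.treyresearch.example/"
    token, proof_key = sts_issue_holder_of_key_token("alice@adatum.example", service, now)
    genuine = client_send(token, proof_key, "<getOrders/>", now)
    first = service_accept(genuine, service, now)
    resent = service_accept(genuine, service, now + 10)
    without_key = client_send(token, b"constructed-unrelated-key", "<getOrders/>", now)
    third = service_accept(without_key, service, now)
    return first, resent, third


if __name__ == "__main__":
    print(demo())
```

The same token is used for every request during its hour-long lifetime (the "rich token caching" of the slide), yet possession of the token alone buys nothing: a request must also carry a fresh signature from the key the STS bound to it, and the nonce set stops the exact same signed request from being processed twice.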

Sample Flow: Active Client (participants: Requesting Service, Identity Provider STS, Target Service, Service Provider STS)
- Messages as labelled on the slide: Fetch IP policy; Request token; Return token; Request token; Return token; Send secured request; Return secured response; Fetch SP policy; Fetch service policy
- WS-Policy used to route client token requests

Review
- Overview of Enterprise Federation
- Challenges/Solutions
- Individual Group Discussions (led)
- Large Group "Debate"