Download presentation
Presentation is loading. Please wait.
1
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEH | ondrej@sevecek.com | www.sevecek.com |
2
AD FS XML over HTTP/S based authentication and "trust" Replacement for AD trusts Free download
3
AD FS vs. local user stores Local user stores AD LDS (LDAP), SQL, XML, … you must manage the accounts you know their passwords you must reset and unlock and disable AD FS leaves account management on the account partner side you never see their password
4
AD FS principles
7
Internal partners - most common
8
SharePoint WS Federation passive URL This is the resulting redirection after client is authenticated and claims are processed and signed https://intranet.gopas.cz/_trust/
9
SharePoint realm Used to identify the calling application it is the thing that SharePoint sends to ADFS to identify itself urn:something:something-else urn:intranet.gopas.virtual:sharepoint
10
SharePoint incoming claim types ADFS Incoming Claim Type ADFS Outgoing Claim Type to SharePoint URI ID SAM-Account-NameName IDnameidentifier E-Mail-AddressesE-Mail Addressemailaddress Token-GroupsRolerole Given-NameGiven Namegivenanme Surname surname User-Principal-NameWindows Account Namewindowsaccountname http://msdn.microsoft.com/en-us/library/system.identitymodel.claims.claimtypes.aspx
11
Claim types and SharePoint Only IdentifierClaim is saved in user's "settings" page Other claim types can be used to authorize access to resources with People Picker No lookup for account partner claim values
12
More groups as a single claim c:[Type == ”http://schemas.microsoft.com/ws/2008/06/identity/claims/ groupsid”, Value == “S-1-5-21-573680338-1201701862- 760492540-1037”, Issuer == “AD AUTHORITY”] && c1:[Type == ”http://schemas.microsoft.com/ws/2008/06/identity/claims/ groupsid”, Value == “S-1-5-21-573680338-1201701862- 760492540-1185”, Issuer == “AD AUTHORITY”] && c2:[Type == ”http://schemas.microsoft.com/ws/2008/06/identity/claims/ groupsid”, Value == “S-1-5-21-573680338-1201701862- 760492540-1139”, Issuer == “AD AUTHORITY”] => issue(Type = “http://schemas.sp.local/canDoIt”, Value = “true”, Issuer =c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
![More groups as a single claim c:[Type == groupsid , Value == S , Issuer == AD AUTHORITY ] && c1:[Type == groupsid , Value == S , Issuer == AD AUTHORITY ] && c2:[Type == groupsid , Value == S , Issuer == AD AUTHORITY ] => issue(Type = , Value = true , Issuer =c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);](http://images.slideplayer.com/14/4254313/slides/slide_12.jpg "More groups as a single claim c:[Type == groupsid , Value == S , Issuer == AD AUTHORITY ] && c1:[Type == groupsid , Value == S , Issuer == AD AUTHORITY ] && c2:[Type == groupsid , Value == S , Issuer == AD AUTHORITY ] => issue(Type = , Value = true , Issuer =c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);")
13
Active Directory Federation Services Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEH | ondrej@sevecek.com | www.sevecek.com |
Similar presentations
