
Enterprise Identity Steve Plank – Microsoft Ivor Bright – Charteris Dave Nesbitt – Oxford Computer Group.


1 Enterprise Identity Steve Plank – Microsoft Ivor Bright – Charteris Dave Nesbitt – Oxford Computer Group

2 Agenda
  - Overview of Enterprise Federation
  - Challenges/Solutions
  - Individual Group Discussions (led)
  - Large Group “Debate”

3 Extranet Access with Identity Federation (diagram: Active Directory; logon to the Windows network; single sign-on inside your network to Exchange, SQL/file servers, web servers and app servers; your suppliers and their networks; your employees on your network)

4 ADFS Identity Federation
  - Projecting user identity from a single logon …
  - Providing distributed authentication & claims-based authorization …
  - Connecting islands (across security, organizational or platform boundaries) …
  - Enabling web single sign-on & simplified identity management

5 ADFS Components (diagram)

6 ADFS Components: account store
  - Authenticates users
  - Manages attributes
  - Windows 2000 or 2003 Active Directory, or ADAM

7 ADFS Components: Federation Service (FS)
  - Security Token Service (STS)
  - Maps user attributes to claims
  - Issues security tokens
  - Manages federation trust policy
  - Requires IIS 6, Windows 2003 R2

8 ADFS Components: Federation Server Proxy (FSP)
  - Client proxy for token requests
  - Provides UI for browser clients: forms-based auth, home realm discovery
  - Requires IIS 6, Windows 2003 R2

9 ADFS Components: Web Agent
  - Enforces user authentication
  - Creates app authZ context from claims: NT impersonation and ACLs; ASP.NET IsInRole(); AzMan RBAC integration; ASP.NET raw claims API
  - Requires IIS 6, Windows 2003 R2

10 ADFS Authentication Flow (diagram: A. Datum account forest, Trey Research resource forest)

11 Centrify support for ADFS
  - DirectControl provides a cross-platform equivalent of the Microsoft ADFS SSO Agent for IIS 6
  - Apache and popular J2EE web servers: BEA WebLogic, Apache Tomcat, IBM WebSphere, JBoss
  - Web agent is a direct drop-in for non-Microsoft web servers
  - Customer benefits: simple and cost-effective entrance into the federated identity world; no modification of applications; uses existing deployed infrastructure (AD); web SSO for non-IIS web servers

12 Quest support for ADFS
  - ADFS supported in Vintela Single Sign-on for Java (VSJ) V3.1
  - Existing Java apps need no modifications
  - The VSJ 3.1 ADFS servlet filter will: support ADFS authentication for Java applications in the resource domain; allow Java application servers to leverage an existing ADFS infrastructure; enable federation of Java/J2EE applications within an ADFS-based trust fabric; support NTLM, SPNEGO & WS-Federation based authentication
  - VSJ servlet filters work with any J2EE application server
  - No change required to the Java application – it “just works”
  - Web SSO for non-IIS web servers

13 Shibboleth Interoperability
  - Standards based, open source
  - Shibboleth System 1.3 release
  - Developing plug-ins for SAML 1.1 Identity and Service Providers
  - Support WS-Federation Passive Requestor Interoperability Profile
  - Enables interop with ADFS and other compliant vendor products
  - Sponsored by Microsoft and ADFS

14 WS-Federation
  - Web Services Federation Language
  - Defines messages to enable security realms to federate & exchange security tokens
  - BEA, IBM, Microsoft, RSA, VeriSign
  - Two “profiles” of the model defined: Passive (browser) clients – HTTP/S; Active (smart) clients – SOAP
  (diagram: a Security Token Service with an HTTP receiver for HTTP messages and a SOAP receiver for SOAP messages)

15 Passive Requestor Profile
  - Binding of WS-Federation & WS-Trust for browser (passive) clients
  - Implicitly adhere to policy by following redirects
  - Implicitly acquire tokens via HTTP msgs
  - Authentication requires secure transport (HTTPS)
  - Client cannot provide “proof of possession”: tokens subject to replay; limited (time based) token caching
  - Supported by ADFS v1 in W2K03 R2

16 Authentication Message Flow (participants: Browser Client, Account STS, Web Server, Resource STS)
  - GET (to Web Server)
  - Detect user’s home realm
  - 302 Redirect (to Resource STS)
  - 302 Redirect (to Account STS)
  - Authenticate user
  - POST “Redirect” security token (to Resource STS)
  - POST “Redirect” security token (to Web Server)
  - 200 OK response (from Web Server)
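The redirect chain on slide 16, together with the attribute-to-claim mapping of slide 7, the web agent's IsInRole()-style check of slide 9 and the time-bounded bearer tokens of slide 15, as an added toy model. This is example code written for this transcript, not ADFS or WS-Federation code from the presenters; it assumes constructed STS hostnames, a constructed A. Datum directory, a constructed claim-mapping policy, and HMAC signing in place of the X.509 signatures a real STS uses. The query parameters wa, wtrealm, wctx and the form field wresult are the WS-Federation passive names; everything else is invented for the model.

```python
"""Toy model of the WS-Federation passive requestor flow (slide 16).
Constructed example, not ADFS code; HMAC stands in for X.509 signing."""
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit

ACCOUNT_STS = "account-sts.adatum.example"          # A. Datum (account forest), constructed
RESOURCE_STS = "resource-sts.treyresearch.example"  # Trey Research (resource forest), constructed
KEYS = {ACCOUNT_STS: b"adatum-signing-key", RESOURCE_STS: b"trey-signing-key"}
TOKEN_LIFETIME = 300  # seconds: slide 15's "limited (time based) token caching"

# Constructed stand-in for A. Datum's Active Directory (slide 6: authenticates, manages attributes)
ACCOUNT_DIRECTORY = {
    "alice": {"password": "correct horse", "department": "Purchasing",
              "groups": ["ADatum-Buyers"]},
}
# Constructed federation trust policy at Trey Research (slide 7): partner group -> local role
PARTNER_CLAIM_MAP = {"ADatum-Buyers": "Purchaser"}
# Home realm discovery table (slide 8): realm chosen by the user -> its account STS
HOME_REALMS = {"adatum.example": ACCOUNT_STS}


def sign(issuer, claims, now=None):
    """Issue a bearer token: claims + issuer + expiry, HMAC-signed by the issuer."""
    issued = now if now is not None else time.time()
    body = dict(claims, issuer=issuer, expires=issued + TOKEN_LIFETIME)
    payload = json.dumps(body, sort_keys=True)
    mac = hmac.new(KEYS[issuer], payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def verify(token, expected_issuer, now=None):
    """Validate signature, issuer and expiry; return the claims or None."""
    mac = hmac.new(KEYS[expected_issuer], token["payload"].encode(),
                   hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, token["mac"]):
        return None  # tampered, or signed by someone other than the expected issuer
    body = json.loads(token["payload"])
    if body["issuer"] != expected_issuer:
        return None
    if body["expires"] <= (now if now is not None else time.time()):
        return None  # expired: the only defence a bearer token has against replay
    return body


def account_sts_signin(user, password, wctx):
    """Account STS: authenticate against AD, map attributes to claims, POST a token back."""
    rec = ACCOUNT_DIRECTORY.get(user)
    if rec is None or rec["password"] != password:
        return None
    claims = {"upn": f"{user}@adatum.example", "group": rec["groups"],
              "department": rec["department"]}
    # Passive profile: the token rides in an auto-submitted HTML form (wa / wresult / wctx)
    return {"wa": "wsignin1.0", "wresult": sign(ACCOUNT_STS, claims), "wctx": wctx}


def resource_sts_signin(post):
    """Resource STS: validate the partner token, apply claim mapping, re-issue for the app."""
    incoming = verify(post["wresult"], ACCOUNT_STS)
    if incoming is None:
        return None
    roles = [PARTNER_CLAIM_MAP[g] for g in incoming["group"] if g in PARTNER_CLAIM_MAP]
    out = sign(RESOURCE_STS, {"upn": incoming["upn"], "role": roles})
    return {"wa": "wsignin1.0", "wresult": out, "wctx": post["wctx"]}


def web_agent(post, required_role, now=None):
    """Web agent (slide 9): build the authZ context from claims; IsInRole()-style check."""
    claims = verify(post["wresult"], RESOURCE_STS, now)
    if claims is None:
        return 401
    if required_role not in claims["role"]:
        return 403
    return 200


def obtain_app_token(user, password, home_realm):
    """Walk the redirect chain of slide 16; return the final POST to the web server."""
    wctx = "/orders"  # the URL the browser originally asked for, carried through as wctx
    # 1. GET to web server without a token -> 302 to Resource STS
    redirect1 = f"https://{RESOURCE_STS}/?" + urlencode(
        {"wa": "wsignin1.0", "wtrealm": "urn:treyresearch:orders", "wctx": wctx})
    # 2. Resource STS detects the user's home realm -> 302 to Account STS
    q1 = parse_qs(urlsplit(redirect1).query)
    redirect2 = f"https://{HOME_REALMS[home_realm]}/?" + urlencode(
        {"wa": "wsignin1.0", "wtrealm": "urn:treyresearch", "wctx": q1["wctx"][0]})
    # 3. Account STS authenticates the user and POSTs a token to the Resource STS
    q2 = parse_qs(urlsplit(redirect2).query)
    post_to_resource = account_sts_signin(user, password, q2["wctx"][0])
    if post_to_resource is None:
        return None
    # 4. Resource STS POSTs a re-issued token to the web server
    return resource_sts_signin(post_to_resource)


if __name__ == "__main__":
    final_post = obtain_app_token("alice", "correct horse", "adatum.example")
    print(web_agent(final_post, "Purchaser"))  # 200
```

The web agent never sees the partner's group names: the Resource STS re-issues a token under its own key with the mapped role, so the trust policy on slide 7 is the only place a partner group becomes a local role. Because the token is a bearer token, anyone holding the posted form can reuse it until it expires, which is why the lifetime in `TOKEN_LIFETIME` is the check that matters for slide 15's replay caveat.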

17 Active Requestor Profile
  - Binding of WS-Federation & WS-Trust for SOAP/XML aware (active) clients
  - Explicitly determine token needs from policy
  - Explicitly request tokens via SOAP msgs
  - Strong authentication of all requests: client can provide “proof of possession”
  - Supports delegation: client can provide a token for use on its behalf
  - Allows rich token caching at client: improved performance w/o security risk
  - Future ADFS release

18 Sample Flow: Active Client Requesting Service (participants: Identity Provider STS, Target Service, Service Provider STS)
  - Fetch service policy
  - Fetch SP policy
  - Fetch IP policy
  - Request token / Return token (Identity Provider STS)
  - Request token / Return token (Service Provider STS)
  - Send secured request
  - Return secured response
  - WS-Policy used to route client token requests
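Slides 17 and 18 describe what the passive profile cannot give: a client that reads policy, asks an STS for a token explicitly, and proves possession of a key bound to that token on every request, so a captured token is useless on its own and cached tokens carry no added risk. The added model below is example code written for this transcript, not ADFS or WS-Trust code; it collapses the flow to one identity-provider STS and one target service, uses a constructed WS-Policy dictionary, and derives the per-token proof key from a secret shared by STS and service (an assumption that stands in for the encrypted proof token a real RSTR carries). Nonce and timestamp handling at the service is likewise a constructed illustration of replay detection.

```python
"""Toy model of the active requestor exchange (slide 18) with holder-of-key
proof of possession (slide 17). Constructed example, not ADFS or WS-Trust code."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed keys; a real STS and service would use X.509 and WS-Security instead.
STS_SIGNING_KEY = b"identity-provider-sts-signing-key"
STS_SERVICE_SECRET = b"secret-shared-by-sts-and-orders-service"  # lets the service derive proof keys
TOKEN_LIFETIME = 3600  # active clients may cache tokens (slide 17); the cache is bounded by expiry
REQUEST_WINDOW = 300   # seconds a request timestamp may differ from the service clock

# Constructed WS-Policy stand-in: what the target service says it requires
SERVICE_POLICY = {"issuer": "urn:adatum:ip-sts", "token_type": "holder-of-key",
                  "required_claims": ["upn", "role"]}


def hmac_hex(key, *parts):
    """HMAC-SHA256 over '|'-joined parts; used for token signatures and proofs."""
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def fetch_service_policy():
    """Step 'fetch service policy': the client learns which token to ask for."""
    return dict(SERVICE_POLICY)


def sts_issue(upn, roles, policy, now=None):
    """IP STS answering an RST: a signed holder-of-key token plus the proof key (RSTR)."""
    issued = now if now is not None else time.time()
    token_id = secrets.token_hex(8)
    body = {"upn": upn, "role": roles, "token_id": token_id,
            "expires": issued + TOKEN_LIFETIME, "type": policy["token_type"]}
    payload = json.dumps(body, sort_keys=True)
    token = {"payload": payload, "mac": hmac_hex(STS_SIGNING_KEY, payload)}
    # Proof key derived per token; the service re-derives the same key from token_id.
    proof_key = hmac_hex(STS_SERVICE_SECRET, token_id).encode()
    return {"token": token, "proof_key": proof_key}


def client_sign_request(rstr, body, now=None):
    """Active client: attach the token and prove possession of the key it is bound to."""
    ts = str(int(now if now is not None else time.time()))
    nonce = secrets.token_hex(8)
    sig = hmac_hex(rstr["proof_key"], body, ts, nonce, rstr["token"]["mac"])
    return {"token": rstr["token"], "body": body, "ts": ts, "nonce": nonce, "sig": sig}


class OrdersService:
    """Target service: verifies the STS signature, then the holder-of-key proof."""

    def __init__(self):
        self.seen_nonces = set()

    def handle(self, req, now=None):
        now = now if now is not None else time.time()
        token = req["token"]
        if not hmac.compare_digest(hmac_hex(STS_SIGNING_KEY, token["payload"]), token["mac"]):
            return 401  # token not issued by the trusted STS
        claims = json.loads(token["payload"])
        if claims["expires"] <= now or claims["type"] != "holder-of-key":
            return 401
        proof_key = hmac_hex(STS_SERVICE_SECRET, claims["token_id"]).encode()
        expected = hmac_hex(proof_key, req["body"], req["ts"], req["nonce"], token["mac"])
        if not hmac.compare_digest(expected, req["sig"]):
            return 401  # holder of the token could not prove possession of its key
        if abs(now - int(req["ts"])) > REQUEST_WINDOW or req["nonce"] in self.seen_nonces:
            return 401  # stale or replayed message
        self.seen_nonces.add(req["nonce"])
        if "Purchaser" not in claims["role"]:
            return 403
        return 200


def run_exchange(upn, roles, body="POST /orders {sku: 1234, qty: 2}"):
    """Slide 18's sequence: fetch policy, request token, send secured request."""
    policy = fetch_service_policy()
    rstr = sts_issue(upn, roles, policy)
    service = OrdersService()
    req = client_sign_request(rstr, body)
    return service, req, service.handle(req)


if __name__ == "__main__":
    _, _, status = run_exchange("alice@adatum.example", ["Purchaser"])
    print(status)  # 200
```

Contrast with the passive model: here the token alone buys nothing, because the proof key never travels with the request, so a request body cannot be swapped under a captured token and an identical message is caught by the nonce cache. That is the sense in which slide 17 can promise rich client-side caching "w/o security risk".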

19 Review
  - Overview of Enterprise Federation
  - Challenges/Solutions
  - Individual Group Discussions (led)
  - Large Group “Debate”
  http://blogs.charteris.com/blogs/IvorB
  Ivor.Bright@Charteris.com

