Active Directory Federation Services
- Don Schmidt
- Senior Program Manager
- Distributed Systems Group
- Microsoft Corporation
Agenda
- Federated Identity and Access Management
  - Definition and terminology
- Active Directory Federation Services
  - Architecture and components
  - Managing access with claims (user attributes)
  - Deployment and programming models
  - Demos
- ADFS WS-* specifications heritage
  - Multi-vendor interoperability
Federated Identity and Access Management
- Industry definition of FIAM
  - Standards-based technology and IT processes
  - Distributed identification, authentication and authorization
  - Across boundaries (security, departmental, organizational or platform boundaries)
- ADFS vision
  - Log on once, secure access to everything
  - Leverage Windows identity and services as broadly as possible
Security Tokens and Claims: distributed authentication/authorization
- Security tokens assert claims
- Claims: statements authorities make about security principals (name, identity, key, group, privilege, capability, etc.)
Security Token Service
- A security token service issues security tokens
- [Diagram labels: Key Distribution Center, Security Token Service]
- STSs can swap tokens as a request crosses security domain boundaries
Federated IAM in Action: cross-organization, cross-platform Web SSO
[Diagram labels: Federation Claims, Application Claims, SIDs, Trey Research Inc., A. Datum Corp.]
- User clicks the A. Datum portal link to the Trey Research order processing application
- User is redirected to the A. Datum STS
- User is seamlessly authenticated via Kerberos (Windows integrated authentication against AD)
- User obtains a SAML security token from the A. Datum STS for the Trey Research STS: federation claims per the business agreement
- User obtains a SAML security token from the Trey Research STS for the application: federation and application-specific claims
- User accesses the Trey Research order processing application
Active Directory Federation Services
ADFS Architecture
- Active Directory
  - Authenticates users
  - Manages attributes used to populate claims
- Federation Service (FS)
  - STS: issues security tokens
  - Manages federation trust policy
- Federation Service Proxy (FS-P)
  - Client proxy for token requests
  - Provides UI for browser clients
- Web Server SSO Agent
  - Enforces user authentication
  - Creates user authorization context
[Diagram labels: Windows Authentication/LDAP, LPC/Web Methods, HTTPS]
Notes: ADFS supports both W2K and W2K3 forests. FS and FS-P are co-located by default but can be separate boxes. FS, FS-P and the SSO agent require IIS v6 on W2K03 R2. Browser clients only for ADFS v1 (the W2K03 R2 release).
Federation Service
- ASP.NET-hosted service running on IIS v6 on W2K3 Server R2
- Federation policy management
  - Establishes trust for signed security tokens by certificate-based key distribution
  - Defines token/claim types and a shared namespace for federated security realms
- Security token generation
  - Retrieves user attributes for claim generation from AD (or ADAM) via LDAP
  - Transforms claims (if required) between internal and federation namespaces
  - Builds the signed SAML security token and sends it to the LS (the FS-P, which handles the browser-facing logon)
  - Builds the user SSO cookie contents and sends them to the LS
- User authentication
  - Validates ID/password via LDAP bind for forms-based authentication
Federation Service Proxy
- ASP.NET-hosted service running on IIS v6 on W2K03 Server R2
- User authentication
  - Provides UI for home realm discovery and forms-based logon
  - Authenticates users for Windows Integrated and client SSL authentication
  - Writes the user SSO cookie to the browser (similar to a Kerberos TGT)
- Security token processing
  - Requests a security token for the client from the FS
  - Routes the token to the web server via POST redirect through the browser
Web Server SSO Agent
- ISAPI extension for IIS v6 on W2K3 Server R2
  - User authentication
    - Intercepts URL GET requests and redirects unauthenticated clients to the LS
    - Writes the web server SSO cookie to the browser (similar to a Kerberos service ticket)
- Windows service
  - User authorization
    - Creates an NT token for impersonation (AD users only)
- Managed web module
  - Security token processing
    - Validates the user's security token and parses the claims in the token
  - User authorization
    - Populates the ASP.NET GenericPrincipal context from claims to support IsInRole()
    - Provides raw claims to the app
ADFS Trust Message Flows
- STS trust and claims policy setup (out of band)
- Browser application and security token requests (HTTPS)
ADFS Identity Federation for IAM: projects AD identities to other security realms
Federation servers manage:
- Trust: keys
- Security: claims required
- Privacy: claims allowed
- Audit: identities, authorities
[Diagram: two federation servers, one per realm]
ADFS Claim Token Processing
ADFS Supported Security Tokens
- Currently only issues SAML tokens
- Tokens are not encrypted
  - All messages are over HTTPS
- Tokens are signed
  - (default) Signed with an RSA private key; the signature is verified with the public key from the X.509 certificate
  - (optional) Can be signed with a Kerberos session key: FS-R tokens for the Web Server SSO Agent
    - The NT service component of the Web Server SSO Agent must run as a domain service account and must have an SPN configured
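Slides 8, 11 and 17 together describe what an ADFS v1 token is and how it is checked: a SAML assertion carrying claims, signed with the issuing Federation Service's RSA key, verified by the receiver with the public key from the partner's X.509 certificate, not encrypted (hence HTTPS for every message), and in the federated case issued twice, once by the account partner's STS for the resource partner's STS and once by the resource STS for the application. The Go program below is an added example written for this page, not ADFS code or Microsoft's; it uses only the Go standard library. Its Assertion type is a deliberately simplified SAML-shaped structure with a detached signature rather than a real XML-DSig envelope, the STS names, UPN, group and SID are constructed, and NewSTS generates a self-signed certificate so the example runs offline where ADFS would import the partner's certificate into trust policy once, out of band.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/xml"
	"fmt"
	"math/big"
	"time"
)

// Claim is one statement an authority makes about the principal (slide 18 claim types).
type Claim struct {
	Type  string `xml:"type,attr"`
	Value string `xml:",chardata"`
}

// Assertion is a simplified SAML-shaped token; a detached signature replaces ADFS's XML-DSig envelope.
type Assertion struct {
	Issuer       string   `xml:"Issuer,attr"`
	Audience     string   `xml:"Audience,attr"`
	NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
	Claims       []Claim  `xml:"AttributeStatement>Attribute"`
	SIDs         []string `xml:"Advice>SID"` // ADFS-to-ADFS only: Advice element, not a claim
}

// STS models a Federation Service: an RSA signing key plus the X.509 certificate partners import out of band.
type STS struct {
	Name string
	Cert *x509.Certificate
	key  *rsa.PrivateKey
}

func NewSTS(name string) (*STS, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &STS{Name: name, Cert: cert, key: key}, err
}

// Issue signs the serialised assertion with the STS RSA key (PKCS#1 v1.5, SHA-256); nothing is encrypted.
func (s *STS) Issue(a Assertion, ttl time.Duration) (token, sig []byte, err error) {
	a.Issuer = s.Name
	a.NotOnOrAfter = time.Now().Add(ttl).UTC().Format(time.RFC3339)
	if token, err = xml.Marshal(a); err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(token)
	sig, err = rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA256, digest[:])
	return token, sig, err
}

// Verify is the receiving side (partner STS or Web Server SSO Agent): check the signature with the
// partner certificate's public key, then that the assertion names that partner, is for us, and is unexpired.
func Verify(token, sig []byte, partner *x509.Certificate, audience string) (Assertion, error) {
	pub := partner.PublicKey.(*rsa.PublicKey) // trust policy is admin-configured and RSA-only here
	digest := sha256.Sum256(token)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return Assertion{}, fmt.Errorf("signature check failed: %w", err)
	}
	var a Assertion
	if err := xml.Unmarshal(token, &a); err != nil {
		return Assertion{}, err
	}
	if a.Issuer != partner.Subject.CommonName || a.Audience != audience {
		return Assertion{}, fmt.Errorf("token from %q for %q is not acceptable here", a.Issuer, a.Audience)
	}
	if exp, err := time.Parse(time.RFC3339, a.NotOnOrAfter); err != nil || !time.Now().Before(exp) {
		return Assertion{}, fmt.Errorf("token expired or has no usable NotOnOrAfter")
	}
	return a, nil
}

// main walks slide 8 with constructed names: account STS -> resource STS -> application.
func main() {
	adatum, _ := NewSTS("sts.adatum.example")
	trey, _ := NewSTS("sts.treyresearch.example")
	fedXML, fedSig, _ := adatum.Issue(Assertion{Audience: trey.Name, SIDs: []string{"S-1-5-21-1-2-3-1105"},
		Claims: []Claim{{"UPN", "alice@adatum.example"}, {"Group", "Purchasing"}}}, 10*time.Minute)
	inbound, err := Verify(fedXML, fedSig, adatum.Cert, trey.Name) // Trey's STS checks the partner token
	fmt.Println("federation claims:", inbound.Claims, inbound.SIDs, err)
	app := "https://orders.treyresearch.example/"
	appXML, appSig, _ := trey.Issue(Assertion{Audience: app, Claims: inbound.Claims}, 10*time.Minute)
	fmt.Println(Verify(appXML, appSig, trey.Cert, app)) // what the Web Server SSO Agent validates
}
```

Print the token bytes and the claims are there in clear text: nothing in the token hides them, which is why the slide leans on HTTPS for confidentiality. Change one byte of the XML and the signature check fails; present an intact token to the wrong audience, with the wrong partner certificate, or after NotOnOrAfter and it is refused even though the signature is good. Those audience and expiry checks are the receiver's job, not the signer's, and a Web Server SSO Agent that verified only the signature would accept a token minted for a different application.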
ADFS Supported Claim Types
- WS-Federation interoperable claim types
  - Identity
    - User Principal Name (UPN)
    - Email address
    - Common Name (any string value)
  - Group
  - Custom
    - Name/value pair (e.g. SSN / 123-45-6789)
- ADFS-to-ADFS only authZ data
  - SIDs
    - Sent to avoid employee shadow accounts in the extranet DMZ
    - Sent in the SAML token Advice element (not a standard claim type)
- Organizational claims
  - Common set of claims across account stores and partners
  - Mark organizational claims as sensitive (not audited/logged)
ADFS Claims Processing Extensibility
- Interface allows plug-in modules to be developed for custom claim transformation
  - ADFS v1 FS supports one claim transform module, not a pipeline of multiple modules
  - Further lookups to an LDAP or SQL store
  - Complex claim transformations requiring computation
ADFS Federation Claims Flow
ADFS Deployment and Programming Models
B2B Federated Web SSO: partners do NOT need local (shadow) accounts
- Web-based Purchasing and Inventory Control apps
- Partner employees use their corporate AD accounts
- Intranet UX: Web SSO after Windows desktop logon
- Internet UX: Web SSO after forms-based logon or SSL client authN
B2E Web SSO (Windows Trust): single sign-on for HQ and road warrior users
- Web-based Wholesale Order Entry app in the DMZ
- All employees have accounts in the intranet AD
- Intranet UX: Web SSO after Windows desktop logon
- Internet UX: Web SSO after forms-based logon or SSL client authN
B2C Classic Web SSO: classic Web SSO for Internet customers
- Web-based Retail Order Entry and Customer Service apps
- Customers issued user accounts in the DMZ (AD or ADAM)
- Internet UX: Web SSO after forms-based logon
ADFS App Programming Model
- Web Server SSO Agent
  - Authenticates users for the app
  - Creates authorization context for the app
- NT impersonation and ACLs
- ASP.NET IsInRole()
  - String match: you do all the authorization logic
- AzMan RBAC integration
  - App can add Role/Group claims to the AzMan context
- ASP.NET raw claims API
  - System.Web.Security.SingleSignOn.Authorization
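Slides 18, 19 and 25 describe the claim side of the pipeline: the interoperable claim types, a single claim-transformation module on the resource-side Federation Service (optionally doing further lookups in an LDAP or SQL store), sensitive organizational claims kept out of audit logs, and an ASP.NET principal whose IsInRole() is nothing more than a string match over the claims the agent parsed. The Go program below is an added example, not ADFS's or Microsoft's code. The transformation rules, the in-memory map standing in for the LDAP/SQL lookup, the policy of dropping partner Group claims that have no rule, and every name and value are constructed for the illustration; the claim-type constants are this example's names for the types the slide lists.

```go
package main

import (
	"fmt"
	"strings"
)

// The WS-Federation interoperable claim types from slide 18, as this example names them.
const (
	UPN    = "UPN"
	Email  = "Email"
	CN     = "CommonName"
	Group  = "Group"
	Custom = "Custom"
)

type Claim struct {
	Type, Name, Value string // Name is only used for Custom name/value pairs
	Sensitive         bool   // slide 18: sensitive organizational claims stay out of audit logs
}

// TransformRule maps one incoming organizational claim to one outgoing application claim.
type TransformRule struct {
	InType, InValue, OutType, OutValue string
}

// Transform is the single claim-transformation step of slide 19. rules is the static mapping
// agreed with the partner; extra stands in for a "further lookup to an LDAP or SQL store",
// keyed by UPN (constructed data). Example policy: identity and custom claims pass through,
// and a Group claim with no rule is dropped so the app never sees unmapped partner groups.
func Transform(in []Claim, rules []TransformRule, extra map[string][]Claim) []Claim {
	var out []Claim
	for _, c := range in {
		mapped := false
		for _, r := range rules {
			if c.Type == r.InType && c.Value == r.InValue {
				out = append(out, Claim{Type: r.OutType, Value: r.OutValue})
				mapped = true
			}
		}
		if !mapped && c.Type != Group {
			out = append(out, c)
		}
		if c.Type == UPN {
			out = append(out, extra[c.Value]...)
		}
	}
	return out
}

// Principal is what the Web Server SSO Agent hands to ASP.NET: a name plus the raw claims,
// which also back IsInRole().
type Principal struct {
	Name   string
	Claims []Claim
}

func NewPrincipal(claims []Claim) Principal {
	p := Principal{Claims: claims}
	for _, c := range claims {
		if c.Type == UPN {
			p.Name = c.Value
		}
	}
	return p
}

// IsInRole is a plain string match over Group claims, exactly as slide 25 warns: anything
// finer than "is this role name present" is the application's own authorization logic.
func (p Principal) IsInRole(role string) bool {
	for _, c := range p.Claims {
		if c.Type == Group && c.Value == role {
			return true
		}
	}
	return false
}

// AuditLine renders the claims for an audit log entry, redacting values marked sensitive.
func AuditLine(claims []Claim) string {
	parts := make([]string, 0, len(claims))
	for _, c := range claims {
		v := c.Value
		if c.Sensitive {
			v = "<redacted>"
		}
		parts = append(parts, c.Type+"="+v)
	}
	return strings.Join(parts, " ")
}

func main() {
	// Constructed federation claims as they might arrive from the account partner's STS.
	inbound := []Claim{{Type: UPN, Value: "alice@adatum.example"}, {Type: Group, Value: "Purchasing"},
		{Type: Group, Value: "Social Committee"}, {Type: Custom, Name: "EmployeeID", Value: "E-1041", Sensitive: true}}
	rules := []TransformRule{{Group, "Purchasing", Group, "TreyBuyer"}}
	extra := map[string][]Claim{"alice@adatum.example": {{Type: Group, Value: "TreyPreferredPartner"}}}
	p := NewPrincipal(Transform(inbound, rules, extra))
	fmt.Println(p.Name, p.IsInRole("TreyBuyer"), p.IsInRole("Purchasing"), AuditLine(p.Claims))
}
```

The partner's "Purchasing" group becomes the application's "TreyBuyer" role and "Social Committee" disappears, so IsInRole("Purchasing") is false on the resource side even though the user is in that group at home: the application's authorization vocabulary is whatever the transform emits, and the Email and CommonName constants are there only to show the full set of types the slide names. The audit line carries the claim types but not the sensitive EmployeeID value, which is the practical meaning of marking an organizational claim sensitive.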
Federated IAM via Claims and RBAC: ADFS Authorization Manager integration
[Diagram labels: Federation Domain, Web Server, Resource Domain, Account Domain]
ADFS Supply Chain Purchasing
- Derek Del Conte
- ADFS Program Manager
- DSG
ADFS WSS Document Collaboration
- Mike Neuburger
- ADFS Program Manager
- DSG
ADFS Web Services Specifications Heritage: Interoperability and Extensibility
Web Services Specifications
[Diagram of the WS-* stack, layers listed top to bottom: Connected Applications (P2P, EAI, B2B, Grid, Business Process, Devices, Mobile); Management; Reliable Delivery, Security, Transactions, Metadata; Messaging; XML; Transports]
WS-Federation
- Web Services Federation Language
- Defines messages to enable security realms to federate and exchange security tokens
- Authors: BEA, IBM, Microsoft, RSA, VeriSign
- Two profiles of the model defined
  - Passive (browser) clients: HTTP/S
  - Active (smart) clients: SOAP
Passive Requestor Profile: supported by ADFS v1 in W2K03 R2
- Binding of WS-Federation and WS-Trust for browser (passive) clients
- Implicitly adheres to policy by following redirects
- Implicitly acquires tokens via HTTP messages
- Authentication requires secure transport (HTTPS)
- Cannot provide proof of possession for tokens
- Limited (time-based) token caching
- Tokens can be replayed
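The last three bullets are the ones a deployer has to take seriously: a passive client never proves it holds a key bound to the token, so whoever captures the POSTed token body can present it again until NotOnOrAfter passes. The Go program below is an added example, not ADFS code or Microsoft's: it shows the one server-side mitigation that remains without proof of possession, a cache of consumed assertion IDs that lives exactly as long as the token's validity window plus a small clock-skew allowance, so that the second presentation of the same assertion is refused. The assertion ID, timestamps and skew are constructed values.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// PostedToken is the part of a browser-POSTed security token the agent needs for replay
// control: the assertion's unique ID and the validity window the STS stamped on it.
type PostedToken struct {
	AssertionID  string
	NotBefore    time.Time
	NotOnOrAfter time.Time
}

// ReplayGuard remembers consumed assertion IDs until their window closes. A passive client
// cannot prove possession of the token (slide 32), so an agent that only checks the time
// window accepts a captured POST body again; refusing IDs it has already seen is the
// server-side mitigation, and it costs memory only for the token lifetime plus skew.
type ReplayGuard struct {
	skew time.Duration
	seen map[string]time.Time // assertion ID -> NotOnOrAfter
}

func NewReplayGuard(skew time.Duration) *ReplayGuard {
	return &ReplayGuard{skew: skew, seen: make(map[string]time.Time)}
}

// Accept validates the window with a small clock-skew allowance and rejects any assertion
// ID still in the cache. now is a parameter so the behaviour is testable without sleeping.
func (g *ReplayGuard) Accept(t PostedToken, now time.Time) error {
	g.prune(now)
	if now.Add(g.skew).Before(t.NotBefore) {
		return errors.New("token not yet valid")
	}
	if !now.Before(t.NotOnOrAfter.Add(g.skew)) {
		return errors.New("token expired")
	}
	if _, dup := g.seen[t.AssertionID]; dup {
		return fmt.Errorf("replay: assertion %s already consumed", t.AssertionID)
	}
	g.seen[t.AssertionID] = t.NotOnOrAfter
	return nil
}

// prune forgets IDs whose window (plus skew) has closed: the time check would refuse those
// tokens anyway, so remembering them is wasted memory.
func (g *ReplayGuard) prune(now time.Time) {
	for id, exp := range g.seen {
		if !now.Before(exp.Add(g.skew)) {
			delete(g.seen, id)
		}
	}
}

// Cached reports how many assertion IDs are currently remembered.
func (g *ReplayGuard) Cached() int { return len(g.seen) }

func main() {
	now := time.Date(2005, 6, 7, 12, 0, 0, 0, time.UTC) // constructed clock for the demo
	tok := PostedToken{AssertionID: "_a1f3", NotBefore: now, NotOnOrAfter: now.Add(10 * time.Minute)}
	g := NewReplayGuard(2 * time.Minute)
	fmt.Println(g.Accept(tok, now))                  // first presentation is accepted
	fmt.Println(g.Accept(tok, now.Add(time.Minute))) // same token again inside its window: replay
	fmt.Println(g.Accept(tok, now.Add(time.Hour)))   // long after NotOnOrAfter: expired
}
```

The cache narrows the exposure but does not remove it: it only catches a token presented a second time to the same agent, so an attacker who captures the POST and races it in before the legitimate browser wins, and a web farm needs a shared store or the check is per node. That is why the slide pairs "tokens can be replayed" with HTTPS as a requirement and with limited, time-based caching; short token lifetimes and transport protection are the primary controls, and the ID cache is the backstop.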
Sample Flow: Browser Client
[Diagram: Requesting Browser, Requestor's IP/STS, Target Resource, Target's IP/STS; the flow starts with the browser's "Get resource" request]
Active Requestor Profile: future ADFS release in the Longhorn wave
- Binding of WS-Federation and WS-Trust for SOAP/XML-aware (active) clients
- Explicitly determines token needs from policy
- Explicitly requests tokens via SOAP messages
- Strong authentication of all requests
- Can provide proof of possession for tokens
- Supports delegation
  - Client can provide a token for the web service to use on its behalf
- Allows rich token caching at the client
  - Improved user experience and performance
Sample Flow: Active SOAP Client (WS-Policy used to route client token requests)
[Diagram: Requesting Service, Requestor's IP/STS, Target Service, Target's IP/STS]
WS-Federation Interoperability
- WS-* public workshops/mailing list prepare specs for submission to standards bodies
  - http://groups.yahoo.com/group/WS-Security-Workshops/
- WS-Federation vendor workshop (3/29/04)
  - Passive Requestor Profile, SAML token
  - Microsoft, IBM, RSA, Oblix, OpenNetwork, Netegrity, PingID
  - 100% interop achieved by all participants
- WS-Federation product previews at TechEd
  - Interop pavilion and vendor panel
ADFS Vendor Interoperability via WS-Federation
- For more information
  - ADFS White Paper
  - WS-Federation White Paper, with links to the specifications
  - WS-Federation Interoperability Workshop White Paper, with a link to the interoperability profile download