2
Active Directory Federation Services
  • Don Schmidt
  • Senior Program Manager
  • Distributed Systems Group
  • Microsoft Corporation

3
Agenda
  • Federated Identity and Access Management
    • Definition and terminology
  • Active Directory Federation Services
    • Architecture and Components
    • Managing Access with Claims (User Attributes)
    • Deployment and Programming Models
    • Demos
  • ADFS WS-* Specifications Heritage
    • Multi-vendor Interoperability

4
Federated Identity and Access Management
  • Industry Definition of FIAM
    • Standards-based technology and IT processes
    • Distributed identification, authentication and
      authorization
    • Across boundaries (security, departmental,
      organizational or platform boundaries)
  • ADFS Vision
    • Log on once, secure access to everything
    • Leverage Windows identity and services as broadly
      as possible

5
Federated Identity and Access Management
  • Industry Definition
  • Standards-based technology IT processes
  • Distributed identification, authentication
    authorization
  • Across boundaries (security, departmental,
    organizational or platform boundaries)
  • ADFS Vision
  • Log on once, secure access to everything
  • Leverage Windows identity and services as broadly
    as possible

6
Security Tokens and Claims: Distributed
authentication/authorization
Security tokens assert claims. Claims are statements
authorities make about security principals (name,
identity, key, group, privilege, capability, etc.).
7
Security Token Service
A security token service issues security tokens
(diagram: Key Distribution Center and Security Token
Service, i.e. a Kerberos KDC is one kind of STS)
STSs can swap tokens as a request crosses
security domain boundaries
8
Federated IAM in Action: Cross-organization,
cross-platform Web SSO
(diagram: A.Datum Corp. and Trey Research Inc.; claim
sets shown are SIDs, Federation Claims and Application
Claims)
  • User clicks A.Datum portal link to Trey
    Research order processing application
  • User redirected to A.Datum STS
    • Seamlessly authenticated via Kerberos (Windows
      integrated AuthN to AD)
  • User obtains SAML security token from A.Datum
    STS for Trey Research STS
    • Federation claims per business agreement
  • User obtains SAML security token from Trey
    Research STS for application
    • Federation and application-specific claims
  • User accesses Trey Research order processing
    application

9
Active Directory Federation Services
10
ADFS Architecture
  • Active Directory
    • Authenticates users
    • Manages attributes used to populate claims
  • Federation Service (FS)
    • STS: issues security tokens
    • Manages federation trust policy
  • FS Proxy (FS-P)
    • Client proxy for token requests
    • Provides UI for browser clients
  • Web Server SSO Agent
    • Enforces user authentication
    • Creates user authorization context

(diagram link labels: Windows Authentication/LDAP,
LPC/Web Methods, HTTPS)
Note: ADFS supports both W2K and W2K3 forests. FS and
FS-P are co-located by default but can be separate
boxes. FS, FS-P and SSO agent require IISv6 on W2K03
R2. Browser clients only for ADFSv1 (W2K03 R2
release).
11
Federation Service
  • ASP.NET-hosted service running on IISv6 - W2K3
    Server R2
  • Federation Policy management
    • Establishes trust for signed security tokens by
      certificate-based key distribution
    • Defines token/claim types and shared namespace for
      Federated security realms
  • Security token generation
    • Retrieves user attributes for claim generation
      from AD (or ADAM) via LDAP
    • Transforms claims (if required) between internal and
      federation namespaces
    • Builds signed SAML security token and sends to LS
    • Builds User SSO cookie contents and sends to LS
  • User authentication
    • Validates ID/Password via LDAP Bind for
      Forms-based authentication

12
Federation Service Proxy
  • ASP.NET-hosted service running on IISv6 - W2K03
    Server R2
  • User authentication
    • Provides UI for Home Realm Discovery and
      Forms-based Logon
    • Authenticates users for Windows Integrated and
      Client SSL authentication
    • Writes User SSO cookie to Browser (similar to
      Kerberos TGT)
  • Security token processing
    • Requests security token for client from FS
    • Routes token to web server via POST redirect
      through Browser

13
Web Server SSO Agent
  • ISAPI extension for IISv6 - W2K3 Server R2
    • User authentication
      • Intercepts URL GET requests and redirects
        un-authenticated clients to LS
      • Writes Web Server SSO cookie to Browser
        (similar to Kerberos service ticket)
  • Windows Service
    • User authorization
      • Creates NT Token for impersonation (AD users
        only)
  • Managed Web Module
    • Security token processing
      • Validates user's security token and parses claims
        in token
    • User authorization
      • Populates ASP.NET GenericPrincipal context from
        claims to support IsInRole()
      • Provides raw claims to app

14
ADFS Trust Message Flows
(diagram: STS trust and claims policy setup happens out of
band; browser application and security token requests
travel over HTTPS)
15
ADFS Identity Federation for IAM: Projects AD
Identities to other security realms
Federation Servers
  • Manage
    • Trust -- Keys
    • Security -- Claims required
    • Privacy -- Claims allowed
    • Audit -- Identities, authorities
(diagram: two Federation Servers, one per realm)
16
ADFS Claim Token Processing
17
ADFS Supported Security Tokens
  • Currently only issue SAML tokens
  • Tokens are not encrypted
    • All messages are over HTTPS
  • Tokens are signed
    • (default) Signed with RSA private key and
      signature verified with public key from X.509
      certificate
    • (optional) Can be signed with Kerberos session
      key
      • FS-R tokens for Web server SSO Agent
      • NT service component of Web server SSO Agent must
        run as a domain service account and must have an
        SPN configured

18
ADFS Supported Claim Types
  • WS-Federation interoperable claim types
    • Identity
      • User Principal Name (UPN)
      • Email Address
      • Common Name (any string value)
    • Group
    • Custom
      • name/value pair (eg SSN / 123-45-6789)
  • ADFS-to-ADFS only authZ data
    • SIDs
      • Sent to avoid employee shadow accounts in
        extranet DMZ
      • Sent in SAML token Advice element (not a standard
        claim type)
  • Organizational claims
    • Common set of claims across account stores and
      partners
    • Mark organizational claims as sensitive (not
      audited/logged)

19
ADFS Claims Processing Extensibility
  • Interface allows plug-in modules to be developed
    for Custom Claim Transformation
    • ADFS v1 FS supports one claim transform module,
      not a pipeline for multiple modules
    • Further lookups to an LDAP or SQL store
    • Complex claim transformations requiring
      computation

20
ADFS Federation Claims Flow
21
ADFS Deployment and Programming Models
22
B2B Federated Web SSO: Partners do NOT need
local (shadow) accounts
  • Web-based Purchasing and Inventory Control apps
  • Partner employees use their corporate AD accounts
  • Intranet UX: Web SSO after Windows desktop logon
  • Internet UX: Web SSO after Forms-based logon or
    SSL client authN

23
B2E Web SSO with Windows Trust: Single sign-on for
HQ and Road Warrior users
  • Web-based Wholesale Order Entry app in DMZ
  • All employees have accounts in intranet AD
  • Intranet UX: Web SSO after Windows desktop logon
  • Internet UX: Web SSO after Forms-based logon or
    SSL client authN

24
B2C Classic Web SSO: Classic Web SSO for Internet
customers
  • Web-based Retail Order Entry and Customer Service
    apps
  • Customers issued user accounts in DMZ (AD or
    ADAM)
  • Internet UX: Web SSO after Forms-based logon

25
ADFS App Programming Model
  • Web Server SSO Agent
    • Authenticates users for app
    • Creates authorization context for app
  • NT Impersonation and ACLs
  • ASP.NET IsInRole()
    • String match; you do all the authorization logic
  • AzMan RBAC integration
    • App can add Role/Group claims to AzMan context
  • ASP.NET Raw Claims API
    • System.Web.Security.SingleSignOn.Authorization
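
The A.Datum/Trey Research flow from the "Federated IAM in Action" slide, carried through the policy roles the Federation Servers slide lists (trust keys, claims required, claims allowed), the group-to-role claim transform of the claims slides, and the IsInRole() string match of this slide, as an added Python example. It is not code from the deck or from ADFS: HMAC-SHA256 with a per-issuer key stands in for the RSA/X.509 token signing ADFS uses (so the verifier here holds the same secret as the signer), and the issuer URIs, directory entry, business agreement and group-to-role table are invented for the example.

```python
"""Federation chain from the A.Datum/Trey Research slide, as runnable Python.

Added example, not ADFS code. HMAC-SHA256 with a per-issuer key stands in
for the RSA/X.509 signing ADFS uses; issuer URIs, the directory entry, the
business agreement and the group-to-role table are invented.
"""
import hashlib
import hmac
import json
import time

# Constructed signing keys, one per STS. In ADFS each FS holds an RSA private
# key and partners are given the matching X.509 certificate.
SIGNING_KEYS = {
    "urn:adatum:sts": b"adatum-signing-key",
    "urn:treyresearch:sts": b"trey-signing-key",
}
ORDERS_APP = "https://orders.treyresearch.example/"   # invented app URI


def issue(issuer, claims, audience, ttl=600):
    """STS: build a signed token (SAML assertion stand-in) for one audience."""
    now = int(time.time())
    body = {"issuer": issuer, "audience": audience,
            "nb": now, "exp": now + ttl, "claims": claims}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEYS[issuer], payload, hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify(token, expected_audience, trusted_issuers):
    """Relying side: signature against the trust policy, then audience and lifetime."""
    body = token["body"]
    key = trusted_issuers.get(body["issuer"])
    if key is None:
        raise ValueError("untrusted issuer: " + body["issuer"])
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise ValueError("signature check failed")
    if body["audience"] != expected_audience:
        raise ValueError("token was issued for a different audience")
    now = int(time.time())
    if not body["nb"] <= now < body["exp"]:
        raise ValueError("token outside its validity window")
    return body["claims"]


# --- Account partner (A.Datum) -------------------------------------------
# Constructed directory entry: what the FS would read from AD over LDAP after
# Kerberos has authenticated the browser user.
ADATUM_DIRECTORY = {
    "alice": {"upn": "alice@adatum.com", "email": "alice@adatum.com",
              "groups": ["Purchasing", "Domain Users"], "ssn": "123-45-6789"},
}
# Privacy policy for this partner (the business agreement): organizational
# claims allowed to leave the realm. The sensitive custom claim is not listed.
ADATUM_CLAIMS_ALLOWED_TO_TREY = {"upn", "email", "groups"}


def adatum_sts_issue(user):
    """AD attributes -> organizational claims -> federation token for Trey's STS."""
    entry = ADATUM_DIRECTORY[user]
    org_claims = {"upn": entry["upn"], "email": entry["email"],
                  "groups": list(entry["groups"]), "ssn": entry["ssn"]}
    fed_claims = {k: v for k, v in org_claims.items()
                  if k in ADATUM_CLAIMS_ALLOWED_TO_TREY}
    return issue("urn:adatum:sts", fed_claims, audience="urn:treyresearch:sts")


# --- Resource partner (Trey Research) ------------------------------------
# Trust policy: accepted account partners and their verification keys.
TREY_TRUSTED_PARTNERS = {"urn:adatum:sts": SIGNING_KEYS["urn:adatum:sts"]}
# Claim transform: (partner, group claim) -> application role claim.
TREY_GROUP_TO_ROLE = {("urn:adatum:sts", "Purchasing"): "OrderEntry"}


def trey_sts_issue(fed_token):
    """Validate the partner token, transform claims, issue the application token."""
    claims = verify(fed_token, "urn:treyresearch:sts", TREY_TRUSTED_PARTNERS)
    if "upn" not in claims:                      # security policy: claims required
        raise ValueError("required claim 'upn' missing")
    issuer = fed_token["body"]["issuer"]
    roles = sorted({TREY_GROUP_TO_ROLE[(issuer, g)]
                    for g in claims.get("groups", [])
                    if (issuer, g) in TREY_GROUP_TO_ROLE})
    app_claims = {"upn": claims["upn"], "email": claims["email"], "roles": roles}
    return issue("urn:treyresearch:sts", app_claims, audience=ORDERS_APP)


class Principal:
    """What the Web Server SSO Agent hands the app: identity, IsInRole, raw claims."""

    def __init__(self, app_token):
        self.raw_claims = verify(
            app_token, ORDERS_APP,
            {"urn:treyresearch:sts": SIGNING_KEYS["urn:treyresearch:sts"]})
        self.name = self.raw_claims["upn"]

    def is_in_role(self, role):
        return role in self.raw_claims["roles"]   # plain string match, as on the slide


if __name__ == "__main__":
    principal = Principal(trey_sts_issue(adatum_sts_issue("alice")))
    print(principal.name, principal.is_in_role("OrderEntry"), principal.raw_claims)
```

Two things the walk-through makes concrete: the SSN never leaves A.Datum because the outgoing policy filters it before the federation token is signed, and the application token names the application as its audience, so a federation token captured in transit cannot be presented to the Web Server SSO Agent directly.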

26
Federated IAM via Claims and RBAC: ADFS
Authorization Manager integration
(diagram: Account Domain, Federation Domain, Resource
Domain and Web Server)
27
ADFS Supply Chain Purchasing
  • Derek Del Conte, ADFS Program Manager
  • DSG

28
ADFS WSS Document Collaboration
  • Mike Neuburger
  • ADFS Program Manager
  • DSG

29
ADFS Web Services Specifications Heritage
Interoperability and Extensibility
30
Web Services Specifications
(diagram: Connected Applications - P2P, EAI, B2B, Grid,
Business Process, Devices, Mobile, Management - layered
over the WS-* stack: Reliable Delivery, Security,
Transactions, Metadata, Messaging, XML, Transports)
31
WS-Federation
  • Web Services Federation Language
    • Defines messages to enable security realms to
      federate and exchange security tokens
    • BEA, IBM, Microsoft, RSA, VeriSign
  • Two profiles of the model defined
    • Passive (Browser) clients: HTTP/S
    • Active (Smart) clients: SOAP

32
Passive Requestor Profile: Supported by ADFSv1 in
W2K03 R2
  • Binding of WS-Federation and WS-Trust for browser
    (passive) clients
    • Implicitly adhere to policy by following
      redirects
    • Implicitly acquire tokens via HTTP msgs
  • Authentication requires secure transport (HTTPS)
  • Cannot provide proof of possession for tokens
  • Limited (time-based) token caching
  • Tokens can be replayed
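
The last three bullets are the caveat a relying party has to design around: with no proof of possession, whoever holds a captured token can present it until it expires (the token is signed but not encrypted, as the Supported Security Tokens slide notes, so its claims are readable too). The following added Python example, not code from the deck or from ADFS, shows what the relying party can still do: insist on a short issued lifetime, enforce the validity window with a small clock-skew allowance, and refuse an assertion ID it has already accepted while that assertion is still inside its window. The token format, key, issuer, audience and IDs are invented; HMAC again stands in for the X.509 signature.

```python
"""Replay mitigation at a passive-profile relying party.

Added example, not ADFS code. Token format, key, issuer and IDs are
invented; HMAC-SHA256 stands in for the X.509 signature check.
"""
import hashlib
import hmac
import json
import uuid

STS_KEY = b"resource-sts-signing-key"   # constructed shared secret
AUDIENCE = "https://orders.treyresearch.example/"   # invented app URI
MAX_SKEW = 60        # seconds of STS/relying-party clock drift tolerated
MAX_LIFETIME = 300   # refuse assertions issued with a longer window than this


def make_token(now, lifetime=MAX_LIFETIME, audience=AUDIENCE, assertion_id=None):
    """STS side: a signed assertion with a unique ID and a time window."""
    body = {"id": assertion_id or str(uuid.uuid4()),
            "issuer": "urn:treyresearch:sts", "audience": audience,
            "nb": now, "exp": now + lifetime,
            "claims": {"upn": "alice@adatum.com"}}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body,
            "sig": hmac.new(STS_KEY, payload, hashlib.sha256).hexdigest()}


class ReplayCache:
    """Assertion IDs already accepted, kept only while they could still be replayed."""

    def __init__(self):
        self._seen = {}   # assertion id -> exp

    def first_use(self, assertion_id, exp, now):
        # Drop IDs whose window (plus skew) has closed: they can no longer pass
        # the time check anyway, so the cache is bounded by lifetime x request rate.
        self._seen = {i: e for i, e in self._seen.items() if e + MAX_SKEW > now}
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = exp
        return True

    def size(self):
        return len(self._seen)


def accept(token, cache, now):
    """Relying party: signature, audience, window, then one-time use. Returns claims."""
    body = token["body"]
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(STS_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise ValueError("signature check failed")
    if body["audience"] != AUDIENCE:
        raise ValueError("wrong audience")
    if body["exp"] - body["nb"] > MAX_LIFETIME:
        raise ValueError("assertion lifetime too long for a bearer token")
    if not body["nb"] - MAX_SKEW <= now < body["exp"] + MAX_SKEW:
        raise ValueError("outside validity window")
    if not cache.first_use(body["id"], body["exp"], now):
        raise ValueError("replayed assertion " + body["id"])
    return body["claims"]


if __name__ == "__main__":
    cache = ReplayCache()
    t = make_token(now=1_000_000)
    print(accept(t, cache, now=1_000_001))       # first use: claims returned
    try:
        accept(t, cache, now=1_000_002)          # same token again: rejected
    except ValueError as e:
        print("rejected:", e)
```

The replay cache only closes the window between first use and expiry, which is why the lifetime cap matters: the shorter the window the STS issues, the less a captured token is worth, and the smaller the cache stays. In a farm of web servers the cache would have to be shared, since a token replayed against a different node would otherwise be a first use there.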

33
Sample Flow: Browser client
(diagram: Requesting Browser, Requestor's IP/STS, Target
Resource, Target's IP/STS; the exchange starts with "Get
resource")
34
Active Requestor Profile: Future ADFS release in
Longhorn wave
  • Binding of WS-Federation and WS-Trust for SOAP/XML
    aware (active) clients
    • Explicitly determine token needs from policy
    • Explicitly request tokens via SOAP msgs
  • Strong authentication of all requests
    • Can provide proof of possession for tokens
  • Supports delegation
    • Client can provide token for web service to use
      on its behalf
  • Allows rich token caching at client
    • Improved user experience and performance

35
Sample Flow: Active SOAP Client (WS-Policy used to
route client token requests)
(diagram: Requesting Service, Requestor's IP/STS, Target
Service, Target's IP/STS)
36
WS-Federation Interoperability
  • WS-* public workshops/mailing list prepare specs
    for submission to standards bodies
    • http://groups.yahoo.com/group/WS-Security-Workshops/
  • WS-Federation vendor workshop (3/29/04)
    • Passive Requestor Profile with SAML token
    • Microsoft, IBM, RSA, Oblix, OpenNetwork,
      Netegrity, PingID
    • 100% interop achieved by all participants
  • WS-Federation product previews at TechEd
    • Interop pavilion and Vendor panel

37
ADFS Vendor Interoperability via WS-Federation
  • For more information
    • ADFS White Paper
    • WS-Federation White Paper - with links to
      specifications
    • WS-Federation Interoperability Workshop White
      Paper - with link to interoperability profile
      download
