20417A_12.pdf

Date post: 02-Apr-2018

Transcript
  • 7/27/2019 20417A_12.pdf

    1/27

    Microsoft Jump Start

    M12: Implementing Active Directory Federation Services

    Rick Claus | Technical Evangelist | Microsoft
    Ed Liberman | Technical Trainer | Train Signal


    Jump Start Target Agenda | Day One

    Day 1
    Module 1: Installing and Configuring Servers Based on Windows Server 2012
    Module 2: Monitoring and Maintaining Windows Server 2012
    Module 3: Managing Windows Server 2012 by Using PowerShell 3.0
    - MEAL BREAK -
    Module 4: Managing Storage for Windows Server 2012
    Module 5: Implementing Network Services
    Module 6: Implementing Direct Access

    Day 2
    Module 7: Implementing Failover Clustering
    Module 8: Implementing Hyper-V
    Module 9: Implementing Failover Clustering with Hyper-V
    - MEAL BREAK -
    Module 10: Implementing Dynamic Access Control
    Module 11: Implementing Active Directory Domain Services
    Module 12: Implementing Active Directory Federation Services


    Module Overview

    Overview of Active Directory Federation Services

    Deploying Active Directory Federation Services

    Implementing AD FS for a Single Organization

    Deploying AD FS in a Business to Business Federation Scenario


    What Is Identity Federation?

    Enables distributed identification, authentication, and authorization across organizational and platform boundaries.

    Requires a federated trust relationship between two organizations or entities.

    Enables organizations to retain control over who can access resources.

    Enables organizations to retain control of their user and group accounts.


    What is Claims-Based Identity?

    [Diagram: Identity Provider, Security Token Service, Application Provider, Application]

    Claims provide information about users who the identity provider authenticates, and which the application provider accepts


    Web Services Overview

    Web services use a set of open specifications to develop applications that can interoperate across boundaries

    Are developed using industry standards such as XML, SOAP, WSDL, and UDDI

    Define the security specifications used by Identity Federation systems

    Define the SAML standard for exchanging claims between federation partners


    What Is AD FS?

    AD FS is the Microsoft identity federation solution that can use claims-based authentication

    AD FS includes the following features:

    Web SSO

    Web services interoperability

    Support for passive and smart clients

    Extensible architecture

    Enhanced security


    AD FS and SSO in a Single Organization

    [Diagram: numbered sign-on flow (steps 1 to 8) between an External Client in the Perimeter Network, the Federation Service Proxy, and the Federation Server, Web Server, and AD DS Domain Controller in the Corporate Network]


    AD FS and SSO in a B2B Federation

    [Diagram: Federation Trust between Trey Research and A. Datum; numbered sign-on flow (steps 1 to 11) among the Internal Client Computer, Active Directory, Account Federation Server, Resource Federation Server, and Web Server]


    AD FS and SSO with Online Services

    [Diagram: Federation Trust between On Premises and Exchange Online; numbered sign-on flow (steps 1 to 11) among the Client Computer, Active Directory, the on-premises Federation Server, the Microsoft Online Federation Server, and the Outlook Web App server]


    AD FS Components

    Federation Server

    Federation Server Proxy

    Claims

    Claim Rules

    Attribute Store

    Claims Providers

    Relying Parties

    Claims Provider Trust

    Relying Party Trust

    Certificates

    Endpoints


    AD FS Prerequisites

    Infrastructure critical to a successful AD FS deployment includes:

    TCP/IP network connectivity

    AD DS

    Attribute stores

    DNS

    Compatible operating systems


    PKI and Certificate Requirements

    AD FS federation services require:

    Service Communication Certificates

    Token-Signing Certificates

    Token-Decrypting Certificates

    When choosing certificates, ensure that the Service Communication Certificate and the Token-Signing Certificate are trusted by all federation partners and clients
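    An added example, not part of the course deck, that inventories the three certificate types on a federation server with the ADFS PowerShell module and flags the ones that partners or clients would reject; the 30-day warning threshold is an assumption.

```powershell
# Added example (not from the course slides): list the Service-Communications,
# Token-Signing and Token-Decrypting certificates AD FS is using and report
# expiry and chain trust. The 30-day warning threshold is an assumption.
Import-Module ADFS

$warnDays = 30
$now = Get-Date

foreach ($type in 'Service-Communications', 'Token-Signing', 'Token-Decrypting') {
    foreach ($adfsCert in Get-AdfsCertificate -CertificateType $type) {
        $x509 = $adfsCert.Certificate
        $daysLeft = [int]($x509.NotAfter - $now).TotalDays

        # Browsers and the federation server proxy validate the service
        # communications certificate as a TLS server certificate, so it must
        # chain to a CA they trust. Token-signing and token-decrypting
        # certificates are trusted through the federation metadata partners
        # import, so for them expiry (and re-sharing metadata after a
        # rollover) matters more than chain validity on this host.
        $chainOk = $x509.Verify()

        $warning = ''
        if ($daysLeft -le $warnDays) {
            $warning = "Expires in $daysLeft days; plan rollover and re-share metadata with partners"
        }
        elseif (-not $chainOk -and $type -eq 'Service-Communications') {
            $warning = 'Not trusted by this host; clients will fail TLS validation'
        }

        [pscustomobject]@{
            Type       = $type
            IsPrimary  = $adfsCert.IsPrimary
            Subject    = $x509.Subject
            Thumbprint = $x509.Thumbprint
            NotAfter   = $x509.NotAfter
            DaysLeft   = $daysLeft
            ChainValid = $chainOk
            Warning    = $warning
        }
    }
}
```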


    Federation Server Roles

    AD FS Server Role | Description
    Claims Provider federation server | Authenticates internal users; issues signed tokens containing user claims
    Relying Party federation server | Consumes tokens from the Claims Provider; issues tokens for application access
    Federation server proxy | Deployed in a perimeter network; provides a layer of security for internal federation servers


    DEMO: Installing the AD FS Server Role

    In this demonstration, you will see how to install and configure the AD FS server role


    What are AD FS Claims?

    Claims are used to provide information about users from the Claims Provider to the Relying Party

    AD FS:

    Provides a default set of built-in claims

    Enables the creation of custom claims

    Requires that each claim have a unique URI

    Claims can be:

    Retrieved from an attribute store

    Calculated based on retrieved values

    Transformed into alternate values


    What Are AD FS Claim Rules?

    Claims rules define how claims are sent and consumed by AD FS servers

    Claims provider rules are acceptance transform rules

    Relying party rules can be:

    Issuance transform rules

    Issuance authorization rules

    Delegation authorization rules

    AD FS servers provide default claims rules, templates and a syntax for creating claims rules


    What Is a Claims Provider Trust?

    Claims provider trusts:

    Are configured on the relying party federation server

    Identify the claims provider

    Configure the claims rules for the claims provider

    In a single organization scenario, a claims provider trust called Active Directory defines how AD DS user credentials are processed

    Additional claims provider trusts can be configured:

    By importing the federation metadata

    By importing a configuration file

    By manually configuring the trust


    What is a Relying Party Trust?

    Relying party trusts:

    Are configured on the claims provider federation server

    Identify the relying party

    Configure the claims rules for the relying party

    In a single organization scenario, a relying party trust defines the connection to internal applications

    Additional relying party trusts can be configured:

    By importing the federation metadata

    By importing a configuration file

    By manually configuring the trust


    DEMO: Configuring Claims Provider and Relying Party Trusts

    In this demonstration, you will see how to:

    Configure a claims provider trust

    Configure a Windows Identity Framework application for AD FS

    Configure a relying party trust


    Configuring an Account Partner

    An account partner is a claims provider in a B2B federation scenario

    To configure an account partner:

    1. Implement the physical topology
    2. Add an attribute store
    3. Configure a relying party trust
    4. Add a claim description
    5. Prepare client computers for federation


    Configuring a Resource Partner

    A resource partner is a relying party in a B2B federation scenario

    To configure a relying party:

    1. Implement the physical topology
    2. Add an attribute store
    3. Configure a claims provider trust
    4. Create claim rule sets for the claims provider trust


    Configuring Claims Rules for Business to Business Scenarios

    Organization to organization scenarios may require more complex claims rules

    You can create claims rules by using the following templates:

    Send LDAP attributes as claims

    Send group membership as a claim

    Pass through or filter an incoming claim

    Transform an incoming claim

    Permit or deny users based on an incoming claim

    You can also create custom rules by using the AD FS Claim Rule Language
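    An added example, not part of the course deck, that writes the rule templates listed above in the AD FS Claim Rule Language and applies them with the ADFS PowerShell module: acceptance transform rules on the claims provider trust of the account partner (step 4 of the resource partner procedure) and issuance transform plus issuance authorization rules on a relying party trust. The trust names, the application, the role name and the group SID are constructed placeholders.

```powershell
# Added example (not from the course slides): claim rules in the AD FS Claim
# Rule Language, applied on a federation server. Trust names, the role name
# and the group SID are placeholders.
Import-Module ADFS

# Acceptance transform rules on the claims provider trust for the account
# partner: pass through only the claim types this organization relies on, so
# anything else the partner sends is filtered out.
$acceptanceRules = @'
@RuleName = "Pass through UPN and role from the account partner"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"]
 => issue(claim = c);
'@
Set-AdfsClaimsProviderTrust -TargetName "Trey Research" `
    -AcceptanceTransformRules $acceptanceRules

# Issuance transform rules on the relying party trust: send LDAP attributes,
# send one group membership as a role claim, and transform e-mail into name.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send LDAP attributes as claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);

@RuleName = "Send group membership as a claim (placeholder SID)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-0-0-0-1234", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role", Value = "ExpenseApprover", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

@RuleName = "Transform e-mail into name"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

# Issuance authorization rules: issue a permit claim only for the role; a user
# for whom no permit claim is issued is denied access to the application.
$authorizationRules = @'
@RuleName = "Permit ExpenseApprover role only"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role", Value =~ "^(?i)ExpenseApprover$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName "Expense Web App" `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authorizationRules

# Review the rule sets now in effect before testing a sign-in.
Get-AdfsRelyingPartyTrust -Name "Expense Web App" |
    Select-Object Name, IssuanceTransformRules, IssuanceAuthorizationRules
```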


    How Home Realm Discovery Works

    Home realm discovery is required on the resource partner when it has configured AD FS federations with account partners

    To enable home realm discovery, you can:

    Prompt the user for home realm information

    Modify the URL for the web application to specify the home realm

    Configure a SAML profile called IdP-Initiated SSO to direct users to the account partner site first


    DEMO: Configuring Claims Rules

    In this demonstration, you will see how to configure claims rules


    Microsoft Jump Start

    BONUS SESSION

    Rick Claus | Technical Evangelist | Microsoft
    Ed Liberman | Technical Trainer | Train Signal
