7/27/2019 20417A_12.pdf
Microsoft Jump Start
M12: Implementing Active Directory Federation Services
Rick Claus | Technical Evangelist | Microsoft
Ed Liberman | Technical Trainer | Train Signal
Jump Start Target Agenda | Day One
Day 1:
Module 1: Installing and Configuring Servers Based on Windows Server 2012
Module 2: Monitoring and Maintaining Windows Server 2012
Module 3: Managing Windows Server 2012 by Using PowerShell 3.0
- MEAL BREAK -
Module 4: Managing Storage for Windows Server 2012
Module 5: Implementing Network Services
Module 6: Implementing Direct Access
Day 2:
Module 7: Implementing Failover Clustering
Module 8: Implementing Hyper-V
Module 9: Implementing Failover Clustering with Hyper-V
- MEAL BREAK -
Module 10: Implementing Dynamic Access Control
Module 11: Implementing Active Directory Domain Services
Module 12: Implementing Active Directory Federation Services
Module Overview
Overview of Active Directory Federation Services
Deploying Active Directory Federation Services
Implementing AD FS for a Single Organization
Deploying AD FS in a Business to Business Federation Scenario
What Is Identity Federation?
Enables distributed identification, authentication, and authorization across organizational and platform boundaries
Requires a federated trust relationship between two organizations or entities
Enables organizations to retain control over who can access resources
Enables organizations to retain control of their user and group accounts
What is Claims-Based Identity?
[Diagram: Identity Provider, Application Provider, Application, Security Token Service]
Claims provide information about users who the identity provider authenticates, and which the application provider accepts
Web Services Overview
Web services use a set of open specifications to develop applications that can interoperate across boundaries
Are developed using industry standards such as XML, SOAP, WSDL, and UDDI
Define the security specifications used by Identity Federation systems
Define the SAML standard for exchanging claims between federation partners
What Is AD FS?
AD FS is the Microsoft identity federation solution that can use claims-based authentication
AD FS includes the following features:
Web SSO
Web services interoperability
Support for passive and smart clients
Extensible architecture
Enhanced security
AD FS and SSO in a Single Organization
[Diagram of the sign-on flow, numbered steps 1 to 8. Components: External Client; Federation Service Proxy (Perimeter Network); Federation Server, Web Server and AD DS Domain Controller (Corporate Network).]
AD FS and SSO in a B2B Federation
[Diagram of the sign-on flow, numbered steps 1 to 11, between Trey Research and A. Datum across a Federation Trust. Components: Internal Client Computer, Account Federation Server, Resource Federation Server, Web Server, Active Directory.]
AD FS and SSO with Online Services
[Diagram of the sign-on flow, numbered steps 1 to 11, between On Premises and Exchange Online across a Federation Trust. Components: Client Computer, Federation Server, Active Directory, Microsoft Online Federation Server, Outlook Web App server.]
AD FS Components
Federation Server
Federation Server Proxy
Claims
Claim Rules
Attribute Store
Claims Providers
Relying Parties
Claims Provider Trust
Relying Party Trust
Certificates
Endpoints
AD FS Prerequisites
Infrastructure critical to a successful AD FS deployment includes:
TCP/IP network connectivity
AD DS
Attribute stores
DNS
Compatible operating systems
PKI and Certificate Requirements
AD FS federation services require:
Service Communication Certificates
Token-Signing Certificates
Token-Decrypting Certificates
When choosing certificates, ensure that the Service Communication Certificate and the Token-Signing Certificate are trusted by all federation partners and clients
Federation Server Roles
AD FS Server Role | Description
Claims Provider federation server | Authenticates internal users; issues signed tokens containing user claims
Relying Party federation server | Consumes tokens from the Claims Provider; issues tokens for application access
Federation server proxy | Deployed in a perimeter network; provides a layer of security for internal federation servers
DEMO: Installing the AD FS Server Role
In this demonstration, you will see how to install and configure the AD FS server role
What are AD FS Claims?
Claims are used to provide information about users from the Claims Provider to the Relying Party
AD FS:
Provides a default set of built-in claims
Enables the creation of custom claims
Requires that each claim have a unique URI
Claims can be:
Retrieved from an attribute store
Calculated based on retrieved values
Transformed into alternate values
What Are AD FS Claim Rules?
Claims rules define how claims are sent and consumed by AD FS servers
Claims provider rules are acceptance transform rules
Relying party rules can be:
Issuance transform rules
Issuance authorization rules
Delegation authorization rules
AD FS servers provide default claims rules, templates and a syntax for creating claims rules
What Is a Claims Provider Trust?
Claims provider trusts:
Are configured on the relying party federation server
Identify the claims provider
Configure the claims rules for the claims provider
In a single organization scenario, a claims provider trust called Active Directory defines how AD DS user credentials are processed
Additional claims provider trusts can be configured:
By importing the federation metadata
By importing a configuration file
By manually configuring the trust
What is a Relying Party Trust?
Relying party trusts:
Are configured on the claims provider federation server
Identify the relying party
Configure the claims rules for the relying party
In a single organization scenario, a relying party trust defines the connection to internal applications
Additional relying party trusts can be configured:
By importing the federation metadata
By importing a configuration file
By manually configuring the trust
DEMO: Configuring Claims Provider and Relying Party Trusts
In this demonstration, you will see how to:
Configure a claims provider trust
Configure a Windows Identity Framework application for AD FS
Configure a relying party trust
Configuring an Account Partner
An account partner is a claims provider in a B2B federation scenario
To configure an account partner:
1. Implement the physical topology
2. Add an attribute store
3. Configure a relying party trust
4. Add a claim description
5. Prepare client computers for federation
Configuring a Resource Partner
A resource partner is a relying party in a B2B federation scenario
To configure a relying party:
1. Implement the physical topology
2. Add an attribute store
3. Configure a claims provider trust
4. Create claim rule sets for the claims provider trust
Configuring Claims Rules for Business to Business Scenarios
Organization to organization scenarios may require more complex claims rules
You can create claims rules by using the following templates:
Send LDAP attributes as claims
Send group membership as a claim
Pass through or filter an incoming claim
Transform an incoming claim
Permit or deny users based on an incoming claim
You can also create custom rules by using the AD FS Claim Rule Language
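As an added example (not from the deck), the filter, transform and permit/deny templates above written out in the AD FS Claim Rule Language and applied with the AD FS PowerShell module to the Trey Research / A. Datum B2B scenario from the earlier diagram. The trust names, the partner domain, the group and role values and the application name are assumptions for a lab; the point is that the resource partner accepts only the partner claims it needs and permits access on a specific claim rather than with a permit-all rule.

```powershell
# Added example, not from the deck. Trust names, partner domain, group/role values
# and the application name are placeholders; adjust them to your environment.
Import-Module ADFS

# Acceptance transform rules on the claims provider trust for the account partner (A. Datum).
# Only the claims the resource partner needs are accepted, and the e-mail claim is passed
# through only when its value is in the partner's own domain ("filter an incoming claim").
$acceptanceRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through A. Datum e-mail addresses only"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value =~ "^[^@]+@adatum[.]com$"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through partner group claims"
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
 => issue(claim = c);
'@
Set-AdfsClaimsProviderTrust -TargetName "A. Datum" -AcceptanceTransformRules $acceptanceRules

# Issuance transform rules on the relying party trust for the internal application (Trey Research):
# map the partner's Sales group claim to a role the application understands ("transform an incoming claim").
$issuanceRules = @'
@RuleTemplate = "MapClaims"
@RuleName = "Map A. Datum Sales group to the Partner role"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "Sales"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Partner", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through e-mail address"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);
'@

# Issuance authorization rules: permit only users holding the Partner role
# ("permit or deny users based on an incoming claim") instead of the default permit-all rule.
$authorizationRules = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit users holding the Partner role"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value == "Partner"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName "Trey Research Claims App" `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authorizationRules

# Read back the rule sets stored on the relying party trust.
Get-AdfsRelyingPartyTrust -Name "Trey Research Claims App" |
    Select-Object Name, IssuanceTransformRules, IssuanceAuthorizationRules
```

Each Set-Adfs*Trust call replaces the whole rule set on that trust, so include every rule you want to keep in the string rather than only the new one.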
How Home Realm Discovery Works
Home realm discovery is required on the resource partner when it has configured AD FS federations with account partners
To enable home realm discovery, you can:
Prompt the user for home realm information
Modify the URL for the web application to specify the home realm
Configure a SAML profile called IdP-Initiated SSO to direct users to the account partner site first
DEMO: Configuring Claims Rules
In this demonstration, you will see how to configure claims rules
Microsoft Jump Start
BONUS SESSION
Rick Claus | Technical Evangelist | Microsoft
Ed Liberman | Technical Trainer | Train Signal