Date posted: 22-Dec-2015
AD FS-2: A claims-based Identity Metasystem
Henk Den Baes, Technology Advisor, Microsoft BeLux
Agenda
• The access challenge
• Defining AD FS-2
• Federation with MS-online
  – Exchange
  – SharePoint
  – CRM, …
• Demo AD FS-2 & SharePoint by Bert Jansen (MCS Belgium)
[Diagram: the access challenge today. Six applications (App1 to App6) are spread across intranet, extranet and cloud, each backed by its own AD or database. Every application needs a separate sign-in and additional provisioning, with ILM handling the provisioning.]
Defining the Problem: Working with identity is hard
• Applications must use different identity technologies in different situations:
  – Active Directory (Kerberos) inside a Windows domain
  – Username/password on the Internet
  – WS-Federation and the Security Assertion Markup Language (SAML) between organizations
• Why not define one approach that can be used in all of these cases?
  – Claims-based identity allows this
  – It can make life simpler for developers
[Diagram: the same applications across intranet, extranet and cloud, now provisioned by FIM 2010 and reached through SSO and claims for every application.]
“AD FS-2” enables apps and infrastructure to be more easily plugged together
Authentication problem statement
• Every connected app must handle two functions
  – Authenticate user
  – Get information about user to drive app behavior
• Many different technologies to do this
  – Name/password, X.509, Kerberos, SAML, LDAP, …
  – Scenario drives technology choice
• Application bound to constraints of technology
  – But modern apps face increasing requirements: federation, strong authentication, SOA, cloud…
• Solution: claims-based identity
  – Abstraction layer hides detail of authenticating user, getting information about user
  – Application logic exposed to claims only; claims = information about the user
  – Change details after deployment without changing application code
Identities
• Information about a person or object, i.e. users
• Traverses the network as an array of bytes, referred to as a token
  – In a claims-based scenario, the array of bytes carries claims
Claims
• Claims carry pieces of information about the user
[Diagram: a token produced by an issuer contains a set of claims (e.g. Name, Age, Location) and a Signature over them.]
• Tokens are issued by Security Token Service (STS) software
• Identity providers (IP) can include Directory Services, Windows Live ID, etc.
Claims Based Identity access
[Diagram: end user, claims provider and application server (claims framework plus your app); the application trusts the claims provider.]
1. End user authenticates to the claims provider
2. Claims provider looks up claims and transforms them for the app
3. Claims provider returns claims to the end user
4. End user sends claims to the application server
5. Your app uses the claims
Introducing AD FS-2
[Diagram: the same flow with the AD FS-2 server as the claims provider, backed by AD and FIM, and the WIF framework as the claims framework inside the application server; the application trusts the AD FS-2 server.]
1. End user authenticates to the AD FS-2 server
2. AD FS-2 server looks up claims (AD, FIM) and transforms them for the app
3. AD FS-2 server returns claims to the end user
4. End user sends claims to the application server
5. Your app uses the claims through the WIF framework
What is AD FS 2.0?
• Active Directory Federation Services 2.0 Server
  – Claims provider server
  – Federation trust manager
• Windows Identity Foundation
  – Framework for claims aware applications
• Windows CardSpace
  – Identity client for claims aware applications
Client Sends Token from IP to RP
[Diagram: Identity Provider (IP), Client running CardSpace, User, and Relying Party (RP).]
1. Client tries to access a resource
2. RP provides identity requirements policy
3. CardSpace shows which IPs can satisfy RP's policy
4. User selects a card
5. Request Security Token sent to IP by CardSpace
6. IP returns security token
7. User approves release of token
8. CardSpace releases token to RP
AD FS-2 Server Components
[Diagram, repeated over four slides under the names "AD FS-2 Server" and "Geneva Server": the server hosts Management APIs and UX, Card Issuance, Token Issuance and Metadata, backed by an Account Store and a Policy Store. Intranet clients reach the server directly; Internet clients go through the AD FS-2 (Geneva) Proxy, which provides a Token Issuance Proxy and a Metadata Proxy.]
Geneva Clients:
• Web Browsers
• Windows CardSpace and Other Identity Selectors
• WS-* Aware Clients (WCF, etc.)
Geneva Policy Store:
• SQL Server
Geneva Server:
• Security Token Service for SOAP and browser clients
• Information card issuance web site
• Policy and service management
What's Involved for the Developer?
1. Who are you?
   <!-- web.config: tell WIF which STS issues tokens for this application's realm -->
   <federatedAuthentication enabled="true">
     <wsFederation issuer="https://sts1.contoso.com/FederationPassive/"
                   realm="http://web1.contoso.com/MyApp"
                   passiveRedirectEnabled="true" />
   </federatedAuthentication>
2. What can you do?
   // WIF: application logic reads the role claim from the authenticated caller.
   // MyClaimTypes is the application's own set of claim-type constants.
   using System.Linq;
   using System.Threading;
   using Microsoft.IdentityModel.Claims;

   IClaimsIdentity caller = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
   string role = (from c in caller.Claims
                  where c.ClaimType == MyClaimTypes.Role
                  select c.Value).Single();
Windows CardSpace: Selecting identities
• CardSpace provides a standard user interface for choosing an identity
  – Using the metaphor of cards
  – Choosing a card selects an identity (i.e., a token)
"Geneva (ADFS) project is one of the most significant enhancements for future use and dissemination of the Identity Federation." – Kuppinger Cole
Extend Access Across Organizations
EMPOWER BUSINESS
• Ability to move seamlessly between applications using a single identity
• Collaboration across organizations
EMPOWER IT
• No need to manage external accounts
• Simplified and flexible claims-based federation
• Common authentication controls for building custom applications
Source: Awards for Outstanding Identity Management Projects. Kuppinger Cole, May 2009. http://www.id-conf.com/blog/2009/05/07/awards-for-outstanding-identity-management-projects/
Simplifying Access Management with Active Directory Federation Services 2
• Streamline User Access Management
• Enhance Application Security
• Interoperable & Adaptable
• Quick roll out of high value projects
• Manage Compliance
• Reduce TCO and leverage the cloud
• Simplify User Access
• Increase productivity
• Reduce password burden
• Improve Developer Productivity
• Enhance Application Security
• Open and Extensible
Security Considerations
• Treat your AD FS-2 servers like domain controllers
• Your AD FS-2 Server admins are like domain administrators
• AD FS-2 includes claims policy language, which is extremely powerful
• Manage your certificates
  – Token signing protects from man-in-the-middle attacks
  – SSL validates the end-points

Server                | Token             | Crypto            | Administrator
Domain Controller     | Kerberos or NTLM  | Shared secret     | Domain Admin
Certificate Authority | x.509 certificate | Trusted chain     | Certificate Admin
Federation Server     | SAML              | x.509 certificate | ???
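The claims flow in the diagrams and the developer snippet above, carried end to end as an added Python example (not code from the deck, AD FS or WIF): the claims provider transforms directory groups into a role claim and signs the token; the relying party checks signature, issuer and realm before app logic reads the role, which is what the token-signing advice in the security considerations protects. It assumes an HMAC shared secret in place of the STS's X.509 signing certificate; the directory contents, group-to-role rule and key are constructed.

```python
import base64, hashlib, hmac, json, time

ISSUER = "https://sts1.contoso.com/FederationPassive/"  # issuer from the deck's config
REALM = "http://web1.contoso.com/MyApp"                  # realm from the deck's config
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
SIGNING_KEY = b"constructed-demo-key"  # constructed; AD FS signs with an X.509 key instead
# Constructed account store (AD group membership) and claim rule (step 2: transform).
DIRECTORY = {"alice": ["CONTOSO\\Domain Users", "CONTOSO\\Sales"]}
GROUP_TO_ROLE = {"CONTOSO\\Sales": "SalesRep"}

def _b64(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(txt): return base64.urlsafe_b64decode(txt + "=" * (-len(txt) % 4))

def transform_claims(groups):
    """Claims provider step 2: map directory groups to role claims the app understands."""
    return [{"type": ROLE_CLAIM, "value": GROUP_TO_ROLE[g]} for g in groups if g in GROUP_TO_ROLE]

def issue_token(user, audience, now=None):
    """STS step 3: build the claim set and sign it; the app never sees the directory."""
    now = now or int(time.time())
    body = {"issuer": ISSUER, "audience": audience, "subject": user,
            "claims": transform_claims(DIRECTORY[user]),
            "not_before": now, "expires": now + 600}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def validate_token(token, now=None):
    """RP claims framework step 4: signature first, then issuer, realm and validity window."""
    now = now or int(time.time())
    payload_b64, sig_b64 = token.split(".")
    payload = _unb64(payload_b64)
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise ValueError("signature check failed: token altered in transit or not from our STS")
    body = json.loads(payload)
    if body["issuer"] != ISSUER or body["audience"] != REALM:
        raise ValueError("token not issued by the trusted STS for this realm")
    if not body["not_before"] <= now < body["expires"]:
        raise ValueError("token outside its validity window")
    return body["claims"]

def role_of(token, now=None):
    """App step 5: logic sees only claims, like the deck's LINQ query over caller.Claims."""
    roles = [c["value"] for c in validate_token(token, now) if c["type"] == ROLE_CLAIM]
    if len(roles) != 1:
        raise ValueError("expected exactly one role claim")
    return roles[0]
```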
Engagement considerations: skills required
• ADFS (obviously)
• PKI
• IIS
• HTTP
• Probably some development (WIF, custom STS)
WS-* Protocol Support
Protocol                                              | AD FS1 | AD FS2
WS-Federation 1.0 (Passive Requestor Interop Profile) | Y      | Y
WS-Federation 1.2 (Min Passive Requestor Subset)      | n/a    | Y
  POST (push) Binding                                 |        | Y
WS-Trust 2005 and 1.3 (aka Active Requestor Profile)  | n/a    | Y
  Issue                                               |        | Y
  Issue "OnBehalfOf" (proxy support)                  |        | Y
  Issue "ActAs" (identity delegation)                 |        | Y
WS-SecurityPolicy 1.2                                 | n/a    | Y
SAML Token Support
Feature                                     | AD FS1 | AD FS2
SAML 1.1 Tokens                             | Y      | Y
  Authentication & Attribute Statements     | Y      | Y
  Signed tokens                             | Y      | Y
  Encrypted tokens                          | N      | Y
SAML 2.0 tokens                             | N      | Y
  Authentication & Attribute Statements     |        | Y
  Extensible claim type (any URI)           |        | Y
  Signed tokens                             |        | Y
  Encrypted tokens                          |        | Y
  Proof tokens (symmetric/asymmetric keys)  |        | Y
  Authentication Context                    |        | Y
Federation/SSO Futures
• Authorization
  – Authorization Manager (AzMan) v.Next
  – Authorization server
• "U-Prove": minimal disclosure tokens
  – Issued tokens that don't inescapably contain correlation handles
  – Users can prove properties of encoded claims
    • Disclose subset of claims
    • Derived claims: age > 21 proof instead of disclosing DoB
    • Prove claim not equal to value (name not on deny list)
  – Offline/disconnected scenarios
• Identity selector for mobile platform
How AD FS-2 is Changing Our Game: Federation with MS Online
[Diagram: on-premise, the AD FS-2 server (with its SQL authorization store and ADFS partners) authenticates the corporate user and holds a trust with the Microsoft Federation Gateway; the gateway in turn trusts the relying parties SharePoint Online, Exchange Online, CRM Online and others. The trust is configured with the "Microsoft Federation Gateway Utility".]
Authentication and Sign-On
How it works today (sign-in tool):
• Users have separate password for cloud services
• Sign-in tool stores password to achieve SSO for Outlook
How it will work (ADFS 2.0 (Geneva), token-based referral):
• Users log in to cloud services with domain credentials
• No Outlook sign-in tool required
AD FS-2 Server connects AD to the cloud for single sign-on
Federated Identity using AD FS 2
User benefits
• Same identity on-premises and in the cloud
• No need to manage separate passwords
Administrator benefits
• No sign-on application to manage across desktops
• Passwords not synchronized to the cloud
• Security control retained over user accounts
• No need to manually de-provision cloud users
• No changes to enterprise deployment of AD
Other benefits
• Supports multi-factor authentication for OWA
• Allows you to customize the OWA login page
User Login Process with AD FS 2
[Diagram: desktop (browser, Outlook, apps); enterprise (AD FS-2 on Windows Server 2008, Active Directory); cloud (Microsoft Federation Gateway, Exchange Online).]
Setup:
1. Install AD FS 2
2. Configure federated trust with Microsoft Online Services
Users are authenticated by the local AD FS-2 server:
1. User opens Outlook or clicks OWA URL and is taken to the AD FS-2 server for authentication
2. AD FS-2 server validates credentials with Active Directory
3. AD FS-2 server issues login token and posts it to Federation Gateway
4. Federation Gateway validates token and transforms claims
5. Federation Gateway issues service token and posts it to service
6. User accesses service
Comparing User Experiences: With and Without ADFS 2.0
Client                             | Without ADFS 2.0 (LiveID) | With ADFS 2.0 (AD credentials)
OWA                                | Each session              | No prompt**
ActiveSync, POP, IMAP              | Once at setup             | Once at setup
Entourage 2008 WS Ed.              | Once at setup             | Once at setup
Outlook 2010 on Win 7              | Each session*             | No prompt**
Outlook 2007 or 2010 on Vista/XP   | Each session*             | Each session*
Outlook 2007 on Win 7              | Each session*             | Each session*
* Teams are investigating patches for Outlook and Windows that would eliminate this prompt
** No prompt if logged on to the corporate network. Internet-based users will be prompted.
• With AD FS 2.0 in place, users access Online services using their domain credentials
• Password prompts are eliminated in some scenarios
• If AD FS 2.0 is not deployed, users access Online services using a LiveID
• The Microsoft Online Services Sign-in Tool will be retired
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
Business Ready Security: The Road Ahead (subject to change)
[Roadmap diagram: timeline columns Earlier, CY 2009H2 and CY 2010H1; rows Management, Protection & Access, Solutions and Platform. Platform items shown: Active Directory® Domain Services, DirectAccess.]