Active Directory Federation Services Cross-Platform Interoperability

Windows Live@Edu – ADFS/Shibboleth

Agenda

Introduction Project Background Missouri, Oxford & Microsoft

Things we’ll cover: Overview of Technologies ADFS/Shibboleth Interoperability Demos

Project Background

Based on OCG White Paper: Achieving interoperability between Active Directory Federation

Services (ADFS) and Shibboleth

Demonstrate interoperability between ADFS and Shibboleth System 1.3c Release

Using ADFS plug-in for SAML 1.1 Identity and Service Providers

Support for WS-Federation Passive Requestor Interoperability Profile

Demonstrate interoperability with sample applications - Microsoft Office SharePoint Server 2007 and Windows Live IDs

Technology Overview Shibboleth

Standards-based, Open Source Middleware Software Project of Internet2/MACE (Middleware Architecture Committee for

Education) Internet2 – U.S. Advanced Networking Consortium led by the

education and research community (universities, partners, laboratories, government agencies, etc.)

URL: http://shibboleth.internet2.edu/about.html

Implements the OASIS SAML v1.1 specification December 2005 - Extension for ADFS support is developed Implemented in Shibboleth versions 1.3.c and later Platforms include: UNIX (Solaris, etc.), Linux (Fedora, Ubuntu, etc.),

Mac OS-X

Show of Hands

How many schools have a websso? How many use CAS? Pubcookie? Something else?

How many have a Shibboleth? How many have ADFS? How many run a websso & Shib or ADFS? Does anyone run both ADFS & Shib?

Project Credits Project Sponsors

Walter Harp, Microsoft Corporation John DuBois, Microsoft Corporation

Credits and Contributions Ryan Woodsmall, University of Missouri Brian Dourty, University of Missouri Edward D. McKinzie, University of Missouri Bryan W. Roesslet, University of Missouri Randy Wiemer, University of Missouri

Chris Calderon, Oxford Computer Group Jim Muir, Oxford Computer Group

Technology Overview Active Directory Federation Services (ADFS)

First introduced in Windows Server 2003 R2 to provide “Identity Federation”

Projecting user identity from a single logon… Providing single identity based entitlements… Connecting islands (across security, organizational or platform

boundaries) Result: Web single sign-on & simplified identity management

Web Services and WS-* Security Standards Specifically implementing the WS-Federation and WS-Federation

Passive Requestor Profile specifications

Language Translation

Demonstration OverviewEstablishing Federated Interoperability between ADFS

(Relying Party) and Shibboleth (Identity Provider)

Demonstration 1:Shib.org User will access Sample Claims-App that will display the set of claims, associated with that user.

Demonstration 1:Shib.org User will access Sample Claims-App that will display the set of claims, associated with that user.

Demonstration 2:Shib.org User will access MOSS 2007 Extranet Portal.

Demonstration 2:Shib.org User will access MOSS 2007 Extranet Portal.

Configuration Details ADFS Configuration Policy Requirements

Federation Service URI – This uniquely identifies a federated partner

Federation Service endpoint URL – The URL that partner organizations to send requests and responses.

Token Signing Certificate – Relying Party requires a signing certificate that is used to by the Identity Providers to digitally sign message exchanges.

ADFS Management Console - This is the primary management console for administrative management of Account Partners (Identity Providers)

Configuration Details Shibboleth Configuration Requirements

XML Metadata - Trust Policy Configuration idp.xml – (The main configuration file for the identity provider.)

Configures the Shibboleth ADFS extension Provides key information for relying parties Adds reference mapping support for identity claims (i.e. MS UPNs) Adds the XML attribute namespace=http://schema.xmlsoap.org/claims to attribute definitions

in resolver.xml for any attributes that should be sent to ADFS providers.

resolver.xml – (Attribute extraction) Defines the connection to attribute store

arp.site.xml– (Attribute release policy) Defines which attributes are available to relying parties Controls (Permits/Denies) attribute release rules

Demonstration OverviewWindows Live ID/Passport Interoperability

Demonstration 3:Shib.org User access Windows Live@edu by passing WLID through claims to generate SLT. The Identity Provider (IdP) acts as the Windows Live Account Store.

Demonstration 3:Shib.org User access Windows Live@edu by passing WLID through claims to generate SLT. The Identity Provider (IdP) acts as the Windows Live Account Store.

Configuration Details Windows Live ID Interoperability

WLIDs (Short-live Tokens) – Can be used to further extending SSO into Web Applications.

Benefits: Windows Live ID users can access resources typically only available

only for AD accounts (SharePoint Sites, etc.) Applications do not need to implement any Windows Live ID code Single Account Management (instead of AD and Windows Live)

Summary Successfully demonstrated the interoperability between

ADFS and Shibboleth: Straight forward configurations

No special software or customization required by either party.

Language Translation (Understanding component relations of each technology)

Lessons learned Federating with Windows Live IDs

Microsoft Office SharePoint Server 2007 Compatibility