Posted: 14-Jan-2017 | Category: Documents | Uploaded by: vicente-rodriguez-eguibar
Federation Services
Basics and considerations
Eguibar Information Services S.L. © 2015, April 6th 2015
What is Federation Services?
AD FS is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet by using a claims-based system and policies. This is considered a “Trust Relationship” between companies.
Do I need Federation Services?
• Single Sign On (SSO)
• Web Services
• Claim mapping
• Centralized federated partner management
• Extensible architecture
Components
Component: Description
Internet: Internet.
Public DMZ: Demilitarized zone. Usually published services are located here.
Site LAN: Internal Local Area Network.
Site with Federation Server: Site where a FS server will be located, usually part of a FS farm.
Potential site for FS Proxy: Site without FS Server, but with a FS Proxy acting as an entrance point to federate.
Site without FS servers: No FS server or proxy, but potentially a candidate to become one.
Federation Services Proxy: FS Proxy server to enable external secured access to the internal Federation Services server.
Federation Services Server: The server which hosts the Federation Services on the internal network.
Stateful Firewall: Firewall used to secure the internal network and control the DMZ.
How does it work (Internal)
1. User requests access to the APP/Service.
2. APP/Service requests a token.
3. User requests a token from FS.
4. FS requests authentication from AD.
5. AD authenticates.
6. FS issues the token.
7. User sends the token in order to get access.
How does it work (External)
1. User requests access to the APP/Service.
2. APP/Service requests a token from the FS Proxy.
3. FS Proxy forwards the request to FS.
4. FS requests authentication from AD.
5. AD authenticates.
6. FS issues the token to the requesting FS Proxy.
7. FS Proxy sends the token to the APP/Service.
8. APP/Service grants access.
Windows Internal Database
• Maximum of 5 Federation Servers.
• Only 1 database is writable.
• Automatic pull replication of databases.
• 100 trust relationships or less.
Diagram: Federation Services using WID (Windows Internal Database). Primary server: WID read & write. Secondary servers: WID read only, each pulling from the primary every 5 mins.
SQL Server
• DB handled by SQL Server.
• All instances are writable and can support over 100 Trust Relationships.
• SQL to provide fault tolerance and redundancy.
• No Federation Server limit.
• Support for token replay detection (a security feature) and artifact resolution (part of the Security Assertion Markup Language (SAML) 2.0 protocol).
Diagram: Federation Services using SQL Server. Several Federation Servers (read & write) connect to SQL Server, with SQL providing fault tolerance and redundancy.
Selecting and Utilizing a Federation Service Name
• The Federation Service Name must never equal any machine name in the Active Directory forest when you are deploying an AD FS 2.0 farm.
• The HOST/<Federation Service Name> SPN must be registered to the AD FS 2.0 service account.
• The subject of all SSL certificates in the farm, including all Federation Servers and Federation Server Proxies, must utilize the Federation Service Name.
• The subject of the Service Communications certificate must utilize the Federation Service Name.
• The Federation Service Name must be registered as a host record in DNS.
• The Federation Service Name must be set in the Federation Service Properties.
• When directing clients, whether passive (typically browser clients) or active (rich clients), to the Federation Service, the host name the clients utilize must be the Federation Service Name.
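The following script is an added example, not part of the original deck, that checks the non-certificate requirements above (machine name clash, HOST SPN owner, DNS host record, configured Federation Service Properties name) on a live federation server. It assumes the ActiveDirectory and ADFS PowerShell modules are available and the AD FS service is registered as adfssrv; the FS name at the bottom is a constructed placeholder.

```powershell
# Added example (not part of the original deck): verify the Federation Service
# Name requirements against the environment. Assumes the ActiveDirectory and
# ADFS modules are loaded; 'fs.example.com' below is a constructed placeholder.
function Test-FederationServiceName {
    param([Parameter(Mandatory)][string]$FsName)

    $label    = $FsName.Split('.')[0]
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The FS name must not equal any machine name in the forest
    #    (check both the short label and the FQDN).
    $clash = Get-ADComputer -Filter "Name -eq '$label' -or DNSHostName -eq '$FsName'"
    if ($clash) { $findings.Add("FAIL name: '$FsName' matches computer object $($clash.Name)") }
    else        { $findings.Add("OK   name: no computer object is named '$FsName'") }

    # 2. HOST/<FS name> SPN must belong to the account the AD FS service runs as.
    $svcAccount = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
    $svcSam = if ($svcAccount -like '*\*') { $svcAccount.Split('\')[-1] }
              elseif ($svcAccount) { $svcAccount.Split('@')[0] } else { '' }
    $spnOwner = Get-ADObject -Filter "ServicePrincipalName -eq 'HOST/$FsName'" -Properties sAMAccountName
    if (-not $spnOwner) { $findings.Add("FAIL spn:  HOST/$FsName is not registered to any account") }
    elseif ($spnOwner.sAMAccountName -ine $svcSam) {
        $findings.Add("FAIL spn:  HOST/$FsName is registered to '$($spnOwner.sAMAccountName)', service runs as '$svcAccount'")
    }
    else { $findings.Add("OK   spn:  HOST/$FsName is registered to the AD FS service account") }

    # 3. The FS name must be registered as a host (A) record, not only as a CNAME.
    $records = Resolve-DnsName -Name $FsName -ErrorAction SilentlyContinue
    if (-not $records) { $findings.Add("FAIL dns:  '$FsName' does not resolve") }
    elseif (-not ($records | Where-Object Type -eq 'A')) { $findings.Add("WARN dns:  '$FsName' resolves, but not through a host (A) record") }
    else { $findings.Add("OK   dns:  host record found for '$FsName'") }

    # 4. The same name must be set in the Federation Service Properties.
    $configured = (Get-AdfsProperties).HostName
    if ($configured -ieq $FsName) { $findings.Add("OK   prop: Federation Service Properties use '$configured'") }
    else { $findings.Add("FAIL prop: Federation Service Properties use '$configured', expected '$FsName'") }

    return $findings
}

Test-FederationServiceName -FsName 'fs.example.com'
```

Certificate subjects are covered separately; run this from an elevated session on a federation server so the ADFS cmdlets can reach the configuration database.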
Certificates
Certificate Type: Description
Token-signing certificate: A token-signing certificate is an X.509 certificate. Federation servers use the associated public/private key pairs to digitally sign all security tokens that they produce. This includes the signing of published federation metadata and artifact resolution requests.
Service communication certificate: Federation servers use a server authentication certificate, also known as a service communication certificate, for Windows Communication Foundation (WCF) Message Security. By default, this is the same certificate that a federation server uses as the Secure Sockets Layer (SSL) certificate in Internet Information Services (IIS).
Secure Sockets Layer (SSL) certificate: Federation servers use an SSL certificate to secure Web services traffic for SSL communication with Web clients and with federation server proxies.
Token-decryption certificate: This certificate is used to decrypt tokens that are received by this federation server.
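As an added example (not part of the original deck), the script below inventories the token-signing, token-decrypting and service communication certificates from the table through the ADFS module and flags the conditions a practitioner checks for: expiry, a missing private key (signing and decrypting are impossible without it), and a service communication subject that does not carry the Federation Service Name as the earlier slide requires. It assumes Get-AdfsCertificate is available (the AD FS 2.0 snap-in exposes the same cmdlet); the FS name is a constructed placeholder.

```powershell
# Added example (not part of the original deck): inventory the AD FS certificates
# from the table and report expiry, private-key and subject problems.
# 'fs.example.com' is a constructed placeholder for the Federation Service Name.
function Test-AdfsCertificates {
    param([Parameter(Mandatory)][string]$FsName, [int]$WarnDays = 30)

    $now     = Get-Date
    # Subject must carry CN=<Federation Service Name> as its own RDN.
    $pattern = 'CN=' + [regex]::Escape($FsName) + '(,|$)'

    foreach ($type in 'Token-Signing', 'Token-Decrypting', 'Service-Communications') {
        foreach ($entry in Get-AdfsCertificate -CertificateType $type) {
            $cert     = $entry.Certificate          # X509Certificate2 behind this AD FS role
            $daysLeft = [int]($cert.NotAfter - $now).TotalDays
            $issues   = @()

            if ($daysLeft -lt 0)             { $issues += 'expired' }
            elseif ($daysLeft -lt $WarnDays) { $issues += "expires in $daysLeft days" }

            # All three roles sign, decrypt or terminate WCF security with the private key,
            # so it has to be present on this federation server.
            if (-not $cert.HasPrivateKey) { $issues += 'no private key on this server' }

            # The service communication certificate (by default also the IIS SSL
            # certificate) must be issued to the Federation Service Name.
            if ($type -eq 'Service-Communications' -and $cert.Subject -notmatch $pattern) {
                $issues += "subject '$($cert.Subject)' is not the Federation Service Name"
            }

            [pscustomobject]@{
                Type       = $type
                Primary    = $entry.IsPrimary
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Status     = if ($issues) { $issues -join '; ' } else { 'OK' }
            }
        }
    }
}

Test-AdfsCertificates -FsName 'fs.example.com' | Format-Table -AutoSize
```

The IIS SSL binding itself is not inspected here; on AD FS 2.0 compare the thumbprint of the HTTPS binding in IIS with the Service-Communications row, since the table says they are the same certificate by default.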