Date posted: 14-Jan-2017
Uploaded by: vicente-rodriguez-eguibar

Federation Services

Basics and considerations

Eguibar Information Services S.L. © 2015, April 6th 2015

What is Federation Services?

AD FS is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet, using a claims-based system and policies. The result is a "trust relationship" between companies: each side relies on the other's federation service to authenticate its own users and to vouch for them with signed claims.


Do I need Federation Services?

- Single Sign-On (SSO)
- Web services
- Claim mapping
- Centralized federated partner management
- Extensible architecture


Components

Component: Description

Internet: The public Internet.
Public DMZ: Demilitarized zone. Published services are usually located here.
Site LAN: Internal local area network.
Site with Federation Server: Site where a FS server is located, usually as part of a FS farm.
Potential site for FS Proxy: Site without a FS server, but with a FS Proxy acting as the entry point for federation.
Site without FS servers: No FS server or proxy, but a potential candidate to become one.
Federation Services Proxy: FS Proxy server that enables secured external access to the internal Federation Services server.
Federation Services Server: The server that hosts the Federation Services on the internal network.
Stateful Firewall: Firewall used to secure the internal network and control the DMZ.


How does it work (Internal)

1. The user requests access to the APP/Service.
2. The APP/Service requires a token and sends the user to the FS.
3. The user requests a token from the FS.
4. The FS requests authentication from AD.
5. AD authenticates the user.
6. The FS issues the token.
7. The user presents the token to the APP/Service in order to get access.


How does it work (External)

1. The user requests access to the APP/Service.
2. The APP/Service requires a token; from outside, the user reaches the FS Proxy in the DMZ.
3. The FS Proxy forwards the request to the FS.
4. The FS requests authentication from AD.
5. AD authenticates the user.
6. The FS issues the token to the requesting FS Proxy.
7. The FS Proxy returns the token, which the user presents to the APP/Service.
8. The APP/Service grants access.
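The two "How does it work" flows above can be watched hop by hop from a client. The script below is an added example, not part of the original deck: it follows the passive (WS-Federation) sign-in one redirect at a time and reports which step produced what. It assumes the application at $AppUrl is a WS-Federation relying party, that the Federation Service Name is fs.contoso.com and that the internal federation servers accept Windows Integrated Authentication; all of those names are illustrative. Run from the Internet the same name resolves to the FS Proxy, which answers with a sign-in form instead of challenging for Windows credentials, and the script says so.

```powershell
# Added example, not part of the original deck: trace the passive sign-in from
# the "How does it work" slides by following every hop by hand.
# Assumptions (illustrative): $AppUrl is a WS-Federation relying party,
# fs.contoso.com is the Federation Service Name, internal FS nodes accept
# Windows Integrated Authentication.
param(
    [string]$AppUrl = 'https://claimsapp.contoso.com/',
    [string]$FsName = 'fs.contoso.com'
)
Add-Type -AssemblyName System.Web
$cookies = New-Object System.Net.CookieContainer   # carries the MSISAuth session cookies between hops

function Send-Hop {
    param([string]$Url, [string]$Method = 'GET', [string]$Body)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = $Method
    $req.AllowAutoRedirect = $false        # stop at every 302 so each step stays visible
    $req.UseDefaultCredentials = $true     # steps 4-5: Kerberos/NTLM to the FS on the user's behalf
    $req.CookieContainer = $cookies
    if ($Body) {
        $bytes = [Text.Encoding]::UTF8.GetBytes($Body)
        $req.ContentType = 'application/x-www-form-urlencoded'
        $req.ContentLength = $bytes.Length
        $s = $req.GetRequestStream(); $s.Write($bytes, 0, $bytes.Length); $s.Close()
    }
    try { $resp = $req.GetResponse() }
    catch [System.Net.WebException] { if ($_.Exception.Response) { $resp = $_.Exception.Response } else { throw } }
    $reader = New-Object IO.StreamReader($resp.GetResponseStream())
    $text = $reader.ReadToEnd(); $reader.Close(); $resp.Close()
    [pscustomobject]@{ Status = [int]$resp.StatusCode; Location = $resp.Headers['Location']; Content = $text }
}

# Step 1: the user asks the application for a protected page.
$r1 = Send-Hop -Url $AppUrl

# Step 2: no token yet, so the application sends the user to the FS passive
# endpoint (/adfs/ls/) with wa=wsignin1.0 and wtrealm=<the application's realm>.
if ($r1.Status -ne 302 -or $r1.Location -notmatch "^https://$([regex]::Escape($FsName))/adfs/ls/") {
    throw "Expected a redirect to https://$FsName/adfs/ls/, got HTTP $($r1.Status) Location=$($r1.Location)"
}
$query = [System.Web.HttpUtility]::ParseQueryString(([uri]$r1.Location).Query)
"Step 2: wa=$($query['wa']) wtrealm=$($query['wtrealm'])"

# Step 3: the user requests the token from the FS (externally: from the FS Proxy,
# which forwards it). Steps 4-5 happen inside this request: the FS authenticates
# the user against AD.
$r2 = Send-Hop -Url $r1.Location
if ($r2.Content -match 'name="wresult"\s+value="([^"]+)"') {
    # Step 6: the FS issued a token. It comes back as an auto-posting HTML form whose
    # hidden wresult field holds the RSTR with the signed SAML token.
    $token  = [System.Web.HttpUtility]::HtmlDecode($Matches[1])
    $action = [regex]::Match($r2.Content, 'action="([^"]+)"').Groups[1].Value
    $signer = [regex]::Match($token, 'X509Certificate>([^<]+)<').Groups[1].Value
    "Step 6: token issued, signed with the token-signing certificate (base64 starts $($signer.Substring(0, [Math]::Min(16, $signer.Length)))...)"
} elseif ($r2.Content -match 'name="(UserName|Password)"') {
    throw 'The FS Proxy answered with its forms-based sign-in page; this trace only covers Windows Integrated Authentication on the LAN.'
} else {
    throw "No token in the response (HTTP $($r2.Status)): check that the FS accepted the credentials and that wtrealm is a known relying party."
}

# Step 7: the browser posts the form back to the application, which validates the
# signature against the token-signing certificate and then grants access.
$form = 'wa=wsignin1.0&wresult=' + [uri]::EscapeDataString($token) + '&wctx=' + [uri]::EscapeDataString([string]$query['wctx'])
$target = (New-Object System.Uri -ArgumentList @(([uri]$r1.Location), $action)).AbsoluteUri
$r3 = Send-Hop -Url $target -Method POST -Body $form
"Step 7: application answered HTTP $($r3.Status) (302 back to the requested page, with its own session cookie, means access was granted)"
```

Run it as the domain user whose sign-in you want to trace; a 401 at step 3 that never turns into a form means the FS did not get a usable Kerberos ticket, which is usually the SPN or DNS problem covered on the Federation Service Name slide.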


Windows Internal Database

- Maximum of 5 federation servers in the farm.
- Only one database copy (the primary server's) is writable.
- Automatic pull replication of the database to the secondary servers.
- 100 trust relationships or fewer.

Diagram: Federation Services using WID (Windows Internal Database). The primary server holds the read/write WID; each secondary server holds a read-only WID copy and pulls changes from the primary every 5 minutes.


SQL Server

- Database handled by SQL Server.
- All instances are writable and can support more than 100 trust relationships.
- SQL Server provides fault tolerance and redundancy.
- No federation server limit.
- Support for token replay detection (a security feature) and artifact resolution (part of the Security Assertion Markup Language (SAML) 2.0 protocol). Both store per-token state that every node in the farm must be able to write, which the single writable copy of WID cannot provide.

Diagram: Federation Services using SQL Server. Each federation server reads and writes the shared configuration database on SQL Server, which in turn provides the fault tolerance and redundancy.
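The WID and SQL Server slides give limits that are easy to drift past on a farm that has grown. The script below is an added example, not part of the original deck: it reads which backend this node uses, counts the trusts against the 100-trust WID limit, checks the pull replication state on a WID secondary, and only offers to enable token replay detection when the backend is SQL Server. It assumes the AD FS cmdlets are loaded (Import-Module ADFS on Windows Server 2012 R2 and later, Add-PSSnapin Microsoft.Adfs.PowerShell on AD FS 2.0) and is run elevated on a federation server; the 60-minute replay cache is an illustrative choice.

```powershell
# Added example, not part of the original deck: check this node against the
# WID and SQL Server limits from the slides. Run elevated on a federation
# server with the AD FS cmdlets loaded. The replay-cache interval is illustrative.
param([switch]$EnableReplayDetection)   # only acted on when the backend is SQL Server

# The configuration database connection string is published through WMI.
$sts   = Get-WmiObject -Namespace 'root\ADFS' -Class SecurityTokenService
$conn  = $sts.ConfigurationDatabaseConnectionString
$isWid = $conn -match 'MICROSOFT##WID|MICROSOFT##SSEE'   # WID named-pipe instance names (2012+ / 2008)
"Configuration DB : $conn"
"Backend          : " + $(if ($isWid) { 'Windows Internal Database' } else { 'SQL Server' })

# Trust count against the "100 trust relationships or fewer" WID limit.
$rp = @(Get-AdfsRelyingPartyTrust).Count
$cp = @(Get-AdfsClaimsProviderTrust).Count
"Trusts           : $rp relying party + $cp claims provider = $($rp + $cp)"
if ($isWid -and ($rp + $cp) -gt 100) { Write-Warning 'More than 100 trusts on WID: plan the move to SQL Server.' }

if ($isWid) {
    # Only the primary holds the writable copy; secondaries pull every PollDuration
    # seconds (default 300, the "pull every 5 mins" on the slide).
    $sync = Get-AdfsSyncProperties
    "Role             : $($sync.Role)  primary=$($sync.PrimaryComputerName)  poll=$($sync.PollDuration)s"
    if ($sync.Role -eq 'SecondaryComputer') {
        "Last pull        : $($sync.LastSyncTime) status=$($sync.LastSyncStatus) (0 means the last pull succeeded)"
        if ($sync.LastSyncStatus -ne 0 -or $sync.LastSyncTime -lt (Get-Date).AddSeconds(-2 * $sync.PollDuration)) {
            Write-Warning 'This secondary has not pulled recently; its trusts and certificates may be stale.'
        }
    }
}

# Token replay detection needs the shared SQL database (every node must see the
# token IDs already presented); on WID there is nothing to enable it against.
$props = Get-AdfsProperties
"Replay detection : $($props.PreventTokenReplays) (cache $($props.ReplayCacheExpirationInterval))"
if ($EnableReplayDetection) {
    if ($isWid) {
        Write-Warning 'Replay detection is not supported on WID; migrate to SQL Server first.'
    } else {
        Set-AdfsProperties -PreventTokenReplays $true -ReplayCacheExpirationInterval (New-TimeSpan -Minutes 60)
        'Replay detection enabled: a token presented a second time within 60 minutes is rejected.'
    }
}
```

Without -EnableReplayDetection the script only reports. A farm that moved to SQL Server keeps the default of replay detection switched off, so the check is worth running after the migration, not just before it.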


Selecting and Utilizing a Federation Service Name

- The Federation Service Name must never equal any machine name in the Active Directory forest when you are deploying an AD FS 2.0 farm.
- The HOST/<Federation Service Name> SPN must be registered to the AD FS 2.0 service account.
- The subject of all SSL certificates in the farm, including all Federation Servers and Federation Server Proxies, must use the Federation Service Name.
- The subject of the Service Communications certificate must use the Federation Service Name.
- The Federation Service Name must be registered as a host (A) record in DNS, not as a CNAME, so that clients request a Kerberos ticket for HOST/<Federation Service Name> rather than for an individual node.
- The Federation Service Name must be set in the Federation Service Properties.
- When directing clients, whether passive (typically browser clients) or active (rich clients), to the Federation Service, the host name the clients use must be the Federation Service Name.
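Most of the rules above can be verified against a running farm rather than by inspection. The script below is an added example, not part of the original deck: it reads the configured Federation Service Name, looks for a colliding computer object in every domain of the forest, checks that HOST/<name> is registered on the account the adfssrv service runs as (and on nothing else), checks that DNS answers with an A record rather than a CNAME, and lists enabled endpoints published under a different host name. It assumes the AD FS cmdlets and the ActiveDirectory RSAT module are available; fs.contoso.com and svc_adfs are illustrative. The certificate-subject rules are left to the Certificates slide.

```powershell
# Added example, not part of the original deck: verify the Federation Service
# Name requirements on a running farm. Needs the AD FS cmdlets and the
# ActiveDirectory RSAT module; names like fs.contoso.com are illustrative.
Import-Module ActiveDirectory

$fsName    = (Get-AdfsProperties).HostName          # the name set in the Federation Service properties
$shortName = $fsName.Split('.')[0]
"Federation Service Name: $fsName"

# 1. The name must not equal any machine name in the forest (farm nodes included):
#    a matching computer object would already own HOST/<name> SPNs.
foreach ($domain in (Get-ADForest).Domains) {
    $clash = Get-ADComputer -Filter "Name -eq '$shortName' -or DNSHostName -eq '$fsName'" -Server $domain
    if ($clash) { Write-Warning "Computer object $($clash.DistinguishedName) collides with the Federation Service Name" }
}

# 2. HOST/<Federation Service Name> must be registered on the AD FS service account
#    (the identity adfssrv runs as) and on no other object.
$svcAccount = (Get-WmiObject Win32_Service -Filter "Name='adfssrv'").StartName   # e.g. CONTOSO\svc_adfs or CONTOSO\gmsa_adfs$
$sam    = $svcAccount.Split('\')[-1]
$owners = @(Get-ADObject -Filter "servicePrincipalName -eq 'HOST/$fsName'" -Properties sAMAccountName)
switch ($owners.Count) {
    0       { Write-Warning "HOST/$fsName is not registered; fix with: setspn -S HOST/$fsName $sam" }
    1       { if ($owners[0].sAMAccountName -ne $sam) { Write-Warning "HOST/$fsName belongs to $($owners[0].sAMAccountName), not to the service account $sam" }
              else { "SPN HOST/$fsName is registered to $sam" } }
    default { Write-Warning "HOST/$fsName is registered on $($owners.Count) objects (duplicate SPN); Kerberos to the FS will fail" }
}

# 3. The name must resolve through a host (A) record. With a CNAME, clients may
#    canonicalize it and ask for a ticket for the node's name instead of
#    HOST/<Federation Service Name>, which breaks Windows Integrated Authentication.
$dns = Resolve-DnsName -Name $fsName -ErrorAction Stop
if ($dns | Where-Object Type -eq 'CNAME') { Write-Warning "$fsName is a CNAME; use an A record (or the load balancer VIP) instead" }
"$fsName -> " + (($dns | Where-Object Type -eq 'A' | ForEach-Object IPAddress) -join ', ')

# 4. Passive and active clients must use this exact name; the published endpoints
#    show what the farm actually tells them to use.
Get-AdfsEndpoint | Where-Object Enabled | Where-Object { $_.FullUrl.Host -ne $fsName } |
    ForEach-Object { Write-Warning "Endpoint $($_.FullUrl) is published under a different host name" }
```

A duplicate SPN (case 'default' above) is the failure that is hardest to see from the client side: Kerberos silently fails and the FS falls back to NTLM or to a forms prompt, which is why the check compares the SPN owner with the service identity rather than only testing that the SPN exists.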


Certificates

Certificate type: Description

Token-signing certificate: An X.509 certificate. Federation servers use the associated public/private key pair to digitally sign all security tokens that they produce. This includes signing the published federation metadata and artifact resolution requests.

Service communications certificate: Federation servers use a server authentication certificate, also known as the service communications certificate, for Windows Communication Foundation (WCF) message security. By default, this is the same certificate that a federation server uses as the Secure Sockets Layer (SSL) certificate in Internet Information Services (IIS).

Secure Sockets Layer (SSL) certificate: Federation servers use an SSL certificate to secure web services traffic for SSL communication with web clients and with federation server proxies.

Token-decryption certificate: This certificate is used to decrypt tokens that are received by this federation server (partners encrypt them with its public key, so only the holder of the private key can read the claims).
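The four roles in the table are the ones to inventory before a renewal, because relying parties trust whichever signing certificate the farm publishes in its metadata, not whatever happens to be installed. The script below is an added example, not part of the original deck: it lists the token-signing, token-decrypting and service communications certificates with their expiry, checks that the service communications and SSL certificates carry the Federation Service Name (the name rule from the previous slide), and compares the local token-signing thumbprints with the signing certificates published in the farm's federation metadata. It assumes the AD FS cmdlets are loaded on a federation server; fs.contoso.com, the 30-day warning window and the metadata URL built from the Federation Service Name are illustrative.

```powershell
# Added example, not part of the original deck: inventory the certificate roles
# from the table, check names and expiry, and compare the token-signing
# certificate with the one published in the federation metadata.
# Run on a federation server with the AD FS cmdlets loaded; fs.contoso.com is illustrative.
$fsName   = (Get-AdfsProperties).HostName
$warnDays = 30

function Get-CertNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Subject CN plus every DNS entry of the Subject Alternative Name extension (OID 2.5.29.17).
    $names = @([regex]::Match($Cert.Subject, 'CN=([^,]+)').Groups[1].Value)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value } }
    $names | Where-Object { $_ }
}

# Token-signing, token-decrypting and service communications certificates are managed by AD FS.
foreach ($type in 'Token-Signing', 'Token-Decrypting', 'Service-Communications') {
    foreach ($entry in Get-AdfsCertificate -CertificateType $type) {
        $c = $entry.Certificate
        '{0,-23} {1} primary={2} expires={3:yyyy-MM-dd} subject={4}' -f $type, $c.Thumbprint, $entry.IsPrimary, $c.NotAfter, $c.Subject
        if ($c.NotAfter -lt (Get-Date).AddDays($warnDays)) { Write-Warning "$type $($c.Thumbprint) expires on $($c.NotAfter)" }
        if ($type -eq 'Service-Communications' -and (Get-CertNames $c) -notcontains $fsName) {
            Write-Warning "Service communications certificate does not carry $fsName (names: $((Get-CertNames $c) -join ', '))"
        }
    }
}

# The SSL certificate is bound in AD FS itself from Windows Server 2012 R2 on, in IIS before that.
if (Get-Command Get-AdfsSslCertificate -ErrorAction SilentlyContinue) {
    $sslHashes = Get-AdfsSslCertificate | ForEach-Object CertificateHash
} else {
    Import-Module WebAdministration
    $sslHashes = Get-WebBinding -Protocol https | ForEach-Object certificateHash
}
foreach ($hash in $sslHashes | Sort-Object -Unique) {
    $ssl = Get-Item "Cert:\LocalMachine\My\$hash"
    "SSL binding             $hash expires=$($ssl.NotAfter.ToString('yyyy-MM-dd')) names=$((Get-CertNames $ssl) -join ', ')"
    if ((Get-CertNames $ssl) -notcontains $fsName) { Write-Warning "SSL certificate $hash does not carry $fsName" }
}

# What relying parties will see: the signing certificate in the published metadata
# must be the one the farm signs with. After a rollover, partners that keep the old
# metadata reject every token until they refresh it.
$metadata = [xml](Invoke-WebRequest -Uri "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml" -UseBasicParsing).Content
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$published = $metadata.SelectNodes('//md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns) |
    ForEach-Object { (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[Convert]::FromBase64String($_.InnerText))).Thumbprint } |
    Sort-Object -Unique
$local = Get-AdfsCertificate -CertificateType Token-Signing | ForEach-Object { $_.Certificate.Thumbprint }
"Published signing certificates: $($published -join ', ')"
foreach ($t in $local) { if ($published -notcontains $t) { Write-Warning "Local token-signing certificate $t is not in the published metadata" } }
```

The metadata comparison is the part worth automating: a secondary node whose WID pull has fallen behind can sign with a certificate the primary no longer publishes, and the first symptom is partners rejecting tokens from one node only.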


The Big Picture

FS farm & FS proxy (diagram): six sites (Site01 to Site06) connected over the internal WAN; some sites host an AD FS farm, others an FS Proxy placed behind a firewall as the entry point for external access.


