SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Date post: 24-Dec-2015
Page 1: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Active Directory Federation Services, Part 1: How Do They Really Work?

John Craddock ([email protected]), Infrastructure and Security Architect, XTSeminars Ltd

SIM402

Page 2: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Application Authentication

Within your environment Windows Authentication provides single sign-on for all applications

Windows Authentication provides details of the authenticated user and group membership

Page 3: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Developer Challenges

If the developer wants information about the user that is held in Active Directory, the application has to extract the attribute values itself

• Developer must understand AD
• Hardcoded LDAP query strings
• Continual reinvention of the wheel

Add something about SQL

Page 4: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Access from the Internet

Without a VPN, DirectAccess or authentication proxy solution:

• Kerberos fails
• Requires developers to use a different authentication model

Kerberos, NTLM, Basic, Digest,

Forms?

Page 5: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Application in the Cloud

How do we handle authentication if we move an enterprise application to the Cloud?

The Microsoft BPOS dedicated service co-locates the organisation’s AD directory

Your DCs are hosted in the Microsoft datacentre

Page 6: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Allowing Access by Partners

Requires YOU to hold account and profile details for all of your partner’s users that need to access the application

YOU must manage the life-cycle of those users. Does your partner keep you informed of changes?

The partner’s users need to remember yet another password

[Diagram: your organization and the partner organization]

Page 7: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

The Answer

• Create an identity (includes authentication) framework that can be consumed by all applications regardless of their location
• Allow an identity token to carry more information than just the user and group memberships
• Trust your partners to authenticate their users
• Solution based on industry standard protocols
• Make it work for browsers and web services

Page 8: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

The Solution

Many players in the game… The Microsoft solution:

• Active Directory Federation Services
• The latest release is AD FS v 2.0

Federation of Identity

Page 9: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Key Concepts

[Diagram: identity provider, user and relying party]

• Identity Provider (IP): Active Directory plus a Security Token Service (STS); together they are the issuer (IP-STS)
• User / Subject / Principal: requests a token for AppX; the IP-STS authenticates the user and issues a Security Token crafted for AppX
• Relying party (RP) / Resource provider (AppX): trusts the Security Token from the issuer and uses it to authenticate the user
• The Security Token (ST) is signed by the issuer and contains claims about the user, for example:
  • Name
  • Group membership
  • User Principal Name (UPN)
  • Email address of user
  • Email address of manager
  • Phone number
  • Other attribute values
• The Security Token “authenticates” the user to the application

Page 10: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Claims-Aware Application

The application makes authorization decisions based on the claims contained in the security token

No longer required to make authentication decisions

Same authorisation logic whether the application is deployed on the intranet or as a Cloud service

Same logic whether it receives claims for its own organization’s users or for users from trusted partners

Page 11: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Building Claims-Aware Applications

Windows Identity Foundation (WIF) provides a common programming model for claims

• Used by Windows Communication Foundation (WCF) and ASP.NET applications
• Validates the incoming security token and parses the claims that are inside

SharePoint Services and SharePoint 2010 can be enabled to support claims-based identity

Configured via wizard and PowerShell

Page 12: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Standards and Protocols

ADFS v 2.0 supports both active and passive clients
• Active clients interact via web services
• Passive clients interact via browser requests

Support for industry standard protocols allows interoperability with third-party solutions

• WS-Federation (SharePoint requires WS-Federation v 2)
• WS-Trust
• SAML: SAML refers to both a format for the security token and a protocol (SAML-P)
• SAML 1.1 and 2.0 tokens can be transported by WS-*

Page 13: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Demo: Federation, the user experience

Page 14: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Passive Client Flow (passive client, ADFS STS, claims-aware app, Active Directory)

1. Our user browses to the app
2. Not authenticated: the browser is redirected to the STS
3. The user authenticates to the STS
4. The STS queries Active Directory for user attributes
5. The STS returns the Security Token (ST) to the browser
6. The browser sends the token to the app; the app trusts the STS
7. The app returns cookies and the page

Page 15: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Working with Partners (passive client, your ADFS STS, your claims-aware app, your Active Directory, partner user, partner ADFS STS & IP)

1. The partner user browses to your app
2. Not authenticated: the browser is redirected to your STS
3. Home realm discovery: your STS redirects the browser to the partner STS, requesting an ST for the partner user
4. The partner user authenticates to the partner STS
5. The partner STS returns an ST for consumption by your STS
6. Your STS processes the token and returns a new ST
7. The browser sends the new token to your app
8. The app returns cookies and the page

The app trusts your STS; your STS trusts your partner’s STS
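The passive sign-in sequence of pages 14 and 15, modelled as an added example in Python (not code from the talk or from AD FS): app1.example.com, sts1.example.com and partner.example.org are placeholder hosts, the WS-Federation query parameters (wa, wtrealm, wctx, whr) are the real ones, and the security token is a plain dict standing in for the signed XML a real STS returns.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholders for APP1, your STS and one partner STS (a claims provider trust).
APP_REALM = "https://app1.example.com/"
YOUR_STS_URL = "https://sts1.example.com/adfs/ls/"
YOUR_STS_ID = "http://sts1.example.com/adfs/services/trust"
PARTNER_STS_URL = {"partner.example.org": "https://sts.partner.example.org/adfs/ls/"}

def app_request(session, path):
    # Page 14, steps 1-2: without a session cookie the user is "not authenticated", so the app
    # sends the browser to its STS with a WS-Federation sign-in request; wctx remembers the page.
    if session.get("user"):
        return ("page", path)
    query = {"wa": "wsignin1.0", "wtrealm": APP_REALM, "wctx": path}
    return ("redirect", YOUR_STS_URL + "?" + urlencode(query))

def sts_home_realm(signin_url, whr=None):
    # Page 15, step 3 (home realm discovery): a partner user (here picked via the whr hint) is
    # redirected to the partner STS with your STS as the realm, so the partner's ST is issued
    # for your STS to consume; anyone else authenticates locally against your AD.
    query = {k: v[0] for k, v in parse_qs(urlsplit(signin_url).query).items()}
    if query.get("wa") != "wsignin1.0" or "wtrealm" not in query:
        raise ValueError("not a WS-Federation sign-in request")
    if whr in PARTNER_STS_URL:
        chained = {"wa": "wsignin1.0", "wtrealm": YOUR_STS_ID, "wctx": signin_url}
        return ("redirect", PARTNER_STS_URL[whr] + "?" + urlencode(chained))
    return ("authenticate-locally", query["wtrealm"], query.get("wctx", "/"))

def app_signin_response(form):
    # Page 14, steps 6-7: the browser posts the ST back (wresult). The app accepts it only if it
    # came from the STS it trusts and was crafted for this app, then sets the session cookie
    # and returns the page named in wctx. The ST is a dict here; a real one is signed XML
    # whose signature is checked against the issuer's token-signing certificate.
    if form.get("wa") != "wsignin1.0":
        raise ValueError("unexpected wa value")
    st = form["wresult"]
    if st.get("issuer") != YOUR_STS_ID or st.get("audience") != APP_REALM:
        raise ValueError("token not issued by the trusted STS for this application")
    session = {"user": st["claims"]["upn"], "roles": list(st["claims"].get("roles", []))}
    return session, ("redirect", form.get("wctx", "/"))
```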

Page 16: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

X.509 Certificates

Trust is managed through certificates. Certificates are needed for:

• HTTPS communications
• Security token signing and encryption

Require PKI for A & B certificates; C & D can be self-signed

[Diagram: relying party and issuer]
• A: relying party communication (HTTPS) certificate, chained to Root for A
• B: issuer communication (HTTPS) certificate, chained to Root for B
• C: token signing certificate held by the issuer; the relying party holds the public key of C to verify the signed ST
• D: token encryption certificate held by the relying party; the issuer holds the public key of D to encrypt the ST

Page 17: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Federation Metadata

During the establishment of the issuer / relying party trust, both parties require configuration which includes:

• End-points for communication
• Claims offered by the issuer
• Claims accepted by the relying party
• Public keys for signing and encryption

This information can be configured manually or automatically via the exchange of federation metadata

Federation metadata can be automatically updated
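An added example (not from the talk or from AD FS) of reading the values listed above out of a federation metadata document: the EntityDescriptor below is constructed, sts1.example.com is a placeholder, and "QUJD" stands in for a real base64 certificate; the XML namespaces are the real WS-Federation and SAML metadata ones.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
      "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
      "wsa": "http://www.w3.org/2005/08/addressing",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed, cut-down FederationMetadata.xml for a hypothetical STS; "QUJD" stands in for a real cert.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
    xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="http://sts1.example.com/adfs/services/trust">
  <md:RoleDescriptor xsi:type="fed:SecurityTokenServiceType">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>QUJD</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <fed:ClaimTypesOffered>
      <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"/>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"/>
    </fed:ClaimTypesOffered>
    <fed:PassiveRequestorEndpoint><wsa:EndpointReference>
      <wsa:Address>https://sts1.example.com/adfs/ls/</wsa:Address>
    </wsa:EndpointReference></fed:PassiveRequestorEndpoint>
  </md:RoleDescriptor>
</md:EntityDescriptor>"""

def parse_federation_metadata(xml_text):
    # Pulls out what a claims provider trust is configured from: entity id, passive
    # endpoint, claims offered and the thumbprint of each token-signing certificate.
    root = ET.fromstring(xml_text)
    sts = [r for r in root.findall("md:RoleDescriptor", NS)
           if r.get(XSI_TYPE, "").endswith("SecurityTokenServiceType")]
    if not sts:
        raise ValueError("no SecurityTokenServiceType role descriptor in metadata")
    certs = [c.text.strip() for c in sts[0].findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("metadata carries no token-signing certificate; trust cannot be established")
    return {
        "entity_id": root.get("entityID"),
        "passive_endpoint": sts[0].findtext(
            "fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", namespaces=NS),
        "claims_offered": [c.get("Uri") for c in sts[0].findall("fed:ClaimTypesOffered/auth:ClaimType", NS)],
        # SHA-1 over the DER bytes: the thumbprint the ADFS console shows for the certificate.
        "signing_thumbprints": [hashlib.sha1(base64.b64decode(c)).hexdigest().upper() for c in certs],
    }
```

Because the signing key imported from the metadata becomes the trust anchor for every token the partner issues, fetch the document only over HTTPS from the partner's host (or verify the metadata's own signature) before importing it, automatically or not.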

Page 18: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Installing ADFS

• Requires Windows Server 2008 / 2008 R2
• Requires IIS 7, .NET 3.5 SP1, WIF
• See the deployment guide for required hot fixes and updates
• Issue and install server certificates for HTTPS
• Download and install ADFS 2.0
• Simple wizard: new / farm member / proxy, SSL cert (more details later)

Page 19: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Configuration

Relationships between APP1 and STS1 are established through the exchange of federation metadata

Can be manually configured

[Diagram: APP1 (claims-aware application), STS1 (ADFS 2.0), Active Directory]
• On STS1: define AD as claims provider; define APP1 as relying party
• On APP1: define STS1 as claims provider

Page 20: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Demo: Configuring WSS 3.0 as a relying party

Page 21: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Requirements

• SharePoint Services SP2 or Microsoft Office SharePoint Server (MOSS) 2007 SP2
• Microsoft Federation Extensions for SharePoint 3.0

Page 22: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Processing Claims Rules

Claims Pipeline: AD → Claims Provider Trust → Relying Party Trust → ST → RP

Claims Provider Trusts
• Acceptance Transform rules: specify the incoming claims that will be accepted from the claims provider and passed to the pipeline

Relying Party Trusts
• Issuance Authorization rules: specify the users that are permitted to access the relying party (Permit or Deny)
• Issuance Transform rules: on Permit, specify the claims that will be sent to the relying party; on Deny, they are not processed

Page 23: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Claim Rules

Rule templates simplify the creation of rules. Examples of rules are:

• Permit / deny user based on incoming claim value
• Transform the incoming claim value
• Pass through / filter an incoming claim

Multiple claim rules can be specified and are processed in top to bottom order

Results from previously processed claims can be used as the input for subsequent rules

Page 24: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Creating Rules

A claim rule consists of two parts, a condition and an issuance statement:

Condition => Issuance Statement

Page 25: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Custom Claims

Capabilities of custom rules include:

• Sending claims from a SQL attribute store
• Sending claims from an LDAP attribute store using a custom LDAP filter
• Sending claims from a custom attribute store
• Sending claims only when 2 or more incoming claims are matched
• Sending claims only when an incoming claim matches a complex value
• Sending claims with complex changes to an incoming claim value
• Creating claims for use in later rules

Page 26: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Claim Rule Language

The claim rule language consists of: Condition => Issuance Statement

Pass through all role claims:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"]
=> issue(claim = c);

Change the value of the role claim SalesStaff to Purchasers:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value =~ "^(?i)SalesStaff$"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = "Purchasers", ValueType = c.ValueType);
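An added example, not code from the talk or from AD FS, that models the pipeline of pages 22 to 24 and runs the two rules above through it: the role and permit claim types are the real AD FS URIs, the "permit only Purchasers" authorization rule is constructed, and the engine is a simplification (issue() adds to both the input and output sets, identical claims are collapsed).

```python
import re

ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
PERMIT = "http://schemas.microsoft.com/authorization/claims/permit"
DENY = "http://schemas.microsoft.com/authorization/claims/deny"

def claim(type_, value, issuer="AD AUTHORITY", original_issuer=None):
    # A claim as the pipeline sees it: type URI, value and who issued it.
    return {"Type": type_, "Value": value, "Issuer": issuer,
            "OriginalIssuer": original_issuer or issuer}

def cond(type_, value_regex=None):
    # The condition part, c:[Type == "...", Value =~ "..."], as a matcher over one claim.
    # .NET accepts "^(?i)..." but Python 3.11+ wants inline global flags first, so hoist them.
    rx = re.compile(re.sub(r"^\^(\(\?[a-z]+\))", r"\1^", value_regex)) if value_regex else None
    return lambda c: c["Type"] == type_ and (rx is None or rx.search(c["Value"]) is not None)

def run_rules(rules, incoming):
    # Rules run top to bottom. issue() puts a claim in the output set and back into the
    # input set, so later rules can match on it; identical claims are kept once.
    inputs, output = list(incoming), []
    for matcher, issue in rules:
        for c in [c for c in inputs if matcher(c)]:
            new = issue(c)
            if new not in output:
                output.append(new)
            if new not in inputs:
                inputs.append(new)
    return output

def pipeline(acceptance, authorization, issuance, incoming):
    accepted = run_rules(acceptance, incoming)       # claims provider trust
    decisions = run_rules(authorization, accepted)   # relying party trust: permit or deny
    if any(d["Type"] == DENY for d in decisions) or not any(d["Type"] == PERMIT for d in decisions):
        return None                                  # denied: processing ends, no token
    return run_rules(issuance, accepted)             # relying party trust: what goes in the ST

# The two rules from the slide: pass through all role claims; rename SalesStaff to Purchasers.
pass_through_roles = (cond(ROLE), lambda c: dict(c))
sales_to_purchasers = (cond(ROLE, r"^(?i)SalesStaff$"),
                       lambda c: claim(ROLE, "Purchasers", c["Issuer"], c["OriginalIssuer"]))
# Constructed authorization rule (not on the slide): permit only holders of the Purchasers role.
permit_purchasers = (cond(ROLE, r"^(?i)Purchasers$"), lambda c: claim(PERMIT, "true"))

def token_roles(roles, transform_on_acceptance=False):
    # Role values in the issued ST, or None when denied. Renaming during issuance happens after
    # authorization, so a SalesStaff-only user is denied unless the rename is done on acceptance.
    acceptance = [pass_through_roles] + ([sales_to_purchasers] if transform_on_acceptance else [])
    token = pipeline(acceptance, [permit_purchasers], [pass_through_roles, sales_to_purchasers],
                     [claim(ROLE, r) for r in roles])
    return None if token is None else [c["Value"] for c in token]
```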

Page 27: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Demo: Creating rules to allow access to SharePoint

Page 28: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

How do we Let Partners in?

So far we have looked at supporting claims-aware apps within your organization:

• Creating an identity (includes authentication) framework that can be consumed by all applications regardless of their location
• Allowing the identity token to carry more information than just the user and group memberships

To allow partners to access our systems we must trust them to authenticate their users

Page 29: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Federated Identity

Your STS now trusts your partner to provide a security token containing claims for their users

Your STS is no longer responsible for identifying the user but still processes the claims from the partner as previously described

[Diagram: partner organization and your organization]
• Partner ADFS STS & IP: holds a Relying Party Trust for your ADFS STS
• Your ADFS STS: holds a Claims Trust for the partner STS and a Relying Party Trust for Relying Party x
• Relying Party x: holds a Claims Trust for your ADFS STS

Page 30: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Summary

[Diagram: partner user, partner STS, your organization’s ADFS Security Token Service (STS), Relying Party x]

1. Partner user: the client requests a token for access to Relying Party x; the partner STS issues an ST for the user
2. Your organization’s ADFS receives the ST from the partner STS; the ST is trusted via the Claims Trust
3. Processes Acceptance Transform rules
4. Processes Issuance Authorization rules
5. If allowed, processes Issuance rules and returns a token for Relying Party x (Relying Party Trust)
6. If denied, processing ends

Page 31: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Working with Partners, recap (passive client, your ADFS STS, your claims-aware app, your Active Directory, partner user, partner ADFS STS & IP)

1. The partner user browses to your app
2. Not authenticated: the browser is redirected to your STS
3. Home realm discovery: your STS redirects the browser to the partner STS, requesting an ST for the partner user
4. The partner user authenticates to the partner STS
5. The partner STS returns an ST for consumption by your STS
6. Your STS processes the token and returns a new ST
7. The browser sends the new token to your app
8. The app returns the page and cookie

Page 32: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Remember the Benefits

• Claims provide a framework that can be consumed by all applications regardless of their location
• Allows the identity token to carry more information than just the user and group memberships
• Your trusted partners manage the identity and authentication of their users
• The solution is based on industry standard protocols
• Works for browsers and web services

Page 33: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

What Next?

Build a test lab and try the Microsoft ADFS step-by-step guides

How To Set Up The AD FS 2.0 Lab Environment for Federated Collaboration

Hyper-V images available for download

Federated Document Collaboration Using Microsoft Office SharePoint Server 2007 and AD FS 2.0

Read the ADFS Design and Deployment guides

Read AD FS blogs

Page 34: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

More on ADFS and Federation

XTSeminars one-day event:Federation and Federated [email protected] for more information

Get your local Microsoft subsidiary to run the event!

Page 35: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Consulting Services on Request

[email protected]

John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems, with a focus on security and high availability. He has been a key player in many IT projects for industry leaders, including Microsoft, the UK Government and multinationals, that require optimized IT systems. He has developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory internals, and presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars. www.xtseminars.co.uk

Page 36: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Related Content

• SIM401 | Active Directory Federation Services 2.0 Deep Dive: Deploying a Highly Available Infrastructure
• OSP308 | Claims Identity in Microsoft SharePoint 2010
• MID342-HOL | Use the Windows Azure AppFabric Access Control Service to Federate with Multiple Business Identity Providers
• SIM399-HOL | Managing Claims Authentication Using Microsoft Forefront Identity Manager 2010
• SIM377-INT | Claims-Based Identity

Page 37: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Track Resources

Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward.

You can also find the latest information about our products at the following links:

Windows Azure - http://www.microsoft.com/windowsazure/

Microsoft System Center - http://www.microsoft.com/systemcenter/

Microsoft Forefront - http://www.microsoft.com/forefront/

Windows Server - http://www.microsoft.com/windowsserver/

Cloud Power - http://www.microsoft.com/cloud/

Private Cloud - http://www.microsoft.com/privatecloud/

Page 38: SIM402. Kerberos, NTLM, Basic, Digest, Forms?

Resources

www.microsoft.com/teched: Sessions On-Demand & Community

www.microsoft.com/learning: Microsoft Certification & Training Resources

http://microsoft.com/technet: Resources for IT Professionals

http://microsoft.com/msdn: Resources for Developers

http://northamerica.msteched.com: Connect. Share. Discuss.
