
Matt Steele Senior Program Manager Microsoft Corporation


Presentation Transcript


  1. SESSION CODE: SIA326 Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown Matt Steele Senior Program Manager Microsoft Corporation

  2. Agenda • Overview • Deploying AD FS 2.0 • AD FS 2.0 Interoperability • Claim Transformation Engine

  3. Business Ready Security
  Help securely enable business by managing risk and empowering people, across on-premises & cloud
  • Pillars: Identity, Access, Protection, Management, on a Highly Secure & Interoperable Platform
  • Protect everywhere, access anywhere
  • Integrate and extend security across the enterprise
  • Simplify the security experience, manage compliance
  • from: Block, Cost, Siloed; to: Enable, Value, Seamless

  4. Identity and Access Management
  Enable more secure, identity-based access to applications on-premises and in the cloud from virtually any location or device
  • PROTECT everywhere, ACCESS anywhere
  • INTEGRATE and EXTEND security
  • SIMPLIFY security, MANAGE compliance
  • Provide more secure, always-on access
  • Enable access from virtually any device
  • Control access across organizations
  • Provide standards-based interoperability
  • Extend powerful self-service capabilities to users
  • Automate and simplify management tasks

  5. Business Ready Security Solutions
  • Secure Messaging
  • Secure Collaboration
  • Secure Endpoint
  • Information Protection
  • Identity and Access Management

  6. Current Challenges with Federated Identity
  • Managing trust relationships is hard
    • Setup is complex and error prone
    • Manual changes cause outages
  • Requirements for claim transformation vary
    • Many organizations need the ability to perform complex claim transforms
  • Standards do not guarantee interoperability
    • WS-Federation widely supported
    • SAML widely implemented, but not in AD FS 1.x

  7. Challenges with Identity in the Cloud
  • SSO with corporate credentials
    • Painful to manage separate corporate and cloud credentials
  • Password policy
  • Role-based administration
  • Strong authentication

  8. What is AD FS 2.0?
  • Security Token Service for AD
    • Identity & federation provider
  • Federation Trust Manager
    • Automates trust management using metadata
    • Robust claims transformation capabilities
  • Standards Based and Interoperable
    • WS-* & SAML 2.0 protocols
    • SAML 1.1 & 2.0 tokens
    • SAML and WS-Federation Metadata
  • Enables SSO across organizations and to the cloud

  9. Typical Cross-Org Deployment
  [Diagram: two AD FS 2.0 instances linked by a trust, an Application (WIF, WCF, ASP.Net) and Online Services in the Cloud; Smart Client or Browser flow: 1. Authenticate, 2. Get Claims, 3. Send claims / Get claims, 4. Send claims]

  10. End User SSO Experience Matt Steele Program Manager Microsoft DEMO

  11. AD FS 2.0 Components
  [Architecture diagram: Internet Client and Intranet Client; AD FS 2.0 Proxy (Metadata Proxy, Token Issuance Proxy); AD FS 2.0 (Metadata, Token Issuance); Management APIs and UX; Attribute Stores; Configuration Database]

  12. AD FS 2.0 Clients:
  • Web Browsers
  • WS-* Aware Clients (WCF, CardSpace 2.0 RC, etc.)
  [Same architecture diagram as slide 11]

  13. AD FS 2.0 Attribute Stores:
  • Active Directory (AD DS)
  • Active Directory Lightweight Directory Services (AD LDS)
  • SQL Database
  [Same architecture diagram as slide 11]

  14. AD FS 2.0 Configuration Database:
  • Windows Internal Database, or
  • SQL Server
  [Same architecture diagram as slide 11]

  15. AD FS 2.0:
  • Security Token Service for SOAP & Browser Clients
  • Policy and Service Management
  [Same architecture diagram as slide 11]

  16. AD FS 2.0 Proxy:
  • Perimeter Network Client Proxy for Token Requests
  • Supports Transport Layer Mutual Auth SSL
  • Exposes Separate WSDL
  [Same architecture diagram as slide 11]

  17. Agenda • Overview • Deploying AD FS 2.0 • AD FS 2.0 Interoperability • Claim Transformation Engine

  18. AD FS Deployment Goals
  • SSO for internal use: Provide Your Active Directory Users Access to Your Claims-Aware Applications and Services
  • SSO to outsourced services or the cloud: Provide Your Active Directory Users Access to the Applications and Services of Other Organizations
  • Providing outsourced services: Provide External Users in Another Organization Access to Your Claims-Aware Applications and Services

  19. Implementing Deployment Goals
  • Bing "AD FS 2.0 Deployment" for the AD FS 2.0 Design and Deployment Guides
  • Farm and Config DB Deployment Considerations
    • Need H/W fault tolerance?
    • How much capacity is required?
    • Is the full AD FS 2.0 feature set required?
  • Other Deployment Considerations
    • Will users need access from the internet through a perimeter network?
    • What applications must be supported?
    • Must an existing PKI be leveraged?
  • Detailed capacity planning guidance coming soon
    • For an 8 core 2.2 GHz machine most profiles are ~200 tokens per second

  20. Farm and Config DB Options
  • WID Single Machine
    • Lab Deployment
  • WID Farm
    • Multiple Front Ends
    • Hardware Fault Tolerant
    • No SAML Artifact support
    • Limited scale (5 machines / 100 RPs / 100 CPs)
  • SQL Farm
    • Multiple Front Ends
    • Hardware Fault Tolerant
    • Full Feature Set
    • No Scale limits

  21. Proxy Deployment
  • Required for SSL client authentication from a perimeter network
  • Must have the same DNS name as the internal AD FS 2.0 (requires split DNS)
  • Has a separate set of web pages for customization
  • Enabled WS-Trust endpoints are controlled from the intranet AD FS 2.0

  22. Account Side AD FS 2.0 Deployment
  [Diagram: Intranet AD FS 2.0 Farm behind a Load Balancer, Perimeter Network Proxy Farm behind a Load Balancer, Active Directory, Configuration SQL Cluster; all intranet servers domain joined]

  23. Service Side AD FS 2.0 Deployment
  [Diagram: Intranet AD FS 2.0 Farm behind a Load Balancer, Active Directory, Woodgrove User Data, Configuration SQL Cluster; all intranet servers domain joined]

  24. Intranet Client
  [Diagram: account-side Intranet AD FS 2.0 Farm (Active Directory, Perimeter Network Proxy Farm, Load Balancers, Configuration SQL Cluster) linked by a Trust to the service-side Intranet AD FS 2.0 Farm (Active Directory, Woodgrove User Data, Load Balancer, Configuration SQL Cluster) serving App 1 and App 2; Intranet Client]

  25. Internet Client
  [Diagram: same deployment as slide 24, with an Internet Client reaching the account side through the Perimeter Network Proxy Farm]

  26. Applications
  • Only Web based apps are currently supported
    • SOAP based services (e.g. built on WCF)
    • Browser based apps (e.g. built on ASP.NET)
  • Supported application platforms
    • WS-Federation
      • AD FS 1.x claims aware Web agent
      • Windows Identity Foundation (WIF)
      • SharePoint 2007 (with WIF providers)
      • SharePoint 2010
    • WS-Security
      • WCF apps
    • SAML 2.0

  27. Certificates
  • AD FS 2.0 certs (private key required)
    • Token Signing
    • Encryption
    • Service Communications & SSL
  • Certs maintained about other parties (no private key)
    • Identity Provider
      • Signature Verification - REQUIRED
      • Encryption
    • Relying Party
      • Signature Verification
      • Encryption

  28. Web Page Customization
  • Branding and user specific text drive the need for customization
  • Web page customizations also provide a developer extensibility point to insert custom logic
  • For SAML and WS-Federation user authentication, customers may want to
    • Default the auth type, or allow users to choose auth type
    • Customize pages on proxy differently
  • For home realm discovery, customers may want to change how home realm discovery is done

  29. Initial Configuration Matt Steele Program Manager Microsoft DEMO

  30. Agenda • Overview • Deploying AD FS 2.0 • AD FS 2.0 Interoperability • Claim Transformation Engine

  31. WS-Federation Interoperability
  • Interoperable with AD FS v1.x, shipping in
    • Windows Server 2003 R2
    • Windows Server 2008
    • Windows Server 2008 R2
  • WS-Federation interop partners:
    • IBM Tivoli Federated Identity Manager
    • CA eTrust SiteMinder 6 SP5
    • Oracle Identity Federation
    • Ping Identity PingFederate
    • Novell Access Manager 3.1
    • Shibboleth System 1.3
    • Sun OpenSSO Enterprise

  32. Interoperability with AD FS 1.x
  • Protocol interoperates
    • Cookies do not!
    • When migrating use a whole new deployment, switch using DNS
  • Web Agent Interoperability
    • Supported:
      • AD FS 1.x Claims Aware Web Agent
      • WIF based applications (Including SharePoint)
    • Using NT token web agent -> WIF C2WTS
    • Claims Aware MOSS 2007 -> WIF

  33. SAML 2.0 Protocol
  • SAML 2.0 interoperability tested and certified by the Liberty Alliance, tested with:
    • Entrust
    • IBM
    • Novell
    • Ping Identity
    • SAP
    • Siemens
  • AD FS 2.0 supports the following "SAML Operational Modes"
    • IdP Lite
    • SP Lite
    • eGov Profile 1.5

  34. Additional SAML 2.0 Protocol Options
  • Message Signing
    • What to send
    • What to expect
    • Signature Algorithm
    • Certificates
  • Name ID encryption
    • RPs and CPs
    • Requires encryption certificate
  • HTTP POST Requests
  • Authentication Context Order
  • Artifact Service

  35. Using SAML Artifact Service
  [Diagram: two AD FS 2.0 instances linked by a trust and an Application (WIF, WCF, ASP.Net); Smart Client or Browser flow: 1. Authenticate, 2. Get Claims, 3. Send Artifact, 4. Send Artifact / Get claims, 5. Get claims]

  36. SAML Protocol – Artifact Service
  • Helps with
    • Clients with low bandwidth
    • Clients with no JavaScript support
    • Logout sensitive scenarios
  • Artifacts are stored in database locally
  • Configure for a relying party by specifying "artifact" binding on the Assertion Consumer endpoint
  • Configure for an identity provider by specifying an Artifact Resolution endpoint

  37. WS-Trust Endpoints
  • Each endpoint has:
    • A client credential type
    • A security mode
    • Crypto algorithm suite
  • Use UI / PSh to control auth methods available to rich clients and to view/control server surface area

  38. Exploring SAML 2.0 Properties in PowerShell Matt Steele Program Manager Microsoft DEMO

  39. Agenda • Overview • Deploying AD FS 2.0 • AD FS 2.0 Interoperability • Claim Transformation Engine

  40. Claims
  • Identity providers need to know what claims to send
  • Relying parties need to know what claims to expect to receive
  • Agreement must largely take place out of band, though metadata allows us to simplify
  • In AD FS 2.0:
    • The expected claims are codified into acceptance rules
    • The claims to send are codified into issuance rules

  41. Claims Processing Pipeline Stages
  [Pipeline diagram: Input claims -> Acceptance Rules -> Authz -> Issuance Rules -> Output Claims]

  42. Rules Processing with a Transform Rule Set
  • Rules determine what goes into output claim set
    • Not all claims are output
  • Use rule chaining to construct complex claims
    • Output of Rule 1 can be used as the input to Rule 2
    • Temporary claims can be used for complex constructs
  • Rules can pull data from attribute stores
    • Complex mapping should be left to a SQL database

  43. Using the Rule Language
  • All rules are encoded into the rule language
  • No UI templates for:
    • Multiple conditions
    • SQL queries
    • Custom LDAP filters
    • Custom regular expressions
    • Using custom attribute stores
    • Using temporary claims
  • Rules are text that always take the following form:
    [Condition] => [Issuance Statement]

  44. Rule Language Samples
  Pass through any claim with a given claim type:
    c:[Type == "http://foo/windowsaccountname"] => issue(claim = c);
  Pass through any claim with a given claim type and claim value:
    c:[Type == "http://foo/windowsaccountname", Value == "Redmond\MattStee"] => issue(claim = c);
  Given one claim type/value, issue another:
    c:[Type == "http://foo/windowsaccountname", Value == "Redmond\MattStee"] => issue(Type = "http://foo/Role", Value = "Admin");
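As an added illustration (not part of the deck), a small Python evaluator for the rule subset on slides 41 to 44: it runs an acceptance rule set and then an issuance rule set, and shows chaining through a temporary claim that never reaches the output. The issue()/add() semantics follow the AD FS rule language; the claim type URIs and the sample rule sets are constructed placeholders in the slide's "http://foo/" style.

```python
import re
from dataclasses import dataclass

# Rule grammar subset from the slides:  c:[cond] => issue(...) | add(...);
RULE_RE = re.compile(
    r'c:\[(?P<cond>[^\]]*)\]\s*=>\s*(?P<verb>issue|add)\((?P<args>[^)]*)\);')
KV_RE = re.compile(r'(Type|Value)\s*==?\s*"([^"]*)"')

@dataclass(frozen=True)
class Claim:
    type: str
    value: str

def parse_rule(text):
    # Returns (condition dict, verb, output spec); None output = pass-through.
    m = RULE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unsupported rule: " + text)
    cond = dict(KV_RE.findall(m["cond"]))
    args = m["args"].strip()
    return cond, m["verb"], None if args == "claim = c" else dict(KV_RE.findall(args))

def run_rule_set(rules, input_claims):
    """Each rule sees the input set plus what earlier rules produced (chaining).
    issue() writes to working and output sets; add() only to working (temporary)."""
    working, output = list(input_claims), []
    for cond, verb, out in map(parse_rule, rules):
        for c in list(working):
            if cond.get("Type", c.type) != c.type or cond.get("Value", c.value) != c.value:
                continue
            new = c if out is None else Claim(out["Type"], out["Value"])
            if new not in working:
                working.append(new)
            if verb == "issue" and new not in output:
                output.append(new)
    return output

# Constructed sample rule sets; claim types are placeholders like the slide's.
ACCEPTANCE_RULES = ['c:[Type == "http://foo/windowsaccountname"] => issue(claim = c);']
ISSUANCE_RULES = [
    # rule 1 produces a temporary claim that rule 2 consumes; only the Role is output
    'c:[Type == "http://foo/windowsaccountname", Value == "Redmond\\MattStee"]'
    ' => add(Type = "http://foo/temp/isadmin", Value = "true");',
    'c:[Type == "http://foo/temp/isadmin", Value == "true"]'
    ' => issue(Type = "http://foo/Role", Value = "Admin");',
]

def pipeline(input_claims):
    # Acceptance stage (claims provider trust), then issuance stage (relying party trust).
    return run_rule_set(ISSUANCE_RULES, run_rule_set(ACCEPTANCE_RULES, input_claims))
```

Feeding the pipeline a windowsaccountname claim for Redmond\MattStee plus an unrelated email claim yields only the Role=Admin claim: the email is dropped by the acceptance rules and the temporary isadmin claim never leaves the issuance stage.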

  45. Attribute Stores
  • SQL
    • Select queries may be specified in rules (no UI)
    • Connection string stored in the clear
  • LDAP
    • Filters may be specified in rules (no UI)
    • Connection string stored in the clear

  46. Custom Attribute Stores
  • Allow custom code to be plugged in for retrieving attributes
  • Process
    • .NET assembly is created by developer
    • Developer gives admin assembly, class reference, and connection string format
    • IT Pro copies assembly to each machine and places in the GAC
    • IT Pro adds custom attribute store using UI/PowerShell and inputting the class reference provided
    • IT Pro authors rules by passing claims to the attribute store in the expected connection string format

  47. Using Claim Rules Matt Steele Program Manager Microsoft DEMO

  48. Thank You! • To learn more, the best place to start is our team blog at Http://blogs.msdn.com/card

  49. Related Content
  • COS206 | Microsoft Online Services: Identity and access solutions
  • SIA321 | Business Ready Security: Exploring the Identity and Access Management Solution
  • SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
  • SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0
  • SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure
  • SIA304 | Identity and Access Management: Windows Identity Foundation Overview
  • SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove
  • SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin
  • SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT
  • SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM
  • SIA319 | Microsoft Forefront Identity Manager 2010: In Production
  • SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
  • SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
  • SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0
  • SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager
  • SIA06-INT | Identity and Access Management Solution Demos
  • SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview
  • SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory
  • Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution

  50. Resources
  • Learning
    • Sessions On-Demand & Community: www.microsoft.com/teched
    • Microsoft Certification & Training Resources: www.microsoft.com/learning
  • Resources for IT Professionals: http://microsoft.com/technet
  • Resources for Developers: http://microsoft.com/msdn