AD FS 2 & Claims-Based Identity
Laura E. Hunter
Identity Lady, AD FS Zealot
http://www.shutuplaura.com
@adfskitteh
THE PROBLEM?
WE LACK A CONSISTENT IDENTITY LAYER FOR APPLICATIONS
THE RESULT?
HARD-CODED DEPENDENCIES, “CONTINUOUS WHEEL RE-INVENTION”, RESISTANCE TO CHANGE
LDAP://dc1.bigfirm.com/ou=FTEs,dc=bigfirm,dc=com
filter = (&(objectClass=user)(|(sn=*smith*)(displayName=*smith*)(givenName=*smith*)(cn=*smith*)))
How many different ways can you authenticate to an app?
MANAGING APPLICATION IDENTITY – FIRST PRINCIPLES
1. Identify the Caller
2. Extract Information for AuthZ & Personalization
Windows Integrated Authentication
Does Active Directory work everywhere?
What’s the Solution?
So What’s a Claim?
“I am a member of the Marketing group”
“My email address is …”
“I am over 21 years of age”
Populated using information from:
• AD/ADAM/AD LDS
• SQL
Expressed using the SAML format
Abridged SAML Token (Don’t Squint, Just Get the Big Idea!)
<saml:Assertion AssertionID="..." IssueInstant="2006-07-11T03:15:40Z" Issuer="https://adatum-dc1.adatum.com">
<saml:Conditions NotBefore="2006-07-11T03:15:40Z" NotOnOrAfter="2006-07-11T04:15:40Z">
<saml:Audience> https://contoso-dc1.contoso.com </saml:Audience>
<saml:AuthenticationStatement AuthenticationInstant="2006-07-11T03:15:40Z" AuthenticationMethod="urn:federation:authentication:windows">
<saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">[email protected]</saml:NameIdentifier>
<saml:Attribute AttributeName="Group">
<saml:AttributeValue> Administrators </saml:AttributeValue>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> ab315cdff14d</Signature>
</saml:Assertion>
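What a claims-aware relying party has to do with an assertion like the one above before it believes a single claim in it, as an added example (this is not code from the talk, nor AD FS or WIF code). It checks the issuer against the federation trust, refuses an unsigned assertion, enforces the Conditions window and the Audience, and only then lifts the NameIdentifier and Attribute statements into (claim type, value) pairs that the app queries instead of going back to the directory. The sample token is constructed to mirror the abridged one on the slide: the AssertionID, the UPN value and the signature bytes are placeholders. Cryptographic XML-DSig verification against the issuer's signing certificate is required in practice (WIF does it; in Python a library such as xmlsec or signxml) and is named but not implemented here.

```python
# Added example (not from the talk or from AD FS/WIF). The token below is
# constructed to mirror the slide's abridged one; AssertionID, the UPN value
# and the signature bytes are placeholders.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1, "ds": "http://www.w3.org/2000/09/xmldsig#"}
CLAIMS_NS = "http://schemas.xmlsoap.org/claims"
UPN_CLAIM, GROUP_CLAIM = CLAIMS_NS + "/UPN", CLAIMS_NS + "/Group"
TRUSTED_ISSUERS = {"https://adatum-dc1.adatum.com"}    # the account partner's STS (from the slide)
EXPECTED_AUDIENCE = "https://contoso-dc1.contoso.com"  # this relying party's own identifier

SAMPLE_TOKEN = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" AssertionID="_0123456789abcdef"
    Issuer="https://adatum-dc1.adatum.com" IssueInstant="2006-07-11T03:15:40Z">
  <saml:Conditions NotBefore="2006-07-11T03:15:40Z" NotOnOrAfter="2006-07-11T04:15:40Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://contoso-dc1.contoso.com</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2006-07-11T03:15:40Z"
      AuthenticationMethod="urn:federation:authentication:windows">
    <saml:Subject><saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">laura@adatum.com</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">laura@adatum.com</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>Administrators</saml:AttributeValue>
      <saml:AttributeValue>Marketing</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <ds:Signature><ds:SignatureValue>ab315cdff14d</ds:SignatureValue></ds:Signature>
</saml:Assertion>"""


class TokenRejected(Exception):
    """Any failed check rejects the whole token; there is no partial trust."""


def parse_instant(value):
    """SAML instants are UTC, e.g. 2006-07-11T03:15:40Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assertion_to_claims(xml_text, now, expected_audience=EXPECTED_AUDIENCE,
                        trusted_issuers=TRUSTED_ISSUERS, clock_skew=timedelta(minutes=5)):
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML1:
        raise TokenRejected("not a SAML 1.x assertion")
    # 1. Issuer: only a partner we hold a federation trust with may speak for users.
    issuer = root.get("Issuer")
    if issuer not in trusted_issuers:
        raise TokenRejected("untrusted issuer %r" % issuer)
    # 2. Signature. Real verification is XML-DSig against the issuer's signing
    #    certificate (xmlsec/signxml in Python); not implemented here. An unsigned
    #    assertion is refused so the missing step cannot be skipped silently.
    if root.find("ds:Signature", NS) is None:
        raise TokenRejected("unsigned assertion")
    # 3. Validity window. NotOnOrAfter is exclusive; tolerate a little STS/RP
    #    clock skew, nothing more.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise TokenRejected("assertion carries no Conditions")
    not_before = parse_instant(cond.get("NotBefore"))
    not_on_or_after = parse_instant(cond.get("NotOnOrAfter"))
    if now < not_before - clock_skew or now >= not_on_or_after + clock_skew:
        raise TokenRejected("assertion not valid at %s" % now.isoformat())
    # 4. Audience: a token minted for another RP by the same trusted, correctly
    #    signing issuer must still be useless here.
    audiences = {a.text.strip() for a in
                 cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)}
    if expected_audience not in audiences:
        raise TokenRejected("audience %s not in %s" % (expected_audience, sorted(audiences)))
    # 5. Only now lift the statements into claims: ordered, de-duplicated (type, value) pairs.
    claims = []

    def add(claim_type, value):
        pair = (claim_type, value.strip())
        if pair not in claims:
            claims.append(pair)

    for nid in root.findall(".//saml:Subject/saml:NameIdentifier", NS):
        add(nid.get("Format"), nid.text)
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        claim_type = attr.get("AttributeNamespace", "") + "/" + attr.get("AttributeName")
        for val in attr.findall("saml:AttributeValue", NS):
            add(claim_type, val.text)
    return claims


def is_member(claims, group):
    """'I am a member of the Marketing group' as an authorization decision:
    the app asks the claims it was handed, not the directory."""
    return (GROUP_CLAIM, group) in claims


if __name__ == "__main__":
    now = parse_instant("2006-07-11T03:30:00Z")
    claims = assertion_to_claims(SAMPLE_TOKEN, now)
    print(claims, "Marketing member:", is_member(claims, "Marketing"))
    try:  # same issuer, same signature, wrong audience: must fail
        assertion_to_claims(SAMPLE_TOKEN, now, expected_audience="https://other.example/")
    except TokenRejected as err:
        print("rejected:", err)
```

The order of the checks is deliberate: issuer and signature first, so nothing inside the XML is trusted before its origin is; then the window and the audience, which are what stop a legitimate token for a different application (or an old captured one) from being replayed at this one.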
AD FS is all about the apps!
What is this…“claims-aware” application of which you speak?
• Standards-based:
  • WS-Federation
  • WS-Trust
  • SAML 2.0
• Use cases:
  • WebSSO
  • Web Services (WCF)
WHAT CAN I DO WITH THIS?
Application Access in a Single Org
(Diagram labels: Active Directory, SQL, AD LDS; AD FS 2.0 Server; Web Servers, App Servers, DB Servers)
(Diagram labels: Internal Client; Federation Server, Federation Server; Web Server; Active Directory; A. Datum Account Forest; Trey Research Resource Forest; Federation Trust; Account Partner (ADATUM); Resource Partner (CONTOSO))
Federated Application Access
SSO to Service Providers
Cloudy with a Chance of Federation
SO WHAT DOES IT LOOK LIKE?
WS-Fed Passive Profile
(Diagram labels: Internal Client; Federation Server, Federation Server; Web Server; Active Directory; A. Datum Account Forest; Trey Research Resource Forest; Federation Trust; Account Partner (Users); Resource Partner (Resource))
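The two legs of the WS-Fed passive profile as the relying party's web server sees them, as an added example (not code from the talk, nor WIF code). The A. Datum STS host, the contoso application's realm and reply URLs, and the wresult body are all assumed or constructed. It shows what wctx is for (binding the token that comes back to the sign-in that was started, single use), why the token must arrive by POST, why the post-login return path must stay local, and how the assertion is unwrapped from the RequestSecurityTokenResponse envelope. Validating the assertion itself (issuer, signature, audience, lifetime) is a separate step that this block hands off and does not repeat.

```python
# Added example (not from the talk or from WIF). Hostnames, paths and the
# wresult body are assumed/constructed.
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs
import xml.etree.ElementTree as ET

STS_PASSIVE_ENDPOINT = "https://adatum-dc1.adatum.com/adfs/ls/"  # assumed host; /adfs/ls/ is the AD FS 2.0 passive endpoint
RP_REALM = "https://app.contoso.com/"                            # wtrealm: the identifier the STS knows this RP by
RP_REPLY = "https://app.contoso.com/federation/signin"           # wreply: where the STS's form POSTs the token back

# Constructed, minimal RSTR as it arrives in the wresult form field.
SAMPLE_WRESULT = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:RequestedSecurityToken>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_0123456789abcdef"
        Issuer="https://adatum-dc1.adatum.com" IssueInstant="2006-07-11T03:15:40Z">
      <saml:Conditions NotBefore="2006-07-11T03:15:40Z" NotOnOrAfter="2006-07-11T04:15:40Z">
        <saml:AudienceRestrictionCondition><saml:Audience>https://app.contoso.com/</saml:Audience></saml:AudienceRestrictionCondition>
      </saml:Conditions>
    </saml:Assertion>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""


class PassiveRelyingParty:
    """Tracks sign-ins in flight. wctx is the only state the STS echoes back
    unchanged (it never interprets it), so it is what ties a POSTed token to
    the browser that started the sign-in."""

    def __init__(self):
        self._pending = {}  # wctx nonce -> local path to continue to after sign-in

    def signin_redirect(self, return_to="/"):
        """Leg 1: the Location header of the 302 that sends the browser to the STS.
        return_to must be a local path; an absolute (or protocol-relative) URL
        here would turn the RP into an open redirector after login."""
        parts = urlsplit(return_to)
        if parts.scheme or parts.netloc or not return_to.startswith("/"):
            raise ValueError("return_to must be a local absolute path")
        wctx = secrets.token_urlsafe(24)  # unguessable and single use
        self._pending[wctx] = return_to
        params = {"wa": "wsignin1.0", "wtrealm": RP_REALM, "wreply": RP_REPLY, "wctx": wctx}
        return STS_PASSIVE_ENDPOINT + "?" + urlencode(params)

    def consume_signin_response(self, method, form):
        """Leg 2: the STS renders an auto-submitting form that the browser POSTs
        to RP_REPLY with wa, wresult and wctx. Returns (assertion element,
        return_to); the assertion still has to be validated by the caller."""
        if method != "POST":
            raise ValueError("token must arrive by POST, never in a query string")
        if form.get("wa") != "wsignin1.0":
            raise ValueError("unexpected wa=%r" % form.get("wa"))
        return_to = self._pending.pop(form.get("wctx"), None)  # pop: a second delivery fails
        if return_to is None:
            raise ValueError("wctx unknown, expired or already used")
        return extract_assertion(form.get("wresult", "")), return_to


def extract_assertion(wresult):
    """Unwrap the envelope: the token is the single child of RequestedSecurityToken.
    Elements are matched by local name so the code does not care which WS-Trust
    namespace the responder put on the envelope."""
    root = ET.fromstring(wresult)
    for elem in root.iter():
        if elem.tag.endswith("}RequestedSecurityToken"):
            children = list(elem)
            if len(children) != 1 or not children[0].tag.endswith("}Assertion"):
                raise ValueError("RequestedSecurityToken does not hold exactly one Assertion")
            return children[0]
    raise ValueError("no RequestedSecurityToken in wresult")


def parse_signin_request(url):
    """What the STS receives on leg 1, flattened for inspection."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    rp = PassiveRelyingParty()
    url = rp.signin_redirect("/reports")
    print("302 ->", url)
    wctx = parse_signin_request(url)["wctx"]
    assertion, back_to = rp.consume_signin_response(
        "POST", {"wa": "wsignin1.0", "wctx": wctx, "wresult": SAMPLE_WRESULT})
    print("issuer:", assertion.get("Issuer"), "-> continue at", back_to)
```

The STS, for its part, only honours a wreply that matches the endpoints configured for that wtrealm in the relying party trust; the RP's side of the bargain is the wctx binding and the local-path rule above, plus the full token validation before any claim is used.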
Something lost, something gained…
• What about passwords?
• What about deprovisioning?
Liberty Alliance Results…
ADFS 2 SAML 2.0 Interop Testing with Entrust, IBM, Novell, Ping, SAP, Siemens:
• IdP Lite
• SP Lite
• EGov 1.5
Matrix testing results: http://www.projectliberty.org/liberty/liberty_interoperable/implementations/saml_2_0_test_procedure_v3_2_2_full_matrix_implementation_table_q309/
If you remember nothing else but this…
I want the integrity of your users’ identity information when they access my resources…
…to be at least as good…
as the integrity of your users’ identity information when they access your resources.
AD FS 2.0 Availability, Pricing
• AD FS components are Windows components
• No additional server software costs
• …but it’s all about the apps!
• AD FSv2 (was “Geneva”)
  • Release Candidate Available Now
  • RTM… “Soon”
• Windows Identity Foundation
  • .NET Developer Platform
  • Free Download
  • Available now!
AD Cookbook, 3rd Edition
Best selling Active Directory title
• What’s New?
• Windows Server 2008 coverage:
  • Read Only Domain Controllers (RODCs)
  • Fine Grained Password Policies (FGPPs)
• Exchange 2007 integration & scripting
• Identity Lifecycle Manager 2007
• Windows PowerShell & Active Directory .NET programming
• New user interface features
• Always more than one way!
Learn More! http://oreilly.com/catalog/9780596521103/