AD FS 2 & Claims-Based IdentityLaura E. Hunter

Identity Lady, AD FS Zealot

laura.hunter@lhaconsulting.com

http://www.shutuplaura.com

@adfskitteh

THE PROBLEM?

WE LACK A CONSISTENT IDENTITY LAYER FOR APPLICATIONS

THE RESULT?

HARD-CODED DEPENDENCIES, “CONTINUOUS WHEEL RE-INVENTION”RESISTANCE TO CHANGE

LDAP://dc1.bigfirm.com/ou=FTEs,dc=bigfirm,dc=com

filter = ((&(objectClass=user)(|(sn=*smith*)(displayName=*smith*)(givenName=*smith*)(cn=*smith*))))

How many different ways can you authenticate to an app?

MANAGING APPLICATION IDENTITY – FIRST PRINCIPLES1. Identify the Caller

2. Extract Information for AuthZ & Personalization

Windows Integrated Authentication

Does Active Directory work everywhere?

What’s the Solution?

So What’s a Claim?

“I am a member of the Marketing group”

“My email address is …”

“I am over 21 years of age”

Populated using information from• AD/ADAM/ADLDS• SQL

Expressed using the SAML format

Abridged SAML Token(Don’t Squint, Just Get the Big Idea!)

<saml:Assertion AssertionID="..." IssueInstant="2006-07-11T03:15:40Z" Issuer=“https://adatum-dc1.adatum.com“>

<saml:Conditions NotBefore="2006-07-11T03:15:40Z" NotOnOrAfter="2006-07-11T04:15:40Z">

<saml:Audience> https://contoso-dc1.contoso.com </saml:Audience>

<saml:AuthenticationStatement AuthenticationInstant="2006-07-11T03:15:40Z" AuthenticationMethod="urn:federation:authentication:windows">

<saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">adamcar@adatum.com</saml:NameIdentifier>

<saml:Attribute AttributeName="Group”

<saml:AttributeValue> Administrators </saml:AttributeValue>

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> ab315cdff14d</Signature>

</saml:Assertion>

AD FS is all about the apps!

What is this…“claims-aware” application of which you speak?

• Standards-based:• WS-Federation• WS-Trust• SAML 2.0

• Use cases:• WebSSO• Web Services (WCF)

WHAT CAN I DO WITH THIS?

Application Access in a Single Org

Active Directory

SQL

AD LDS

AD FS 2.0Server

Web Servers

App Servers

DB Servers

`

Internal Client

Federation ServerFederation Server

Web Server

Active Directory

A. DatumAccount Forest

Trey ResearchResource Forest

Federation TrustFederation Trust

Account Partner(ADATUM)

Resource Partner(CONTOSO)

Federated Application Access

SSO to Service Providers

Cloudy with a Chance of Federation

SO WHAT DOES IT LOOK LIKE?

WS-Fed Passive Profile

`

Internal Client

Federation ServerFederation Server

Web Server

Active Directory

A. DatumAccount Forest

Trey ResearchResource Forest

Federation TrustFederation Trust

Account Partner(Users)

Resource Partner(Resource)

Something lost, something gained…

• What about passwords?

• What about deprovisioning?

Liberty Alliance Results…

ADFS 2 SAML 2.0 Interop Testing with Entrust, IBM, Novell, Ping, SAP, Siemens• IdP Lite• SP Lite• EGov 1.5

Matrix testing results: http://www.projectliberty.org/liberty/liberty_interoperable/implementations/saml_2_0_test_procedure_v3_2_2_full_matrix_implementation_table_q309/

If you remember nothing else but this…

I want the integrity of your users’ identity information when they access my resources…

…to be at least as good…

as the integrity of your users’ identity information when they access your resources.

AD FS 2.0 Availability, Pricing

• AD FS components are Windows components• No additional server software costs• …but it’s all about the apps!

• AD FSv2 (was “Geneva”)• Release Candidate Available Now• RTM…“Soon”

• Windows Identity Foundation• .NET Developer Platform• Free Download• Available now!

• What’s New?• Windows Server 2008 coverage:

• Read Only Domain Controllers (RODCs)• Fine Grained Password Policies (FGPPs)

• Exchange 2007 integration & scripting• Identity Lifecycle Manager 2007• Windows PowerShell & Active

Directory .NET programming• New user interface features • Always more than one way!

AD Cookbook, 3rd Edition

Learn More! http://oreilly.com/catalog/9780596521103/

Best selling Active Directory title

Thank You!mailto: laura.hunter@lhaconsulting.com

blog: http://www.shutuplaura.com

twitter: @adfskitteh