
WIN322 Implementing Web SSO and Federated Identity with Active Directory Federation Services in Windows Server 2003 R2

WIN322 Implementing Web SSO and Federated Identity with Active Directory Federation Services in Windows Server 2003 R2. Feifei Qian, Technical Solution Professional, Microsoft China, ffqian@microsoft.com. Target audience: technical decision makers and IT professionals who need to implement Web Single Sign-On (SSO) and Identity Federation and want to learn about Microsoft's solution.


Presentation Transcript


  1. WIN322 Implementing Web SSO and Federated Identity with Active Directory Federation Services in Windows Server 2003 R2. Feifei Qian, Technical Solution Professional, Microsoft China, ffqian@microsoft.com

  2. Target audience • Technical decision makers and IT professionals who need to implement Web Single Sign-On (SSO) and Identity Federation and want to learn about Microsoft's solution • This session explains what ADFS is and which problems it solves: • What is ADFS? • How can ADFS help me?

  3. What you should take away • How to use Microsoft's identity management and access control platform to solve your enterprise's Web single sign-on and identity federation problems • How to extend your Windows user identities beyond your enterprise/organization network • Enough information to start designing and developing solutions on this platform

  4. Agenda • Overview of the problems enterprises face • How Identity Federation helps solve them • ADFS scenarios • How ADFS works • Demo: federated identity and Web SSO for Windows SharePoint Services (WSS) through ADFS • Q&A

  5. Extending authentication and access control: Vision • Log on once, access securely • Two basic, inseparable principles • Leverage identity and services as broadly as possible • Extend to “unreachables” via integration solutions like MIIS

  6. Windows integrated authentication (diagram): logging on to Windows gives access to Exchange, Active Directory, Windows Integrated Applications, file shares and Web applications • Flexible authentication methods: Kerberos; X.509 v3/Smartcard/PKI; VPN/802.1x/RADIUS; LDAP; Passport/Digest/Basic (Web); SSPI/SPNEGO • Single sign-on (SSO) to: Windows File/Print servers; Microsoft applications; 390/AS400 (Host Integration Server); ERP (BizTalk, SharePoint ESSO); Third-Party Integrated Apps; Web Applications via IIS; Unix/J2EE (Services for Unix, Vintela)

  7. Enterprises/organizations want to extend access (diagram): from your company and employees out to your suppliers, your customers, your remote and virtual users and your partners • Drivers: customer satisfaction & customer intimacy; cost competitiveness; reach, personalization; collaboration; outsourcing; faster business cycles; process automation; value chain; M&A; mobile/global workforce; flexible/temp workforce

  8. Challenges when extending access • IT/Helpdesk efficiency: account provisioning requests, password reset requests, account proliferation, service levels • IT/Developer architecture: redundancy, centralized policy management, inflexibility, integration and heterogeneity, scalability • End-user productivity: forgotten passwords, logon frequency, provisioning latency, mobile access • Security: orphaned or inaccurate accounts, compromised passwords, hackers, firewall, least access • Regulatory compliance: privacy protection, SOX, HIPAA, etc., auditing and reporting

  9. Current approaches to solving the problem

  10. The identity management (IdM) vision: extending access control through Web services • Past: application silos, an ID for each system, internally focused, limited business value, custom integration • Present: identity integration, internal & external, high cost to value (identity integration products and services) • Future: connected systems, identity federation, built to extend, low cost to value (platform capabilities, Web services interop) • The transition

  11. Active Directory Federation Services extends AD beyond the forest • Lets customers/partners/suppliers/employees securely access Web applications located outside their own domain/forest • Improves the efficiency of IT staff, developers and end users • Improves security and regulatory compliance • The first step toward AD providing services for an SOA architecture

  12. Agenda • Overview of the problems enterprises face • How Identity Federation helps solve them • ADFS scenarios • How ADFS works • Demo: federated identity and Web SSO for Windows SharePoint Services (WSS) through ADFS • Q&A

  13. ADFS scenarios • Web single sign-on (SSO) • Business to employee (B2E) • Business to consumer (B2C) • Identity Federation • Business to business (B2B) • Business unit to business unit (B2B)

  14. Scenario: Web SSO (customers, business partners, employees) • On the resource side, identity data is stored and managed in AD/ADAM • Multiple authentication methods: forms, Basic, client-side certs • Multiple authorization options: AzMan, ASP.NET Roles, NT Impersonation & ACLs, raw claims • SSO across a Web server farm

  15. Scenario: Identity Federation (business partners) • Credentials, authentication managed in “home realm” by partner organization, in AD or other solution • Multiple authentication methods: forms, Basic, client-side certs • Multiple authorization options: AzMan, ASP.NET Roles, NT Impersonation & ACLs, raw claims • SSO across security boundaries

  16. ADFS Identity Federation projects AD identities to other security realms (diagram): Organization A and Organization B, each with its own private namespace and its own Federation Server • The federation servers manage: • Trust: keys • Security: claims required • Privacy: claims allowed • Audit: identities, authorities

  17. WS-Federation: cross-organization, multi-vendor interoperability • Web Services Federation Language • Defines messages to enable security realms to federate and exchange security tokens • Built upon WS-Security, WS-Trust • Wide industry support • Authors: BEA, IBM, Microsoft, RSA, VeriSign • 3/04 Workshop: IBM, OpenNetwork, Oblix, Netegrity, RSA, PingID • Two “profiles” of the model defined • Passive (Web browser) clients: HTTP/S messages, handled by an HTTP receiver in front of the Security Token Service (ADFS v1) • Active (smart/rich) clients: SOAP messages, handled by a SOAP receiver in front of the Security Token Service (ADFS v2)

  18. Agenda • Overview of the problems enterprises face • How Identity Federation helps solve them • ADFS scenarios • How ADFS works • Demo: federated identity and Web SSO for Windows SharePoint Services (WSS) through ADFS • Q&A

  19. ADFS components

  20. ADFS components: Active Directory or ADAM (Windows 2000/2003) • Authenticates users • Manages attributes

  21. ADFS components: Federation Server (FS) • Security token service (STS) • Issues security tokens • Manages federation trust policy • Populates claims: statements an authority makes about security principals

  22. ADFS components: Federation Server Proxy (FSP) • Client proxy for token requests • Provides UI for browser clients

  23. ADFS components: Web Server (WS) SSO Agent • Sits in front of the application • Enforces user authentication • Creates the user authorization context: NT Impersonation and ACLs; ASP.NET IsInRole(); AzMan RBAC integration; ASP.NET Raw Claims API

  24. Federated B2B flow (diagram): a federation trust between the account partner's and the resource partner's federation servers
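The component slides above (20 to 24) and the trust-policy items on slide 16 describe the flow in words only. The following is an added worked model written for this transcript, not ADFS code or code from the presentation: an account-partner federation server populates claims from directory attributes and issues a signed token, filtering it by the partner's allowed claims (privacy); the resource-partner federation server verifies the signature under the key exchanged at trust setup (trust), checks audience, validity window and required claims (security), records an audit entry, and maps partner group claims to local roles; the Web agent side then makes an IsInRole()-style authorization check. The realms, signing key, users, groups and role names are constructed, and an HMAC over canonical JSON stands in for the X.509-signed SAML token real ADFS issues, so the exchange runs without a PKI.

```python
import hashlib
import hmac
import json
import time

# Everything below (realms, key, users, groups, role names) is constructed for this example.
# Real ADFS issues SAML 1.1 tokens signed with an X.509 token-signing certificate; an HMAC
# over canonical JSON stands in here so the exchange runs without a PKI.
ACCOUNT_REALM = "urn:federation:orgA"     # account partner: the user's home realm
RESOURCE_REALM = "urn:federation:orgB"    # resource partner: hosts the Web application
ACCOUNT_SIGNING_KEY = b"orgA-token-signing-key-constructed"

# Stand-in for the account partner's Active Directory: it has already authenticated the
# user (Windows integrated logon is assumed) and holds the attributes claims are built from.
DIRECTORY = {
    "alice@orga.example": {"groups": ["Purchasing", "Domain Users"], "ssn": "000-00-0000"},
    "bob@orga.example": {"groups": ["Domain Users"], "ssn": "111-11-1111"},
}


def _sign(key: bytes, body: dict) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class AccountFederationServer:
    """Account-partner FS/STS: populates claims from directory attributes and issues tokens."""

    def __init__(self, realm, signing_key, directory):
        self.realm, self.key, self.directory = realm, signing_key, directory
        self.claims_allowed = {}   # resource realm -> claim types allowed to leave (privacy)
        self.audit = []

    def add_partner(self, resource_realm, claims_allowed):
        self.claims_allowed[resource_realm] = set(claims_allowed)

    def issue_token(self, upn, resource_realm, now=None, lifetime=600):
        now = int(time.time()) if now is None else now
        attrs = self.directory[upn]
        claims = {"upn": upn, "group": list(attrs["groups"]), "ssn": attrs["ssn"]}
        # Privacy: only claim types the trust policy allows for this partner go in the token.
        claims = {k: v for k, v in claims.items() if k in self.claims_allowed[resource_realm]}
        body = {"issuer": self.realm, "audience": resource_realm,
                "issued": now, "expires": now + lifetime, "claims": claims}
        self.audit.append(("issued", upn, resource_realm, sorted(claims)))
        return {"body": body, "sig": _sign(self.key, body)}


class ResourceFederationServer:
    """Resource-partner FS: verifies partner tokens and maps incoming claims to local roles."""

    def __init__(self, realm):
        self.realm, self.trusts, self.audit = realm, {}, []

    def add_trust(self, account_realm, partner_key, claims_required, group_to_role):
        self.trusts[account_realm] = {"key": partner_key, "required": set(claims_required),
                                      "map": dict(group_to_role)}

    def accept_token(self, token, now=None):
        now = int(time.time()) if now is None else now
        body = token["body"]
        trust = self.trusts.get(body.get("issuer"))
        if trust is None:
            raise PermissionError("token issuer is not a trusted account partner")
        # Trust (keys): the signature must verify under the key exchanged at trust setup.
        if not hmac.compare_digest(_sign(trust["key"], body), token["sig"]):
            raise PermissionError("token signature does not verify")
        if body["audience"] != self.realm or not body["issued"] <= now < body["expires"]:
            raise PermissionError("token is for another realm or outside its validity window")
        # Security (claims required): every claim type the policy demands must be present.
        missing = trust["required"] - set(body["claims"])
        if missing:
            raise PermissionError(f"token lacks required claims {sorted(missing)}")
        # Claim mapping: partner group claims become roles the local application understands.
        roles = sorted({trust["map"][g] for g in body["claims"].get("group", []) if g in trust["map"]})
        ctx = {"upn": body["claims"]["upn"], "roles": roles, "issuer": body["issuer"]}
        self.audit.append(("accepted", ctx["upn"], body["issuer"], roles))
        return ctx


def is_in_role(ctx, role):
    """Web agent side: the authorization-context check an application makes via IsInRole()."""
    return role in ctx["roles"]


def build_federation():
    account_fs = AccountFederationServer(ACCOUNT_REALM, ACCOUNT_SIGNING_KEY, DIRECTORY)
    account_fs.add_partner(RESOURCE_REALM, claims_allowed=["upn", "group"])   # "ssn" never leaves orgA
    resource_fs = ResourceFederationServer(RESOURCE_REALM)
    resource_fs.add_trust(ACCOUNT_REALM, ACCOUNT_SIGNING_KEY,
                          claims_required=["upn"], group_to_role={"Purchasing": "Buyer"})
    return account_fs, resource_fs


def run_flow(upn, required_role="Buyer"):
    """Full round trip: home realm issues, resource realm verifies, application authorizes."""
    account_fs, resource_fs = build_federation()
    token = account_fs.issue_token(upn, RESOURCE_REALM)
    ctx = resource_fs.accept_token(token)
    return {"ssn_in_token": "ssn" in token["body"]["claims"],
            "roles": ctx["roles"], "authorized": is_in_role(ctx, required_role)}


def modified_token_rejected():
    """A token whose claims are altered after issuance must fail signature verification."""
    account_fs, resource_fs = build_federation()
    token = account_fs.issue_token("bob@orga.example", RESOURCE_REALM)
    token["body"]["claims"]["group"].append("Purchasing")
    try:
        resource_fs.accept_token(token)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(run_flow("alice@orga.example"))   # alice's Purchasing group maps to Buyer: authorized
    print(run_flow("bob@orga.example"))     # bob has no mapped role: not authorized
    print(modified_token_rejected())        # True
```

The point of the split is the one the slides make: the resource partner never sees the account partner's password or directory, only a signed statement of claims, and each of the four policy items on slide 16 (keys, required claims, allowed claims, audit) shows up as one concrete check or filter in the code.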

  25. Federated identity and Web SSO for Windows SharePoint Services (WSS) through ADFS

  26. ADFS value: improving enterprise/organizational efficiency • IT/Helpdesk: “Native delegation”: one identity used for all web access; no extranet directory management; centralized policy management; integration with AD, ADAM, AzMan and IIS; one password = less load on the IT Helpdesk; cross-platform interoperability based on industry standards • Developers: user authentication is separated from application development; AzMan and ASP.NET Roles integration reduces the complexity and workload of authorization management; legacy application authorization (NT token) is supported by default • End users: remember one username and password to log on to Windows and get single sign-on (SSO) to other internal and external resources and applications; no provisioning latency

  27. ADFS value: stronger security and regulatory compliance • Regulatory: fine-grained access control for data sharing across security boundaries, sharing only what the access requires; logging of all access requests (including outbound) addresses non-repudiation issues; federated access control standardized through WS-Federation • Security: federation automates de-provisioning of extranet access, avoiding orphaned accounts; certificate-based; communication concentrated on HTTPS (443), so no additional firewall configuration is needed; communication between all ADFS components over SSL/TLS

  28. Get started now: • Try ADFS • ADFS hands-on lab! • ADFS in R2 Beta 2 • Encourage claims-aware application development today; get federation “for free” when R2 ships • Authorization Manager • ASP.NET IsInRole

  29. More resources • Visit Microsoft.com: Identity Management - http://www.microsoft.com/IDM; AD - http://www.microsoft.com/AD; Windows Server System - http://www.microsoft.com/windowsserversystem • View Microsoft’s .NET Show on ADFS: http://msdn.microsoft.com/theshow/episode047/default.asp • Get familiar with the Web Services security and identity model: http://msdn.microsoft.com/webservices/ • Attend WS-* workshops: http://msdn.microsoft.com/webservices/community/workshops/default.aspx • Get started with WS-* using Web Services Enhancements: http://msdn.microsoft.com/webservices/building/security/ • Technical white papers (http://www.microsoft.com/idm): “Federation of Identities in a Web Services World”, “Federated Identity Management Interoperability” • Video: http://msdn.microsoft.com/theshow/episode047/default.asp
