Active Directory Federation Services 2.0 Overview

InCommon Service Provider Training

What is it?
  • A SAML implementation (both IdP and SP) from Microsoft
  • A WS-Fed implementation (Passive Requester)
  • An AD-based single sign-on system
  • A server role in Windows Server 2008
Some Terminology…
  • Security token – This refers to the assertion from the IdP.
  • Claim – a “claim” is just an attribute from the IdP’s assertion.
  • Claims Provider – This is just the ADFS term for an IdP.
  • Relying Party – This is just the ADFS term for an SP (a consumer of claims).
  • Claim Rules – these are instructions that tell ADFS how to deal with a “claim” or attribute. You can check attributes for compliance with certain policies (like scoped attributes) and you can transform attributes (from Shibb format to ADFS format, for example).
  • More:
    • http://technet.microsoft.com/en-us/library/adfs2-help-terminology(WS.10).aspx
What can it do?
  • Act as an IdP (Claims Provider)
  • Act as an SP (Relying Party)
  • Seamlessly integrate with a growing list of apps:
    • Sharepoint 2010:
      • http://blogs.msdn.com/b/spidentity/archive/2010/01/23/claims-based-authentication-cheat-sheet-part-2.aspx
    • Microsoft Unified Access Gateway (proxy):
      • http://technet.microsoft.com/en-us/library/gg470578.aspx
    • Citrix:
      • http://support.citrix.com/servlet/KbServlet/download/9932-102-15146/WI%20for%20ADFS%20FAQ.pdf
  • Interoperate with other SAML 2.0 solutions (like Shibboleth)
What are the limitations?
  • Metadata support
  • Certificate support
  • WAYF/DS support
  • Forced Authentication support
  • Other?
Resources
  • ADFS Home:
    • http://technet.microsoft.com/en-us/windowsserver/dd448613.aspx
  • Using ADFS with Shibboleth and InCommon:
    • http://go.microsoft.com/fwlink/?LinkId=204784
  • More How-To Guides:
    • http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(WS.10).aspx
  • Claims Rule syntax:
    • http://technet.microsoft.com/en-us/library/dd807118(WS.10).aspx
  • Shibboleth wiki on ADFS interop:
    • https://spaces.internet2.edu/display/SHIB2/MicrosoftInterop
Adding Shibboleth Claims Providers
  • ADFS can’t consume a federation (aggregate) metadata file
    • No support for <EntitiesDescriptor>
  • This can be handled via a script/app
    • Uses MS PowerShell to import into ADFS
    • Import one at a time
    • Must force only one encryption cert
    • No other entity can use the same encryption cert
  • The Microsoft ADFS/InCommon doc has code for a Python script
    • Dealing with multiple federations?
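Added example (Python, not the script from the Microsoft/InCommon document): it splits an aggregate <EntitiesDescriptor> into standalone <EntityDescriptor> documents for one-at-a-time import (for example with the ADFS 2.0 cmdlet Add-ADFSClaimsProviderTrust -MetadataFile), trims each IdP to a single encryption certificate, and reports IdPs whose encryption certificate an earlier claims provider already uses, which ADFS refuses; passing one seen_certs set across several federations' aggregates covers the multiple-federation case. Entity IDs and certificate bodies in the sample aggregate are constructed placeholders.

```python
import xml.etree.ElementTree as ET
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)  # readable prefixes in the per-entity output
ET.register_namespace("ds", DS)

def cert_text(kd):  # base64 body of a KeyDescriptor's X509Certificate, or None
    node = kd.find(f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")
    return "".join(node.text.split()) if node is not None and node.text else None

def split_for_adfs(aggregate_xml, seen_certs=None):
    """Return (ready, skipped): ready holds (entityID, standalone EntityDescriptor XML)
    per IdP, trimmed to one encryption KeyDescriptor; skipped lists IdPs whose encryption
    cert an earlier claims provider already uses. Pass one seen_certs set across aggregates."""
    seen = seen_certs if seen_certs is not None else set()
    ready, skipped = [], []
    for ed in list(ET.fromstring(aggregate_xml).iter(f"{{{MD}}}EntityDescriptor")):
        idp = ed.find(f"{{{MD}}}IDPSSODescriptor")
        if idp is None:
            continue  # SP-only entity: nothing to import as a claims provider
        enc_cert = None
        keys = [k for k in idp.findall(f"{{{MD}}}KeyDescriptor") if k.get("use") != "signing"]
        for kd in keys:  # encryption-only keys, plus dual-use keys that carry no 'use' attribute
            if enc_cert is None:
                enc_cert = cert_text(kd)  # first encryption-capable key is the one kept
            elif kd.get("use") is None:
                kd.set("use", "signing")  # dual-use key stays, but for signing only
            else:
                idp.remove(kd)  # surplus encryption-only key
        if enc_cert in seen:
            skipped.append(ed.get("entityID"))
            continue
        if enc_cert is not None:
            seen.add(enc_cert)
        ready.append((ed.get("entityID"), ET.tostring(ed, encoding="unicode")))
    return ready, skipped

def _kd(cert, use=None):  # constructed sample KeyDescriptor; cert body is a placeholder
    attr = f' use="{use}"' if use else ""
    return (f"<md:KeyDescriptor{attr}><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
            f"{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")

# Constructed aggregate: idp.one has two encryption certs, idp.two two dual-use keys,
# idp.three reuses idp.one's encryption cert, and sp.example is not an IdP at all.
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}">
<md:EntityDescriptor entityID="https://idp.one.example/idp/shibboleth"><md:IDPSSODescriptor>{_kd('SIGN1', 'signing')}{_kd('ENC1', 'encryption')}{_kd('ENC2', 'encryption')}</md:IDPSSODescriptor></md:EntityDescriptor>
<md:EntityDescriptor entityID="https://idp.two.example/idp/shibboleth"><md:IDPSSODescriptor>{_kd('ENC3')}{_kd('ENC4')}</md:IDPSSODescriptor></md:EntityDescriptor>
<md:EntityDescriptor entityID="https://idp.three.example/idp/shibboleth"><md:IDPSSODescriptor>{_kd('ENC1', 'encryption')}</md:IDPSSODescriptor></md:EntityDescriptor>
<md:EntityDescriptor entityID="https://sp.example/shibboleth"><md:SPSSODescriptor/></md:EntityDescriptor>
</md:EntitiesDescriptor>"""
```

Each string in `ready` can be written to its own file and handed to the PowerShell import; entities in `skipped` need a different encryption certificate before ADFS will accept them.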
How to Integrate SharePoint
  • Install ADFS according to documentation
  • Create a new Relying Party on the ADFS server
    • Configure the RP manually
    • SharePoint-to-ADFS uses the WS-Fed Passive protocol (ADFS-to-Shibboleth uses SAML 2)
    • The identifier/entityID is https://<yourFQDN>/_trust/
    • For claims rules, you can just use “Pass-Through” rules (Shibboleth-sourced claims are already transformed by the Claims Provider configuration, and AD-based logins don’t need to be transformed)
  • On the SharePoint server, use PowerShell to add a new Security Token Service (STS):
    • Use the New-SPTrustedIdentityTokenIssuer cmdlet (see link below)
    • Consider adding some custom code to sync SharePoint profiles
      • Hook the “OnSignedIn” event of the “federatedAuthentication” module
      • Use SharePoint’s UserProfileManager class
  • http://shannonbray.wordpress.com/2010/10/02/claims-based-authentication-made-simple/
How to Integrate Your Own App
  • Developer’s machine:
    • Install WIF runtime (KB974405)
    • Install WIF SDK (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c148b2df-c7af-46bb-9162-2c9422208504&displaylang=en)
  • Web Server
    • Install WIF runtime (KB974405)
    • Set your app’s App Pool property for “loadUserProfile” to ‘true’
How to Integrate Your Own App (cont)
  • For the app itself (assuming VS2008):
    • Ensure that build target is .NET 3.5 (or greater)
    • Check out (from source control) the app’s web.config file (next step needs to write to it)
    • Right-click web site/project in Solution Explorer, choose ‘Add STS Reference’
      • Choose your app’s web.config file
      • Use your app’s URL as the application URI, making sure to include the trailing slash (Ex. https://serverFQDN/app/)
      • Choose to “Use an Existing STS” and point to your ADFS server’s metadata
        • https://<yourADFS-FQDN>/FederationMetadata/2007-06/FederationMetadata.xml
      • Accept other defaults
How to Integrate Your Own App (cont)
  • Edit the attributes/claims that your app requests
    • Web site: Edit the <microsoft.identitymodel> section of web.config, uncomment needed attributes, then choose ‘Update Federation Metadata’ from the project’s right-click menu in Solution Explorer
    • Web project: You’ll need to first edit your app’s web.config as described above, then either manually edit your app’s metadata file, located at <app root>/FederationMetadata/2007-06/FederationMetadata.xml, or use the VS2008 FedUtil (Tools->Run Federation Utility tool). If you choose the first option:
      • Look for the <fed:ClaimsTypesRequested> section
      • Add new <auth:ClaimType> elements as needed
      • Name and Role are enabled by default; consider adding these:
        • <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
        • <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
        • <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
How to Integrate Your Own App (cont)
  • On ADFS Server
    • Add a new Relying Party
      • Auto-configure from metadata:
        • https://<WebServerFQDN>/app/FederationMetadata/2007-06/FederationMetadata.xml
    • Create ‘Pass-Through’ Claims Rules for the new RP. Consider pass-through rules for these claims (as they are named in the ADFS RP Claim Rules GUI):
      • “Name” is the userID/sAMAccountName/ePPN
      • “Given Name” is the user’s first name
      • “Surname” is the user’s last name
      • “E-Mail Address” is the user’s email address
      • “Role” is the user’s role (or eduPersonAffiliation, etc)
How to Integrate Your Own App (cont)
  • App code references:
    • Add reference to Microsoft.IdentityModel (after installing WIF runtime)
  • App Code:
    • using Microsoft.IdentityModel.Claims;
    • using System.Threading;
  • In Page.Load()
    • IClaimsIdentity claimsIdentity = ((IClaimsPrincipal)Thread.CurrentPrincipal).Identities[0];
  • Microsoft Reference:
    • http://www.microsoft.com/downloads/en/details.aspx?FamilyID=BB9AB270-473B-4852-B26E-031A88EDD113
How to Integrate Your Own App (cont)

```csharp
// Claim type URIs as issued by ADFS: givenname/surname/emailaddress are the
// WS-Federation 2005 identity claims, role is the 2008 Microsoft role claim
string GIVENNAME_CLAIM_TYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname";
string SURNAME_CLAIM_TYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname";
string EMAIL_CLAIM_TYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";
string ROLE_CLAIM_TYPE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";

// Initialize every variable (a declaration like "string a, b = "";" only assigns the last one)
string UID = "", FName = "", LName = "", EmailAddr = "", Role = "";
bool AuthOK = false, roleFound = false;

if (claimsIdentity != null)   // claimsIdentity was obtained in Page_Load (previous slide)
{
    AuthOK = claimsIdentity.IsAuthenticated;
    UID = claimsIdentity.Name;   // the "Name" claim: userID/sAMAccountName/ePPN
    foreach (Claim c in claimsIdentity.Claims)
    {
        if (c.ClaimType == GIVENNAME_CLAIM_TYPE)
            FName = c.Value;
        if (c.ClaimType == SURNAME_CLAIM_TYPE)
            LName = c.Value;
        if (c.ClaimType == EMAIL_CLAIM_TYPE)
            EmailAddr = c.Value;
        if (c.ClaimType == ROLE_CLAIM_TYPE)
        {
            // role is multivalued, so build one semicolon-delimited string
            if (roleFound)
                Role += ";" + c.Value;
            else
            {
                Role += c.Value;
                roleFound = true;
            }
        }
    }
}
```

DiscoveryService/WAYF??
  • ADFS does not support the OASIS DiscoveryService profile
  • To discover a user’s home institution, ADFS uses a process called “Home Realm Discovery”
  • This is very customizable, as it is just a .NET page (.aspx)
    • Page is at (by default) c:\inetpub\adfs\ls\HomeRealmDiscovery.*
    • Search-as-you-type
    • Cookie name
    • Multi-Fed Selector
Demo
  • Claims Provider Properties
  • Claims Provider Claims Rules
  • Relying Party Properties
  • Relying Party Claims Rules
  • SharePoint Login
    • Custom code to sync SP profiles
      • Hooks the “OnSignedIn” event of the “federatedAuthentication” module
      • Uses SP’s UserProfileManager class
  • Custom app integration