1 / 42

Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Id

SESSION CODE: SIA201. Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation. David Chappell Principal Chappell & Associates.

mathilde
Download Presentation

Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Id

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SESSION CODE: SIA201 Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation David Chappell Principal Chappell & Associates Claims-Based Identity: An Introduction to AD FS 2.0, Windows Identity Foundation, and CardSpace 2.0

  2. Agenda • Introducing Claims-Based Identity • Using Claims-Based Identity: Scenarios • Microsoft Technologies for Claims-Based Identity: A Closer Look

  3. Introducing Claims-Based Identity

  4. Claims-Based Identity The core Microsoft technologies • Active Directory Federation Services (AD FS) 2.0 • The newest version of AD FS • Windows Identity Foundation (WIF) 1.0 • Pronounced “Dub-I-F” • CardSpace 2.0 • The newest version of CardSpace

  5. What is Identity? • An identityis a set of information about some entity, such as a user • Most applications work with identity • Identity information drives important aspects of an application’s behavior, such as: • Determining what a user is allowed to do • Controlling how the application interacts with the user

  6. Defining the ProblemWorking with identity is too hard • Applications must use different identity technologies in different situations: • Active Directory (Kerberos) inside a Windows domain • Username/password on the Internet • WS-Federation and the Security Assertion Markup Language (SAML) between organizations • Why not define one approach that applications can use in all of these cases? • Claims-based identity allows this • It can make life simpler for developers

  7. Tokens and Claims Representing identity on the wire • A token is a set of bytes that expresses information about an identity • This information consists of one or more claims • Each claim contains some information about the entity to which this token applies Example Claims Token Claim 1 Name Claim 2 Indicates who created this token and guards against changes Group Claim 3 Age . . . Claim n Signature

  8. Identity Providers and STSs • An identity provider (or issuer) is an authority that makes claims about an entity • Example identity providers today: • On your company’s network: Your employer • On the Internet: Windows Live ID • An identity provider can implement a securitytokenservice(STS) • It’s software that issues tokens • Requests for tokens are made via WS-Trust • Many token formats can be used • The SAML format is popular

  9. Getting a TokenIllustrating an identity provider and an STS Identity Provider 2) Get information Security Token Service (STS) Account/ Attribute Store 3) Create and return token 1) Authenticate user and request token Token Browser or Client User

  10. Acquiring and Using a Token 4) Use claims in token Identity Provider Application 3) Verify token’s signature and check whether this STS is trusted STS Identity Library List of Trusted STSs 2) Submit token Token 1) Authenticate user and get token Token Browser or Client User

  11. Why Claims Are an Improvement • In today’s world, an application typically gets only simple identity information • Such as a user’s name • To get more, the application must query: • A remote database, e.g., a directory service • A local database • With claims-based identity, each application can ask for exactly the claims that it needs • The STS puts these in the token it creates

  12. How Applications Can Use ClaimsSome examples • A claim can identify a user • A claim can convey group or role membership • A claim can convey personalization information • Such as the user’s display name • A claim can grant or deny the right to do something • Such as access particular information or invoke specific methods • A claim can constrain the right to do something • Such as indicating the user’s purchasing limit

  13. Supporting Multiple IdentitiesUsing an identity selector: An option 5) Use claims in token Application Identity Providers STS Identity Library STS STS 1) Access application and learn token requirements 4) Submit token Token Token Browser or Client 3) Authenticate user and get token for selected identity Identity Selector 2) (Optionally) select an identity that matches those requirements User

  14. Claims-Based Identity for Windows 5) Use claims in token Identity Providers AD FS 2.0 Application STS Windows Identity Foundation STS STS 1) Access application and learn token requirements 4) Submit token Token Token 3) Authenticate user and get token for selected identity Browser or Client CardSpace 2.0 2) (Optionally) select an identity that matches those requirements User

  15. Using Claims-Based Identity: Scenarios

  16. An Enterprise Scenario Active Directory Domain Services 8) Use claims in token AD FS 2.0 Application STS WIF 5) Find claims required by application and create token 6) Receive token 7) Submit token 1) Login to domain and get Kerberos ticket 4) Present Kerberos ticket and request token for selected identity 2) Access application and learn token requirements Token Token Browser or Client CardSpace 2.0 3) (Optionally) select an identity that matches those requirements User

  17. Allowing Internet Access 5) Use claims in token Active Directory Domain Services AD FS 2.0 Application STS WIF 4) Submit token Token Token Internet 3) Authenticate user and get token for selected identity 1) Access application and learn token requirements Browser or Client CardSpace 2.0 2) (Optionally) select an identity that matches those requirements User

  18. Using an External Identity Provider Identity Providers 5) Use claims in token Windows Live ID Other Application WIF STS STS 4) Submit token Token Token Internet 3) Authenticate user and get token for selected identity 1) Access application and learn token requirements Browser or Client CardSpace 2.0 2) (Optionally) select an identity that matches those requirements User

  19. Identity Across OrganizationsDescribing the problem • A user in one Windows forest must access an application in another Windows forest • A user in a non-Windows world must access an application in a Windows forest (or vice-versa)

  20. Identity Across OrganizationsPossible solutions • One option: duplicate accounts • Requires separate login, extra administration • A better approach: identity federation • One organizations accepts identities provided by the other • No duplicate accounts • Single sign-on for users

  21. Identity Federation (1) Organization X Organization Y Active Directory Domain Services AD FS 2.0 STS STS 5) Use claims in token Token 3) Get token for selected identity 4) Submit token Token Application Browser or Client WIF CardSpace 2.0 1) Access application and learn token requirements • Trusted STSs: • Organization Y • Organization X 2) (Optionally) select an identity that matches those requirements User

  22. Identity Federation (2) Organization X Organization Y 2) Access Organization Y STS and learn token requirements Active Directory Domain Services AD FS 2.0 Token for STS Y STS STS 5) Request token for application • Trusted STSs: • Organization X Token Token for STS Y 6) Issue token for application 8) Use claims in token 4) Get token for Organization Y STS 7) Submit token Token Application Browser or Client WIF CardSpace 2.0 1) Access application and learn token requirements 3) (Optionally) select an identity that matches those requirements • Trusted STSs: • Organization Y User

  23. Delegation Active Directory Domain Services AD FS 2.0 5) Check policy for user, application X, and application Y STS Token for X Token for X Token for Y 1) Get token for application X 4) Request token for application Y 6) If policy allows, issue token for application Y 8) Use claims in token 7) Submit token Browser or Client Application X Token for Y Application Y WIF WIF Token for X 3) Access application and learn token requirements User 2) Submit token

  24. Microsoft Technologies for Claims-Based Identity:A Closer Look

  25. Changes in AD FS 2.0From the previous release • AD FS 1.1 supports only passive clients (i.e., browsers) using WS-Federation • And it doesn’t provide an STS • AD FS 2.0: • Supports both active and passive clients • Provides an STS • Supports both WS-Federation and the SAML 2.0 protocol • Improves management of trust relationships • By automating some exchanges

  26. Windows Identity FoundationA summary • The goal: Make it easier for developers to create claims-aware applications • WIF provides: • Support for verifying a token’s signature and extracting its claims • Classes for working with claims • Visual Studio project types • An STS for development and testing • Support for creating a custom STS • More

  27. CardSpace 2.0Selecting identities • CardSpace provides a standard user interface for choosing an identity • Using the metaphor of cards • Choosing a card selects an identity (i.e., a token)

  28. Information Cards • Behind each card a user sees is an information card • It’s an XML file that represents a relationship with an identity provider • It contains what’s needed to request a token for a particular identity • Information cards don’t contain: • Claims for the identity • Whatever is required to authenticate to the identity provider’s STS

  29. Information CardsAn illustration Identity Providers Browser or Client STS STS STS CardSpace 2.0 Information Card 1 Information Card 2 Information Card 3 Information Card 4 User

  30. Creating Industry Agreement • The Information Card Foundation is a multi-vendor group dedicated to making this technology successful • Its board members include Google, Microsoft, Novell, Oracle, and PayPal • A Web site can display a standard icon to indicate that it accepts card-based logins:

  31. Changes in CardSpace 2.0From the first CardSpace release • CardSpace 2.0 is available separately from the .NET Framework • It’s smaller and faster • CardSpace 2.0 contains optimizations for applications that users visit repeatedly • A Web site can display the card you last used to log in the site • The CardSpace screen needn’t appear • The self-issued identity provider has been dropped

  32. Shipping Status Today • WIF: Released November 2009 • AD FS 2.0: Released May 2010 • CardSpace 2.0: Currently in beta, release postponed • It’s a fast-moving technology area

  33. Conclusions • Changing how applications (and people) work with identity is not a small thing • Widespread adoption of claims-based identity will take time • Yet all of the pieces required to make claims-based identity real on Windows are here: • AD FS 2.0 • Windows Identity Framework • CardSpace 2.0 (on the way)

  34. References • Claims-Based Identity for Windows: An Introduction to Active Directory Federation Services 2.0, Windows CardSpace 2.0, and Windows Identity Foundation, David Chappell • http://www.davidchappell.com/writing/white_papers/Claims-Based_Identity_for_Windows_v2.pdf

  35. About the Speaker David Chappell is Principal of Chappell & Associates (www.davidchappell.com) in San Francisco, California. Through his speaking, writing, and consulting, he helps people around the world understand, use, and make better decisions about new technology. David has been the keynote speaker for events and conferences on five continents, and his seminars have been attended by tens of thousands of IT decision makers, architects, and developers in more than forty countries. His books have been published in a dozen languages and used regularly in courses at MIT, ETH Zurich, and other universities. In his consulting practice, he has helped clients such as Hewlett-Packard, IBM, Microsoft, Stanford University, and Target Corporation adopt new technologies, market new products, train their sales staffs, and create business plans. Earlier in his career, David wrote networking software, chaired a U.S. national standards working group, and played keyboards with the Peabody-award-winning Children’s Radio Theater. He holds a B.S. in Economics and an M.S. in Computer Science, both from the University of Wisconsin-Madison.

  36. Related Content SIA321 |Business Ready Security: Exploring the Identity and Access Management Solution SIA201 |Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0 SIA303|Identity and Access Management: Windows Identity Foundation and Windows Azure SIA304 | Identity and Access Management: Windows Identity Foundation Overview SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT  SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM SIA319 | Microsoft Forefront Identity Manager 2010: In Production SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0 SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager SIA06-INT | Identity and Access Management Solution Demos • SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview • SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory • Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution

  37. Track Resources Learn more about our solutions: http://www.microsoft.com/forefront Try our products: http://www.microsoft.com/forefront/trial

  38. Required Slide Resources Learning • Sessions On-Demand & Community • Microsoft Certification & Training Resources www.microsoft.com/teched www.microsoft.com/learning • Resources for IT Professionals • Resources for Developers http://microsoft.com/technet http://microsoft.com/msdn

  39. Required Slide Complete an evaluation on CommNet and enter to win!

  40. Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st http://northamerica.msteched.com/registration You can also register at the North America 2011 kiosk located at registrationJoin us in Atlanta next year

  41. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

More Related