
SESSION CODE: SIA201

Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation

David Chappell

Principal

Chappell & Associates

Claims-Based Identity: An Introduction to AD FS 2.0, Windows Identity Foundation, and CardSpace 2.0

Agenda
  • Introducing Claims-Based Identity
  • Using Claims-Based Identity: Scenarios
  • Microsoft Technologies for Claims-Based Identity: A Closer Look
Claims-Based Identity: The core Microsoft technologies
  • Active Directory Federation Services (AD FS) 2.0
    • The newest version of AD FS
  • Windows Identity Foundation (WIF) 1.0
    • Pronounced “Dub-I-F”
  • CardSpace 2.0
    • The newest version of CardSpace
What is Identity?
  • An identity is a set of information about some entity, such as a user
  • Most applications work with identity
    • Identity information drives important aspects of an application’s behavior, such as:
      • Determining what a user is allowed to do
      • Controlling how the application interacts with the user
Defining the Problem: Working with identity is too hard
  • Applications must use different identity technologies in different situations:
    • Active Directory (Kerberos) inside a Windows domain
    • Username/password on the Internet
    • WS-Federation and the Security Assertion Markup Language (SAML) between organizations
  • Why not define one approach that applications can use in all of these cases?
    • Claims-based identity allows this
    • It can make life simpler for developers
Tokens and Claims: Representing identity on the wire
  • A token is a set of bytes that expresses information about an identity
    • This information consists of one or more claims
    • Each claim contains some information about the entity to which this token applies

Figure (example claims): a token holding Claim 1 (Name), Claim 2 (Group), Claim 3 (Age), . . ., Claim n, plus a Signature that indicates who created this token and guards against changes.

Identity Providers and STSs
  • An identity provider (or issuer) is an authority that makes claims about an entity
    • Example identity providers today:
      • On your company’s network: Your employer
      • On the Internet: Windows Live ID
  • An identity provider can implement a security token service (STS)
    • It’s software that issues tokens
      • Requests for tokens are made via WS-Trust
    • Many token formats can be used
      • The SAML format is popular
Getting a Token: Illustrating an identity provider and an STS

Figure: the user's browser or client, and an identity provider consisting of a Security Token Service (STS) and an account/attribute store.
1) Authenticate user and request token
2) Get information (from the account/attribute store)
3) Create and return token

Acquiring and Using a Token

Figure: the user's browser or client, an identity provider (STS), and an application whose identity library holds a list of trusted STSs.
1) Authenticate user and get token
2) Submit token
3) Verify token's signature and check whether this STS is trusted
4) Use claims in token

Why Claims Are an Improvement
  • In today’s world, an application typically gets only simple identity information
    • Such as a user’s name
  • To get more, the application must query:
    • A remote database, e.g., a directory service
    • A local database
  • With claims-based identity, each application can ask for exactly the claims that it needs
    • The STS puts these in the token it creates
How Applications Can Use Claims: Some examples
  • A claim can identify a user
  • A claim can convey group or role membership
  • A claim can convey personalization information
    • Such as the user’s display name
  • A claim can grant or deny the right to do something
    • Such as access particular information or invoke specific methods
  • A claim can constrain the right to do something
    • Such as indicating the user’s purchasing limit
Supporting Multiple Identities: Using an identity selector, an option

Figure: the user's browser or client (with an identity selector), several identity providers (each with an STS), and an application with an identity library.
1) Access application and learn token requirements
2) (Optionally) select an identity that matches those requirements
3) Authenticate user and get token for selected identity
4) Submit token
5) Use claims in token

Claims-Based Identity for Windows

Figure: the same flow with the Microsoft technologies in place: the user's browser or client runs CardSpace 2.0 as the identity selector, AD FS 2.0 is one of the identity providers' STSs, and the application uses Windows Identity Foundation as its identity library.
1) Access application and learn token requirements
2) (Optionally) select an identity that matches those requirements
3) Authenticate user and get token for selected identity
4) Submit token
5) Use claims in token

An Enterprise Scenario

Figure: the user's browser or client (with CardSpace 2.0), Active Directory Domain Services, AD FS 2.0 (STS), and an application using WIF.
1) Login to domain and get Kerberos ticket
2) Access application and learn token requirements
3) (Optionally) select an identity that matches those requirements
4) Present Kerberos ticket and request token for selected identity
5) Find claims required by application and create token
6) Receive token
7) Submit token
8) Use claims in token

Allowing Internet Access

Figure: the user's browser or client (with CardSpace 2.0) reaches the application and AD FS 2.0 over the Internet; inside the organization are Active Directory Domain Services, AD FS 2.0 (STS), and the application using WIF.
1) Access application and learn token requirements
2) (Optionally) select an identity that matches those requirements
3) Authenticate user and get token for selected identity
4) Submit token
5) Use claims in token

Using an External Identity Provider

Figure: the user's browser or client (with CardSpace 2.0) reaches external identity providers (Windows Live ID, Other; each with an STS) and the application (WIF) over the Internet.
1) Access application and learn token requirements
2) (Optionally) select an identity that matches those requirements
3) Authenticate user and get token for selected identity
4) Submit token
5) Use claims in token

Identity Across Organizations: Describing the problem
  • A user in one Windows forest must access an application in another Windows forest
  • A user in a non-Windows world must access an application in a Windows forest (or vice-versa)
Identity Across Organizations: Possible solutions
  • One option: duplicate accounts
    • Requires separate login, extra administration
  • A better approach: identity federation
    • One organization accepts identities provided by the other
      • No duplicate accounts
      • Single sign-on for users
Identity Federation (1)

Figure: Organization X hosts the user, a browser or client (with CardSpace 2.0), Active Directory Domain Services and an AD FS 2.0 STS; Organization Y hosts an STS and the application (WIF). The application's list of trusted STSs contains Organization Y and Organization X.
1) Access application and learn token requirements
2) (Optionally) select an identity that matches those requirements
3) Get token for selected identity
4) Submit token
5) Use claims in token

Identity Federation (2)

Figure: Organization X hosts the user, a browser or client (with CardSpace 2.0), Active Directory Domain Services and an AD FS 2.0 STS; Organization Y hosts an STS whose list of trusted STSs contains only Organization X, and the application (WIF), whose list of trusted STSs contains only Organization Y.
1) Access application and learn token requirements
2) Access Organization Y STS and learn token requirements
3) (Optionally) select an identity that matches those requirements
4) Get token for Organization Y STS
5) Request token for application (presenting the token for STS Y)
6) Issue token for application
7) Submit token
8) Use claims in token
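The federation exchange just shown, together with the signature and trusted-STS checks from the Acquiring and Using a Token slide, as an added Python model; this is not code from the presentation or from AD FS/WIF. The issuer names, application identifier and keys are constructed, and a per-issuer HMAC key stands in for the X.509 token-signing certificate a real STS would use.

```python
import base64, hashlib, hmac, json

# Constructed sample values; a per-issuer HMAC key stands in for the X.509
# token-signing certificate a real AD FS 2.0 STS would use.
STS_X = "urn:sts:organization-x"   # identity provider STS in Organization X
STS_Y = "urn:sts:organization-y"   # federation STS in Organization Y
APP_Y = "urn:app:organization-y"   # claims-aware application in Organization Y
STS_KEYS = {STS_X: b"constructed-key-x", STS_Y: b"constructed-key-y"}

def issue_token(issuer, audience, claims):
    """STS side: serialize the claims and sign them so the recipient can tell
    who created the token and detect any change to it."""
    body = json.dumps({"issuer": issuer, "audience": audience,
                       "claims": claims}, sort_keys=True).encode()
    sig = hmac.new(STS_KEYS[issuer], body, hashlib.sha256).digest()
    return base64.b64encode(body).decode() + "." + base64.b64encode(sig).decode()

def verify_token(token, expected_audience, trusted_stss):
    """Relying-party side (the identity library in the slides): trusted issuer,
    valid signature under that issuer's key, and correct audience, else None."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = base64.b64decode(body_b64), base64.b64decode(sig_b64)
        payload = json.loads(body)
    except ValueError:
        return None
    if not isinstance(payload, dict) or payload.get("issuer") not in trusted_stss:
        return None                    # unknown STS: reject before any crypto
    expected = hmac.new(trusted_stss[payload["issuer"]], body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None                    # forged or altered after signing
    if payload.get("audience") != expected_audience:
        return None                    # issued for some other recipient
    return payload.get("claims")

def sts_y_issue_for_application(token_for_sts_y):
    """Organization Y's STS (steps 5 and 6): accept a token only from the partner
    STS it trusts, then issue its own token for the application, mapping the
    partner's group claim onto a local role claim."""
    claims = verify_token(token_for_sts_y, STS_Y, {STS_X: STS_KEYS[STS_X]})
    if claims is None:
        return None
    role = "Purchaser" if claims.get("group") == "Sales" else "Reader"
    return issue_token(STS_Y, APP_Y, {"name": claims.get("name"), "role": role})

def application_accepts(token):
    """Step 7: the application verifies the token; it trusts only Organization Y's STS."""
    return verify_token(token, APP_Y, {STS_Y: STS_KEYS[STS_Y]})

def tamper(token, old, new):
    """Alter the signed body without re-signing, to show the signature check."""
    body_b64, sig_b64 = token.split(".")
    body = base64.b64decode(body_b64).replace(old.encode(), new.encode())
    return base64.b64encode(body).decode() + "." + sig_b64
```

A token from Organization X's STS is rejected when submitted straight to the application, because only Organization Y's STS is on its trusted list; the same token is accepted by STS Y and exchanged for one the application does trust.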

Delegation

Figure: the user's browser or client, Active Directory Domain Services, AD FS 2.0 (STS), Application X (WIF) and Application Y (WIF). The browser holds a token for X; Application X presents that token to the STS and receives a token for Y.
1) Get token for application X
2) Submit token (to application X)
3) Access application (Y) and learn token requirements
4) Request token for application Y
5) Check policy for user, application X, and application Y
6) If policy allows, issue token for application Y
7) Submit token (to application Y)
8) Use claims in token

Changes in AD FS 2.0: From the previous release
  • AD FS 1.1 supports only passive clients (i.e., browsers) using WS-Federation
    • And it doesn’t provide an STS
  • AD FS 2.0:
    • Supports both active and passive clients
    • Provides an STS
    • Supports both WS-Federation and the SAML 2.0 protocol
    • Improves management of trust relationships
      • By automating some exchanges
Windows Identity Foundation: A summary
  • The goal: Make it easier for developers to create claims-aware applications
  • WIF provides:
    • Support for verifying a token’s signature and extracting its claims
    • Classes for working with claims
    • Visual Studio project types
    • An STS for development and testing
    • Support for creating a custom STS
    • More
CardSpace 2.0: Selecting identities
  • CardSpace provides a standard user interface for choosing an identity
    • Using the metaphor of cards
    • Choosing a card selects an identity (i.e., a token)
Information Cards
  • Behind each card a user sees is an information card
    • It’s an XML file that represents a relationship with an identity provider
    • It contains what’s needed to request a token for a particular identity
  • Information cards don’t contain:
    • Claims for the identity
    • Whatever is required to authenticate to the identity provider’s STS
Information Cards: An illustration

Figure: the user's browser or client runs CardSpace 2.0, which holds Information Card 1 through Information Card 4; each card relates to one of the identity providers' STSs (three are shown).

Creating Industry Agreement
  • The Information Card Foundation is a multi-vendor group dedicated to making this technology successful
    • Its board members include Google, Microsoft, Novell, Oracle, and PayPal
  • A Web site can display a standard icon to indicate that it accepts card-based logins
Changes in CardSpace 2.0: From the first CardSpace release
  • CardSpace 2.0 is available separately from the .NET Framework
    • It’s smaller and faster
  • CardSpace 2.0 contains optimizations for applications that users visit repeatedly
    • A Web site can display the card you last used to log in to the site
    • The CardSpace screen needn’t appear
  • The self-issued identity provider has been dropped
Shipping Status Today
  • WIF: Released November 2009
  • AD FS 2.0: Released May 2010
  • CardSpace 2.0: Currently in beta, release postponed
    • It’s a fast-moving technology area
Conclusions
  • Changing how applications (and people) work with identity is not a small thing
    • Widespread adoption of claims-based identity will take time
  • Yet all of the pieces required to make claims-based identity real on Windows are here:
    • AD FS 2.0
    • Windows Identity Foundation
    • CardSpace 2.0 (on the way)
References
  • Claims-Based Identity for Windows: An Introduction to Active Directory Federation Services 2.0, Windows CardSpace 2.0, and Windows Identity Foundation, David Chappell
    • http://www.davidchappell.com/writing/white_papers/Claims-Based_Identity_for_Windows_v2.pdf
About the Speaker

David Chappell is Principal of Chappell & Associates (www.davidchappell.com) in San Francisco, California. Through his speaking, writing, and consulting, he helps people around the world understand, use, and make better decisions about new technology. David has been the keynote speaker for events and conferences on five continents, and his seminars have been attended by tens of thousands of IT decision makers, architects, and developers in more than forty countries. His books have been published in a dozen languages and used regularly in courses at MIT, ETH Zurich, and other universities. In his consulting practice, he has helped clients such as Hewlett-Packard, IBM, Microsoft, Stanford University, and Target Corporation adopt new technologies, market new products, train their sales staffs, and create business plans. Earlier in his career, David wrote networking software, chaired a U.S. national standards working group, and played keyboards with the Peabody-award-winning Children’s Radio Theater. He holds a B.S. in Economics and an M.S. in Computer Science, both from the University of Wisconsin-Madison.

Related Content

SIA321 | Business Ready Security: Exploring the Identity and Access Management Solution

SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation

SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0

SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure

SIA304 | Identity and Access Management: Windows Identity Foundation Overview

SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove

SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin

SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT 

SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM

SIA319 | Microsoft Forefront Identity Manager 2010: In Production

SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown

SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager

SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0

SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager

SIA06-INT | Identity and Access Management Solution Demos

  • SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview
  • SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory
  • Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution
Track Resources

Learn more about our solutions:

http://www.microsoft.com/forefront

Try our products:

http://www.microsoft.com/forefront/trial

Resources

Learning

  • Sessions On-Demand & Community
  • Microsoft Certification & Training Resources

www.microsoft.com/teched

www.microsoft.com/learning

  • Resources for IT Professionals
  • Resources for Developers

http://microsoft.com/technet

http://microsoft.com/msdn


© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.