
Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0

Session code: SIA302. Speaker: Brian Puhl, Principal Technology Architect, MSIT Identity & Access Management, Microsoft Corporation.





Presentation Transcript


  1. SESSION CODE: SIA302. Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0. Brian Puhl, Principal Technology Architect, MSIT Identity & Access Management, Microsoft Corporation.

  2. Agenda
     “Provide a secure identity management infrastructure which enables both on-premise and cloud applications to use common authentication and authorization foundations, regardless of the user's source”
     • Identity Principles
     • Federated Identity
     • Deploying Active Directory Federation Services 2.0
     • On-Premise Applications
     • Cloud/Hosted Applications

  3. MSIT Identity & Access Strategy

  4. Identity Principles
     • MSIT is responsible for security of our data, regardless of where authentication or authorization policies occur
     • Manage consistency of data within the metasystem
     • Deliver services which ensure compliance with policy
     • Authentication and Authorization are independent
     • Provide solutions to improve business, but don’t “be” the solution
     • Whoever owns the data, owns the Authorization policy
     • Drive policies as close to the data as possible
     • Some identity services are just for convenience, and that’s ok
     • Common infrastructure and application models regardless of location

  5. Deploying Active Directory Federation Services 2.0

  6.–8. Deploying Active Directory Federation Services 2.0 (one slide, built up over three steps)
     • This display name is often used by partners during home realm discovery
     • Plan your namespace for multiple federation services
     • Choose your URI carefully: use a URL format; use HTTPS

  9. Federated Identity (the bouncy slide)
     Diagram labels: Microsoft (Users); E-Company Store (Resource); A. Datum Account Forest; Trey Research Resource Forest; Federation Trust.

  10.–11. Authorization Infrastructure
     • Works well when scoped at application STS
     • Not intended for fine-grained data authorization
     • Requires in-application policy enforcement
     • Delegated Access solves KCD/NTLM problems
     • Chaining STS scopes tokens with performance impact
     • Improved authentication consolidated at STS
     Diagram labels: LOB Application 1, LOB Application 2 … LOB Application N, SharePoint Sites, File Servers. Slide 10 shows separate “Authorization Components” and “Authentication Infrastructure Services” layers; slide 11 merges them into “Authentication and Authorization Infrastructure Services”.

  12. Authorization Example
     Business policy:
     • Acct Mgrs: read contracts in their region; edit contracts in their country; create new contracts
     • Sales Rep: edit contracts they own
     Application roles: Create, Read, Update
     How do you build the token for Ariel?
     • <102>Read</102> ??? This doesn’t work
     • <roles>Create</roles> <roles>Read</roles> - doesn’t reflect the policy
     • <role>Create~102/Read~103/Update~104/Update~105/Read</role> - token bloat with too many values
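The slide's point is that the policy belongs next to the data, with the token carrying only identity and coarse scope. The following is an added example (not code from the slides or from MSIT): it enforces slide 12's business policy inside the application from a lean token, and then precomputes the same policy into Action~contract values the way the rejected third token does, so the growth is visible. The claim names, the users and the contract table are constructed; the contract ids merely echo the slide's sample values.

```python
"""Added example (not part of the slides): in-application enforcement of slide 12's
policy from a lean claims token, versus precomputing per-contract rights into the token."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Contract:
    id: int
    region: str
    country: str
    owner: str          # sales rep who owns the contract


@dataclass(frozen=True)
class Token:
    """Lean token: identity plus coarse roles and scope attributes.
    Claim names are illustrative, not AD FS claim-type URIs."""
    subject: str
    roles: frozenset
    region: str
    country: str


# Constructed sample contracts (ids 102-105 echo the slide's example)
CONTRACTS = [
    Contract(102, "EMEA", "FR", "ariel"),
    Contract(103, "EMEA", "DE", "bob"),
    Contract(104, "EMEA", "FR", "carol"),
    Contract(105, "APAC", "JP", "ariel"),
]

ARIEL = Token("ariel", frozenset({"AccountManager"}), region="EMEA", country="FR")
BOB = Token("bob", frozenset({"SalesRep"}), region="EMEA", country="DE")


def decide(token, action, contract=None):
    """Slide 12's policy, evaluated by the application next to the data it protects.
    Account managers: read in their region, update in their country, create anywhere.
    Sales reps: update (and, by assumption, read) contracts they own."""
    if "AccountManager" in token.roles:
        if action == "create":
            return True
        if contract is not None:
            if action == "read" and contract.region == token.region:
                return True
            if action == "update" and contract.country == token.country:
                return True
    if "SalesRep" in token.roles and contract is not None:
        if action in ("read", "update") and contract.owner == token.subject:
            return True
    return False


def permitted_ids(token, action, contracts=CONTRACTS):
    """Contract ids on which the token holder may perform `action`."""
    return [c.id for c in contracts if decide(token, action, c)]


def lean_claims(token):
    """What the token actually carries: a few values, independent of data volume."""
    return "/".join(sorted(token.roles)) + f"/region={token.region}/country={token.country}"


def bloated_claims(token, contracts=CONTRACTS):
    """The rejected alternative: one Action~id value per contract the user may touch.
    The claim grows with the size of the contract table."""
    values = []
    for c in contracts:
        for action in ("read", "update"):
            if decide(token, action, c):
                values.append(f"{action.capitalize()}~{c.id}")
    return "/".join(values)


def claim_sizes(token, contracts=CONTRACTS):
    """Character counts of the lean and the precomputed claim strings."""
    return len(lean_claims(token)), len(bloated_claims(token, contracts))


if __name__ == "__main__":
    for who in (ARIEL, BOB):
        print(who.subject, "read:", permitted_ids(who, "read"),
              "update:", permitted_ids(who, "update"),
              "create:", decide(who, "create"))
    print("lean vs precomputed claim length:", claim_sizes(ARIEL))
```

With four contracts the precomputed claim is already longer than the lean token; with a real contract table it grows without bound, and it goes stale the moment a contract changes region or owner, which is why the slide keeps the policy in the application.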

  13. STS Architecture
     How many STS’s do I need? Exactly as many as you need.
     • App Suite STS: augmented claims; authorization tokens
     • Identity STS: authentication; partner federation; identity normalization; immutable identifiers

  14. Authentication Transitivity (diagram: Contoso, Service Provider, Applications 1–4)
     • Contoso ADFS issues authentication tickets to the PARTNER REALM, not to any specific application
     • Once a user is authenticated by ADFS, the PARTNER ADFS SERVER will issue tokens for any application which trusts it without going back for authorization

  15. Authentication Transitivity (same diagram)
     • App 4 is actually another STS

  16. Authentication Transitivity: Business to Business Relationships (same diagram, no callouts)

  17. Authentication Transitivity: Business to Business Relationships (Applications 2 and 3 marked with an X)
     • Policy does not allow the service to issue a token based on the SERVICE PROVIDER’S policy (ex. subscription to services)

  18. Authentication Transitivity: Business to Business Relationships (Applications 2 and 3 still marked X)
     • Callout: “This relationship equals this relationship”

  19. Authentication Transitivity: Federation Broker (diagram: Microsoft BPOS, Exchange Online, Windows Live ID, Contoso, SharePoint Online, SkyDrive, HealthVault)
     • Callout: “This is the relationship”
     • Policy must reflect the application access CONTOSO has for its users, but is enforced at the federation broker STS
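Slides 14 through 19 describe a chain: Contoso's AD FS vouches for a user to the partner realm, the partner STS then issues tokens to every application that trusts it without returning to Contoso, one of those "applications" may itself be an STS, and the service provider's own policy (such as a subscription) is the only thing that stops a token being issued. The following is an added example (not code from the slides or from Microsoft) that models that chain. Tokens are plain objects and issuer trust is a set lookup; in a real deployment the token is signed and the signature is what proves the issuer. The STS names, application names and the subscription table are constructed.

```python
"""Added example (not part of the slides): a toy model of authentication transitivity
across Contoso's AD FS, a service provider's STS, and a second STS behind Application 4."""
from dataclasses import dataclass, field


@dataclass
class Token:
    issuer: str
    audience: str
    subject: str
    claims: dict = field(default_factory=dict)


class STS:
    """Security token service: trusts named issuers, issues tokens to its relying parties."""

    def __init__(self, name, trusted_issuers=()):
        self.name = name
        self.trusted_issuers = set(trusted_issuers)
        self.relying_parties = {}       # rp name -> issuance policy (callable) or None

    def add_relying_party(self, rp, policy=None):
        self.relying_parties[rp] = policy

    def issue(self, inbound, rp):
        """Exchange an inbound token for one scoped to `rp`.
        Returns a Token, or None when this provider's own policy denies the request."""
        if inbound.audience != self.name:
            raise ValueError(f"{self.name}: token was issued for {inbound.audience}, not for me")
        if inbound.issuer not in self.trusted_issuers:
            raise ValueError(f"{self.name}: issuer {inbound.issuer} is not trusted")
        if rp not in self.relying_parties:
            raise ValueError(f"{self.name}: {rp} is not a relying party")
        policy = self.relying_parties[rp]
        if policy is not None and not policy(inbound):
            return None
        return Token(self.name, rp, inbound.subject, dict(inbound.claims))


def contoso_login(subject, target_sts):
    """Slide 14: Contoso AD FS authenticates the user and issues a token to the
    PARTNER REALM (audience = the partner STS), not to any one application."""
    return Token("contoso-adfs", target_sts, subject, {"realm": "contoso"})


# Constructed: which realms the provider has sold each application to (slide 17's policy).
SUBSCRIPTIONS = {"App3": {"fabrikam"}}          # Contoso holds no subscription for App3


def subscribed(app):
    return lambda tok: tok.claims.get("realm") in SUBSCRIPTIONS.get(app, set())


def build_provider():
    provider = STS("provider-sts", trusted_issuers={"contoso-adfs"})
    provider.add_relying_party("App1")
    provider.add_relying_party("App2")
    provider.add_relying_party("App3", policy=subscribed("App3"))
    provider.add_relying_party("app4-sts")                 # slide 15: App 4 is another STS
    app4 = STS("app4-sts", trusted_issuers={"provider-sts"})
    app4.add_relying_party("App4-Reports")
    return provider, app4


def run_scenario(subject="alice"):
    provider, app4 = build_provider()
    realm_token = contoso_login(subject, provider.name)
    results = {}
    # One Contoso authentication, several provider-issued tokens, no round trip to Contoso.
    for app in ("App1", "App2", "App3"):
        tok = provider.issue(realm_token, app)
        results[app] = tok.issuer if tok else "denied by provider policy"
    # One hop further: the token for app4-sts is exchanged again behind Application 4.
    hop = provider.issue(realm_token, "app4-sts")
    results["App4-Reports"] = app4.issue(hop, "App4-Reports").issuer
    # A token scoped to App1 is not accepted by the second STS: the audience check fails.
    try:
        app4.issue(provider.issue(realm_token, "App1"), "App4-Reports")
        results["replay"] = "accepted"
    except ValueError:
        results["replay"] = "rejected"
    return results


if __name__ == "__main__":
    for app, outcome in run_scenario().items():
        print(f"{app:13s} {outcome}")
```

The audience check is what keeps transitivity from becoming unbounded: each token is good for exactly one relying party, so reach is decided by which STSs the provider chooses to register, and the subscription policy at the provider is the control point the slides say Contoso must rely on.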

  20. It’s 11:30, do you know where your IDs are?
     The challenge with federation transitivity is the breadth of applications which your users can access
     • Loss of personal/confidential data
     • Recoverability after termination
     • The enterprise should not have to provide access to corporate IDs
     • Users should not have to find and re-permission their data to a new account

  21. Personal Data vs. Business Data: 3 Examples
     • Customer access to enterprise applications
       • Easy provisioning
     • Hybrid access to corporate applications
       • Family access to corporate benefits
     • Convenient access to personal data
       • W2, 401k, etc…

  22.–23. It’s 11:30, do you know where your IDs are?
     The challenge with federation brokers is the breadth of applications which your users can access
     • Corporate reputation for “business inappropriate” use of corporate brand
     • Data islands

  24. Data Islands
     • When you begin to investigate the cloud, find out if your users have beaten you to it… http://www.google.com/a/cpanel/premier/new

  25.–33. Online Services Authentication (animated diagram built up over nine slides; only the labels survive)
     Entities: Exchange Online; Microsoft Federation Gateway; Corporate Network.
     Identity records shown: ID: 12345 / UPN: joe@foo.local / PUID: E0A178 (twice); PUID: E0A178 / MAIL: joe@corp.com; ID: 12345 / UPN: joe@foo.local.
     Labels added step by step:
     • Slide 26: “Provision Accts & ACL Mailboxes”; “Directory Sync”
     • Slide 28: “Basic Auth - UPN & PW”; “SSL TUNNEL”
     • Slide 29: “UPN & PW”; “Home Realm Discovery”; “STS URL”
     • Slide 30: “joe@foo.local & 12345”
     • Slide 31: “E0A178”
     • Slide 32: “PWD: P@ssword” added to the first ID record; “UPN: joe@foo.local” added to the PUID/MAIL record
     • Slide 33: “RPC/HTTPS”

  34. Online Service Authentication
     • Federated namespace is the UPN namespace, not the email namespace
     • UPNs are used as logon name; renames allowed
     • Immutable IDs map to the WLID account; ID changes = new account
     • Authentication via ADFS Proxies: Active Authentication endpoints
     • User confusion when UPN != SMTP
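Three of these bullets (UPN namespace for home realm discovery, immutable ID as the account key, UPN != SMTP confusion) fall out of one data model. The following is an added example (not code from the slides or from Microsoft) that simulates directory sync into a cloud account store keyed on the immutable ID, then shows a UPN rename keeping the same account, an immutable-ID change producing a new one, and home realm discovery succeeding on the UPN suffix but not on the mail domain. Names, suffixes, IDs and the STS URL are constructed; the PUID values only echo the slide's sample format.

```python
"""Added example (not part of the slides): why the federated namespace is the UPN
namespace and why cloud accounts are keyed on an immutable ID, not the UPN or mail."""
from dataclasses import dataclass


@dataclass
class CorpUser:
    immutable_id: str   # stable directory identifier (constructed; real deployments derive it from the directory)
    upn: str            # logon name; its suffix decides the federated realm
    mail: str           # SMTP address; may differ from the UPN


# Federated UPN suffixes -> STS endpoint (constructed URL, not a real one)
FEDERATED_SUFFIXES = {"foo.local": "https://sts.foo.local/adfs/services/trust"}


def home_realm(logon_name):
    """Home realm discovery keys on the UPN suffix. An e-mail address such as
    joe@corp.com finds no federated realm even though it is the same person."""
    suffix = logon_name.rsplit("@", 1)[-1].lower()
    return FEDERATED_SUFFIXES.get(suffix)


class CloudDirectory:
    """Cloud-side account store: immutable ID -> PUID plus the synced attributes."""

    def __init__(self):
        self.accounts = {}            # immutable_id -> {"puid", "upn", "mail"}
        self._next_puid = 0xE0A178    # starting value echoes the slide's sample PUID

    def sync(self, users):
        """Directory sync: match on immutable ID, create accounts for unknown IDs,
        update UPN/mail for known ones. Returns the PUIDs in input order."""
        puids = []
        for u in users:
            acct = self.accounts.get(u.immutable_id)
            if acct is None:
                acct = {"puid": f"{self._next_puid:06X}", "upn": u.upn, "mail": u.mail}
                self._next_puid += 1
                self.accounts[u.immutable_id] = acct
            else:
                acct["upn"], acct["mail"] = u.upn, u.mail
            puids.append(acct["puid"])
        return puids

    def resolve(self, immutable_id):
        """What the gateway does with an AD FS token: map the immutable ID to a PUID."""
        acct = self.accounts.get(immutable_id)
        return acct["puid"] if acct else None

    def upn_smtp_mismatches(self):
        """Accounts whose logon name differs from the mail address: the user-confusion case."""
        return [a["upn"] for a in self.accounts.values() if a["upn"].lower() != a["mail"].lower()]


def demo():
    cloud = CloudDirectory()
    joe = CorpUser("12345", "joe@foo.local", "joe@corp.com")
    first = cloud.sync([joe])[0]
    # A UPN rename keeps the same cloud account because the key is the immutable ID.
    joe.upn = "joseph@foo.local"
    after_rename = cloud.sync([joe])[0]
    # A changed immutable ID (user deleted and re-created on-premise) is a brand-new account.
    recreated = CorpUser("67890", "joseph@foo.local", "joe@corp.com")
    new_acct = cloud.sync([recreated])[0]
    return {
        "same_after_rename": first == after_rename,
        "new_account_on_id_change": new_acct != first,
        "accounts": len(cloud.accounts),
        "realm_by_upn": home_realm("joseph@foo.local"),
        "realm_by_mail": home_realm("joe@corp.com"),
        "mismatches": len(cloud.upn_smtp_mismatches()),
    }


if __name__ == "__main__":
    print(demo())
```

The second account left behind after the immutable-ID change is the "ID changes = new account" bullet: nothing in the cloud store links it to the old PUID, so mailbox and permissions have to be re-provisioned.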

  35. Summary
     • Plan for a successful deployment of ADFS 2.0
     • Authentication determines identity
     • Authorization policy determines access
     • Common infrastructure for premise and cloud
     • Policy data doesn’t always fit inside the token
     • Controls over where and how IDs can be used

  36. Related Content
     Breakout Sessions
     • SIA321 | Business Ready Security: Exploring the Identity and Access Management Solution
     • SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
     • SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0
     • SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure
     • SIA304 | Identity and Access Management: Windows Identity Foundation Overview
     • SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove
     • SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin
     • SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT
     • SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM
     • SIA319 | Microsoft Forefront Identity Manager 2010: In Production
     • SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
     • SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
     Interactive Sessions
     • SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0
     • SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager
     • SIA06-INT | Identity and Access Management Solution Demos
     Hands-On Labs
     • SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview
     • SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory
     Product Demo Stations
     • Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution

  37. Track Resources
     • Learn more about our solutions: http://www.microsoft.com/forefront
     • Try our products: http://www.microsoft.com/forefront/trial

  38. Resources
     • Learning: Sessions On-Demand & Community, www.microsoft.com/teched; Microsoft Certification & Training Resources, www.microsoft.com/learning
     • Resources for IT Professionals: http://microsoft.com/technet
     • Resources for Developers: http://microsoft.com/msdn

  39. Complete an evaluation on CommNet and enter to win!

  40. Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st: http://northamerica.msteched.com/registration. You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.

  41. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

