Federation Services
- 2. What is Federation Services
AD FS is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet, using a claims-based system and policies. This is considered a "Trust Relationship" between companies.
Eguibar Information Services S.L. © 2015, April 6th 2015
- 3. Do I need Federation Services?
Single Sign-On (SSO)
Web Services
Claim mapping
Centralized federated partner management
Extensible architecture
- 4. Components
| Component | Description |
|---|---|
| Internet | Internet |
| Public DMZ | Demilitarized zone. Published services are usually located here. |
| Site LAN | Internal local area network. |
| Site with Federation Server | Site where an FS server is located, usually as part of an FS farm. |
| Potential site for FS Proxy | Site without an FS server, but with an FS Proxy acting as an entry point to federate. |
| Site without FS servers | No FS server or proxy, but a potential candidate to become one. |
| Federation Services Proxy | FS Proxy server that enables secured external access to the internal Federation Services server. |
| Federation Services Server | The server that hosts the Federation Services on the internal network. |
| Stateful Firewall | Firewall used to secure the internal network and control the DMZ. |
- 5. How does it work (internal)
1. The user requests access to the APP/Service.
2. The APP/Service requests a token.
3. The user requests a token from the FS.
4. The FS requests authentication from AD.
5. AD authenticates the user.
6. The FS issues a token.
7. The user sends the token in order to get access.
- 6. How does it work (external)
1. The user requests access to the APP/Service.
2. The APP/Service requests a token from the FS Proxy.
3. The FS Proxy forwards the request to the FS.
4. The FS requests authentication from AD.
5. AD authenticates the user.
6. The FS issues a token to the requesting FS Proxy.
7. The FS Proxy sends the token to the APP/Service.
8. The APP/Service grants access.
- 7. Windows Internal Database
Maximum of 5 federation servers.
Only 1 database is writable.
Automatic pull replication of the databases.
100 trust relationships or fewer.
Diagram: Federation Services using WID (Windows Internal Database). The primary WID is read and write; each secondary WID is read-only and pulls from the primary every 5 minutes.
- 8. SQL Server
DB handled by SQL Server.
All instances are writable and can support over 100 trust relationships.
SQL Server provides fault tolerance and redundancy.
No federation server limit.
Support for token replay detection (a security feature) and artifact resolution (part of the Security Assertion Markup Language (SAML) 2.0 protocol).
Diagram: Federation Services using SQL Server. Several federation servers share a read and write SQL Server database, with SQL Server fault tolerance and redundancy between the SQL Server instances.
- 9. Selecting and Utilizing a Federation Service Name
The Federation Service Name must never equal any machine name in the Active Directory forest when you are deploying an AD FS 2.0 farm.
The HOST/<Federation Service Name> SPN must be registered to the AD FS 2.0 service account.
The subject of all SSL certificates in the farm, including all Federation Servers and Federation Server Proxies, must use the Federation Service Name.
The subject of the Service Communications certificate must use the Federation Service Name.
The Federation Service Name must be registered as a host record in DNS.
The Federation Service Name must be set in the Federation Service Properties.
When directing clients, whether passive (typically browser clients) or active (rich clients), to the Federation Service, the host name the clients use must be the Federation Service Name.
- 10. Certificates
| Certificate Type | Description |
|---|---|
| Token-signing certificate | A token-signing certificate is an X.509 certificate. Federation servers use the associated public/private key pair to digitally sign all security tokens that they produce. This includes the signing of published federation metadata and artifact resolution requests. |
| Service communication certificate | Federation servers use a server authentication certificate, also known as a service communication certificate, for Windows Communication Foundation (WCF) Message Security. By default, this is the same certificate that a federation server uses as the Secure Sockets Layer (SSL) certificate in Internet Information Services (IIS). |
| Secure Sockets Layer (SSL) certificate | Federation servers use an SSL certificate to secure Web services traffic for SSL communication with Web clients and with federation server proxies. |
| Token-decryption certificate | This certificate is used to decrypt tokens that are received by this federation server. |
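A quick way to verify the Federation Service Name rules from slide 9 and inspect the farm certificates from slide 10 on a federation server, as an added example that is not part of the original deck. It assumes the ADFS and ActiveDirectory PowerShell modules are available, that the AD FS Windows service is named adfssrv, and that the caller can read Active Directory and the local machine certificate store.

```powershell
# Added example, not from the original deck. Assumes: ADFS and ActiveDirectory
# modules loaded, AD FS Windows service named adfssrv, caller can read AD and
# the local machine certificate store.
$fsName   = (Get-AdfsProperties).HostName   # the Federation Service Name set in the FS properties
$findings = @()

# Rule: the FS name must not equal any computer name in the forest
$short = $fsName.Split('.')[0]
if (Get-ADComputer -Filter "Name -eq '$short'" -ErrorAction SilentlyContinue) {
    $findings += "FS name '$fsName' matches the computer account '$short'"
}

# Rule: the HOST/<FS name> SPN must be registered to the AD FS service account
$svcAcct = (Get-WmiObject Win32_Service -Filter "Name='adfssrv'").StartName.Split('\')[-1]
$spnRx   = '^\s*HOST/' + [regex]::Escape($fsName) + '\s*$'
if (-not ((setspn -L $svcAcct) -match $spnRx)) {
    $findings += "HOST/$fsName SPN is not registered to service account '$svcAcct'"
}

# Rule: the FS name must exist as a host record in DNS
try   { [void][System.Net.Dns]::GetHostAddresses($fsName) }
catch { $findings += "No DNS host record resolves for '$fsName'" }

# Certificates: the service communication certificate must carry the FS name;
# every certificate returned by Get-AdfsCertificate is also checked for expiry
$nameRx = [regex]::Escape($fsName)
foreach ($c in Get-AdfsCertificate) {
    $x    = $c.Certificate
    $days = [int]($x.NotAfter - (Get-Date)).TotalDays
    if ($days -lt 30) {
        $findings += "$($c.CertificateType) certificate $($x.Thumbprint) expires in $days days"
    }
    if ($c.CertificateType -eq 'Service-Communications') {
        # Subject plus the Subject Alternative Name extension, formatted as text
        $san = $x.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' } |
               ForEach-Object { $_.Format($false) }
        if ("$($x.Subject) $san" -notmatch $nameRx) {
            $findings += "Service communication certificate '$($x.Subject)' does not carry '$fsName'"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host "All checks passed for Federation Service Name '$fsName'" }
```

Run it in an elevated PowerShell session on a federation server. The SSL certificate bound in IIS on AD FS 2.0 is not returned by Get-AdfsCertificate, so its subject has to be checked against the IIS binding separately.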
- 11. The Big Picture
FS farm & FS proxy
Diagram: six sites (Site01 to Site06) connected over an internal WAN; three sites host an AD FS farm, and four sites place an FS Proxy behind a firewall.