Federation Services
Basics and considerations
Eguibar Information Services S.L. © 2015, April 6th 2015
What is Federation Services
AD FS is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet, using a claims-based system and policies. This is considered a "trust relationship" between companies: the partner relies on tokens your Federation Service signs, so the trust is only as strong as the protection of your token-signing key.
Do I need Federation Services?
Single Sign-On (SSO)
Web services
Claim mapping
Centralized federated partner management
Extensible architecture
Components
Component: Description
Internet: The public Internet.
Public DMZ: Demilitarized zone. Published services are usually located here.
Site LAN: Internal local area network.
Site with Federation Server: Site where an FS server is located, usually as part of an FS farm.
Potential site for FS Proxy: Site without an FS server, but with an FS Proxy acting as the entry point for federation.
Site without FS servers: No FS server or proxy, but a potential candidate to become one.
Federation Services Proxy: FS Proxy server that enables secured external access to the internal Federation Services server.
Federation Services Server: The server that hosts the Federation Service on the internal network.
Stateful Firewall: Firewall used to secure the internal network and control the DMZ.
How does it work (internal)
1. User requests access to the app/service.
2. App/service requests a token.
3. User requests a token from the FS.
4. FS requests authentication from AD.
5. AD authenticates the user.
6. FS issues the token.
7. User presents the token to the app/service to get access.
How does it work (external)
1. User requests access to the app/service.
2. App/service requests a token; from outside the network the request reaches the FS Proxy.
3. FS Proxy forwards the request to the FS.
4. FS requests authentication from AD.
5. AD authenticates the user.
6. FS issues the token to the requesting FS Proxy.
7. FS Proxy returns the token, which the user presents to the app/service.
8. App/service grants access.
Windows Internal Database
Maximum of 5 federation servers in the farm (AD FS 2.0 guidance).
Only one database, the primary, is writable.
Automatic pull replication of the database from the primary to the secondaries.
100 trust relationships or fewer.
Federation Services using WID (Windows Internal Database):
Diagram: one primary WID (read & write) and two secondary WIDs (read-only), each secondary pulling changes from the primary every 5 minutes.
SQL Server
Configuration database hosted by SQL Server.
Every federation server in the farm can write to the database, and the farm can support more than 100 trust relationships.
SQL Server provides fault tolerance and redundancy.
No limit on the number of federation servers.
Support for token replay detection (a security feature) and artifact resolution (part of the Security Assertion Markup Language (SAML) 2.0 protocol).
Federation Services using SQL Server:
Diagram: three federation servers sharing one SQL Server database (read & write), backed by SQL Server instances configured for fault tolerance and redundancy.
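As an added example (not part of the Eguibar deck), the following script reports which configuration-database backend a farm member uses and checks it against the WID limits above: a single writable primary, pull replication on a timer, and 100 or fewer trusts. It assumes the AD FS cmdlets are loaded (AD FS 2.0: Add-PSSnapin Microsoft.Adfs.PowerShell; 2012 R2 and later: Import-Module ADFS), Windows PowerShell 3.0 or later, and that it runs on a farm member as an AD FS administrator. Detecting WID from the artifact-store connection string is an assumption (it holds when the artifact and configuration stores share one database engine, which is the default).

```powershell
# Added example, not from the Eguibar deck: summarise the farm's database
# backend and warn where it exceeds the WID guidance from the slides.
# Assumes the AD FS cmdlets are loaded and the script runs on a farm member.

function Get-AdfsFarmDbSummary {
    $sync  = Get-AdfsSyncProperties   # Role, PrimaryComputerName, PollDuration, LastSyncStatus, LastSyncTime
    $props = Get-AdfsProperties

    # Assumption: the artifact store lives on the same engine as the configuration
    # store, so its connection string tells WID (named pipe to microsoft##wid on
    # 2012 R2+, MICROSOFT##SSEE on AD FS 2.0) from SQL Server (a host name).
    $conn    = [string]$props.ArtifactDbConnection
    $isWid   = $conn -match '##wid|##ssee'
    $backend = if ($isWid) { 'WID' } else { 'SQL Server' }

    $rp = @(Get-AdfsRelyingPartyTrust)
    $cp = @(Get-AdfsClaimsProviderTrust)
    $trusts = $rp.Count + $cp.Count

    $warnings = New-Object System.Collections.Generic.List[string]
    if ($isWid -and $trusts -gt 100) {
        $warnings.Add("WID farm with $trusts trusts: above the 100-trust guidance, plan a move to SQL Server")
    }
    if ($isWid -and $sync.Role -eq 'SecondaryComputer') {
        $warnings.Add("Secondary WID node: configuration is read-only here, make changes on $($sync.PrimaryComputerName)")
        if ([int]$sync.LastSyncStatus -ne 0) {
            $warnings.Add("Last pull replication from the primary failed (status $($sync.LastSyncStatus))")
        }
        # PollDuration is in seconds (300 = the 5-minute pull on the slide); two missed
        # polls means this node may be serving stale trust or certificate configuration.
        $age = (Get-Date) - [datetime]$sync.LastSyncTime
        if ($age.TotalSeconds -gt 2 * [int]$sync.PollDuration) {
            $warnings.Add("Last successful pull was $([int]$age.TotalMinutes) minutes ago, more than two poll intervals")
        }
    }

    [pscustomobject]@{
        Host                     = $env:COMPUTERNAME
        DatabaseBackend          = $backend
        Role                     = $sync.Role
        PrimaryComputer          = $sync.PrimaryComputerName
        PollSeconds              = $sync.PollDuration
        RelyingPartyTrusts       = $rp.Count
        ClaimsProviderTrusts     = $cp.Count
        # Token replay detection and SAML artifact resolution need the SQL Server backend
        ReplayDetectionAvailable = -not $isWid
        Warnings                 = $warnings.ToArray()
    }
}

Get-AdfsFarmDbSummary | Format-List
```

Run it on every farm member: on a WID farm only the node reporting Role PrimaryComputer accepts configuration changes, and a secondary whose last pull is older than two poll intervals will keep issuing tokens under whatever trusts and certificates it last replicated.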
Selecting and Utilizing a Federation Service Name
The Federation Service Name must never equal any machine name in the Active Directory forest when you are deploying an AD FS 2.0 farm. A computer account already holds the HOST/<fqdn> SPN for its own name, so reusing that name produces a duplicate SPN and Kerberos tickets for the farm get issued against the wrong account.
The HOST/<Federation Service Name> SPN must be registered to the AD FS 2.0 service account.
The subject of all SSL certificates in the farm, including all Federation Servers and Federation Server Proxies, must use the Federation Service Name.
The subject of the Service Communications certificate must use the Federation Service Name.
The Federation Service Name must be registered as a host record in DNS.
The Federation Service Name must be set in the Federation Service Properties.
When directing clients, whether passive (typically browser clients) or active (rich clients), to the Federation Service, the host name the clients use must be the Federation Service Name.
Certificates
Certificate type: Description
Token-signing certificate: An X.509 certificate. Federation servers use its public/private key pair to digitally sign all security tokens they produce, including published federation metadata and artifact resolution requests. Partners verify tokens against its public key, so it is the certificate they must trust and the private key that most needs protecting.
Service communications certificate: Federation servers use a server authentication certificate, also known as the service communications certificate, for Windows Communication Foundation (WCF) message security. By default this is the same certificate the federation server uses as its SSL certificate in Internet Information Services (IIS).
Secure Sockets Layer (SSL) certificate: Federation servers use an SSL certificate to secure web services traffic with web clients and with federation server proxies.
Token-decryption certificate: Used to decrypt tokens that partners have encrypted to this federation server's public key.
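As an added example (not part of the Eguibar deck), this script checks the Federation Service Name rules from the previous slide and the certificate requirements from the table above on a farm member: the name must not collide with a computer account in the forest, the HOST/<name> SPN must sit on the AD FS service account only, the name must resolve in DNS, the service communications certificate must carry the name in its subject or subjectAltName, and no AD FS certificate should be close to expiry. It assumes the AD FS cmdlets are loaded (AD FS 2.0: Add-PSSnapin Microsoft.Adfs.PowerShell; 2012 R2 and later: Import-Module ADFS), Windows PowerShell 3.0 or later, a domain-joined host, that the AD FS Windows service is named adfssrv, and an English locale for the subjectAltName text that .NET's extension formatter returns.

```powershell
# Added example, not from the Eguibar deck: validate the Federation Service
# Name and the AD FS certificate bindings on a farm member.
# Assumes the AD FS cmdlets are loaded, a domain-joined host, the service
# name 'adfssrv', and an English locale for the SAN text format.

function Get-CertDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Subject CN plus every DNS entry of the subjectAltName extension, lower-cased
    $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $names   = @($Cert.GetNameInfo($dnsType, $false))
    $san     = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) yields "DNS Name=a.example, DNS Name=b.example" on English systems
        $names += @(($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() })
    }
    $names | ForEach-Object { $_.ToLower() } | Select-Object -Unique
}

function Test-AdfsServiceName {
    $fsName = (Get-AdfsProperties).HostName.ToLower()   # the Federation Service Name
    $short  = $fsName.Split('.')[0]
    $issues = New-Object System.Collections.Generic.List[string]

    # Forest-wide search root (global catalog) for the computer and SPN checks
    $root   = [adsi]'LDAP://RootDSE'
    $gcRoot = [adsi]"GC://$($root.rootDomainNamingContext)"

    # 1. The name must not equal any machine name in the forest (FQDN or short name)
    $computers = [adsisearcher]"(&(objectCategory=computer)(|(dNSHostName=$fsName)(cn=$short)))"
    $computers.SearchRoot = $gcRoot
    if ($computers.FindOne()) { $issues.Add("'$fsName' collides with a computer account in the forest") }

    # 2. HOST/<name> SPN must be registered to the AD FS service account, and only there
    $svcAcct   = (Get-WmiObject Win32_Service -Filter "Name='adfssrv'").StartName   # e.g. CORP\svc_adfs
    $spnSearch = [adsisearcher]"(servicePrincipalName=HOST/$fsName)"
    $spnSearch.SearchRoot = $gcRoot
    $holders = @($spnSearch.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] })
    if ($holders.Count -eq 0) {
        $issues.Add("HOST/$fsName SPN is not registered; expected on $svcAcct")
    } elseif ($holders.Count -gt 1) {
        $issues.Add("HOST/$fsName SPN is duplicated on: $($holders -join ', ')")
    } elseif ($svcAcct -notlike "*\$($holders[0])") {
        $issues.Add("HOST/$fsName SPN is on '$($holders[0])', not on the service account '$svcAcct'")
    }

    # 3. The name must resolve in DNS
    try   { [void][System.Net.Dns]::GetHostAddresses($fsName) }
    catch { $issues.Add("'$fsName' does not resolve in DNS") }

    # 4. Certificates: the service communications cert must carry the name,
    #    and no AD FS certificate should expire within 30 days
    foreach ($type in 'Service-Communications', 'Token-Signing', 'Token-Decrypting') {
        foreach ($entry in Get-AdfsCertificate -CertificateType $type) {
            $cert = $entry.Certificate
            if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
                $issues.Add("$type certificate $($cert.Thumbprint) expires on $($cert.NotAfter.ToString('yyyy-MM-dd'))")
            }
            if ($type -eq 'Service-Communications') {
                $names = Get-CertDnsNames $cert
                # -like lets a wildcard entry such as *.corp.example satisfy the check
                if (-not ($names | Where-Object { $fsName -like $_ })) {
                    $issues.Add("Service communications certificate $($cert.Thumbprint) does not name '$fsName' (has: $($names -join ', '))")
                }
            }
        }
    }

    $primarySigning = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
    [pscustomobject]@{
        FederationServiceName = $fsName
        ServiceAccount        = $svcAcct
        SpnHolders            = $holders
        PrimaryTokenSigning   = $primarySigning.Thumbprint   # the thumbprint partners must trust
        Issues                = $issues.ToArray()
    }
}

Test-AdfsServiceName | Format-List
```

An empty Issues list means the name and certificate rules on these two slides hold for this node; a duplicated or missing HOST/ SPN and a service communications certificate that does not name the Federation Service are the two findings that most often break Kerberos sign-in for internal clients and TLS for proxies and partners.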
The Big Picture
FS farm & FS proxy
Diagram: six sites (Site01 to Site06) connected over the internal WAN. Three of the sites host an AD FS farm; four sites expose an FS Proxy behind a firewall as the external entry point.