Adfs Shib Interop Um Oxford


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Walk audience through demonstrations 3Windows Live IDs will be populated as a claim by the IdP. This claims is then transformed to generate a short-lived token and redirected to Windows Live mail.
  • Walk audience through demonstrations 1 and 2. Demo 1: Show attribute extraction using Sample Claims-Aware ApplicationDemo 2: Show compatibility with MOSS 2007
  • Adfs Shib Interop Um Oxford

    1. 1. Active Directory Federation Services Cross-Platform Interoperability Windows Live@Edu – ADFS/Shibboleth
    2. 2. Agenda Introduction  Project Background  Missouri, Oxford & Microsoft  Things we’ll cover:  Overview of Technologies  ADFS/Shibboleth Interoperability Demos 
    3. 3. Project Background Based on OCG White Paper:  Achieving interoperability between Active Directory Federation  Services (ADFS) and Shibboleth Demonstrate interoperability between ADFS and  Shibboleth System 1.3c Release Using ADFS plug-in for SAML 1.1 Identity and Service Providers  Support for WS-Federation Passive Requestor Interoperability Profile  Demonstrate interoperability with sample applications  - Microsoft Office SharePoint Server 2007 and Windows Live IDs
    4. 4. Technology Overview Shibboleth  Standards-based, Open Source Middleware Software  Project of Internet2/MACE (Middleware Architecture Committee for  Education) Internet2 – U.S. Advanced Networking Consortium led by the  education and research community (universities, partners, laboratories, government agencies, etc.) URL:  Implements the OASIS SAML v1.1 specification  December 2005 - Extension for ADFS support is developed  Implemented in Shibboleth versions 1.3.c and later  Platforms include: UNIX (Solaris, etc.), Linux (Fedora, Ubuntu, etc.),  Mac OS-X
    5. 5. Show of Hands How many schools have a websso?   How many use CAS?  Pubcookie?  Something else? How many have a Shibboleth?  How many have ADFS?  How many run a websso & Shib or ADFS?  Does anyone run both ADFS & Shib? 
    6. 6. Project Credits Project Sponsors  Walter Harp, Microsoft Corporation  John DuBois, Microsoft Corporation  Credits and Contributions  Ryan Woodsmall, University of Missouri  Brian Dourty, University of Missouri  Edward D. McKinzie, University of Missouri  Bryan W. Roesslet, University of Missouri  Randy Wiemer, University of Missouri  Chris Calderon, Oxford Computer Group  Jim Muir, Oxford Computer Group 
    7. 7. Technology Overview Active Directory Federation Services (ADFS)  First introduced in Windows Server 2003 R2 to provide “Identity  Federation”  Projecting user identity from a single logon…  Providing single identity based entitlements…  Connecting islands (across security, organizational or platform boundaries)  Result: Web single sign-on & simplified identity management Web Services and WS-* Security Standards  Specifically implementing the WS-Federation and WS-Federation  Passive Requestor Profile specifications
    8. 8. Language Translation
    9. 9. Demonstration Overview Establishing Federated Interoperability between ADFS (Relying Party) and Shibboleth (Identity Provider) Demonstration 2: User will access MOSS 2007 Extranet Portal. Demonstration 1: User will access Sample Claims- App that will display the set of claims, associated with that user.
    10. 10. Configuration Details ADFS Configuration Policy Requirements  Federation Service URI – This uniquely identifies a federated partner  Federation Service endpoint URL – The URL that partner organizations to send  requests and responses. Token Signing Certificate – Relying Party requires a signing certificate that is used to  by the Identity Providers to digitally sign message exchanges. ADFS Management Console - This is the primary management console for  administrative management of Account Partners (Identity Providers)
    11. 11. Configuration Details Shibboleth Configuration Requirements  XML Metadata - Trust Policy Configuration  idp.xml – (The main configuration file for the identity provider.) Configures the Shibboleth ADFS extension  Provides key information for relying parties  Adds reference mapping support for identity claims (i.e. MS UPNs)  Adds the XML attribute namespace= to attribute definitions in  resolver.xml for any attributes that should be sent to ADFS providers. resolver.xml – (Attribute extraction)  Defines the connection to attribute store – (Attribute release policy)  Defines which attributes are available to relying parties  Controls (Permits/Denies) attribute release rules 
    12. 12. Demonstration Overview Windows Live ID/Passport Interoperability Demonstration 3: User access Windows Live@edu by passing WLID through claims to generate SLT. The Identity Provider (IdP) acts as the Windows Live Account Store.
    13. 13. Configuration Details Windows Live ID Interoperability  WLIDs (Short-live Tokens) – Can be used to further extending SSO into  Web Applications. Benefits:  Windows Live ID users can access resources typically only available  only for AD accounts (SharePoint Sites, etc.) Applications do not need to implement any Windows Live ID code  Single Account Management (instead of AD and Windows Live) 
    14. 14. Summary Successfully demonstrated the interoperability between  ADFS and Shibboleth: Straight forward configurations  No special software or customization required by either party.  Language Translation (Understanding component relations of each  technology) Lessons learned  Federating with Windows Live IDs  Microsoft Office SharePoint Server 2007 Compatibility 