Adfs 2 & claims based identity

AD FS 2 & Claims-Based Identity
Laura E. Hunter
Identity Lady, AD FS Zealot
laura.hunter@lhaconsulting.com
http://www.shutuplaura.com
@adfskitteh

The Problem? We Lack a Consistent Identity Layer for Applications

The Result?Hard-coded dependencies, “Continuous Wheel Re-Invention”Resistance to Change

LDAP://dc1.bigfirm.com/ou=FTEs,dc=bigfirm,dc=com

filter = ((&(objectClass=user)(|(sn=*smith*)(displayName=*smith*)(givenName=*smith*)(cn=*smith*))))

How many different ways can you authenticate to an app?

Managing Application Identity – First Principles
1. Identify the Caller
2. Extract Information for AuthZ & Personalization

Windows Integrated Authentication
Does Active Directory work everywhere?

What’s the Solution?

So What’s a Claim?
“I am a member of the Marketing group”
“My email address is …”
“I am over 21 years of age”
Populated using information from
AD/ADAM/ADLDS
SQL
Expressed using the SAML format

<saml:AssertionAssertionID="..." IssueInstant="2006-07-11T03:15:40Z" Issuer=“https://adatum-dc1.adatum.com“>
<saml:ConditionsNotBefore="2006-07-11T03:15:40Z" NotOnOrAfter="2006-07-11T04:15:40Z">
<saml:Audience> https://contoso-dc1.contoso.com </saml:Audience>
<saml:AuthenticationStatementAuthenticationInstant="2006-07-11T03:15:40Z" AuthenticationMethod="urn:federation:authentication:windows">
<saml:NameIdentifierFormat="http://schemas.xmlsoap.org/claims/UPN">adamcar@adatum.com</saml:NameIdentifier>
<saml:AttributeAttributeName="Group”
<saml:AttributeValue> Administrators</saml:AttributeValue>
<Signaturexmlns="http://www.w3.org/2000/09/xmldsig#"> ab315cdff14d</Signature>
</saml:Assertion>
Abridged SAML Token(Don’t Squint, Just Get the Big Idea!)

AD FS is all about the apps!

Standards-based:
WS-Federation
WS-Trust
SAML 2.0
Use cases:
WebSSO
Web Services (WCF)
What is this…“claims-aware” application of which you speak?

What Can I do with this?

Application Access in a Single Org

Account Partner
(ADATUM)
Resource Partner
(CONTOSO)
A. Datum
Account Forest
Trey Research
Resource Forest
Federation Trust
Federated Application Access

SSO to Service Providers

Cloudy with a Chance of Federation

So what does it look like?

WS-Fed Passive Profile
Account Partner
(Users)
Resource Partner
(Resource)
A. Datum
Account Forest
Trey Research
Resource Forest
Federation Trust

Something lost, something gained…
What about passwords?
What about deprovisioning?

Liberty Alliance Results…
ADFS 2 SAML 2.0 Interop Testing with Entrust, IBM, Novell, Ping, SAP, Siemens
IdP Lite
SP Lite
EGov 1.5
Matrix testing results:http://www.projectliberty.org/liberty/liberty_interoperable/implementations/saml_2_0_test_procedure_v3_2_2_full_matrix_implementation_table_q309/

If you remember nothing else but this…

I want the integrity of yourusers’ identity information when they access myresources…

…to be at least as good…

as the integrity of yourusers’ identity information when they access yourresources.

AD FS components are Windows components
No additional server software costs
…but it’s all about the apps!
AD FSv2 (was “Geneva”)
Release Candidate Available Now
RTM…“Soon”
Windows Identity Foundation
.NET Developer Platform
Free Download
Available now!
AD FS 2.0 Availability, Pricing

AD Cookbook, 3rd Edition
Best selling Active Directory title
What’s New?
Windows Server 2008 coverage:
Read Only Domain Controllers (RODCs)
Fine Grained Password Policies (FGPPs)
Exchange 2007 integration & scripting
Identity Lifecycle Manager 2007
Windows PowerShell & Active Directory .NET programming
New user interface features
Always more than one way!
Learn More! http://oreilly.com/catalog/9780596521103/

Thank You!
mailto: laura.hunter@lhaconsulting.com
blog: http://www.shutuplaura.com
twitter: @adfskitteh

Adfs 2 & claims based identity

by Nathan Winters

Accessibility

Categories

Upload Details

Usage Rights

2 Embeds 29

Statistics

Adfs 2 & claims based identity Presentation Transcript

http://www.slideshare.net	28
http://www.unscatter.com	1