Speaker notes:
  • Hard-coded dependencies
  • Re-inventing the wheel – asking our devs to be AD experts
  • Resistance to change – smart card, cloud, etc.
  • Identify the caller (AuthN); grep information about the caller for AuthZ & personalization
  • Partner fed
  • Fed with the cloud
  • Hide. Fedutil, pre-baked RP trust
  • For WinHIED
  • For WinHIED

1. AD FS 2 & Claims-Based Identity
   Laura E. Hunter
   Identity Lady, AD FS Zealot
   laura.hunter@lhaconsulting.com
   http://www.shutuplaura.com
   @adfskitteh
2. The Problem? We Lack a Consistent Identity Layer for Applications
3. The Result? Hard-coded dependencies, “Continuous Wheel Re-Invention”, Resistance to Change
4. LDAP://dc1.bigfirm.com/ou=FTEs,dc=bigfirm,dc=com
5. filter = (&(objectClass=user)(|(sn=*smith*)(displayName=*smith*)(givenName=*smith*)(cn=*smith*)))
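As an added example (not from the deck), here is how the "find users named smith" filter on slide 5 would be built in an application from a caller-supplied search term. Slides 3 to 5 make the point that every app ends up hand-rolling this kind of LDAP query; the part a reviewer wants to see done right is that the term is escaped per RFC 4515 so it cannot change the filter's structure or smuggle in its own wildcards. The function names and sample inputs are this example's own.

```python
# Added example, not code from the slide deck. Builds the slide's LDAP filter from a
# search term, escaping the term per RFC 4515 section 3 so that a value such as
# "*)(cn=*" stays a literal string instead of rewriting the filter.

NAME_ATTRIBUTES = ("sn", "displayName", "givenName", "cn")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            # Special characters become a backslash plus two hex digits,
            # e.g. "*" -> "\2a", "(" -> "\28", ")" -> "\29", "\" -> "\5c".
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_name_search_filter(term: str) -> str:
    """Return the slide's filter: users whose surname, display name, given name
    or common name contains `term` as a substring."""
    term = term.strip()
    if not term:
        # An empty term would produce (sn=**) etc. and match every user.
        raise ValueError("empty search term would match every user")
    safe = escape_filter_value(term)
    substrings = "".join(f"({attr}=*{safe}*)" for attr in NAME_ATTRIBUTES)
    return f"(&(objectClass=user)(|{substrings}))"


if __name__ == "__main__":
    print(build_name_search_filter("smith"))
    # Hostile-looking input (constructed) stays inert once escaped:
    print(build_name_search_filter("*)(cn=*"))
```

The filter string is all the application owns here; binding, connection details and group lookups are the hard-coded dependencies the following slides argue should move to a claims layer.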
6. How many different ways can you authenticate to an app?
7. Managing Application Identity – First Principles
   1. Identify the Caller
   2. Extract Information for AuthZ & Personalization
8. Windows Integrated Authentication
   Does Active Directory work everywhere?
9. (image-only slide)
10. (image-only slide)
11. What’s the Solution?
12. So What’s a Claim?
   “I am a member of the Marketing group”
   “My email address is …”
   “I am over 21 years of age”
   Populated using information from AD / ADAM / AD LDS, SQL
   Expressed using the SAML format
13. <saml:Assertion AssertionID="..." IssueInstant="2006-07-11T03:15:40Z" Issuer="https://adatum-dc1.adatum.com">
      <saml:Conditions NotBefore="2006-07-11T03:15:40Z" NotOnOrAfter="2006-07-11T04:15:40Z">
        <saml:Audience>https://contoso-dc1.contoso.com</saml:Audience>
      </saml:Conditions>
      <saml:AuthenticationStatement AuthenticationInstant="2006-07-11T03:15:40Z" AuthenticationMethod="urn:federation:authentication:windows">
        <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">adamcar@adatum.com</saml:NameIdentifier>
      </saml:AuthenticationStatement>
      <saml:Attribute AttributeName="Group">
        <saml:AttributeValue>Administrators</saml:AttributeValue>
      </saml:Attribute>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">ab315cdff14d</Signature>
    </saml:Assertion>
    Abridged SAML Token (Don’t Squint, Just Get the Big Idea!)
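The "big idea" on slide 13 is that the token carries everything the resource partner needs to decide: who issued it, who it is for, when it is good, who the user is and what claims they hold. As an added example (not from the deck), the following Python shows the checks a relying party runs over that abridged token before it trusts any claim in it: issuer, validity window with a small clock-skew allowance, audience, and the presence of a signature. The sample token is constructed from the slide's content with namespace declarations and closing tags added so it parses; the function names and the `_example` assertion id are this example's own.

```python
# Added example, not code from the slide deck or from AD FS. Relying-party checks on a
# SAML 1.x assertion shaped like the slide's abridged token.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.x assertion namespace
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
UPN_FORMAT = "http://schemas.xmlsoap.org/claims/UPN"
NS = {"saml": SAML_NS, "ds": DSIG_NS}

ISSUER = "https://adatum-dc1.adatum.com"      # account partner (from the slide)
AUDIENCE = "https://contoso-dc1.contoso.com"   # resource partner (from the slide)

# Constructed sample modelled on the slide's token; the Signature value is the
# slide's own placeholder, not a real XML-DSig.
SAMPLE_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML_NS}" AssertionID="_example"
    IssueInstant="2006-07-11T03:15:40Z" Issuer="{ISSUER}">
  <saml:Conditions NotBefore="2006-07-11T03:15:40Z" NotOnOrAfter="2006-07-11T04:15:40Z">
    <saml:Audience>{AUDIENCE}</saml:Audience>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2006-07-11T03:15:40Z"
      AuthenticationMethod="urn:federation:authentication:windows">
    <saml:NameIdentifier Format="{UPN_FORMAT}">adamcar@adatum.com</saml:NameIdentifier>
  </saml:AuthenticationStatement>
  <saml:Attribute AttributeName="Group">
    <saml:AttributeValue>Administrators</saml:AttributeValue>
  </saml:Attribute>
  <Signature xmlns="{DSIG_NS}">ab315cdff14d</Signature>
</saml:Assertion>"""

# Two constructed evaluation times: inside the token's one-hour window, and after it.
WITHIN_WINDOW = datetime(2006, 7, 11, 3, 30, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2006, 7, 11, 5, 0, tzinfo=timezone.utc)


@dataclass
class Claims:
    issuer: str
    upn: str
    groups: list


def _parse_utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, expected_issuer: str, expected_audience: str,
                       now: datetime, skew: timedelta = timedelta(minutes=5)) -> Claims:
    """Check the assertion and return its claims; raise ValueError on any failure."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML assertion")
    # A real relying party verifies the XML-DSig over the assertion against the
    # issuer's certificate first; this example only checks the element is present.
    if root.find("ds:Signature", NS) is None:
        raise ValueError("unsigned assertion")
    if root.get("Issuer") != expected_issuer:
        raise ValueError("unexpected issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    not_before = _parse_utc(cond.get("NotBefore"))
    not_on_or_after = _parse_utc(cond.get("NotOnOrAfter"))
    if now < not_before - skew:
        raise ValueError("assertion not yet valid")
    if now >= not_on_or_after + skew:
        raise ValueError("assertion expired")
    audiences = [a.text.strip() for a in cond.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion was issued for a different audience")
    name_id = root.find(".//saml:NameIdentifier", NS)
    if name_id is None or name_id.get("Format") != UPN_FORMAT:
        raise ValueError("no UPN name identifier")
    groups = [v.text.strip()
              for attr in root.findall(".//saml:Attribute", NS)
              if attr.get("AttributeName") == "Group"
              for v in attr.findall("saml:AttributeValue", NS)]
    return Claims(issuer=root.get("Issuer"), upn=name_id.text.strip(), groups=groups)


def accept(xml_text: str, expected_issuer: str, expected_audience: str, now: datetime) -> bool:
    """True if the token passes every check, False otherwise (never raises)."""
    try:
        validate_assertion(xml_text, expected_issuer, expected_audience, now)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_TOKEN, ISSUER, AUDIENCE, WITHIN_WINDOW))
    print(accept(SAMPLE_TOKEN, ISSUER, AUDIENCE, AFTER_EXPIRY))  # False: expired
```

The audience check is what keeps a token minted for CONTOSO from being replayed at a third resource partner, and the validity window is why the slide's one-hour NotBefore/NotOnOrAfter span matters: the claims are only as good as the issuer's signature and that window.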
14. AD FS is all about the apps!
15. What is this… “claims-aware” application of which you speak?
   Standards-based: WS-Federation, WS-Trust, SAML 2.0
   Use cases: WebSSO, Web Services (WCF)
16. What Can I do with this?
17. Application Access in a Single Org
18. Federated Application Access
   Diagram labels: Account Partner (ADATUM), Resource Partner (CONTOSO); A. Datum Account Forest, Trey Research Resource Forest; Federation Trust
19. SSO to Service Providers
20. Cloudy with a Chance of Federation
21. So what does it look like?
22. WS-Fed Passive Profile
   Diagram labels: Account Partner (Users), Resource Partner (Resource); A. Datum Account Forest, Trey Research Resource Forest; Federation Trust
23. Something lost, something gained…
   What about passwords?
   What about deprovisioning?
24. Liberty Alliance Results…
   ADFS 2 SAML 2.0 Interop Testing with Entrust, IBM, Novell, Ping, SAP, Siemens
   IdP Lite
   SP Lite
   EGov 1.5
   Matrix testing results: http://www.projectliberty.org/liberty/liberty_interoperable/implementations/saml_2_0_test_procedure_v3_2_2_full_matrix_implementation_table_q309/
25. (image-only slide)
26. If you remember nothing else but this…
27. I want the integrity of your users’ identity information when they access my resources…
28. …to be at least as good…
29. as the integrity of your users’ identity information when they access your resources.
30. AD FS 2.0 Availability, Pricing
   AD FS components are Windows components
   No additional server software costs
   …but it’s all about the apps!
   AD FS v2 (was “Geneva”)
   Release Candidate Available Now
   RTM… “Soon”
   Windows Identity Foundation
   .NET Developer Platform
   Free Download
   Available now!
31. AD Cookbook, 3rd Edition
   Best selling Active Directory title
   What’s New? Windows Server 2008 coverage:
   Read Only Domain Controllers (RODCs)
   Fine Grained Password Policies (FGPPs)
   Exchange 2007 integration & scripting
   Identity Lifecycle Manager 2007
   Windows PowerShell & Active Directory .NET programming
   New user interface features
   Always more than one way!
   Learn More! http://oreilly.com/catalog/9780596521103/
32. Thank You!
   mailto: laura.hunter@lhaconsulting.com
   blog: http://www.shutuplaura.com
   twitter: @adfskitteh