Adfs 2 & claims based identity

Laura E. Hunter
Presentation Transcript

  • AD FS 2 & Claims-Based Identity
    Laura E. Hunter
    Identity Lady, AD FS Zealot
    laura.hunter@lhaconsulting.com
    http://www.shutuplaura.com
    @adfskitteh
  • The Problem? We Lack a Consistent Identity Layer for Applications
  • The Result? Hard-coded dependencies, “Continuous Wheel Re-Invention”, Resistance to Change
  • LDAP://dc1.bigfirm.com/ou=FTEs,dc=bigfirm,dc=com
  • filter = (&(objectClass=user)(|(sn=*smith*)(displayName=*smith*)(givenName=*smith*)(cn=*smith*)))
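The filter on the slide above is exactly the kind of AD detail every application team ends up re-implementing: it hard-codes the directory, the OU and a search term, and if that term comes from user input it has to be escaped per RFC 4515 or the input rewrites the filter. The following is an added example, not code from the slides, that builds the slide's multi-attribute name search as a function with the escaping in place (the attribute list and function names are this example's own):

```python
# Added example (not from the slides): building the slide's multi-attribute name
# search as a function, with the search term escaped per RFC 4515 section 3.
# If the term is user input and is interpolated unescaped, input such as
# "*)(objectClass=*" rewrites the filter instead of being searched for.

# Characters that are special inside an LDAP filter assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

NAME_ATTRS = ("sn", "displayName", "givenName", "cn")

def build_name_filter(term: str, attrs=NAME_ATTRS) -> str:
    """Substring search for `term` over several name attributes, restricted to
    user objects, in the shape of the filter on the slide."""
    if not term.strip():
        raise ValueError("search term must not be empty")
    safe = escape_filter_value(term)
    alternatives = "".join(f"({attr}=*{safe}*)" for attr in attrs)
    return f"(&(objectClass=user)(|{alternatives}))"

if __name__ == "__main__":
    print(build_name_filter("smith"))
    # The hostile term stays inside one assertion value instead of closing it.
    print(build_name_filter("*)(objectClass=*"))
```

Note that the escaping is what keeps `*)(objectClass=*` inside a single assertion value; with the term interpolated raw, the same input would close the `(sn=...)` assertion and add its own.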
  • How many different ways can you authenticate to an app?
  • Managing Application Identity – First Principles
    1. Identify the Caller
    2. Extract Information for AuthZ & Personalization
  • Windows Integrated Authentication
    Does Active Directory work everywhere?
  • What’s the Solution?
  • So What’s a Claim?
    “I am a member of the Marketing group”
    “My email address is …”
    “I am over 21 years of age”
    Populated using information from
    AD/ADAM/ADLDS
    SQL
    Expressed using the SAML format
  • Abridged SAML Token (Don’t Squint, Just Get the Big Idea!)
    <saml:Assertion AssertionID="..." IssueInstant="2006-07-11T03:15:40Z" Issuer="https://adatum-dc1.adatum.com">
      <saml:Conditions NotBefore="2006-07-11T03:15:40Z" NotOnOrAfter="2006-07-11T04:15:40Z">
        <saml:Audience>https://contoso-dc1.contoso.com</saml:Audience>
      </saml:Conditions>
      <saml:AuthenticationStatement AuthenticationInstant="2006-07-11T03:15:40Z" AuthenticationMethod="urn:federation:authentication:windows">
        <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">adamcar@adatum.com</saml:NameIdentifier>
      </saml:AuthenticationStatement>
      <saml:Attribute AttributeName="Group">
        <saml:AttributeValue>Administrators</saml:AttributeValue>
      </saml:Attribute>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">ab315cdff14d</Signature>
    </saml:Assertion>
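The big idea on the slide is that the token carries an issuer, a validity window, an intended audience, the subject, the claims and a signature, and the relying party has to check each of those before it trusts the claims. The following is an added example, not code from the slides or from AD FS, of those relying-party checks on a SAML 1.1 assertion built from the abridged token above (wrapper elements the slide elides are restored; the audience, issuer and clock values are assumptions for the example). Signature verification is left to a real XML-DSig library; here the token is only required to carry a Signature element.

```python
# Added example (not from the slides): the checks a relying party runs on a SAML 1.1
# assertion like the abridged one above, before it acts on the claims. The sample
# assertion is constructed from the slide's token with its elided wrapper elements
# (AudienceRestrictionCondition, Subject, AttributeStatement) restored. Signature
# verification is deliberately left to a real XML-DSig library (e.g. signxml):
# here the token is only required to carry a Signature element.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML_NS, "ds": DSIG_NS}

SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" AssertionID="_a1b2c3"
    IssueInstant="2006-07-11T03:15:40Z" Issuer="https://adatum-dc1.adatum.com">
  <saml:Conditions NotBefore="2006-07-11T03:15:40Z" NotOnOrAfter="2006-07-11T04:15:40Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://contoso-dc1.contoso.com</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2006-07-11T03:15:40Z"
      AuthenticationMethod="urn:federation:authentication:windows">
    <saml:Subject>
      <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">adamcar@adatum.com</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>Administrators</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <Signature xmlns="{DSIG_NS}">ab315cdff14d</Signature>
</saml:Assertion>"""

# Values the relying party (the resource partner) configures for itself (assumed).
RP_AUDIENCE = "https://contoso-dc1.contoso.com"
TRUSTED_ISSUERS = {"https://adatum-dc1.adatum.com"}
# Constructed clock values: inside the window, and exactly at NotOnOrAfter.
SAMPLE_NOW = datetime(2006, 7, 11, 3, 30, 0, tzinfo=timezone.utc)
SAMPLE_EXPIRY = datetime(2006, 7, 11, 4, 15, 40, tzinfo=timezone.utc)

class TokenRejected(Exception):
    pass

def _ts(value: str) -> datetime:
    """Parse the UTC xs:dateTime form SAML uses (trailing Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_audience, trusted_issuers, now):
    """Enforce issuer, signature presence, validity window and audience, then
    return the claims as a dict. Raises TokenRejected with the reason."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise TokenRejected("not a SAML 1.x assertion")
    issuer = root.get("Issuer")
    if issuer not in trusted_issuers:
        raise TokenRejected(f"untrusted issuer {issuer!r}")
    if root.find("ds:Signature", NS) is None:
        raise TokenRejected("assertion is not signed")   # real RP: verify XML-DSig here
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise TokenRejected("no Conditions element")
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise TokenRejected("assertion outside its validity window")
    audiences = [a.text.strip() for a in cond.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        raise TokenRejected(f"audience {audiences} does not name this relying party")
    name_id = root.find(".//saml:NameIdentifier", NS)
    if name_id is None:
        raise TokenRejected("no subject NameIdentifier")
    claims = {"issuer": issuer, "name_id": name_id.text.strip(),
              "name_id_format": name_id.get("Format"), "attributes": {}}
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)]
        claims["attributes"].setdefault(attr.get("AttributeName"), []).extend(values)
    return claims

def rejection_reason(xml_text, expected_audience, trusted_issuers, now) -> str:
    """Convenience wrapper: '' when the assertion is accepted, else the reason."""
    try:
        validate_assertion(xml_text, expected_audience, trusted_issuers, now)
        return ""
    except TokenRejected as exc:
        return str(exc)

if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, RP_AUDIENCE, TRUSTED_ISSUERS, SAMPLE_NOW))
    print(rejection_reason(SAMPLE_ASSERTION, RP_AUDIENCE, TRUSTED_ISSUERS, SAMPLE_EXPIRY))
```

The order of the checks matters: the issuer and signature are established first, because nothing else in the token means anything until it is known who produced it; the audience check is what stops a token minted for one relying party from being replayed at another.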
  • AD FS is all about the apps!
  • Standards-based:
    WS-Federation
    WS-Trust
    SAML 2.0
    Use cases:
    WebSSO
    Web Services (WCF)
    What is this…“claims-aware” application of which you speak?
  • What Can I do with this?
  • Application Access in a Single Org
  • Federated Application Access
    [Diagram: Account Partner (ADATUM): A. Datum Account Forest. Resource Partner (CONTOSO): Trey Research Resource Forest. The two are linked by a Federation Trust.]
  • SSO to Service Providers
  • Cloudy with a Chance of Federation
  • So what does it look like?
  • WS-Fed Passive Profile
    [Diagram: Account Partner (Users): A. Datum Account Forest. Resource Partner (Resource): Trey Research Resource Forest. The two are linked by a Federation Trust.]
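The passive profile is browser redirects and form posts: the relying party sends the browser to the account partner's STS with a wsignin1.0 request, the user authenticates there, and the STS posts a RequestSecurityTokenResponse carrying the SAML assertion back to the relying party. The following is an added example, not code from the slides or from AD FS, of both ends of that exchange from the relying party's side; the STS endpoint, realm, reply URL and the sample wresult are constructed for the example, and the assertion it extracts still has to go through the relying party's token validation.

```python
# Added example (not from the slides): the WS-Federation passive requestor profile
# from the relying party's side. Step 1 builds the wsignin1.0 redirect that sends
# the browser to the account partner's STS; step 3 parses the form the STS POSTs
# back to the RP (wa, wresult, wctx). Endpoint URLs and the sample wresult are
# constructed for this example; the returned assertion still has to go through
# the RP's token validation (signature, conditions, audience).
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs
import xml.etree.ElementTree as ET

WSFED_SIGNIN = "wsignin1.0"
TRUST_NS = "http://schemas.xmlsoap.org/ws/2005/02/trust"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

STS_ENDPOINT = "https://sts.adatum.com/adfs/ls/"     # account partner STS (assumed)
RP_REALM = "https://app.contoso.com/"                 # resource partner realm (assumed)
RP_REPLY = "https://app.contoso.com/signin-wsfed"     # where the STS posts the token

def build_signin_url(sts_endpoint, realm, reply_url, wctx):
    """Step 1: the redirect the RP issues to start passive sign-in."""
    query = urlencode({"wa": WSFED_SIGNIN, "wtrealm": realm, "wreply": reply_url, "wctx": wctx})
    return sts_endpoint + ("&" if "?" in sts_endpoint else "?") + query

def signin_params(url):
    """Flatten the query string of a sign-in URL for inspection."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

class SignInRejected(Exception):
    pass

def parse_signin_response(form_body, pending_wctx):
    """Step 3: parse the POST to wreply. wctx must match a sign-in this RP started
    (each value accepted once), and wresult must be an RSTR wrapping an assertion."""
    form = parse_qs(form_body, keep_blank_values=True)
    if form.get("wa", [None])[0] != WSFED_SIGNIN:
        raise SignInRejected("unexpected or missing wa")
    wctx = form.get("wctx", [None])[0]
    if wctx not in pending_wctx:
        raise SignInRejected("wctx does not match a pending sign-in")
    pending_wctx.discard(wctx)
    try:
        rstr = ET.fromstring(form["wresult"][0])
    except (KeyError, ET.ParseError) as exc:
        raise SignInRejected(f"wresult missing or malformed: {exc}")
    if rstr.tag != f"{{{TRUST_NS}}}RequestSecurityTokenResponse":
        raise SignInRejected("wresult is not a RequestSecurityTokenResponse")
    assertion = rstr.find(f"{{{TRUST_NS}}}RequestedSecurityToken/{{{SAML_NS}}}Assertion")
    if assertion is None:
        raise SignInRejected("no SAML assertion inside RequestedSecurityToken")
    return {"wctx": wctx, "assertion_id": assertion.get("AssertionID"),
            "assertion_xml": ET.tostring(assertion, encoding="unicode")}

def signin_rejection_reason(form_body, pending_wctx):
    """'' when the posted form is accepted, else the reason it was rejected."""
    try:
        parse_signin_response(form_body, pending_wctx)
        return ""
    except SignInRejected as exc:
        return str(exc)

# Constructed RSTR as the STS would post it (abridged, unsigned, for shape only).
SAMPLE_WRESULT = (
    f'<t:RequestSecurityTokenResponse xmlns:t="{TRUST_NS}"><t:RequestedSecurityToken>'
    f'<saml:Assertion xmlns:saml="{SAML_NS}" AssertionID="_9f2c" Issuer="https://sts.adatum.com/adfs/services/trust">'
    '<saml:AttributeStatement><saml:Attribute AttributeName="Group">'
    '<saml:AttributeValue>Marketing</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
    '</saml:Assertion></t:RequestedSecurityToken></t:RequestSecurityTokenResponse>'
)

def sample_form_body(wctx):
    """The form the STS auto-posts back to wreply, for the constructed sample."""
    return urlencode({"wa": WSFED_SIGNIN, "wresult": SAMPLE_WRESULT, "wctx": wctx})

def simulate_roundtrip():
    """Whole exchange: RP starts sign-in, browser returns with the posted token."""
    pending = set()
    wctx = secrets.token_urlsafe(16)          # opaque, session-bound, single use
    pending.add(wctx)
    url = build_signin_url(STS_ENDPOINT, RP_REALM, RP_REPLY, wctx)
    # ...browser follows url, authenticates (e.g. Windows Integrated) at the STS...
    result = parse_signin_response(sample_form_body(wctx), pending)
    return url, result

if __name__ == "__main__":
    url, result = simulate_roundtrip()
    print(url)
    print(result["assertion_id"])
```

Treating wctx as an opaque, single-use value bound to the session is this example's choice; WS-Federation only defines it as context the STS echoes back unchanged, which is exactly what makes it usable to tie the returned token to the sign-in the relying party actually started.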
  • Something lost, something gained…
    What about passwords?
    What about deprovisioning?
  • Liberty Alliance Results…
    ADFS 2 SAML 2.0 Interop Testing with Entrust, IBM, Novell, Ping, SAP, Siemens
    IdP Lite
    SP Lite
    EGov 1.5
    Matrix testing results:http://www.projectliberty.org/liberty/liberty_interoperable/implementations/saml_2_0_test_procedure_v3_2_2_full_matrix_implementation_table_q309/
  • If you remember nothing else but this…
  • I want the integrity of your users’ identity information when they access my resources…
  • …to be at least as good…
  • as the integrity of your users’ identity information when they access your resources.
  • AD FS 2.0 Availability, Pricing
    AD FS components are Windows components
    No additional server software costs
    …but it’s all about the apps!
    AD FS v2 (was “Geneva”)
    Release Candidate Available Now
    RTM…“Soon”
    Windows Identity Foundation
    .NET Developer Platform
    Free Download
    Available now!
  • AD Cookbook, 3rd Edition
    Best selling Active Directory title
    What’s New?
    Windows Server 2008 coverage:
    Read Only Domain Controllers (RODCs)
    Fine Grained Password Policies (FGPPs)
    Exchange 2007 integration & scripting
    Identity Lifecycle Manager 2007
    Windows PowerShell & Active Directory .NET programming
    New user interface features
    Always more than one way!
    Learn More! http://oreilly.com/catalog/9780596521103/
  • Thank You!
    mailto: laura.hunter@lhaconsulting.com
    blog: http://www.shutuplaura.com
    twitter: @adfskitteh