
Adfs Shib Interop Um Oxford



  1. Active Directory Federation Services Cross-Platform Interoperability: Windows Live@Edu – ADFS/Shibboleth
  2. Agenda
     - Introduction
     - Project Background: Missouri, Oxford & Microsoft
     - Things we'll cover: Overview of Technologies; ADFS/Shibboleth Interoperability Demos
  3. Project Background
     - Based on OCG White Paper: Achieving interoperability between Active Directory Federation Services (ADFS) and Shibboleth
     - Demonstrate interoperability between ADFS and the Shibboleth System 1.3c release, using the ADFS plug-in for SAML 1.1 Identity and Service Providers
     - Support for the WS-Federation Passive Requestor Interoperability Profile
     - Demonstrate interoperability with sample applications: Microsoft Office SharePoint Server 2007 and Windows Live IDs
  4. Technology Overview: Shibboleth
     - Standards-based, open source middleware software
     - Project of Internet2/MACE (Middleware Architecture Committee for Education); Internet2 is a U.S. advanced networking consortium led by the education and research community (universities, partners, laboratories, government agencies, etc.)
     - URL:
     - Implements the OASIS SAML v1.1 specification
     - December 2005: extension for ADFS support is developed; implemented in Shibboleth versions 1.3c and later
     - Platforms include UNIX (Solaris, etc.), Linux (Fedora, Ubuntu, etc.), Mac OS X
  5. Show of Hands
     - How many schools have a web SSO? How many use CAS? Pubcookie? Something else?
     - How many have Shibboleth? How many have ADFS?
     - How many run a web SSO and Shib or ADFS? Does anyone run both ADFS and Shib?
  6. Project Credits
     - Project Sponsors: Walter Harp, Microsoft Corporation; John DuBois, Microsoft Corporation
     - Credits and Contributions: Ryan Woodsmall, University of Missouri; Brian Dourty, University of Missouri; Edward D. McKinzie, University of Missouri; Bryan W. Roesslet, University of Missouri; Randy Wiemer, University of Missouri; Chris Calderon, Oxford Computer Group; Jim Muir, Oxford Computer Group
  7. Technology Overview: Active Directory Federation Services (ADFS)
     - First introduced in Windows Server 2003 R2 to provide "Identity Federation": projecting user identity from a single logon, providing single-identity-based entitlements, connecting islands (across security, organizational or platform boundaries)
     - Result: web single sign-on and simplified identity management
     - Web Services and WS-* Security Standards: specifically implements the WS-Federation and WS-Federation Passive Requestor Profile specifications
  8. Language Translation
  9. Demonstration Overview: Establishing federated interoperability between ADFS (Relying Party) and Shibboleth (Identity Provider)
     - Demonstration 1: User will access a sample Claims App that displays the set of claims associated with that user.
     - Demonstration 2: User will access the MOSS 2007 Extranet Portal.
  10. Configuration Details: ADFS Configuration Policy Requirements
      - Federation Service URI: uniquely identifies a federated partner
      - Federation Service endpoint URL: the URL to which partner organizations send requests and responses
      - Token Signing Certificate: the Relying Party requires the signing certificate used by the Identity Provider to digitally sign message exchanges
      - ADFS Management Console: the primary console for administrative management of Account Partners (Identity Providers)
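As an added example (not from the deck, and not ADFS or Shibboleth code), the check below applies the first two policy items, Federation Service URI and Federation Service endpoint URL, to an incoming WS-Federation passive sign-in request: only a registered `wtrealm` is accepted, and a `wreply` is accepted only if it sits under that partner's registered endpoint, so a token is never posted to an unregistered reply URL. The partner URI and endpoint are hypothetical values.

```python
"""Validate a WS-Federation passive requestor sign-in request against a
partner trust policy (Federation Service URI -> endpoint URL), using only
the standard library."""
from urllib.parse import urlparse, parse_qs

# Hypothetical trust policy, mirroring the ADFS policy entries on the slide:
# Federation Service URI (wtrealm) -> Federation Service endpoint URL.
PARTNERS = {
    "urn:federation:rp.example.edu": "https://rp.example.edu/adfs/ls/",
}


def is_under(candidate, base):
    """True if candidate is an https URL on the same host as base whose
    path starts with base's path (base ends with '/', so '/adfs/ls' alone
    or a userinfo-tricked host is rejected)."""
    c, b = urlparse(candidate), urlparse(base)
    return (c.scheme == "https"
            and c.netloc == b.netloc
            and c.path.startswith(b.path))


def validate_signin_request(url):
    """Return (ok, reason) for a WS-Federation passive sign-in URL.

    wa must be wsignin1.0, wtrealm must name a partner in PARTNERS, and
    wreply (optional; defaults to the registered endpoint) must be under
    that endpoint."""
    qs = parse_qs(urlparse(url).query)
    if qs.get("wa") != ["wsignin1.0"]:
        return False, "unsupported or missing wa"
    realm = qs.get("wtrealm", [None])[0]
    endpoint = PARTNERS.get(realm)
    if endpoint is None:
        return False, "unknown wtrealm (no trust policy for this partner)"
    wreply = qs.get("wreply", [endpoint])[0]
    if not is_under(wreply, endpoint):
        return False, "wreply outside the registered endpoint URL"
    return True, "token may be posted to " + wreply


if __name__ == "__main__":
    # Constructed request: the RP named by wtrealm is in the trust policy.
    good = ("https://idp.example.edu/shibboleth-idp/ADFS?wa=wsignin1.0"
            "&wtrealm=urn:federation:rp.example.edu&wctx=ctx123")
    print(validate_signin_request(good))
```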
  11. Configuration Details: Shibboleth Configuration Requirements
      - XML Metadata: trust policy configuration
      - idp.xml (the main configuration file for the identity provider): configures the Shibboleth ADFS extension; provides key information for relying parties; adds reference mapping support for identity claims (e.g. MS UPNs); adds the XML attribute namespace= to attribute definitions in resolver.xml for any attributes that should be sent to ADFS providers
      - resolver.xml (attribute extraction): defines the connection to the attribute store
      - Attribute release policy: defines which attributes are available to relying parties; controls (permits/denies) attribute release rules
  12. Demonstration Overview: Windows Live ID/Passport Interoperability
      - Demonstration 3: User accesses Windows Live@edu; the WLID is passed through claims to generate an SLT. The Identity Provider (IdP) acts as the Windows Live account store.
  13. Configuration Details: Windows Live ID Interoperability
      - WLID short-lived tokens (SLTs) can be used to further extend SSO into web applications.
      - Benefits: Windows Live ID users can access resources typically available only to AD accounts (SharePoint sites, etc.); applications do not need to implement any Windows Live ID code; single account management (instead of AD and Windows Live)
  14. Summary
      - Successfully demonstrated the interoperability between ADFS and Shibboleth: straightforward configurations; no special software or customization required by either party
      - Language translation (understanding how the components of each technology relate)
      - Lessons learned: federating with Windows Live IDs; Microsoft Office SharePoint Server 2007 compatibility