
Adfs 2 & claims based identity


Laura E. Hunter

Published in: Technology


  1. AD FS 2 & Claims-Based Identity
     Laura E. Hunter
     Identity Lady, AD FS Zealot
     laura.hunter@lhaconsulting.com
     http://www.shutuplaura.com
     @adfskitteh
  2. The Problem? We Lack a Consistent Identity Layer for Applications
  3. The Result? Hard-coded dependencies, “Continuous Wheel Re-Invention”, Resistance to Change
  4. LDAP://dc1.bigfirm.com/ou=FTEs,dc=bigfirm,dc=com
  5. filter = (&(objectClass=user)(|(sn=*smith*)(displayName=*smith*)(givenName=*smith*)(cn=*smith*)))
  6. How many different ways can you authenticate to an app?
  7. Managing Application Identity – First Principles
     1. Identify the Caller
     2. Extract Information for AuthZ & Personalization
  8. Windows Integrated Authentication
     Does Active Directory work everywhere?
  9. (no text extracted)
  10. (no text extracted)
  11. What’s the Solution?
  12. So What’s a Claim?
      “I am a member of the Marketing group”
      “My email address is …”
      “I am over 21 years of age”
      Populated using information from AD/ADAM/ADLDS, SQL
      Expressed using the SAML format
  13. <saml:Assertion AssertionID="..." IssueInstant="2006-07-11T03:15:40Z" Issuer="https://adatum-dc1.adatum.com">
      <saml:Conditions NotBefore="2006-07-11T03:15:40Z" NotOnOrAfter="2006-07-11T04:15:40Z">
      <saml:Audience>https://contoso-dc1.contoso.com</saml:Audience>
      <saml:AuthenticationStatement AuthenticationInstant="2006-07-11T03:15:40Z" AuthenticationMethod="urn:federation:authentication:windows">
      <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">adamcar@adatum.com</saml:NameIdentifier>
      <saml:Attribute AttributeName="Group">
      <saml:AttributeValue>Administrators</saml:AttributeValue>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">ab315cdff14d</Signature>
      </saml:Assertion>
      Abridged SAML Token (Don’t Squint, Just Get the Big Idea!)
  14. AD FS is all about the apps!
  15. Standards-based: WS-Federation, WS-Trust, SAML 2.0
      Use cases: WebSSO, Web Services (WCF)
      What is this… “claims-aware” application of which you speak?
  16. What Can I do with this?
  17. Application Access in a Single Org
  18. Federated Application Access
      Account Partner (ADATUM): A. Datum Account Forest
      Resource Partner (CONTOSO): Trey Research Resource Forest
      Federation Trust
  19. SSO to Service Providers
  20. Cloudy with a Chance of Federation
  21. So what does it look like?
  22. WS-Fed Passive Profile
      Account Partner (Users): A. Datum Account Forest
      Resource Partner (Resource): Trey Research Resource Forest
      Federation Trust
  23. Something lost, something gained…
      What about passwords?
      What about deprovisioning?
  24. Liberty Alliance Results…
      ADFS 2 SAML 2.0 Interop Testing with Entrust, IBM, Novell, Ping, SAP, Siemens
      IdP Lite, SP Lite, EGov 1.5
      Matrix testing results: http://www.projectliberty.org/liberty/liberty_interoperable/implementations/saml_2_0_test_procedure_v3_2_2_full_matrix_implementation_table_q309/
  25. (no text extracted)
  26. If you remember nothing else but this…
  27. I want the integrity of your users’ identity information when they access my resources…
  28. …to be at least as good…
  29. as the integrity of your users’ identity information when they access your resources.
  30. AD FS 2.0 Availability, Pricing
      AD FS components are Windows components; no additional server software costs
      …but it’s all about the apps!
      AD FSv2 (was “Geneva”): Release Candidate Available Now; RTM… “Soon”
      Windows Identity Foundation: .NET Developer Platform; Free Download; Available now!
  31. AD Cookbook, 3rd Edition
      Best selling Active Directory title
      What’s New? Windows Server 2008 coverage:
      Read Only Domain Controllers (RODCs)
      Fine Grained Password Policies (FGPPs)
      Exchange 2007 integration & scripting
      Identity Lifecycle Manager 2007
      Windows PowerShell & Active Directory .NET programming
      New user interface features
      Always more than one way!
      Learn More! http://oreilly.com/catalog/9780596521103/
  32. Thank You!
      mailto: laura.hunter@lhaconsulting.com
      blog: http://www.shutuplaura.com
      twitter: @adfskitteh
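Slide 5 shows the kind of LDAP filter that ends up hard-coded in applications. The risk a defender cares about is what happens when the `*smith*` fragment comes from a user: any `*`, `(`, `)` or `\` in the input changes the structure of the filter instead of being matched literally. The following is an added example, not code from the deck or from AD FS; it builds the slide's filter with RFC 4515 escaping applied to the search term. The function names, the naive-versus-hardened comparison and the sample terms are assumptions made for the example.

```python
"""Escape untrusted input before it goes into an LDAP search filter.

Added example, not from the slide deck.  The filter shape is the one on
slide 5; the function names and the sample search terms are assumptions.
"""

# RFC 4515 escape sequences for the characters that have meaning in a filter.
# Backslash is handled first so the escapes we add are not re-escaped.
_LDAP_ESCAPES = [
    ("\\", "\\5c"),
    ("*", "\\2a"),
    ("(", "\\28"),
    (")", "\\29"),
    ("\x00", "\\00"),
]


def escape_ldap_filter_value(value: str) -> str:
    """Return `value` with RFC 4515 filter metacharacters escaped."""
    for raw, escaped in _LDAP_ESCAPES:
        value = value.replace(raw, escaped)
    return value


def naive_name_search_filter(term: str) -> str:
    """The hard-coded pattern from the slide with the term pasted in unescaped.

    Kept here only to contrast with the hardened version: a term containing
    filter metacharacters rewrites the query instead of being matched.
    """
    return (
        "(&(objectClass=user)"
        f"(|(sn=*{term}*)(displayName=*{term}*)(givenName=*{term}*)(cn=*{term}*)))"
    )


def build_name_search_filter(term: str) -> str:
    """Hardened version: the wildcards are ours, the term is escaped.

    Any '*', parentheses or backslashes the caller supplies now match
    literally and cannot change the boolean structure of the filter.
    """
    safe = escape_ldap_filter_value(term)
    return (
        "(&(objectClass=user)"
        f"(|(sn=*{safe}*)(displayName=*{safe}*)(givenName=*{safe}*)(cn=*{safe}*)))"
    )


def filter_is_balanced(ldap_filter: str) -> bool:
    """Cheap structural sanity check: unescaped parentheses balance to zero.

    Escaped parentheses appear as \\28 / \\29 and are ignored by this walk.
    """
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    for term in ("smith", "smith)", "o*brien"):
        print("naive   :", naive_name_search_filter(term), filter_is_balanced(naive_name_search_filter(term)))
        print("hardened:", build_name_search_filter(term), filter_is_balanced(build_name_search_filter(term)))
```

The balance check is not a substitute for escaping (a crafted term can keep the parentheses balanced while still altering the filter); it is a quick assertion to put in front of a directory call so that an unbalanced filter is rejected in the application rather than reported by the LDAP server. Escaping at the point where the value enters the filter is what actually removes the ambiguity.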
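Slide 13's abridged token shows the parts of a SAML assertion a relying party has to check before it trusts the claims inside: who issued it, whom it was issued for (Audience), and the validity window (NotBefore / NotOnOrAfter). The following is an added example, not code from the deck or from AD FS, that runs those checks over a constructed assertion modelled on the slide's values (issuer adatum, audience contoso, the UPN and Group claims). The SAML 1.x namespace, the five-minute clock skew, the trust policy and every function name are assumptions for the example; signature verification is deliberately left out (see the comment in the code).

```python
"""Validate the Conditions of a SAML 1.1-style assertion before using its claims.

Added example, not from the slide deck or from AD FS.  The sample assertion
is constructed to mirror the abridged token on slide 13; the namespace,
skew, trust policy and helper names are assumptions.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.x assertion namespace (assumption)
NS = {"saml": SAML_NS}

TRUSTED_ISSUERS = {"https://adatum-dc1.adatum.com"}  # the account partner (slide's ADATUM)
MY_AUDIENCE = "https://contoso-dc1.contoso.com"      # this resource partner (slide's CONTOSO)

# Constructed sample assertion, modelled on the slide's abridged token.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" AssertionID="_sample-1"
    IssueInstant="2006-07-11T03:15:40Z" Issuer="https://adatum-dc1.adatum.com">
  <saml:Conditions NotBefore="2006-07-11T03:15:40Z" NotOnOrAfter="2006-07-11T04:15:40Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://contoso-dc1.contoso.com</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2006-07-11T03:15:40Z"
      AuthenticationMethod="urn:federation:authentication:windows">
    <saml:Subject>
      <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">adamcar@adatum.com</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>Administrators</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _parse_time(value: str) -> datetime:
    """SAML timestamps are UTC xs:dateTime values ending in Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, my_audience, now, skew=timedelta(minutes=5)):
    """Return (ok, reason, claims); claims is {name: [values]} only when ok.

    Order matters: in a real relying party the XML-DSig signature is verified
    against the partner's token-signing certificate BEFORE any of these
    checks, because nothing below can be trusted until integrity is known.
    That step is omitted here (the slide abbreviates the signature too).
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return False, "not a SAML assertion", {}
    issuer = root.get("Issuer")
    if issuer not in trusted_issuers:
        return False, f"untrusted issuer {issuer!r}", {}
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", {}
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    # Tolerate a small clock difference between the two federation servers.
    if now + skew < not_before:
        return False, "assertion not yet valid", {}
    if now - skew >= not_on_or_after:
        return False, "assertion expired", {}
    audiences = [(a.text or "").strip() for a in cond.findall(".//saml:Audience", NS)]
    if my_audience not in audiences:
        return False, f"audience {audiences} does not include this relying party", {}
    claims = {}
    name_id = root.find(".//saml:NameIdentifier", NS)
    if name_id is not None:
        claims[name_id.get("Format")] = [(name_id.text or "").strip()]
    for attr in root.findall(".//saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("AttributeName"), []).extend(values)
    return True, "ok", claims


def validate_sample_at(now_iso: str, audience: str = MY_AUDIENCE):
    """Run the constructed sample through validate_assertion as seen at `now_iso`."""
    return validate_assertion(SAMPLE_ASSERTION, TRUSTED_ISSUERS, audience, _parse_time(now_iso))


if __name__ == "__main__":
    for when in ("2006-07-11T03:30:00Z", "2006-07-11T05:00:00Z", "2006-07-11T03:00:00Z"):
        print(when, validate_sample_at(when))
    print("wrong audience:", validate_sample_at("2006-07-11T03:30:00Z", "https://fabrikam.example/app"))
```

The audience check is the one most often skipped in home-grown relying parties, and it is the one that keeps a token minted for one application from being replayed at another application that trusts the same issuer. The claims dictionary returned on success is what the application should consume for authorization and personalization, which is exactly the two "first principles" on slide 7.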
