
Adfs 2 & claims based identity


Laura E. Hunter

Published in: Technology


  1. AD FS 2 & Claims-Based Identity
     Laura E. Hunter
     Identity Lady, AD FS Zealot
     laura.hunter@lhaconsulting.com
     http://www.shutuplaura.com
     @adfskitteh
  2. The Problem? We Lack a Consistent Identity Layer for Applications
  3. The Result? Hard-coded dependencies, “Continuous Wheel Re-Invention”, Resistance to Change
  4. LDAP://dc1.bigfirm.com/ou=FTEs,dc=bigfirm,dc=com
  5. filter = (&(objectClass=user)(|(sn=*smith*)(displayName=*smith*)(givenName=*smith*)(cn=*smith*)))
  6. How many different ways can you authenticate to an app?
  7. Managing Application Identity – First Principles
     1. Identify the Caller
     2. Extract Information for AuthZ & Personalization
  8. Windows Integrated Authentication
     Does Active Directory work everywhere?
  11. What’s the Solution?
  12. So What’s a Claim?
     “I am a member of the Marketing group”
     “My email address is …”
     “I am over 21 years of age”
     Populated using information from
     AD/ADAM/ADLDS
     SQL
     Expressed using the SAML format
  13. Abridged SAML Token (Don’t Squint, Just Get the Big Idea!)

```xml
<saml:Assertion AssertionID="..." IssueInstant="2006-07-11T03:15:40Z" Issuer="https://adatum-dc1.adatum.com">
<saml:Conditions NotBefore="2006-07-11T03:15:40Z" NotOnOrAfter="2006-07-11T04:15:40Z">
<saml:Audience>https://contoso-dc1.contoso.com</saml:Audience>
<saml:AuthenticationStatement AuthenticationInstant="2006-07-11T03:15:40Z" AuthenticationMethod="urn:federation:authentication:windows">
<saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">adamcar@adatum.com</saml:NameIdentifier>
<saml:Attribute AttributeName="Group">
<saml:AttributeValue>Administrators</saml:AttributeValue>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">ab315cdff14d</Signature>
</saml:Assertion>
```
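Slides 7 and 13 together describe what a claims-aware application actually does with a token: identify the caller and pull out the information it needs for authorization, but only after checking that the assertion is one it should trust. The code below is an added example, not part of the deck: it validates a constructed SAML 1.x assertion (modelled on the abridged token above) against a trusted issuer, its validity window and its Audience, then extracts the UPN and Group claims. It assumes the XML-DSig signature has already been verified by a proper XML-DSig library before this step; the function name `extract_claims` and the sample token are assumptions for illustration.

```python
# Added example, not from the slides: a relying party validates a SAML 1.x
# assertion's Issuer, validity window and Audience before trusting its claims,
# then extracts the claims it needs for AuthZ and personalization. Assumes the
# XML-DSig signature was already verified by a proper library (not shown).
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
# Constructed sample token, modelled on the abridged assertion in the slides.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    AssertionID="_constructed-1" IssueInstant="2006-07-11T03:15:40Z"
    Issuer="https://adatum-dc1.adatum.com">
  <saml:Conditions NotBefore="2006-07-11T03:15:40Z" NotOnOrAfter="2006-07-11T04:15:40Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://contoso-dc1.contoso.com</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2006-07-11T03:15:40Z"
      AuthenticationMethod="urn:federation:authentication:windows">
    <saml:Subject>
      <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">adamcar@adatum.com</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>Administrators</saml:AttributeValue>
      <saml:AttributeValue>Marketing</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
def _ts(value):  # SAML timestamps are UTC with a trailing "Z"
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def extract_claims(xml_text, trusted_issuer, my_audience, now_utc):
    """Return (True, {"upn": ..., "groups": [...]}) when the token may be
    trusted by this relying party, otherwise (False, reason)."""
    root = ET.fromstring(xml_text)
    if root.get("Issuer") != trusted_issuer:
        return False, "untrusted issuer"
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    now = _ts(now_utc)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "outside validity window"
    if my_audience not in [a.text.strip() for a in cond.iterfind(".//saml:Audience", NS)]:
        return False, "not issued for this audience"
    upn = root.find(".//saml:NameIdentifier", NS).text.strip()
    groups = [v.text.strip() for v in root.iterfind(
        ".//saml:Attribute[@AttributeName='Group']/saml:AttributeValue", NS)]
    return True, {"upn": upn, "groups": groups}
```

The same token is rejected outright when presented to a different audience or outside its one-hour window, which is the "integrity of your users' identity information" the closing slides talk about.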
  14. AD FS is all about the apps!
  15. What is this… “claims-aware” application of which you speak?
     Standards-based:
     WS-Federation
     WS-Trust
     SAML 2.0
     Use cases:
     WebSSO
     Web Services (WCF)
  16. What Can I Do with This?
  17. Application Access in a Single Org
  18. Federated Application Access
     Account Partner (ADATUM) – A. Datum Account Forest
     Resource Partner (CONTOSO) – Trey Research Resource Forest
     Federation Trust
  19. SSO to Service Providers
  20. Cloudy with a Chance of Federation
  21. So what does it look like?
  22. WS-Fed Passive Profile
     Account Partner (Users) – A. Datum Account Forest
     Resource Partner (Resource) – Trey Research Resource Forest
     Federation Trust
  23. Something lost, something gained…
     What about passwords?
     What about deprovisioning?
  24. Liberty Alliance Results…
     ADFS 2 SAML 2.0 Interop Testing with Entrust, IBM, Novell, Ping, SAP, Siemens
     IdP Lite
     SP Lite
     EGov 1.5
     Matrix testing results: http://www.projectliberty.org/liberty/liberty_interoperable/implementations/saml_2_0_test_procedure_v3_2_2_full_matrix_implementation_table_q309/
  26. If you remember nothing else but this…
  27. I want the integrity of your users’ identity information when they access my resources…
  28. …to be at least as good…
  29. as the integrity of your users’ identity information when they access your resources.
  30. AD FS 2.0 Availability, Pricing
     AD FS components are Windows components
     No additional server software costs
     …but it’s all about the apps!
     AD FS v2 (was “Geneva”)
     Release Candidate Available Now
     RTM… “Soon”
     Windows Identity Foundation
     .NET Developer Platform
     Free Download
     Available now!
  31. AD Cookbook, 3rd Edition
     Best-selling Active Directory title
     What’s New?
     Windows Server 2008 coverage:
     Read Only Domain Controllers (RODCs)
     Fine Grained Password Policies (FGPPs)
     Exchange 2007 integration & scripting
     Identity Lifecycle Manager 2007
     Windows PowerShell & Active Directory .NET programming
     New user interface features
     Always more than one way!
     Learn More! http://oreilly.com/catalog/9780596521103/
  32. Thank You!
     mailto: laura.hunter@lhaconsulting.com
     blog: http://www.shutuplaura.com
     twitter: @adfskitteh
