AD FS 2 & Claims-Based Identity provides a consistent identity layer across applications by extracting identity information from Active Directory and other sources and expressing it as standardized claims. This allows applications to authenticate users once via AD FS and receive attributes about the user, without the applications needing direct access to identity stores. Claims can include group memberships, email address, or any other identity attributes that can be used for authorization and personalization. AD FS supports web single sign-on, web services, and "claims-aware" applications via standards like WS-Federation, SAML 2.0, and can federate identity across organizations.

1. AD FS 2 & Claims-Based IdentityLaura E. HunterIdentity Lady, AD FS Zealotlaura.hunter@lhaconsulting.comhttp://www.shutuplaura.com@adfskitteh

2. The Problem? We Lack a Consistent Identity Layer for Applications

3. The Result?Hard-coded dependencies, “Continuous Wheel Re-Invention”Resistance to Change

4. LDAP://dc1.bigfirm.com/ou=FTEs,dc=bigfirm,dc=com

5. filter = ((&(objectClass=user)(|(sn=*smith*)(displayName=*smith*)(givenName=*smith*)(cn=*smith*))))

6. How many different ways can you authenticate to an app?

7. Managing Application Identity – First Principles1. Identify the Caller2. Extract Information for AuthZ & Personalization

8. Windows Integrated AuthenticationDoes Active Directory work everywhere?

11. What’s the Solution?

12. So What’s a Claim?“I am a member of the Marketing group”“My email address is …”“I am over 21 years of age”Populated using information fromAD/ADAM/ADLDSSQLExpressed using the SAML format

13. <saml:AssertionAssertionID="..." IssueInstant="2006-07-11T03:15:40Z" Issuer=“https://adatum-dc1.adatum.com“><saml:ConditionsNotBefore="2006-07-11T03:15:40Z" NotOnOrAfter="2006-07-11T04:15:40Z"><saml:Audience> https://contoso-dc1.contoso.com </saml:Audience><saml:AuthenticationStatementAuthenticationInstant="2006-07-11T03:15:40Z" AuthenticationMethod="urn:federation:authentication:windows"><saml:NameIdentifierFormat="http://schemas.xmlsoap.org/claims/UPN">adamcar@adatum.com</saml:NameIdentifier><saml:AttributeAttributeName="Group”<saml:AttributeValue> Administrators</saml:AttributeValue><Signaturexmlns="http://www.w3.org/2000/09/xmldsig#"> ab315cdff14d</Signature></saml:Assertion>Abridged SAML Token(Don’t Squint, Just Get the Big Idea!)

14. AD FS is all about the apps!

15. Standards-based:WS-FederationWS-TrustSAML 2.0Use cases:WebSSOWeb Services (WCF)What is this…“claims-aware” application of which you speak?

16. What Can I do with this?

17. Application Access in a Single Org

18. Account Partner(ADATUM)Resource Partner(CONTOSO)A. DatumAccount ForestTrey ResearchResource ForestFederation TrustFederated Application Access

19. SSO to Service Providers

20. Cloudy with a Chance of Federation

21. So what does it look like?

22. WS-Fed Passive ProfileAccount Partner(Users)Resource Partner(Resource)A. DatumAccount ForestTrey ResearchResource ForestFederation Trust

23. Something lost, something gained…What about passwords?What about deprovisioning?

24. Liberty Alliance Results…ADFS 2 SAML 2.0 Interop Testing with Entrust, IBM, Novell, Ping, SAP, SiemensIdP LiteSP LiteEGov 1.5Matrix testing results:http://www.projectliberty.org/liberty/liberty_interoperable/implementations/saml_2_0_test_procedure_v3_2_2_full_matrix_implementation_table_q309/

26. If you remember nothing else but this…

27. I want the integrity of yourusers’ identity information when they access myresources…

28. …to be at least as good…

29. as the integrity of yourusers’ identity information when they access yourresources.

30. AD FS components are Windows componentsNo additional server software costs…but it’s all about the apps!AD FSv2 (was “Geneva”)Release Candidate Available NowRTM…“Soon”Windows Identity Foundation.NET Developer PlatformFree DownloadAvailable now!AD FS 2.0 Availability, Pricing

31. AD Cookbook, 3rd EditionBest selling Active Directory titleWhat’s New?Windows Server 2008 coverage: Read Only Domain Controllers (RODCs)Fine Grained Password Policies (FGPPs)Exchange 2007 integration & scriptingIdentity Lifecycle Manager 2007Windows PowerShell & Active Directory .NET programmingNew user interface features Always more than one way!Learn More! http://oreilly.com/catalog/9780596521103/

32. Thank You!mailto: laura.hunter@lhaconsulting.comblog: http://www.shutuplaura.comtwitter: @adfskitteh