03-Federation Gateway Service


8/14/2019 03-Federation Gateway Service

Overview: The Federation Gateway

Goal: Allow users to sign in to online services with familiar credentials from any third-party domain.

Solution: The Federation Gateway Service uses open standards to implement a secure trust relationship between

Seamless sign-in to any Live ID service: The Microsoft Federation Gateway service enables seamless S

Standards-based, cross-platform identity federation: Live ID Federation uses open standards.
- Identity Providers (partner organizations) can use any identity store, such as Active Directory.
- Resource Providers (application hosters & developers) can use the proven Live ID

How Federated Sign-In Works

1. One-time setup of federation: provision the trust relationship and install a federation server on the corporate domain.
2. User browses to a service that uses Live ID: the user browses to a site like mail.live.com or crm.dynamics.com.
3. User authenticates on the partner's login server: the partner's server does the authentication, then redirects to Microsoft's federation gateway.
4. Federation Gateway redirects to the target service and the user is signed in: the Federation Gateway sends the user to the target service.

Architecture diagram: the Microsoft Federation Gateway sits between identity providers and services. Identity Provider: Login UI (username/password, CardSpace, Sign-In Assistant, token), Signup UI, RPS, WebAuth. Organization 1 is running Active Directory and uses the MSC to access online services through a Federation Server (Active Directory; WS-Trust and WS-Fed to the gateway). Organization 2 is not running Active Directory but federates its identity provider (Federation Server over a Custom Identity Store) with the Microsoft Federation Gateway. Clients: PC (Windows), Mobile Device (???), Microsoft Outlook, Windows Live 1st-party apps, Custom Application, Browser. Services: Microsoft-provided cloud-based APIs, 3rd-party services, Microsoft Services, consumer Microsoft services, CRM, Strata (WS-Trust).

Federation Gateway Service in Action (using Dynamics CRM Online as an example)

1. The user signs in as [email protected].
2. Live ID detects that fabrikam2.com is a federated domain and redirects to the domain's auth server.
3. The user's domain handles authentication ([email protected], password *************).
4. The user is seamlessly signed in to any service using Live ID.

Setup and Configuration

Two ways to set up federation: manual setup, or the Microsoft Services Connector.
- Manual setup
- Microsoft Services Connector: automatically provisions federation and sets up an authentication server; see the detailed decks on the

An organization that wants to establish a federated partner relationship should work with Windows Live ID to:
- Set up a written business agreement.
- Take certain industry-standard security measures.

Federation partner details:
- Logout URL
- Partner URL
- X.509 token signing certificate
- Partner friendly name

Necessary URL: this will be in a WS-Federation metadata document hosted by SSL. Provided separately to each partner.
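The setup slides say the partner's URL comes from a WS-Federation metadata document hosted over SSL, and that the gateway also needs the partner's X.509 token-signing certificate and friendly name; the walkthrough shows Live ID detecting that fabrikam2.com is a federated domain and redirecting the user to that domain's sign-in server. The Python below is an added example (not code from the deck or from Microsoft) that parses such a metadata document into exactly those trust parameters, rejects documents that were not fetched over https or that carry no signing certificate, and does the home-realm lookup that decides whether a user is redirected to a partner. The sample metadata, the sts.fabrikam2.com hostname, the certificate value and the e-mail addresses are constructed; the XML namespaces are the standard WS-Federation/SAML-metadata ones.

```python
# Added example: WS-Federation metadata -> partner trust record, plus home-realm lookup.
# Hostnames, certificate text and e-mail addresses below are constructed sample values.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Namespaces used by WS-Federation metadata (SAML metadata, fed, xmldsig, WS-Addressing, xsi).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}


class MetadataError(ValueError):
    """Raised when a metadata document cannot be accepted as a partner trust record."""


@dataclass(frozen=True)
class PartnerTrust:
    friendly_name: str
    entity_id: str
    partner_url: str                # passive-requestor sign-in endpoint users are redirected to
    signing_certs: Tuple[str, ...]  # base64 DER X.509 certs accepted for token signatures


def parse_partner_metadata(xml_text: str, friendly_name: str, source_url: str) -> PartnerTrust:
    """Extract partner URL and signing certificate(s) from a WS-Federation metadata document.

    source_url is where the document was fetched from; the deck requires the document
    to be hosted by SSL, so a non-https source is rejected before anything is parsed.
    """
    if urlsplit(source_url).scheme != "https":
        raise MetadataError("metadata must be fetched over SSL/TLS")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise MetadataError("not a SAML/WS-Fed EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise MetadataError("missing entityID")
    # The partner's identity provider is the RoleDescriptor typed as a security token service.
    sts = None
    for rd in root.findall("md:RoleDescriptor", NS):
        if rd.get("{%s}type" % NS["xsi"], "").endswith("SecurityTokenServiceType"):
            sts = rd
            break
    if sts is None:
        raise MetadataError("no SecurityTokenServiceType role")
    addr = sts.find("fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
    if addr is None or not (addr.text or "").strip():
        raise MetadataError("no PassiveRequestorEndpoint")
    partner_url = (addr.text or "").strip()
    if urlsplit(partner_url).scheme != "https":
        raise MetadataError("partner sign-in URL must be https")
    # Only keys usable for signing may verify tokens; a KeyDescriptor with no 'use' covers both uses.
    certs = []
    for kd in sts.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))  # drop PEM-style line wrapping
    if not certs:
        raise MetadataError("no token-signing certificate")
    return PartnerTrust(friendly_name, entity_id, partner_url, tuple(certs))


def accepts_metadata(xml_text: str, friendly_name: str, source_url: str) -> bool:
    """True if the document yields a usable trust record, False if it is rejected."""
    try:
        parse_partner_metadata(xml_text, friendly_name, source_url)
        return True
    except (MetadataError, ET.ParseError):
        return False


def home_realm(registry: Dict[str, PartnerTrust], user_id: str) -> Optional[str]:
    """Return the partner sign-in URL if the user's domain is federated, else None
    (None means Live ID authenticates the user itself)."""
    if user_id.count("@") != 1:
        return None  # refuse ambiguous identifiers rather than guess the domain
    domain = user_id.rsplit("@", 1)[1].strip().lower()
    trust = registry.get(domain)
    return trust.partner_url if trust else None


# Constructed sample metadata for the fabrikam2.com domain used in the deck's walkthrough.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="http://sts.fabrikam2.com/federation">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIICCONSTRUCTED SAMPLECERT==
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <fed:PassiveRequestorEndpoint><wsa:EndpointReference>
      <wsa:Address>https://sts.fabrikam2.com/federation/</wsa:Address>
    </wsa:EndpointReference></fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""
SAMPLE_SOURCE_URL = "https://sts.fabrikam2.com/FederationMetadata/2007-06/FederationMetadata.xml"

if __name__ == "__main__":
    trust = parse_partner_metadata(SAMPLE_METADATA, "Fabrikam2", SAMPLE_SOURCE_URL)
    registry = {"fabrikam2.com": trust}
    print(trust)
    print(home_realm(registry, "user@fabrikam2.com"))  # partner sign-in URL
    print(home_realm(registry, "user@example.com"))    # None: not a federated domain
```

The registry keyed by e-mail domain is the gateway-side counterpart of the "federated domain" check in the walkthrough; a real deployment would also pin the accepted certificates to the ones exchanged during the manual setup rather than trusting whatever the metadata document lists.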

More Information

- Live ID on dev.live.com: http://dev.live.com/liveid/
- Live ID Federation white paper: http://msdn.microsoft.com/en-us/library/cc287610.aspx