sivadon-chaisiri
8/14/2019 03-Federation Gateway Service
Overview: The Federation Gateway
Goal: Allow users to sign in to online services with familiar credentials from any third-party domain
Solution: The Federation Gateway Service uses open standards to implement a secure trust relationship between
Seamless Sign-in to any Live ID service
The Microsoft Federation Gateway service enables seamless S
Standards-based, cross-platform identity federation: Live ID Federation uses open standards
Identity Providers (partner organizations) can use any identity store Active Directory
Resource Providers: Resource providers (application hosters & developers) can use the proven Live ID
How Federated Sign In Works
1. One-time setup of federation: Provision trust relationship. Install a federation server on corporate domain
2. User browses to a service that uses Live ID: The user browses to a site like mail.live.com or crm.dynamics.com
3. User authenticates on the partner's login server: Partner's server does authentication then redirects to Microsoft's federation gateway
4. Federation Gateway redirects to the target service and user is signed in: Federation Gateway sends the user to the target service
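An added example (not part of the original deck and not Microsoft's code) of the routing decisions in the steps above: an exact-match lookup of the user's domain, the redirect to the partner's login server, and a re-check of the destination before the final redirect. The wa, wtrealm and wctx names are the WS-Federation passive sign-in parameters; the partner endpoint, realm value and function names are assumptions.

```python
from urllib.parse import urlencode, urlsplit

# Constructed sample data. The partner endpoint and realm are placeholders;
# the two service hosts are the ones named in the steps above.
FEDERATED_DOMAINS = {"fabrikam2.com": "https://sts.fabrikam2.example/ls/"}
KNOWN_SERVICES = {"mail.live.com", "crm.dynamics.com"}
GATEWAY_REALM = "urn:example:federation-gateway"  # hypothetical identifier


def home_realm(sign_in_name):
    """Return the lower-cased domain of user@domain, or None if malformed."""
    local, sep, domain = sign_in_name.strip().rpartition("@")
    if not (local and sep and domain):
        return None
    return domain.lower().rstrip(".")


def partner_sign_in_url(sign_in_name, target_service):
    """Build the redirect to the partner's login server, or return None when
    the domain is not federated and the normal login UI applies."""
    if target_service not in KNOWN_SERVICES:
        # Refuse to carry an unregistered destination through the flow.
        raise ValueError("unknown target service")
    endpoint = FEDERATED_DOMAINS.get(home_realm(sign_in_name))  # exact match only
    if endpoint is None:
        return None
    if urlsplit(endpoint).scheme != "https":
        raise ValueError("partner endpoint must use HTTPS")
    query = urlencode({
        "wa": "wsignin1.0",         # WS-Federation sign-in action
        "wtrealm": GATEWAY_REALM,   # party the partner's token is issued to
        "wctx": target_service,     # context the partner echoes back unchanged
    })
    return endpoint + "?" + query


def final_redirect(wctx):
    """Last step: send the user on only if the echoed context is a registered
    service; wctx crosses the browser, so it is checked again here."""
    return "https://" + wctx + "/" if wctx in KNOWN_SERVICES else None
```

Subdomains and look-alike domains of a federated domain fall through to the normal login UI because the lookup never does suffix matching.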
[Diagram: Microsoft Federation Gateway. Labels shown:
Gateway components: Identity Provider, Login UI (Username/password, CardSpace, Sign In assistant, Token), Signup UI, RPS, WebAuth
Protocols: WS-Trust, WS-Fed
Organization 1: Running Active Directory and using the MSC to access Online services (Federation Server, Active Directory)
Organization 2: Is not running Active Directory but federates their identity provider with the Microsoft Federation Gateway (Federation Server, Custom Identity Store)
Clients: PC (Windows), Mobile Device (???), Microsoft Outlook, Windows Live 1st Party apps, Custom Application, Browser
Services: Microsoft provided cloud based APIs, 3rd party services, Microsoft Services, Consumer Microsoft services, CRM, Strata]
Using Dynamics CRM Online as an example
Federation Gateway Service in Action
Live ID detects that fabrikam2.com is a federated domain; redirects to domain's auth server
User's domain handles authentication
User is seamlessly signed in to any service using Live ID
Setup and Configuration
Two ways to set up federation: Manual setup, Microsoft Services Connector
Manual Setup
Microsoft Services Connector: Automatically provisions federation and sets up an authentication server; see the detailed decks on the
An organization that wants to establish a federated partner relationship should work with Windows Live ID to:
Set up a written business agreement.
Take certain industry-standard security measures
Logout URL
Partner URL
X.509 Token signing certificate
Partner Friendly name
Necessary URL: This will be in a WS-Federation metadata document hosted by SSL
Provided separately to each partner
More Information
Live ID on dev.live.com: http://dev.live.com/liveid/
Live ID Federation white paper: http://msdn.microsoft.com/en-us/library/cc287610.aspx