Microsoft® Jump Start

M12: Implementing Active Directory Federation Services

Rick Claus | Technical Evangelist | Microsoft

Ed Liberman | Technical Trainer | Train Signal


Jump Start Target Agenda

Day 1

• Module 1: Installing and Configuring Servers Based on Windows Server 2012
• Module 2: Monitoring and Maintaining Windows Server 2012
• Module 3: Managing Windows Server 2012 by Using PowerShell 3.0
• - MEAL BREAK -
• Module 4: Managing Storage for Windows Server 2012
• Module 5: Implementing Network Services
• Module 6: Implementing Direct Access

Day 2

• Module 7: Implementing Failover Clustering
• Module 8: Implementing Hyper-V
• Module 9: Implementing Failover Clustering with Hyper-V
• - MEAL BREAK -
• Module 10: Implementing Dynamic Access Control
• Module 11: Implementing Active Directory Domain Services
• Module 12: Implementing Active Directory Federation Services

Module Overview

• Overview of Active Directory Federation Services
• Deploying Active Directory Federation Services
• Implementing AD FS for a Single Organization
• Deploying AD FS in a Business to Business Federation Scenario

What Is Identity Federation?

• Enables distributed identification, authentication, and authorization across organizational and platform boundaries.
• Requires a federated trust relationship between two organizations or entities.
• Enables organizations to retain control over who can access resources.
• Enables organizations to retain control of their user and group accounts.

What is Claims-Based Identity?

[Diagram: Identity Provider (with its Security Token Service), Application Provider, and Application]

Claims provide information about users who the identity provider authenticates, and which the application provider accepts.

Web Services Overview

Web services use a set of open specifications to develop applications that can interoperate across boundaries.

• Are developed using industry standards such as XML, SOAP, WSDL, and UDDI
• Define the security specifications used by Identity Federation systems
• Define the SAML standard for exchanging claims between federation partners

What Is AD FS?

AD FS is the Microsoft identity federation solution that can use claims-based authentication.

• AD FS includes the following features:
  • Web SSO
  • Web services interoperability
  • Support for passive and smart clients
  • Extensible architecture
  • Enhanced security

[Diagram: External Client; Perimeter Network containing the Federation Service Proxy; Corporate Network containing the Federation Server, Web Server, and AD DS Domain Controller]

AD FS and SSO in a Single Organization

[Diagram: Internal Client Computer; Account Federation Server and Resource Federation Server joined by a Federation Trust; Web Server; Active Directory]

AD FS and SSO in a B2B Federation

[Diagram: Trey Research and A. Datum joined by a Federation Trust; Federation Server; Active Directory; Client Computer]

AD FS and SSO with Online Services

[Diagram: On Premises and Exchange Online; Microsoft Online Federation Server; Outlook Web App server]

AD FS Components

• Federation Server
• Federation Server Proxy
• Claims
• Claim Rules
• Attribute Store
• Claims Providers
• Relying Parties
• Claims Provider Trust
• Relying Party Trust
• Certificates
• Endpoints

AD FS Prerequisites

Infrastructure critical to a successful AD FS deployment includes:

• TCP/IP network connectivity
• AD DS
• Attribute stores
• DNS
• Compatible operating systems

PKI and Certificate Requirements

• AD FS federation services require:
  • Service Communication Certificates
  • Token-Signing Certificates
  • Token-Decrypting Certificates
• When choosing certificates, ensure that the Service Communication Certificate and the Token-Signing Certificate are trusted by all federation partners and clients

Federation Server Roles

AD FS Server Role | Description

Claims Provider federation server
• Authenticates internal users
• Issues signed tokens containing user claims

Relying Party federation server
• Consumes tokens from the Claims Provider
• Issues tokens for application access

Federation server proxy
• Deployed in a perimeter network
• Provides a layer of security for internal federation servers

DEMO: Installing the AD FS Server Role

• In this demonstration, you will see how to install and configure the AD FS server role

What are AD FS Claims?

Claims are used to provide information about users from the Claims Provider to the Relying Party.

• AD FS:
  – Provides a default set of built-in claims
  – Enables the creation of custom claims
  – Requires that each claim have a unique URI
• Claims can be:
  – Retrieved from an attribute store
  – Calculated based on retrieved values
  – Transformed into alternate values

What Are AD FS Claim Rules?

• Claims rules define how claims are sent and consumed by AD FS servers
• Claims provider rules are acceptance transform rules
• Relying party rules can be:
  – Issuance transform rules
  – Issuance authorization rules
  – Delegation authorization rules
• AD FS servers provide default claims rules, templates, and a syntax for creating claims rules

What Is a Claims Provider Trust?

• Claims provider trusts:
  – Are configured on the relying party federation server
  – Identify the claims provider
  – Configure the claims rules for the claims provider
• In a single organization scenario, a claims provider trust called Active Directory defines how AD DS user credentials are processed
• Additional claims provider trusts can be configured:
  – By importing the federation metadata
  – By importing a configuration file
  – By manually configuring the trust

What is a Relying Party Trust?

• Relying party trusts:
  – Are configured on the claims provider federation server
  – Identify the relying party
  – Configure the claims rules for the relying party
• In a single organization scenario, a relying party trust defines the connection to internal applications
• Additional relying party trusts can be configured:
  – By importing the federation metadata
  – By importing a configuration file
  – By manually configuring the trust

DEMO: Configuring Claims Provider and Relying Party Trusts

• In this demonstration, you will see how to:
  • Configure a claims provider trust
  • Configure a Windows Identity Framework application for AD FS
  • Configure a relying party trust

Configuring an Account Partner

• An account partner is a claims provider in a B2B federation scenario
• To configure an account partner:
  1. Implement the physical topology
  2. Add an attribute store
  3. Configure a relying party trust
  4. Add a claim description
  5. Prepare client computers for federation

Configuring a Resource Partner

• A resource partner is a relying party in a B2B federation scenario
• To configure a relying party:
  1. Implement the physical topology
  2. Add an attribute store
  3. Configure a claims provider trust
  4. Create claim rule sets for the claims provider trust

Configuring Claims Rules for Business to Business Scenarios

• Organization to organization scenarios may require more complex claims rules
• You can create claims rules by using the following templates:
  – Send LDAP attributes as claims
  – Send group membership as a claim
  – Pass through or filter an incoming claim
  – Transform an incoming claim
  – Permit or deny users based on an incoming claim
• You can also create custom rules by using the AD FS Claim Rule Language
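As an added example (not from the course deck), the rule templates above written out in the AD FS Claim Rule Language and attached to a relying party trust with the AD FS PowerShell module; the trust name, the URLs and the group SID are placeholders.

```powershell
# Added example, not from the course deck: a relying party trust on the account
# partner's federation server with rules from the templates the slide lists.
# Names, URLs and the group SID are placeholders, not real identifiers.
Import-Module ADFS

# Send LDAP attributes as claims: UPN and mail, read from the AD DS attribute store.
$ldapRule = @'
@RuleName = "Send UPN and email from AD DS"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";userPrincipalName,mail;{0}", param = c.Value);
'@

# Send group membership as a claim: members of the placeholder group get the role "HR".
$groupRule = @'
@RuleName = "HR group to role claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value == "S-1-5-21-PLACEHOLDER-1234", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role",
          Value = "HR", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@

# Transform an incoming claim: reissue the email address as the Name claim the app expects.
$transformRule = @'
@RuleName = "Email to Name"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

# Permit or deny users based on an incoming claim: only the HR role gets a permit claim;
# everyone else is denied, because AD FS refuses access when no permit claim is issued.
$authzRule = @'
@RuleName = "Permit HR role only"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role", Value == "HR"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name "Trey Research HR portal (placeholder)" `
    -Identifier "https://hr.treyresearch.example/" `
    -WSFedEndpoint "https://hr.treyresearch.example/" `
    -IssuanceTransformRules (($ldapRule, $groupRule, $transformRule) -join "`n") `
    -IssuanceAuthorizationRules $authzRule

# Review the rule sets that will actually be applied before the partner relies on them.
Get-AdfsRelyingPartyTrust -Name "Trey Research HR portal (placeholder)" |
    Select-Object Name, Identifier, IssuanceTransformRules, IssuanceAuthorizationRules
```

Run it in an elevated session on a federation server; the issuance authorization rule set is the one to review most carefully, since a trust with no permit rule denies every user and one with an unconditional permit lets every authenticated user through.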

How Home Realm Discovery Works

Home realm discovery is required on the resource partner when it has configured AD FS federations with account partners.

• To enable home realm discovery, you can:
  – Prompt the user for home realm information
  – Modify the URL for the web application to specify the home realm
  – Configure a SAML profile called IdP-Initiated SSO to direct users to the account partner site first

DEMO: Configuring Claims Rules

• In this demonstration, you will see how to configure claims rules

Microsoft® Jump Start

BONUS SESSION

Rick Claus | Technical Evangelist | Microsoft

Ed Liberman | Technical Trainer | Train Signal