Microsoft® Jump Start
M12: Implementing Active Directory Federation Services
Rick Claus | Technical Evangelist | Microsoft
Ed Liberman | Technical Trainer | Train Signal
Jump Start Target Agenda
Day 1
• Module 1: Installing and Configuring Servers Based on Windows Server 2012
• Module 2: Monitoring and Maintaining Windows Server 2012
• Module 3: Managing Windows Server 2012 by Using PowerShell 3.0
- MEAL BREAK -
• Module 4: Managing Storage for Windows Server 2012
• Module 5: Implementing Network Services
• Module 6: Implementing Direct Access
Day 2
• Module 7: Implementing Failover Clustering
• Module 8: Implementing Hyper-V
• Module 9: Implementing Failover Clustering with Hyper-V
- MEAL BREAK -
• Module 10: Implementing Dynamic Access Control
• Module 11: Implementing Active Directory Domain Services
• Module 12: Implementing Active Directory Federation Services
Module Overview
• Overview of Active Directory Federation Services
• Deploying Active Directory Federation Services
• Implementing AD FS for a Single Organization
• Deploying AD FS in a Business to Business Federation Scenario
What Is Identity Federation?
• Enables distributed identification, authentication, and authorization across organizational and platform boundaries
• Requires a federated trust relationship between two organizations or entities
• Enables organizations to retain control over who can access resources
• Enables organizations to retain control of their user and group accounts
What Is Claims-Based Identity?
[Diagram: Identity Provider with its Security Token Service, and Application Provider with its Application]
Claims provide information about users who the identity provider authenticates, and which the application provider accepts.
Web Services Overview
Web services use a set of open specifications to develop applications that can interoperate across boundaries:
• Are developed using industry standards such as XML, SOAP, WSDL, and UDDI
• Define the security specifications used by identity federation systems
• Define the SAML standard for exchanging claims between federation partners
What Is AD FS?
AD FS is the Microsoft identity federation solution that can use claims-based authentication.
• AD FS includes the following features:
  – Web SSO
  – Web services interoperability
  – Support for passive and smart clients
  – Extensible architecture
  – Enhanced security
AD FS and SSO in a Single Organization
[Diagram: numbered authentication flow between an External Client, the Federation Service Proxy in the Perimeter Network, and the Federation Server, Web Server and AD DS Domain Controller in the Corporate Network]
AD FS and SSO in a B2B Federation
[Diagram: numbered authentication flow across a Federation Trust between Trey Research and A. Datum, involving an Internal Client Computer, the Account Federation Server, the Resource Federation Server, a Web Server and Active Directory]
AD FS and SSO with Online Services
[Diagram: numbered authentication flow across a Federation Trust between the on-premises Federation Server (with Active Directory) and the Microsoft Online Federation Server, giving a Client Computer access to the Exchange Online Outlook Web App server]
AD FS Components
• Federation Server
• Federation Server Proxy
• Claims
• Claim Rules
• Attribute Store
• Claims Providers
• Relying Parties
• Claims Provider Trust
• Relying Party Trust
• Certificates
• Endpoints
AD FS Prerequisites
Infrastructure critical to a successful AD FS deployment includes:
• TCP/IP network connectivity
• AD DS
• Attribute stores
• DNS
• Compatible operating systems
PKI and Certificate Requirements
• AD FS federation services require:
  – Service Communication Certificates
  – Token-Signing Certificates
  – Token-Decrypting Certificates
• When choosing certificates, ensure that the Service Communication Certificate and the Token-Signing Certificate are trusted by all federation partners and clients
Federation Server Roles
AD FS Server Role: Description
• Claims Provider federation server
  – Authenticates internal users
  – Issues signed tokens containing user claims
• Relying Party federation server
  – Consumes tokens from the Claims Provider
  – Issues tokens for application access
• Federation server proxy
  – Deployed in a perimeter network
  – Provides a layer of security for internal federation servers
DEMO: Installing the AD FS Server Role
• In this demonstration, you will see how to install and configure the AD FS server role
What Are AD FS Claims?
Claims are used to provide information about users from the claims provider to the relying party.
• AD FS:
  – Provides a default set of built-in claims
  – Enables the creation of custom claims
  – Requires that each claim have a unique URI
• Claims can be:
  – Retrieved from an attribute store
  – Calculated based on retrieved values
  – Transformed into alternate values
What Are AD FS Claim Rules?
• Claims rules define how claims are sent and consumed by AD FS servers
• Claims provider rules are acceptance transform rules
• Relying party rules can be:
  – Issuance transform rules
  – Issuance authorization rules
  – Delegation authorization rules
• AD FS servers provide default claims rules, templates, and a syntax for creating claims rules
What Is a Claims Provider Trust?
• Claims provider trusts:
  – Are configured on the relying party federation server
  – Identify the claims provider
  – Configure the claims rules for the claims provider
• In a single organization scenario, a claims provider trust called Active Directory defines how AD DS user credentials are processed
• Additional claims provider trusts can be configured:
  – By importing the federation metadata
  – By importing a configuration file
  – By manually configuring the trust
What Is a Relying Party Trust?
• Relying party trusts:
  – Are configured on the claims provider federation server
  – Identify the relying party
  – Configure the claims rules for the relying party
• In a single organization scenario, a relying party trust defines the connection to internal applications
• Additional relying party trusts can be configured:
  – By importing the federation metadata
  – By importing a configuration file
  – By manually configuring the trust
DEMO: Configuring Claims Provider and Relying Party Trusts
• In this demonstration, you will see how to:
  – Configure a claims provider trust
  – Configure a Windows Identity Framework application for AD FS
  – Configure a relying party trust
Configuring an Account Partner
• An account partner is a claims provider in a B2B federation scenario
• To configure an account partner:
  1. Implement the physical topology
  2. Add an attribute store
  3. Configure a relying party trust
  4. Add a claim description
  5. Prepare client computers for federation
Configuring a Resource Partner
• A resource partner is a relying party in a B2B federation scenario
• To configure a relying party:
  1. Implement the physical topology
  2. Add an attribute store
  3. Configure a claims provider trust
  4. Create claim rule sets for the claims provider trust
Configuring Claims Rules for Business to Business Scenarios
• Organization to organization scenarios may require more complex claims rules
• You can create claims rules by using the following templates:
  – Send LDAP attributes as claims
  – Send group membership as a claim
  – Pass through or filter an incoming claim
  – Transform an incoming claim
  – Permit or deny users based on an incoming claim
• You can also create custom rules by using the AD FS Claim Rule Language
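Each of the templates above, and the claims provider and relying party trust rule sets described earlier, compiles to text in the AD FS Claim Rule Language. The PowerShell below is an added example that is not from the Jump Start deck: it writes one acceptance transform rule for a claims provider trust (the resource partner side of a B2B trust) and issuance transform and authorization rules for a relying party trust, applying them with the AD FS cmdlets. The trust names, the partner domain adatum.example, and the group SID are hypothetical placeholders.

```powershell
# Added example, not from the Jump Start deck. Trust names, the partner domain
# and the group SID are hypothetical placeholders; run on an AD FS server.
Import-Module ADFS
# Built-in AD FS claim type URIs referenced by the rules below
$WinAcct  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$GroupSid = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$Role     = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
$Email    = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$Upn      = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$Permit   = 'http://schemas.microsoft.com/authorization/claims/permit'

# 1. Resource partner: acceptance transform rule on the claims provider trust
#    for the account partner. Only email claims in the partner's own domain are
#    passed through; every other claim the partner asserts is dropped, so the
#    partner cannot present identities or roles it is not entitled to.
$acceptanceRules = @"
@RuleName = "Accept partner email claims for adatum.example only"
c:[Type == "$Email", Value =~ "^[^@]+@adatum\.example$"]
 => issue(claim = c);
"@
Set-AdfsClaimsProviderTrust -TargetName 'A. Datum' -AcceptanceTransformRules $acceptanceRules

# 2. Account partner: issuance transform rules on the relying party trust for
#    the partner application (LDAP attributes, group membership, transform).
$issuanceRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Send email and UPN from AD DS"
c:[Type == "$WinAcct", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$Email", "$Upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);
@RuleName = "Send Finance group membership as a role claim"
c:[Type == "$GroupSid", Value == "S-1-5-21-PLACEHOLDER-1234"]
 => issue(Type = "$Role", Value = "Finance");
@RuleName = "Transform the Finance role into the value the partner expects"
c:[Type == "$Role", Value == "Finance"]
 => issue(Type = "$Role", Value = "Partner-Finance");
"@

# 3. Issuance authorization rule: a permit claim is issued only for Finance
#    users; when no rule issues a permit claim, AD FS refuses to issue a token.
$authorizationRules = @"
@RuleName = "Permit Finance users only"
c:[Type == "$Role", Value == "Finance"]
 => issue(Type = "$Permit", Value = "true");
"@
Set-AdfsRelyingPartyTrust -TargetName 'Trey Research Portal' `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authorizationRules
```

Note that `issue` adds a claim to the output set without removing the input claim, so the transform rule leaves the original Finance role claim in place alongside Partner-Finance.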
How Home Realm Discovery Works
Home realm discovery is required on the resource partner when it has configured AD FS federation with account partners.
• To enable home realm discovery, you can:
  – Prompt the user for home realm information
  – Modify the URL for the web application to specify the home realm
  – Configure a SAML profile called IdPInitiated SSO to direct users to the account partner site first