Active Directory Federation Services Cross-Platform Interoperability
Windows Live@Edu – ADFS/Shibboleth
Agenda
Introduction: project background (Missouri, Oxford & Microsoft)
Things we'll cover: overview of technologies; ADFS/Shibboleth interoperability; demos
Project Background
Based on the OCG white paper "Achieving interoperability between Active Directory Federation Services (ADFS) and Shibboleth"
Demonstrate interoperability between ADFS and the Shibboleth 1.3c release
Using the Shibboleth ADFS plug-in for SAML 1.1 Identity and Service Providers
Support for the WS-Federation Passive Requestor Interoperability Profile
Demonstrate interoperability with sample applications: Microsoft Office SharePoint Server 2007 and Windows Live IDs
Technology Overview: Shibboleth
Standards-based, open source middleware
Software project of Internet2/MACE (Middleware Architecture Committee for Education)
Internet2 – U.S. advanced networking consortium led by the education and research community (universities, partners, laboratories, government agencies, etc.)
URL: http://shibboleth.internet2.edu/about.html
Implements the OASIS SAML v1.1 specification
December 2005 – extension for ADFS support is developed; implemented in Shibboleth versions 1.3c and later
Platforms include: UNIX (Solaris, etc.), Linux (Fedora, Ubuntu, etc.), Mac OS X
Show of Hands
How many schools have a web SSO? How many use CAS? Pubcookie? Something else?
How many have Shibboleth? How many have ADFS? How many run a web SSO alongside Shibboleth or ADFS? Does anyone run both ADFS and Shibboleth?
Project Credits
Project Sponsors: Walter Harp, Microsoft Corporation; John DuBois, Microsoft Corporation
Credits and Contributions: Ryan Woodsmall, University of Missouri; Brian Dourty, University of Missouri; Edward D. McKinzie, University of Missouri; Bryan W. Roesslet, University of Missouri; Randy Wiemer, University of Missouri
Chris Calderon, Oxford Computer Group; Jim Muir, Oxford Computer Group
Technology Overview: Active Directory Federation Services (ADFS)
First introduced in Windows Server 2003 R2 to provide "identity federation":
Projecting user identity from a single logon
Providing entitlements based on that single identity
Connecting islands (across security, organizational or platform boundaries)
Result: web single sign-on and simplified identity management
Built on Web Services and the WS-* security standards, specifically implementing the WS-Federation and WS-Federation Passive Requestor Profile specifications
Language Translation
Demonstration Overview: Establishing Federated Interoperability between ADFS (Relying Party) and Shibboleth (Identity Provider)
Demonstration 1: a Shib.org user accesses the sample Claims-App, which displays the set of claims associated with that user.
Demonstration 2: a Shib.org user accesses the MOSS 2007 Extranet Portal.
Configuration Details: ADFS Configuration Policy Requirements
Federation Service URI – uniquely identifies a federated partner; it is also the value the relying party expects as the audience of the tokens it receives, so a token issued for another partner's URI is rejected.
Federation Service endpoint URL – the URL to which partner organizations send requests and responses.
Token Signing Certificate – the relying party needs the identity provider's token-signing certificate (the public, verification half), because the identity provider uses the matching private key to digitally sign the tokens it issues; the relying party verifies each token's signature against that certificate before it trusts any claim in it.
ADFS Management Console – the primary console for administering Account Partners (Identity Providers).
Configuration Details: Shibboleth Configuration Requirements
XML Metadata – trust policy configuration
idp.xml (the main configuration file for the identity provider): configures the Shibboleth ADFS extension; provides key information for relying parties; adds reference-mapping support for identity claims (e.g. Microsoft UPNs)
Add the XML attribute namespace="http://schemas.xmlsoap.org/claims" to the attribute definitions in resolver.xml for any attributes that should be sent to ADFS providers; ADFS only maps attributes in that namespace to claims, so an attribute defined without it is released but never becomes a claim.
resolver.xml (attribute extraction) – defines the connection to the attribute store
arp.site.xml (attribute release policy) – defines which attributes are available to relying parties; controls (permits/denies) attribute release rules, so scope rules to the ADFS relying party rather than releasing to any target
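The following is an added example, not code from the presentation or from the ADFS or Shibboleth projects. It ties together the ADFS policy requirements above (Federation Service URI as the token audience, the partner endpoint URL, and the token-signing certificate) and the Shibboleth side (attributes released under the http://schemas.xmlsoap.org/claims namespace) by walking the WS-Federation passive sign-in exchange from the relying party's point of view: building the wsignin1.0 redirect, then checking issuer, signature, validity window and audience on the returned SAML 1.1 token before mapping its attributes to claims. All URIs, the endpoint, the issuer name and the sample token are assumptions constructed for the example; signature verification is a hook, because real XML-DSig checking needs a library such as xmlsec.

```python
"""Added example (not code from the presentation, ADFS or Shibboleth): the
WS-Federation passive sign-in exchange between an ADFS relying party and a
SAML 1.1 IdP, and the checks the RP makes before it trusts any claim."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode

# Assumed policy values: the RP's Federation Service URI (also the audience the
# token must name) and the account partner's endpoint URL and issuer name.
RP_URI = "urn:federation:rp.example.edu"
IDP_ENDPOINT = "https://idp.example.edu/shibboleth-idp/ADFS"
TRUSTED_ISSUER = "urn:federation:idp.example.edu"
CLAIMS_NS = "http://schemas.xmlsoap.org/claims"  # only attributes here become claims
NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}


class TokenRejected(Exception):
    pass


def signin_request_url(wreply: str, wctx: str = "") -> str:
    """Step 1: the RP redirects the browser to the IdP with wa=wsignin1.0;
    wtrealm carries the RP's Federation Service URI so the IdP can pick the
    matching relying-party policy and attribute release rules."""
    params = {"wa": "wsignin1.0", "wtrealm": RP_URI, "wreply": wreply}
    if wctx:
        params["wctx"] = wctx
    return IDP_ENDPOINT + "?" + urlencode(params)


# Constructed sample of the 'wresult' form field the IdP POSTs back to wreply:
# a WS-Trust RequestSecurityTokenResponse wrapping a SAML 1.1 assertion. Group
# and EmailAddress sit in the ADFS claims namespace (what the namespace="..."
# setting on the IdP's attribute definitions produces); eduPersonAffiliation
# does not, so the RP must ignore it rather than treat it as a claim.
SAMPLE_WRESULT = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
 <t:RequestedSecurityToken>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1"
   MinorVersion="1" AssertionID="_a1b2c3" Issuer="urn:federation:idp.example.edu"
   IssueInstant="2008-05-01T12:00:00Z">
   <saml:Conditions NotBefore="2008-05-01T11:59:00Z" NotOnOrAfter="2008-05-01T12:10:00Z">
    <saml:AudienceRestrictionCondition>
     <saml:Audience>urn:federation:rp.example.edu</saml:Audience>
    </saml:AudienceRestrictionCondition>
   </saml:Conditions>
   <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">jdoe@example.edu</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
     <saml:AttributeValue>Students</saml:AttributeValue>
     <saml:AttributeValue>Library</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="EmailAddress" AttributeNamespace="http://schemas.xmlsoap.org/claims">
     <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
     AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
     <saml:AttributeValue>student</saml:AttributeValue>
    </saml:Attribute>
   </saml:AttributeStatement>
  </saml:Assertion>
 </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""


def _utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_wresult(wresult, now_iso, trusted_issuer, verify_signature) -> dict:
    """Step 2: checks the RP makes before using any claim: known issuer, valid
    signature, validity window, audience equal to its own RP_URI. The hook
    verify_signature(assertion) -> bool stands in for XML-DSig verification
    against the partner's token-signing certificate (needs e.g. xmlsec)."""
    assertion = ET.fromstring(wresult).find(".//saml:Assertion", NS)
    if assertion is None:
        raise TokenRejected("no SAML 1.1 assertion in wresult")
    if assertion.get("Issuer") != trusted_issuer:
        raise TokenRejected("issuer is not a configured account partner")
    if not verify_signature(assertion):
        raise TokenRejected("assertion signature did not verify")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise TokenRejected("assertion has no Conditions")
    now, nb, na = _utc(now_iso), cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < _utc(nb)) or (na and now >= _utc(na)):
        raise TokenRejected("outside validity window")
    if RP_URI not in [a.text for a in cond.findall(
            "saml:AudienceRestrictionCondition/saml:Audience", NS)]:
        raise TokenRejected("audience does not match our Federation Service URI")
    stmt = assertion.find("saml:AttributeStatement", NS)
    if stmt is None:
        raise TokenRejected("assertion carries no AttributeStatement")
    claims = {}
    for attr in stmt.findall("saml:Attribute", NS):
        if attr.get("AttributeNamespace") != CLAIMS_NS:
            continue  # not an ADFS claim: ignored, never mapped
        claims[CLAIMS_NS + "/" + attr.get("AttributeName")] = [
            v.text for v in attr.findall("saml:AttributeValue", NS)]
    upn = stmt.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS)
    return {"upn": upn, "claims": claims}


def rejection_reason(wresult, now_iso, trusted_issuer, verify_signature) -> str:
    """'' when the token is accepted, otherwise why it was rejected."""
    try:
        validate_wresult(wresult, now_iso, trusted_issuer, verify_signature)
        return ""
    except TokenRejected as exc:
        return str(exc)
```

Calling `validate_wresult(SAMPLE_WRESULT, "2008-05-01T12:05:00Z", TRUSTED_ISSUER, lambda a: True)` returns the UPN and two claims (Group with two values, EmailAddress); the eduPersonAffiliation attribute is dropped. The same token evaluated at 12:20, with a different audience, an unknown issuer or a failed signature check is refused, which is the order of checks the ADFS policy requirements above exist to support.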
Demonstration Overview: Windows Live ID/Passport Interoperability
Demonstration 3: a Shib.org user accesses Windows Live@edu; the Windows Live ID is passed through as a claim and used to generate a short-lived token (SLT). The Identity Provider (IdP) acts as the Windows Live account store.
Configuration Details: Windows Live ID Interoperability
Windows Live ID short-lived tokens (SLTs) can be used to extend SSO further into web applications.
Benefits:
Windows Live ID users can access resources typically available only to AD accounts (SharePoint sites, etc.)
Applications do not need to implement any Windows Live ID code
Single account management (instead of separate AD and Windows Live accounts)
Summary
Successfully demonstrated the interoperability between ADFS and Shibboleth: straightforward configuration, with no special software or customization required by either party.
Language translation (understanding how the components of each technology correspond)
Lessons learned: federating with Windows Live IDs; Microsoft Office SharePoint Server 2007 compatibility