Module 6: Implementing DirectAccess
Module 12: Implementing Active Directory Federation Services

Module Overview
- Overview of Active Directory Federation Services
- Deploying Active Directory Federation Services
- Implementing AD FS for a Single Organization
Federation Scenario
- ... authorization across organizational and platform boundaries
- Requires a federated trust relationship between two organizations or entities
- Enables organizations to retain control over who can access resources
- Enables organizations to retain control of their user and group accounts

Claims provide information about users whom the identity provider authenticates and which the application provider accepts.

- SOAP, WSDL, and UDDI
- Define the security specifications used by identity federation systems
- Define the SAML standard for exchanging claims between federation partners

What Is AD FS?
AD FS is the Microsoft identity federation solution that can use claims-based authentication.

AD FS includes the following features:
- Web SSO
- Web services interoperability
[Diagram: AD FS scenarios. Scenario 1: A. Datum (AD DS domain controller, federation server, web server, external client) connected over a federation trust to a partner's Active Directory, federation server, and web server. Scenario 2: Exchange Online connected over a federation trust to an on-premises Active Directory and federation server, with a client computer. The numbered flow labels (1-11) are not recoverable from the extraction.]
AD FS Components
- Federation Server
- Federation Server Proxy
- Claims
- Claim Rules
- Relying Parties
- Claims Provider Trust
- Relying Party Trust
- Certificates
- Attribute Store
- Claims Providers
- Endpoints

AD FS Prerequisites
Infrastructure critical to a successful AD FS deployment includes:
- TCP/IP network connectivity
- AD DS
- Attribute stores
- DNS
- Compatible operating systems

... the Service Communication Certificate and the Token-Signing Certificate are trusted by all federation partners and clients.

What Are AD FS Claims?
Claims are used to provide information about users from the claims provider to the relying party.

AD FS:
- Provides a default set of built-in claims
- Enables the creation of custom claims
- Requires that each claim have a unique URI

Claims can be:
- Retrieved from an attribute store
- Calculated based on retrieved values
- Transformed into alternate values
... consumed by AD FS servers
Claims provider rules are acceptance transform rules
Relying party rules can be:
- Issuance

... trust called Active Directory defines how AD DS user credentials are processed
Additional claims provider trusts can be configured:
- By importing the federation metadata
- By importing a configuration file
- By manually configuring the trust

... trust defines the connection to internal applications
Additional relying party trusts can be configured:
- By importing the federation metadata
- By importing a configuration file
- By manually configuring the trust
- Configure a claims provider trust
- Configure a Windows Identity Framework application for AD FS
- Configure a relying party trust

... federation scenario
1. Implement the physical topology
2. Add an attribute store
3. Configure a relying party trust
4. Add a claim description
5. Prepare client computers for federation

... require more complex claims rules
You can create claims rules by using the following templates:
- Send LDAP attributes as claims
- Send group membership as a claim
- Pass through or filter an incoming claim
- Transform an incoming claim
- Permit or deny users based on an incoming claim
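The five templates above each generate a rule in the AD FS claim rule language. The following PowerShell is an added example, not taken from the course slides or from Microsoft's own material; it writes one rule per template and applies them with the AD FS module's Set-AdfsRelyingPartyTrust cmdlet. The relying party name "Claims App", the group names, the group SID and the adatum.com UPN suffix are assumptions chosen for illustration (A. Datum is the fictitious company used in the module's diagram).

```powershell
# Added example: issuance transform and authorization rules in the AD FS claim
# rule language, one per template. Requires the ADFS PowerShell module on a
# federation server. Names, SID and UPN suffix below are assumptions.

$claimsApp = "Claims App"   # assumed relying party trust display name

# 1. Send LDAP attributes as claims: query AD DS for mail and displayName of
#    the authenticated Windows account and issue them as e-mail and name claims.
$ldapRule = @'
@RuleName = "Send LDAP attributes as claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"),
          query = ";mail,displayName;{0}", param = c.Value);
'@

# 2. Send group membership as a claim: map one AD DS group SID to a role claim.
#    The SID is a placeholder; look the real one up with Get-ADGroup.
$groupRule = @'
@RuleName = "Send group membership as a claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-1234"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "AppUser",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@

# 3. Pass through or filter an incoming claim: forward only UPNs in the
#    assumed corporate suffix, so a partner-issued UPN elsewhere is dropped.
$passThroughRule = @'
@RuleName = "Pass through corporate UPNs only"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value =~ "^(?i).+@adatum\.com$"]
 => issue(claim = c);
'@

# 4. Transform an incoming claim: rewrite a legacy group claim into a role claim
#    while preserving issuer metadata.
$transformRule = @'
@RuleName = "Transform group claim to role"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "App Admins"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Admin",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@

# 5. Permit or deny users based on an incoming claim. This is an issuance
#    *authorization* rule: without a permit claim no token is issued for the app.
$authzRule = @'
@RuleName = "Permit AppUser and Admin roles"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value =~ "^(AppUser|Admin)$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Transform rules shape the claims inside the token; the authorization rule
# decides whether a token is issued at all. Rules are separated by newlines.
$transformRules = ($ldapRule, $groupRule, $passThroughRule, $transformRule) -join "`n"

Set-AdfsRelyingPartyTrust -TargetName $claimsApp `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRule

# Verify what is now configured on the trust.
(Get-AdfsRelyingPartyTrust -Name $claimsApp).IssuanceTransformRules
(Get-AdfsRelyingPartyTrust -Name $claimsApp).IssuanceAuthorizationRules
```

Rules 1 to 4 are issuance transform rules and rule 5 is an issuance authorization rule; keeping the two sets separate matters because an authorization rule that never issues a permit claim denies every user, which is a useful check to run against a test account before publishing the trust.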
How Home Realm Discovery Works
Home realm discovery is required on the resource partner when it has configured AD FS federations with account partners.

To enable home realm discovery, you can:
- Prompt the user for home realm information
- Modify the URL for the web application to specify the home realm
- Configure a SAML profile called IdP-Initiated SSO to direct users to the account partner site first
claims rules
BONUS SESSION
Rick Claus | Technical Evangelist | Microsoft Ed Liberman | Technical Trainer | Train Signal