
Microsoft Jump Start

M12: Implementing Active Directory Federation Services


Rick Claus | Technical Evangelist | Microsoft
Ed Liberman | Technical Trainer | Train Signal

Jump Start Target Agenda | Day One

Day 1
- Module 1: Installing and Configuring Servers Based on Windows Server 2012
- Module 2: Monitoring and Maintaining Windows Server 2012
- Module 3: Managing Windows Server 2012 by Using PowerShell 3.0
- MEAL BREAK
- Module 4: Managing Storage for Windows Server 2012
- Module 5: Implementing Network Services
- Module 6: Implementing Direct Access

Day 2
- Module 7: Implementing Failover Clustering
- Module 8: Implementing Hyper-V
- Module 9: Implementing Failover Clustering with Hyper-V
- MEAL BREAK
- Module 10: Implementing Dynamic Access Control
- Module 11: Implementing Active Directory Domain Services
- Module 12: Implementing Active Directory Federation Services

Module Overview
- Overview of Active Directory Federation Services
- Deploying Active Directory Federation Services
- Implementing AD FS for a Single Organization
- Deploying AD FS in a Business to Business Federation Scenario

What Is Identity Federation?

Identity federation:
- Enables distributed identification, authentication, and authorization across organizational and platform boundaries
- Requires a federated trust relationship between two organizations or entities
- Enables organizations to retain control over who can access resources
- Enables organizations to retain control of their user and group accounts

What is Claims-Based Identity?

[Diagram: Identity Provider (running a Security Token Service) and Application Provider (hosting the Application), with claims flowing from the identity provider to the application.]

Claims provide information about users who the identity provider authenticates, and which the application provider accepts.

Web Services Overview

Web services:
- Use a set of open specifications to develop applications that can interoperate across boundaries
- Are developed using industry standards such as XML, SOAP, WSDL, and UDDI
- Define the security specifications used by Identity Federation systems
- Define the SAML standard for exchanging claims between federation partners

What Is AD FS?

AD FS is the Microsoft identity federation solution that can use claims-based authentication.

AD FS includes the following features:
- Web SSO
- Web services interoperability
- Support for passive and smart clients
- Extensible architecture
- Enhanced security

AD FS and SSO in a Single Organization

[Diagram: a Perimeter Network containing the Federation Service Proxy, reached by an External Client, and a Corporate Network containing the AD DS Domain Controller, the Federation Server and the Web Server. The numbered request flow between these components is not recoverable from the extracted text.]

AD FS and SSO in a B2B Federation

[Diagram: Trey Research and A. Datum linked by a Federation Trust. Components shown: Active Directory, Account Federation Server, Internal Client Computer, Resource Federation Server, Web Server. The numbered request flow between these components is not recoverable from the extracted text.]

AD FS and SSO with Online Services

[Diagram: On Premises (Active Directory, Federation Server, Client Computer) linked by a Federation Trust to Exchange Online (Microsoft Online Federation Server, Outlook Web App server). The numbered request flow between these components is not recoverable from the extracted text.]

AD FS Components
- Federation Server
- Federation Server Proxy
- Claims
- Claim Rules
- Relying Parties
- Claims Provider Trust
- Relying Party Trust
- Certificates
- Attribute Store
- Claims Providers
- Endpoints

AD FS Prerequisites

Infrastructure critical to a successful AD FS deployment includes:
- TCP/IP network connectivity
- AD DS
- Attribute stores
- DNS
- Compatible operating systems

PKI and Certificate Requirements

AD FS federation services require:
- Service Communication Certificates
- Token-Signing Certificates
- Token-Decrypting Certificates

When choosing certificates, ensure that the Service Communication Certificate and the Token-Signing Certificate are trusted by all federation partners and clients.
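A check for the certificate requirement just stated, added here as an example and not part of the deck: it lists the three certificate types on a federation server with their expiry and local chain status. It assumes the ADFS PowerShell module on a Windows Server 2012 federation server; the 30-day threshold is a constructed default.

```powershell
Import-Module ADFS

function Test-AdfsCertificateHealth {
    param([int]$WarnDays = 30)   # constructed default: warn when fewer days than this remain
    Get-AdfsCertificate | ForEach-Object {
        $cert = $_.Certificate    # the X509Certificate2 behind the AD FS certificate entry
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            Type         = $_.CertificateType   # Service-Communications, Token-Signing or Token-Decrypting
            IsPrimary    = $_.IsPrimary         # only the primary token-signing certificate signs tokens
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint     # what partners compare against the metadata they imported
            NotAfter     = $cert.NotAfter
            DaysLeft     = $daysLeft
            ExpiringSoon = ($daysLeft -le $WarnDays)
            # Chain validation on this host. Self-signed token-signing and token-decrypting certificates
            # created by automatic rollover fail this by design: partners trust them through federation
            # metadata rather than through a CA, so a False here is only a finding for the
            # service communication certificate, which clients and partners must chain to a trusted root.
            ChainValid   = $cert.Verify()
        }
    }
}

# Automatic rollover status: when enabled, partners must refresh metadata before the new
# certificate becomes primary, or tokens will fail signature validation on their side.
(Get-AdfsProperties).AutoCertificateRollover

Test-AdfsCertificateHealth | Sort-Object Type, IsPrimary | Format-Table -AutoSize
```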

Federation Server Roles

AD FS Server Role                 | Description
Claims Provider federation server | Authenticates internal users; issues signed tokens containing user claims
Relying Party federation server   | Consumes tokens from the Claims Provider; issues tokens for application access
Federation server proxy           | Deployed in a perimeter network; provides a layer of security for internal federation servers

DEMO: Installing the AD FS Server Role

In this demonstration, you will see how to install and configure the AD FS server role.

What are AD FS Claims?

Claims are used to provide information about users from the Claims Provider to the Relying Party.

AD FS:
- Provides a default set of built-in claims
- Enables the creation of custom claims
- Requires that each claim have a unique URI

Claims can be:
- Retrieved from an attribute store
- Calculated based on retrieved values
- Transformed into alternate values

What Are AD FS Claim Rules?

Claims rules define how claims are sent and consumed by AD FS servers.
- Claims provider rules are acceptance transform rules
- Relying party rules can be:
  - Issuance transform rules
  - Issuance authorization rules
  - Delegation authorization rules

AD FS servers provide default claims rules, templates and a syntax for creating claims rules.

What Is a Claims Provider Trust?

Claims provider trusts:
- Are configured on the relying party federation server
- Identify the claims provider
- Configure the claims rules for the claims provider

In a single organization scenario, a claims provider trust called Active Directory defines how AD DS user credentials are processed.

Additional claims provider trusts can be configured:
- By importing the federation metadata
- By importing a configuration file
- By manually configuring the trust

What is a Relying Party Trust?

Relying party trusts:
- Are configured on the claims provider federation server
- Identify the relying party
- Configure the claims rules for the relying party

In a single organization scenario, a relying party trust defines the connection to internal applications.

Additional relying party trusts can be configured:
- By importing the federation metadata
- By importing a configuration file
- By manually configuring the trust

DEMO: Configuring Claims Provider and Relying Party Trusts

In this demonstration, you will see how to:
- Configure a claims provider trust
- Configure a Windows Identity Framework application for AD FS
- Configure a relying party trust
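The three ways of configuring a trust listed in the two preceding sections, as an added PowerShell example that is not from the deck: a claims provider trust on the relying party federation server and a relying party trust on the claims provider federation server. The partner names reuse the deck's Trey Research and A. Datum; the host names, file paths and identifiers are placeholders, and the cmdlets are those of the ADFS module on Windows Server 2012.

```powershell
Import-Module ADFS

# --- On the relying party (resource) federation server: trust the account partner ---
# 1. By importing the partner's federation metadata from its published URL (placeholder host).
Add-AdfsClaimsProviderTrust -Name "A. Datum (account partner)" `
    -MetadataUrl "https://fs.adatum.example/FederationMetadata/2007-06/FederationMetadata.xml" `
    -MonitoringEnabled $true -AutoUpdateEnabled $true   # keep partner certificates current on rollover

# 2. By importing a configuration (metadata) file the partner sent out of band (placeholder path).
# Add-AdfsClaimsProviderTrust -Name "A. Datum (account partner)" `
#     -MetadataFile "C:\Partners\adatum-FederationMetadata.xml"

# 3. By configuring the trust manually: identifier, passive endpoint and the partner's
#    token-signing certificate exported as a .cer file (placeholder values). With no metadata
#    there is no automatic update, so a partner certificate rollover must be applied by hand.
# $signing = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
#     "C:\Partners\adatum-token-signing.cer"
# Add-AdfsClaimsProviderTrust -Name "A. Datum (account partner)" `
#     -Identifier "http://fs.adatum.example/adfs/services/trust" `
#     -WSFedEndpoint "https://fs.adatum.example/adfs/ls/" `
#     -TokenSigningCertificate $signing

# --- On the claims provider federation server: register the application as a relying party ---
Add-AdfsRelyingPartyTrust -Name "Trey Research claims app" `
    -MetadataUrl "https://app.treyresearch.example/FederationMetadata/2007-06/FederationMetadata.xml" `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Read back what was created; the identifier is what tokens are issued for, so confirm it
# matches the partner's or application's real entity ID before adding any claim rules.
Get-AdfsClaimsProviderTrust -Name "A. Datum (account partner)" | Select-Object Name, Identifier
Get-AdfsRelyingPartyTrust   -Name "Trey Research claims app"  | Select-Object Name, Identifier
```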

Configuring an Account Partner

An account partner is a claims provider in a B2B federation scenario.

To configure an account partner:
1. Implement the physical topology
2. Add an attribute store
3. Configure a relying party trust
4. Add a claim description
5. Prepare client computers for federation

Configuring a Resource Partner

A resource partner is a relying party in a B2B federation scenario.

To configure a relying party:
1. Implement the physical topology
2. Add an attribute store
3. Configure a claims provider trust
4. Create claim rule sets for the claims provider trust

Configuring Claims Rules for Business to Business Scenarios

Organization to organization scenarios may require more complex claims rules.

You can create claims rules by using the following templates:
- Send LDAP attributes as claims
- Send group membership as a claim
- Pass through or filter an incoming claim
- Transform an incoming claim
- Permit or deny users based on an incoming claim

You can also create custom rules by using the AD FS Claim Rule Language.
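The five templates above written out in the AD FS Claim Rule Language and applied to a relying party trust, as an added example that is not from the deck. It assumes the ADFS module on Windows Server 2012; the trust name, the group SID and the role names are placeholders, and the claim type URIs are the standard ones AD FS uses.

```powershell
Import-Module ADFS

# Issuance transform rules, one per template. Within a rule set, claims issued by an earlier rule
# are visible to later rules, so the transform rule below sees the role the group rule issued.
$transformRules = @'
@RuleName = "Send LDAP attributes as claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"),
          query = ";mail,displayName;{0}", param = c.Value);

@RuleName = "Send group membership as a claim (placeholder group SID)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-0-0-0-PLACEHOLDER", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Finance",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

@RuleName = "Pass through an incoming claim (UPN only, every other incoming claim is filtered)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleName = "Transform an incoming claim (partner role to application role)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value == "Finance"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "AppUser",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@

# Issuance authorization rules: permit only users carrying the AppUser role. Anyone for whom
# no permit claim is issued is denied, so this set needs no explicit deny rule.
$authorizationRules = @'
@RuleName = "Permit users with role AppUser"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value =~ "^(?i)AppUser$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@

# Apply both rule sets to the relying party trust (placeholder trust name).
Set-AdfsRelyingPartyTrust -TargetName "Trey Research claims app" `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# Read back the rule text AD FS parsed and stored.
(Get-AdfsRelyingPartyTrust -Name "Trey Research claims app").IssuanceTransformRules
(Get-AdfsRelyingPartyTrust -Name "Trey Research claims app").IssuanceAuthorizationRules
```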

How Home Realm Discovery Works

Home realm discovery is required on the resource partner when it has configured AD FS federations with account partners.

To enable home realm discovery, you can:
- Prompt the user for home realm information
- Modify the URL for the web application to specify the home realm
- Configure a SAML profile called IdPInitiated SSO to direct users to the account partner site first
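The "modify the URL" option above, as an added example that is not from the deck: the WS-Federation sign-in URL for the resource partner's federation server carries the home realm in the whr parameter, which lets AD FS skip the home realm prompt. The function checks the value against the claims provider trusts configured on this server first, because a value that names no trust simply leaves the user at the prompt. It assumes the ADFS module on Windows Server 2012; the host names and identifiers are placeholders.

```powershell
Import-Module ADFS

function New-FederationSignInUrl {
    param(
        [Parameter(Mandatory)][string]$FederationServiceUrl,   # resource partner's AD FS, e.g. https://fs.treyresearch.example
        [Parameter(Mandatory)][string]$RelyingPartyIdentifier, # the application's identifier (wtrealm)
        [Parameter(Mandatory)][string]$HomeRealm               # identifier of the account partner's claims provider trust
    )
    # Only identifiers of configured claims provider trusts are meaningful as a home realm.
    $known = (Get-AdfsClaimsProviderTrust).Identifier
    if ($known -notcontains $HomeRealm) {
        throw "No claims provider trust with identifier '$HomeRealm' is configured on this server."
    }
    $query = @(
        'wa=wsignin1.0',
        'wtrealm=' + [uri]::EscapeDataString($RelyingPartyIdentifier),
        'whr='     + [uri]::EscapeDataString($HomeRealm)
    ) -join '&'
    "$($FederationServiceUrl.TrimEnd('/'))/adfs/ls/?$query"
}

# Placeholder values: send A. Datum users straight to their own federation server for sign-in.
New-FederationSignInUrl -FederationServiceUrl   "https://fs.treyresearch.example" `
                        -RelyingPartyIdentifier "https://app.treyresearch.example/" `
                        -HomeRealm              "http://fs.adatum.example/adfs/services/trust"
```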

DEMO: Configuring Claims Rules

In this demonstration, you will see how to configure claims rules.

BONUS SESSION
