Claims Based Authentication

adhocjackpotSecurity

Nov 5, 2013

Claims Based Authentication Using ADFS 2.0

Presented By:

Shannon Bray

Shannon Bray

MCT, MCPD, MCITP, MCTS, MCAD, MCDBA

MCM Candidate (Oct. 2010 Rotation)

Technical Architect, Planet Technologies

Colorado SharePoint Users Group (COSPUG)

Twitter: @NoIdentity29

Email: sbray@go-planet.com

Clayton Cobb

MVP, MCITP, MCTS

Technical Architect, Planet Technologies

Colorado SharePoint Users Group (COSPUG)

Twitter: @Warrtalon

Email: ccobb@go-planet.com

Agenda


Introduction to CBA


How does ADFS 2.0 Come Into Play?


Farm Configurations


Step by Step


Common Pitfalls


Questions and Answers



What is CBA?

“Geneva” was Microsoft’s code name for what shipped as Active Directory Federation Services (ADFS) 2.0 and Windows Identity Foundation. Microsoft described it as follows:

“Geneva” is Microsoft’s next generation identity and access management
platform built on Active Directory® directory services.

“Geneva” provides claims-based access and single sign-on for on-premises and
cloud-based applications in the enterprise, across organizations, and on the Web.

“Geneva” leverages claims which describe identity attributes and can be used to
drive application and other system behaviors with an open architecture that
implements the industry’s shared Identity Metasystem vision.

Benefits


Supports Existing Identity Infrastructure


Active Directory


LDAP, SQL


Federation Gateways


WebSSO and Identity Management Systems


Enables Automatic, Secure Identity Delegation


Supports “no credential” connections to external
web services


Consistent API to develop SharePoint Solutions


Identity


What is Identity?


Set of attributes that describe a user, such as name,
e-mail, age, group membership, etc.


What is a Claim?


A statement by some authority (the issuer) that the user has a given
attribute with a given value


User Identity is a set of Claims


Why we say “claim” and not “attribute”?


FaceBook & DOL both have an age attribute for me


FaceBook claims that I am 18, while DOL claims I am 38.


If an access decision were based on age, which claim would you trust?
The answer depends on which issuer you trust for that claim type, not on the
attribute value itself.


Identity Normalization

[Diagram; labels recovered from the slide: NT Token, SAML 1.1, ASP.NET, SAML Token (CBA), SP USER, Classic, Claims, NT Token. Two paths end in the same SharePoint user (SP USER): in classic mode the Windows NT token is used directly; in claims mode the NT token, an ASP.NET membership/role provider, or a SAML 1.1 token from a trusted issuer is normalized into a SAML token (CBA) by SharePoint.]

The Authentication Process

How does ADFS 2.0 Come Into Play?

Farm Configurations


Internal (Corp)


ADFS 2.0


AD w/ DNS


SharePoint 2010


SQL


External


ADFS 2.0


AD w/ DNS


Step by Step


ADFS 2.0


Wizard


Server Certificates






Step by Step - Demo
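The Step by Step wired up in PowerShell, as an added example that is not part of the deck or the demo. The relying-party name, realm, URLs, certificate path and issuer name are assumptions for the example; the cmdlets are the ADFS 2.0 and SharePoint 2010 ones. SharePoint 2010 consumes SAML 1.1 tokens, which is what ADFS 2.0 issues to a WS-Federation relying party by default, so no token-type change is needed.

```powershell
# Added example (not from the deck): ADFS 2.0 relying party + SharePoint 2010
# trusted identity token issuer. Names, URLs, realm and paths are assumptions.

# ---------- Run on the ADFS 2.0 server ----------
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName   = "SharePoint 2010 Portal"
$realm    = "urn:sharepoint:portal"                  # must equal the realm SharePoint sends
$wsfedUrl = "https://portal.contoso.com/_trust/"    # SharePoint's WS-Fed endpoint, trailing slash included

# Claim rules: e-mail (the identity claim) and AD group names as role claims.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD mail and groups for SharePoint"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";mail,tokenGroups;{0}", param = c.Value);
'@
# Without an issuance authorization rule ADFS denies every user.
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-ADFSRelyingPartyTrust -Name $rpName -Identifier $realm -WSFedEndpoint $wsfedUrl `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authzRules

# Server Certificates: export the primary token-signing certificate for SharePoint to trust.
$signing = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
[IO.File]::WriteAllBytes("C:\certs\adfs-token-signing.cer", $signing.Certificate.Export("Cert"))

# ---------- Run on a SharePoint 2010 server ----------
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# SharePoint validates token signatures only against trusted root authorities. If the
# ADFS signing certificate was issued by a CA, add the CA chain the same way.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\certs\adfs-token-signing.cer")
New-SPTrustedRootAuthority -Name "ADFS 2.0 Token Signing" -Certificate $cert

# Map the incoming claim types; the identifier claim must be one of the mappings.
$emailMap = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap  = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

$tip = New-SPTrustedIdentityTokenIssuer -Name "ADFS" -Description "ADFS 2.0 at adfs.contoso.com" `
    -Realm "urn:sharepoint:portal" -ImportTrustCertificate $cert `
    -ClaimsMappings $emailMap,$roleMap -SignInUrl "https://adfs.contoso.com/adfs/ls/" `
    -IdentifierClaim $emailMap.InputClaimType

# Attach the provider to a zone of a web application that is already in claims mode.
Set-SPWebApplication -Identity "https://portal.contoso.com" -Zone Default -AuthenticationProvider $tip
```

The realm given to New-SPTrustedIdentityTokenIssuer and the identifier given to Add-ADFSRelyingPartyTrust must match character for character; ADFS selects the relying party by that value when SharePoint redirects the browser to /adfs/ls/.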

Common Pitfalls


Kerberos


SPTITI (SPTrustedIdentityTokenIssuer)


ADFS 2.0 Settings


Not So Random Errors
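Checks for the pitfalls listed above, as an added example that is not from the deck. Each function runs where its cmdlets exist (ADFS server, SharePoint server, any domain-joined machine for setspn); the relying-party name, issuer name, realm, URLs and host name are assumptions.

```powershell
# Added example (not from the deck): checks for the common pitfalls.
# Names, realm, URLs and host name are assumptions; run each function where its cmdlets exist.

# ----- ADFS 2.0 server: relying party settings that break SharePoint 2010 -----
function Test-AdfsRelyingPartyForSharePoint {
    param([string]$RpName, [string]$ExpectedIdentifier, [string]$ExpectedWsFedEndpoint)
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
    $rp = Get-ADFSRelyingPartyTrust -Name $RpName
    if (-not $rp) { Write-Warning "relying party '$RpName' not found"; return }
    if ($rp.Identifier -notcontains $ExpectedIdentifier) {
        Write-Warning "identifier mismatch: ADFS has '$($rp.Identifier)', SharePoint realm is '$ExpectedIdentifier'"
    }
    if ("$($rp.WSFedEndpoint)" -ne $ExpectedWsFedEndpoint) {
        Write-Warning "WS-Fed endpoint is '$($rp.WSFedEndpoint)', expected '$ExpectedWsFedEndpoint'"
    }
    # SharePoint 2010 cannot decrypt tokens; importing metadata sets an encryption cert automatically.
    if ($rp.EncryptionCertificate) {
        Write-Warning "encryption certificate is set on '$RpName'; remove it on the relying party's Encryption tab"
    }
    if (-not $rp.IssuanceAuthorizationRules) { Write-Warning "no issuance authorization rules; every user will be denied" }
    $signing = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
    "Primary token-signing thumbprint (must match SharePoint's SigningCertificate): $($signing.Certificate.Thumbprint)"
    "TokenLifetime in minutes (0 = default of 60): $($rp.TokenLifetime)"
}

# ----- SharePoint 2010 server: SPTrustedIdentityTokenIssuer (SPTITI) and STS settings -----
function Test-SPTrustedIssuerForAdfs {
    param([string]$IssuerName, [string]$ExpectedSigningThumbprint, [int]$AdfsTokenLifetimeMinutes = 60)
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    $tip = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName
    if (-not $tip) { Write-Warning "token issuer '$IssuerName' not found"; return }
    if ($tip.SigningCertificate.Thumbprint -ne $ExpectedSigningThumbprint) {
        Write-Warning "signing cert $($tip.SigningCertificate.Thumbprint) is not the ADFS token-signing cert; signature checks will fail"
    }
    $root = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $ExpectedSigningThumbprint }
    if (-not $root) { Write-Warning "ADFS token-signing cert is not registered as an SPTrustedRootAuthority" }
    $mapped = $tip.ClaimTypeInformation | ForEach-Object { $_.InputClaimType }
    if ($mapped -notcontains $tip.IdentifierClaim) {
        Write-Warning "identifier claim '$($tip.IdentifierClaim)' is not among the claim mappings"
    }
    "Realm sent to ADFS (must equal the ADFS relying party identifier): $($tip.DefaultProviderRealm)"
    # Sign-in loop: SharePoint's logon token cache window must be shorter than the ADFS token lifetime.
    $sts    = Get-SPSecurityTokenServiceConfig
    $window = $sts.LogonTokenCacheExpirationWindow
    if ($window.TotalMinutes -ge $AdfsTokenLifetimeMinutes) {
        $msg = "LogonTokenCacheExpirationWindow ({0} min) is not below the ADFS TokenLifetime ({1} min): users get a redirect loop. Lower the window or raise TokenLifetime." -f $window.TotalMinutes, $AdfsTokenLifetimeMinutes
        Write-Warning $msg
    }
}

# ----- Kerberos to ADFS: the ADFS service account needs an SPN for the federation service name -----
function Test-AdfsKerberosSpn {
    param([string]$AdfsHost = "adfs.contoso.com")
    # setspn -Q reports "Existing SPN found!" or "No such SPN found."
    $out = & setspn -Q "HOST/$AdfsHost" 2>&1
    $out
    if (($out -join "`n") -match "No such SPN") {
        Write-Warning "no HOST/$AdfsHost SPN; integrated sign-in to ADFS cannot use Kerberos and falls back to NTLM or prompts"
    }
}

# On ADFS:       Test-AdfsRelyingPartyForSharePoint -RpName "SharePoint 2010 Portal" -ExpectedIdentifier "urn:sharepoint:portal" -ExpectedWsFedEndpoint "https://portal.contoso.com/_trust/"
# On SharePoint: Test-SPTrustedIssuerForAdfs -IssuerName "ADFS" -ExpectedSigningThumbprint "<thumbprint printed by the ADFS check>"
# Any domain machine: Test-AdfsKerberosSpn -AdfsHost "adfs.contoso.com"
```

Run the ADFS check first: it prints the token-signing thumbprint and the relying party's TokenLifetime, which are the two inputs the SharePoint check needs. A renewed ADFS token-signing certificate (automatic certificate rollover is on by default in ADFS 2.0) shows up here as a thumbprint mismatch and is the usual cause of a SharePoint trust that worked last month and fails today.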


The Short Story


CBA


ADFS 2.0


Common Pitfalls




http://shannonbray.wordpress.com

Questions and Answers?

THANK YOU!!!