AIC Enterprise Federation Session - Microsoft

judgedrunkshipServers

Nov 17, 2013

Enterprise Identity

Speakers:
Steve Plank, Microsoft
Ivor Bright, Charteris
Dave Nesbitt, Oxford Computer Group

Agenda

Overview of Enterprise Federation Challenges/Solutions
Individual Group Discussions (led)
Large Group "Debate"

Extranet Access with Identity Federation

(Diagram: your EMPLOYEES on your NETWORK log on to Windows via Active Directory and get single sign-on inside your NETWORK to Exchange, SQL/file servers, web servers and app servers; your SUPPLIERS and their NETWORKS are shown alongside.)

ADFS Identity Federation

Projecting user identity from a single logon ...
Providing distributed authentication & claims-based authorization ...
Connecting islands (across security, organizational or platform boundaries) ...
Enabling web single sign-on & simplified identity management

ADFS Components

(Diagram: Client Web Browser, Federation Service, Web Server, Active Directory or ADAM, Federation Service Proxy, connected over HTTPS.)

Active Directory or ADAM
Authenticates users
Manages attributes
Windows 2000 or 2003

Federation Service (FS)
Security Token Service (STS)
Maps user attributes to claims
Issues security tokens
Manages federation trust policy
Requires IISv6, Windows 2003 R2

Federation Server Proxy (FSP)
Client proxy for token requests
Provides UI for browser clients: forms-based auth, home realm discovery
Requires IISv6, Windows 2003 R2

Web Agent
Enforces user authentication
Creates app authZ context from claims: NT impersonation and ACLs, ASP.NET IsInRole(), AzMan RBAC integration, ASP.NET Raw Claims API
Requires IISv6, Windows 2003 R2

ADFS Authentication Flow

(Diagram: A. Datum account forest and Trey Research resource forest; components shown are Internal Client, Account Security Token Service, Resource Security Token Service, Web Server and Active Directory.)

Centrify support for ADFS

DirectControl provides a cross-platform equivalent of the Microsoft ADFS SSO Agent for IIS6
Apache and popular J2EE web servers: BEA WebLogic, Apache Tomcat, IBM WebSphere, JBoss
Web agent is a direct drop-in for non-Microsoft web servers

Customer benefits
Simple and cost-effective entrance into the federated identity world
No modification of applications
Uses existing deployed infrastructure (AD)

Web SSO for non-IIS web servers

Quest support for ADFS

ADFS supported in Vintela Single Sign-on for Java V3.1
Existing Java apps need no modifications
VSJ 3.1 ADFS servlet filter will:
Support ADFS authentication for Java applications in the resource domain
Allow Java application servers to leverage an existing ADFS infrastructure
Enable federation of Java/J2EE applications within an ADFS-based trust fabric
Support NTLM, SPNEGO & WS-Federation based authentication
VSJ servlet filters work with any J2EE application server
No change required to the Java application: it "just works"

Web SSO for non-IIS web servers

Shibboleth Interoperability

Standards based, open source
Shibboleth System 1.3 release
Developing plug-ins for SAML 1.1 Identity and Service Providers
Support WS-Federation Passive Requestor Interoperability Profile
Enables interop with ADFS and other compliant vendor products
Sponsored by Microsoft and ADFS

WS-Federation

Web Services Federation Language
Defines messages to enable security realms to federate & exchange security tokens
BEA, IBM, Microsoft, RSA, VeriSign
Two "profiles" of the model defined:
Passive (browser) clients: HTTP/S
Active (smart) clients: SOAP

(Diagram: Security Token Service with an HTTP Receiver for HTTP messages and a SOAP Receiver for SOAP messages.)
Passive Requestor Profile

Binding of WS-Federation & WS-Trust for browser (passive) clients
Implicitly adhere to policy by following redirects
Implicitly acquire tokens via HTTP messages
Authentication requires secure transport (HTTPS)
Client cannot provide "proof of possession"
Tokens subject to replay
Limited (time based) token caching

Supported by ADFSv1 in W2K03 R2

Authentication Message Flow

Parties: Browser Client, Account STS, Web Server, Resource STS

GET (to Web Server)
Detect user's home realm
302 Redirect (to Resource STS)
302 Redirect (to Account STS)
Authenticate user
POST "Redirect" security token (to Resource STS)
POST "Redirect" security token (to Web Server)
200 OK response (from Web Server)
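The redirect chain above, as an added simulation that is not part of the deck: each hop is recorded, the Resource STS checks the Account STS token before issuing its own, and the web agent adds the time-bounded replay cache that the passive profile needs because tokens are subject to replay. The realm names, the JSON token layout and the HMAC keys are constructed stand-ins for the signed SAML tokens ADFS actually issues.

```python
import hashlib, hmac, itertools, json

KEYS = {"account-sts": b"adatum-key", "resource-sts": b"trey-key"}  # constructed
_IDS = itertools.count(1)
SEEN_IDS = set()  # web agent's replay cache of token IDs seen within their lifetime

def _mac(issuer, body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEYS[issuer], payload, hashlib.sha256).hexdigest()

def issue(issuer, subject, audience, now, lifetime=300):
    """STS issues a (constructed, HMAC-signed) token scoped to one audience."""
    body = {"id": f"{issuer}-{next(_IDS)}", "iss": issuer, "sub": subject,
            "aud": audience, "exp": now + lifetime}
    return {"body": body, "mac": _mac(issuer, body)}

def verify(token, issuer, audience, now):
    """Relying party checks: signature, expected issuer, audience and expiry."""
    body = token["body"]
    return (hmac.compare_digest(token["mac"], _mac(issuer, body))
            and body["iss"] == issuer and body["aud"] == audience
            and body["exp"] > now)

def web_agent(token, now):
    """Web agent on the web server: verify, then reject a token presented before.
    The cache only needs to hold IDs until the token's own expiry."""
    if not verify(token, "resource-sts", "app", now):
        return 401
    if token["body"]["id"] in SEEN_IDS:
        return 401  # same token POSTed twice: replay
    SEEN_IDS.add(token["body"]["id"])
    return 200

def passive_flow(user, now):
    """Browser hops from the message-flow slide; returns (hops, final status)."""
    hops = ["GET app (web server)",
            "302 -> resource STS (home realm discovery)",
            "302 -> account STS (authenticate user)"]
    acct_tok = issue("account-sts", user, "resource-sts", now)
    hops.append("POST account token -> resource STS")
    if not verify(acct_tok, "account-sts", "resource-sts", now):
        return hops, 401
    res_tok = issue("resource-sts", user, "app", now)  # claims are mapped here
    hops.append("POST resource token -> web server")
    return hops, web_agent(res_tok, now)
```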

Active Requestor Profile

Binding of WS-Federation & WS-Trust for SOAP/XML aware (active) clients
Explicitly determine token needs from policy
Explicitly request tokens via SOAP messages
Strong authentication of all requests
Client can provide "proof of possession"
Supports delegation: client can provide a token for use on its behalf
Allows rich token caching at client
Improved performance w/o security risk

Future ADFS release

Sample Flow: Active Client

Parties: Requesting Service, Identity Provider STS, Service Provider STS, Target Service

Fetch service policy
Fetch SP policy
Fetch IP policy
Request token (from Identity Provider STS)
Return token
Request token (from Service Provider STS)
Return token
Send secured request (to Target Service)
Return secured response

WS-Policy used to route client token requests
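Why the active profile can cache tokens "w/o security risk" where the passive one cannot, as an added example that is not from the deck: the STS returns a per-token proof key alongside the token, the client signs every secured request with it, and the target service accepts only requests that prove possession of that key. The proof key here is derived from a secret shared by the STS and the target service, a constructed stand-in for the encrypted proof key a real WS-Trust response carries; names and key values are assumptions.

```python
import hashlib, hmac, itertools, json

STS_SIGNING_KEY = b"constructed-sts-signing-key"     # checked by any relying party
STS_SERVICE_SHARED = b"constructed-sts-service-secret"  # known to STS and target service only
_IDS = itertools.count(1)

def _mac(key, obj):
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def proof_key_for(token_id):
    """Per-token proof key, derivable only by the STS and the target service."""
    return hmac.new(STS_SERVICE_SHARED, token_id.encode(), hashlib.sha256).digest()

def sts_issue(subject, audience, now, lifetime=3600):
    """WS-Trust style issue: signed token plus the proof key handed to the client."""
    body = {"id": f"tok-{next(_IDS)}", "sub": subject, "aud": audience, "exp": now + lifetime}
    return {"body": body, "sig": _mac(STS_SIGNING_KEY, body)}, proof_key_for(body["id"])

def client_request(token, proof_key, action, now):
    """Active client: each SOAP request carries the cached token and a MAC over
    the action and timestamp made with the proof key (proof of possession)."""
    return {"token": token, "action": action, "ts": now,
            "pop": _mac(proof_key, {"action": action, "ts": now})}

def service_accept(msg, now, max_skew=60):
    """Target service: STS signature, audience, expiry, freshness, then proof of possession."""
    token, body = msg["token"], msg["token"]["body"]
    if not hmac.compare_digest(token["sig"], _mac(STS_SIGNING_KEY, body)):
        return False
    if body["aud"] != "target-service" or body["exp"] <= now or abs(now - msg["ts"]) > max_skew:
        return False
    expected = _mac(proof_key_for(body["id"]), {"action": msg["action"], "ts": msg["ts"]})
    return hmac.compare_digest(msg["pop"], expected)
```

A captured token alone is useless to a replaying party: without the proof key it cannot sign a fresh request, and a replayed message fails the timestamp window.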

Review

Overview of Enterprise Federation Challenges/Solutions
Individual Group Discussions (led)
Large Group "Debate"