AD FS-2 A claims-based Identity Metasystem Henk Den Baes Technology Advisor Microsoft BeLux

Post on 22-Dec-2015


Page 1

AD FS-2: A claims-based Identity Metasystem

Henk Den Baes, Technology Advisor, Microsoft BeLux

Page 2

Agenda

• The access challenge
• Defining AD FS-2
• Federation with MS-online
  – Exchange
  – SharePoint
  – CRM, …
• Demo AD FS-2 & SharePoint by Bert Jansen (MCS Belgium)

Page 3

Agenda

• The access challenge
• Defining AD FS-2
• Federation with MS-online
  – Exchange
  – SharePoint
  – CRM, …
• Demo AD FS-2 & SharePoint by Bert Jansen (MCS Belgium)

Page 4

[Diagram: App1–App6 spread across Intranet, Extranet and Cloud, each backed by its own AD or DB; labels: SSO (intranet only), Separate Sign-in (×5), Additional Provisioning (×5), ILM]

Page 5

Defining the Problem: Working with identity is hard

• Applications must use different identity technologies in different situations:
  – Active Directory (Kerberos) inside a Windows domain
  – Username/password on the Internet
  – WS-Federation and the Security Assertion Markup Language (SAML) between organizations
• Why not define one approach that can be used in all of these cases?
  – Claims-based identity allows this
  – It can make life simpler for developers

Page 6

[Diagram: App1–App6 across Intranet, Extranet and Cloud, each now labelled "SSO and Claims"; FIM 2010]

“AD FS-2” enables apps and infrastructure to be more easily plugged together

Page 7

Authentication problem statement

• Every connected app must handle two functions
  – Authenticate user
  – Get information about user to drive app behavior
• Many different technologies to do this
  – Name/password, X.509, Kerberos, SAML, LDAP, …
  – Scenario drives technology choice
• Application bound to constraints of technology
  – But modern apps face increasing requirements: federation, strong authentication, SOA, cloud…
• Solution: claims-based identity
  – Abstraction layer hides detail of authenticating user, getting information about user
  – Application logic exposed to claims only; claims = information about the user
  – Change details after deployment without changing application code

Page 8

Agenda

• The access challenge
• Defining AD FS-2
• Federation with MS-online
  – Exchange
  – SharePoint
  – CRM, …
• Demo AD FS-2 & SharePoint by Bert Jansen (MCS Belgium)

Page 9

Identities

• Information about a person or object, i.e. users
• Traverses the network as an array of bytes, referred to as a token
  – In a claims-based scenario, the array of bytes carries claims

Page 10

Claims

• Claims carry pieces of information about the user

[Diagram: a Token containing several Claims (Name, Age, Location, …) and a Signature]

Page 11

Issuer

• Tokens are issued by Security Token Service (STS) software
• Identity providers (IP) can include Directory Services, Windows Live ID, etc.

Page 12

Claims Based Identity access

[Diagram: End User, Claims Provider, Application Server (Claims Framework, Your App); a trust relationship between Claims Provider and Application Server]

1. Authenticate
2. Look up claims, transform for app
3. Return claims
4. Send claims
5. Use claims

Page 13

Introducing AD FS-2

[Diagram: End User; Claims Provider = AD, ADFS-2 Server, FIM; Application Server = WIF Framework (Claims Framework), Your App; a trust relationship between the ADFS-2 Server and the Application Server]

1. Authenticate
2. Look up claims, transform for app
3. Return claims
4. Send claims
5. Use claims

Page 14

What is AD FS 2.0?

• Active Directory Federation Services 2.0 Server
  – Claims provider server
  – Federation trust manager
• Windows Identity Foundation
  – Framework for claims aware applications
• Windows CardSpace
  – Identity client for claims aware applications

Page 15

Client Sends Token from IP to RP

[Diagram: Identity Provider (IP), Client / User, Relying Party (RP)]

1. Client tries to access a resource
2. RP provides identity requirements policy
3. CardSpace shows which IPs can satisfy RP’s policy
4. User selects a Card
5. Request Security Token sent to IP by CardSpace
6. IP returns security token
7. User approves release of token
8. CardSpace releases Token to RP

Page 16

AD FS-2 Server Components

[Diagram: AD FS-2 Server (Management APIs and UX, Card Issuance, Token Issuance, Metadata) with an Account Store and a Policy Store; AD FS-2 Proxy (Token Issuance Proxy, Metadata Proxy); Internet Client and Intranet Client]

Page 17

Geneva Server Components

[Same component diagram, labelled Geneva Server / Geneva Proxy]

Geneva Clients:
• Web Browsers
• Windows CardSpace and Other Identity Selectors
• WS-* Aware Clients (WCF, etc.)

Page 18

AD FS-2 Server Components

[Same component diagram]

Geneva Policy Store:
• SQL Server

Page 19

AD FS-2 Server Components

[Same component diagram]

Geneva Server:
• Security Token Service for SOAP and browser clients
• Information card issuance web site
• Policy and service management

Page 20

What's Involved for the Developer?

1. Who are you?

Web.config (WIF): the app redirects unauthenticated users to the issuer and names itself by its realm.

    <federatedAuthentication enabled="true">
      <wsFederation issuer="https://sts1.contoso.com/FederationPassive/"
                    realm="http://web1.contoso.com/MyApp"
                    passiveRedirectEnabled="true" />
    </federatedAuthentication>

2. What can you do?

    using System.Linq;
    using System.Threading;
    using Microsoft.IdentityModel.Claims;   // WIF: IClaimsIdentity

    // caller is null if the request was not authenticated by WIF
    IClaimsIdentity caller = Thread.CurrentPrincipal.Identity as IClaimsIdentity;
    // Single() throws unless exactly one role claim is present
    string role = (from c in caller.Claims
                   where c.ClaimType == MyClaimTypes.Role
                   select c.Value).Single();

Page 21

Windows CardSpace: Selecting identities

• CardSpace provides a standard user interface for choosing an identity
  – Using the metaphor of cards
  – Choosing a card selects an identity (i.e., a token)

Page 22

“Geneva (ADFS) project is one of the most significant enhancements for future use and dissemination of the Identity Federation.” – Kuppinger Cole

Extend Access Across Organizations

EMPOWER BUSINESS
• Ability to move seamlessly between applications using a single identity
• Collaboration across organizations

EMPOWER IT
• No need to manage external accounts
• Simplified and flexible claims-based federation
• Common authentication controls for building custom applications

Source: Awards for Outstanding Identity Management Projects. Kuppinger Cole, May 2009. http://www.id-conf.com/blog/2009/05/07/awards-for-outstanding-identity-management-projects/

Page 23

Simplifying Access Management with Active Directory Federation Services 2

• Streamline User Access Management
• Enhance Application Security
• Interoperable & Adaptable
• Quick roll out of high value projects
• Manage Compliance
• Reduce TCO and leverage the cloud
• Simplify User Access
• Increase productivity
• Reduce password burden
• Improve Developer Productivity
• Open and Extensible

Page 24

Security Considerations

• Treat your AD FS-2 servers like domain controllers
• Your AD FS-2 Server admins are like domain administrators
• AD FS-2 includes claims policy language, which is extremely powerful
• Manage your certificates
  – Token signing protects from man-in-the-middle attacks
  – SSL validates the end-points

Server                 Token              Crypto             Administrator
Domain Controller      Kerberos or NTLM   Shared Secret      Domain Admin
Certificate Authority  x.509 certificate  Trusted chain      Certificate Admin
Federation Server      SAML               x.509 certificate  ???
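The claims flow of pages 12, 13 and 20 together with the token-signing point above, as an added example that is not part of the deck or of AD FS: the STS signs the claims it transformed for one realm, and the relying party accepts a token only from an issuer whose key it trusts, only for its own realm (the WIF `realm`) and only while unexpired, before a role claim reaches application logic. JSON and RSA-SHA256 stand in for the SAML assertion and its XML signature; the `memberOf` attribute, the `role` claim name and the ten-minute lifetime are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

// Token is the signed "array of bytes" from the deck; JSON + RSA-SHA256 stand in for SAML + XML-DSig (a simplification, not the AD FS wire format).
type Token struct {
	Issuer   string            `json:"iss"`    // STS that signed the token
	Audience string            `json:"aud"`    // relying-party realm it was issued for
	Expires  int64             `json:"exp"`    // Unix seconds (assumed 10-minute lifetime)
	Claims   map[string]string `json:"claims"` // e.g. "role" (assumed claim name)
	Sig      []byte            `json:"sig"`
}

// digest hashes the canonical token bytes (Sig cleared; sorted map keys keep it deterministic).
func digest(t Token) []byte {
	t.Sig = nil
	b, _ := json.Marshal(t)
	h := sha256.Sum256(b)
	return h[:]
}

// Issue is the STS side: transform directory attributes (assumed "memberOf") into the claims this realm expects, then sign.
func Issue(key *rsa.PrivateKey, issuer, realm string, attrs map[string]string, now time.Time) Token {
	t := Token{Issuer: issuer, Audience: realm, Expires: now.Add(10 * time.Minute).Unix(), Claims: map[string]string{"role": attrs["memberOf"]}}
	t.Sig, _ = rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(t))
	return t
}

// RoleFromToken is the relying-party side: trust = the issuer's public key (from federation metadata); verify the signature, then realm and expiry, then release the claim.
func RoleFromToken(t Token, trusted map[string]*rsa.PublicKey, realm string, now time.Time) (string, error) {
	pub, ok := trusted[t.Issuer]
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(t), t.Sig) != nil {
		return "", errors.New("untrusted issuer or invalid signature (token altered or forged)")
	}
	if t.Audience != realm || !now.Before(time.Unix(t.Expires, 0)) {
		return "", errors.New("token issued for another realm or expired")
	}
	if role := t.Claims["role"]; role != "" {
		return role, nil
	}
	return "", errors.New("role claim missing")
}
```

Note the order: the signature is verified before any field of the token is interpreted, so a realm or expiry check never runs on unauthenticated data.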

Page 25

Skills Required for Engagement considerations

• ADFS (obviously)
• PKI
• IIS
• HTTP
• Probably some development (WIF, custom STS)

Page 26

WS-* Protocol Support

                                                        AD FS1  AD FS2
WS-Federation 1.0 (Passive Requestor Interop Profile)    Y       Y
WS-Federation 1.2 (Min Passive Requestor Subset)         n/a     Y
    POST (push) Binding                                          Y
WS-Trust 2005 and 1.3 (aka Active Requestor Profile)     n/a     Y
    Issue                                                        Y
    Issue “OnBehalfOf” (proxy support)                           Y
    Issue “ActAs” (identity delegation)                          Y
WS-SecurityPolicy 1.2                                    n/a     Y

Page 27

SAML Token Support

                                              AD FS1  AD FS2
SAML 1.1 Tokens                                Y       Y
    Authentication & Attribute Statements      Y       Y
    Signed tokens                              Y       Y
    Encrypted tokens                           N       Y
SAML 2.0 tokens                                N       Y
    Authentication & Attribute Statements              Y
    Extensible claim type (any URI)                    Y
    Signed tokens                                      Y
    Encrypted tokens                                   Y
    Proof tokens (symmetric/asymmetric keys)           Y
    Authentication Context                             Y

Page 28

Federation/SSO Futures

• Authorization
  – Authorization Manager (AzMan) v.Next
  – Authorization server
• “U-Prove”: minimal disclosure tokens
  – Issued tokens that don’t inescapably contain correlation handles
  – Users can prove properties of encoded claims
    • Disclose subset of claims
    • Derived claims: age > 21 proof instead of disclosing DoB
    • Prove claim not equal to value (name not on deny list)
  – Offline/disconnected scenarios
• Identity selector for mobile platform

Page 29

Agenda

• The access challenge
• Defining AD FS-2
• Federation with MS-online
  – Exchange
  – SharePoint
  – CRM, …
• Demo AD FS-2 & SharePoint by Bert Jansen (MCS Belgium)

Page 30

How AD FS-2 is Changing Our Game

[Diagram: ADFS Server, ADFS Partners, SQL Authz Store]

Page 31

Federation with MS Online

[Diagram: on-premise AD FS-2 Server, trust, Microsoft Federation Gateway, trust, relying parties in Microsoft Online (SharePoint Online, Exchange Online, CRM Online); Corporate User; “Microsoft Federation Gateway Utility”]

Page 32

Authentication and Sign-On

How it works today                                        How it will work
Users have separate password for cloud services           Users log in to cloud services with domain credentials
Sign-in tool stores password to achieve SSO for Outlook   No Outlook sign-in tool required
Sign-in tool                                              Token-based referral via ADFS 2.0 (Geneva)

Page 33

Federated Identity using AD FS 2

AD FS-2 Server connects AD to the cloud for single sign-on

User benefits
• Same identity on-premises and in the cloud
• No need to manage separate passwords

Administrator benefits
• No sign-on application to manage across desktops
• Passwords not synchronized to the cloud
• Security control retained over user accounts
• No need to manually de-provision cloud users
• No changes to enterprise deployment of AD

Other benefits
• Supports multi-factor authentication for OWA
• Allows you to customize the OWA login page

[Diagram: AD FS-2 on Windows Server 2008. 1. Install AD FS 2; 2. Configure federated trust with Microsoft Online Services. Users are authenticated by the local AD FS-2 server]

Page 34

User Login Process with AD FS 2

[Diagram: Desktop (Browser, Outlook, Apps); Enterprise (Geneva, Active Directory); Microsoft Federation Gateway; Cloud (Exchange Online)]

1. User opens Outlook or clicks OWA URL and is taken to the AD FS-2 server for authentication
2. AD FS-2 server validates credentials with Active Directory
3. AD FS-2 server issues login token and posts it to the Federation Gateway
4. Federation Gateway validates token and transforms claims
5. Federation Gateway issues service token and posts it to the service
6. User accesses the service

Page 35

Comparing User Experiences: With and Without ADFS 2.0

[Table: password-prompt frequency per client (Outlook 2010 on Win 7, Outlook 2007 or 2010 on Vista/XP, Outlook 2007 on Win 7, OWA, ActiveSync/POP/IMAP, Entourage 2008 WS Ed.). With ADFS 2.0, using AD credentials: cells read “No prompt”**, “Once at setup” or “Each session”*. Without ADFS 2.0, using LiveID: Each session, Once at setup, Once at setup, Each session*, Each session*, Each session*]

*Teams are investigating patches for Outlook and Windows that would eliminate this prompt
**No prompt if logged on to the corporate network. Internet-based users will be prompted.

• With AD FS 2.0 in place, users access Online services using their domain credentials
• Password prompts are eliminated in some scenarios
• If AD FS 2.0 is not deployed, users access Online services using a LiveID
• The Microsoft Online Services Sign-in Tool will be retired

Page 36

Agenda

• The access challenge
• Defining AD FS-2
• Federation with MS-online
  – Exchange
  – SharePoint
  – CRM, …
• Demo AD FS-2 & SharePoint by Bert Jansen (MCS Belgium)

Page 37

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 38

Business Ready Security: The Road Ahead (Subject to Change)

[Roadmap chart: columns Earlier, CY 2009 H2, CY 2010 H1; rows Management, Protection & Access, Solutions, Platform; entries include Active Directory® Domain Services and DirectAccess]