AD FS

Integration of Directories and Federation
Javier Vasquez, Senior Technology Specialist, Federal Platforms Team, Microsoft

Posted 18-Nov-2014

DESCRIPTION

A very quick presentation, never finished for that reason, about Windows Server Federation Services in Windows Server 2008. Although it has many flaws in how the information is handled, such as mixed languages and too much data crammed onto the slides, it can serve as the basis for a better presentation.

TRANSCRIPT

Page 1: Ad fs

Integration of Directories and Federation

Javier Vasquez, Senior Technology Specialist, Federal Platforms Team, Microsoft

Page 2: Ad fs

Where it all began

Infrastructure directories: StreetTalk, NDS, AD

Application-specific directories: X.500, LDAP, AD/AM

Good for enterprises, hard to federate

Page 3: Ad fs

Windows IdM: Active Directory, the foundation for identity management

Central repository for:
• User accounts & attributes
• System accounts & attributes
• Organizational & security groups
• Application & service locations
• Management policy
• Security policy
• Digital certificates
• Network access permissions
• Printer locations
• File share locations
• …

Integrated security:
• Kerberos v5
• Mac OS Kerberos PAM
• X.509 certificates (PKI)
• Security domain

Directory access protocols:
• LDAP v3: standards-based access
• ADSI: simple COM-based interface
• DSML: XML interface

(Diagram: Active Directory)

http://www.microsoft.com/business/security/access/whpaper.mspx

Page 4: Ad fs

Reduced Enterprise Sign-on: Extending Windows SSO

Active Directory: logon to AD

UNIX: Services for UNIX provides NIS Server for AD, NIS-AD directory sync, password synchronization and user name mapping

390/AS400: Host Integration Server maps Windows accounts to RACF accounts and to the OS/400 security system, with bi-directional password synchronization

Kerberos application: Kerberos is the native AuthN protocol, MIT v5 compliant, and carries group info in the PAC; the Windows PAC is open, so SCO, Vintela and Java SSO work through Windows

Page 5: Ad fs

Reduced Enterprise IdM: LDAP Authentication & Directory Integration

Account directory: LDAP, SQL

Enterprise app: integrate LDAP with AD; LDAP v3 compliant; single AD and LDAP user account; AD/AM for personalization data

Microsoft Identity Integration Server (MIIS 2003):
• Directory synchronization: LDAP (e.g. SunONE & others), relational databases, DSML, application specific
• Account provisioning: automate account creation, automate account de-provisioning
• Password management (MIIS 2003): self-service password reset
• Certificate management

(Diagram: Exchange, Web Service, File Share and Applications synchronized with Active Directory through MIIS 2003)

Page 6: Ad fs

Extending Active Directory: newer concepts

ADAM, DSML gateway, distributed IdM, Web Services

Page 7: Ad fs

ADAM: Integrating an extended LDAP app with AD

• Store app data without extending the infrastructure DS schema
• App data keyed off an identifier from the infrastructure directory
• Maintain a central user repository!

(Diagram: a web app, client and server, stores and retrieves data; ADAM holds the data specific to the portal app, the infrastructure Active Directory holds the data shared by all apps; the user object is on the right and its "shadow" on the left)

Page 8: Ad fs

Extending Infrastructure AD with DSML

This is the URL to which we will post

Transport could be SOAP

HTTP DS Access

Page 9: Ad fs

Distributed IdM technologies: How do we distribute IdM services? ADFS and AZ-Manager

Page 10: Ad fs

Security in a Web Services World: IBM/MSFT white paper

WS-Security specification, ratified April 2004

(Stack diagram: Security; Privacy, Trust, Policy; Authorization, Federation, SecureConversation; SOAP Foundation. Today: Web Services Applications on top of Web Services Security)

WS-Security and Liberty Alliance: rich application stack vs. IdM stack; ID-WSF, the Web Services Framework; ID-FF, the Identity Federation Framework

Page 11: Ad fs

The Vision and Future of SSO: B2B Federated Single Sign-on

(Diagram: Exchange, Web Service, Collaboration and Intranet Applications behind Active Directory; the user holds a security token, e.g. a Kerberos ticket, issued from the user account/credentials; ADFS issues tokens for the WS-Security applications at Supplier A, which requires XrML, and Supplier B, which requires SAML)

Supplier A (requires XrML):
1. ADFS creates an XrML token
2. Signs it with the company's private key
3. Sends it back to the user
4. The user accesses Supplier A with the token

Supplier B (requires SAML):
1. ADFS creates a SAML token
2. Signs it with the company's private key
3. Sends the token back to the user
4. The user accesses Supplier B using the token

Page 12: Ad fs

ADFS Logon Server: SOAP rich-client proxy for browsers

(Diagram: Web Service, Active Directory, ADFS, web-based Logon Server, Web Front End; security token and security message flows)

User authenticates to the Logon Server (forms based)
ADFS validates the credentials with Active Directory
ADFS creates the requested security token
Logon Server returns the token to the client
Client forwards the token to the web front end
Front end sends a WS-Security message with the token to the web service

Page 13: Ad fs

Active Directory Federation Service Architecture

Federation Service (FS): issues security tokens for users; manages policy between federated security realms

Logon Service (LS): provides UI to authenticate users; proxies WS-*/SOAP protocols for passive (dumb) clients

Web Server SSO Agent: enforces user authentication; creates the user authorization context

Note: SSO Agent, LS & FS require IIS v6 on W2K03; LS and FS can be co-located; supports W2K or W2K03 forests

(Diagram: browser, FS, LS and Web Server with Application and SSO Agent, connected over HTTPS, SOAP and LDAP)

Page 14: Ad fs

Windows 2003 AzMan: Role-based access control (RBAC)

Authorization API; IIS6 URL Authorization

Policy definitions:
• Global app groups
• Applications
• Roles
• Tasks
• Operations
• Role assignments
• Scopes
• App groups
• BizRules

Business process applications (e-commerce, LOB applications, …)

Authorization Administration Manager: common management UI

Policy store: Active Directory or XML (files, SQL)
• Role definitions
• Role assignment

Authorization API: .NET Framework

Page 15: Ad fs

Discussion: Where do I extend and where do I federate?

Today integrate; tomorrow integrate and/or federate

Extend

Page 16: Ad fs

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Page 17: Ad fs

Active Directory Federation Service Architecture (same slide as Page 13)

Page 18: Ad fs

Federation Service

ASP.NET-hosted service running on IIS v6 on a W2K03 server

User authentication: validates ID/password via LDAP bind for forms-based logon

Security token generation: retrieves user attributes for claim generation from AD (or ADAM) via LDAP search; transforms claims (if required) between the internal & federation namespaces; builds the security token & returns it to the LS via WS-* SOAP messages; builds the "User SSO" cookie contents for the LS

Policy management: establishes authority to issue security tokens by PKI-based key distribution; defines supported token/claim types; manages trust and defines the shared namespace for federated security realms

(Diagram: browser, FS, LS and Web Server with Application and SSO Agent)

Page 19: Ad fs

Logon Service

(Diagram: browser, FS, LS and Web Server with Application and SSO Agent)

ASP.NET-hosted service running on IIS v6 on a W2K03 server

User authentication: provides UI for home realm discovery & forms-based logon; authenticates users for Windows integrated authN (SSL, Kerberos, NTLM); writes the "User SSO" cookie to the browser (similar to a Kerberos TGT)

Security token generation: requests the security token from the FS via WS-* SOAP messages; returns the token to the web server via a "POST redirect" through the browser

Page 20: Ad fs

Web Server SSO Agent

ISAPI extension for IIS v6 (need a functional equivalent for Unix/Linux)
• User authentication: intercepts URL GET requests & redirects unauthenticated clients to the LS; writes the "Web Server SSO" cookie to the browser (like a Kerberos service ticket)

Windows service
• User authorization: creates an NT token for impersonation (AD users only)

Managed web module (need a functional equivalent for Unix/Linux)
• Security token processing: validates the user's security token and parses the claims in the token
• User authorization: populates the ASP.NET IPrincipal context from claims to support IsInRole(); provides raw claims to the application

(Diagram: browser, FS, LS and Web Server with Application and SSO Agent)
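The token flow of Pages 12 and 18 to 20, issuance at the account organization's Federation Service and validation plus claim parsing at the Web Server SSO Agent, as an added Go example that is not part of the deck or of AD FS itself. It assumes a constructed JSON token in place of the SAML assertion, RSA PKCS#1 v1.5 signatures over SHA-256, and the constructed identifiers urn:fabrikam:fs and urn:contoso-portal.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Claim is one type/value pair, as carried in an AD FS security token.
type Claim struct{ Type, Value string }

// Token is the claim set the account organization's Federation Service issues
// (a constructed JSON stand-in for the SAML assertion on the slides).
type Token struct {
	Issuer    string  `json:"iss"` // account organization's Federation Service
	Audience  string  `json:"aud"` // resource-organization application it is for
	Subject   string  `json:"sub"`
	Claims    []Claim `json:"claims"`
	IssuedAt  int64   `json:"iat"`
	ExpiresAt int64   `json:"exp"`
}

// IsInRole is the IPrincipal-style query the SSO agent exposes to the application.
func (t *Token) IsInRole(role string) bool {
	for _, c := range t.Claims {
		if c.Type == "role" && c.Value == role {
			return true
		}
	}
	return false
}

// SignedToken is what the browser POSTs to the web server: the exact signed
// bytes plus the issuer's RSASSA-PKCS1-v1_5/SHA-256 signature over them.
type SignedToken struct{ Payload, Signature []byte }

// ClaimMap renames internal claim types to the federation namespace agreed with
// the partner; unmapped claims are dropped so internal attributes do not leak.
type ClaimMap map[string]string

func (m ClaimMap) Apply(in []Claim) (out []Claim) {
	for _, c := range in {
		if fed, ok := m[c.Type]; ok {
			out = append(out, Claim{Type: fed, Value: c.Value})
		}
	}
	return out
}

// IssueToken is the account-side Federation Service step: build the claim set
// and sign it with the organization's private key.
func IssueToken(priv *rsa.PrivateKey, issuer, audience, subject string,
	claims []Claim, now time.Time, ttl time.Duration) (SignedToken, error) {
	payload, err := json.Marshal(Token{Issuer: issuer, Audience: audience, Subject: subject,
		Claims: claims, IssuedAt: now.Unix(), ExpiresAt: now.Add(ttl).Unix()})
	if err != nil {
		return SignedToken{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return SignedToken{Payload: payload, Signature: sig}, err
}

// TrustPolicy maps partner Federation Service identifiers to the public keys
// exchanged out of band when the federation trust was established.
type TrustPolicy map[string]*rsa.PublicKey

// ValidateToken is the Web Server SSO Agent's check: trusted issuer, valid
// signature, right audience, inside the validity window. The issuer is read from
// the unverified payload only to pick a key; the signature check then binds it.
func (tp TrustPolicy) ValidateToken(st SignedToken, audience string, now time.Time) (*Token, error) {
	var tok Token
	if err := json.Unmarshal(st.Payload, &tok); err != nil {
		return nil, err
	}
	pub, ok := tp[tok.Issuer]
	if !ok {
		return nil, fmt.Errorf("issuer %q not in trust policy", tok.Issuer)
	}
	digest := sha256.Sum256(st.Payload)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], st.Signature); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	if tok.Audience != audience {
		return nil, fmt.Errorf("token issued for %q, not this application", tok.Audience)
	}
	if now.Unix() < tok.IssuedAt || now.Unix() >= tok.ExpiresAt {
		return nil, fmt.Errorf("token outside its validity period")
	}
	return &tok, nil
}

func main() {
	// Constructed scenario: account org "fabrikam" issues a token for resource app "contoso-portal".
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	claims := ClaimMap{"adGroup": "role", "mail": "email"}.Apply([]Claim{
		{"adGroup", "Purchasing"}, {"mail", "alice@fabrikam.example"}, {"employeeID", "4711"}})
	st, _ := IssueToken(priv, "urn:fabrikam:fs", "urn:contoso-portal", "alice", claims, time.Now(), time.Hour)
	trust := TrustPolicy{"urn:fabrikam:fs": &priv.PublicKey}
	tok, err := trust.ValidateToken(st, "urn:contoso-portal", time.Now())
	fmt.Println("accepted:", err == nil, "IsInRole(Purchasing):", err == nil && tok.IsInRole("Purchasing"))
}
```

The employeeID claim never reaches the partner because it has no entry in the ClaimMap, which is the namespace-transformation step the Federation Service slide describes.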

Page 21: Ad fs

Active Directory Roles

On Windows Server 2008, Active Directory-related roles have been separated into distinct functions:
• Active Directory Domain Services (AD DS)
• Active Directory Certificate Services (AD CS)
• Active Directory Federation Services (AD FS)
• Active Directory Lightweight Directory Services (AD LDS)
• Active Directory Rights Management Services (AD RMS)

Page 22: Ad fs

Active Directory Federation Services

Page 23: Ad fs

Active Directory Federation Services (AD FS)

A Windows Server® 2008 role that lets you build identity solutions that are:
• secure
• highly flexible
• multi-platform
• for Windows and non-Windows environments alike
• across the Internet

Page 24: Ad fs

Identity management beyond the boundaries of the organization

An identity and access management solution

It lets web-browser-based clients identify themselves transparently, "just once", to one or more protected applications reachable from the Internet

Across entirely different and independent networks

Page 25: Ad fs

Secondary credentials??? AD FS makes them unnecessary because it:
• allows trust relationships to be established
• projects digital identity and access rights to trusted partners

In a federated environment each organization keeps control of its own set of identities; AD FS:
• allows a secure exchange of identities from external organizations
• eases administration
• improves the user experience

Page 26: Ad fs

What's new in Windows Server 2008

New functionality that does not exist in Windows Server 2003 R2, easing administration and extending the support available to a number of key applications:

Improved installation: AD FS is included in Windows Server 2008 as a server role

AD FS integrates more tightly with Microsoft Office SharePoint® Server 2007 and with Active Directory Rights Management Services (AD RMS)

A better administration experience when establishing federated trust relationships: more advanced import and export of trust policies helps eliminate many of the configuration problems that commonly arise when establishing federations between organizations

Page 27: Ad fs

With ADFS, each company manages its own identities. But within a federated environment, each company can accept and provide permissions and/or access to identities from within another company. It all comes down to trust: the ability to trust accounts from one company without requiring a local account on your servers. This trust is called federated identity management and is the core behind ADFS. The biggest concern, logically, is security. All communication from one company's Active Directory to the other's ADFS is encrypted, and client access through the browser is also encrypted using SSL.

It's important to mention that ADFS is only for Web-based applications (like SharePoint). It's really a solution only for allowing external business partners or clients to access your Web application, while still allowing the partner or client to manage their identities.

Page 28: Ad fs

An easier installation as a server role, with all the necessary services (such as ASP.NET and IIS) being installed automatically with the role itself

Tighter integration with Active Directory RMS (Rights Management Services)

ADFS works with MOSS (Microsoft Office SharePoint Server) 2007 with an easy-to-configure single sign-on configuration for both intranet and extranet/Internet sites

Page 29: Ad fs

ADFS configuration is not so simple

Explaining ADFS is easy, but the design and configuration of ADFS is a tad bit more complicated than I've made it sound so far. The design alone can take forever, because you need to determine what you are truly looking to accomplish, and there are several methods to reach those goals. For example, do you want a Web single sign-on implementation, a federated Web single sign-on implementation, or a federated Web single sign-on implementation with Forest Trust? Knowing your goal is the key to getting started.

The implementation side depends not only on your design solution but also on the Web application you are looking to provide access to. Is it SharePoint, which already comes with claims-aware features, or will you create your own claims-aware application?

Page 30: Ad fs

Furthermore, you can deploy federation servers in multiple organizations to facilitate business-to-business (B2B) transactions between trusted partner organizations. Federated B2B partnerships identify business partners as one of the following types of organization:

Resource organization: Organizations that own and manage resources that are accessible from the Internet can deploy AD FS federation servers and AD FS-enabled Web servers that manage access to protected resources for trusted partners. These trusted partners can include external third parties or other departments or subsidiaries in the same organization.

Account organization: Organizations that own and manage user accounts can deploy AD FS federation servers that authenticate local users and create security tokens that federation servers in the resource organization use later to make authorization decisions.

The process of authenticating to one network while accessing resources in another network, without the burden of repeated logon actions by users, is known as single sign-on (SSO). AD FS provides a Web-based SSO solution that authenticates users to multiple Web applications over the life of a single browser session.

Page 31: Ad fs

AD FS role services

The AD FS server role includes federation services, proxy services, and Web agent services that you configure to enable Web SSO, federate Web-based resources, customize the access experience, and manage how existing users are authorized to access applications.

Depending on your organization's requirements, you can deploy servers running any one of the following AD FS role services:

Federation Service: The Federation Service comprises one or more federation servers that share a common trust policy. You use federation servers to route authentication requests from user accounts in other organizations or from clients that may be located anywhere on the Internet.

Federation Service Proxy: The Federation Service Proxy is a proxy to the Federation Service in the perimeter network (also known as a demilitarized zone and screened subnet). The Federation Service Proxy uses WS-Federation Passive Requestor Profile (WS-F PRP) protocols to collect user credential information from browser clients, and it sends the user credential information to the Federation Service on their behalf.

Claims-aware agent: You use the claims-aware agent on a Web server that hosts a claims-aware application to allow the querying of AD FS security token claims. A claims-aware application is a Microsoft ASP.NET application that uses claims that are present in an AD FS security token to make authorization decisions and personalize applications.

Windows token-based agent: You use the Windows token-based agent on a Web server that hosts a Windows NT token-based application to support conversion from an AD FS security token to an impersonation-level Windows NT access token. A Windows NT token-based application is an application that uses Windows-based authorization mechanisms.

Page 32: Ad fs

Installing the AD FS role

After you finish installing the operating system, a list of initial configuration tasks appears. To install AD FS, in the list of tasks, click Add roles, and then click Active Directory Federation Services.

Page 33: Ad fs

Managing the AD FS role

You can manage server roles with Microsoft Management Console (MMC) snap-ins. After you install AD FS, you can use the Active Directory Federation Services snap-in to manage both the Federation Service and Federation Service Proxy role services. To open this snap-in, click Start, click Administrative Tools, and then click Active Directory Federation Services.

To manage the Windows token-based agent, click Start, click Administrative Tools, click Internet Information Services (IIS) Manager, and then click Connect to localhost.

Page 34: Ad fs

Who will be interested in this feature?

AD FS is designed to be deployed in medium to large organizations that have the following:

• At least one directory service: either Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) (formerly known as Active Directory Application Mode (ADAM))
• Computers running various operating system platforms
• Domain-joined computers
• Computers that are connected to the Internet
• One or more Web-based applications

Review this information, along with additional documentation about AD FS, if you are any of the following:

• An information technology (IT) professional who is responsible for supporting an existing AD FS infrastructure
• An IT planner, analyst, or architect who is evaluating identity federation products

Page 35: Ad fs

Are there any special considerations?

If you have an existing AD FS infrastructure, there are some special considerations to be aware of before you begin upgrading federation servers, federation server proxies, and AD FS-enabled Web servers running Windows Server 2003 R2 to Windows Server 2008. These considerations apply only when you have AD FS servers that have been manually configured to use unique service accounts.

AD FS uses the Network Service account as the default account for both the AD FS Web Agent Authentication Service and the identity of the ADFSAppPool application pool. If you manually configured one or more AD FS servers in your existing AD FS deployment to use a service account other than the default Network Service account, track which of the AD FS servers use these unique service accounts and record the user name and password for each service account.

When you upgrade a server to Windows Server 2008, the upgrade process automatically restores all service accounts to their original default values. Therefore, you must enter service account information again manually for each applicable server after Windows Server 2008 is fully installed.
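An added inventory script, not part of this presentation, that records what the slide asks you to track before the upgrade: which account runs the AD FS Web Agent Authentication Service and which identity the ADFSAppPool application pool uses on each server, flagging any that differ from the Network Service default. It assumes Windows PowerShell 2.0 on a Windows Server 2003 R2 host with the IIS 6.0 WMI provider (root\MicrosoftIISv2) available; service passwords cannot be read back this way and must be recorded from your own password store.

```powershell
# Added example: inventory AD FS service-account settings before an in-place upgrade.
# Assumptions: Windows PowerShell 2.0 or later, run as a local administrator on each
# federation or Web Agent server, IIS 6.0 WMI provider (root\MicrosoftIISv2) present.
# Passwords are not retrievable here; record them separately for every custom account.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

# AppPoolIdentityType values as exposed by IIsApplicationPoolSetting in the IIS 6.0 provider.
$identityNames = @{ 0 = 'LocalSystem'; 1 = 'LocalService'; 2 = 'NetworkService'; 3 = 'SpecificUser' }

foreach ($server in $ComputerName) {
    # Service logon account: match on the display name named in the upgrade guidance,
    # so the internal service name does not have to be known.
    $svc = Get-WmiObject -ComputerName $server -Class Win32_Service |
        Where-Object { $_.DisplayName -like '*AD FS Web Agent Authentication*' }

    # Application pool identity for ADFSAppPool, read from the IIS 6.0 metabase via WMI.
    $pool = Get-WmiObject -ComputerName $server -Namespace 'root\MicrosoftIISv2' `
        -Class IIsApplicationPoolSetting -Filter "Name='W3SVC/AppPools/ADFSAppPool'"

    $poolIdentity = if ($pool) {
        if ($pool.AppPoolIdentityType -eq 3) { $pool.WAMUserName }
        else { $identityNames[[int]$pool.AppPoolIdentityType] }
    } else { '(ADFSAppPool not found)' }

    # Win32_Service reports Network Service as "NT AUTHORITY\NetworkService".
    $svcAccount = if ($svc) { $svc.StartName } else { '(service not found)' }

    # Anything other than the default is what the upgrade resets and what must be
    # re-entered by hand once Windows Server 2008 is fully installed.
    $needsReentry = ($svcAccount -notmatch 'NetworkService') -or ($poolIdentity -ne 'NetworkService')

    New-Object PSObject -Property @{
        Server          = $server
        WebAgentService = $svcAccount
        ADFSAppPool     = $poolIdentity
        NeedsReentry    = $needsReentry
    }
}
```

Pipe the output to Export-Csv to keep a per-server record alongside the passwords you store separately, then use that record to re-enter the accounts after the upgrade.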

Page 36: Ad fs

What new functionality does this feature provide?

For Windows Server 2008, AD FS includes new functionality that was not available in Windows Server 2003 R2. This new functionality is designed to ease administrative overhead and to further extend support for key applications:

Improved installation—AD FS is included in Windows Server 2008 as a server role, and there are new server validation checks in the installation wizard.

Improved application support—AD FS is more tightly integrated with Microsoft Office SharePoint® Server 2007 and Active Directory Rights Management Services (AD RMS).

A better administrative experience when you establish federated trusts—Improved trust policy import and export functionality helps to minimize partner-based configuration issues that are commonly associated with federated trust establishment.

Page 37: Ad fs

Improved installation

AD FS in Windows Server 2008 brings several improvements to the installation experience. To install AD FS in Windows Server 2003 R2, you had to use Add or Remove Programs to find and install the AD FS component. However, in Windows Server 2008, you can install AD FS as a server role using Server Manager.

You can use improved AD FS configuration wizard pages to perform server validation checks before you continue with the AD FS server role installation. In addition, Server Manager automatically lists and installs all the services that AD FS depends on during the AD FS server role installation. These services include Microsoft ASP.NET 2.0 and other services that are part of the Web Server (IIS) server role.

Page 38: Ad fs

Improved application support

AD FS in Windows Server 2008 includes enhancements that increase its ability to integrate with other applications, such as Office SharePoint Server 2007 and AD RMS.

Page 39: Ad fs

Integration with Office SharePoint Server 2007

Office SharePoint Server 2007 takes full advantage of the SSO capabilities that are integrated into this version of AD FS. AD FS in Windows Server 2008 includes functionality to support Office SharePoint Server 2007 membership and role providers. This means that you can effectively configure Office SharePoint Server 2007 as a claims-aware application in AD FS, and you can administer any Office SharePoint Server 2007 sites using membership and role-based access control. The membership and role providers that are included in this version of AD FS are for consumption only by Office SharePoint Server 2007.

Page 40: Ad fs

Integration with AD RMS

AD RMS and AD FS have been integrated in such a way that organizations can take advantage of existing federated trust relationships to collaborate with external partners and share rights-protected content. For example, an organization that has deployed AD RMS can set up federation with an external organization by using AD FS. The organization can then use this relationship to share rights-protected content across the two organizations without requiring a deployment of AD RMS in both organizations.

Page 41: Ad fs

Better administrative experience when establishing federated trusts

In both Windows Server 2003 R2 and Windows Server 2008, AD FS administrators can create a federated trust between two organizations using either a process of importing and exporting policy files or a manual process that involves the mutual exchange of partner values, such as Uniform Resource Identifiers (URIs), claim types, claim mappings, display names, and so on. The manual process requires the administrator who receives this data to type all the received data into the appropriate pages in the Add Partner Wizard, which can result in typographical errors. In addition, the manual process requires the account partner administrator to send a copy of the verification certificate for the federation server to the resource partner administrator so that the certificate can be added through the wizard.

Although the ability to import and export policy files was available in Windows Server 2003 R2, creating federated trusts between partner organizations is easier in Windows Server 2008 as a result of enhanced policy-based export and import functionality. These enhancements were made to improve the administrative experience by permitting more flexibility for the import functionality in the Add Partner Wizard. For example, when a partner policy is imported, the administrator can use the Add Partner Wizard to modify any values that are imported before the wizard process is completed. This includes the ability to specify a different account partner verification certificate and the ability to map incoming or outgoing claims between partners.

By using the export and import features that are included with AD FS in Windows Server 2008, administrators can simply export their trust policy settings to an .xml file and then send that file to the partner administrator. This exchange of partner policy files provides all of the URIs, claim types, claim mappings, and other values and the verification certificates that are necessary to create a federated trust between the two partner organizations.

Page 42: Ad fs

http://technet.microsoft.com/en-us/library/cc772313(WS.10).aspx

Page 43: Ad fs

What settings have been added or changed?

You configure Windows NT token-based Web Agent settings with the IIS Manager snap-in. To support the new functionality that is provided with Internet Information Services (IIS) 7.0, Windows Server 2008 AD FS includes user interface (UI) updates for the AD FS Web Agent role service. The following table lists the different locations in IIS Manager for IIS 6.0 or IIS 7.0 for each of the AD FS Web Agent property pages, depending on the version of IIS that is used.

Page 44: Ad fs
Page 45: Ad fs

AD FS Deployment Guide

http://technet.microsoft.com/en-us/library/cc771833(WS.10).aspx

Page 46: Ad fs

AD FS Design Guide

http://technet.microsoft.com/en-us/library/cc755132(WS.10).aspx

Page 47: Ad fs
Page 48: Ad fs
Page 49: Ad fs

http://www.google.com.ec/imgres?imgurl=http://blog.fpweb.net/wp-content/uploads/2009/02/federated-14.gif&imgrefurl=http://blog.fpweb.net/federated-identity-and-microsoft-adfs-illustrated/&usg=__mHc8qi8qn9Tx7JY3HS5BUhpBQTw=&h=250&w=400&sz=11&hl=es&start=15&um=1&itbs=1&tbnid=zbd94rEJw2rDNM:&tbnh=78&tbnw=124&prev=/images%3Fq%3DActive%2BDirectory%2BFederation%2BServices%26um%3D1%26hl%3Des%26sa%3DN%26tbs%3Disch:1