PowerPoint Presentation (transcript)

02/11/2015
Slide 1
Slide 3
| | Type of App | Identity | Issues/Problems |
| --- | --- | --- | --- |
| Last 10 years | PCs and servers | Microsoft AD | |
| Now & Future | ChromeOS, PC, iOS. Various web apps. Distributed. | GAfE, AzureAD, on-prem AD. | Password 1, Password 2, Password 3, Password 4 |

Federated – a way of connecting different, completely independent security realms/networks with each other such that the users in each realm can access resources in each of these realms.
Slide 4
Harry aka “The Baker” Williamson
William Harry’s dad
Slide 6
PROVISIONING
Simple, automated user provisioning.
Driven from existing data source: MIS
Onward provisioning of all your connected services.
AUTHENTICATION
Sign into your network from anywhere.
SSO from integrated devices.
Support many web SSO standards – makes app integration simpler.
AUTHORISATION
Simplify permissions with RBAC – Role based access control.
Network admin provides consent for data release to apps.
SELF SERVICE
Forgotten passwords
Self service password recovery via email or SMS.
App catalog – shop window of online resources for teachers.
PASSWORD MANAGEMENT
Self-service – reducing the burden.
Delegated password reset rights where appropriate.
COMPLIANCE
Enforce a user attribute release policy – only share minimal data with apps.
Audit key management tasks, e.g. password reset.
Reviewing hosting location of online services.
DEPROVISIONING
Automated via the starters-leavers process in MIS system.
Cascade of user delete to all connected apps.
Identity Lifecycle (diagram): Relationship starts… → Provisioning → Authentication → Authorisation → Self-Service → Password Management → Compliance → De-provisioning → Relationship ends…
Provisioning – the process of preparing a service for new users, prior to them accessing it
• In-advance provisioning – when the app must know about users before access
– Needs a data feed to be kept in sync with the Identity Provider
– E.g.: Office 365 Outlook (we must create the mailbox ahead of time)
• Just-in-time provisioning – when the app creates the account on the fly
– App knows the user is authorised by the Identity Provider
– App might receive a few data attributes about the user
– E.g.: Simple reading app (just needs to bookmark)
Slide 7
Service Provider / Identity Provider diagram (labels): TRUST; HARRY, Password XYZ; HARRY, R+W; HARRY = SMT
Kerberos ticket flow (KDC):
1. Encrypted authenticator package
2. Package decrypted & identity claim checked
3. TGT sent to client
4. TGT sent to KDC with request for ticket
5. Ticket for file server sent to client
6. Client access to file server via ticket
Slide 8
•https://sts.cloudready.ms/adfs/ls/?SAMLRequest=jZFRT4MwFIX%2FCun7KC3OjWaQ4PbgkqlkoA%2B%2BmAKdNCkt9hZ1%2F14GmkwfFl%2Fv%0APfc7p6cr4K3qWNq7Ru%2FFWy%2FAeZ%2Bt0sDGRYx6q5nhIIFp3gpgrmJ5erdj1A9Y%0AZ40zlVHISwGEddLotdHQt8Lmwr7LSjzudzFqnOuAYQyNLP1Kmb62gtdHvwWc%0AD6PSKOEaH8DgE5ni7CEvkLcZokjNT9AzhIM%2FBF4fACvAyNtuYvRSRSIiZXlN%0AwrlY0CriSxKGhNLDFeXhYjkfZAC92GpwXLsY0YCEM0JnQVQESxaEjCyekZd9%0AP%2BxG6lrq18stlJMI2G1RZLMp%2FJOwMAYfBChZnbpko7E9a%2Fcylv9UipJ%2FFbjC%0AZy6TZcfuB%2Bx2kxklq6OXKmU%2B1sOpEzEiCCfTye%2FfT74A%0A&RelayState=cookie%3A29002348&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=M0xoWQfcN3Yp94T2HiqIdJzEkxYqGc6hhopqi8xOI%2B2BtPSLufFDdQIF7z6Xjm6XdLq1MH9Av5xz2QWYs84ZYhlG3fHtZCjjaoI2wZqplRszHla%2BjtZoW20NGDepDsCRT0AKNkhe%2B4Yj3LshrM6EX5O3obx2Mypy8EcsoURkTF3kf1dwKqsGA3ka7ehbRmUQGJUXD0u4iFBog7YgkL4Q9FYMTanZeRo2X4%2FkAeNxT8ormKWJfYnAzg0F4Ku60zDd5N7jYu4XeyOsXDthEFI5H4WYucAprREl2hgSUI21J782kKzrslalIaJ5BKPIO50NPCIb5Sf6Zw4maLpZrFEfrw%3D%3
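The URL above carries a SAML 2.0 AuthnRequest in the HTTP-Redirect binding (deflated, base64-encoded, URL-encoded). The following is an added example, not code from the slides, RM Unify or AD FS: it builds such a URL from a constructed request, decodes it the way an IdP (or a defender inspecting logs) would, and shows which query fields the Signature parameter covers; the issuer, request ID and hostnames are made-up sample values.

```python
"""SAML 2.0 HTTP-Redirect binding: encode and decode a SAMLRequest parameter.
Added illustration; issuer, request ID and hostnames are constructed samples."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit, parse_qs, quote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AuthnRequest from a hypothetical service provider.
SAMPLE_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_example123" Version="2.0" IssueInstant="2015-11-02T09:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.test/saml/acs">'
    '<saml:Issuer>https://sp.example.test</saml:Issuer></samlp:AuthnRequest>'
)

def encode_redirect_url(idp_sso_url: str, authn_request_xml: str, relay_state: str) -> str:
    """Redirect binding: raw DEFLATE (no zlib header), then base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw deflate stream
    raw = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(raw).decode("ascii"),
                       "RelayState": relay_state})
    return f"{idp_sso_url}?{query}"

def decode_redirect_url(url: str) -> dict:
    """Return the request fields worth logging or checking on the IdP side."""
    params = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15).decode("utf-8"))
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {"id": root.get("ID"),
            "issuer": issuer.text if issuer is not None else None,
            "acs_url": root.get("AssertionConsumerServiceURL"),
            "relay_state": params.get("RelayState", [None])[0],
            "signed": "Signature" in params}

def signed_query_string(params: dict) -> str:
    """The bytes a redirect-binding Signature is verified over: SAMLRequest,
    RelayState (if present) and SigAlg, URL-encoded, in that order, joined by '&'.
    In production use the encoded values exactly as received, not re-encoded ones."""
    parts = ["SAMLRequest=" + quote(params["SAMLRequest"], safe="")]
    if "RelayState" in params:
        parts.append("RelayState=" + quote(params["RelayState"], safe=""))
    parts.append("SigAlg=" + quote(params["SigAlg"], safe=""))
    return "&".join(parts)

if __name__ == "__main__":
    url = encode_redirect_url("https://idp.example.test/adfs/ls/", SAMPLE_REQUEST, "state-001")
    print(decode_redirect_url(url))
```

An unsigned request like this one is valid SAML, but an IdP that accepts unsigned AuthnRequests is trusting the AssertionConsumerServiceURL supplied by whoever built the link, so matching it against the registered relying-party metadata matters.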
Slide 9
• https://sts.cloudready.ms/adfs/oauth2/authorize?response_type=code&client_id=3fb2a37f-4ced-409c-937c-dddd776f4dfd&redirect_uri=https://www.davetestapp.com&resource=https://www.davetestapp.com
WEB1 / DB1 diagram:
1. Client needs access. Authenticates
2. WEB1 checks with main identity provider
3. Client needs access
4. DB1 checks with main identity provider
Slide 11
Diagram labels: MIS → RM Unify (AD Sync) → User accounts; Sign in → Authentication