
Post on 31-Oct-2019


TRANSCRIPT

9/21/2006 3:48 PM

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Identity Federation

Daniel Meyer
Identity and Access Management Lead, EMEA
Microsoft EMEA HQ

Agenda

• Federation - Why?
• General Concepts
• ADFS - Overview

What changed?

• Your EMPLOYEES on your NETWORK
• Your PARTNERS and their NETWORKS
• Your REMOTE and MOBILE EMPLOYEES
• Your CUSTOMERS
• Your SUPPLIERS and their NETWORKS

Drivers: customer satisfaction, cost competitiveness, reach, personalization; collaboration, outsourcing, process automation, value chain; mergers & acquisitions, mobile/global workforce, flexible/temp workforce.

Services as Identities

[Diagram: application-to-application interaction. Rich interactions (Office, real-time communications such as Live Meeting), rich client devices & apps and web browsers talk to web services and web servers, spanning the organization, the Internet and partner web services.]

Extranets Proliferate User Accounts

[Diagram: inside your NETWORK, Active Directory gives your EMPLOYEES single sign-on after Windows logon to Exchange, SQL/file servers, web servers and app servers; your SUPPLIERS and their NETWORKS sit outside that boundary.]

The Business Drivers

[Diagram: Identity Management at the centre, linked to four drivers: Reduce Costs, Improve Service & Productivity, Improve Security, Assure Compliance. Surrounding requirements and capabilities: Remote Access, Strong AuthN, Role-based Access, Protect Systems, DRM, SOX, Basel II, HIPAA DS ..., Help-Desk, Centralize, Automate Processes, Pre-Audit Checks, Delegated Admin, Self Service, Single Sign-On, Federation, Single Password, In-Synch Data.]


Identity Federation Goals

• Projecting user identity from a single logon ...
• Providing distributed authentication & claims-based authorization ...
• Connecting islands (across security, organizational or platform boundaries) ...
• Enabling web single sign-on & simplified identity management

Security Tokens & Claims

Distributed authentication/authorization: security tokens assert claims.

Claims - Statements authorities make about security principals (name, identity, key, group, privilege, capability, etc).

[Diagram: token types. Signed tokens: X.509, Kerberos, XrML, SAML. Proof of possession: secret key, password.]

Security Token Service

[Diagram: a Security Token Service and a Kerberos Key Distribution Center, each issuing tokens.]

A security token service issues security tokens.

STSs can "swap" tokens as a request crosses security domain boundaries.

Tokens in the Real World

[Diagram: a client obtains a token from one STS, exchanges it at a second STS for another token, and presents that token to the relying party (RP).]

Main benefits of a Federation Architecture

• Regulatory Compliance: no accounts for external users protects privacy; out-bound auditing of external user access
• End User Productivity: one account, one password, one logon
• IT/Helpdesk Efficiency: no active external user accounts; no external user password resets; may need shadow accounts
• Security: automatic termination of external user access; no risk from orphaned external user accounts


WS-* Metasystem Architecture

[Diagram: a Subject with an Identity Selector chooses among Identity Providers, each fronted by a Security Token Server (Kerberos, SAML, X.509 or custom security) described by WS-SecurityPolicy, and presents the resulting tokens to Relying Parties. Identity providers and relying parties interact over WS-Trust and WS-MetadataExchange.]


ADFS Identity Federation

Projects AD identities to other security realms.

[Diagram: the Account Provider (aDatum.com namespace, A. Datum account forest) runs Federation Server FS-A; the Resource Provider (TreyResearch.net namespace, Trey Research resource forest) runs Federation Server FS-R.]

Federation Servers manage:
• Trust - keys
• Security - claims required
• Privacy - claims allowed
• Audit - identities, authorities
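The token swap the slides describe, written out as an added Go example (not code from the deck or from ADFS): the account-partner STS (aDatum.com, FS-A) issues a signed token for the resource partner, and the resource-partner STS (TreyResearch.net, FS-R) verifies it against the key it trusts, applies its own required/allowed claims policy and re-issues a token under its own key for a web application in its realm. The JSON token layout, the SHA-256/PKCS#1 v1.5 signing, the claim names (upn, group, email), the application name "purchasing" and the user are assumptions for the example; ADFS itself issues SAML 1.1 assertions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Token: claims an issuer asserts about a subject for one audience, plus the
// issuer's RSA signature over the JSON payload (assumed format for this example).
type Token struct {
	Issuer    string            `json:"issuer"`
	Audience  string            `json:"audience"`
	Subject   string            `json:"subject"`
	NotAfter  int64             `json:"not_after"`
	Claims    map[string]string `json:"claims"`
	Signature []byte            `json:"-"` // excluded from the signed bytes
}

// payload is the signed byte string; json.Marshal sorts map keys, so it is deterministic.
func (t *Token) payload() []byte { b, _ := json.Marshal(t); return b }

// STS models a federation server and what the slide says it manages: trust (keys),
// security (claims required), privacy (claims allowed); Name is the issuing authority.
type STS struct {
	Name     string
	Key      *rsa.PrivateKey
	Trusted  map[string]*rsa.PublicKey // issuer -> key whose tokens we accept
	Required map[string][]string       // audience -> claims that must be present
	Allowed  map[string][]string       // audience -> claims that may be released
	Now      func() time.Time
}

// Issue enforces the claims policy for the audience, then signs the token.
func (s *STS) Issue(subject, audience string, claims map[string]string, ttl time.Duration) (*Token, error) {
	for _, c := range s.Required[audience] {
		if _, ok := claims[c]; !ok {
			return nil, fmt.Errorf("%s: required claim %q missing for %s", s.Name, c, audience)
		}
	}
	released := map[string]string{}
	for _, c := range s.Allowed[audience] { // privacy: anything not listed is dropped
		if v, ok := claims[c]; ok {
			released[c] = v
		}
	}
	t := &Token{Issuer: s.Name, Audience: audience, Subject: subject,
		NotAfter: s.Now().Add(ttl).Unix(), Claims: released}
	h := sha256.Sum256(t.payload())
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.Key, crypto.SHA256, h[:])
	t.Signature = sig
	return t, err
}

// Verify is what every consumer (the next STS or the web agent) must do before
// trusting a claim: trusted issuer, right audience, unexpired, valid signature.
func (s *STS) Verify(t *Token) error {
	pub, ok := s.Trusted[t.Issuer]
	switch {
	case !ok:
		return fmt.Errorf("%s: untrusted issuer %q", s.Name, t.Issuer)
	case t.Audience != s.Name:
		return fmt.Errorf("%s: token was issued for %q, not us", s.Name, t.Audience)
	case !s.Now().Before(time.Unix(t.NotAfter, 0)):
		return fmt.Errorf("%s: token expired", s.Name)
	}
	h := sha256.Sum256(t.payload())
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], t.Signature)
}

// Swap is the cross-boundary step: verify the account partner's token, then
// re-issue under our own key and policy for an application in our realm.
func (s *STS) Swap(in *Token, audience string, ttl time.Duration) (*Token, error) {
	if err := s.Verify(in); err != nil {
		return nil, err
	}
	return s.Issue(in.Subject, audience, in.Claims, ttl)
}

// Scenario wires up FS-A (aDatum.com, account partner) and FS-R (TreyResearch.net,
// resource partner) with a constructed user and returns the token the purchasing
// application receives, plus both servers so callers can exercise them further.
func Scenario() (*Token, *STS, *STS, error) {
	now := func() time.Time { return time.Date(2006, 9, 21, 15, 48, 0, 0, time.UTC) }
	keyA, _ := rsa.GenerateKey(rand.Reader, 2048)
	keyR, _ := rsa.GenerateKey(rand.Reader, 2048)
	fsA := &STS{Name: "aDatum.com", Key: keyA, Now: now,
		Required: map[string][]string{"TreyResearch.net": {"upn"}},
		Allowed:  map[string][]string{"TreyResearch.net": {"upn", "group", "email"}}}
	fsR := &STS{Name: "TreyResearch.net", Key: keyR, Now: now,
		Trusted:  map[string]*rsa.PublicKey{"aDatum.com": &keyA.PublicKey},
		Required: map[string][]string{"purchasing": {"group"}},
		Allowed:  map[string][]string{"purchasing": {"upn", "group"}}} // email never reaches the app
	claims := map[string]string{"upn": "alice@adatum.com", "group": "Purchasers", "email": "alice@adatum.com"}
	tokA, err := fsA.Issue("alice", "TreyResearch.net", claims, time.Hour)
	if err != nil {
		return nil, fsA, fsR, err
	}
	tokApp, err := fsR.Swap(tokA, "purchasing", 10*time.Minute)
	return tokApp, fsA, fsR, err
}

func main() { tok, _, _, err := Scenario(); fmt.Printf("%+v %v\n", tok, err) }
```

The two failure paths are the ones to keep in mind: a token whose claims were edited after signing fails Verify at FS-R, and an account partner that cannot supply a required claim never gets a token issued. A relying party that reads Claims off a token without running the Verify checks has no federation, only a trusted network.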

ADFS Authentication Flow

B2B: Federated Web SSO
• Partners do NOT need local accounts
• Web-based Purchasing & Inventory Control apps
• Partner employees use their corporate AD accounts
• Intranet UX: Web SSO after Windows desktop logon
• Internet UX: Web SSO after Forms-based logon or SSL client authN


B2E: Web SSO + Forest Trust
Single sign-on for HQ & "Road Warrior" users
• Web-based Wholesale Order Entry app in DMZ
• All employees have accounts in intranet AD
• Intranet UX: Web SSO after Windows desktop logon
• Internet UX: Web SSO after Forms-based logon or SSL client authN

B2C: Classic Web SSO
Classic Web SSO for Internet customers
• Web-based Retail Order Entry & Customer Service apps
• Customers issued user accounts in DMZ (AD or ADAM)
• Internet UX: Web SSO after Forms-based logon

ADFS Security Tokens

• SAML 1.1 assertion syntax
• WS-Trust RequestSecurityTokenResponse
• Tokens are not encrypted; all messages are over HTTPS. Because the assertion itself is cleartext, TLS on every hop is what protects the claim values in transit.
• Tokens are signed; vendor interoperable (default): signed with the RSA private key, signature verified with the public key from the X.509 certificate
• ADFS internal key management (optional): FS-R tokens for the Web Agent can be signed with the Kerberos session key
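What the relying party side of this slide has to do with such a token, as an added Go example (not code from the deck or from ADFS): build a SAML 1.1-shaped assertion, sign it with the federation server's RSA private key, and verify it with the public key taken from the server's X.509 certificate before checking the validity window and audience. The assertion shape (issuer, conditions, authentication statement, one Group attribute), the detached signature over the serialized bytes standing in for an enveloped XML-DSig signature, the SHA-256 digest, and all names and URNs are assumptions for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/xml"
	"fmt"
	"math/big"
	"time"
)

// Attribute is one claim inside the SAML 1.1 AttributeStatement.
type Attribute struct {
	Name   string   `xml:"AttributeName,attr"`
	Values []string `xml:"AttributeValue"`
}

// Assertion models the parts of a SAML 1.1 assertion a relying party must check
// before it trusts any attribute in it.
type Assertion struct {
	XMLName    xml.Name `xml:"urn:oasis:names:tc:SAML:1.0:assertion Assertion"`
	Issuer     string   `xml:"Issuer,attr"`
	Conditions struct {
		NotBefore    string   `xml:"NotBefore,attr"`
		NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
		Audiences    []string `xml:"AudienceRestrictionCondition>Audience"`
	} `xml:"Conditions"`
	Subject    string      `xml:"AuthenticationStatement>Subject>NameIdentifier"`
	Attributes []Attribute `xml:"AttributeStatement>Attribute"`
}

// SignedToken stands in for the RequestSecurityTokenResponse payload: the serialized
// assertion plus a detached RSA signature over exactly those bytes (assumed here in
// place of the enveloped XML-DSig signature ADFS embeds; the checks are the same).
type SignedToken struct{ Assertion, Signature []byte }

// NewIssuer creates a federation server signing key and its self-signed X.509
// certificate. Relying parties are configured with the certificate, never the key.
func NewIssuer(cn string) (*rsa.PrivateKey, []byte, error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Date(2006, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2008, 1, 1, 0, 0, 0, 0, time.UTC),
		KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

// Issue serializes the assertion and signs it with the issuer's RSA private key.
func Issue(key *rsa.PrivateKey, a Assertion) (SignedToken, error) {
	b, _ := xml.Marshal(a) // cannot fail for this struct
	h := sha256.Sum256(b)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return SignedToken{Assertion: b, Signature: sig}, err
}

// Verify is the relying party's side: public key out of the configured X.509
// certificate, signature first, then validity window, then audience. Only after
// all three may the attributes feed an authorization decision.
func Verify(certDER []byte, tok SignedToken, audience string, now time.Time) (*Assertion, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	h := sha256.Sum256(tok.Assertion)
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], tok.Signature) != nil {
		return nil, fmt.Errorf("signature does not verify under %s", cert.Subject.CommonName)
	}
	var a Assertion
	if err := xml.Unmarshal(tok.Assertion, &a); err != nil {
		return nil, err
	}
	nb, err1 := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	na, err2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err1 != nil || err2 != nil || now.Before(nb) || !now.Before(na) {
		return nil, fmt.Errorf("assertion has no usable Conditions or is outside its validity window")
	}
	for _, aud := range a.Conditions.Audiences {
		if aud == audience {
			return &a, nil
		}
	}
	return nil, fmt.Errorf("assertion not issued for audience %s", audience)
}

// SampleAssertion is a constructed token for alice, valid for one hour after the
// deck's timestamp and addressed to the Trey Research purchasing application.
func SampleAssertion() Assertion {
	var a Assertion
	a.Issuer, a.Subject = "urn:federation:adatum", "alice@adatum.com"
	a.Conditions.NotBefore, a.Conditions.NotOnOrAfter = "2006-09-21T15:48:00Z", "2006-09-21T16:48:00Z"
	a.Conditions.Audiences = []string{"urn:federation:treyresearch:purchasing"}
	a.Attributes = []Attribute{{Name: "Group", Values: []string{"Purchasers"}}}
	return a
}

func main() {
	key, cert, _ := NewIssuer("fs.adatum.com")
	tok, _ := Issue(key, SampleAssertion())
	fmt.Printf("%s\n", tok.Assertion) // cleartext on the wire: this is why every hop is HTTPS
	_, err := Verify(cert, tok, "urn:federation:treyresearch:purchasing", time.Date(2006, 9, 21, 15, 50, 0, 0, time.UTC))
	fmt.Println("verify:", err)
}
```

The order of the checks is the point: nothing in the assertion is read for a decision until the signature verifies against the configured certificate, and a wrong audience, an expired NotOnOrAfter, or a certificate from a different issuer are all hard failures. The printed assertion shows why the slide insists on HTTPS: the group claim is readable by anyone holding the bytes.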

Shibboleth Interoperability

• Shibboleth project sponsored by Microsoft and ADFS
• Shibboleth System 1.3 release: developing plug-ins for SAML 1.1 Identity and Service Providers
• Support WS-Federation Passive Requestor Interoperability Profile: enables interop with ADFS and other compliant vendor products
• Shibboleth beta version available now; need "qualified" customers for testing


CardSpace - End-to-end

Parties: Identity Provider (IP), Relying Party (RP), Client (InfoCard), User.

1. Client would like to access a resource
2. RP communicates the token's requirements
3. InfoCard filters cards that satisfy the requirements
4. User selects a card
5. The selected card specifies where to get the token. InfoCard also passes RP's requirements to IP
6. IP generates the token based on RP's requirements
7. User approves the release of token
8. Token is released to RP. RP can make authorization decisions based on the token

[Slide artwork: sample cards. "Bob Kelly, 1306 - 2523, fabrikam"; "Washington State ID, Bob Kelly, Exp 6/12/2008"; "Anonymous"; "My Card".]


What's in a Card?

Name: Alice's Book Club Card
Expires: 9/15/2006
Image
Issuer: Fabrikam
Supported Claims: { GivenName, LastName, Address, City, ... }
Issuer Token Service EPRs
Supported Token Type: { SAML 1.1 }
...

[Slide artwork: the card "Alice's Book Club Card" for Alice Woodward, 1306 - 2523, Exp 9/15/2006, issued by Fabrikam.]

Claim values are owned by the Identity Provider: the card lists which claims its issuer can assert, not their values.
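Steps 2 to 8 of the CardSpace flow above, together with the card metadata on this slide, as an added Go example (not code from the deck or from CardSpace): the relying party's requirements, the selector's card filter (expiry, issuer, token type, supported claims), the identity provider issuing a token with only the requested claims, and the user's approval gate. The wallet contents, the second card, its issuer, the claim values and the token service URLs are constructed for the example; the book club card keeps the 9/15/2006 expiry from the slide, so against the deck's 9/21/2006 date it is filtered out.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Card is what the identity selector keeps for the user: who issued it, what it
// can assert, which token types, and where the issuer's token service is. The
// claim values are not in the card; they stay with the identity provider.
type Card struct {
	Name            string
	Issuer          string
	Expires         time.Time
	SupportedClaims []string
	TokenServiceEPR string   // issuer token service endpoint reference (assumed URL)
	TokenTypes      []string // e.g. "SAML 1.1"
}

// Policy is the token requirement the relying party publishes in step 2.
type Policy struct {
	RequiredClaims []string
	TokenType      string
	Issuer         string // empty: any issuer is acceptable
}

// IdentityProvider owns the claim values behind each card it issued.
type IdentityProvider struct {
	Name   string
	Values map[string]map[string]string // card name -> claim -> value
}

// Token is the IP's answer in step 6: only the claims the RP asked for.
type Token struct {
	Issuer string
	Claims map[string]string
}

func contains(set []string, x string) bool {
	for _, s := range set {
		if s == x {
			return true
		}
	}
	return false
}

// Satisfies is the step-3 filter: unexpired, acceptable issuer, supported token
// type, and every required claim available from this card's issuer.
func (c Card) Satisfies(p Policy, now time.Time) bool {
	if !now.Before(c.Expires) || (p.Issuer != "" && p.Issuer != c.Issuer) || !contains(c.TokenTypes, p.TokenType) {
		return false
	}
	for _, cl := range p.RequiredClaims {
		if !contains(c.SupportedClaims, cl) {
			return false
		}
	}
	return true
}

func FilterCards(cards []Card, p Policy, now time.Time) []Card {
	var out []Card
	for _, c := range cards {
		if c.Satisfies(p, now) {
			out = append(out, c)
		}
	}
	return out
}

// Issue builds a token with exactly the requested claims and nothing more.
func (ip *IdentityProvider) Issue(card Card, p Policy) (Token, error) {
	vals, ok := ip.Values[card.Name]
	if !ok || card.Issuer != ip.Name {
		return Token{}, fmt.Errorf("card %q was not issued by %s", card.Name, ip.Name)
	}
	t := Token{Issuer: ip.Name, Claims: map[string]string{}}
	for _, cl := range p.RequiredClaims {
		v, ok := vals[cl]
		if !ok {
			return Token{}, fmt.Errorf("%s holds no value for claim %q", ip.Name, cl)
		}
		t.Claims[cl] = v
	}
	return t, nil
}

// Run plays steps 3 to 8 for one request: filter, user chooses (an index into the
// filtered list), the card's issuer generates the token, user approves release.
func Run(cards []Card, ips map[string]*IdentityProvider, p Policy, now time.Time,
	choose func([]Card) int, approve func(Token) bool) (Token, error) {
	eligible := FilterCards(cards, p, now)
	if len(eligible) == 0 {
		return Token{}, errors.New("no card satisfies the relying party's requirements")
	}
	card := eligible[choose(eligible)]
	ip, ok := ips[card.Issuer]
	if !ok {
		return Token{}, fmt.Errorf("token service %s unreachable", card.TokenServiceEPR)
	}
	tok, err := ip.Issue(card, p)
	if err != nil {
		return Token{}, err
	}
	if !approve(tok) {
		return Token{}, errors.New("user declined to release the token")
	}
	return tok, nil
}

// SampleWallet is a constructed wallet loosely after the cards on the slides;
// the state ID card, its claims and every value are invented for the example.
func SampleWallet() ([]Card, map[string]*IdentityProvider) {
	cards := []Card{
		{Name: "Alice's Book Club Card", Issuer: "Fabrikam", Expires: time.Date(2006, 9, 15, 0, 0, 0, 0, time.UTC),
			SupportedClaims: []string{"GivenName", "LastName", "Address", "City"},
			TokenServiceEPR: "https://sts.fabrikam.example/issue", TokenTypes: []string{"SAML 1.1"}},
		{Name: "Washington State ID", Issuer: "Washington State", Expires: time.Date(2008, 6, 12, 0, 0, 0, 0, time.UTC),
			SupportedClaims: []string{"GivenName", "LastName", "Address", "City", "DateOfBirth"},
			TokenServiceEPR: "https://id.wa.example/sts", TokenTypes: []string{"SAML 1.1"}},
	}
	ips := map[string]*IdentityProvider{
		"Fabrikam": {Name: "Fabrikam", Values: map[string]map[string]string{"Alice's Book Club Card": {
			"GivenName": "Alice", "LastName": "Woodward", "Address": "1 Main St", "City": "Redmond"}}},
		"Washington State": {Name: "Washington State", Values: map[string]map[string]string{"Washington State ID": {
			"GivenName": "Alice", "LastName": "Woodward", "Address": "1 Main St", "City": "Redmond", "DateOfBirth": "1970-01-01"}}},
	}
	return cards, ips
}

func main() {
	cards, ips := SampleWallet()
	fmt.Println(Run(cards, ips, Policy{RequiredClaims: []string{"GivenName", "LastName", "City"}, TokenType: "SAML 1.1"},
		time.Date(2006, 9, 21, 0, 0, 0, 0, time.UTC), func([]Card) int { return 0 }, func(Token) bool { return true }))
}
```

Two properties fall out of the design: the card never carries claim values, so a copy of the selector's store yields metadata rather than an identity; and the identity provider releases only what the policy requested, so a relying party that asks for City never learns DateOfBirth even though the issuer holds it.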

[Slide: Microsoft identity and security product map. Guidance; Developer Tools; Systems Management; Active Directory Federation Services (ADFS); Identity Management; Services; Information Protection: Encrypting File System (EFS), BitLocker™; Network Access Protection (NAP); Client and Server OS; Server Applications; Edge.]

We just scratched the surface...
