Enterprise Identity: Steve Plank – Microsoft, Ivor Bright – Charteris, Dave Nesbitt – Oxford Computer Group

Dec 29, 2015

Page 1

Enterprise Identity

Steve Plank – Microsoft

Ivor Bright – Charteris

Dave Nesbitt – Oxford Computer Group

Page 2

Agenda

• Overview of Enterprise Federation Challenges/Solutions

• Individual Group Discussions (led)

• Large Group “Debate”

Page 3

Extranet Access with Identity Federation

Active Directory

Logon to Windows

Single Sign-on inside your NETWORK

Exchange

SQL/File Servers

Web Servers

App Servers

Your SUPPLIERS and their NETWORKS

Your EMPLOYEES on your NETWORK

Page 4

ADFS Identity Federation

• Projecting user Identity from a single logon …

• Providing distributed authentication & claims-based authorization …

• Connecting islands (across security, organizational or platform boundaries) …

• Enabling web single sign-on & simplified identity management

Page 5

ADFS Components


Client Web Browser

Federation Service

Web Server

Active Directory or ADAM

Federation Service Proxy

HTTPS

Page 6

ADFS Components

Diagram (as on Page 5): Client Web Browser, Federation Service, Federation Service Proxy, Web Server, Active Directory or ADAM, connected over HTTPS

Active Directory or ADAM

• Authenticates users

• Manages attributes

• Windows 2000 or 2003

Page 7

ADFS Components

Diagram (as on Page 5): Client Web Browser, Federation Service, Federation Service Proxy, Web Server, Active Directory or ADAM, connected over HTTPS

Federation Service (FS)

• Security Token Service (STS)

• Maps user attributes to claims

• Issues security tokens

• Manages federation trust policy

• Requires IISv6 Windows 2003 R2

Page 8

ADFS Components

Diagram (as on Page 5): Client Web Browser, Federation Service, Federation Service Proxy, Web Server, Active Directory or ADAM, connected over HTTPS

Federation Server Proxy (FSP)

• Client proxy for token requests

• Provides UI for browser clients

• Forms based auth

• Home realm discovery

• Requires IISv6 Windows 2003 R2

Page 9

ADFS Components

Diagram (as on Page 5): Client Web Browser, Federation Service, Federation Service Proxy, Web Server, Active Directory or ADAM, connected over HTTPS

Web Agent

• Enforces user authentication

• Creates app authZ context from claims

• NT Impersonation and ACLs

• ASP.NET IsInRole()

• AzMan RBAC integration

• ASP.NET Raw Claims API

• Requires IISv6 Windows 2003 R2

Page 10

ADFS Authentication Flow

Internal Client

Resource Security Token Service

Account Security Token Service

Web Server

Active Directory

A. Datum Account Forest

Trey Research Resource Forest

Page 11

Centrify support for ADFS

• DirectControl provides cross-platform equivalent of Microsoft ADFS SSO Agent for IIS6

• Apache and popular J2EE web servers

• BEA WebLogic

• Apache Tomcat

• IBM Websphere

• JBoss

• Web agent is a direct drop-in for non-Microsoft web servers

• Customer benefits

• Simple and cost effective entrance into the Federated identity world

• No modification of applications

• Uses existing deployed infrastructure (AD)

Web SSO for non-IIS web servers

Page 12

Quest support for ADFS

• ADFS supported in Vintela Single Sign-on for Java V3.1

• Existing Java apps need no modifications

• VSJ 3.1 ADFS servlet filter will:

• Support ADFS authentication for Java applications in the resource domain

• Allow Java application servers to leverage an existing ADFS infrastructure

• Enable federation of Java/J2EE applications within ADFS-based trust fabric

• Support NTLM, SPNEGO & WS-Federation based authentication

• VSJ servlet filters work with any J2EE application server

• No change required to the Java application – it “just works”

Web SSO for non-IIS web servers

Page 13

Shibboleth Interoperability

• Standards based, open source

• Shibboleth System 1.3 release

• Developing plug-ins for SAML 1.1 Identity and Service Providers

• Support WS-Federation Passive Requestor Interoperability Profile

• Enables Interop with ADFS and other compliant vendor products

Sponsored by Microsoft and ADFS

Page 14

WS-Federation

• Web Services Federation Language

• Defines messages to enable security realms to federate & exchange security tokens

• BEA, IBM, Microsoft, RSA, VeriSign

• Two “profiles” of the model defined

• Passive (Browser) clients – HTTP/S

• Active (Smart) clients – SOAP

Diagram: a Security Token Service exchanging HTTP messages with an HTTP Receiver (passive profile) and SOAP messages with a SOAP Receiver (active profile)

Page 15

Passive Requestor Profile

• Binding of WS-Federation & WS-Trust for browser (passive) clients

• Implicitly adhere to policy by following redirects

• Implicitly acquire tokens via HTTP msgs

• Authentication requires secure transport (HTTPS)

• Client cannot provide “proof of possession”

• Tokens subject to replay

• Limited (time based) token caching

Supported by ADFSv1 in W2K03 R2

Page 16

Authentication Message Flow

Participants: Browser Client, Account STS, Web Server, Resource STS

GET (to Web Server)

Detect user’s home realm

302 Redirect (to Resource STS)

302 Redirect (to Account STS)

Authenticate User

POST “Redirect” security token (to Resource STS)

POST “Redirect” security token (to Web Server)

200 OK Response (from Web Server)
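The redirect chain on this slide, together with the “tokens subject to replay” caveat from the Passive Requestor Profile slide, as an added Python model that is not code from the presentation or from ADFS. It goes a step beyond the slides by spelling out the relying-party checks each hop performs (trusted issuer, signature, audience, validity window, replay cache); the realm names, HMAC keys and claim-to-role map are constructed assumptions standing in for the STS signing certificates and the federation trust policy, while wa, wtrealm and whr are the real WS-Federation passive query parameters.

```python
import hashlib, hmac, json
from urllib.parse import urlencode

# Constructed trust fabric (assumption): HMAC keys stand in for the STS signing certificates.
ACCOUNT_STS = {"realm": "urn:adatum:sts", "key": b"adatum-signing-key"}
RESOURCE_STS = {"realm": "urn:treyresearch:sts", "key": b"trey-signing-key"}
APP_REALM = "urn:treyresearch:app"                              # the web agent's wtrealm
CLAIM_MAP = {"Sales": "Purchaser", "Managers": "Approver"}      # Resource STS trust policy
REPLAY_CACHE = {RESOURCE_STS["realm"]: set(), APP_REALM: set()}  # one cache per relying party

def signin_redirect(sts_url, realm, home_realm=None):
    """302 target of the passive profile: wa=wsignin1.0, wtrealm, plus whr after home realm discovery."""
    q = {"wa": "wsignin1.0", "wtrealm": realm}
    if home_realm:
        q["whr"] = home_realm
    return sts_url + "?" + urlencode(q)

def issue(sts, subject, audience, claims, now, ttl=300):
    """Signed stand-in for the SAML 1.1 assertion ADFSv1 issues (issuer, subject, audience, validity, id)."""
    body = {"iss": sts["realm"], "sub": subject, "aud": audience, "claims": claims,
            "nbf": now, "exp": now + ttl, "id": f"{subject}:{audience}:{now}"}  # real assertions use a random id
    raw = json.dumps(body, sort_keys=True).encode()
    return raw.hex() + "." + hmac.new(sts["key"], raw, hashlib.sha256).hexdigest()

def verify(token, trusted, audience, now):
    """Relying-party checks. The replay cache mitigates 'tokens subject to replay': a passive
    client gives no proof of possession, so validity window plus seen-id cache is all the receiver has."""
    raw, sig = token.split(".")
    raw = bytes.fromhex(raw)
    body = json.loads(raw)
    sts = trusted.get(body["iss"])
    if sts is None or not hmac.compare_digest(
            sig, hmac.new(sts["key"], raw, hashlib.sha256).hexdigest()):
        raise ValueError("untrusted issuer or bad signature")
    if body["aud"] != audience or not body["nbf"] <= now < body["exp"]:
        raise ValueError("wrong audience or outside validity window")
    if body["id"] in REPLAY_CACHE[audience]:
        raise ValueError("replayed token")
    REPLAY_CACHE[audience].add(body["id"])
    return body

def passive_signin(user, groups, now):
    """Slide-16 flow: Account STS issues, Resource STS verifies and re-issues with mapped claims, the web agent verifies again."""
    account_token = issue(ACCOUNT_STS, user, RESOURCE_STS["realm"], {"group": groups}, now)
    inbound = verify(account_token, {ACCOUNT_STS["realm"]: ACCOUNT_STS}, RESOURCE_STS["realm"], now)
    roles = sorted(CLAIM_MAP[g] for g in inbound["claims"]["group"] if g in CLAIM_MAP)
    app_token = issue(RESOURCE_STS, inbound["sub"], APP_REALM, {"role": roles}, now)
    ctx = verify(app_token, {RESOURCE_STS["realm"]: RESOURCE_STS}, APP_REALM, now)
    return {"user": ctx["sub"], "roles": ctx["claims"]["role"], "token": app_token}
```

Each STS only trusts the issuer on the other side of its federation trust and only accepts tokens addressed to its own realm, so a token captured at one hop cannot be presented at another, and the same token presented twice at the same hop is refused by the replay cache.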

Page 17

Active Requestor Profile

• Binding of WS-Federation & WS-Trust for SOAP/XML aware (active) clients

• Explicitly determine token needs from policy

• Explicitly request tokens via SOAP msgs

• Strong authentication of all requests

• Client can provide “proof of possession”

• Supports delegation

• Client can provide token for use on its behalf

• Allows rich token caching at client

• Improved performance w/o security risk

Future ADFS release

Page 18

Sample Flow: Active Client

Participants: Requesting Service, Identity Provider STS, Target Service, Service Provider STS

Fetch IP policy

Request token

Return token

Request token

Return token

Send secured request

Return secured response

Fetch SP policy

Fetch service policy

WS-Policy used to route client token requests

Page 19

Review

• Overview of Enterprise Federation Challenges/Solutions

• Individual Group Discussions (led)

• Large Group “Debate”

• http://blogs.charteris.com/blogs/IvorB

• [email protected]