Identity Federation
Daniel Meyer, Identity and Access Management Lead, EMEA, Microsoft EMEA HQ

Agenda
Federation - Why?
General Concepts
ADFS - Overview

What changed?
(diagram) Your EMPLOYEES on your NETWORK; Your PARTNERS and their NETWORKS; Your REMOTE and MOBILE EMPLOYEES; Your CUSTOMERS; Your SUPPLIERS and their NETWORKS
Drivers: Customer satisfaction, Cost competitiveness, Reach, personalization, Collaboration, Outsourcing, Process automation, Value chain, Mergers & Acquisitions, Mobile/global workforce, Flexible/temp workforce

Services as Identities
(diagram) Application to Application; Rich Interactions - Office - Real time Communications - Live Meeting; Rich Client Devices & Apps; Web Browsers; Web Services; Web Server; Internet; Organization; Partner

Extranets Proliferate User Accounts
(diagram) Active Directory logon to Windows: Single Sign-on inside your NETWORK (Exchange, SQL/File Servers, Web Servers, App Servers); Your SUPPLIERS and their NETWORKS; Your EMPLOYEES on your NETWORK

The Business Drivers
Identity Management: Reduce Costs, Improve Service & Productivity, Improve Security, Assure Compliance
Improve Security: Remote Access, Strong AuthN, Role-based Access, Protect Systems, DRM
Assure Compliance: SOX, Basel II, HIPAA, DS ...
Reduce Costs: Help-Desk, Centralize, Automate Processes, Pre-Audit Checks, Delegated Admin, Self Service
Improve Service & Productivity: Single Sign-On, Federation, Single Password, In-Synch Data
Federation - Why?
General Concepts
Identity Federation
(diagram) Identity Provider: Issuer, Token Service EPRs, Supported Token Type: {SAML 1.1} …; sample card: Alice Woodward 1306 - 2523 Exp 9/15/2006
Claims – Statements authorities make about security principals (name, identity, key, group, privilege, capability, etc).
(diagram) Security tokens: Signed; token formats X.509, Kerberos, XrML, SAML; Proof of Possession by Secret Key or Password; issued by a Security Token Service or a Key Distribution Center
A security token service issues security tokens
STSs can "swap" tokens as a request crosses security domain boundaries
Tokens in the Real World
(diagram) STS issues token; token presented to a second STS, which issues its own token; token presented to RP. Sample token text: "she sells sea shells she sells sea shells"
Main benefits of a Federation Architecture
Regulatory Compliance: No accounts for external users protects privacy; Out-bound auditing of external user access
End User Productivity: One account, One password, One logon
No active external user accounts; No external user password resets; May need shadow accts
Automatic termination of external user access; No risk from orphaned external user accounts
ADFS Authentication Flow

B2B: Federated Web SSO
Partners do NOT need local accounts
Web-based Purchasing & Inventory Control apps
Partner employees use their corporate AD accounts
Intranet UX: Web SSO after Windows desktop logon
Internet UX: Web SSO after Forms-based logon or SSL client authN

B2E: Web SSO + Forest Trust
Single sign-on for HQ & "Road Warrior" users
Web-based Wholesale Order Entry app in DMZ
All employees have accounts in intranet AD
Intranet UX: Web SSO after Windows desktop logon
Internet UX: Web SSO after Forms-based logon or SSL client authN

B2C: Classic Web SSO
Classic Web SSO for Internet customers
Web-based Retail Order Entry & Customer Service apps
Customers issued user accounts in DMZ (AD or ADAM)
Internet UX: Web SSO after Forms-based logon
Tokens are not encrypted
All messages are over HTTPS
Tokens are signed
Vendor interoperable (default)
Signed with RSA private key; signature verified with the public key from the issuer's X.509 certificate
ADFS internal key management (optional)
FS-R tokens for the Web Agent can be signed with the Kerberos session key
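The two slides above describe the token model (signed, unencrypted tokens whose RSA signature is checked with the public key from the issuer's X.509 certificate) and the STS "swap" as a request crosses a domain boundary. The Go program below is an added example, not code from this deck or from ADFS. It uses a hypothetical JSON claim set in place of a SAML 1.1 assertion and made-up issuer names (partner.example, resource.example): the partner STS issues a signed token, the resource STS verifies it against the partner certificate and re-issues the same claims under its own key, the relying party verifies the result, and a token whose readable payload was edited in transit is rejected.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// Claims: statements an STS makes about a principal (hypothetical JSON shape
// standing in for the SAML 1.1 assertion the deck refers to).
type Claims struct {
	Subject string   `json:"sub"`
	Issuer  string   `json:"iss"`
	Groups  []string `json:"groups"`
	Expires int64    `json:"exp"` // Unix seconds
}

// Token is signed but NOT encrypted, as in the deck: anyone holding it can read the payload.
type Token struct {
	Payload   []byte // canonical JSON of Claims
	Signature []byte // RSA PKCS#1 v1.5 over SHA-256(Payload)
}

// STS holds an RSA signing key and a self-signed X.509 certificate carrying the public key.
type STS struct {
	key  *rsa.PrivateKey
	Cert *x509.Certificate
}

func NewSTS(name string) (*STS, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &STS{key: key, Cert: cert}, err
}

// Issue signs the claims with the STS's private key; the issuer name comes from its certificate.
func (s *STS) Issue(c Claims) (Token, error) {
	c.Issuer = s.Cert.Subject.CommonName
	payload, _ := json.Marshal(c) // marshalling this plain struct cannot fail
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA256, digest[:])
	return Token{Payload: payload, Signature: sig}, err
}

// Verify is the relying party's (or next STS's) check: signature against the public key
// in the issuer's certificate, then issuer name and expiry, before any claim is trusted.
func Verify(issuer *x509.Certificate, t Token, now time.Time) (Claims, error) {
	if err := issuer.CheckSignature(x509.SHA256WithRSA, t.Payload, t.Signature); err != nil {
		return Claims{}, fmt.Errorf("signature check failed: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(t.Payload, &c); err != nil {
		return Claims{}, err
	}
	if c.Issuer != issuer.Subject.CommonName {
		return Claims{}, fmt.Errorf("issuer %q does not match certificate subject", c.Issuer)
	}
	if now.Unix() >= c.Expires {
		return Claims{}, fmt.Errorf("token expired")
	}
	return c, nil
}

// Swap is the cross-domain step: verify the partner STS's token against the partner's
// certificate, then re-issue the same claims under this STS's own key.
func (s *STS) Swap(partner *x509.Certificate, in Token, now time.Time) (Token, error) {
	c, err := Verify(partner, in, now)
	if err != nil {
		return Token{}, err
	}
	return s.Issue(c)
}

// Tamper edits the readable payload without re-signing; Verify must reject the result.
func Tamper(t Token) Token {
	var c Claims
	_ = json.Unmarshal(t.Payload, &c)
	c.Groups = append(c.Groups, "Domain Admins")
	p, _ := json.Marshal(c)
	return Token{Payload: p, Signature: t.Signature}
}

func main() {
	partner, _ := NewSTS("partner.example")
	resource, _ := NewSTS("resource.example")
	tok, _ := partner.Issue(Claims{Subject: "alice", Groups: []string{"Purchasing"}, Expires: time.Now().Add(time.Hour).Unix()})
	swapped, err := resource.Swap(partner.Cert, tok, time.Now())
	fmt.Println(string(swapped.Payload), err)
	_, err = Verify(resource.Cert, Tamper(swapped), time.Now())
	fmt.Println("tampered:", err)
}
```

The tampered token fails with a signature error: the payload is readable and editable, but the signature no longer matches it. In a real federation the partner certificate is the one exchanged when the trust is configured, and HTTPS only protects the token in transit; what the relying party actually relies on is the signature, the issuer name and the expiry.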
Shibboleth Interoperability
Shibboleth project sponsored by Microsoft and ADFS
Shibboleth System 1.3 release
Developing plug-ins for SAML 1.1 Identity and Service Providers
Support WS-Federation Passive Requestor Interoperability Profile
Enables interop with ADFS and other compliant vendor products
Shibboleth Beta version available now
Need "qualified" customers for testing
(diagram) Sample card: Name: Alice's Book Club Card; Expires: 9/15/2006; Image; Issuer: Fabrikam; Supported Claims: {