
Identity Management in Windows Server 2003 R2: Active Directory Federation Services

Olav Tvedt, Ementor

What Will We Cover?
Identity Management
New and improved features in R2
What Active Directory Federation Services (ADFS) is, and what it does
How ADFS works

Helpful Experience
Knowledge of Active Directory
Understanding of Certificates
Authentication and authorization methods
IIS and Web application principles

Level 300

Agenda
Identity Management
Active Directory Application Mode (ADAM)
UNIX Identity Management
Active Directory Federation Services (ADFS)

Identity Management Vision
Past: Application Silos; ID for Each System; Integration Internally
Present: Custom Integration; Identity Internal & External Focused; Limit to Biz Value; High cost to value
Future: Connected Systems; Identity Built to Extend; Federation; Low cost to value

Identity Management in Windows Server 2003 R2
Contains improvements, additions, and new features
  Active Directory Application Mode (ADAM)
  UNIX Identity Management
  Active Directory Federation Services (ADFS): key new feature

Agenda
Identity Management
ADAM
UNIX Identity Management
ADFS

What is ADAM
A mode of Active Directory
Lightweight, domain-independent
Intended for application directory scenarios

ADAM Improvements
Active Directory to ADAM Synchronizer tool
Active Directory Schema Analyzer tool
Newer version of LDP tool
User Password Chaining

Agenda
Identity Management
ADAM
UNIX Identity Management
ADFS

UNIX Identity Management: Challenges of Interoperation
[Diagram: UNIX servers and workstations alongside Windows servers and workstations]

UNIX Identity Management: Objective of Interoperation
Goal: Efficient cross-platform user management
Consolidate administration and monitoring across platforms
Manage Windows and UNIX-based systems with the same tools

Server for NIS
Makes a Windows Server 2003 Active Directory into an NIS master server
[Diagram, before: UNIX NIS servers (master and subordinates) serving NIS clients, alongside Windows servers]
[Diagram, after: the Windows server is the NIS master; the UNIX NIS servers are subordinates serving the NIS clients]

UNIX Password Synchronization
Pull NIS schema into Active Directory
Bidirectional Password Sync, user name mapping
Supported on several common platforms
Mapping Server
  Map Windows User and Group Accounts to UNIX
  Tested on Sun Solaris 8 & 9, HP-UX 11i, IBM AIX 5L 5.2 and Red Hat 9.0, but should work on all LDAP-based versions

Agenda
Identity Management
ADAM
UNIX Identity Management
ADFS

Federated Identity Management
Federation: trust-based relationships across organizations
Benefits:
  Accelerates creation of relationships
  Standardization for integration with partners
  Security

What is ADFS?
Active Directory-based ID federation
Simplified, secure sharing of digital identities across security boundaries
Web single sign-on
Interoperability via Web Services (WS-*)

ADFS: Standards-based Solution
[Diagram: Now: HTTP messages, HTTP Receiver. Future: SOAP messages, SOAP Receiver. Both feed the Security Token Service. AD Users and .Net Apps sit on the Active Directory Federation Services side; Java, Unix, Linux Users and Apps sit on the side of IBM, PingID, BMC, Oracle, CA, Quest, RSA, Centrify and others; the two sides are linked by WS-Federation]

ADFS Architecture
[Diagram: components connected over HTTPS and LPC/Web Methods; Windows Authentication/LDAP to AD or ADAM]

ADFS Requirements
Federation Service, Federation Service Proxy, and ADFS Web Service Agent must have:
  Internet Information Server (IIS) 6.0
  ASP.NET
  Microsoft .NET Framework 2.0
  Transport Layer Security and Secure Sockets Layer (TLS/SSL) X.509 certificate (Federation Service only)

ADFS Requirements (continued)
ADFS requires Active Directory or ADAM
Domain controllers must be:
  Windows Server 2003 Service Pack 1 (SP1)
  Windows Server 2003 R2
  Windows 2000 with Service Pack 4 (SP4)

ADFS: How it works
[Diagram: A. Datum Account Forest with Active Directory and an Account Federation Server; Trey Research Resource Forest with a Resource Federation Server and a Web Server; a Federation Trust links the two federation servers; an Internal Client accesses the Web Server]

Certificates
Certificates used by the Federation Service
  Token Signing Certificates
  Verification Certificates
Certificates used by the Federation Proxy Service
  SSL Client Authentication Certificate

ADFS Authentication Methods
Windows Integrated (intranet), recommended
  Uses the session generated when logging on to a Windows machine
Client Certificate
  The web browser receives a request to present a client certificate, and the user may choose which certificate to present
Forms-based
  Presents a customizable web page to the user requesting credentials
Basic
  The web browser presents the standard username/password dialog

Claims-aware Federation Process
Configure environments
Create claims
Create claim transforms
Establish trust
Enable the claims for the application
See the ADFS Reference on TechNet: http://go.microsoft.com/fwlink/?LinkId=54635

ADFS-enabled Applications
Implements the ADFS API or an API that consumes claims
ASP.NET 2.0 application

Application Authorization Using Claims
Claims are statements made about users
Used for authorization purposes in an application
Three types of claims
  Identity: Email, User Principal Name (UPN), Common Name
  Group
  Custom

Understanding Transforms
Transforms are instructions that map claims between partners
Used by the resource partner to make authorization decisions

Establishing Trust
Assumes proper partner relationship agreements
Carefully consider security ramifications
Method for transfer of certificates between organizations
Mechanics:
  Account partner must transfer token signing certificate to resource
  Resource uses ADFS snap-in to establish trust and enable account partner
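The certificate roles, claim transforms and claim-based authorization from the preceding slides, as an added example in Go that is not part of this deck: the account partner signs a token with its token-signing key, the resource partner verifies it with the verification certificate (the account partner's token-signing certificate, transferred out of band), maps incoming group claims to its own group names, and the application authorizes on the transformed claims only. The token layout, the group mapping and the user and group names are constructed stand-ins; only the group claim-type URI is ADFS's own.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)
// GroupClaim is the WS-Federation claim-type URI ADFS uses for group claims.
const GroupClaim = "http://schemas.xmlsoap.org/claims/Group"
// Claim is one statement about a user; Token is a constructed stand-in for a signed SAML token.
type Claim struct{ Type, Value string }
type Token struct{ Claims []Claim; Sig []byte }
// NewKey makes a stand-in for a token-signing certificate's key pair.
func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
// digest hashes a canonical, quoted rendering of the claims (real tokens use XML-DSig).
func digest(claims []Claim) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%q", claims)))
	return sum[:]
}
// Issue signs the claims with the account partner's token-signing key.
func Issue(signing *rsa.PrivateKey, claims []Claim) (Token, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, signing, crypto.SHA256, digest(claims))
	return Token{claims, sig}, err
}
// Verify uses the verification certificate: the account partner's token-signing cert, received out of band.
func Verify(verification *rsa.PublicKey, t Token) bool {
	return rsa.VerifyPKCS1v15(verification, crypto.SHA256, digest(t.Claims), t.Sig) == nil
}
// Transform is the resource partner's transform: mapped groups renamed, unmapped dropped, others pass through.
func Transform(mapping map[string]string, in []Claim) (out []Claim) {
	for _, c := range in {
		if c.Type != GroupClaim {
			out = append(out, c)
		} else if m, ok := mapping[c.Value]; ok {
			out = append(out, Claim{GroupClaim, m})
		}
	}
	return out
}
// Authorize is the application's decision, made on the transformed claims only.
func Authorize(claims []Claim, group string) bool {
	for _, c := range claims {
		if c == (Claim{GroupClaim, group}) {
			return true
		}
	}
	return false
}
```

A token verified with any key other than the account partner's, or whose claims were altered after signing, is rejected before any transform runs, and the application never sees the account partner's group names.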

Demo

Session Summary
Windows Server 2003 R2 delivers important functionality toward the Microsoft vision for Identity Management
ADFS is a key, new component
ADFS is standards-based (WS-*) and integrates with third-party federation solutions
