
Optimal Federation & Identity Services Training (OFIS 1100)

UNIT VII: Optimal Federation & Identity Services Best Practices

Installation

Agenda: Installation, Redundancy, Proxy, Encryption, Certificates, Questions?

The installation of the OFIS solution can be performed in multiple ways; however, it is a best practice to do one of the following:

If installing for internal use only, you may install OFIS directly on an internal web server. If AD FS is also being used, you can install OFIS on each AD FS server (even on the same website). In this internal scenario, users access the federation URL directly on the web server (rather than going through a proxy server).

If installing OFIS for internal and/or external use, you may install OFIS directly on an internal web server (possibly the AD FS server, if in use); in addition, however, you will want to set up a reverse proxy in the DMZ so that external users can reach the OFIS URLs.

Optionally, you may choose to install OFIS within the DMZ and open ports to access VIS. Note that in this case logging in via Windows Integrated Credentials may not be possible.

OFIS Best Practices, Unit 7: Slide 2
Copyright 2005-2015, Optimal IdM, LLC. All rights reserved.

Redundancy

As with any production system, the OFIS solution should be deployed across a minimum of 2 web servers that are load-balanced (or at least have a warm stand-by ready in case the primary server goes down). There are no special requirements for redundancy; sticky sessions are not required.

OFIS Best Practices, Unit 7: Slide 3

Proxy Server

Any time it is desired to allow external users access to OFIS while OFIS is installed on the internal network, a proxy server (reverse proxy) should be leveraged for an extra layer of security from the outside world.

Note that the AD FS Proxy Server solution will not work with OFIS, so you will need to deploy another proxy solution just for OFIS, such as:

IIS 7 (with a plug-in)
ISA Server
UAG
Other

OFIS Best Practices, Unit 7: Slide 4

Encryption

OFIS components should be accessed over HTTPS. This ensures the claim information is encrypted in transport. Typically (for internal users), this is a sufficient level of protection; however, that will depend on the actual data that is configured and included within the assertion (claim data). When federating with external entities, the same level of caution should be considered.

Beyond HTTPS, there are two additional points of encryption that come into play with OFIS:

Assertion Signing: Signing is required, and it requires that the STS generating the assertion has access to a valid server certificate and its private key. The public key is included in the FederationMetadata.xml file that can be consumed by your claims-aware application.

Assertion Encryption: Encryption is optional, but when configured it requires that the public key certificate (created by each Relying Party) is available in the local computer store. This public key cert is used to encrypt the assertion, so that only the RP holding the private key may decrypt it.

OFIS Best Practices, Unit 7: Slide 5
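The two certificate prerequisites on this slide (the STS must hold the signing certificate with its private key; the STS needs only the RP's public key certificate for assertion encryption) can be checked on the server before go-live. The following PowerShell is an added example, not code from the training deck or from Optimal IdM. It assumes PowerShell 5.1 or later on Windows, the standard SAML 2.0 layout of FederationMetadata.xml (the signing certificate under KeyDescriptor use="signing"), and the Windows certificate store as the "local computer store" the slide refers to. The function names, the hostnames sts.example.invalid and rp.example.invalid, and the throw-away self-signed certificates built with New-SelfSignedCertificate for the demo are all constructed for this example; in production you would pass your real metadata and Cert:\LocalMachine\My.

```powershell
# Added example (not Optimal IdM code). Assumes PowerShell 5.1+, SAML 2.0 metadata layout,
# and certificates in the Windows certificate store. Names and hosts are constructed.

function Get-SigningCertificateFromMetadata {
    param([Parameter(Mandatory)][string]$MetadataXml)
    $md = [xml]$MetadataXml
    # PowerShell's XML adapter matches child elements by local name, so the SAML
    # metadata and XML-DSig namespaces need not be declared here.
    $descriptors = @($md.EntityDescriptor.IDPSSODescriptor) + @($md.EntityDescriptor.RoleDescriptor)
    foreach ($d in $descriptors) {
        if ($null -eq $d) { continue }
        foreach ($kd in @($d.KeyDescriptor)) {
            if ($null -eq $kd -or $kd.use -ne 'signing') { continue }
            $b64 = $kd.KeyInfo.X509Data.X509Certificate -replace '\s', ''
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
        }
    }
}

function Test-StsSigningKey {
    # The STS needs the published signing certificate AND its private key in the store.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $inStore = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Certificate.Thumbprint } | Select-Object -First 1
    [pscustomobject]@{
        Check         = 'SigningKey'
        Thumbprint    = $Certificate.Thumbprint
        InStore       = [bool]$inStore
        HasPrivateKey = [bool]($inStore -and $inStore.HasPrivateKey)   # must be True on the STS
        NotAfter      = $Certificate.NotAfter
    }
}

function Test-RpEncryptionCertificate {
    # The STS only needs the RP's public key certificate to encrypt assertions; the
    # RP's private key must stay with the RP, so PrivateKeyPresent should be False.
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    [pscustomobject]@{
        Check             = 'RpEncryptionCert'
        Thumbprint        = $Thumbprint
        Present           = [bool]$cert
        PrivateKeyPresent = [bool]($cert -and $cert.HasPrivateKey)
    }
}

# --- Demo with constructed data in the current-user store (no admin rights needed). ---
$stsDemo = New-SelfSignedCertificate -DnsName 'sts.example.invalid' -CertStoreLocation 'Cert:\CurrentUser\My'
$rpDemo  = New-SelfSignedCertificate -DnsName 'rp.example.invalid'  -CertStoreLocation 'Cert:\CurrentUser\My'
# What an RP actually hands the STS is a public-key-only .cer; simulate that by
# re-importing only the RawData of the RP certificate after deleting its key.
$rpPublicOnly = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($rpDemo.RawData)
Remove-Item -Path "Cert:\CurrentUser\My\$($rpDemo.Thumbprint)" -DeleteKey
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open('ReadWrite'); $store.Add($rpPublicOnly); $store.Close()

$b64 = [Convert]::ToBase64String($stsDemo.RawData)
$metadata = @"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.example.invalid/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>$b64</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"@
try {
    # Expected: InStore True, HasPrivateKey True
    Get-SigningCertificateFromMetadata -MetadataXml $metadata |
        ForEach-Object { Test-StsSigningKey -Certificate $_ -StorePath 'Cert:\CurrentUser\My' }
    # Expected: Present True, PrivateKeyPresent False
    Test-RpEncryptionCertificate -Thumbprint $rpPublicOnly.Thumbprint -StorePath 'Cert:\CurrentUser\My'
} finally {
    Remove-Item -Path "Cert:\CurrentUser\My\$($stsDemo.Thumbprint)" -DeleteKey
    Remove-Item -Path "Cert:\CurrentUser\My\$($rpPublicOnly.Thumbprint)"
}
```

In a real deployment, run the two Test- functions with -StorePath 'Cert:\LocalMachine\My' on each OFIS server; a signing certificate with HasPrivateKey False means assertions cannot be signed from that node, and an RP encryption certificate with PrivateKeyPresent True means a Relying Party's private key has been imported where it does not belong.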

Certificates

OFIS HTTPS certificates should be generated from a public Certificate Authority (CA).

The OFIS Assertion Signing and Encryption certificates can be self-signed or issued from an internal CA.

You should make sure that you know exactly when your certificates are set to expire, so that you can prevent a system outage when they do expire, or in the case where they are automatically renewed (as in AD FS) but the supporting Relying Parties are not updated.

OFIS Best Practices, Unit 7: Slide 6
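Both outage scenarios on this slide (a certificate that silently expires, and a certificate that is rolled over while a Relying Party still trusts the old one) are easy to check on a schedule. The PowerShell below is an added example, not code from the training deck or from Optimal IdM. It assumes PowerShell 5.1 or later on Windows and the Windows certificate store; the function names, the warning threshold of 30 days, the hostname sts.example.invalid and the two short-lived self-signed demo certificates created with New-SelfSignedCertificate are constructed for this example. In production you would pass the thumbprints of the OFIS HTTPS, signing and encryption certificates in Cert:\LocalMachine\My, and the "trusted" thumbprint would come from the Relying Party's own configuration.

```powershell
# Added example (not Optimal IdM code). Assumes PowerShell 5.1+ and the Windows
# certificate store. Threshold, hostnames and demo certificates are constructed.

function Get-CertificateExpiryReport {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [string[]]$Thumbprint,      # limit to the HTTPS, signing and encryption certs OFIS uses
        [int]$WarningDays = 30
    )
    $now = Get-Date
    Get-ChildItem -Path $StorePath |
        Where-Object { -not $Thumbprint -or ($Thumbprint -contains $_.Thumbprint) } |
        ForEach-Object {
            $daysLeft = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                DaysLeft   = $daysLeft
                Status     = $(if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $WarningDays) { 'WARN' } else { 'OK' })
            }
        }
}

function Compare-PublishedSigningCertificate {
    # Catches the slide's second failure mode: the STS has rolled to a new signing
    # certificate (e.g. automatic renewal) but a Relying Party still trusts the old one.
    param(
        [Parameter(Mandatory)][string]$RelyingPartyTrustsThumbprint,  # what the RP has configured/cached
        [Parameter(Mandatory)][string]$StsCurrentThumbprint            # what the STS signs with now
    )
    [pscustomobject]@{
        RpTrusts   = $RelyingPartyTrustsThumbprint
        StsCurrent = $StsCurrentThumbprint
        Drift      = ($RelyingPartyTrustsThumbprint -ne $StsCurrentThumbprint)   # True = RP must be updated
    }
}

# --- Demo with constructed data: one certificate expiring in 10 days (WARN) and
# its "renewed" replacement, both in the current-user store (no admin rights needed). ---
$old = New-SelfSignedCertificate -DnsName 'sts.example.invalid' -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddDays(10)
$new = New-SelfSignedCertificate -DnsName 'sts.example.invalid' -CertStoreLocation 'Cert:\CurrentUser\My'
try {
    # Expected: $old reports WARN (DaysLeft 9 or 10), $new reports OK
    Get-CertificateExpiryReport -StorePath 'Cert:\CurrentUser\My' -Thumbprint $old.Thumbprint, $new.Thumbprint -WarningDays 30 |
        Format-Table Subject, DaysLeft, Status
    # An RP that consumed FederationMetadata.xml before the rollover still trusts $old: Drift True
    Compare-PublishedSigningCertificate -RelyingPartyTrustsThumbprint $old.Thumbprint -StsCurrentThumbprint $new.Thumbprint
} finally {
    Remove-Item -Path "Cert:\CurrentUser\My\$($old.Thumbprint)", "Cert:\CurrentUser\My\$($new.Thumbprint)" -DeleteKey
}
```

Scheduling Get-CertificateExpiryReport (for example as a daily task that alerts on any WARN or EXPIRED row) gives the advance notice the slide asks for; running Compare-PublishedSigningCertificate after every signing certificate rollover, with the thumbprint each Relying Party actually has configured, confirms that the RPs were updated before the old certificate is retired.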

Questions?

Questions and Support?

support@optimalidm.com
http://support.optimalidm.com/
Weekday 8-5 EST: (813) 425-6351
24/7 Production outage: (888) 487-6223

OFIS Best Practices, Unit 7: Slide 7
