Enterprise Identity. Steve Plank – Microsoft Ivor Bright – Charteris Dave Nesbitt – Oxford Computer Group. Agenda. Overview of Enterprise Federation Challenges/Solutions Individual Group Discussions (led) Large Group “Debate”. Exchange. SQL/File Servers. Active Directory. - PowerPoint PPT Presentation
Enterprise Identity
Steve Plank – Microsoft
Ivor Bright – Charteris
Dave Nesbitt – Oxford Computer Group
Agenda
• Overview of Enterprise Federation Challenges/Solutions
• Individual Group Discussions (led)
• Large Group “Debate”
Extranet Access with Identity Federation
Diagram: logon to Windows against Active Directory gives single sign-on inside your network to Exchange, SQL/File Servers, Web Servers and App Servers; your employees on your network; your suppliers and their networks
ADFS Identity Federation
• Projecting user Identity from a single logon …
• Providing distributed authentication & claims-based authorization …
• Connecting islands (across security, organizational or platform boundaries) …
• Enabling web single sign-on & simplified identity management
ADFS Components
Diagram: Client Web Browser, Federation Service Proxy (HTTPS), Federation Service, Web Server, Active Directory or ADAM
Active Directory or ADAM
• Authenticates users
• Manages attributes
• Windows 2000 or 2003
Federation Service (FS)
• Security Token Service (STS)
• Maps user attributes to claims
• Issues security tokens
• Manages federation trust policy
• Requires IIS v6, Windows 2003 R2
Federation Server Proxy (FSP)
• Client proxy for token requests
• Provides UI for browser clients
• Forms-based auth
• Home realm discovery
• Requires IIS v6, Windows 2003 R2
Web Agent
• Enforces user authentication
• Creates app authZ context from claims
• NT impersonation and ACLs
• ASP.NET IsInRole()
• AzMan RBAC integration
• ASP.NET raw claims API
• Requires IIS v6, Windows 2003 R2
ADFS Authentication Flow
Diagram: A. Datum (Account Forest) with Active Directory and the Account Security Token Service; Trey Research (Resource Forest) with the Resource Security Token Service and the Web Server; Internal Client
Centrify support for ADFS
Web SSO for non-IIS web servers
• DirectControl provides cross-platform equivalent of Microsoft ADFS SSO Agent for IIS6
• Apache and popular J2EE web servers
  • BEA WebLogic
  • Apache Tomcat
  • IBM WebSphere
  • JBoss
• Web agent is a direct drop-in for non-Microsoft web servers
• Customer benefits
  • Simple and cost-effective entrance into the federated identity world
  • No modification of applications
  • Uses existing deployed infrastructure (AD)
Quest support for ADFS
Web SSO for non-IIS web servers
• ADFS supported in Vintela Single Sign-on for Java V3.1
• Existing Java apps need no modifications
• VSJ 3.1 ADFS servlet filter will:
  • Support ADFS authentication for Java applications in the resource domain
  • Allow Java application servers to leverage an existing ADFS infrastructure
  • Enable federation of Java/J2EE applications within ADFS-based trust fabric
  • Support NTLM, SPNEGO & WS-Federation based authentication
• VSJ servlet filters work with any J2EE application server
• No change required to the Java application – it “just works”
Shibboleth Interoperability
• Standards based, open source
• Shibboleth System 1.3 release
• Developing plug-ins for SAML 1.1 Identity and Service Providers
  • Support WS-Federation Passive Requestor Interoperability Profile
  • Enables interop with ADFS and other compliant vendor products
• Sponsored by Microsoft and ADFS
WS-Federation
• Web Services Federation Language
  • Defines messages to enable security realms to federate & exchange security tokens
  • BEA, IBM, Microsoft, RSA, VeriSign
• Two “profiles” of the model defined
  • Passive (Browser) clients – HTTP/S
  • Active (Smart) clients – SOAP
Diagram: Security Token Service with an HTTP Receiver (HTTP messages) and a SOAP Receiver (SOAP messages)
Passive Requestor Profile
• Binding of WS-Federation & WS-Trust for browser (passive) clients
• Implicitly adhere to policy by following redirects
• Implicitly acquire tokens via HTTP msgs
• Authentication requires secure transport (HTTPS)
  • Client cannot provide “proof of possession”
  • Tokens subject to replay
  • Limited (time based) token caching
Supported by ADFSv1 in W2K03 R2
Authentication Message Flow
Participants: Browser Client, Account STS, Web Server, Resource STS
1. GET (to Web Server)
2. Detect user’s home realm
3. 302 Redirect (to Resource STS)
4. 302 Redirect (to Account STS)
5. Authenticate User
6. POST “Redirect” security token (to Resource STS)
7. POST “Redirect” security token (to Web Server)
8. 200 OK Response (from Web Server)
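The passive profile and the message flow above, modelled end to end as an added example (not code from the slides or from ADFS): realm names, the group-to-role claim mapping and the replay cache are assumptions. The receivers enforce the slide's caveats on bearer tokens: the token is only a thing you hold, so each receiver accepts it only from its trusted issuer, only inside a short validity window, and only once.

```python
import secrets

# Constructed sample realms (not from the slides): A. Datum is the account partner,
# Trey Research the resource partner, as in the slide's authentication-flow diagram.
ACCOUNT_STS, RESOURCE_STS, WEB_SERVER = "sts.adatum", "sts.trey", "app.trey"
TOKEN_LIFETIME = 300  # seconds: passive tokens get only limited, time-based caching

def issue_token(issuer, subject, claims, now):
    """Bearer token: no proof-of-possession key, so whoever holds it can present it."""
    return {"id": secrets.token_hex(8), "iss": issuer, "sub": subject,
            "claims": claims, "nbf": now, "exp": now + TOKEN_LIFETIME}

class Receiver:
    """Receives POSTed tokens (Resource STS or Web Agent): trusted issuer only, inside the
    validity window only, and token ids remembered until expiry to detect replay."""
    def __init__(self, trusted_issuer):
        self.trusted_issuer, self.seen = trusted_issuer, {}

    def accept(self, token, now):
        self.seen = {i: e for i, e in self.seen.items() if e > now}  # prune expired ids
        if token["iss"] != self.trusted_issuer:
            return "rejected: untrusted issuer"
        if not token["nbf"] <= now < token["exp"]:
            return "rejected: outside validity window"
        if token["id"] in self.seen:
            return "rejected: replay"
        self.seen[token["id"]] = token["exp"]
        return "accepted"

resource_sts = Receiver(trusted_issuer=ACCOUNT_STS)  # federation trust with account partner
web_agent = Receiver(trusted_issuer=RESOURCE_STS)    # trusts only its own realm's STS

def passive_flow(user, groups, now):
    """Walk the slide's redirect sequence; return (transcript, application authZ context)."""
    log = [f"GET https://{WEB_SERVER}/ (no token)",
           f"302 -> {RESOURCE_STS} (detect user's home realm)",
           f"302 -> {ACCOUNT_STS} (authenticate {user})"]
    acct_tok = issue_token(ACCOUNT_STS, user, {"group": groups}, now)
    verdict = resource_sts.accept(acct_tok, now)
    log.append(f"POST token {acct_tok['id']} -> {RESOURCE_STS}: {verdict}")
    if verdict == "accepted":  # Resource STS maps the partner's group claim to an app role
        res_tok = issue_token(RESOURCE_STS, user, {"role": ["Purchaser"] if "Purchasing" in groups else []}, now)
        verdict = web_agent.accept(res_tok, now)
        log.append(f"POST token {res_tok['id']} -> {WEB_SERVER}: {verdict}")
    if verdict != "accepted":
        return log, None
    log.append("200 OK")
    roles = res_tok["claims"]["role"]
    return log, {"user": user, "is_in_role": lambda r: r in roles, "token": res_tok}
```

Calling `web_agent.accept` a second time with the token from the returned context shows the replay rejection, and calling it after `TOKEN_LIFETIME` seconds shows the time-based limit.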
Active Requestor Profile
• Binding of WS-Federation & WS-Trust for SOAP/XML aware (active) clients
• Explicitly determine token needs from policy
• Explicitly request tokens via SOAP msgs
• Strong authentication of all requests
  • Client can provide “proof of possession”
• Supports delegation
  • Client can provide token for use on its behalf
• Allows rich token caching at client
  • Improved performance w/o security risk
Future ADFS release
Sample Flow: Active Client
Participants: Requesting Service, Identity Provider STS, Target Service, Service Provider STS
Messages in the diagram: Fetch IP policy; Request token; Return token; Request token; Return token; Send secured request; Return secured response; Fetch SP policy; Fetch service policy
WS-Policy used to route client token requests
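The active profile and the sample flow above as an added example (not code from the slides or from any WS-Trust implementation): the policy table, realm names and the way the target learns a token's proof key are assumptions. The client walks policy to find which STS to ask first, obtains a holder-of-key token, and then proves possession with an HMAC over every request, which is what lets one cached token serve many requests without the replay exposure of the passive profile.

```python
import hashlib, hmac, secrets

# Constructed sample realms (not from the slides): the client's identity-provider STS,
# the target realm's service-provider STS, and the target service itself.
IP_STS, SP_STS, TARGET = "ip-sts.adatum", "sp-sts.trey", "orders.trey"

# WS-Policy stand-in: each party names the issuer whose token it requires; the IP-STS
# authenticates the client directly, so it requires none.
POLICY = {TARGET: SP_STS, SP_STS: IP_STS, IP_STS: None}

def token_request_order(service):
    """Fetch policy from the service back to the root issuer; return issuers to ask, in order."""
    chain, issuer = [], POLICY[service]
    while issuer is not None:
        chain.append(issuer)
        issuer = POLICY[issuer]
    return chain[::-1]  # for TARGET: [IP_STS, SP_STS]

def issue_token(issuer, subject, presented=None):
    """STS issues a holder-of-key token whose fresh proof key is shared with the client only.
    An STS whose policy names an upstream issuer first demands a token from that issuer."""
    if POLICY[issuer] is not None and (presented is None or presented["iss"] != POLICY[issuer]):
        raise PermissionError(f"{issuer} requires a token issued by {POLICY[issuer]}")
    return {"id": secrets.token_hex(8), "iss": issuer, "sub": subject,
            "proof_key": secrets.token_bytes(32)}

def sign_request(token, body):
    """Proof of possession: the client keys an HMAC over the request body with the proof key."""
    mac = hmac.new(token["proof_key"], body.encode(), hashlib.sha256).hexdigest()
    return {"token_id": token["id"], "body": body, "proof": mac}

def verify_request(msg, service_tokens):
    """The target recomputes the MAC with the proof key the SP-STS shared with it, so a copied
    token without its key, or an altered request body, is rejected."""
    token = service_tokens.get(msg["token_id"])
    if token is None or token["iss"] != POLICY[TARGET]:
        return False
    mac = hmac.new(token["proof_key"], msg["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, msg["proof"])

def active_flow(user, bodies):
    """Slide sequence: walk policy, obtain the IP then the SP token, send signed requests.
    Returns (SP token, verdict per request, the target's token registry); one cached SP
    token serves every request, which is the caching the active profile allows."""
    service_tokens, token = {}, None  # simplification: SP-STS shares issued keys with TARGET
    for issuer in token_request_order(TARGET):
        token = issue_token(issuer, user, presented=token)
    service_tokens[token["id"]] = token
    return token, [verify_request(sign_request(token, b), service_tokens) for b in bodies], service_tokens
```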
Review
• Overview of Enterprise Federation Challenges/Solutions
• Individual Group Discussions (led)
• Large Group “Debate”