04 Active Directory Federation Services

Page 1

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft

Understanding Active Directory

Page 2

Microsoft Virtual Academy

Active Directory Federation Services (AD FS)

Page 3

Module Overview

• AD FS Overview

• AD FS Deployment Scenarios

• Configuring AD FS Components

Page 4

Lesson 1: AD FS Overview

• What Is Identity Federation?

• What Are the Identity Federation Scenarios?

• Benefits of Deploying AD FS

Page 5

What Is Identity Federation?

Identity federation is a process that enables distributed identification, authentication, and authorization across organizational and platform boundaries.

An identity federation:

• Requires a trust relationship between two organizations or entities

• Allows organizations to retain control of:

  • Resource access

  • Their own user and group accounts

Page 6

What Are the Identity Federation Scenarios?

• Federation for business-to-consumer or business-to-employee in a Web single sign-on scenario

• Federation for business-to-business (B2B)

• Federation within an organization across multiple Web applications

Page 7

Benefits of Deploying AD FS

AD FS provides the following benefits:

• Works with Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS)

• Extends AD DS to the Internet

• Enables improved:

  • Security and control over authentication

  • Regulatory compliance

  • Interoperability with heterogeneous systems

Page 8

Demonstration: Installing AD FS

• In this demonstration, you will see how to install the Active Directory Federation Services Server Role

Page 9

Lesson 2: AD FS Deployment Scenarios

• What Is a Federation Trust?

• What Are the AD FS Components?

• How AD FS Provides Identity Federation in a B2B Scenario

• How AD FS Traffic Flows in a B2B Federation Scenario

• How AD FS Provides Web Single Sign-On

• Integrating AD FS and AD RMS

Page 10

What Is a Federation Trust?

[Diagram: an account partner organization (AD DS and an account federation server) and a resource partner organization (a resource federation server and a Web server), joined by a federation trust between the two federation servers]

Page 11

What Are the AD FS Components?

AD FS components:

• AD FS Web Agent

• Resource Federation Server Proxy

• Account Federation Server

• AD DS domain controllers

• Account Federation Server Proxy

• Resource Federation Server

Page 12

How AD FS Provides Identity Federation in a B2B Scenario

[Diagram: Contoso (account partner) and an online retailer (resource partner). Labelled components: AD DS, Account Federation Server, Account Federation Server Proxy, Resource Federation Server, Resource Federation Server Proxy, AD FS-enabled Web Server; each organization is divided into an INTRANET FOREST and a PERIMETER NETWORK, and a Federation Trust connects the two organizations]

Page 13

How AD FS Traffic Flows in a Business-to-Business Federation Scenario

[Diagram: numbered traffic flow (steps 1 to 5) between Contoso (AD DS, Account Federation Server) and the online retailer (Resource Federation Server, Web Server) across the Federation Trust]

Page 14

Lesson 3: Configuring AD FS Components

• Federation Service Configuration Options

• What Are AD FS Trust Policies?

• Demonstration: Configuring the Federation Services for an Account Partner

• AD FS Web Proxy Agent Configuration Options

• What Are AD FS Claims?

Page 15

Federation Service Configuration Options

To implement the federation service:

• Create and configure applications

• Create a trust policy for both the resource and account partners

• Create organizational claims

• Create account stores

Page 16

What Are AD FS Trust Policies?

Trust policies are the configuration settings that define how to configure a federated trust and how the federated trust works.

Resource partner trust policies include:

• Token lifetime

• Federation Service URI

• Federation Service endpoint URL

• The option to use a Windows trust relationship for this partner

In addition, the account partner trust policies include:

• Location for a certificate to verify the resource partner

• Options for configuring how resource accounts are created

Page 17

Demonstration: AD FS Initial Configuration

• In this demonstration, you will see how to run the AD FS Management Snap-In and step through the initial configuration.

Page 18

AD FS Web Proxy Agent Configuration Options

• Install the AD FS Web Agent on the IIS server

  • Windows Token-based authentication requires ISAPI extensions

  • Claims-aware authorization can authenticate natively with ASP.NET

• Determine how to collect user credential information from browser clients and Web applications

Page 19

What Are AD FS Claims?

Claim type: Identity

• UPN: indicates a Kerberos version 5 protocol-style user principal name (UPN), for example: user@realm

• E-mail: indicates Request for Comments (RFC) 2822-style e-mail names of the form user@domain

• Common name: indicates an arbitrary string that is used for personalization

Claim type: Group

• Indicates membership in a group or role

Claim type: Custom

• Indicates a claim that contains custom information about a user, for example, an employee ID number
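The trust-policy and claim-type slides above describe what a resource partner checks when a token arrives from an account partner: that the issuer is the partner's Federation Service URI, that the token is still within the configured token lifetime, and that the claims it carries have the expected shape (UPN as user@realm, e-mail as user@domain, common name as a free string, group, or custom). The Python below is an added illustration of those checks and is not code from the deck or from AD FS itself; the policy values, token layout and claim dictionaries are constructed for the example, and treating the token lifetime as the maximum age since issuance is an assumption made here.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed resource-partner trust policy for one account partner, mirroring the
# settings named on the slide (token lifetime, Federation Service URI, endpoint URL).
# The URI and URL are placeholders, not real federation services.
ACCOUNT_PARTNER_POLICY = {
    "federation_service_uri": "urn:federation:contoso-example",            # placeholder
    "federation_service_endpoint_url": "https://fs.contoso.example/adfs/ls/",  # placeholder
    "token_lifetime": timedelta(minutes=60),
}

# Shape rules for the identity claim types listed in the slide's table.
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+$")              # user@realm
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")    # user@domain (simplified RFC 2822 addr-spec)


def classify_claim(claim):
    """Map a claim {"type": ..., "value": ...} to (category, well_formed).

    Categories follow the slide: identity (upn, email, commonname), group, or custom."""
    ctype, value = claim["type"], claim["value"]
    if ctype == "upn":
        return "identity", bool(UPN_RE.match(value))
    if ctype == "email":
        return "identity", bool(EMAIL_RE.match(value))
    if ctype == "commonname":
        return "identity", isinstance(value, str) and value != ""
    if ctype == "group":
        return "group", isinstance(value, str) and value != ""
    # Anything else (e.g. an employee ID) is a custom claim; it only has to be present.
    return "custom", value is not None


def validate_token(token, policy, now):
    """Check a token from the account partner against the resource partner's trust policy.

    Returns a list of problems; an empty list means the token is acceptable."""
    problems = []
    if token["issuer"] != policy["federation_service_uri"]:
        problems.append("issuer does not match the partner's Federation Service URI")
    issued = token["issued_at"]
    if now < issued:
        problems.append("token issued in the future")
    elif now - issued > policy["token_lifetime"]:
        problems.append("token older than the configured token lifetime")
    # A token that names nobody is useless to the relying application.
    if not any(classify_claim(c)[0] == "identity" for c in token["claims"]):
        problems.append("token carries no identity claim")
    for c in token["claims"]:
        category, ok = classify_claim(c)
        if not ok:
            problems.append(f"malformed {category} claim: {c['type']}={c['value']!r}")
    return problems


# Constructed sample tokens; "now" is fixed so the checks are repeatable.
NOW = datetime(2013, 6, 1, 12, 0, tzinfo=timezone.utc)

GOOD_TOKEN = {
    "issuer": "urn:federation:contoso-example",
    "issued_at": NOW - timedelta(minutes=10),
    "claims": [
        {"type": "upn", "value": "alice@contoso.example"},
        {"type": "email", "value": "alice@contoso.example"},
        {"type": "commonname", "value": "Alice"},
        {"type": "group", "value": "Purchasing"},
        {"type": "employeeid", "value": "12345"},
    ],
}

# Wrong issuer, two hours old, and a UPN without a realm: three separate problems.
BAD_TOKEN = {
    "issuer": "urn:federation:unknown-example",
    "issued_at": NOW - timedelta(hours=2),
    "claims": [
        {"type": "upn", "value": "bob"},
        {"type": "group", "value": "Sales"},
    ],
}

if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        print(name, validate_token(tok, ACCOUNT_PARTNER_POLICY, NOW) or "accepted")
```

Each failed check is reported separately rather than stopping at the first one, which is what a defender wants in federation server logs: an issuer mismatch and an expired token point at different misconfigurations (or different abuse) and should be visible together.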

Page 20

Module Review and Takeaways

• Review Questions

• Summary of AD FS

Page 21

Thanks for Watching!

Page 22

©2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.