Windows 2012 Active Directory Federation Services


Christopher Chapman | MCT
Content PM, Microsoft Learning, PDG Planning, Microsoft
Understanding Active Directory
Active Directory Federation Services (AD FS)
Microsoft Virtual Academy

Module Overview
AD FS Overview
AD FS Deployment Scenarios
Configuring AD FS Components

Module 6: Introduction to Active Directory Federation Services (Course 6424A)

Lesson 1: AD FS Overview
What Is Identity Federation?
What Are the Identity Federation Scenarios?
Benefits of Deploying AD FS

What Is Identity Federation?
Identity federation is a process that enables distributed identification, authentication, and authorization across organizational and platform boundaries.
It requires a trust relationship between two organizations or entities.

It allows organizations to retain control of:
Resource access
Their own user and group accounts

Identity federation allows separate authentication domains or realms to share resources without having to provide complete access to each of the authentication domains.

So what does this REALLY mean? In the real world everyone has a number of usernames and passwords that they must remember, even within the same organization or within partner organizations. Identity federation allows different authentication domains/realms to provide single sign-on (SSO) services. This can be done without creating a full Active Directory trust between the organizations.

What Are the Identity Federation Scenarios?
Federation for business-to-consumer or business-to-employee in a Web single sign-on scenario

Federation for business-to-business (B2B)

Federation within an organization across multiple Web applications

Federation for B2B: Enables businesses to provide SSO for a business partner or other business unit that has a separate domain.

Federation for business-to-consumer or business-to-employee in a Web single sign-on scenario: This design allows a business that has a perimeter network domain to provide authentication for internal user accounts.

Federation within an organization across multiple Web applications: This provides SSO across multiple Web applications. No trusts exist in this scenario.

Benefits of Deploying AD FS
AD FS provides the following benefits:
Works with Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS)
Extends AD DS to the Internet
Enables improved:
Security and control over authentication
Regulatory compliance
Interoperability with heterogeneous systems

AD FS provides the benefits that the following section details:

Enables improved:
Security and control over authentication. You establish rules to control which users are allowed to authenticate across the federated trust.
Regulatory compliance. Because authentication is controlled, and business partners or Internet users do not authenticate directly against your corporate domains, AD FS enables scenarios that allow you to maintain regulatory compliance.
Interoperability with heterogeneous systems. AD FS leverages Web services, so it can interoperate with many heterogeneous systems. Whitepapers have been created to set up this interoperation.
AD FS works with AD DS or AD LDS, which allows for flexibility and use with other third-party applications.
Extends Active Directory to the Internet, as it allows users on the Internet to authenticate against AD DS for use in Web applications.

Demonstration: Installing AD FS
In this demonstration, you will see how to install the Active Directory Federation Services server role.

Demonstrate the steps required to configure the Federation Service for an account partner. Steps include:
Configure the federation trust settings.
Configure the account stores.
Configure the application.
Configure the trust policy.

Lesson 2: AD FS Deployment Scenarios
What Is a Federation Trust?
What Are the AD FS Components?
How AD FS Provides Identity Federation in a B2B Scenario
How AD FS Traffic Flows in a B2B Federation Scenario
How AD FS Provides Web Single Sign-On
Integrating AD FS and AD RMS

What Is a Federation Trust?

[Figure: a federation trust between the Account Partner Organization (AD DS and Account Federation Server) and the Resource Partner Organization (Resource Federation Server and Web Server)]

This trust is one way, and the arrow always points to where the accounts come from. The side of the trust where the accounts are managed is the account partner, while the side of the trust that has the resources that will be accessed is the resource partner. However, federation trusts are not like Windows trusts. In a federation trust, the federation servers in the account partner and the resource partner do not need to communicate directly with each other.

What Are the AD FS Components?
AD FS components:
AD FS Web Agent
Resource Federation Server Proxy
Account Federation Server
AD DS domain controllers
Account Federation Service Proxy
Resource Federation Server

AD DS domain controllers: Domain controllers store directory data and manage user and domain interactions, including user logon processes, authentication, and directory searches.

Federation servers: A federation server is a computer that runs a specialized Web service that can issue, manage, and validate requests for security tokens and identity management. Security tokens consist of a collection of identity claims, such as a user's name or role. In addition, a federation server can protect the contents of security tokens in transit with an X.509 certificate, which makes it possible to validate trusted issuers.

Federation Service proxies: You can use a federation server proxy to enhance the security and performance of your Active Directory Federation Services (AD FS) 2.0 deployment. When you install the AD FS 2.0 software on a computer and configure it for the federation server proxy role, that computer functions as a proxy server in a perimeter network (also known as a screened subnet) for a protected Federation Service on an internal network.

AD FS Web Agent: Active Directory Federation Service (AD FS) Web Agents are Internet Server Application Programming Interface (ISAPI) extensions. They run on Internet Information Services (IIS) and Windows Server, and they manage security tokens and authentication cookies for the Web server. An AD FS Web Agent intercepts incoming client URL requests for a protected resource and ensures that a valid authentication token is presented.

How AD FS Provides Identity Federation in a B2B Scenario

[Figure: Contoso (account partner) and Online Retailer (resource partner), each with an intranet forest and a perimeter network. Contoso's intranet forest holds AD DS and the Account Federation Server, with the Account Federation Server Proxy in its perimeter network; the Online Retailer side holds the Resource Federation Server, the Resource Federation Server Proxy and the AD FS-enabled Web Server. A federation trust links the two organizations.]

How AD FS Traffic Flows in a Business-to-Business Federation Scenario

[Figure: numbered traffic flow (steps 1 to 5) between the Web Server, Resource Federation Server, Account Federation Server and AD DS, across the Federation Trust between Contoso and the Online Retailer]

In this design, external users, such as customers, can access the Web application by authenticating to the external account federation server, which is located in the perimeter network. External users have user accounts in the perimeter-network Active Directory forest. Internal users, such as employees, can also access the Web application by authenticating to the internal account federation server, which is located in the internal network. Internal users have accounts in the internal Active Directory forest.

If the Web-based application is a Windows NT token-based application, the AD FS Web Agent that is running on the Web application server intercepts requests and creates Windows NT security tokens, which are required by the Web application to make authorization decisions. For external users, this is possible because the AD FS-enabled Web server that hosts the Windows NT token-based application is joined to the domain in the external forest. For internal users, this is enabled through the forest trust relationship that exists between the perimeter forest and the internal forest.

If the Web-based application is a claims-aware application, the AD FS Web Agent that is running on the Web application server does not have to create Windows NT security tokens for the user. The AD FS Web Agent can expose the claims that come across, which makes it possible for the application to make authorization decisions based on the contents of the security token that is provided by the account federation server. As a result, when it deploys claims-aware applications, the AD FS-enabled Web server does not have to be joined to the domain, and the external-forest-to-internal-forest trust is not required.

Lesson 3: Configuring AD FS Components
Federation Service Configuration Options
What Are AD FS Trust Policies?
Demonstration: Configuring the Federation Services for an Account Partner
AD FS Web Proxy Agent Configuration Options
What Are AD FS Claims?

Federation Service Configuration Options
To implement the Federation Service:
Create and configure applications
Create a trust policy for both the resource and account partners
Create organizational claims
Create account stores

Briefly talk about the main settings that will need to be configured before AD FS is functional:
Create organizational claims
Create account stores
Create applications
Create a trust

What Are AD FS Trust Policies?
Trust policies are the configuration settings that define how to configure a federated trust and how the federated trust works.
Resource partner trust policies include:
Token lifetime
Federation Service URI
Federation Service endpoint URL
The option to use a Windows trust relationship for this partner
In addition, the account partner trust policies include:
Location for a certificate to verify the resource partner
Options for configuring how resource accounts are created

Discuss how the trust policies really are the definition of the trust functions. Then describe each of the configuration options for the resource and account partner trust policies.

Demonstration: AD FS Initial Configuration
In this demonstration, you will see how to run the AD FS Management snap-in and run through the initial configuration steps.

Demonstrate the steps required to configure the Federation Service for an account partner. Steps include:
Configure the federation trust settings.
Configure the account stores.
Configure the application.
Configure the trust policy.

AD FS Web Proxy Agent Configuration Options
Install the AD FS Web Agent on the IIS server
Windows token-based authentication requires ISAPI extensions
Claims-aware authorization can authenticate natively with ASP.NET
Determine how to collect user credential information from browser clients and Web applications

What Are AD FS Claims?
Claim type and description:
Identity: UPN indicates a Kerberos version 5 protocol-style user principal name (UPN), for example user@realm. E-mail indicates Request for Comments (RFC) 2822-style e-mail names of the form user@domain. Common name indicates an arbitrary string that is used for personalization.
Group: Indicates membership in a group or role.
Custom: Indicates a claim that contains custom information about a user, for example, an employee ID number.

Define an AD FS claim, and then talk about each type: identity, group, and custom. Be sure to talk about how they differ and, if possible, give an example of each.
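The claim-type rules that the expanded table below spells out (one UPN, one e-mail and one common-name claim per token, group claims as Boolean membership, common name not safe for authorization), worked as code. This is an added example, not code from the course or from AD FS itself; the Claim class, the function names and the sample token values are constructed for illustration.

```python
# Added example, not code from the course deck or from AD FS itself: a small
# model of the AD FS claim types in the table above. It enforces the rules the
# table states (at most one UPN, e-mail and common-name claim per token; group
# claims as Boolean membership flags) and makes authorization decisions on group
# claims only, never on the non-unique common name. Sample values are constructed.
from dataclasses import dataclass

IDENTITY_TYPES = {"upn", "email", "commonname"}
CLAIM_TYPES = IDENTITY_TYPES | {"group", "custom"}

@dataclass(frozen=True)
class Claim:
    ctype: str      # one of CLAIM_TYPES
    value: str      # identity value, group name, or custom value
    name: str = ""  # custom claims only: the claim's own name, e.g. employeeId

def validate(claims):
    """Return the rule violations for a claim set; an empty list means valid."""
    errors = []
    for ctype in sorted(IDENTITY_TYPES):
        count = sum(1 for c in claims if c.ctype == ctype)
        if count > 1:  # extra UPN/e-mail values must travel as custom claims
            errors.append(f"{count} claims of identity type {ctype!r}, only one allowed")
    for c in claims:
        if c.ctype not in CLAIM_TYPES:
            errors.append(f"unknown claim type {c.ctype!r}")
        elif c.ctype in ("upn", "email") and c.value.count("@") != 1:
            errors.append(f"{c.ctype} value {c.value!r} is not of the form user@domain")
        elif c.ctype == "custom" and not c.name:
            errors.append("custom claim without a name")
    return errors

def is_member(claims, group):
    """A group claim is a Boolean: the user is a member iff the claim is present."""
    return any(c.ctype == "group" and c.value == group for c in claims)

def authorize(claims, required_group):
    """Allow only a valid claim set that carries the required group claim.
    The common-name claim is deliberately never consulted here."""
    return not validate(claims) and is_member(claims, required_group)

# Constructed sample tokens, as a claims-aware application might receive them.
GOOD_TOKEN = [
    Claim("upn", "jsmith@contoso.com"),
    Claim("email", "john.smith@contoso.com"),
    Claim("commonname", "John Smith"),
    Claim("group", "Developer"),
    Claim("group", "Tester"),
    Claim("custom", "E12345", name="employeeId"),
    Claim("custom", "jsmith@corp.contoso.com", name="secondaryUpn"),  # 2nd UPN as custom
]
BAD_TOKEN = GOOD_TOKEN[:3] + [Claim("upn", "jsmith@corp.contoso.com")]  # duplicate UPN type
```

`validate(BAD_TOKEN)` reports the duplicate UPN claim, while the same second UPN carried as a custom claim in `GOOD_TOKEN` passes.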

The table below shows more information than the slide table:

Identity: UPN, e-mail, and common name are referred to in AD FS as identity claim types.
UPN: Indicates a Kerberos-style user principal name (UPN), for example, user@realm. Only one claim may be the UPN type. Even if multiple UPN values must be communicated, only one may be of the UPN type. Additional UPNs may be configured as custom claim types.
E-mail: Indicates Request for Comments (RFC) 2822-style e-mail names of the form user@domain. Only one claim may be the e-mail type. Even if multiple e-mail values must be communicated, only one may be of the e-mail type. Additional e-mails may be configured as custom claim types.
Common name: Indicates an arbitrary string that is used for personalization. Examples include John Smith or Tailspin Toys Employee. Only one claim may have the common name type. It is important to note that there is no mechanism for guaranteeing the uniqueness of the common name claim. Therefore, use caution when you use this claim type for authorization decisions.
Group: Indicates membership in a group or role. Administrators define individual claims that have the group type. For example, you might define the following set of group claims: [Developer, Tester, Program Manager]. Each group claim is a separate unit of administration for claim population and mapping. It is useful to think of the value of a group claim as a Boolean value indicating membership.

Module Review and Takeaways
Review Questions
Summary of AD FS

Review Questions
1. After defining a Web application in the AD FS Management tool, what else must be done to have an application begin to authenticate AD FS tokens?
Answer: The Web proxy agent must be configured on the Web site. If this is a Windows NT token-based application, the ISAPI filter must be running and configured. If this is a claims-aware application, the application must be configured with the AD FS server information.
2. Where are certificates used in an AD FS deployment?
Answer: SSL certificates are used to encrypt Web communications. A server validation certificate is used to sign tokens as well as to validate tokens to ensure they have not been tampered with.
3. Why would a Federation Service Proxy role server be needed?
Answer: Federation Service proxies are typically installed in a perimeter network and used to proxy Internet requests back to the federation server that is installed on the intranet.
4. Can the Web Proxy agent be installed on an older version of Windows Server?
Answer: The Web Proxy agent can be installed on the following operating systems: Windows Server 2003 R2, Standard Edition; Windows Server 2003 R2, Enterprise Edition; Windows Server 2003 R2, Datacenter Edition; Windows Server 2008 Standard; Windows Server 2008 Enterprise; or Windows Server 2008 Datacenter.

Summary of Active Directory Federation Services
The AD FS server role can be used to create a highly extensible, Internet-scalable, and secure identity access solution that can operate across multiple platforms, including both Windows and non-Windows environments. It can be used to provide browser-based clients (internal or external to your network) with seamless, single sign-on access to one or more protected Internet-facing applications, even when the user accounts and applications are located in completely different networks or organizations.
Several standard scenarios are addressed with AD FS. The business-to-business federation scenario enables a business to provide single sign-on (SSO) for a business partner or other business unit that has a separate domain. The business-to-consumer or business-to-employee Web single sign-on scenario enables authentication for internal user accounts for a business with a perimeter network domain. The last scenario is federation within an organization across multiple Web applications.

Thanks for Watching!

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.