
Identity Federation
Daniel Meyer, Identity and Access Management Lead, EMEA, Microsoft EMEA HQ

9/21/2006 3:48 PM

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Agenda
- Federation - Why?
- General Concepts
- ADFS - Overview

Federation - Why?

What changed?

The users an organization has to serve now reach well beyond its own network:
- Your EMPLOYEES on your NETWORK
- Your PARTNERS and their NETWORKS
- Your REMOTE and MOBILE EMPLOYEES
- Your CUSTOMERS
- Your SUPPLIERS and their NETWORKS

Business forces behind this change (from the slide): customer satisfaction, cost competitiveness, reach and personalization; collaboration, outsourcing, process automation, value chain; mergers & acquisitions, mobile/global workforce, flexible/temp workforce.

Services as Identities

Slide diagram: interactions are no longer only people at web browsers; applications talk to applications. Shown are rich interactions (Office, real time communications, Live Meeting), rich client devices & apps, web browsers, web services and a web server, spanning the organization, the Internet and a partner.

Extranets Proliferate User Accounts

Slide diagram: inside your NETWORK, employees log on to Windows through Active Directory and get single sign-on to Exchange, SQL/file servers, web servers and app servers. Your SUPPLIERS and their NETWORKS, reached through the extranet, sit outside that boundary and end up with separate user accounts.

The Business Drivers

Identity Management serves four goals:
- Reduce Costs
- Improve Service & Productivity
- Improve Security
- Assure Compliance

Capabilities and regulations placed around those goals on the slide: Remote Access, Strong AuthN, Role-based Access, Protect Systems, DRM; SOX, Basel II, HIPAA, DS …; Help-Desk, Centralize, Automate Processes, Pre-Audit Checks, Delegated Admin, Self Service; Single Sign-On, Federation, Single Password, In-Synch Data.


General Concepts

Identity Federation Goals
- Projecting user identity from a single logon …
- Providing distributed authentication & claims-based authorization …
- Connecting islands (across security, organizational or platform boundaries) …
- Enabling web single sign-on & simplified identity management

Security Tokens & Claims

Distributed authentication/authorization: security tokens assert claims.

Claims – statements authorities make about security principals (name, identity, key, group, privilege, capability, etc.).

Labels on the slide's token diagram: Signed; X.509, Kerberos, XrML, SAML; Secret Key; Password; Proof of Possession.

Security Token Service

A security token service (STS) issues security tokens; the slide places the Kerberos Key Distribution Center alongside it as an existing STS.

STSs can "swap" tokens as a request crosses security domain boundaries.

Tokens in the Real World

Slide diagram: a request passes through two STSs in turn; each STS takes the token it receives and hands out a token for the next hop, until a token reaches the relying party (RP). The sample payload "she sells sea shells" is re-chunked at each hop to illustrate the re-issued token.

Main benefits of a Federation Architecture

Regulatory Compliance
- No accounts for external users protects privacy
- Out-bound auditing of external user access

End User Productivity
- One account, one password, one logon

IT/Helpdesk Efficiency
- No active external user accounts
- No external user password resets
- May need shadow accounts

Security
- Automatic termination of external user access
- No risk from orphaned external user accounts


WS-* Metasystem Architecture

Slide diagram: a Subject, through an Identity Selector, obtains tokens from ID Providers and presents them to Relying Parties. Each ID Provider runs a Security Token Server backed by its own technology (Kerberos, SAML, x509 or custom security); the parties publish their requirements with WS-SecurityPolicy and exchange tokens and metadata with WS-Trust and WS-MetadataExchange.

ADFS - Overview


ADFS Identity Federation
Projects AD identities to other security realms

Slide diagram: the Account Provider (A. Datum, account forest, aDatum.com namespace) runs Federation Server FS-A; the Resource Provider (Trey Research, resource forest, TreyResearch.net namespace) runs Federation Server FS-R.

Federation Servers manage:
- Trust -- keys
- Security -- claims required
- Privacy -- claims allowed
- Audit -- identities, authorities

ADFS Authentication Flow

B2B: Federated Web SSO
- Partners do NOT need local accounts
- Web-based Purchasing & Inventory Control apps
- Partner employees use their corporate AD accounts
- Intranet UX: Web SSO after Windows desktop logon
- Internet UX: Web SSO after Forms-based logon or SSL client authN


B2E: Web SSO + Forest Trust
Single sign-on for HQ & "Road Warrior" users
- Web-based Wholesale Order Entry app in DMZ
- All employees have accounts in intranet AD
- Intranet UX: Web SSO after Windows desktop logon
- Internet UX: Web SSO after Forms-based logon or SSL client authN

B2C: Classic Web SSO
Classic Web SSO for Internet customers
- Web-based Retail Order Entry & Customer Service apps
- Customers issued user accounts in DMZ (AD or ADAM)
- Internet UX: Web SSO after Forms-based logon

ADFS Security Tokens
- SAML 1.1 assertion syntax
- Carried in a WS-Trust RequestSecurityTokenResponse
- Tokens are not encrypted; all messages are over HTTPS
- Tokens are signed; vendor interoperable (default)
- Signed with the RSA private key; the signature is verified with the public key from the X.509 certificate
- ADFS internal key management (optional): FS-R tokens for the Web Agent can be signed with a Kerberos session key
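The token "swap" at the boundary between the account partner and the resource partner, combining the federation-server responsibilities listed earlier (trust: keys; security: claims required; privacy: claims allowed) with the signed-token rules on this slide, as an added Go example that is not part of the presentation and is not ADFS code. It assumes a JSON token in place of the SAML 1.1 assertion, a 10-minute validity window, and that each server hands its partner the RSA public key directly (ADFS carries it in the X.509 certificate exchanged when the trust is set up); the names FS-A, FS-R, the claim names and the application name are illustrative.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Token stands in for the SAML 1.1 assertion ADFS issues; it is signed as a whole.
type Token struct {
	Issuer   string            `json:"issuer"`
	Audience string            `json:"audience"`
	Subject  string            `json:"subject"`
	Claims   map[string]string `json:"claims"`
	NotAfter time.Time         `json:"not_after"`
	Sig      []byte            `json:"sig,omitempty"`
}

// digest hashes every field except the signature (json.Marshal sorts map keys).
func (t Token) digest() []byte {
	t.Sig = nil
	b, _ := json.Marshal(t)
	h := sha256.Sum256(b)
	return h[:]
}

// FederationServer models one ADFS federation server (FS-A or FS-R); audit is left out.
type FederationServer struct {
	Name           string
	key            *rsa.PrivateKey
	Pub            *rsa.PublicKey            // in ADFS this is the public key of the server's X.509 certificate
	Trusted        map[string]*rsa.PublicKey // trust: partner issuer name -> its verified signing key
	ClaimsAllowed  map[string]bool           // privacy: claims this server releases outbound
	ClaimsRequired []string                  // security: claims an inbound token must carry
}

// NewFederationServer creates a server with a fresh RSA key pair.
func NewFederationServer(name string, allowed map[string]bool, required []string) (*FederationServer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &FederationServer{Name: name, key: key, Pub: &key.PublicKey, ClaimsAllowed: allowed,
		ClaimsRequired: required, Trusted: map[string]*rsa.PublicKey{}}, nil
}

// Issue applies the privacy policy (only allowed claims leave) and signs with the RSA private key.
func (fs *FederationServer) Issue(subject, audience string, claims map[string]string, now time.Time) (Token, error) {
	t := Token{Issuer: fs.Name, Audience: audience, Subject: subject,
		Claims: map[string]string{}, NotAfter: now.Add(10 * time.Minute)}
	for k, v := range claims {
		if fs.ClaimsAllowed[k] {
			t.Claims[k] = v
		}
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, fs.key, crypto.SHA256, t.digest())
	if err != nil {
		return Token{}, err
	}
	t.Sig = sig
	return t, nil
}

// Accept verifies an inbound partner token: signature, then audience, expiry and required claims.
func (fs *FederationServer) Accept(t Token, now time.Time) error {
	pub, ok := fs.Trusted[t.Issuer]
	if !ok {
		return fmt.Errorf("untrusted issuer %q", t.Issuer)
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, t.digest(), t.Sig); err != nil {
		return fmt.Errorf("issuer %q: bad signature: %w", t.Issuer, err)
	}
	if t.Audience != fs.Name {
		return fmt.Errorf("token audience %q is not %q", t.Audience, fs.Name)
	}
	if !now.Before(t.NotAfter) {
		return fmt.Errorf("token expired at %s", t.NotAfter.Format(time.RFC3339))
	}
	for _, c := range fs.ClaimsRequired {
		if _, ok := t.Claims[c]; !ok {
			return fmt.Errorf("required claim %q missing", c)
		}
	}
	return nil
}

// Swap is the exchange at the domain boundary: FS-R accepts the account partner's
// token and re-issues one under its own key for the application behind it.
func (fs *FederationServer) Swap(in Token, app string, now time.Time) (Token, error) {
	if err := fs.Accept(in, now); err != nil {
		return Token{}, err
	}
	return fs.Issue(in.Subject, app, in.Claims, now)
}
```

Wiring it up: FS-R stores FS-A's public key under the issuer name "FS-A", FS-A issues a token with audience "FS-R", and FS-R swaps it for a token it signs itself for the application. The privacy filter means a claim FS-A never listed as allowed (a national ID number, say) does not leave the account forest even if the directory holds it; the audience check stops a token minted for one relying party from being replayed to another; and the expiry check bounds how long a captured token stays useful, which is why the slide can afford to send tokens unencrypted as long as every hop is HTTPS.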

Shibboleth Interoperability
- Shibboleth project sponsored by Microsoft and ADFS
- Shibboleth System 1.3 release: developing plug-ins for SAML 1.1 Identity and Service Providers
- Support WS-Federation Passive Requestor Interoperability Profile: enables interop with ADFS and other compliant vendor products
- Shibboleth beta version available now; need "qualified" customers for testing


CardSpace - End-to-end

Parties: Identity Provider (IP), Relying Party (RP), Client (InfoCard), User.

1. Client would like to access a resource.
2. RP communicates the token's requirements.
3. InfoCard filters cards that satisfy the requirements.
4. User selects a card.
5. The selected card specifies where to get the token. InfoCard also passes the RP's requirements to the IP.
6. IP generates the token based on the RP's requirements.
7. User approves the release of the token.
8. Token is released to the RP. The RP could make authorization decisions based on the token.

Cards shown on the slide: a fabrikam card (Bob Kelly, 1306 - 2523), a Washington State ID (Bob Kelly, Exp 6/12/2008), Anonymous, and My Card.


What's in a Card?

Example card: Alice's Book Club Card
- Name: Alice's Book Club Card
- Expires: 9/15/2006
- Image
- Issuer: Fabrikam
- Supported Claims: { GivenName, LastName, Address, City, … }
- Issuer Token Service EPRs
- Supported Token Type: { SAML 1.1 }
- …

Card face shown: Alice Woodward, 1306 - 2523, Exp 9/15/2006, Alice's Book Club Card, Fabrikam.

Claim values are owned by the Identity Provider; the card itself lists only the claim types the issuer supports and where to get a token.
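The card filtering of step 3 in the CardSpace flow above, driven by the card fields on this slide, as an added Go example that is not part of the presentation and is not CardSpace code. The card structure follows the slide; Alice's Book Club Card uses the values shown, while the claims of the Washington State ID, the "Gym Membership" card and every endpoint string are constructed, and plain strings stand in for the WS-Addressing endpoint references.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Card mirrors the fields on the "What's in a Card?" slide. It carries claim types,
// token types and the issuer's token-service endpoints, but no claim values: those
// stay with the identity provider and arrive only inside a freshly issued token.
type Card struct {
	Name            string
	Issuer          string
	Expires         time.Time
	SupportedClaims []string
	TokenTypes      []string // e.g. "SAML 1.1"
	IssuerEPRs      []string // constructed stand-ins for the issuer token service EPRs
}

// RPPolicy is what the relying party communicates in step 2: the claim types it
// needs and the token type it can consume.
type RPPolicy struct {
	RequiredClaims []string
	TokenType      string
}

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// Satisfies is the step-3 test applied to one card: not expired, issues the
// requested token type, and offers every claim type the RP requires.
func (c Card) Satisfies(p RPPolicy, now time.Time) bool {
	if !now.Before(c.Expires) || !contains(c.TokenTypes, p.TokenType) {
		return false
	}
	for _, claim := range p.RequiredClaims {
		if !contains(c.SupportedClaims, claim) {
			return false
		}
	}
	return true
}

// FilterCards returns the names of the cards the selector would offer the user
// in step 3, sorted so the result is stable.
func FilterCards(cards []Card, p RPPolicy, now time.Time) []string {
	var names []string
	for _, c := range cards {
		if c.Satisfies(p, now) {
			names = append(names, c.Name)
		}
	}
	sort.Strings(names)
	return names
}

// TokenRequest is what the selector sends to the issuer in step 5: endpoint plus the RP's requirements.
type TokenRequest struct {
	Endpoint  string
	TokenType string
	Claims    []string
}

// BuildRequest prepares the step-5 request for the card the user picked in step 4.
// A card whose issuer publishes no endpoint cannot be used even if it matches.
func BuildRequest(c Card, p RPPolicy, now time.Time) (TokenRequest, error) {
	if !c.Satisfies(p, now) {
		return TokenRequest{}, fmt.Errorf("card %q does not satisfy the relying party's policy", c.Name)
	}
	if len(c.IssuerEPRs) == 0 {
		return TokenRequest{}, fmt.Errorf("card %q has no issuer token service endpoint", c.Name)
	}
	return TokenRequest{Endpoint: c.IssuerEPRs[0], TokenType: p.TokenType, Claims: p.RequiredClaims}, nil
}

// SampleCards is a constructed wallet: the slide's Alice's Book Club Card plus two invented cards.
func SampleCards() []Card {
	return []Card{
		{Name: "Alice's Book Club Card", Issuer: "Fabrikam", Expires: time.Date(2006, 9, 15, 0, 0, 0, 0, time.UTC),
			SupportedClaims: []string{"GivenName", "LastName", "Address", "City"}, TokenTypes: []string{"SAML 1.1"},
			IssuerEPRs: []string{"https://sts.fabrikam.example/trust"}},
		{Name: "Washington State ID", Issuer: "Washington State", Expires: time.Date(2008, 6, 12, 0, 0, 0, 0, time.UTC),
			SupportedClaims: []string{"GivenName", "LastName", "DateOfBirth"}, TokenTypes: []string{"SAML 1.1"},
			IssuerEPRs: []string{"https://id.wa.example/sts"}},
		{Name: "Gym Membership", Issuer: "Contoso Gym", Expires: time.Date(2009, 1, 1, 0, 0, 0, 0, time.UTC),
			SupportedClaims: []string{"GivenName"}, TokenTypes: []string{"SAML 1.1"}},
	}
}
```

One detail worth noticing: on the date of this talk (9/21/2006) Alice's Book Club Card has already passed its 9/15/2006 expiry, so a selector applying the filter above would no longer offer it, and only the Washington State ID would remain for a relying party asking for GivenName and LastName. The filter works purely on claim types and token types, which is the point of the slide: nothing about Alice's actual name or address is on the card or visible to the RP until the identity provider issues the token and the user approves its release.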

Closing slide diagram, the surrounding Microsoft platform: Guidance; Developer Tools; Systems Management; Active Directory Federation Services (ADFS); Identity Management; Services; Information Protection (Encrypting File System (EFS), BitLocker™); Network Access Protection (NAP); Client and Server OS; Server Applications; Edge.

We just scratched the surface…
