Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft
Understanding Active Directory
Microsoft Virtual Academy
Active Directory Federation Services (AD FS)
Module Overview
• AD FS Overview
• AD FS Deployment Scenarios
• Configuring AD FS Components
Lesson 1: AD FS Overview
• What Is Identity Federation?
• What Are the Identity Federation Scenarios?
• Benefits of Deploying AD FS
What is Identity Federation?
Identity federation is a process that enables distributed identification, authentication, and authorization across organizational and platform boundaries
An identity federation:
• Requires a trust relationship between two organizations or entities
• Allows organizations to retain control of:
  • Resource access
  • Their own user and group accounts
What Are the Identity Federation Scenarios?
Federation for business-to-consumer or business-to-employee in a Web single sign-on scenario
Federation for business-to-business (B2B)
Federation within an organization across multiple Web applications
Benefits of Deploying AD FS
AD FS provides the following benefits:
Works with Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS)
Extends AD DS to the Internet
Enables improved:
• Security and control over authentication
• Regulatory compliance
• Interoperability with heterogeneous systems
Demonstration: Installing AD FS
• In this demonstration, you will see how to install the Active Directory Federation Services Server Role
Lesson 2: AD FS Deployment Scenarios
• What Is a Federation Trust?
• What Are the AD FS Components?
• How AD FS Provides Identity Federation in a B2B Scenario
• How AD FS Traffic Flows in a B2B Federation Scenario
• How AD FS Provides Web Single Sign-On
• Integrating AD FS and AD RMS
What Is a Federation Trust?
[Diagram: Federation Trust between the Account Partner Organization and the Resource Partner Organization. Labels: AD DS, Account Federation Server, Resource Federation Server, Web Server]
What Are the AD FS Components?
AD FS Components:
• AD FS Web Agent
• Resource Federation Server Proxy
• Account Federation Server
• AD DS domain controllers
• Account Federation Service Proxy
• Resource Federation Server
How AD FS Provides Identity Federation in a B2B Scenario
[Diagram: Federation Trust between Contoso and the Online Retailer, spanning the PERIMETER NETWORK and the INTRANET FOREST. Labels: AD DS, Account Federation Server, Account Federation Server Proxy, Resource Federation Server, Resource Federation Server Proxy, AD FS-enabled Web Server]
How AD FS Traffic Flows in a Business to Business Federation Scenario
[Diagram: numbered traffic flow (steps 1 to 5) across the Federation Trust between Contoso and the Online Retailer. Labels: AD DS, Account Federation Server, Resource Federation Server, Web Server]
Lesson 3: Configuring AD FS Components
• Federation Service Configuration Options
• What Are AD FS Trust Policies?
• Demonstration: Configuring the Federation Services for an Account Partner
• AD FS Web Proxy Agent Configuration Options
• What Are AD FS Claims?
Federation Service Configuration Options
To implement the federation service:
Create and configure applications
Create a trust policy for both the resource and account partners
Create organizational claims
Create account stores
What Are AD FS Trust Policies?
Trust policies are the configuration settings that define how to configure a federated trust and how the federated trust works
Resource partner trust policies include:
• Token Lifetime
• Federation Service URI
• Federation Service endpoint URL
• The option to use a Windows trust relationship for this partner
In addition, the account partner trust policies include:
• Location for a certificate to verify the resource partner
• Options for configuring how resource accounts are created
Demonstration: AD FS Initial Configuration
• In this demonstration, you will see how to run the AD FS Management Snap-In and run through the initial configuration steps.
AD FS Web Proxy Agent Configuration Options
1. Install the AD FS Web Agent on the IIS server
• Windows Token-based authentication requires ISAPI extensions
• Claims-aware authorization can authenticate natively with ASP.NET
2. Determine how to collect user credential information from browser clients and Web applications
What Are AD FS Claims?
Claim Type: Description
Identity:
• UPN: indicates a Kerberos version 5 protocol-style user principal name (UPN), for example: user@realm
• E-mail: indicates Request for Comments (RFC) 2822-style e-mail names of the form user@domain
• Common name: indicates an arbitrary string that is used for personalization
Group:
• Indicates membership in a group or role
Custom:
• Indicates a claim that contains custom information about a user, for example, an employee ID number
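A simplified model of how a resource partner could apply the trust policy settings (Federation Service URI, token lifetime) and the claim types above to an incoming token. This is an added example, not part of the presentation and not AD FS code; `TrustPolicy`, `evaluate_token`, the token dictionary layout, the URNs and all sample values are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+$")            # user@realm
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # user@domain (simplified)

@dataclass(frozen=True)
class TrustPolicy:                 # hypothetical model of the settings listed above
    partner_uri: str               # Federation Service URI of the account partner
    token_lifetime: timedelta      # Token lifetime
    mapped_groups: frozenset       # group claims this resource partner recognises

def evaluate_token(policy, token, now):
    """Return (claims, reasons); claims is None when the token is rejected."""
    reasons = []
    if token["issuer"] != policy.partner_uri:
        reasons.append("untrusted issuer")
    age = now - token["issued_at"]
    if age < timedelta(0) or age > policy.token_lifetime:
        reasons.append("outside token lifetime")
    raw = token["claims"]
    identity = {}
    for name, pattern in (("upn", UPN_RE), ("email", EMAIL_RE)):
        value = raw.get("identity", {}).get(name)
        if value is not None:
            if pattern.match(value):
                identity[name] = value
            else:
                reasons.append(f"malformed {name} claim")
    if "common_name" in raw.get("identity", {}):
        identity["common_name"] = raw["identity"]["common_name"]
    if not identity:
        reasons.append("no usable identity claim")   # assumption of this example
    if reasons:
        return None, reasons
    # Group claims the policy does not map are dropped rather than trusted.
    groups = [g for g in raw.get("group", []) if g in policy.mapped_groups]
    return {"identity": identity, "group": groups,
            "custom": dict(raw.get("custom", {}))}, []

# Constructed sample data (not from the presentation).
NOW = datetime(2013, 1, 1, 12, 0, tzinfo=timezone.utc)
POLICY = TrustPolicy("urn:federation:contoso", timedelta(minutes=60),
                     frozenset({"Purchasers"}))
GOOD = {"issuer": "urn:federation:contoso", "issued_at": NOW - timedelta(minutes=5),
        "claims": {"identity": {"upn": "alice@contoso.example"},
                   "group": ["Purchasers", "Domain Admins"],
                   "custom": {"employee_id": "1001"}}}
STALE = dict(GOOD, issued_at=NOW - timedelta(hours=2))
UNTRUSTED = dict(GOOD, issuer="urn:federation:other",
                 claims={"identity": {"upn": "alice"}})
```

Evaluating `GOOD` keeps only the mapped `Purchasers` group, while `STALE` and `UNTRUSTED` are rejected with the reasons listed in the second return value.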
Module Review and Takeaways
• Review Questions
• Summary of AD FS
Thanks for Watching!
©2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.