AD FS 2 & Claims-Based Identity
Laura E. Hunter, Identity Lady, AD FS Zealot
laura.hunter@lhaconsulting.com | http://www.shutuplaura.com | @adfskitteh
The Problem? We Lack a Consistent Identity Layer for Applications
The Result? Hard-coded dependencies, “Continuous Wheel Re-Invention”, resistance to change
LDAP://dc1.bigfirm.com/ou=FTEs,dc=bigfirm,dc=com
filter = (&(objectClass=user)(|(sn=*smith*)(displayName=*smith*)(givenName=*smith*)(cn=*smith*)))
How many different ways can you authenticate to an app?
Managing Application Identity – First Principles
1. Identify the Caller
2. Extract Information for AuthZ & Personalization
Windows Integrated Authentication
Does Active Directory work everywhere?
What’s the Solution?
So What’s a Claim?
“I am a member of the Marketing group”
“My email address is …”
“I am over 21 years of age”
Populated using information from AD / ADAM / AD LDS / SQL
Expressed using the SAML format
Abridged SAML Token (Don’t Squint, Just Get the Big Idea!)
<saml:Assertion AssertionID="..." IssueInstant="2006-07-11T03:15:40Z" Issuer="https://adatum-dc1.adatum.com">
  <saml:Conditions NotBefore="2006-07-11T03:15:40Z" NotOnOrAfter="2006-07-11T04:15:40Z">
    <saml:Audience>https://contoso-dc1.contoso.com</saml:Audience>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2006-07-11T03:15:40Z" AuthenticationMethod="urn:federation:authentication:windows">
    <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">adamcar@adatum.com</saml:NameIdentifier>
  </saml:AuthenticationStatement>
  <saml:Attribute AttributeName="Group">
    <saml:AttributeValue>Administrators</saml:AttributeValue>
  </saml:Attribute>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">ab315cdff14d</Signature>
</saml:Assertion>
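As an added example (not from the deck), the checks a resource partner such as Contoso applies to a token of the shape shown above before acting on its claims: issuer against the federation trust, signature present, validity window with clock skew, audience, and only then claim extraction. The SAML 1.0 xmlns and the AssertionID value are assumptions; the sample follows the slide's abridged nesting, but the lookups also find Audience and Attribute elements in their full-schema positions.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # assumed; the slide omits the xmlns
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML_NS, "ds": DSIG_NS}

# Constructed sample: the slide's abridged token made well-formed. The xmlns
# declaration and the AssertionID value are assumptions, not from the deck.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" AssertionID="_example-assertion-id"
    IssueInstant="2006-07-11T03:15:40Z" Issuer="https://adatum-dc1.adatum.com">
  <saml:Conditions NotBefore="2006-07-11T03:15:40Z" NotOnOrAfter="2006-07-11T04:15:40Z">
    <saml:Audience>https://contoso-dc1.contoso.com</saml:Audience>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2006-07-11T03:15:40Z"
      AuthenticationMethod="urn:federation:authentication:windows">
    <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">adamcar@adatum.com</saml:NameIdentifier>
  </saml:AuthenticationStatement>
  <saml:Attribute AttributeName="Group">
    <saml:AttributeValue>Administrators</saml:AttributeValue>
  </saml:Attribute>
  <Signature xmlns="{DSIG_NS}">ab315cdff14d</Signature>
</saml:Assertion>"""


class AssertionRejected(Exception):
    """The resource partner must not act on this token."""


@dataclass(frozen=True)
class RelyingPartyPolicy:
    trusted_issuers: frozenset      # the federation trust: account partners we accept
    audience: str                   # the identifier our own resource expects
    clock_skew: timedelta = timedelta(minutes=5)


@dataclass
class Claims:
    issuer: str
    upn: str
    auth_method: str
    groups: list = field(default_factory=list)


# Contoso (resource partner in the deck) trusting A. Datum (account partner).
CONTOSO_POLICY = RelyingPartyPolicy(frozenset({"https://adatum-dc1.adatum.com"}),
                                    "https://contoso-dc1.contoso.com")


def parse_saml_time(value):
    # SAML timestamps are UTC with a trailing Z.
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        raise AssertionRejected("malformed timestamp")


def validate_assertion(xml_text, policy, now):
    """Run the relying-party checks in order; return Claims or raise AssertionRejected."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        raise AssertionRejected("malformed XML")
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise AssertionRejected("not a SAML assertion")
    # 1. Issuer must be an account partner covered by the federation trust.
    if root.get("Issuer") not in policy.trusted_issuers:
        raise AssertionRejected("untrusted issuer")
    # 2. Signed token required. A real relying party verifies the XML-DSig against
    #    that issuer's token-signing certificate; this example only checks presence.
    if root.find("ds:Signature", NS) is None:
        raise AssertionRejected("unsigned assertion")
    # 3. Validity window, allowing a small clock skew between the two forests.
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise AssertionRejected("missing Conditions")
    if now < parse_saml_time(conditions.get("NotBefore")) - policy.clock_skew:
        raise AssertionRejected("assertion not yet valid")
    if now >= parse_saml_time(conditions.get("NotOnOrAfter")) + policy.clock_skew:
        raise AssertionRejected("assertion expired")
    # 4. Audience: a token minted for another resource partner is not ours to honour
    #    (iter() also finds Audience under the full schema's AudienceRestrictionCondition).
    audiences = {a.text.strip() for a in conditions.iter(f"{{{SAML_NS}}}Audience") if a.text}
    if policy.audience not in audiences:
        raise AssertionRejected("audience mismatch")
    # 5. Only now read the claims the application will use for AuthZ and personalisation.
    auth = root.find("saml:AuthenticationStatement", NS)
    name_id = auth.find("saml:NameIdentifier", NS) if auth is not None else None
    if name_id is None or not name_id.text:
        raise AssertionRejected("missing subject NameIdentifier")
    claims = Claims(root.get("Issuer"), name_id.text.strip(), auth.get("AuthenticationMethod", ""))
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):   # also matches inside an AttributeStatement
        if attr.get("AttributeName") == "Group":
            claims.groups += [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return claims


def evaluate(xml_text, now_iso, policy=CONTOSO_POLICY):
    """Convenience wrapper: ('accept', Claims) or ('reject', reason)."""
    try:
        return "accept", validate_assertion(xml_text, policy, parse_saml_time(now_iso))
    except AssertionRejected as exc:
        return "reject", str(exc)
```

`evaluate(SAMPLE_ASSERTION, "2006-07-11T03:30:00Z")` accepts and yields the UPN and Group claims; the same token evaluated at 05:00 UTC, or against a policy with a different audience or an empty trust list, is rejected with the matching reason.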
AD FS is all about the apps!
What is this… “claims-aware” application of which you speak?
Standards-based: WS-Federation, WS-Trust, SAML 2.0
Use cases: WebSSO, Web Services (WCF)
What Can I do with this?
Application Access in a Single Org
Federated Application Access (diagram): Account Partner (ADATUM), the A. Datum account forest, and Resource Partner (CONTOSO), the Trey Research resource forest, joined by a Federation Trust
SSO to Service Providers
Cloudy with a Chance of Federation
So what does it look like?
WS-Fed Passive Profile (diagram): Account Partner (Users), the A. Datum account forest, and Resource Partner (Resource), the Trey Research resource forest, joined by a Federation Trust
Something lost, something gained… What about passwords? What about deprovisioning?
Liberty Alliance Results…
ADFS 2 SAML 2.0 interop testing with Entrust, IBM, Novell, Ping, SAP, Siemens
Profiles: IdP Lite, SP Lite, EGov 1.5
Matrix testing results: http://www.projectliberty.org/liberty/liberty_interoperable/implementations/saml_2_0_test_procedure_v3_2_2_full_matrix_implementation_table_q309/
If you remember nothing else but this…
I want the integrity of your users’ identity information when they access my resources…
…to be at least as good…
…as the integrity of your users’ identity information when they access your resources.
AD FS 2.0 Availability, Pricing
AD FS components are Windows components: no additional server software costs …but it’s all about the apps!
AD FS v2 (was “Geneva”): Release Candidate available now; RTM… “Soon”
Windows Identity Foundation (.NET developer platform): free download, available now!
AD Cookbook, 3rd Edition: best-selling Active Directory title
What’s New? Windows Server 2008 coverage: Read Only Domain Controllers (RODCs), Fine Grained Password Policies (FGPPs), Exchange 2007 integration & scripting, Identity Lifecycle Manager 2007, Windows PowerShell & Active Directory, .NET programming, new user interface features
Always more than one way!
Learn More! http://oreilly.com/catalog/9780596521103/
Thank You! mailto: laura.hunter@lhaconsulting.com blog: http://www.shutuplaura.com twitter: @adfskitteh

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 

Adfs 2 & claims based identity

  • 1. AD FS 2 & Claims-Based Identity Laura E. Hunter Identity Lady, AD FS Zealot laura.hunter@lhaconsulting.com http://www.shutuplaura.com @adfskitteh
  • 2. The Problem? We Lack a Consistent Identity Layer for Applications
  • 3. The Result? Hard-coded dependencies, “Continuous Wheel Re-Invention”, Resistance to Change
  • 6. How many different ways can you authenticate to an app?
  • 7. Managing Application Identity – First Principles 1. Identify the Caller 2. Extract Information for AuthZ & Personalization
  • 8. Windows Integrated Authentication Does Active Directory work everywhere?
  • 12. So What’s a Claim? “I am a member of the Marketing group” “My email address is …” “I am over 21 years of age” Populated using information from AD/ADAM/ADLDS SQL Expressed using the SAML format
  • 13. <saml:Assertion AssertionID="..." IssueInstant="2006-07-11T03:15:40Z" Issuer="https://adatum-dc1.adatum.com"> <saml:Conditions NotBefore="2006-07-11T03:15:40Z" NotOnOrAfter="2006-07-11T04:15:40Z"> <saml:Audience>https://contoso-dc1.contoso.com</saml:Audience> </saml:Conditions> <saml:AuthenticationStatement AuthenticationInstant="2006-07-11T03:15:40Z" AuthenticationMethod="urn:federation:authentication:windows"> <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">adamcar@adatum.com</saml:NameIdentifier> </saml:AuthenticationStatement> <saml:Attribute AttributeName="Group"> <saml:AttributeValue>Administrators</saml:AttributeValue> </saml:Attribute> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">ab315cdff14d</Signature> </saml:Assertion> Abridged SAML Token (Don’t Squint, Just Get the Big Idea!)
  • 14. AD FS is all about the apps!
  • 15. Standards-based: WS-Federation WS-Trust SAML 2.0 Use cases: WebSSO Web Services (WCF) What is this…“claims-aware” application of which you speak?
  • 16. What Can I do with this?
  • 17. Application Access in a Single Org
  • 18. Account Partner (ADATUM) Resource Partner (CONTOSO) A. Datum Account Forest Trey Research Resource Forest Federation Trust Federated Application Access
  • 19. SSO to Service Providers
  • 20. Cloudy with a Chance of Federation
  • 21. So what does it look like?
  • 22. WS-Fed Passive Profile Account Partner (Users) Resource Partner (Resource) A. Datum Account Forest Trey Research Resource Forest Federation Trust
  • 23. Something lost, something gained… What about passwords? What about deprovisioning?
  • 24. Liberty Alliance Results… ADFS 2 SAML 2.0 Interop Testing with Entrust, IBM, Novell, Ping, SAP, Siemens IdP Lite SP Lite EGov 1.5 Matrix testing results: http://www.projectliberty.org/liberty/liberty_interoperable/implementations/saml_2_0_test_procedure_v3_2_2_full_matrix_implementation_table_q309/
  • 26. If you remember nothing else but this…
  • 27. I want the integrity of your users’ identity information when they access my resources…
  • 28. …to be at least as good…
  • 29. as the integrity of your users’ identity information when they access your resources.
  • 30. AD FS components are Windows components No additional server software costs …but it’s all about the apps! AD FSv2 (was “Geneva”) Release Candidate Available Now RTM…“Soon” Windows Identity Foundation .NET Developer Platform Free Download Available now! AD FS 2.0 Availability, Pricing
  • 31. AD Cookbook, 3rd Edition Best selling Active Directory title What’s New? Windows Server 2008 coverage: Read Only Domain Controllers (RODCs) Fine Grained Password Policies (FGPPs) Exchange 2007 integration & scripting Identity Lifecycle Manager 2007 Windows PowerShell & Active Directory .NET programming New user interface features Always more than one way! Learn More! http://oreilly.com/catalog/9780596521103/
  • 32. Thank You! mailto: laura.hunter@lhaconsulting.com blog: http://www.shutuplaura.com twitter: @adfskitteh
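Slide 13 shows what a claims token looks like; what it does not show is what the resource partner's application has to check before it believes those claims. The following is an added example, not code from the deck or from AD FS/WIF: it walks a SAML 1.x assertion the way a relying party should, checking the issuer, the NotBefore/NotOnOrAfter window (with a small clock-skew allowance) and the Audience, and only then extracting the NameIdentifier and Attribute claims. The token is a constructed sample modelled on the deck's abridged one, the namespace and element nesting follow SAML 1.1, and signature verification is assumed to have been done already by the XML-DSig layer.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.x assertion namespace
NS = {"saml": SAML1}

# Constructed sample modelled on the deck's abridged token. It carries no real XML-DSig
# signature: verifying that against the account partner's certificate is assumed to happen first.
SAMPLE_TOKEN = f"""<saml:Assertion xmlns:saml="{SAML1}" AssertionID="_constructed-1"
    IssueInstant="2006-07-11T03:15:40Z" Issuer="https://adatum-dc1.adatum.com">
  <saml:Conditions NotBefore="2006-07-11T03:15:40Z" NotOnOrAfter="2006-07-11T04:15:40Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://contoso-dc1.contoso.com</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2006-07-11T03:15:40Z"
      AuthenticationMethod="urn:federation:authentication:windows">
    <saml:Subject><saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">adamcar@adatum.com</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="Group" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>Administrators</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(s):  # SAML 1.x timestamps are UTC with a trailing 'Z'
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def extract_claims(token_xml, expected_issuer, expected_audience, now_iso, skew_s=300):
    """Return {claim_type: [values]} if the assertion is acceptable for this RP, else raise."""
    a = ET.fromstring(token_xml)
    if a.tag != f"{{{SAML1}}}Assertion":
        raise ValueError("not a SAML 1.x Assertion")
    cond = a.find("saml:Conditions", NS)
    if cond is None or a.get("Issuer") != expected_issuer:   # only the trusted account partner may mint tokens
        raise ValueError("untrusted issuer or missing Conditions")
    now, skew = _ts(now_iso), dt.timedelta(seconds=skew_s)
    if not (_ts(cond.get("NotBefore")) - skew <= now < _ts(cond.get("NotOnOrAfter")) + skew):
        raise ValueError("token outside its validity window")
    audiences = {e.text.strip() for e in cond.findall(".//saml:Audience", NS)}
    if expected_audience not in audiences:   # a token minted for a different RP must not be honoured here
        raise ValueError("token not issued for this audience")
    claims = {}
    for nid in a.findall(".//saml:NameIdentifier", NS):
        claims.setdefault(nid.get("Format"), []).append(nid.text.strip())
    for attr in a.findall(".//saml:Attribute", NS):
        key = attr.get("AttributeNamespace", "") + "/" + attr.get("AttributeName")
        claims.setdefault(key, []).extend(v.text.strip() for v in attr.findall("saml:AttributeValue", NS))
    return claims
```

The returned dictionary is the application's entire view of the user: the AuthZ and personalization decisions from slide 7 are made against these claim types, never against a direct LDAP query.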

Editor's notes

  1. Hard-coded dependencies
  2. Re-inventing the wheel – asking our devs to be AD experts
  3. Resistance to change – smart card, cloud, etc.
  4. Identify the caller (AuthN); grep information about the caller for AuthZ & personalization
  5. Partner fed
  6. Fed with the cloud
  7. Hide. FedUtil, pre-baked RP trust
  8. For WinHIED
  9. For WinHIED