Integration of Directories and Federation
Javier Vasquez
Senior Technology Specialist
Federal Platforms Team
Microsoft
Where it all began
• Infrastructure Directories
  • StreetTalk
  • NDS
  • AD
• Application Specific Directories
  • X.500
  • LDAP
  • AD/AM
• Good for Enterprises
• Hard to Federate
Windows IdM
Active Directory – Foundation for Identity Management

Central Repository for:
• User Accounts & Attributes
• System Accounts & Attributes
• Organizational & Security Groups
• Application & Service Locations
• Management Policy
• Security Policy
• Digital Certificates
• Network Access Permissions
• Printer Locations
• File Shares Locations
• …

Integrated Security
• Kerberos v5
• Mac OS Kerberos PAM
• X.509 Certificates (PKI)
• Security Domain

Directory Access Protocols
• LDAP v3 – Standards-based access
• ADSI – Simple COM-based Interface
• DSML – XML Interface

(Diagram label: Active Directory)
http://www.microsoft.com/business/security/access/whpaper.mspx
Reduced Enterprise Sign-on
Extending Windows SSO
(Diagram: Active Directory – Logon to AD; UNIX; 390/AS400; Kerberos Application; Windows)

Services for UNIX
• NIS Server for AD
• NIS-AD directory sync
• Password synchronization
• User name mapping

Host Integration Server
• Windows to RACF accounts
• Windows to OS/400 Security System
• Bi-Directional Password Synchronization

Kerberos
• Native AuthN protocol
• MIT v5 Compliant
• Carries group info in PAC
• Windows PAC is open
• SCO, Vintella, Java SSO through Windows
Reduced Enterprise IdM
LDAP Authentication & Directory Integration
(Diagram: Account Directory (LDAP, SQL) and Enterprise App; Exchange, Web Service, File Share and Applications around Active Directory; MIIS 2003)

Integrate LDAP with AD
• LDAP v3 compliant
• Single AD and LDAP user account
• AD/AM for personalization data

Microsoft Identity Integration Server
• Directory synchronization
  • LDAP (eg SunONE & others)
  • Relational databases
  • DSML
  • Application specific
• Account Provisioning
  • Automate account creation
  • Automate account de-provisioning
• Password Management (MIIS 2003)
  • Self-service password reset
• Certificate Management
Extending Active Directory
• Newer concepts
  • ADAM
  • DSML gateway
  • Distributed IdM Web Services
ADAM - Integrating extended LDAP app with AD
• Store app data without extending infra DS schema
• App data keyed off identifier from infra directory
• Maintain central user repository!
(Diagram: ADAM beside the Infrastructure Active Directory; a Web app (client and server) stores and retrieves data; data specific to the portal app vs. data shared by all apps; the user object (right) and its “shadow” (left))
Extending Infrastructure AD with DSML
(Diagram: “This is the URL to which we will post”; transport could be SOAP or HTTP; DS Access)
Distributed IdM technologies
• How do we distribute IdM services?
• ADFS and AZ-Manager
Security in a Web Services World – IBM/MSFT White Paper
WS-Security Specification – Ratified April 2004
(Diagram of the WS-* stack: Security, Privacy, Trust, Policy; Authorization, Federation, SecureConversation; SOAP Foundation; Web Services Applications; “Today”)
WS-Security and Liberty AllianceWS-Security and Liberty Alliance
Rich Application stack vs.Rich Application stack vs.
IdM stackIdM stack
ID-WSF Web Services FrameworkID-WSF Web Services Framework
ID-FF – Identity Federation FrameworkID-FF – Identity Federation Framework
ID-FFID-FFID-FFID-FF
ID-WSFID-WSFID-WSFID-WSF
The Vision and Future of SSO
B2B Federated Single Sign-on
(Diagram: Active Directory with Exchange, Web Service, Collaboration and Intranet Applications; User Account/Credentials; Security Token (eg Kerberos Ticket); ADFS issues a Security Token for the WS-Security Application at Supplier A and at Supplier B)

Supplier A – requires XRML
1. ADFS creates XRML token
2. Signs it with company’s private key
3. Sends it back to the user
4. Access Supplier with the token

Supplier B – requires SAML
1. ADFS creates SAML token
2. Signs it with company’s private key
3. Sends the token back to the user
4. Accesses Supplier B using the token
ADFS Logon Server
SOAP rich client proxy for browsers
(Diagram: Active Directory; ADFS Web-based Logon Server; Web Front End; Web Service; Security Token; Security Message)
• User authenticates to Logon server (forms based)
• ADFS validates credentials with Active Directory
• ADFS creates the requested security token
• Logon server returns token to client
• Client forwards token to web front end
• Front end sends WS-Security msg with token to web service
Active Directory Federation Service Architecture
Federation Service (FS)
• Issues security tokens for users
• Manages policy between federated security realms
Logon Service (LS)
• Provides UI to authenticate users
• Proxies WS-*/SOAP protocols for passive (dumb) clients
Web Server SSO Agent
• Enforces user authentication
• Creates user authorization context
Note:
• SSO Agent, LS & FS require IISv6-W2K03
• LS and FS can be co-located
• Supports W2K or W2K03 forests
(Diagram: protocol labels HTTPS, SOAP, LDAP)
Windows 2003 AzMan
Roles based access control (RBAC)
Authorization API
IIS6 URL Authorization
(Diagram: Business Process Applications (E-Commerce, LOB Applications, …) call the Authorization API (.NET Framework); the Authorization Administration Manager provides a Common Management UI over a Policy Store held in Active Directory or XML (Files, SQL))

Policy Definitions
• Global app groups
• Applications
  • Roles
  • Tasks
  • Operations
  • Role assignments
  • Scopes
  • App groups
  • BizRules

Policy Store
• Role definitions
• Role assignment
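The policy objects on the AzMan slide form a small hierarchy: operations are the primitive checks an application makes, tasks bundle operations, roles bundle tasks, role assignments bind users or app groups to a role within a scope, and a BizRule can veto a task at check time. The following is an added example written for this page, not Microsoft's AzMan API or code: the class names, the sample e-commerce policy and the access_check routine are all constructed.

```python
"""Constructed model of the AzMan policy objects listed on the slide: operations,
tasks, roles, role assignments, scopes, application groups and BizRules. Added
example, not Microsoft's AzMan API; names and the sample policy are made up."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

BizRule = Callable[[dict], bool]  # runtime rule that can veto an otherwise-granted task


@dataclass
class Task:
    name: str
    operations: Set[str]  # the primitive checks an application makes
    bizrule: Optional[BizRule] = None


@dataclass
class Role:
    name: str
    tasks: Set[str]


class AzManStore:
    """Policy store plus the access check the Authorization API would perform."""

    APP_SCOPE = ""  # assignments in the application-wide scope apply everywhere

    def __init__(self):
        self.operations: Set[str] = set()
        self.tasks: Dict[str, Task] = {}
        self.roles: Dict[str, Role] = {}
        self.app_groups: Dict[str, Set[str]] = {}
        self.assignments: Dict[str, Dict[str, Set[str]]] = {}  # scope -> role -> principals

    def add_operation(self, name: str) -> None:
        self.operations.add(name)

    def add_task(self, name: str, operations, bizrule: Optional[BizRule] = None) -> None:
        unknown = set(operations) - self.operations
        if unknown:  # a task may only bundle operations the application declared
            raise ValueError(f"undefined operations: {sorted(unknown)}")
        self.tasks[name] = Task(name, set(operations), bizrule)

    def add_role(self, name: str, tasks) -> None:
        unknown = set(tasks) - self.tasks.keys()
        if unknown:
            raise ValueError(f"undefined tasks: {sorted(unknown)}")
        self.roles[name] = Role(name, set(tasks))

    def add_app_group(self, name: str, members) -> None:
        self.app_groups[name] = set(members)

    def assign_role(self, scope: str, role: str, principal: str) -> None:
        if role not in self.roles:
            raise ValueError(f"undefined role: {role}")
        self.assignments.setdefault(scope, {}).setdefault(role, set()).add(principal)

    def _principals_of(self, user: str) -> Set[str]:
        """The user plus every application group that lists the user."""
        return {user} | {g for g, members in self.app_groups.items() if user in members}

    def access_check(self, user: str, scope: str, operation: str,
                     context: Optional[dict] = None) -> bool:
        """True if a role assigned to the user in this scope (or application-wide)
        contains a task granting the operation whose BizRule, if any, passes."""
        if operation not in self.operations:
            return False  # deny by default: undeclared operations cannot be granted
        context = context or {}
        principals = self._principals_of(user)
        for sc in (scope, self.APP_SCOPE):
            for role_name, holders in self.assignments.get(sc, {}).items():
                if holders.isdisjoint(principals):
                    continue
                for task_name in self.roles[role_name].tasks:
                    task = self.tasks[task_name]
                    if operation in task.operations and (task.bizrule is None or task.bizrule(context)):
                        return True
        return False


def build_sample_store() -> AzManStore:
    """Constructed e-commerce policy: each scope is one store's order book."""
    s = AzManStore()
    for op in ("ReadOrder", "ApproveOrder", "RefundOrder"):
        s.add_operation(op)
    s.add_task("ViewOrders", {"ReadOrder"})
    # BizRule: approvals above the limit are refused whatever the caller's role
    s.add_task("ApproveOrders", {"ApproveOrder"}, bizrule=lambda ctx: ctx.get("amount", 0) <= 5000)
    s.add_task("IssueRefunds", {"RefundOrder"})
    s.add_role("Clerk", {"ViewOrders"})
    s.add_role("Manager", {"ViewOrders", "ApproveOrders", "IssueRefunds"})
    s.add_app_group("FinanceStaff", {"alice", "bob"})
    s.assign_role("store-eu", "Clerk", "FinanceStaff")  # a whole group, one scope only
    s.assign_role("store-eu", "Manager", "alice")
    s.assign_role("store-us", "Manager", "bob")
    return s
```

With the sample policy, bob can read orders in store-eu through the FinanceStaff group but can only approve them in store-us, and alice's approval right in store-eu stops at the BizRule limit. Keeping the policy in a store separate from the application, as the slide's Policy Store does, is what makes these assignments reviewable: an auditor can list who holds Manager in which scope without reading application code.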
Discussion
• Where do I extend and where do I Federate?
• Today Integrate; Tomorrow Integrate and/or Federate
(Diagram label: Extend)
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Federation Service
ASP.NET-hosted service running on IISv6 - W2K03 Server
• User authentication
  • Validates ID/Password via LDAP Bind for Forms-based Logon
• Security token generation
  • Retrieves user attributes for claim generation from AD (or ADAM) via LDAP search
  • Transforms claims (if required) between internal & federation namespaces
  • Builds security token & Returns to LS via WS-* SOAP messages
  • Builds “User SSO” cookie contents for LS
• Policy management
  • Establishes authority to issue security tokens by PKI-based key distribution
  • Defines supported token/claim types
  • Manages trust and defines shared namespace for Federated security realms
Logon Service
ASP.NET-hosted service running on IISv6 - W2K03 Server
• User authentication
  • Provides UI for Home Realm Discovery & Forms-based Logon
  • Authenticates users for Windows integrated authN (SSL, Kerberos, NTLM)
  • Writes “User SSO” cookie to Browser (similar to Kerberos TGT)
• Security token generation
  • Requests security token from FS via WS-* SOAP messages
  • Returns token to web server via “POST redirect” through Browser
Web Server SSO Agent
ISAPI extension for IISv6 (Need functional equivalent for Unix/Linux)
• User authentication
  • Intercepts URL GET requests & Redirects un-authenticated clients to LS
  • Writes “Web Server SSO” cookie to Browser (like Kerberos service ticket)
Windows Service
• User authorization
  • Creates NT Token for impersonation (AD users only)
Managed Web Module (Need functional equivalent for Unix/Linux)
• Security token processing
  • Validates user’s security token and parses claims in token
• User authorization
  • Populates ASP.NET IPrincipal context from claims to support IsInRole()
  • Provides raw claims to application
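The ADFS Logon Server slide (user authenticates, ADFS builds the requested token, the client forwards it, the front end validates it) and the Federation Service and Managed Web Module slides above describe one issue-and-validate cycle. Below is an added example written for this page, not AD FS code, that models that cycle: the directory entries, the claim mapping, the issuer and audience names and the key are constructed; an HMAC signature stands in for the private-key signature on the slides, and a JSON body stands in for the XrML/SAML token formats. The claim transformation (AD group DN to a federation-namespace role), the trusted-issuer, signature, audience and expiry checks, and the IsInRole() principal are the parts that follow the slides.

```python
"""Issue-and-validate model of the AD FS token flow on the slides (added
example, not AD FS code). The HMAC signature stands in for the company's
private-key signature and the JSON body for the XrML/SAML token format;
claim transformation, issuer/audience/expiry checks and the IsInRole()
principal follow the slides."""
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for attributes the FS retrieves from AD via LDAP search.
DIRECTORY = {"jdoe": {"mail": "jdoe@contoso.example",
                      "memberOf": ["CN=Purchasing,OU=Groups,DC=contoso,DC=example"]}}

# Claim transformation: internal namespace (AD group DN) -> federation namespace
# agreed with the partner, so internal group names never leave the realm.
GROUP_TO_FEDERATION_ROLE = {"CN=Purchasing,OU=Groups,DC=contoso,DC=example": "purchaser"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class FederationService:
    """Issues security tokens and transforms claims (the FS role)."""

    def __init__(self, issuer: str, signing_key: bytes):
        self.issuer, self._key = issuer, signing_key  # key stands in for the private key

    def issue_token(self, username: str, audience: str, lifetime=300, now=None) -> str:
        attrs = DIRECTORY[username]  # LDAP search stand-in
        now = time.time() if now is None else now
        roles = sorted(GROUP_TO_FEDERATION_ROLE[g] for g in attrs["memberOf"]
                       if g in GROUP_TO_FEDERATION_ROLE)
        body = {"iss": self.issuer, "aud": audience, "sub": attrs["mail"],
                "exp": now + lifetime, "roles": roles}
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return _b64(payload) + "." + _b64(hmac.new(self._key, payload, hashlib.sha256).digest())

class Principal:
    """Authorization context built from validated claims."""

    def __init__(self, subject: str, roles):
        self.subject, self._roles = subject, frozenset(roles)

    def is_in_role(self, role: str) -> bool:  # the IsInRole() check on the slides
        return role in self._roles

class WebModule:
    """Validates a token and parses its claims (the managed web module role)."""

    def __init__(self, my_audience: str, trusted_issuers: dict):
        self.my_audience = my_audience
        self._trusted = trusted_issuers  # issuer -> verification key, distributed out of band

    def validate(self, token: str, now=None) -> Principal:
        now = time.time() if now is None else now
        try:
            payload_b64, sig_b64 = token.split(".")
            payload, signature = _unb64(payload_b64), _unb64(sig_b64)
            body = json.loads(payload)
        except ValueError as exc:  # bad part count, bad base64 or bad JSON
            raise PermissionError("malformed token") from exc
        key = self._trusted.get(body.get("iss"))
        if key is None:  # only tokens from a federated partner are accepted
            raise PermissionError("untrusted issuer")
        if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), signature):
            raise PermissionError("bad signature")
        if body.get("aud") != self.my_audience:  # a token issued for another partner is not ours
            raise PermissionError("token not issued for this relying party")
        if body.get("exp", 0) <= now:
            raise PermissionError("token expired")
        return Principal(body["sub"], body.get("roles", []))

def outcome(module: WebModule, token: str, now: float) -> str:
    """'ok' or the reason the module rejected the token."""
    try:
        module.validate(token, now=now)
        return "ok"
    except PermissionError as exc:
        return str(exc)

def demo(now: float = 1000.0) -> dict:
    """The happy path plus the rejection cases a relying party must handle."""
    key = b"constructed-demo-key"
    fs = FederationService("urn:federation:contoso", key)
    rp = WebModule("urn:supplier-b:portal", {"urn:federation:contoso": key})
    token = fs.issue_token("jdoe", "urn:supplier-b:portal", now=now)
    principal = rp.validate(token, now=now + 60)
    payload_b64, sig_b64 = token.split(".")
    tampered = payload_b64 + "." + ("A" if sig_b64[0] != "A" else "B") + sig_b64[1:]
    rogue = FederationService("urn:federation:rogue", b"some-other-key")
    return {"subject": principal.subject,
            "purchaser": principal.is_in_role("purchaser"),
            "admin": principal.is_in_role("admin"),
            "tampered": outcome(rp, tampered, now + 60),
            "wrong_audience": outcome(rp, fs.issue_token("jdoe", "urn:other", now=now), now + 60),
            "expired": outcome(rp, token, now + 600),
            "untrusted": outcome(rp, rogue.issue_token("jdoe", "urn:supplier-b:portal", now=now), now + 60)}
```

Running demo() shows the four rejections a relying party has to get right: a modified signature, a token issued for a different partner (the audience check is what stops a token for Supplier A being replayed at Supplier B), an expired token, and a token from an issuer the trust policy does not list. Each rejection reason is worth logging with the issuer and audience values, since a run of "untrusted issuer" or "bad signature" results at a web front end is the kind of signal the SSO agent is best placed to surface.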
Active Directory Roles
• On Windows Server 2008, Active Directory-related roles have been separated into distinct functions:
  • Active Directory Domain Services (AD DS)
  • Active Directory Certificate Services (AD CS)
  • Active Directory Federation Services (AD FS)
  • Active Directory Lightweight Directory Services (AD LDS)
  • Active Directory Rights Management Services (AD RMS)
Active Directory Federation Services
Active Directory Federation Services (AD FS) is a Windows Server® 2008 role that lets you build identity solutions that are:
• secure
• highly flexible
• multi-platform
• for both Windows and non-Windows environments
• across the Internet.
Identity management beyond the organization's boundaries
• An identity and access management solution
• Lets Web browser-based clients identify themselves transparently, “just once”, to one or more protected applications reachable from the Internet
• Across completely different and independent networks.
Secondary credentials???
• AD FS makes them unnecessary because it:
  • Lets you establish trust relationships
  • Projects digital identity and access rights to trusted partners.
  • In a federated environment each organization keeps control of its own set of identities,
  • Allows a secure exchange of identities from external organizations
  • Eases administration
  • Improves the user experience.
What's new in Windows Server 2008
New functionality that does not exist in Windows Server 2003 R2 and that eases administration and extends the support available for a set of key applications:
• Improved installation: AD FS is included in Windows Server 2008 as a server role
• AD FS integrates more tightly with Microsoft Office SharePoint® Server 2007 and with Active Directory Rights

• With ADFS, each company manages its own identities. But within a federated environment, each company can accept and provide permissions and/or access to identities from within another company. It all comes down to trust. The ability to trust accounts from one company without requiring a local account on your servers. This trust is called federated identity management and is the core behind ADFS. The biggest concern, logically, is security. All communication from one
• An easier installation as a server role with all the necessary services being automatically installed with the role itself (such as ASP.Net and IIS)
• Tighter integration with Active Directory RMS (Rights Management Services)
• ADFS works with MOSS (Microsoft Office SharePoint Server) 2007 with an easy-to-configure single-sign-on configuration for both intranet and extranet/Internet sites
ADFS configuration is not so simple
Explaining ADFS is easy, but the design and configuration of ADFS is a tad bit more complicated than I've made it sound so far. The design reading alone can take forever because you need to determine what you are truly looking to accomplish, and there are several methods to reach those goals. For example, do you want a Web single sign-on implementation, a federated Web single sign-on implementation, or a federated Web single sign-on

• Furthermore, you can deploy federation servers in multiple organizations to facilitate business-to-business (B2B) transactions between trusted partner organizations. Federated B2B partnerships identify business partners as one of the following types of organization:
  • Resource organization: Organizations that own and manage resources that are accessible from the Internet can deploy AD FS federation servers and AD FS-enabled Web servers that manage access
• AD FS role services
  • The AD FS server role includes federation services, proxy services, and Web agent services that you configure to enable Web SSO, federate Web-based resources, customize the access experience, and manage how existing users are authorized to access applications.
  • Depending on your organization's requirements, you can deploy servers running any one of the following AD FS
Installing the AD FS role
• After you finish installing the operating system, a list of initial configuration tasks appears. To install AD FS, in the list of tasks, click Add roles, and then click Active Directory Federation Services.
• Managing the AD FS role
  • You can manage server roles with Microsoft Management Console (MMC) snap-ins. After you install AD FS, you can use the Active Directory Federation Services snap-in to manage both the Federation Service and Federation Service Proxy role services. To open this snap-in, click Start, click Administrative Tools, and then click Active Directory Federation Services.
• Who will be interested in this feature?
  • AD FS is designed to be deployed in medium to large organizations that have the following:
    • At least one directory service: either Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) (formerly known as Active Directory Application Mode (ADAM))
Are there any special considerations?
If you have an existing AD FS infrastructure, there are some special considerations to be aware of before you begin upgrading federation servers, federation server proxies, and AD FS-enabled Web servers running Windows Server 2003 R2 to Windows Server 2008. These considerations apply only when you have AD FS servers that have been manually configured to use unique service accounts.
• AD FS uses the Network Service account
What new functionality does this feature provide?
For Windows Server 2008, AD FS includes new functionality that was not available in Windows Server 2003 R2. This new functionality is designed to ease administrative overhead and to further extend support for key applications:
• Improved installation—AD FS is included in Windows Server 2008 as a server role, and there are new server validation checks in the installation wizard.
Improved installation
• AD FS in Windows Server 2008 brings several improvements to the installation experience. To install AD FS in Windows Server 2003 R2, you had to use Add or Remove Programs to find and install the AD FS component. However, in Windows Server 2008, you can install AD FS as a server role using Server Manager.
• You can use improved AD FS configuration wizard pages to perform server validation checks before you
Improved application support
AD FS in Windows Server 2008 includes enhancements that increase its ability to integrate with other applications, such as Office SharePoint Server 2007 and AD RMS.
Integration with Office SharePoint Server 2007
Office SharePoint Server 2007 takes full advantage of the SSO capabilities that are integrated into this version of AD FS. AD FS in Windows Server 2008 includes functionality to support Office SharePoint Server 2007 membership and role providers. This means that you can effectively configure Office SharePoint Server 2007 as a claims-aware application in AD FS, and you can administer any Office SharePoint Server 2007 sites using
Integration with AD RMS
• AD RMS and AD FS have been integrated in such a way that organizations can take advantage of existing federated trust relationships to collaborate with external partners and share rights-protected content. For example, an organization that has deployed AD RMS can set up federation with an external organization by using AD FS. The organization can then use this relationship to share rights-protected content across the two organizations without requiring a
Better administrative experience when establishing federated trusts
• In both Windows Server 2003 R2 and Windows Server 2008, AD FS administrators can create a federated trust between two organizations using either a process of importing and exporting policy files or a manual process that involves the mutual exchange of partner values, such as Uniform Resource Indicators (URIs), claim types, claim mappings, display names, and so on. The manual process requires the administrator who receives this data to type all the
• http://technet.microsoft.com/en-us/library/cc772313(WS.10).aspx
What settings have been added or changed?
You configure Windows NT token-based Web Agent settings with the IIS Manager snap-in. To support the new functionality that is provided with Internet Information Services (IIS) 7.0, Windows Server 2008 AD FS includes user interface (UI) updates for the AD FS Web Agent role service. The following table lists the different locations in IIS Manager for IIS 6.0 or IIS 7.0 for each of the AD FS Web Agent property pages, depending on the version of IIS that is used.
AD FS Deployment Guide
• http://technet.microsoft.com/en-us/library/cc771833(WS.10).aspx
AD FS Design Guide
• http://technet.microsoft.com/en-us/library/cc755132(WS.10).aspx
• http://www.google.com.ec/imgres?imgurl=http://blog.fpweb.net/wp-content/uploads/2009/02/federated-14.gif&imgrefurl=http://blog.fpweb.net/federated-identity-and-microsoft-adfs-illustrated/&usg=__mHc8qi8qn9Tx7JY3HS5BUhpBQTw=&h=250&w=400&sz=11&hl=es&start=15&um=1&itbs=1&tbnid=zbd94rEJw2rDNM:&tbnh=78&tbnw=124&prev=/images%3Fq%3DActive%2BDirectory%2BFederation%2BServices%26um%3D1%26hl%3Des

Ad fs

  • 1. Integration of DirectoriesIntegration of Directories and Federationand Federation Javier VasquezJavier Vasquez Senior Technology SpecialistSenior Technology Specialist Federal Platforms TeamFederal Platforms Team MicrosoftMicrosoft
  • 2. Where it all beganWhere it all began  Infrastructure DirectoriesInfrastructure Directories  StreetTalkStreetTalk  NDSNDS  ADAD  Application Specific DirectoriesApplication Specific Directories  X.500X.500  LDAPLDAP  AD/AMAD/AM  Good for EnterprisesGood for Enterprises  Hard to FederateHard to Federate
  • 3. Windows IdMWindows IdM Active Directory – Foundation for Identity ManagementActive Directory – Foundation for Identity Management Central Repository for:Central Repository for: • User Accounts & AttributesUser Accounts & Attributes • System Accounts & AttributesSystem Accounts & Attributes • Organizational & Security GroupsOrganizational & Security Groups • Application & Service LocationsApplication & Service Locations • Management PolicyManagement Policy • Security PolicySecurity Policy • Digital CertificatesDigital Certificates • Network Access PermissionsNetwork Access Permissions • Printer LocationsPrinter Locations • File Shares LocationsFile Shares Locations …… Integrated SecurityIntegrated Security • Kerberos v5Kerberos v5 • Mac OS Kerberos PAMMac OS Kerberos PAM • x.509 Certificates (PKI)x.509 Certificates (PKI) • Security DomainSecurity Domain Directory Access ProtocolsDirectory Access Protocols • LDAP v3 – Standards-based accessLDAP v3 – Standards-based access • ADSI – Simple COM-based InterfaceADSI – Simple COM-based Interface • DSML – XML InterfaceDSML – XML Interface ActiveActive DirectoryDirectory http://www.microsoft.com/business/security/access/whpaper.mspxhttp://www.microsoft.com/business/security/access/whpaper.mspx
  • 4. Reduced Enterprise Sign-onReduced Enterprise Sign-on Extending Windows SSOExtending Windows SSO ActiveActive DirectoryDirectory Logon to ADLogon to AD Services for UNIXServices for UNIX  NIS Server for ADNIS Server for AD  NIS-AD directory syncNIS-AD directory sync  Password synchronizationPassword synchronization  User name mappingUser name mapping UNIXUNIX Host Integration ServerHost Integration Server  Windows to RACF accountsWindows to RACF accounts  Windows to 0S/400 Security SystemWindows to 0S/400 Security System  Bi-Directional Password SynchronizationBi-Directional Password Synchronization 390/AS400390/AS400 KerberosKerberos ApplicationApplication KerberosKerberos  Native AuthN protocolNative AuthN protocol  MIT v5 CompliantMIT v5 Compliant  Carries group info in PACCarries group info in PAC  Windows PAC is openWindows PAC is open  SCO, Vintella, Java SSO throughSCO, Vintella, Java SSO through WindowsWindows
  • 5. Reduced Enterprise IdMReduced Enterprise IdM LDAP Authentication & Directory IntegrationLDAP Authentication & Directory Integration Account DirectoryAccount Directory LDAPLDAP SQLSQL EnterpriseEnterprise AppApp Integrate LDAP with ADIntegrate LDAP with AD  LDAP v3 compliantLDAP v3 compliant  Single AD and LDAP user accountSingle AD and LDAP user account  AD/AM for personalization dataAD/AM for personalization data Microsoft Identity IntegrationMicrosoft Identity Integration ServerServer  Directory synchronizationDirectory synchronization  LDAP (eg SunONE & others)LDAP (eg SunONE & others)  Relational databasesRelational databases  DSMLDSML  Application specificApplication specific  Account ProvisioningAccount Provisioning  Automate account creationAutomate account creation  Automate account de-provisioningAutomate account de-provisioning  Password Management (MIIS 2003)Password Management (MIIS 2003)  Self-service password resetSelf-service password reset  Certificate ManagementCertificate Management ExchangeExchange Web ServiceWeb Service File ShareFile Share ApplicationApplicationApplicationApplication ActiveActive DirectoryDirectory MIIS 2003MIIS 2003
  • 6. Extending Active DirectoryExtending Active Directory  Newer conceptsNewer concepts  ADAMADAM  DSML gatewayDSML gateway  Distributed IdMDistributed IdM Web ServicesWeb Services
  • 7. ADAM - Integrating extended LDAP appADAM - Integrating extended LDAP app with ADwith AD  Store app data without extending infra DS schemaStore app data without extending infra DS schema  App data keyed off identifier from infra directoryApp data keyed off identifier from infra directory  Maintain central user repository!Maintain central user repository! ADAMADAM Infrastructure Active DirectoryInfrastructure Active Directory WebWeb appapp Store/Store/ retrieveretrieve datadata ClientClient ServerServer Data specificData specific to portal appto portal app Data sharedData shared by all appsby all apps User (right)User (right) and “shadow” (left)and “shadow” (left)
  • 8. Extending InfrastructureExtending Infrastructure AD with DSMLAD with DSML This is the URL to which we will post Transport could be SOAP HTTP DS Access
  • 9. Distributed IdM technologiesDistributed IdM technologies  How do we distribute IdM services?How do we distribute IdM services?  ADFS and AZ-ManagerADFS and AZ-Manager
  • 10. Security in a Web Services WorldSecurity in a Web Services World –– IBM/MSFT White PaperIBM/MSFT White Paper WS-SecurityWS-Security SpecificationSpecification – Ratified– Ratified April 2004April 2004 SecuritySecuritySecuritySecurity PrivacyPrivacyPrivacyPrivacyTrustTrustTrustTrustPolicyPolicyPolicyPolicy AuthorizationAuthorizationAuthorizationAuthorizationFederationFederationFederationFederationSecureConversationSecureConversationSecureConversationSecureConversation SOAP FoundationSOAP FoundationSOAP FoundationSOAP Foundation TodayToday Web Services ApplicationsWeb Services ApplicationsWeb Services ApplicationsWeb Services Applications Web Services SecurityWeb Services Security WS-Security and Liberty AllianceWS-Security and Liberty Alliance Rich Application stack vs.Rich Application stack vs. IdM stackIdM stack ID-WSF Web Services FrameworkID-WSF Web Services Framework ID-FF – Identity Federation FrameworkID-FF – Identity Federation Framework ID-FFID-FFID-FFID-FF ID-WSFID-WSFID-WSFID-WSF
  • 11. The Vision and Future of SSOThe Vision and Future of SSO B2B Federated Single Sign-onB2B Federated Single Sign-on ExchangeExchange Web ServiceWeb Service CollaborationCollaboration IntranetIntranet ApplicationsApplications ActiveActive DirectoryDirectory Security TokenSecurity Token (eg Kerberos Ticket)(eg Kerberos Ticket) Security TokenSecurity Token User Account/CredentialsUser Account/Credentials WS SecurityWS Security ApplicationApplication WS SecurityWS Security ApplicationApplication Requires XRMLRequires XRML Requires SAMLRequires SAML 1.1. ADFS Creates XRML tokenADFS Creates XRML token 2.2. Signs it with company’s private keySigns it with company’s private key 3.3. Sends it back to the userSends it back to the user 4.4. Access Supplier with the tokenAccess Supplier with the token 1.1. ADFS Creates SAML tokenADFS Creates SAML token 2.2. Signs it with company’s private keySigns it with company’s private key 3.3. Sends the token back to the userSends the token back to the user 4.4. Accesses Supplier B using the tokenAccesses Supplier B using the token Supplier ASupplier A Supplier BSupplier B ADFSADFS
  • 12. ADFS Logon ServerADFS Logon Server SOAP rich client proxy for browsersSOAP rich client proxy for browsers Web ServiceWeb Service ActiveActive DirectoryDirectory ADFSADFS Web-basedWeb-based Logon ServerLogon Server Web Front EndWeb Front End Security TokenSecurity Token Security MessageSecurity Message  User authenticates to Logon server (forms based)User authenticates to Logon server (forms based)  ADFS validates credentials with Active DirectoryADFS validates credentials with Active Directory  ADFS creates the requested security tokenADFS creates the requested security token  Logon server returns token to clientLogon server returns token to client  Client forwards token to web front endClient forwards token to web front end  Front end sends WS-Security msg with token to webFront end sends WS-Security msg with token to web serviceservice
  • 13. Active Directory FederationActive Directory Federation Service ArchitectureService Architecture Federation Service (FS)Federation Service (FS)  Issues security tokens for usersIssues security tokens for users  Manages policy between federatedManages policy between federated security realmssecurity realms Logon Service (LS)Logon Service (LS)  Provides UI to authenticate usersProvides UI to authenticate users  Proxies WS-*/SOAP protocols forProxies WS-*/SOAP protocols for passive (dumb) clientspassive (dumb) clients Web Server SSO AgentWeb Server SSO Agent  Enforces user authenticationEnforces user authentication  Creates user authorization contextCreates user authorization context Note:Note:  SSO Agent, LS & FS require IISv6-W2K03SSO Agent, LS & FS require IISv6-W2K03  LS and FS can be co-locatedLS and FS can be co-located  Supports W2K or W2K03 forestsSupports W2K or W2K03 forests HTTPSHTTPS SOAPSOAP LDAPLDAP
  • 14. Windows 2003 AzManWindows 2003 AzMan Roles based access control (RBAC)Roles based access control (RBAC) Authorization APIAuthorization API IIS6 URLIIS6 URL AuthorizationAuthorization Policy DefinitionsPolicy Definitions • Global app groupsGlobal app groups • ApplicationsApplications •RolesRoles •TasksTasks •OperationsOperations •Role assignmentsRole assignments •ScopesScopes •App groupsApp groups •BizRulesBizRules Business ProcessBusiness Process ApplicationsApplications (E-Commerce,(E-Commerce, LOB Applications,…)LOB Applications,…) AuthorizationAuthorization AdministrationAdministration ManagerManager Common Management UICommon Management UI Active DirectoryActive Directory or XML (Files, SQL)or XML (Files, SQL) PolicyPolicy StoreStore PolicyPolicy StoreStore • Role definitionsRole definitions • Role assignmentRole assignment Authorization APIAuthorization API .NET Framework.NET Framework
  • 15. DiscussionDiscussion  Where do I extend and where do I Federate?Where do I extend and where do I Federate?  Today Integrate; Tomorrow Integrate and/or FederateToday Integrate; Tomorrow Integrate and/or Federate ExtendExtend
  • 16. © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
  • 17. Active Directory FederationActive Directory Federation Service ArchitectureService Architecture Federation Service (FS)Federation Service (FS)  Issues security tokens for usersIssues security tokens for users  Manages policy between federatedManages policy between federated security realmssecurity realms Logon Service (LS)Logon Service (LS)  Provides UI to authenticate usersProvides UI to authenticate users  Proxies WS-*/SOAP protocols forProxies WS-*/SOAP protocols for passive (dumb) clientspassive (dumb) clients Web Server SSO AgentWeb Server SSO Agent  Enforces user authenticationEnforces user authentication  Creates user authorization contextCreates user authorization context Note:Note:  SSO Agent, LS & FS require IISv6-W2K03SSO Agent, LS & FS require IISv6-W2K03  LS and FS can be co-locatedLS and FS can be co-located  Supports W2K or W2K03 forestsSupports W2K or W2K03 forests HTTPSHTTPS SOAPSOAP LDAPLDAP
  • 18. Federation ServiceFederation Service ASP.NET-hosted service running on IISv6 - W2K03 ServerASP.NET-hosted service running on IISv6 - W2K03 Server  User authenticationUser authentication  Validates ID/Password via LDAP Bind for Forms-based LogonValidates ID/Password via LDAP Bind for Forms-based Logon  Security token generationSecurity token generation  Retrieves user attributes for claim generation from AD (or ADAM) via LDAP searchRetrieves user attributes for claim generation from AD (or ADAM) via LDAP search  Transforms claims (if required) between internal & federation namespacesTransforms claims (if required) between internal & federation namespaces  Builds security token & Returns to LS via WS-* SOAP messagesBuilds security token & Returns to LS via WS-* SOAP messages  Builds “User SSO” cookie contents for LSBuilds “User SSO” cookie contents for LS  Policy managementPolicy management  Establishes authority to issue security tokens by PKI-based key distributionEstablishes authority to issue security tokens by PKI-based key distribution  Defines supported token/claim typesDefines supported token/claim types  Manages trust and defines shared namespace for Federated security realmsManages trust and defines shared namespace for Federated security realms
  • 19. Logon ServiceLogon Service ASP.NET-hosted service running on IISv6 - W2K03 SeverASP.NET-hosted service running on IISv6 - W2K03 Sever  User authenticationUser authentication  Provides UI for Home Realm Discovery & Forms-based LogonProvides UI for Home Realm Discovery & Forms-based Logon  Authenticates users for Windows integrated authNAuthenticates users for Windows integrated authN (SSL, Kerberos, NTLM)(SSL, Kerberos, NTLM)  Writes “User SSO” cookie to Browser (similar to Kerberos TGT)Writes “User SSO” cookie to Browser (similar to Kerberos TGT)  Security token generationSecurity token generation  Requests security token from FS via WS-* SOAP messagesRequests security token from FS via WS-* SOAP messages  Returns token to web server via “POST redirect” through BrowserReturns token to web server via “POST redirect” through Browser
  • 20. Web Server SSO Agent
    ISAPI extension for IISv6 (need functional equivalent for Unix/Linux)
    - User authentication: intercepts URL GET requests and redirects unauthenticated clients to the LS; writes “Web Server SSO” cookie to the browser (like a Kerberos service ticket)
    Windows Service
    - User authorization: creates NT token for impersonation (AD users only)
    Managed Web Module (need functional equivalent for Unix/Linux)
    - Security token processing: validates the user’s security token and parses the claims in the token
    - User authorization: populates the ASP.NET IPrincipal context from claims to support IsInRole(); provides raw claims to the application
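The token path that slides 18 to 20 describe, modelled end to end as an added Python example that is not part of the original deck: the Federation Service turns LDAP attributes into federation-namespace claims and signs a token, and the Web Agent verifies issuer, signature, audience and validity window before populating an IPrincipal-style object for IsInRole(). The group-to-claim mapping, realm URIs and the HMAC shared key standing in for the PKI-based token signature are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed outgoing group claim mapping: internal AD group DN -> claim name in the
# federation namespace (slide 18: claims are transformed between the two namespaces).
GROUP_CLAIM_MAP = {
    "CN=Purchasing Staff,OU=Groups,DC=corp,DC=example": "Purchaser",
    "CN=Finance Admins,OU=Groups,DC=corp,DC=example": "FinanceAdmin",
}


class TokenError(Exception):
    """Raised by the Web Agent when a token must not be trusted."""


def transform_claims(ad_attributes, claim_map=GROUP_CLAIM_MAP):
    """Federation Service step: attributes read via LDAP search become federation claims.
    Groups with no mapping are dropped, so internal group names never reach the partner."""
    groups = [claim_map[dn] for dn in ad_attributes.get("memberOf", []) if dn in claim_map]
    return {"upn": ad_attributes["userPrincipalName"], "groups": groups}


def issue_token(claims, issuer, audience, key, lifetime=600, now=None):
    """Federation Service step: wrap claims with issuer, audience and validity window, then sign.
    HMAC-SHA256 over a shared key stands in for the X.509 signature AD FS uses (assumption)."""
    now = int(time.time()) if now is None else now
    body = {"iss": issuer, "aud": audience, "nbf": now, "exp": now + lifetime, "claims": claims}
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def validate_token(token, trusted_issuers, expected_audience, now=None):
    """Web Agent step (slide 20): verify the signature with the trusted issuer's key, then
    audience and validity window, before any claim is handed to the application."""
    now = int(time.time()) if now is None else now
    payload, _, sig = token.rpartition(".")
    body = json.loads(base64.urlsafe_b64decode(payload))
    key = trusted_issuers.get(body.get("iss"))
    if key is None:
        raise TokenError("issuer is not a trusted account partner")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("signature does not verify")
    if body.get("aud") != expected_audience:
        raise TokenError("token was issued for a different resource")
    if not body["nbf"] <= now < body["exp"]:
        raise TokenError("token is outside its validity window")
    return body["claims"]


class ClaimsPrincipal:
    """Stand-in for the ASP.NET IPrincipal that the managed module populates from claims."""

    def __init__(self, claims):
        self.identity_name = claims["upn"]
        self._roles = frozenset(claims["groups"])

    def is_in_role(self, role):
        return role in self._roles
```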
  • 21. Active Directory Roles
    On Windows Server 2008, Active Directory-related roles have been separated into distinct functions:
    - Active Directory Domain Services (AD DS)
    - Active Directory Certificate Services (AD CS)
    - Active Directory Federation Services (AD FS)
    - Active Directory Lightweight Directory Services (AD LDS)
    - Active Directory Rights Management Services (AD RMS)
  • 22. Active Directory Federation Services
  • 23. Active Directory Federation Services (AD FS)
    A Windows Server® 2008 role for building identity solutions that are:
    - secure
    - highly flexible
    - multi-platform
    - usable in both Windows and non-Windows environments
    - accessible across the Internet
  • 24. Identity management beyond the organization's boundaries
    - An identity and access management solution
    - Lets web-browser-based clients sign on transparently, "just once", to one or more protected applications reachable from the Internet
    - Works across completely different and independent networks
  • 25. Secondary credentials???
    AD FS makes them unnecessary because it:
    - Makes it possible to establish trust relationships
    - Projects digital identity and access rights to trusted partners
    In a federated environment each organization keeps control of its own set of identities, which:
    - Allows a secure exchange of identities from external organizations
    - Eases administration
    - Improves the user experience
  • 26. What's new in Windows Server 2008
    New functionality that did not exist in Windows Server 2003 R2, which eases administration and extends the support available to a set of key applications:
    - Improved installation: AD FS is included in Windows Server 2008 as a server role
    - AD FS integrates more tightly with Microsoft Office SharePoint® Server 2007 and with Active Directory Rights
  • 27. With ADFS, each company manages its own identities. But within a federated environment, each company can accept and provide permissions and/or access to identities from within another company. It all comes down to trust: the ability to trust accounts from one company without requiring a local account on your servers. This trust is called federated identity management and is the core behind ADFS. The biggest concern, logically, is security. All communication from one
  • 28.
    - An easier installation as a server role, with all the necessary services (such as ASP.NET and IIS) being automatically installed with the role itself
    - Tighter integration with Active Directory RMS (Rights Management Services)
    - ADFS works with MOSS (Microsoft Office SharePoint Server) 2007 with an easy-to-configure single-sign-on configuration for both intranet and extranet/Internet sites
  • 29. ADFS configuration is not so simple
    Explaining ADFS is easy, but the design and configuration of ADFS is a tad bit more complicated than I've made it sound so far. The design reading alone can take forever because you need to determine what you are truly looking to accomplish, and there are several methods to reach those goals. For example, do you want a Web single sign-on implementation, a federated Web single sign-on implementation, or a federated Web single sign-on
  • 30. Furthermore, you can deploy federation servers in multiple organizations to facilitate business-to-business (B2B) transactions between trusted partner organizations. Federated B2B partnerships identify business partners as one of the following types of organization:
    - Resource organization: Organizations that own and manage resources that are accessible from the Internet can deploy AD FS federation servers and AD FS-enabled Web servers that manage access
  • 31. AD FS role services
    The AD FS server role includes federation services, proxy services, and Web agent services that you configure to enable Web SSO, federate Web-based resources, customize the access experience, and manage how existing users are authorized to access applications.
    Depending on your organization's requirements, you can deploy servers running any one of the following AD FS
  • 32. Installing the AD FS role
    After you finish installing the operating system, a list of initial configuration tasks appears. To install AD FS, in the list of tasks, click Add roles, and then click Active Directory Federation Services.
  • 33. Managing the AD FS role
    You can manage server roles with Microsoft Management Console (MMC) snap-ins. After you install AD FS, you can use the Active Directory Federation Services snap-in to manage both the Federation Service and Federation Service Proxy role services. To open this snap-in, click Start, click Administrative Tools, and then click Active Directory Federation Services.
  • 34. Who will be interested in this feature?
    AD FS is designed to be deployed in medium to large organizations that have the following:
    - At least one directory service: either Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) (formerly known as Active Directory Application Mode (ADAM))
  • 35. Are there any special considerations?
    If you have an existing AD FS infrastructure, there are some special considerations to be aware of before you begin upgrading federation servers, federation server proxies, and AD FS-enabled Web servers running Windows Server 2003 R2 to Windows Server 2008. These considerations apply only when you have AD FS servers that have been manually configured to use unique service accounts.
    - AD FS uses the Network Service account
  • 36. What new functionality does this feature provide?
    For Windows Server 2008, AD FS includes new functionality that was not available in Windows Server 2003 R2. This new functionality is designed to ease administrative overhead and to further extend support for key applications:
    - Improved installation—AD FS is included in Windows Server 2008 as a server role, and there are new server validation checks in the installation wizard.
  • 37. Improved installation
    AD FS in Windows Server 2008 brings several improvements to the installation experience. To install AD FS in Windows Server 2003 R2, you had to use Add or Remove Programs to find and install the AD FS component. However, in Windows Server 2008, you can install AD FS as a server role using Server Manager.
    You can use improved AD FS configuration wizard pages to perform server validation checks before you
  • 38. Improved application support
    AD FS in Windows Server 2008 includes enhancements that increase its ability to integrate with other applications, such as Office SharePoint Server 2007 and AD RMS.
  • 39. Integration with Office SharePoint Server 2007
    Office SharePoint Server 2007 takes full advantage of the SSO capabilities that are integrated into this version of AD FS. AD FS in Windows Server 2008 includes functionality to support Office SharePoint Server 2007 membership and role providers. This means that you can effectively configure Office SharePoint Server 2007 as a claims-aware application in AD FS, and you can administer any Office SharePoint Server 2007 sites using
  • 40. Integration with AD RMS
    AD RMS and AD FS have been integrated in such a way that organizations can take advantage of existing federated trust relationships to collaborate with external partners and share rights-protected content. For example, an organization that has deployed AD RMS can set up federation with an external organization by using AD FS. The organization can then use this relationship to share rights-protected content across the two organizations without requiring a
  • 41. Better administrative experience when establishing federated trusts
    In both Windows Server 2003 R2 and Windows Server 2008, AD FS administrators can create a federated trust between two organizations using either a process of importing and exporting policy files or a manual process that involves the mutual exchange of partner values, such as Uniform Resource Identifiers (URIs), claim types, claim mappings, display names, and so on. The manual process requires the administrator who receives this data to type all the
  • 43. What settings have been added or changed?
    You configure Windows NT token-based Web Agent settings with the IIS Manager snap-in. To support the new functionality that is provided with Internet Information Services (IIS) 7.0, Windows Server 2008 AD FS includes user interface (UI) updates for the AD FS Web Agent role service. The following table lists the different locations in IIS Manager for IIS 6.0 or IIS 7.0 for each of the AD FS Web Agent property pages, depending on the version of IIS that is used.
  • 45. AD FS Deployment Guide
    http://technet.microsoft.com/en-us/library/cc771833(WS.10).aspx
  • 46. AD FS Design Guide
    http://technet.microsoft.com/en-us/library/cc755132(WS.10).aspx