Networks ∙ Services ∙ People, www.geant.org. GÉANT AuthN / AuthZ, a case study. Jean Marie THIA, Solutions Architect. GN4-1 Symposium, Vienna, 9 March 2016.
Presentation transcript:

Slide 1: GÉANT AuthN / AuthZ, a case study. Jean Marie THIA, Solutions Architect, CNRS. GN4-1 Symposium, Vienna, 9 March 2016.

Slide 2: SharePoint authN & authZ principle (diagram: SharePoint item, STS, People Picker, custom claim provider ti*). Bob needs access to a SharePoint item. Alice gives Bob access with a claim: she sets the authorizations with the People Picker, and a custom claim provider makes the picker behave the way we want. The Security Token Service handles authentication, claims definition and provider declaration.

Slide 3: The puzzle (diagram: IdP, directory and roles repositories on one side; SAML attributes into ADFS; "My Claims" into the SharePoint STS; item, People Picker and custom claim provider ti* on the SharePoint side). At ADFS: 1. OIDs are transformed to claim types. 2. Claims augmentation with attribute stores. When Alice picks a claim, SharePoint asks the custom claim provider "Does that claim value exist for this claim type?"; the provider asks the roles repositories "Give me all the roles for this identity" and then authorises access to the selected claim type and value. Claim values are only checked when using a custom claim provider. (* ti = Trusted Identity Token Issuer)

Slide 4: A view of GÉANT intranet (diagram: IdP, LDAP, Grouper, CoManage and Sympa; SAML attributes flow to ADFS, which issues "My Claims" to SharePoint and its custom claim provider ti*). The user is enrolled prior to access.

Slide 5: Security Token Service (STS). Handles authentication. Talks SAML 1.1 (WS-Federation) only. Needs a Trusted Identity Token Issuer. Needs a gateway to SAML 2 (ADFS). Lives inside SharePoint.

Slide 6: Active Directory Federation Service (ADFS). Gateway for SAML 2 -> SAML 1.1. Attribute ID to claim type mapping. Realm Home Discovery (WAYF). Claims augmentation. SILA script (Sila.codeplex.com, new branch for ADFS 3) to automate federation metadata loading (IdP), the RHD page refresh and claim type mapping. CNRSrhd.codeplex.com for the ADFS 3 UI.

Slide 7: ADFS, attribute store. Claims augmentation with attribute stores: LDAP, Grouper, CoManage, SQL, …

Slide 8: ADFS, claims rule language (diagram: claim pipeline and claim engine; "Retrieve AD group" sample).
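As an added example (not from the slides or the CNRS projects), these ADFS claim rules show the two pipeline steps the slides name: an incoming SAML attribute OID transformed to a claim type, and claims augmentation from an attribute store (the "retrieve AD group" pattern). The relying party trust name "SharePoint" is an assumed placeholder; the claim type URIs and the eduPersonPrincipalName OID are the standard ones.

```powershell
# Added example: ADFS claim rule language for the two steps named on the slides.
# Assumed: a relying party trust named "SharePoint" already exists and the
# IdP's SAML attribute arrives through a claims provider trust as an urn:oid claim.
$rules = @'
@RuleName = "OID to claim type: eduPersonPrincipalName -> UPN"
c:[Type == "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType);

@RuleName = "Claims augmentation: retrieve AD groups for a Windows account"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/claims/Group"),
          query = ";tokenGroups;{0}", param = c.Value);
'@

# The first rule keeps Issuer/OriginalIssuer so SharePoint can see which IdP
# asserted the value. The second rule only fires for AD-authenticated users;
# for federated users the slides' LDAP/Grouper stores play the role of
# "Active Directory" under whatever store name is registered in ADFS.

# Replace the issuance transform rule set on the relying party trust.
Set-AdfsRelyingPartyTrust -TargetName "SharePoint" -IssuanceTransformRules $rules

# Read the rule set back to confirm what ADFS now holds.
(Get-AdfsRelyingPartyTrust -Name "SharePoint").IssuanceTransformRules
```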

Slide 9: Custom Claim Provider, CNRSccp (CNRSccp.codeplex.com). Open source project. In production. Still needs work. Lookup in LDAP, SQL, Grouper (VOOT). Must be configured in the token issuer.

Slide 10: Takeaway links. sila.codeplex.com: federation metadata loading in ADFS. CNRSrhd.codeplex.com: ADFS 3 UI tweak for an autocomplete IdP selector. CNRSccp.codeplex.com: custom claim provider. CNRSgaas.codeplex.com: Grouper attribute store for ADFS. CNRSlas.codeplex.com: LDAP attribute store for ADFS. jmITnotes.wordpress.com.

Slide 11: Thank you. This work is part of a project that has received funding from the European Union's Horizon 2020 research and innovation programme under Grant Agreement No (GN4-1).