Active Directory Federation Services 2.0 Overview
InCommon Service Provider Training
March 15, 2011
What is it?
- A SAML implementation (both IdP and SP) from Microsoft
- A WS-Fed implementation (Passive Requester)
- An AD-based single sign-on system
- A server role in Windows Server 2008
Some Terminology…
- Security token: the assertion from the IdP.
- Claim: a "claim" is just an attribute from the IdP's assertion.
- Claims Provider: the ADFS term for an IdP.
- Relying Party: the ADFS term for an SP (a consumer of claims).
- Claim Rules: instructions that tell ADFS how to deal with a "claim" (attribute). You can check attributes for compliance with certain policies (like scoped attributes) and you can transform attributes (from Shibboleth format to ADFS format, for example).
More:
What can it do?
- Act as an IdP (Claims Provider)
- Act as an SP (Relying Party)
- Seamlessly integrate with a growing list of apps:
  – SharePoint 2010: authentication-cheat-sheet-part-2.aspx
  – Microsoft Unified Access Gateway (proxy):
  – Citrix: /WI%20for%20ADFS%20FAQ.pdf
- Interoperate with other SAML 2.0 solutions (like Shibboleth)
What are the limitations?
- Metadata support
- Certificate support
- WAYF/DS support
- Forced Authentication support
- Other?
Resources
- ADFS Home:
- Using ADFS with Shibboleth and InCommon:
- More How-To Guides: http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(WS.10).aspx
- Claims Rule syntax:
- Shibboleth wiki on ADFS interop:
Adding Shibboleth Claims Providers
- ADFS can't deal with a federation metadata file
  – No support for
- This can be handled via script/app
  – Uses MS PowerShell to import into ADFS
  – Import one at a time
  – Must force only one encryption cert
  – No other entity can use the same encryption cert
- The Microsoft ADFS/InCommon doc has code for a Python script
- Dealing with multiple federations?
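The one-entity-at-a-time import and the encryption-certificate constraints on this slide, worked through as an added Python example. This is not the script from the Microsoft ADFS/InCommon document; the metadata aggregate, entity IDs and certificate strings below are constructed for illustration, and the import command in the comment assumes the ADFS 2.0 PowerShell snap-in (Add-ADFSClaimsProviderTrust with -MetadataFile) on the ADFS server.

```python
# Split a SAML metadata aggregate into per-entity files ADFS 2.0 can import
# one at a time, leaving each entity exactly one encryption certificate and
# skipping any entity whose encryption certificate another entity already uses.
import os
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed aggregate, not real federation metadata. Entity A has a key with
# no "use" (valid for signing and encryption) plus an explicit encryption key;
# entity B reuses A's encryption certificate; entity C is clean.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:example:constructed-federation">
  <md:EntityDescriptor entityID="https://idp.example-a.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT_A_ONE</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT_A_TWO</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example-b.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT_B_SIGN</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT_A_TWO</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example-c.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT_C</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _cert_text(key_descriptor):
    cert = key_descriptor.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return "".join(cert.text.split()) if cert is not None and cert.text else None


def force_single_encryption_cert(entity):
    """Leave one encryption-capable KeyDescriptor per role descriptor.

    A KeyDescriptor without "use" counts for both signing and encryption, so it
    is demoted to use="signing" when an explicit encryption key exists; surplus
    explicit encryption keys are dropped. Returns the certificates kept for encryption.
    """
    kept = []
    roles = entity.findall("md:IDPSSODescriptor", NS) + entity.findall("md:SPSSODescriptor", NS)
    for role in roles:
        capable = [kd for kd in role.findall("md:KeyDescriptor", NS)
                   if kd.get("use") in (None, "encryption")]
        if not capable:
            continue
        explicit = [kd for kd in capable if kd.get("use") == "encryption"]
        keep = explicit[0] if explicit else capable[0]
        for kd in capable:
            if kd is keep:
                continue
            if kd.get("use") is None:
                kd.set("use", "signing")   # keep it for signature checks only
            else:
                role.remove(kd)
        kept.append(_cert_text(keep))
    return kept


def split_aggregate(xml_text):
    """Return (entities, conflicts): entityID -> standalone EntityDescriptor XML,
    and (entityID, entityID already holding the same encryption cert) pairs,
    which are left out because ADFS rejects a shared encryption certificate."""
    root = ET.fromstring(xml_text)
    entities, conflicts, seen = {}, [], {}
    for ent in list(root.iter("{%s}EntityDescriptor" % MD)):
        eid = ent.get("entityID")
        certs = force_single_encryption_cert(ent)
        clash = [(eid, seen[c]) for c in certs if c in seen]
        if clash:
            conflicts.extend(clash)
            continue
        for c in certs:
            seen[c] = eid
        entities[eid] = ET.tostring(ent, encoding="unicode")
    return entities, conflicts


def write_per_entity(entities, out_dir):
    """Write one metadata file per entity and return the paths."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for eid, xml in entities.items():
        path = os.path.join(out_dir, re.sub(r"[^A-Za-z0-9]+", "_", eid).strip("_") + ".xml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(xml)
        paths.append(path)
    return paths


if __name__ == "__main__":
    ents, bad = split_aggregate(SAMPLE_AGGREGATE)
    for path in write_per_entity(ents, "adfs-cp-metadata"):
        # Then, per file, on the ADFS server (ADFS 2.0 PowerShell snap-in, assumed):
        #   Add-ADFSClaimsProviderTrust -Name "<display name>" -MetadataFile <path>
        print("ready to import:", path)
    for eid, other in bad:
        print("skipped %s: encryption cert already used by %s" % (eid, other))
```

Running it on the constructed aggregate writes files for entities A and C and reports B as skipped; for a real aggregate the conflicts list is the one to review before importing, since the first entity seen with a given certificate wins.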
How to Integrate SharePoint
- Install ADFS according to documentation
- Create a new Relying Party on the ADFS server
  – Configure the RP manually
  – SP-to-ADFS uses the WS-Fed Passive protocol (ADFS to Shibboleth uses SAML 2)
  – The identifier/entityID is /_trust/
  – For claims rules, you can just use "Pass-Through" rules (since Shibboleth-sourced claims will be transformed on the Claims Provider configuration and AD-based logins don't need to be transformed)
- On the SharePoint server, use PowerShell to add a new Security Token Service (STS):
  – Use the New-SPTrustedIdentityTokenIssuer cmdlet (see link below)
- Consider adding some custom code to sync SP profiles
  – Hook the "OnSignedIn" event of the "federatedAuthentication" module
  – Use SP's UserProfileManager class
- authentication-made-simple/
How to Integrate Your Own App
- Developer's machine:
  – Install WIF runtime (KB974405)
  – Install WIF SDK ( c &displaylang=en )
- Web server:
  – Install WIF runtime (KB974405)
  – Set your app's App Pool property "loadUserProfile" to 'true'
How to Integrate Your Own App (cont)
- For the app itself (assuming VS2008):
  – Ensure that the build target is .NET 3.5 (or greater)
  – Check out (from source control) the app's web.config file (the next step needs to write to it)
  – Right-click the web site/project in Solution Explorer and choose 'Add STS Reference'
    – Choose your app's web.config file
    – Use your app's URL as the application URI, making sure to include the trailing slash (Ex.
    – Choose "Use an Existing STS" and point to your ADFS server's metadata: /FederationMetadata/ /FederationMetadata.xml
    – Accept other defaults
How to Integrate Your Own App (cont)
- Edit the attributes/claims that your app requests
  – Web site: edit the section of web.config, uncomment needed attributes, then choose 'Update Federation Metadata' from the project's right-click menu in Solution Explorer
  – Web project: you'll need to first edit your app's web.config as described above, then either manually edit your app's metadata file, located at /FederationMetadata/ /FederationMetadata.xml, or use the VS2008 FedUtil (Tools -> Run Federation Utility tool)
- If you choose the first option:
  – Look for the section
  – Add new elements as needed
  – Name and Role are enabled by default; consider adding these:
How to Integrate Your Own App (cont)
- On the ADFS server:
  – Add a new Relying Party
    – Auto-configure from metadata: /app/FederationMetadata/ /FederationMetadata.xml
  – Create 'Pass-Through' Claims Rules for the new RP. Consider pass-through rules for these claims (as so-named in the ADFS RP Claim Rules GUI):
    – "Name" is the userID/sAMAccountName/ePPN
    – "Given Name" is the user's first name
    – "Surname" is the user's last name
    – "E-Mail Address" is the user's e-mail address
    – "Role" is the user's role (or eduPersonAffiliation, etc.)
How to Integrate Your Own App (cont)
- App code references: add a reference to Microsoft.IdentityModel (after installing the WIF runtime)
- App code (in Page_Load()):

    using Microsoft.IdentityModel.Claims;
    using System.Threading;

    // The WIF principal carries the claims from the ADFS security token
    IClaimsIdentity claimsIdentity = ((IClaimsPrincipal)Thread.CurrentPrincipal).Identities[0];

    // Claim type URIs. The slide spelled out the literal URIs (truncated in this copy);
    // the ClaimTypes constants in Microsoft.IdentityModel.Claims hold the same values.
    string GIVENNAME_CLAIM_TYPE = ClaimTypes.GivenName;
    string SURNAME_CLAIM_TYPE = ClaimTypes.Surname;
    string EMAIL_CLAIM_TYPE = ClaimTypes.Email;
    string ROLE_CLAIM_TYPE = ClaimTypes.Role;

    string UID = "", FName = "", LName = "", EmailAddr = "", Role = "";
    bool AuthOK = false, roleFound = false;

    if (claimsIdentity != null)
    {
        AuthOK = claimsIdentity.IsAuthenticated;
        UID = claimsIdentity.Name;   // the "Name" claim passed through from ADFS
        foreach (Claim c in claimsIdentity.Claims)
        {
            if (c.ClaimType == GIVENNAME_CLAIM_TYPE) FName = c.Value;
            if (c.ClaimType == SURNAME_CLAIM_TYPE) LName = c.Value;
            if (c.ClaimType == EMAIL_CLAIM_TYPE) EmailAddr = c.Value;
            if (c.ClaimType == ROLE_CLAIM_TYPE)
            {
                // Role is multivalued, so build one semicolon-delimited string
                if (roleFound) Role += ";" + c.Value;
                else { Role += c.Value; roleFound = true; }
            }
        }
    }

- Microsoft Reference: 9AB B-4852-B26E-031A88EDD113
DiscoveryService/WAYF??
- ADFS does not support the OASIS DiscoveryService profile
- To discover a user's home institution, ADFS uses a process called "Home Realm Discovery"
- This is very customizable, as it is just a .NET page (.aspx)
- The page is at (by default) c:\inetpub\adfs\ls\HomeRealmDiscovery.*
- Search-as-you-type
- Cookie name
- Multi-Fed Selector
Demo
- Claims Provider Properties
- Claims Provider Claims Rules
- Relying Party Properties
- Relying Party Claims Rules
- SharePoint Login
- Custom code to sync SP profiles
  – Hooks the "OnSignedIn" event of the "federatedAuthentication" module
  – Uses SP's UserProfileManager class
- Custom app integration