Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Module 5: Configuring AD FS
  Lesson 1: Overview of AD FS
  Lesson 2: AD FS Deployment Scenarios
  Lesson 3: Deploying AD FS
  Lesson 4: Implementing AD FS Claims
Lesson 1: Overview of AD FS
  What Is Identity Federation?
  Identity Federation Scenarios
  Identity Federation Business Requirements
  What Is a Federation Trust?
  AD FS Components
What Is Identity Federation?
Identity federation:
  Enables user access to resources between different organizations or different server platforms
  Allows an organization to retain control over who can access its resources
  Requires an identity federation partnership that provides a form of trust between the two organizations
  Provides an agreement that defines which resources will be accessible to the other organization and how access to those resources will be enabled
Identity Federation Scenarios
Identity federation allows secure and efficient communication and collaboration in the following three scenarios:
  Business-to-Business (B2B)
  Business-to-Employee (B2E)
  Business-to-Consumer (B2C)
Discussion: Identity Federation Business Requirements What business requirements would lead to the deployment of an identity federation solution?
What Is a Federation Trust?
A federation trust relationship provides efficient communication between organizations.
  Federation trust: the embodiment of a partnership between two organizations
  Account partner: stores and manages user accounts in an Active Directory® store or in AD LDS
  Resource partner: hosts the Web servers that host the Web-based applications
AD FS Components
(Diagram: account partner and resource partner joined by a federation trust.) Components shown:
  Account partner: domain controller (user accounts can exist in AD DS or AD LDS) and the account federation server
  Resource partner: resource federation server, Federation Service Proxy, and a Web server running the AD FS Web Agent
  Federation trust between the account federation server and the resource federation server
Lesson 2: AD FS Deployment Scenarios
  AD FS Deployment Options
  How AD FS Traffic Flows in a B2B Federation Scenario
  How AD FS Traffic Flows in a B2E Federation Scenario
  How AD FS Traffic Flows in a B2C Federation Scenario
  AD FS Deployment Considerations
AD FS Deployment Options
(Diagram: three deployment designs, each with a firewall between the organization and the Internet. Organizations shown: A. Datum Corp., Northwind Traders, Contoso.)
  Web SSO: a single organization with one AD DS forest gives its users single sign-on to its Web applications across the Internet
  Federated Web SSO: two separate organizations; one provides account federation and the other resource federation, linked by a federation trust
  Federated Web SSO with Forest Trust: a single organization whose internal forest and perimeter forest are linked by a forest trust, with a federation trust between the account federation and resource federation sides
How AD FS Traffic Flows in a B2B Federation Scenario (Federated Web SSO)
(Diagram.) Components: A. Datum as account partner (AD DS domain controller and account federation server); Woodgrove Bank as resource partner (resource federation server and Web server); client; federation trust between the two federation servers across the Internet.
How AD FS Traffic Flows in a B2E Federation Scenario (Federated Web SSO with Forest Trust)
(Diagram.) Components: internal AD DS domain controller and account federation server; account federation server proxy; resource federation server; Web server running the AD FS Web Agent; client. The perimeter network is its own AD domain in a separate forest, joined to the internal forest by a one-way forest trust; the account and resource federation servers are linked by a federation trust across the Internet.
How AD FS Traffic Flows in a B2C Federation Scenario (Web Single Sign-On)
(Diagram.) Components: federation server proxy; resource federation server; Web server running the AD FS Web Agent; AD LDS server as the account store; client connecting across the Internet.
AD FS Deployment Considerations
Consider the following when planning an AD FS solution:
  AD FS scenario to be deployed
  Certificate management
  Directory store requirements
  Application type
(Diagram: Manufacturer as account partner, Supplier as resource partner.)
Lesson 3: Deploying AD FS
  AD FS System Requirements
  AD FS Prerequisites
  AD FS Certificate Requirements
  How To Install the AD FS Server Role
  Federation Service Configuration Tasks
  What Is an AD FS Trust Policy?
  Configuring the AD FS Web Agent
AD FS System Requirements
Operating system, one of the following:
  Windows Server® 2003 R2 Enterprise Edition
  Windows Server® 2003 R2 Datacenter Edition
  Windows Server® 2008 Enterprise
  Windows Server® 2008 Datacenter
AD FS requirements for the Federation Service, Federation Service Proxy and AD FS Web Agent roles:
  Internet Information Services (IIS)
  A Web site with Transport Layer Security/Secure Sockets Layer (TLS/SSL) configured
  Microsoft® ASP.NET 2.0
  Microsoft® .NET Framework 2.0
AD FS Prerequisites
Network services critical to a successful AD FS deployment include:
  Active Directory® or AD LDS
  Domain Name System (DNS)
  Certificates
AD FS Certificate Requirements
  Role                     | Certificates required
  Federation Server        | Token-signing certificate; verification certificate(s); SSL server authentication certificate
  Federation Server Proxy  | SSL client authentication certificate; SSL server authentication certificate
  AD FS Web Agent          | SSL server authentication certificate
Certificates can be issued by a trusted Certification Authority, or you can use a self-signed certificate. A verification certificate is the public half of a partner's token-signing certificate; the Federation Service uses it to check the signature on tokens that partner issues, so a self-signed token-signing certificate works as long as its public key is exported and imported on the partner. The SSL certificates, by contrast, are validated by browsers, the proxy and the partner federation server, so a self-signed SSL certificate only works if it is also installed in the Trusted Root store of every client and server that connects.
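The checks below are an added example, not part of the course material: a Windows PowerShell script that verifies the system prerequisites and certificate requirements from the three slides above on a federation server. The Federation Service name, the two thumbprints and the export path are placeholders to replace with your own values, and the script assumes Windows PowerShell 2.0 or later running elevated on the server; none of those values come from the page.

```powershell
# Added example (not course code): verify AD FS 1.x prerequisites and certificates
# on the local server. All names, thumbprints and paths below are placeholders.
$FederationServiceFqdn = 'fs.woodgrovebank.com'                       # assumed name
$SslCertThumbprint     = '0000000000000000000000000000000000000000'   # placeholder
$SigningCertThumbprint = '1111111111111111111111111111111111111111'   # placeholder
$VerificationCertPath  = 'C:\ADFS\export\fs-signing-public.cer'       # placeholder

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth: SSL server authentication
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth: federation server proxy certificate

function Test-AdfsPrerequisites {
    $r = @{}
    # .NET Framework 2.0 (ASP.NET 2.0 ships with it): Install = 1 under the NDP key.
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727'
    $r['DotNetFramework20'] = (Test-Path $ndp) -and ((Get-ItemProperty $ndp).Install -eq 1)
    # IIS: the World Wide Web Publishing Service is installed and running.
    $w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
    $r['IIS'] = ($w3svc -ne $null) -and ($w3svc.Status -eq 'Running')
    # DNS: clients and partners must resolve the Federation Service name.
    try   { $r['DNS'] = ([System.Net.Dns]::GetHostAddresses($FederationServiceFqdn)).Length -gt 0 }
    catch { $r['DNS'] = $false }
    return $r
}

function Test-AdfsCertificate {
    param([string]$Thumbprint, [string]$RequiredEku, [string]$RequiredDnsName)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if ($cert -eq $null) { return @{ Found = $false } }

    $now = Get-Date
    $result = @{
        Found         = $true
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey          # needed for token-signing and SSL roles
        InValidity    = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
    }
    # Enhanced key usage: SSL certificates must carry server (or client) authentication.
    if ($RequiredEku) {
        $eku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $oids = @()
        if ($eku -ne $null) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        $result['EkuOk'] = $oids -contains $RequiredEku
    }
    # Name match: browsers and partners compare the SSL certificate name to the URL host.
    if ($RequiredDnsName) {
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $result['NameMatches'] = ($dnsName -eq $RequiredDnsName)
    }
    # Chain: an SSL certificate must chain to a CA the clients trust. A self-signed
    # token-signing certificate fails this check, which is acceptable only for that role.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $result['ChainTrusted'] = $chain.Build($cert)
    return $result
}

# Export the public half of the token-signing certificate (DER, no private key) so the
# partner can import it as a verification certificate; a self-signed certificate makes
# this step mandatory because the partner cannot obtain the public key from a CA.
function Export-VerificationCertificate([string]$Thumbprint, [string]$Path) {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if ($cert -eq $null) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $der)
    return $Path
}

Test-AdfsPrerequisites
Test-AdfsCertificate -Thumbprint $SslCertThumbprint -RequiredEku $ServerAuthEku -RequiredDnsName $FederationServiceFqdn
Test-AdfsCertificate -Thumbprint $SigningCertThumbprint
```

Run the same `Test-AdfsCertificate` call with `$ClientAuthEku` on a federation server proxy to check its client authentication certificate, and call `Export-VerificationCertificate $SigningCertThumbprint $VerificationCertPath` (the target folder must exist) to produce the .cer file the partner imports under its verification certificates. A `ChainTrusted` of False on the SSL certificate is a deployment problem; on a self-signed token-signing certificate it is expected.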
Demonstration: How To Install the AD FS Server Role
  To install the AD FS server role
  To install the Federation Service role service
Federation Service Configuration Tasks
Use the AD FS console to configure:
  Account partners
  Resource partners
  Trust policy
  Account stores
  AD FS-protected applications
  Organization claims
What Is an AD FS Trust Policy?
An AD FS trust policy consists of the configuration information that is associated with your Federation Service. Properties that can be configured include the following:
  Federation Service URI
  Federation Service endpoint URL
  Trust policy display name
  Verification certificates and federation server proxy certificates
  Event log level
  Advanced settings
Configuring the AD FS Web Agent
Configuration options for the AD FS Web Agent include:
  Federation Service URL
  Cookie path
  Cookie domain
  Return URL
(Diagram: Manufacturer as account partner, Supplier as resource partner, linked by AD FS.)
Lesson 4: Implementing AD FS Claims
  What Are AD FS Claims?
  What Are Identity Claims?
  What Are Group and Custom Claims?
  What Is Incoming Claim Mapping?
  What Is Outgoing Claim Mapping?
  How To Configure AD FS Claim Mapping
What Are AD FS Claims?
An AD FS claim is a statement made about a user that is understood by both partners in an AD FS federation scenario. The Federation Service supports the following claim types:
  Identity claims
  Group claims
  Custom claims
What Are Group and Custom Claims?
Group claims contain group membership information. Custom claims contain information about a user.
(Diagram: at the account partner, the Purchasing Dept security group becomes the Purchasing Agent group claim and the Title user attribute becomes the Position custom claim; through the federated namespace (incoming/outgoing) these reach the resource partner as the Purchaser organizational claim and the Position/Title custom claim.)
What Is Incoming Claim Mapping?
Incoming claim mapping maps claims sent from the account partner to the claims used by the resource partner. The two types of incoming claim mappings are:
  Incoming group claim mapping
  Incoming custom claim mapping
(Diagram: resource partner side of the federated namespace; the incoming Purchaser organizational claim and the Position custom claim are mapped to the resource partner's Purchaser and Title claims.)
What Is Outgoing Claim Mapping?
Outgoing claim mapping modifies an account partner's organization claim to match a common attribute as agreed with the resource partner. The two types of outgoing claim mappings are:
  Outgoing group claim mapping
  Outgoing custom claim mapping
(Diagram: account partner side of the federated namespace; the Purchasing Dept security group and Title user attribute become the Purchasing Agent group claim and Position custom claim, which are sent outbound as Purchaser and Position.)
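The following is an added example, not code from the course or from AD FS itself: a self-contained Windows PowerShell simulation of the claim pipeline that the four slides above describe, from account store attributes through organization claims, outgoing mapping, the federated namespace and incoming mapping to the resource partner's application. The group, attribute and claim names (Purchasing Dept, Title, Purchasing Agent, Position, Purchaser) come from the slides; the two user records, the partner names (A. Datum and Woodgrove Bank from Lesson 2), the UPN suffix and the rule that an unmapped group or custom claim is not sent are constructed for the example.

```powershell
# Added example (not course code): simulate AD FS claim mapping end to end.
# Constructed sample user records standing in for the account partner's AD DS store.
$Users = @{
    'william' = @{ Groups = @('Purchasing Dept', 'Domain Users'); Attributes = @{ title = 'Purchasing Agent' } }
    'dana'    = @{ Groups = @('Domain Users');                    Attributes = @{ title = 'Accountant' } }
}

# Account partner (A. Datum) configuration.
$AccountPartner = @{
    GroupClaims  = @{ 'Purchasing Dept' = 'Purchasing Agent' }            # security group -> organization group claim
    CustomClaims = @{ 'title' = 'Position' }                              # AD attribute   -> organization custom claim
    OutgoingMap  = @{ 'Purchasing Agent' = 'Purchaser'; 'Position' = 'Position' }  # organization claim -> agreed federated name
}

# Resource partner (Woodgrove Bank) configuration.
$ResourcePartner = @{
    IncomingMap   = @{ 'Purchaser' = 'Purchaser'; 'Position' = 'Title' } # federated name -> resource partner organization claim
    RequiredGroup = 'Purchaser'                                           # group claim the purchasing application requires
}

function New-Claim([string]$Type, [string]$Name, [string]$Value) {
    return @{ Type = $Type; Name = $Name; Value = $Value }
}

# Step 1 (account partner): organization claims from the account store.
function Get-OrganizationClaims([string]$UserName, $Config) {
    $user   = $Users[$UserName]
    $claims = @()
    $claims += New-Claim 'Identity' 'UPN' "${UserName}@adatum.com"      # assumed UPN suffix
    foreach ($group in $user.Groups) {
        if ($Config.GroupClaims.ContainsKey($group)) { $claims += New-Claim 'Group' $Config.GroupClaims[$group] 'true' }
    }
    foreach ($attr in $user.Attributes.Keys) {
        if ($Config.CustomClaims.ContainsKey($attr)) { $claims += New-Claim 'Custom' $Config.CustomClaims[$attr] $user.Attributes[$attr] }
    }
    return ,$claims
}

# Step 2 (account partner): outgoing mapping. The identity claim always travels; a group
# or custom claim is placed in the token only under the name agreed with this resource
# partner (modelling assumption: an unmapped claim is dropped, not sent under its local name).
function ConvertTo-OutgoingClaims($Claims, $OutgoingMap) {
    $token = @()
    foreach ($c in $Claims) {
        if ($c.Type -eq 'Identity') { $token += $c; continue }
        if ($OutgoingMap.ContainsKey($c.Name)) { $token += New-Claim $c.Type $OutgoingMap[$c.Name] $c.Value }
    }
    return ,$token
}

# Step 3 (resource partner): incoming mapping from federated names to local organization claims.
function ConvertFrom-IncomingClaims($Token, $IncomingMap) {
    $local = @()
    foreach ($c in $Token) {
        if ($c.Type -eq 'Identity') { $local += $c; continue }
        if ($IncomingMap.ContainsKey($c.Name)) { $local += New-Claim $c.Type $IncomingMap[$c.Name] $c.Value }
    }
    return ,$local
}

# Step 4 (resource partner): the AD FS-protected application checks for the required group claim.
function Test-ApplicationAccess($ResourceClaims, [string]$RequiredGroup) {
    foreach ($c in $ResourceClaims) {
        if ($c.Type -eq 'Group' -and $c.Name -eq $RequiredGroup) { return $true }
    }
    return $false
}

function Invoke-FederatedLogon([string]$UserName) {
    $org   = Get-OrganizationClaims $UserName $AccountPartner
    $token = ConvertTo-OutgoingClaims $org $AccountPartner.OutgoingMap
    $local = ConvertFrom-IncomingClaims $token $ResourcePartner.IncomingMap
    return @{ User = $UserName; Sent = $token; Received = $local; Allowed = (Test-ApplicationAccess $local $ResourcePartner.RequiredGroup) }
}

foreach ($u in 'william', 'dana') {
    $r = Invoke-FederatedLogon $u
    $received = ($r.Received | ForEach-Object { "$($_.Type)/$($_.Name)=$($_.Value)" }) -join ', '
    Write-Host ("{0}: access={1}; claims at resource partner: {2}" -f $u, $r.Allowed, $received)
}
```

William is in Purchasing Dept, so his Purchasing Agent group claim leaves A. Datum as Purchaser, arrives at Woodgrove Bank as Purchaser and satisfies the application; Dana has only the identity and Title claims and is refused. Remove the Purchaser entry from either mapping table and William is refused as well, which is the practical point of the slides: a claim that is not mapped on both sides never reaches the application.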
Demonstration: How To Configure AD FS Claim Mapping
  To configure organization claims
  To configure group and custom claims
  To configure outgoing and incoming claim mapping
Lab 5A: Configuring the Federated Web SSO with Forest Trust Scenario
  Exercise 1: Installing the AD FS Server Role
  Exercise 2: Configuring Certificate Requirements
  Exercise 3: Configuring the AD FS Web Agent
  Exercise 4: Configuring the Web Server Application on 6426A-CHI-DC1
  Exercise 5: Configuring the Forest Trust and the Federated Trust Policies
  Exercise 6: Configuring the Federation Service Within the Internal Network
  Exercise 7: Configuring the Federation Service Within the Extranet
  Exercise 8: Testing the AD FS Implementation
Logon information:
  Virtual machine  | Domain            | User name     | Password
  6426A-NYC-DC1    | woodgrovebank.com | Administrator | Pa$$w0rd
  6426A-CHI-DC1    | WDextranet.net    | Administrator | Pa$$w0rd
  6426A-NYC-CL1    | woodgrovebank.com | William       | Pa$$w0rd
Estimated time: 75 minutes
Lab 5B: Configuring AD FS by Using the Federated Web SSO Scenario
  Exercise 1: Installing the AD FS Server Role
  Exercise 2: Configuring Certificate Requirements
  Exercise 3: Configuring the AD FS Web Agent
  Exercise 4: Configuring the Web Server Application on the 6426A-CHI-DC1 Virtual Computer
  Exercise 5: Configuring the Federation Trust Policies
  Exercise 6: Configuring the Account Partner Federation Service
  Exercise 7: Configuring the Resource Partner Federation Service
  Exercise 8: Testing the AD FS Implementation
Logon information:
  Virtual machine                  | User name     | Password
  6426A-NYC-DC1 and 6426A-CHI-DC1  | Administrator | Pa$$w0rd
Estimated time: 75 minutes