Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEH | | |

Published byBlanche Elliott Modified over 9 years ago

Similar presentations

Presentation on theme: "Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEH | | |"— Presentation transcript:

1 Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEH | ondrej@sevecek.com | www.sevecek.com |

2 AD FS  XML over HTTP/S based authentication and "trust"  Replacement for AD trusts  Free download

3 AD FS vs. local user stores  Local user stores  AD LDS (LDAP), SQL, XML, …  you must manage the accounts  you know their passwords  you must reset and unlock and disable  AD FS  leaves account management on the account partner side  you never see their password

4 AD FS principles

5

6

7 Internal partners - most common

8 SharePoint WS Federation passive URL  This is the resulting redirection after client is authenticated and claims are processed and signed  https://intranet.gopas.cz/_trust/

9 SharePoint realm  Used to identify the calling application  it is the thing that SharePoint sends to ADFS to identify itself  urn:something:something-else  urn:intranet.gopas.virtual:sharepoint

10 SharePoint incoming claim types ADFS Incoming Claim Type ADFS Outgoing Claim Type to SharePoint URI ID SAM-Account-NameName IDnameidentifier E-Mail-AddressesE-Mail Addressemailaddress Token-GroupsRolerole Given-NameGiven Namegivenanme Surname surname User-Principal-NameWindows Account Namewindowsaccountname http://msdn.microsoft.com/en-us/library/system.identitymodel.claims.claimtypes.aspx

11 Claim types and SharePoint  Only IdentifierClaim is saved in user's "settings" page  Other claim types can be used to authorize access to resources with People Picker  No lookup for account partner claim values

12 More groups as a single claim  c:[Type == ”http://schemas.microsoft.com/ws/2008/06/identity/claims/ groupsid”, Value == “S-1-5-21-573680338-1201701862- 760492540-1037”, Issuer == “AD AUTHORITY”]  && c1:[Type == ”http://schemas.microsoft.com/ws/2008/06/identity/claims/ groupsid”, Value == “S-1-5-21-573680338-1201701862- 760492540-1185”, Issuer == “AD AUTHORITY”]  && c2:[Type == ”http://schemas.microsoft.com/ws/2008/06/identity/claims/ groupsid”, Value == “S-1-5-21-573680338-1201701862- 760492540-1139”, Issuer == “AD AUTHORITY”]  => issue(Type = “http://schemas.sp.local/canDoIt”, Value = “true”, Issuer =c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

13 Active Directory Federation Services Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEH | ondrej@sevecek.com | www.sevecek.com |

Download ppt "Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | CEH | | |"

Similar presentations

Active Directory Federation Services How does it really work?

Active Directory Federation Services How does it really work?
Office 365 Identity June 2013 Microsoft Office365 4/2/2017

Office 365 Identity June 2013 Microsoft Office365 4/2/2017
 Jan Alexander Program Manager Microsoft Corporation BB43.

 Jan Alexander Program Manager Microsoft Corporation BB43.
GOPAS TechEd 2012 PKI Design Ing. Ondřej Ševeček | GOPAS a.s. |

GOPAS TechEd 2012 PKI Design Ing. Ondřej Ševeček | GOPAS a.s. |
Key Point: Federation relationships are based on trust.

Key Point: Federation relationships are based on trust.
Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.

Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |
Implementing and Administering AD FS

Implementing and Administering AD FS
Ing. Ondřej Ševeček | GOPAS a.s. | MCSM:Directory | MVP:Enterprise Security | CEH:Certified Ethical Hacker | CHFI:Computer Hacking Forensic Investigator.

Ing. Ondřej Ševeček | GOPAS a.s. | MCSM:Directory | MVP:Enterprise Security | CEH:Certified Ethical Hacker | CHFI:Computer Hacking Forensic Investigator.
Problem Statement AD DB App1 DB App2 AD App4 App6 AD App5 Intranet Extranet Cloud AD App3 DB SSO Separate Sign-in Separate Sign-in Separate Sign-in.

Problem Statement AD DB App1 DB App2 AD App4 App6 AD App5 Intranet Extranet Cloud AD App3 DB SSO Separate Sign-in Separate Sign-in Separate Sign-in.
Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,

Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,
Kerberos Underworld Ondrej Sevecek | MCM: Directory | MVP: Security |

Kerberos Underworld Ondrej Sevecek | MCM: Directory | MVP: Security |
Ing. Ondřej Ševeček MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint | Smart card.

Ing. Ondřej Ševeček MCSM:Directory | MVP:Enterprise Security | Certified Ethical Hacker | MCSE:SharePoint | Smart card.
Troubleshooting Federation, AD FS 2.0, and More…

Troubleshooting Federation, AD FS 2.0, and More…
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | | |
SIM402. Kerberos, NTLM, Basic, Digest, Forms?

SIM402. Kerberos, NTLM, Basic, Digest, Forms?
Virtual techdays INDIA │ 18-20 august 2010 Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS)

Virtual techdays INDIA │ august 2010 Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS)
Share easilyShare responsibly Share with anyone.

Share easilyShare responsibly Share with anyone.
Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker | |

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | Certified Ethical Hacker | |
Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.

Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.

Similar presentations

Ads by Google