Presentation is loading. Please wait.

Presentation is loading. Please wait.

Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,

Published byHelena Gordon Modified over 9 years ago

Similar presentations

Presentation on theme: "Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,"— Presentation transcript:

1

2

3

4 Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors, publisher and distributor assume will not be liable for errors or omissions, or for damages resulting from the use of the information presented and contained herein

5

6

7 Identity Provider (IP) Active Directory Security Token Service (STS) User / Subject /Principal Requests token for AppX Issues Security Token crafted for Appx Relying party (RP)/ Resource provider Issuer IP-STS Trusts the Security Token from the issuer The Security Token Contains claims about the user For example: Name Group membership User Principal Name (UPN) Email address of user Email address of manager Phone number Other attribute values Security Token “Authenticates” user to the application ST Signed by issuer AppX Authenticates user

8 Process token Home realm discovery Redirected to partner STS requesting ST for partner user Return ST for consumption by your STS Return new ST Your AD FS STS Your Claims-aware app Active Directory Partner user Partner AD FS STS & IP Redirected to your STS Authenticate Send Token Return cookies and page Browse app Not authenticated Redirect to your STS ST App trusts STS Your STS trusts your partner’s STS

9 partner.xtseminars.com example.com Internet ISP DNS Client Client2 Proxy-p adfs1 dc1 srv1 adfs-p Proxy

10

11

12 PS C:\>Set-AdfsProperties -LogLevel Errors, Warnings, Information, Verbose

13

14

15

16

17 BrowserWinINETFiddler Webserver Spoof certificate

18 AD FS STS Claims-aware app Active Directory Browse app Not authenticated Redirected to STS Authenticate Our user Query for user attributes Return security token Return cookies and page Send Token App trusts STS ST

19 Decoded redirect URL: https://adfs.example.com/adfs/ls/? wa=wsignin1.0& wtrealm=https://site1.example.com/Federation/& wctx=rm=0&id=passive&ru=%2fFederation%2f& wct=2011-04-15T15:12:28Z AD FS logon endpoint Action to perform Security realm of RP Consumed by RP passed through unchanged by all actors Time Stamp %2f decodes to /

20 Hidden form with POST method POST back URL defined via RP configuration in AD FS SAML claims Signature X.509 Certificate of signing party (includes public key) Unchanged since initial request Begins / ends with saml:Assertion

21

22 AD FS

23 APP

24

25 Issuance Transform rules Issuance Authorization rules Acceptance Transform rules Relying Party Trusts Claims Provider Trusts STS AD Username, user & group SIDs Logon Issued claims Acceptance Transform rules Username user & group SIDs Token authentication ST Claims Deny ST

26

27 Web application ADFS Claims-aware web application Web application with Windows Authentication AD FS preauthentication Kerberos constrained delegation Publish applications and services to the Internet WAP Users are authenticated and authorized before gaining access to the corporate network Pass-through KCD

28 SAMLSWTJWT JSON Web Tokens (JWT)Simple Web Token ( Microsoft, Google, Yahoo) Security Assertion Markup Language SAML 1.1/2.0 Complex to: Create Parse Validate Transmit Easy to: Create Parse Validate Transmit Too simple! Time

29 User User trusts website and STS via SSL certificates Certificate path validated and CRL checked ST Sign with STS token signing certificate private key Validate with STS token signing certificate public key encrypt with RP encryption certificate public key Decrypt with RP encryption certificate private key STS RP CNG certificates are not supported

30

31

32

33 John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high-availability. A key player in many IT projects for industry leaders including Microsoft, the UK Government and multi-nationals that require optimized IT systems. Developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory Internals, presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars. www.xtseminars.co.uk

34

35 www.microsoft.com/learning http://microsoft.com/msdn http://microsoft.com/technet http://channel9.msdn.com/Events/TechEd

36

37

38

Download ppt "Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,"

Similar presentations

Secure Single Sign-On Across Security Domains

Secure Single Sign-On Across Security Domains
Active Directory Federation Services How does it really work?

Active Directory Federation Services How does it really work?
steve plank “planky” microsoft Lest we forget windows azure appfab

steve plank “planky” microsoft Lest we forget windows azure appfab
 Jan Alexander Program Manager Microsoft Corporation BB43.

 Jan Alexander Program Manager Microsoft Corporation BB43.
SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.

SIM403. Claims Provider Trust Relying Party x Relying Party Trust Claims Provider Trust Your ADFS STS Partner ADFS STS & IP Relying Party Trust Partner.
Implementing and Administering AD FS

Implementing and Administering AD FS
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
0 Who Are You and What Do You Want? Working with Oauth in SharePoint 2013 Eric Shupps SharePoint MVP.

0 Who Are You and What Do You Want? Working with Oauth in SharePoint 2013 Eric Shupps SharePoint MVP.
Identity for.NET Applications: A Technology Overview David Chappell Chappell & Associates www.davidchappell.com.

Identity for.NET Applications: A Technology Overview David Chappell Chappell & Associates
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.
Problem Statement AD DB App1 DB App2 AD App4 App6 AD App5 Intranet Extranet Cloud AD App3 DB SSO Separate Sign-in Separate Sign-in Separate Sign-in.

Problem Statement AD DB App1 DB App2 AD App4 App6 AD App5 Intranet Extranet Cloud AD App3 DB SSO Separate Sign-in Separate Sign-in Separate Sign-in.
Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,

Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,
Conditional access DirectAccess & automatic VPN Desktop Virtualization.

Conditional access DirectAccess & automatic VPN Desktop Virtualization.
SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)

SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)
Troubleshooting Federation, AD FS 2.0, and More…

Troubleshooting Federation, AD FS 2.0, and More…
An Introduction to Information Card Barry Dorrans Charteris plc

An Introduction to Information Card Barry Dorrans Charteris plc
SIM402. Kerberos, NTLM, Basic, Digest, Forms?

SIM402. Kerberos, NTLM, Basic, Digest, Forms?
Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.

Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.
Timothy Heeney| Microsoft Corporation. Discuss the purpose of Identity Federation Explain how to implement Identity Federation Explain how Identity Federation.

Timothy Heeney| Microsoft Corporation. Discuss the purpose of Identity Federation Explain how to implement Identity Federation Explain how Identity Federation.
Solution SusQtech (Winchester, VA) SharePoint MVP since 2007 Working with SharePoint since 2001 Work on all types of deployments Dream about.

Solution SusQtech (Winchester, VA) SharePoint MVP since 2007 Working with SharePoint since 2001 Work on all types of deployments Dream about.

Similar presentations

Ads by Google