SESSION CODE: SIA302. Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0. Brian Puhl, Principal Technology Architect, MSIT Identity & Access Management, Microsoft Corporation.
Agenda
“Provide a secure identity management infrastructure which enables both on-premise and cloud applications to use common authentication and authorization foundations, regardless of the user's source”
• Identity Principles
• Federated Identity
• Deploying Active Directory Federation Services 2.0
• On-Premise Applications
• Cloud/Hosted Applications
Identity Principles
• MSIT is responsible for security of our data, regardless of where authentication or authorization policies occur
• Manage consistency of data within the metasystem
• Deliver services which ensure compliance with policy
• Authentication and Authorization are independent
• Provide solutions to improve business, but don't “be” the solution
• Whoever owns the data owns the authorization policy
• Drive policies as close to the data as possible
• Some identity services are just for convenience, and that's OK
• Common infrastructure and application models regardless of location
Deploying Active Directory Federation Services 2.0
• This display name is often used by partners during home realm discovery
• Plan your namespace for multiple federation services
• Choose your URI carefully
  • Use a URL format
  • Use HTTPS format
Federated Identity (the bouncy slide)
(Diagram: Microsoft (Users) and E-Company Store (Resource); A. Datum Account Forest and Trey Research Resource Forest, connected by a Federation Trust.)
Authorization Infrastructure
• Works well when scoped at the application STS
• Not intended for fine-grained data authorization
• Requires in-application policy enforcement
• Delegated Access solves KCD/NTLM problems
• Chaining STSs scopes tokens, with a performance impact
• Improved authentication consolidated at the STS
(Diagram: LOB Application 1 … N, SharePoint Sites and File Servers sitting on Authorization Components and Authentication Infrastructure Services, combined in the final build into Authentication and Authorization Infrastructure Services.)
Authorization Example
Business Policy:
• Acct Mgrs: Read contracts in their region; Edit contracts in their country; Create new contracts
• Sales Rep: Edit contracts they own
Application Roles: Create, Read, Update
How do you build the token for Ariel?
• <102>Read</102> ??? This doesn't work
• <roles>Create</roles> <roles>Read</roles> - doesn't reflect the policy
• <role>Create~102/Read~103/Update~104/Update~105/Read</role> - token bloat with too many values
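The slide's point is that a per-record grant list does not belong in the token: the token should carry a few identity facts (role, region, country, who the user is) and the application should evaluate the business policy next to the data. The following Python model is an added illustration, not code from the talk; the contract records, the users Ariel and Sam, and the reading of “edit” as read-plus-update are constructed for the example.

```python
"""In-application policy enforcement for the contract-authorization example.

The token carries identity attributes only; the application decides per
contract.  Sample data and field names are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Contract:
    id: int
    region: str
    country: str
    owner: str


# Constructed sample contracts (the slide's 102/103/104 numbering reused).
CONTRACTS: Dict[int, Contract] = {
    102: Contract(102, "EMEA", "FR", "marc"),
    103: Contract(103, "EMEA", "DE", "ariel"),
    104: Contract(104, "APAC", "JP", "sam"),
}

# Claims as they would arrive in a token: short identity facts, no per-record grants.
ARIEL = {"sub": "ariel", "role": "AcctMgr", "region": "EMEA", "country": "DE"}
SAM = {"sub": "sam", "role": "SalesRep", "region": "APAC", "country": "JP"}


def is_authorized(claims: dict, action: str, contract: Optional[Contract] = None) -> bool:
    """Business policy from the slide, enforced where the data lives.

    Acct Mgrs: read contracts in their region, update contracts in their
    country, create new contracts.  Sales Reps: read/update contracts they own
    (assumption: "edit" means read and update).
    """
    role = claims.get("role")
    if role == "AcctMgr":
        if action == "Create":
            return True
        if contract is None:
            return False
        if action == "Read":
            return contract.region == claims.get("region")
        if action == "Update":
            return contract.country == claims.get("country")
        return False
    if role == "SalesRep":
        if contract is None:
            return False
        return action in ("Read", "Update") and contract.owner == claims.get("sub")
    return False


def permitted_actions(claims: dict) -> Dict[int, List[str]]:
    """The per-contract rights the slide tried to squeeze into <role> values,
    computed on demand instead of shipped in the token."""
    out: Dict[int, List[str]] = {}
    for cid, contract in CONTRACTS.items():
        acts = [a for a in ("Read", "Update") if is_authorized(claims, a, contract)]
        if acts:
            out[cid] = acts
    return out


if __name__ == "__main__":
    print("Ariel:", permitted_actions(ARIEL), "Create:", is_authorized(ARIEL, "Create"))
    print("Sam:", permitted_actions(SAM), "Create:", is_authorized(SAM, "Create"))
```

Because the decision is made against the contract record, a new contract or a regional reorganization changes the outcome without reissuing any token, and the token stays the same size however many contracts exist.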
STS Architecture
How many STSs do I need? Exactly as many as you need.
• App Suite STS: augmented claims; authorization tokens
• Identity STS: authentication; partner federation; identity normalization; immutable identifiers
Authentication Transitivity
(Diagram: Contoso, a Service Provider, and Applications 1 through 4.)
• Contoso ADFS issues authentication tickets to the PARTNER REALM, not to any specific application
• Once a user is authenticated by ADFS, the PARTNER ADFS SERVER will issue tokens for any application which trusts it without going back for authorization
• App 4 is actually another STS
Authentication Transitivity: Business to Business Relationships
(Diagram: Contoso, a Service Provider, and Applications 1 through 4; Applications 2 and 3 are marked X. Annotation: “This relationship equals this relationship”.)
• Policy does not allow the service to issue a token based on the SERVICE PROVIDER'S policy (ex. subscription to services)
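The transitivity slides say two things: Contoso's STS authenticates the user once and issues to the partner realm, and the partner's STS then decides, per application, whether to issue a token, with its own policy (for example, which services Contoso subscribes to) being the only thing that stops Applications 2 and 3. The chained-STS model below is an added illustration, not AD FS code: tokens are dicts signed with an HMAC for brevity (AD FS issues SAML tokens signed with X.509 certificates), and the STS names, keys and subscription table are constructed for the example.

```python
"""Chained security token services with per-relying-party issuance policy.

Constructed model: an identity STS (Contoso) issues to a partner STS; the
partner STS trusts that issuer and applies its own subscription policy per
application; Application 4 is itself an STS that chains once more.
"""
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional


def _sign(key: bytes, body: dict) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class STS:
    def __init__(self, name: str, key: bytes, trusted_issuers: Dict[str, bytes],
                 issuance_policy: Dict[str, Callable[[dict], bool]]):
        self.name = name
        self.key = key
        self.trusted = trusted_issuers   # issuer name -> verification key (the federation trust)
        self.policy = issuance_policy    # relying party -> predicate over the incoming claims

    def verify(self, token: dict) -> bool:
        """Accept only tokens from a trusted issuer that are addressed to this STS."""
        key = self.trusted.get(token["body"]["iss"])
        if key is None or token["body"]["aud"] != self.name:
            return False
        return hmac.compare_digest(token["sig"], _sign(key, token["body"]))

    def issue(self, audience: str, claims: dict) -> dict:
        """Issue a token to one relying party (the identity STS path)."""
        body = {"iss": self.name, "aud": audience, "claims": claims}
        return {"body": body, "sig": _sign(self.key, body)}

    def issue_from(self, incoming: dict, audience: str) -> Optional[dict]:
        """Chained issuance: trust the partner's authentication, apply local policy."""
        if not self.verify(incoming):
            raise PermissionError("token not from a trusted issuer or not for this STS")
        rule = self.policy.get(audience)
        if rule is None or not rule(incoming["body"]["claims"]):
            return None   # authenticated, but this STS's policy denies the application
        return self.issue(audience, incoming["body"]["claims"])


# Constructed keys and subscription table.
CONTOSO_KEY, SP_KEY, APP4_KEY = b"contoso-demo-key", b"sp-demo-key", b"app4-demo-key"
SUBSCRIPTIONS = {"contoso.com": {"Application 1", "Application 4"}}


def subscribed(app: str) -> Callable[[dict], bool]:
    return lambda claims: app in SUBSCRIPTIONS.get(claims.get("org", ""), set())


contoso = STS("Contoso ADFS", CONTOSO_KEY, {}, {})
service_provider = STS("Service Provider STS", SP_KEY, {"Contoso ADFS": CONTOSO_KEY},
                       {f"Application {i}": subscribed(f"Application {i}") for i in range(1, 5)})
app4_sts = STS("Application 4", APP4_KEY, {"Service Provider STS": SP_KEY},
               {"App 4 Module A": lambda claims: True})


def run_chain() -> Dict[str, bool]:
    """Which applications get a token after a single authentication at Contoso."""
    # Contoso issues to the partner realm, not to any specific application.
    ticket = contoso.issue("Service Provider STS", {"upn": "joe@contoso.com", "org": "contoso.com"})
    results = {app: service_provider.issue_from(ticket, app) is not None
               for app in ("Application 1", "Application 2", "Application 3", "Application 4")}
    # Application 4 is another STS: it trusts the service provider and chains again.
    app4_token = service_provider.issue_from(ticket, "Application 4")
    results["App 4 Module A"] = app4_sts.issue_from(app4_token, "App 4 Module A") is not None
    return results


if __name__ == "__main__":
    print(run_chain())
```

The audience check in `verify` is what keeps the partner-realm ticket from being presented straight to Application 4's STS, and the per-application predicate in `issue_from` is the only place the service provider's subscription policy is applied; nothing in the chain goes back to Contoso to ask.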
Authentication Transitivity: Federation Broker
(Diagram: Contoso and Windows Live ID, annotated “This is the relationship”; behind the broker sit Microsoft BPOS, Exchange Online, SharePoint Online, SkyDrive and HealthVault.)
• Policy must reflect the application access CONTOSO has for its users, but is enforced at the federation broker STS
It's 11:30, do you know where your IDs are?
The challenge with federation transitivity is the breadth of applications which your users can access:
• Loss of personal/confidential data
• Recoverability after termination
• The enterprise should not have to provide access to corporate IDs
• Users should not have to find and re-permission their data to a new account
Personal Data vs. Business Data: 3 Examples
• Customer access to enterprise applications
  • Easy provisioning
• Hybrid access to corporate applications
  • Family access to corporate benefits
• Convenient access to personal data
  • W2, 401k, etc.
It's 11:30, do you know where your IDs are?
The challenge with federation brokers is the breadth of applications which your users can access:
• Corporate reputation for “business inappropriate” use of the corporate brand
• Data islands
Data Islands
• When you begin to investigate the cloud, find out if your users have beaten you to it… http://www.google.com/a/cpanel/premier/new
Online Services Authentication
(One diagram built up across several slides: the Corporate Network, the Microsoft Federation Gateway and Exchange Online.)
Account objects shown on the diagram:
• Corporate Network: ID: 12345, UPN: joe@foo.local
• Federation Gateway: ID: 12345, UPN: joe@foo.local, PUID: E0A178
• Exchange Online: PUID: E0A178, MAIL: joe@corp.com
Provisioning: Directory Sync carries ID: 12345 / UPN: joe@foo.local out of the corporate network; Provision Accts & ACL Mailboxes.
Labels added by the build slides, in order:
• Basic Auth - UPN & PW, over an SSL TUNNEL
• UPN & PW
• Home Realm Discovery: STS URL
• UPN & PW; joe@foo.local & 12345
• Joe@foo.local & 12345; E0A178
• PWD: P@ssword (shown alongside the ID/UPN/PUID account attributes)
• RPC/HTTPS
Online Service Authentication
• The federated namespace is the UPN namespace, not the email namespace
• UPNs are used as the logon name
  • Renames allowed
• Immutable IDs map to the WLID account
  • ID change = new account
• Authentication via ADFS Proxies
  • Active Authentication endpoints
• User confusion when UPN != SMTP
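The bullets above describe two lookups the federation side has to get right: home realm discovery keys on the UPN suffix (so a user who types an SMTP address that is not a federated UPN namespace finds no realm), and the cloud account is keyed by the immutable ID rather than the UPN (so a UPN rename still resolves, while a changed immutable ID is a different account). The model below is an added illustration, not Microsoft's gateway code; it reuses the slide's sample values (joe@foo.local, ID 12345, PUID E0A178) and the STS URL and issuer name are constructed.

```python
"""Home realm discovery and immutable-ID account mapping at a federation gateway.

Constructed model of the two lookups described on the Online Service
Authentication slide.  URLs and the issuer name are assumptions.
"""
from typing import Dict, Optional, Tuple

ISSUER = "https://sts.foo.local"                      # constructed issuer identifier
STS_URL = "https://sts.foo.local/adfs/services/trust"  # constructed STS endpoint


class FederationGateway:
    def __init__(self) -> None:
        self.realms: Dict[str, str] = {}                          # UPN suffix -> STS URL
        self.accounts: Dict[Tuple[str, str], dict] = {}           # (issuer, immutable ID) -> account

    def federate_domain(self, suffix: str, sts_url: str) -> None:
        """Register a UPN suffix as a federated namespace."""
        self.realms[suffix.lower()] = sts_url

    def directory_sync(self, issuer: str, immutable_id: str, upn: str, mail: str, puid: str) -> None:
        """Provisioning: the cloud account is keyed by the immutable ID, never by the UPN."""
        self.accounts[(issuer, immutable_id)] = {"puid": puid, "upn": upn, "mail": mail}

    def home_realm(self, logon_name: str) -> Optional[str]:
        """Pick the STS from the UPN suffix of the logon name."""
        if "@" not in logon_name:
            return None
        return self.realms.get(logon_name.rsplit("@", 1)[1].lower())

    def resolve(self, sts_token: dict) -> Optional[dict]:
        """Map the immutable ID in an STS token to the provisioned account (PUID)."""
        return self.accounts.get((sts_token["issuer"], sts_token["immutable_id"]))


def demo() -> dict:
    gw = FederationGateway()
    gw.federate_domain("foo.local", STS_URL)
    gw.directory_sync(ISSUER, "12345", "joe@foo.local", "joe@corp.com", "E0A178")
    return {
        # Logon by UPN finds the corporate STS.
        "home_realm_upn": gw.home_realm("joe@foo.local"),
        # Logon by the SMTP address finds nothing: UPN != SMTP is the confusion the slide names.
        "home_realm_smtp": gw.home_realm("joe@corp.com"),
        # A renamed UPN still resolves because the key is the immutable ID.
        "after_rename": gw.resolve({"issuer": ISSUER, "upn": "joseph@foo.local", "immutable_id": "12345"}),
        # A changed immutable ID resolves to no account: that is a new account.
        "new_immutable_id": gw.resolve({"issuer": ISSUER, "upn": "joe@foo.local", "immutable_id": "67890"}),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```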
Summary
• Plan for a successful deployment of ADFS 2.0
• Authentication determines identity
• Authorization policy determines access
• Common infrastructure for premise and cloud
• Policy data doesn't always fit inside the token
• Controls over where and how IDs can be used
Related Content
Breakout Sessions
• SIA321 | Business Ready Security: Exploring the Identity and Access Management Solution
• SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
• SIA302 | Identity and Access Management: Centralizing Application Authorization Using Active Directory Federation Services 2.0
• SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure
• SIA304 | Identity and Access Management: Windows Identity Foundation Overview
• SIA305 | Top 5 Security and Privacy Challenges in Identity Infrastructures and How to Overcome Them with U-Prove
• SIA306 | Night of the Living Directory: Understanding the Windows Server 2008 R2 Active Directory Recycle Bin
• SIA307 | Identity and Access Management: Deploying Microsoft Forefront Identity Manager 2010 Certificate Management for Microsoft IT
• SIA318 | Microsoft Forefront Identity Manager 2010: Deploying FIM
• SIA319 | Microsoft Forefront Identity Manager 2010: In Production
• SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
• SIA327 | Identity and Access Management: Managing Active Directory Using Microsoft Forefront Identity Manager
Interactive Sessions
• SIA01-INT | Identity and Access Management: Best Practices for Deploying and Managing Active Directory Federation Services (AD-FS) 2.0
• SIA03-INT | Identity and Access Management: Best Practices for Deploying and Managing Microsoft Forefront Identity Manager
• SIA06-INT | Identity and Access Management Solution Demos
Hands-On Labs
• SIA02-HOL | Microsoft Forefront Identity Manager 2010 Overview
• SIA06-HOL | Identity and Access Management Solution: Business Ready Security with Microsoft Forefront and Active Directory
Product Demo Stations
• Red SIA-5 & SIA-6 | Microsoft Forefront Identity and Access Management Solution
Track Resources
Learn more about our solutions:
• http://www.microsoft.com/forefront
Try our products:
• http://www.microsoft.com/forefront/trial
Resources
Learning
• Sessions On-Demand & Community: www.microsoft.com/teched
• Microsoft Certification & Training Resources: www.microsoft.com/learning
• Resources for IT Professionals: http://microsoft.com/technet
• Resources for Developers: http://microsoft.com/msdn
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.