Enterprise Identity: Steve Plank (Microsoft), Ivor Bright (Charteris), Dave Nesbitt (Oxford Computer Group)
Agenda
• Overview of Enterprise Federation Challenges/Solutions
• Individual Group Discussions (led)
• Large Group “Debate”
Extranet Access with Identity Federation (diagram labels: Exchange, Active Directory, SQL/File Servers, Web Servers, App Servers; Your EMPLOYEES on your NETWORK: Logon to Windows, Single Sign-on inside your NETWORK; Your SUPPLIERS and their NETWORKS)
ADFS Identity Federation
• Projecting user identity from a single logon …
• Providing distributed authentication & claims-based authorization …
• Connecting islands (across security, organizational or platform boundaries) …
• Enabling web single sign-on & simplified identity management
ADFS Components
ADFS Components: Active Directory or ADAM
• Authenticates users
• Manages attributes
• Windows 2000 or 2003
ADFS Components: Federation Service (FS) / Security Token Service (STS)
• Maps user attributes to claims
• Issues security tokens
• Manages federation trust policy
• Requires IIS v6, Windows 2003 R2
ADFS Components: Federation Server Proxy (FSP)
• Client proxy for token requests
• Provides UI for browser clients: forms-based auth, home realm discovery
• Requires IIS v6, Windows 2003 R2
ADFS Components: Web Agent
• Enforces user authentication
• Creates the application authZ context from claims: NT impersonation and ACLs, ASP.NET IsInRole(), AzMan RBAC integration, ASP.NET raw claims API
• Requires IIS v6, Windows 2003 R2
ADFS Authentication Flow (diagram: A. Datum account forest and Trey Research resource forest)
Centrify support for ADFS: Web SSO for non-IIS web servers
• DirectControl provides a cross-platform equivalent of the Microsoft ADFS SSO agent for IIS 6
• Apache and popular J2EE web servers: BEA WebLogic, Apache Tomcat, IBM WebSphere, JBoss
• Web agent is a direct drop-in for non-Microsoft web servers
• Customer benefits: simple and cost-effective entrance into the federated identity world; no modification of applications; uses existing deployed infrastructure (AD)
Quest support for ADFS: Web SSO for non-IIS web servers
• ADFS supported in Vintela Single Sign-on for Java (VSJ) v3.1
• Existing Java apps need no modifications
• The VSJ 3.1 ADFS servlet filter will:
  • Support ADFS authentication for Java applications in the resource domain
  • Allow Java application servers to leverage an existing ADFS infrastructure
  • Enable federation of Java/J2EE applications within an ADFS-based trust fabric
  • Support NTLM, SPNEGO & WS-Federation based authentication
• VSJ servlet filters work with any J2EE application server
• No change required to the Java application – it “just works”
Shibboleth Interoperability (sponsored by Microsoft and ADFS)
• Standards based, open source
• Shibboleth System 1.3 release
• Developing plug-ins for SAML 1.1 Identity and Service Providers
• Support for the WS-Federation Passive Requestor Interoperability Profile
• Enables interop with ADFS and other compliant vendor products
WS-Federation
• Web Services Federation Language
• Defines messages to enable security realms to federate & exchange security tokens
• BEA, IBM, Microsoft, RSA, VeriSign
• Two “profiles” of the model defined:
  • Passive (Browser) clients – HTTP/S
  • Active (Smart) clients – SOAP
(Diagram labels: HTTP messages, SOAP messages, HTTP Receiver, SOAP Receiver, Security Token Service)
Passive Requestor Profile (supported by ADFS v1 in W2K03 R2)
• Binding of WS-Federation & WS-Trust for browser (passive) clients
• Implicitly adhere to policy by following redirects
• Implicitly acquire tokens via HTTP messages
• Authentication requires secure transport (HTTPS)
• Client cannot provide “proof of possession”
• Tokens subject to replay
• Limited (time-based) token caching
Authentication Message Flow (sequence diagram; parties: Browser Client, Web Server, Resource STS, Account STS)
• GET (to Web Server)
• 302 Redirect (to Resource STS)
• Detect user’s home realm
• 302 Redirect (to Account STS)
• Authenticate User
• POST “Redirect” security token (to Resource STS)
• POST “Redirect” security token (to Web Server)
• 200 OK Response (from Web Server)
Active Requestor Profile (future ADFS release)
• Binding of WS-Federation & WS-Trust for SOAP/XML-aware (active) clients
• Explicitly determine token needs from policy
• Explicitly request tokens via SOAP messages
• Strong authentication of all requests
• Client can provide “proof of possession”
• Supports delegation
  • Client can provide a token for use on its behalf
• Allows rich token caching at the client
  • Improved performance w/o security risk
Sample Flow: Active Client (diagram; WS-Policy used to route client token requests; parties: Requesting Service, Identity Provider STS, Service Provider STS, Target Service)
• Fetch service policy
• Fetch SP policy
• Fetch IP policy
• Request token
• Return token
• Send secured request
• Return secured response
Review
• Overview of Enterprise Federation Challenges/Solutions
• Individual Group Discussions (led)
• Large Group “Debate”