
Ing. Ondřej Ševeček | GOPAS a. s. | MCM: Directory Services | MVP: Enterprise Security | CEH | ondrej@sevecek.com | www.sevecek.com | ACTIVE DIRECTORY FEDERATION SERVICES

AD FS
XML over HTTP/S based authentication and "trust"
Replacement for AD trusts
Free download

AD FS vs. local user stores
Local user stores (AD LDS (LDAP), SQL, XML, …): you must manage the accounts, you know their passwords, and you must reset, unlock and disable them.
AD FS leaves account management on the account partner side: you never see their password.

AD FS principles


Internal partners - most common

SharePoint WS-Federation passive URL
This is the resulting redirection after the client is authenticated and the claims are processed and signed: https://intranet.gopas.cz/_trust/

SharePoint realm
Used to identify the calling application; it is the thing that SharePoint sends to ADFS to identify itself, e.g. urn:something-else or urn:intranet.gopas.virtual:sharepoint

SharePoint incoming claim types
http://msdn.microsoft.com/en-us/library/system.identitymodel.claims.claimtypes.aspx

ADFS Incoming Claim Type | ADFS Outgoing Claim Type | URI sent to SharePoint
SAM-Account-Name (identifier claim) | ID | nameidentifier
E-Mail-Addresses | E-Mail Address | emailaddress
Token-Groups | Role | role
Given-Name | Given Name | givenname
Surname | Surname | surname
User-Principal-Name | Windows Account Name | windowsaccountname

Claim types and SharePoint
Only the IdentifierClaim is saved in the user's "settings" page.
Other claim types can be used to authorize access to resources with People Picker.
No lookup for account partner claim values.

More groups as a single claim (the user must hold all three group SIDs for the combined claim to be issued):

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-573680338-1201701862760492540-1037", Issuer == "AD AUTHORITY"]
 && c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-573680338-1201701862760492540-1185", Issuer == "AD AUTHORITY"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-573680338-1201701862760492540-1139", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.sp.local/canDoIt", Value = "true", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
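The following is an added example, not part of the original deck, showing how the SharePoint relying party from the earlier slides (realm, passive endpoint, the attribute-to-claim table and the three-groups rule) could be registered with the ADFS PowerShell module. The trust name and the "schemas.sp.local" claim type are placeholders; the full claim-type URIs are the standard ones behind the suffixes listed in the table.

```powershell
# Added example: register the SharePoint relying party described in the deck.
# Run on the ADFS server; realm, endpoint and SIDs are the deck's values,
# the trust name is a placeholder.
Import-Module ADFS

$realm    = 'urn:intranet.gopas.virtual:sharepoint'   # what SharePoint sends to ADFS
$endpoint = 'https://intranet.gopas.cz/_trust/'       # WS-Federation passive URL

# Issuance transform rules: LDAP attributes -> the claim types SharePoint expects
# (the table from the deck), plus the "three groups as one claim" rule.
$transformRules = @'
@RuleName = "SharePoint attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
    types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
             "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
             "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"),
    query = ";sAMAccountName,mail,tokenGroups,givenName,sn,userPrincipalName;{0}",
    param = c.Value);

@RuleName = "Three groups as a single claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-573680338-1201701862760492540-1037", Issuer == "AD AUTHORITY"]
 && c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-573680338-1201701862760492540-1185", Issuer == "AD AUTHORITY"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-573680338-1201701862760492540-1139", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.sp.local/canDoIt", Value = "true", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@

# Issuance authorization: every authenticated user may receive a token;
# access to the site itself is then decided in SharePoint from the claims above.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name 'SharePoint intranet (placeholder name)' `
    -Identifier $realm `
    -WSFedEndpoint $endpoint `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Check what was registered for this realm
Get-AdfsRelyingPartyTrust -Identifier $realm | Select-Object Name, Identifier, WSFedEndpoint
```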

Ing. Ondřej Ševeček | GOPAS a. s. | MCM: Directory Services | MVP: Enterprise Security | CEH | ondrej@sevecek.com | www.sevecek.com | Active Directory Federation Services
THANK YOU!