SIM 402

Kerberos, NTLM, Basic, Digest, Forms?

Partner organization | Your Organization

Federation of Identity
How a security token is issued and consumed:
• The Identity Provider (IP) / Security Token Service (STS), the IP-STS, authenticates the user (user / subject / principal) against Active Directory.
• The client requests a token for App. X; the IP-STS issues a Security Token (ST) crafted for App. X and signed by the issuer.
• The Security Token contains claims about the user, for example:
  • Name
  • Group membership
  • User Principal Name (UPN)
  • Email address of user
  • Email address of manager
  • Phone number
  • Other attribute values
• App. X, the relying party (RP) / resource provider, trusts the Security Token from the issuer; the token "authenticates" the user to the application.
demo
Demo flow: our user accesses our claims-aware app (the app trusts the ADFS STS):
1. Our user browses to the app.
2. Not authenticated: the app redirects the browser to the ADFS STS.
3. The STS authenticates the user against Active Directory and queries it for the user's attributes.
4. The STS returns the Security Token (ST) to the browser.
5. The browser sends the token to the app.
6. The app validates the token and returns cookies and the page.
Federated flow: a partner user accesses your claims-aware app (the app trusts your STS; your STS trusts your partner's STS):
1. The partner user browses to your app.
2. Not authenticated: the app redirects the browser to your ADFS STS.
3. Home realm discovery: the user is identified as belonging to the partner realm.
4. Your STS redirects the browser to the partner ADFS STS & IP, requesting an ST for the partner user.
5. The partner STS authenticates the user against the partner's Active Directory and returns an ST for consumption by your STS.
6. The browser is redirected back to your STS with that ST; your STS processes the token and returns a new ST for your app.
7. The browser sends the new token to the app; the app processes the token and returns cookies and the page.
Certificates behind the trust (Issuer on one side, Relying party on the other):
• Signing of the ST: the issuer signs with its token-signing certificate A; the relying party holds Root for A (the CA that issued A) so it can validate the signature.
• Encryption of the ST: the issuer holds the public key of C, the relying party's token-encryption certificate; the relying party holds C with its private key and decrypts the token.
• Communication (SSL): the issuer's endpoint uses certificate B and the relying party holds Root for B; the relying party's endpoint uses certificate D and the issuer holds the public key of D.
Configuring trusts in ADFS 2.0:
• Active Directory: defined as a claims provider.
• STS 1 (the partner STS): define as a claims provider.
• APP 1 (the claims-aware application): define as a relying party.
demo
The claims pipeline:
• Claims Provider Trusts: Acceptance Transform rules specify the incoming claims that will be accepted from the claims provider and passed into the pipeline.
• Relying Party Trusts:
  • Issuance Authorization rules specify the users that are permitted to access the relying party. Permit: the pipeline continues. Deny: processing stops and no token is issued.
  • Issuance Transform rules specify the claims that will be sent to the relying party in the ST.
Claim Rule Language: each rule is a Condition followed by an Issuance Statement.
demo
Trust relationships: the Partner ADFS STS & IP (partner organization) is configured in your ADFS STS (your organization) as a Claims Provider Trust; Relying Party x is configured in your ADFS STS as a Relying Party Trust.
Your organization's ADFS Security Token Service (STS) processing a partner token:
1. The partner user's client presents the ST from the partner and requests a token for access to Relying Party x.
2. Trusted Partner Claims Trust: the STS processes the Acceptance Transform Rules.
3. Relying Party Trust: the STS processes the Issuance Authorization Rules.
4. If denied, processing ends. If allowed, the STS processes the Issuance Rules.
5. The STS returns a token for Relying Party x.
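The following is an added example, not from the session slides, showing the three rule sets of that pipeline written in the Claim Rule Language and attached to the two trusts with the ADFS 2.0 PowerShell snap-in. The trust names, metadata URL, application URLs, the "App1 Users" group SID and the partner e-mail domain are assumptions for illustration; the cmdlets, parameters and claim type URIs are the real ones.

```powershell
# Added example: ADFS 2.0 trusts and claim rules (names, URLs and SIDs are assumed).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Standard claim type URIs used in the rules below.
$UpnType   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$EmailType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$NameType  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
$GroupSid  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$AcctType  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$Permit    = 'http://schemas.microsoft.com/authorization/claims/permit'

# 1. Claims Provider Trust for the partner STS (STS 1).
#    Acceptance Transform rules: only the partner's UPN and e-mail claims enter
#    the pipeline; any other claim the partner asserts (group SIDs, roles) is
#    dropped here rather than trusted downstream.
$acceptance = @"
@RuleName = "Accept partner UPN"
c:[Type == "$UpnType"]
 => issue(claim = c);

@RuleName = "Accept partner e-mail"
c:[Type == "$EmailType"]
 => issue(claim = c);
"@

Add-ADFSClaimsProviderTrust -Name 'STS 1 (partner)' `
    -MetadataUrl 'https://sts.partner.example/FederationMetadata/2007-06/FederationMetadata.xml' `
    -AcceptanceTransformRules $acceptance

# 2. Relying Party Trust for APP 1.
#    Issuance Authorization rules: a token is issued only if a permit claim is
#    produced. Local users must carry the (assumed) "App1 Users" group SID;
#    partner users are permitted by the e-mail domain their STS asserted.
#    The backtick escapes the regex anchor "$" inside the expandable here-string.
$authorization = @"
@RuleName = "Permit local members of App1 Users"
c:[Type == "$GroupSid", Value == "S-1-5-21-1111111111-2222222222-3333333333-1105"]
 => issue(Type = "$Permit", Value = "true");

@RuleName = "Permit partner users by e-mail domain"
c:[Type == "$EmailType", Value =~ "^[^@]+@partner\.example`$"]
 => issue(Type = "$Permit", Value = "true");
"@

#    Issuance Transform rules: what goes into the ST for APP 1.
#    UPN and e-mail are passed through (for partner users these are the claims
#    the acceptance rules let in); for local users, e-mail and display name are
#    looked up in the Active Directory attribute store.
$issuance = @"
@RuleName = "Pass through UPN"
c:[Type == "$UpnType"]
 => issue(claim = c);

@RuleName = "Pass through e-mail"
c:[Type == "$EmailType"]
 => issue(claim = c);

@RuleName = "Local users: e-mail and name from Active Directory"
c:[Type == "$AcctType", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("$EmailType", "$NameType"),
          query = ";mail,displayName;{0}",
          param = c.Value);
"@

Add-ADFSRelyingPartyTrust -Name 'APP 1' `
    -Identifier 'https://app1.contoso.example/' `
    -WSFedEndpoint 'https://app1.contoso.example/' `
    -IssuanceAuthorizationRules $authorization `
    -IssuanceTransformRules $issuance

# 3. Review the result and the token-signing certificate the relying party
#    must trust to validate the ST's signature.
Get-ADFSRelyingPartyTrust -Name 'APP 1' |
    Select-Object Name, Identifier, IssuanceAuthorizationRules, IssuanceTransformRules
Get-ADFSCertificate -CertificateType Token-Signing
```

The order of evaluation is the one the slide describes: the acceptance rules on the claims provider trust run first and decide which partner claims exist at all, so the authorization rule on the relying party trust can only ever see claims the acceptance rules admitted. Putting the e-mail domain check in the authorization rule, rather than trusting whatever the partner sends, is what keeps a misconfigured or compromised partner STS from minting tokens for users outside its own realm.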
John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems, with a focus on security and high availability. He has been a key player in many IT projects for industry leaders, including Microsoft, the UK Government and multinationals that require optimized IT systems. He has developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory internals, and presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars: www.xtseminars.co.uk
Session presented at TechEd North America: http://northamerica.msteched.com