SlideShare uma empresa Scribd logo

Twobo LDAP Attribute Store for ADFS

Twobo Technologies
Twobo Technologies
Tecnologia
1 de 19
Baixar para ler offline
Twobo LDAP Attribute Store for ADFS Using ADFS with LDAP servers that don’t support Windows authentication Copyright © 2013 Twobo Technologies AB. All rights reserved
Agenda  Limitations and restrictions of ADFS 2  Possible workarounds  Alternatives   Open source From Twobo  Installation and use Copyright © 2013 Twobo Technologies AB. All rights reserved
Restrictions in ADFS 2 Out-of-the-box LDAP attribute store requires Windows authentication “When you work with other Lightweight Directory Access Protocol (LDAP)-based attribute stores [besides AD], you must connect to an LDAP-capable server that supports Windows Integrated Authentication” -- TechNet (http://bit.ly/1bWt3rn) Copyright © 2013 Twobo Technologies AB. All rights reserved
Workarounds 1. Enable Windows Authentication on the LDAP server 2. Connect ADFS to some other IP-STS and use ADFS as an FPSTS only 3. Use an alternative LDAP attribute store that supports other authentication schemes Copyright © 2013 Twobo Technologies AB. All rights reserved
Open Source LDAP Attribute Stores A few open source options available  Limited features (purpose built)  Limited testing  Unproven  Undocumented  Unsupported  None with communities Copyright © 2013 Twobo Technologies AB. All rights reserved
Twobo LDAP Attribute Store  Supports simple and anonymous bind  Supports multi-value attributes  Supports decoding binary data fields based on various encodings  Supports LDAPS  Works with ADFS 2.0 and 2.1  Better documentation  Rule-specific scope and search base  Commercially supported by a security company Copyright © 2013 Twobo Technologies AB. All rights reserved
Configuration  Normal attribute store configuration   Use ADFS cmdlets Use ADFS Management Console Copyright © 2013 Twobo Technologies AB. All rights reserved
Configuration Options Setting servername* defaultRoot* port defaultScope secured password username encoding Description Name or IP of LDAP server Default search location Port of LDAP server Default search scope Use of LDAP or LDAPS Password used when binding Username used when binding Code page to use when decoding binary data Copyright © 2013 Twobo Technologies AB. All rights reserved
Using the Attribute Store  Use with custom rules wherever ADFS allows (issuance, authorization, etc.) Copyright © 2013 Twobo Technologies AB. All rights reserved
Typical Issuance Rule c:[Type == "http://schemas.xmlsoap.org/.../upn"] => issue(store = "2BOLDAP", types = ("http://schemas.xmlsoap.org/.../emailaddress", Input claim Store name "http://schemas.xmlsoap.org/.../privatepersonalidentifier"), query = "uid={0}mail,uid", param = c.Value); Substitution value Copyright © 2013 Twobo Technologies AB. All rights reserved Attributes in LDAP LDAP filter Output claims
When User IDs Don’t Match 1. Add a new input claim from AD Copyright © 2013 Twobo Technologies AB. All rights reserved
When User IDs Don’t Match 2. Derive it using an “add” rule followed by an “issue” Copyright © 2013 Twobo Technologies AB. All rights reserved
Example of an “Add” Rule c:[Type == "http://schemas.microsoft.../windowsaccountname"] => add(Type = "_uname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = regexreplace( c.Value, "(?<domain>[^]+)(?<user>.+)", "${user}"), ValueType = c.ValueType); Copyright © 2013 Twobo Technologies AB. All rights reserved
Example of an “Add” Rule c:[Type == "_uname"] => issue(store = "2BOLDAP", types = ("http://schemas.xmlsoap.org/.../emailaddress", "http://schemas.xmlsoap.org/.../privatepersonalidentifier"), query = "uid={0}mail,uid", param = c.Value); Copyright © 2013 Twobo Technologies AB. All rights reserved
Example of Non-default Base and Scope c:[Type == "_uname"] => issue(store = "2BOLDAP", types = ("http://schemas.xmlsoap.org/.../emailaddress", "http://schemas.xmlsoap.org/.../privatepersonalidentifier"), query = "uid={0}mail,uidou=People,dc=example,dc=comSubtree", param = c.Value); Rule-specific search base Copyright © 2013 Twobo Technologies AB. All rights reserved Rule-specific search scope
Example of Retrieving a Disguised Name c:[Type == "_uname"] => issue(store = "2BOLDAP", types = ("http://schemas.xmlsoap.org/.../emailaddress", "http://schemas.xmlsoap.org/.../privatepersonalidentifier"), query = "uid={0}distinguishedName", param = c.Value); Copyright © 2013 Twobo Technologies AB. All rights reserved Distinguished name can be treated as an attribute though it is not; “dn” works as well.
Tested Systems  LDAP Servers     OpenLDAP using anonymous bind and simple bind with and without SSL (on Linux) AD LDS using simple bind (on W2K8 R2) Siemens DirX Directory using simple bind with and without SSL (on *NIX) ApacheDS using simple bind (on Linux)  ADFS   2.0 2.1 Copyright © 2013 Twobo Technologies AB. All rights reserved
Questions & Thanks @2botech Copyright © 2013 Twobo Technologies AB. All rights reserved www.2botech.com
Twobo LDAP Attribute Store for ADFS

Recomendados

Designing an API
Designing an APIDesigning an API
Designing an APITwobo Technologies
 
Neo-security Stack
Neo-security StackNeo-security Stack
Neo-security StackTwobo Technologies
 
Incorporating OAuth
Incorporating OAuthIncorporating OAuth
Incorporating OAuthTwobo Technologies
 
Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile World
Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile WorldNordic APIs - Integrated Social Solutions for a Cloudy, Mobile World
Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile WorldTwobo Technologies
 
Launching a Successful and Secure API
Launching a Successful and Secure APILaunching a Successful and Secure API
Launching a Successful and Secure APINordic APIs
 
Authorization The Missing Piece of the Puzzle
Authorization The Missing Piece of the PuzzleAuthorization The Missing Piece of the Puzzle
Authorization The Missing Piece of the PuzzleNordic APIs
 
Secure your APIs using OAuth 2 and OpenID Connect
Secure your APIs using OAuth 2 and OpenID ConnectSecure your APIs using OAuth 2 and OpenID Connect
Secure your APIs using OAuth 2 and OpenID ConnectNordic APIs
 
Synergies of Cloud Identity: Putting it All Together
Synergies of Cloud Identity: Putting it All TogetherSynergies of Cloud Identity: Putting it All Together
Synergies of Cloud Identity: Putting it All TogetherTwobo Technologies
 

Recomendados

Designing an API
Designing an APIDesigning an API
Designing an APITwobo Technologies
 
Neo-security Stack
Neo-security StackNeo-security Stack
Neo-security StackTwobo Technologies
 
Incorporating OAuth
Incorporating OAuthIncorporating OAuth
Incorporating OAuthTwobo Technologies
 
Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile World
Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile WorldNordic APIs - Integrated Social Solutions for a Cloudy, Mobile World
Nordic APIs - Integrated Social Solutions for a Cloudy, Mobile WorldTwobo Technologies
 
Launching a Successful and Secure API
Launching a Successful and Secure APILaunching a Successful and Secure API
Launching a Successful and Secure APINordic APIs
 
Authorization The Missing Piece of the Puzzle
Authorization The Missing Piece of the PuzzleAuthorization The Missing Piece of the Puzzle
Authorization The Missing Piece of the PuzzleNordic APIs
 
Secure your APIs using OAuth 2 and OpenID Connect
Secure your APIs using OAuth 2 and OpenID ConnectSecure your APIs using OAuth 2 and OpenID Connect
Secure your APIs using OAuth 2 and OpenID ConnectNordic APIs
 
Synergies of Cloud Identity: Putting it All Together
Synergies of Cloud Identity: Putting it All TogetherSynergies of Cloud Identity: Putting it All Together
Synergies of Cloud Identity: Putting it All TogetherTwobo Technologies
 
Incorporating OAuth: How to integrate OAuth into your mobile app
Incorporating OAuth: How to integrate OAuth into your mobile appIncorporating OAuth: How to integrate OAuth into your mobile app
Incorporating OAuth: How to integrate OAuth into your mobile appNordic APIs
 
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)Nordic APIs
 
OAuth and OpenID Connect for Microservices
OAuth and OpenID Connect for MicroservicesOAuth and OpenID Connect for Microservices
OAuth and OpenID Connect for MicroservicesTwobo Technologies
 
1400 ping madsen-nordicapis-connect-01
1400 ping madsen-nordicapis-connect-011400 ping madsen-nordicapis-connect-01
1400 ping madsen-nordicapis-connect-01Nordic APIs
 
Integrated social solutions, the power and pitfalls of mashups
Integrated social solutions, the power and pitfalls of mashupsIntegrated social solutions, the power and pitfalls of mashups
Integrated social solutions, the power and pitfalls of mashupsNordic APIs
 
OAuth Assisted Token Flow for Single Page Applications
OAuth Assisted Token Flow for Single Page ApplicationsOAuth Assisted Token Flow for Single Page Applications
OAuth Assisted Token Flow for Single Page ApplicationsNordic APIs
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveNordic APIs
 
Amazon Cognito Deep Dive
Amazon Cognito Deep DiveAmazon Cognito Deep Dive
Amazon Cognito Deep DiveAmazon Web Services
 
Authentication & Authorization for Connected Mobile & Web Applications using ...
Authentication & Authorization for Connected Mobile & Web Applications using ...Authentication & Authorization for Connected Mobile & Web Applications using ...
Authentication & Authorization for Connected Mobile & Web Applications using ...Amazon Web Services
 
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...Amazon Web Services
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuthDan Brinkmann
 
Cognito Customer Deep Dive
Cognito Customer Deep DiveCognito Customer Deep Dive
Cognito Customer Deep DiveAmazon Web Services
 
Deploying Binaries To The Bin Folder Share Point Saturday Kc 2009
Deploying Binaries To The Bin Folder Share Point Saturday Kc 2009Deploying Binaries To The Bin Folder Share Point Saturday Kc 2009
Deploying Binaries To The Bin Folder Share Point Saturday Kc 2009Corey Roth
 
Enterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIsEnterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIsCA API Management
 
Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...
Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...
Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...CA API Management
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0Mika Koivisto
 
Client Server Security with Flask and iOS
Client Server Security with Flask and iOSClient Server Security with Flask and iOS
Client Server Security with Flask and iOSMake School
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect ExplainedVladimir Dzhuvinov
 
Authentication & Authorization for Connected Mobile & Web Applications using ...
Authentication & Authorization for Connected Mobile & Web Applications using ...Authentication & Authorization for Connected Mobile & Web Applications using ...
Authentication & Authorization for Connected Mobile & Web Applications using ...Amazon Web Services
 
Saml in cloud
Saml in cloudSaml in cloud
Saml in cloudNagraj Rao
 
Nordic APIs - Building a Secure API
Nordic APIs - Building a Secure APINordic APIs - Building a Secure API
Nordic APIs - Building a Secure APITwobo Technologies
 
Tjänsteplattform i mtg - 2014 02-05
Tjänsteplattform i mtg - 2014 02-05Tjänsteplattform i mtg - 2014 02-05
Tjänsteplattform i mtg - 2014 02-05Advania
 

Mais conteúdo relacionado

Mais procurados

Incorporating OAuth: How to integrate OAuth into your mobile app
Incorporating OAuth: How to integrate OAuth into your mobile appIncorporating OAuth: How to integrate OAuth into your mobile app
Incorporating OAuth: How to integrate OAuth into your mobile appNordic APIs
 
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)Nordic APIs
 
OAuth and OpenID Connect for Microservices
OAuth and OpenID Connect for MicroservicesOAuth and OpenID Connect for Microservices
OAuth and OpenID Connect for MicroservicesTwobo Technologies
 
1400 ping madsen-nordicapis-connect-01
1400 ping madsen-nordicapis-connect-011400 ping madsen-nordicapis-connect-01
1400 ping madsen-nordicapis-connect-01Nordic APIs
 
Integrated social solutions, the power and pitfalls of mashups
Integrated social solutions, the power and pitfalls of mashupsIntegrated social solutions, the power and pitfalls of mashups
Integrated social solutions, the power and pitfalls of mashupsNordic APIs
 
OAuth Assisted Token Flow for Single Page Applications
OAuth Assisted Token Flow for Single Page ApplicationsOAuth Assisted Token Flow for Single Page Applications
OAuth Assisted Token Flow for Single Page ApplicationsNordic APIs
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveNordic APIs
 
Authentication & Authorization for Connected Mobile & Web Applications using ...
Authentication & Authorization for Connected Mobile & Web Applications using ...Authentication & Authorization for Connected Mobile & Web Applications using ...
Authentication & Authorization for Connected Mobile & Web Applications using ...Amazon Web Services
 
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...Amazon Web Services
 
Deploying Binaries To The Bin Folder Share Point Saturday Kc 2009
Deploying Binaries To The Bin Folder Share Point Saturday Kc 2009Deploying Binaries To The Bin Folder Share Point Saturday Kc 2009
Deploying Binaries To The Bin Folder Share Point Saturday Kc 2009Corey Roth
 
Enterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIsEnterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIsCA API Management
 
Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...
Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...
Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...CA API Management
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0Mika Koivisto
 
Client Server Security with Flask and iOS
Client Server Security with Flask and iOSClient Server Security with Flask and iOS
Client Server Security with Flask and iOSMake School
 
Authentication & Authorization for Connected Mobile & Web Applications using ...
Authentication & Authorization for Connected Mobile & Web Applications using ...Authentication & Authorization for Connected Mobile & Web Applications using ...
Authentication & Authorization for Connected Mobile & Web Applications using ...Amazon Web Services
 

Mais procurados (20)

Incorporating OAuth: How to integrate OAuth into your mobile app
Incorporating OAuth: How to integrate OAuth into your mobile appIncorporating OAuth: How to integrate OAuth into your mobile app
Incorporating OAuth: How to integrate OAuth into your mobile app
 
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
OAuth 2.0 and the Internet of Things (IoT) (Jacob Ideskog)
 
OAuth and OpenID Connect for Microservices
OAuth and OpenID Connect for MicroservicesOAuth and OpenID Connect for Microservices
OAuth and OpenID Connect for Microservices
 
1400 ping madsen-nordicapis-connect-01
1400 ping madsen-nordicapis-connect-011400 ping madsen-nordicapis-connect-01
1400 ping madsen-nordicapis-connect-01
 
Integrated social solutions, the power and pitfalls of mashups
Integrated social solutions, the power and pitfalls of mashupsIntegrated social solutions, the power and pitfalls of mashups
Integrated social solutions, the power and pitfalls of mashups
 
OAuth Assisted Token Flow for Single Page Applications
OAuth Assisted Token Flow for Single Page ApplicationsOAuth Assisted Token Flow for Single Page Applications
OAuth Assisted Token Flow for Single Page Applications
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
 
Amazon Cognito Deep Dive
Amazon Cognito Deep DiveAmazon Cognito Deep Dive
Amazon Cognito Deep Dive
 
Authentication & Authorization for Connected Mobile & Web Applications using ...
Authentication & Authorization for Connected Mobile & Web Applications using ...Authentication & Authorization for Connected Mobile & Web Applications using ...
Authentication & Authorization for Connected Mobile & Web Applications using ...
 
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
Identity Management for Your Users and Apps: A Deep Dive on Amazon Cognito - ...
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
 
Cognito Customer Deep Dive
Cognito Customer Deep DiveCognito Customer Deep Dive
Cognito Customer Deep Dive
 
Deploying Binaries To The Bin Folder Share Point Saturday Kc 2009
Deploying Binaries To The Bin Folder Share Point Saturday Kc 2009Deploying Binaries To The Bin Folder Share Point Saturday Kc 2009
Deploying Binaries To The Bin Folder Share Point Saturday Kc 2009
 
Enterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIsEnterprise Access Control Patterns for Rest and Web APIs
Enterprise Access Control Patterns for Rest and Web APIs
 
Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...
Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...
Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
 
Client Server Security with Flask and iOS
Client Server Security with Flask and iOSClient Server Security with Flask and iOS
Client Server Security with Flask and iOS
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
Authentication & Authorization for Connected Mobile & Web Applications using ...
Authentication & Authorization for Connected Mobile & Web Applications using ...Authentication & Authorization for Connected Mobile & Web Applications using ...
Authentication & Authorization for Connected Mobile & Web Applications using ...
 
Saml in cloud
Saml in cloudSaml in cloud
Saml in cloud
 

Destaque

Nordic APIs - Building a Secure API
Nordic APIs - Building a Secure APINordic APIs - Building a Secure API
Nordic APIs - Building a Secure APITwobo Technologies
 
Tjänsteplattform i mtg - 2014 02-05
Tjänsteplattform i mtg - 2014 02-05Tjänsteplattform i mtg - 2014 02-05
Tjänsteplattform i mtg - 2014 02-05Advania
 
2. Day 2 - Identify and SSO
2. Day 2 - Identify and SSO2. Day 2 - Identify and SSO
2. Day 2 - Identify and SSOHuy Pham
 
Transforming organizations into platforms
Transforming organizations into platformsTransforming organizations into platforms
Transforming organizations into platformsTwobo Technologies
 
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLAlfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLJ V
 
Mobile SSO using NAPPS
Mobile SSO using NAPPSMobile SSO using NAPPS
Mobile SSO using NAPPSAshish Jain
 
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012SCIM presentation from CIS 2012
SCIM presentation from CIS 2012Twobo Technologies
 
The JSON-based Identity Protocol Suite
The JSON-based Identity Protocol SuiteThe JSON-based Identity Protocol Suite
The JSON-based Identity Protocol SuiteTwobo Technologies
 
AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016
AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016
AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016Amazon Web Services
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...CA API Management
 
Federation in Practice
Federation in PracticeFederation in Practice
Federation in PracticeForgeRock
 
SAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your EnterpriseSAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your EnterpriseDenis Gundarev
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Alvaro Sanchez-Mariscal
 
Stateless authentication for microservices
Stateless authentication for microservicesStateless authentication for microservices
Stateless authentication for microservicesAlvaro Sanchez-Mariscal
 
Running Active Directory in the AWS Cloud
Running Active Directory in the AWS Cloud Running Active Directory in the AWS Cloud
Running Active Directory in the AWS Cloud Amazon Web Services
 

Destaque (20)

Nordic APIs - Building a Secure API
Nordic APIs - Building a Secure APINordic APIs - Building a Secure API
Nordic APIs - Building a Secure API
 
Tjänsteplattform i mtg - 2014 02-05
Tjänsteplattform i mtg - 2014 02-05Tjänsteplattform i mtg - 2014 02-05
Tjänsteplattform i mtg - 2014 02-05
 
SäKerhet I Molnen
SäKerhet I MolnenSäKerhet I Molnen
SäKerhet I Molnen
 
2. Day 2 - Identify and SSO
2. Day 2 - Identify and SSO2. Day 2 - Identify and SSO
2. Day 2 - Identify and SSO
 
Transforming organizations into platforms
Transforming organizations into platformsTransforming organizations into platforms
Transforming organizations into platforms
 
Beveiliging en REST services
Beveiliging en REST servicesBeveiliging en REST services
Beveiliging en REST services
 
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAMLAlfresco: Implementing secure single sign on (SSO) with OpenSAML
Alfresco: Implementing secure single sign on (SSO) with OpenSAML
 
Mobile SSO using NAPPS
Mobile SSO using NAPPSMobile SSO using NAPPS
Mobile SSO using NAPPS
 
#dd12 OAuth for Domino Developers
#dd12 OAuth for Domino Developers#dd12 OAuth for Domino Developers
#dd12 OAuth for Domino Developers
 
SCIM presentation from CIS 2012
SCIM presentation from CIS 2012SCIM presentation from CIS 2012
SCIM presentation from CIS 2012
 
Introduction to OAuth2.0
Introduction to OAuth2.0Introduction to OAuth2.0
Introduction to OAuth2.0
 
The JSON-based Identity Protocol Suite
The JSON-based Identity Protocol SuiteThe JSON-based Identity Protocol Suite
The JSON-based Identity Protocol Suite
 
AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016
AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016
AWS Directory Service and Hybrid Strategy | AWS Public Sector Summit 2016
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
 
Federation in Practice
Federation in PracticeFederation in Practice
Federation in Practice
 
SAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your EnterpriseSAML and Other Types of Federation for Your Enterprise
SAML and Other Types of Federation for Your Enterprise
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
 
Stateless authentication for microservices
Stateless authentication for microservicesStateless authentication for microservices
Stateless authentication for microservices
 
Running Active Directory in the AWS Cloud
Running Active Directory in the AWS Cloud Running Active Directory in the AWS Cloud
Running Active Directory in the AWS Cloud
 
IBM Single Sign-On
IBM Single Sign-OnIBM Single Sign-On
IBM Single Sign-On
 

Semelhante a Twobo LDAP Attribute Store for ADFS

AWS Community Day Bangkok 2019 - Build a Serverless Web Application in 30 mins
AWS Community Day Bangkok 2019 - Build a Serverless Web Application in 30 minsAWS Community Day Bangkok 2019 - Build a Serverless Web Application in 30 mins
AWS Community Day Bangkok 2019 - Build a Serverless Web Application in 30 minsAWS User Group - Thailand
 
AWS Cyber Security Best Practices
AWS Cyber Security Best PracticesAWS Cyber Security Best Practices
AWS Cyber Security Best PracticesDoiT International
 
Best Practices for Integrating Active Directory with AWS Workloads
Best Practices for Integrating Active Directory with AWS WorkloadsBest Practices for Integrating Active Directory with AWS Workloads
Best Practices for Integrating Active Directory with AWS WorkloadsAmazon Web Services
 
Consulta cualquier fuente de datos usando SQL con Amazon Athena y sus consult...
Consulta cualquier fuente de datos usando SQL con Amazon Athena y sus consult...Consulta cualquier fuente de datos usando SQL con Amazon Athena y sus consult...
Consulta cualquier fuente de datos usando SQL con Amazon Athena y sus consult...javier ramirez
 
Deploying DAOS and ID Vault
Deploying DAOS and ID VaultDeploying DAOS and ID Vault
Deploying DAOS and ID VaultLuis Guirigay
 
Chris O'Brien - Best bits of Azure for Office 365/SharePoint developers
Chris O'Brien - Best bits of Azure for Office 365/SharePoint developersChris O'Brien - Best bits of Azure for Office 365/SharePoint developers
Chris O'Brien - Best bits of Azure for Office 365/SharePoint developersChris O'Brien
 
Office 365 APIs for your Applications
Office 365 APIs for your ApplicationsOffice 365 APIs for your Applications
Office 365 APIs for your ApplicationsRuhani Arora
 
Azure from scratch part 2 By Girish Kalamati
Azure from scratch part 2 By Girish KalamatiAzure from scratch part 2 By Girish Kalamati
Azure from scratch part 2 By Girish KalamatiGirish Kalamati
 
Authentication and beyond, Atlassian aplications
Authentication and beyond, Atlassian aplicationsAuthentication and beyond, Atlassian aplications
Authentication and beyond, Atlassian aplicationsAmbientia
 
Azure Global Bootcamp 2017 Azure AD Deployment
Azure Global Bootcamp 2017 Azure AD DeploymentAzure Global Bootcamp 2017 Azure AD Deployment
Azure Global Bootcamp 2017 Azure AD DeploymentAnthony Clendenen
 
All ivanti is a secure workspace - Bsides Delft 2018
All ivanti is a secure workspace - Bsides Delft 2018All ivanti is a secure workspace - Bsides Delft 2018
All ivanti is a secure workspace - Bsides Delft 2018Johanna Curiel
 
Java Web Programming on Google Cloud Platform [1/3] : Google App Engine
Java Web Programming on Google Cloud Platform [1/3] : Google App EngineJava Web Programming on Google Cloud Platform [1/3] : Google App Engine
Java Web Programming on Google Cloud Platform [1/3] : Google App EngineIMC Institute
 
Kotlin server side frameworks
Kotlin server side frameworksKotlin server side frameworks
Kotlin server side frameworksKen Yee
 
48. Azure Active Directory - Part 1
48. Azure Active Directory - Part 148. Azure Active Directory - Part 1
48. Azure Active Directory - Part 1Shawn Ismail
 
Design for Compliance - AWS FS Cloud Symposium Apr 2019.pdf
Design for Compliance - AWS FS Cloud Symposium Apr 2019.pdfDesign for Compliance - AWS FS Cloud Symposium Apr 2019.pdf
Design for Compliance - AWS FS Cloud Symposium Apr 2019.pdfAmazon Web Services
 
Accelerating Application Development with Amazon Aurora (DAT312-R2) - AWS re:...
Accelerating Application Development with Amazon Aurora (DAT312-R2) - AWS re:...Accelerating Application Development with Amazon Aurora (DAT312-R2) - AWS re:...
Accelerating Application Development with Amazon Aurora (DAT312-R2) - AWS re:...Amazon Web Services
 
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...Amazon Web Services
 

Semelhante a Twobo LDAP Attribute Store for ADFS (20)

AWS Community Day Bangkok 2019 - Build a Serverless Web Application in 30 mins
AWS Community Day Bangkok 2019 - Build a Serverless Web Application in 30 minsAWS Community Day Bangkok 2019 - Build a Serverless Web Application in 30 mins
AWS Community Day Bangkok 2019 - Build a Serverless Web Application in 30 mins
 
SHIFT LEFT WITH DEVSECOPS
SHIFT LEFT WITH DEVSECOPSSHIFT LEFT WITH DEVSECOPS
SHIFT LEFT WITH DEVSECOPS
 
AWS Cyber Security Best Practices
AWS Cyber Security Best PracticesAWS Cyber Security Best Practices
AWS Cyber Security Best Practices
 
Best Practices for Integrating Active Directory with AWS Workloads
Best Practices for Integrating Active Directory with AWS WorkloadsBest Practices for Integrating Active Directory with AWS Workloads
Best Practices for Integrating Active Directory with AWS Workloads
 
Consulta cualquier fuente de datos usando SQL con Amazon Athena y sus consult...
Consulta cualquier fuente de datos usando SQL con Amazon Athena y sus consult...Consulta cualquier fuente de datos usando SQL con Amazon Athena y sus consult...
Consulta cualquier fuente de datos usando SQL con Amazon Athena y sus consult...
 
Deploying DAOS and ID Vault
Deploying DAOS and ID VaultDeploying DAOS and ID Vault
Deploying DAOS and ID Vault
 
Chris O'Brien - Best bits of Azure for Office 365/SharePoint developers
Chris O'Brien - Best bits of Azure for Office 365/SharePoint developersChris O'Brien - Best bits of Azure for Office 365/SharePoint developers
Chris O'Brien - Best bits of Azure for Office 365/SharePoint developers
 
Office 365 APIs for your Applications
Office 365 APIs for your ApplicationsOffice 365 APIs for your Applications
Office 365 APIs for your Applications
 
Azure from scratch part 2 By Girish Kalamati
Azure from scratch part 2 By Girish KalamatiAzure from scratch part 2 By Girish Kalamati
Azure from scratch part 2 By Girish Kalamati
 
Authentication and beyond, Atlassian aplications
Authentication and beyond, Atlassian aplicationsAuthentication and beyond, Atlassian aplications
Authentication and beyond, Atlassian aplications
 
Azure Global Bootcamp 2017 Azure AD Deployment
Azure Global Bootcamp 2017 Azure AD DeploymentAzure Global Bootcamp 2017 Azure AD Deployment
Azure Global Bootcamp 2017 Azure AD Deployment
 
Deep Dive on AWS Lambda
Deep Dive on AWS LambdaDeep Dive on AWS Lambda
Deep Dive on AWS Lambda
 
All ivanti is a secure workspace - Bsides Delft 2018
All ivanti is a secure workspace - Bsides Delft 2018All ivanti is a secure workspace - Bsides Delft 2018
All ivanti is a secure workspace - Bsides Delft 2018
 
Java Web Programming on Google Cloud Platform [1/3] : Google App Engine
Java Web Programming on Google Cloud Platform [1/3] : Google App EngineJava Web Programming on Google Cloud Platform [1/3] : Google App Engine
Java Web Programming on Google Cloud Platform [1/3] : Google App Engine
 
Kotlin server side frameworks
Kotlin server side frameworksKotlin server side frameworks
Kotlin server side frameworks
 
48. Azure Active Directory - Part 1
48. Azure Active Directory - Part 148. Azure Active Directory - Part 1
48. Azure Active Directory - Part 1
 
Workshop: We love APIs
Workshop: We love APIsWorkshop: We love APIs
Workshop: We love APIs
 
Design for Compliance - AWS FS Cloud Symposium Apr 2019.pdf
Design for Compliance - AWS FS Cloud Symposium Apr 2019.pdfDesign for Compliance - AWS FS Cloud Symposium Apr 2019.pdf
Design for Compliance - AWS FS Cloud Symposium Apr 2019.pdf
 
Accelerating Application Development with Amazon Aurora (DAT312-R2) - AWS re:...
Accelerating Application Development with Amazon Aurora (DAT312-R2) - AWS re:...Accelerating Application Development with Amazon Aurora (DAT312-R2) - AWS re:...
Accelerating Application Development with Amazon Aurora (DAT312-R2) - AWS re:...
 
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...
Enterprise Governance: Build Your AWS Landing Zone (ENT351-R1) - AWS re:Inven...
 

Último

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 

Último (20)

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 

Twobo LDAP Attribute Store for ADFS

  • 1. Twobo LDAP Attribute Store for ADFS Using ADFS with LDAP servers that don’t support Windows authentication Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 2. Agenda  Limitations and restrictions of ADFS 2  Possible workarounds  Alternatives   Open source From Twobo  Installation and use Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 3. Restrictions in ADFS 2 Out-of-the-box LDAP attribute store requires Windows authentication “When you work with other Lightweight Directory Access Protocol (LDAP)-based attribute stores [besides AD], you must connect to an LDAP-capable server that supports Windows Integrated Authentication” -- TechNet (http://bit.ly/1bWt3rn) Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 4. Workarounds 1. Enable Windows Authentication on the LDAP server 2. Connect ADFS to some other IP-STS and use ADFS as an FPSTS only 3. Use an alternative LDAP attribute store that supports other authentication schemes Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 5. Open Source LDAP Attribute Stores A few open source options available  Limited features (purpose built)  Limited testing  Unproven  Undocumented  Unsupported  None with communities Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 6. Twobo LDAP Attribute Store  Supports simple and anonymous bind  Supports multi-value attributes  Supports decoding binary data fields based on various encodings  Supports LDAPS  Works with ADFS 2.0 and 2.1  Better documentation  Rule-specific scope and search base  Commercially supported by a security company Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 7. Configuration  Normal attribute store configuration   Use ADFS cmdlets Use ADFS Management Console Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 8. Configuration Options Setting servername* defaultRoot* port defaultScope secured password username encoding Description Name or IP of LDAP server Default search location Port of LDAP server Default search scope Use of LDAP or LDAPS Password used when binding Username used when binding Code page to use when decoding binary data Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 9. Using the Attribute Store  Use with custom rules wherever ADFS allows (issuance, authorization, etc.) Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 10. Typical Issuance Rule c:[Type == "http://schemas.xmlsoap.org/.../upn"] => issue(store = "2BOLDAP", types = ("http://schemas.xmlsoap.org/.../emailaddress", Input claim Store name "http://schemas.xmlsoap.org/.../privatepersonalidentifier"), query = "uid={0}mail,uid", param = c.Value); Substitution value Copyright © 2013 Twobo Technologies AB. All rights reserved Attributes in LDAP LDAP filter Output claims
  • 11. When User IDs Don’t Match 1. Add a new input claim from AD Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 12. When User IDs Don’t Match 2. Derive it using an “add” rule followed by an “issue” Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 13. Example of an “Add” Rule c:[Type == "http://schemas.microsoft.../windowsaccountname"] => add(Type = "_uname", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = regexreplace( c.Value, "(?<domain>[^]+)(?<user>.+)", "${user}"), ValueType = c.ValueType); Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 14. Example of an “Add” Rule c:[Type == "_uname"] => issue(store = "2BOLDAP", types = ("http://schemas.xmlsoap.org/.../emailaddress", "http://schemas.xmlsoap.org/.../privatepersonalidentifier"), query = "uid={0}mail,uid", param = c.Value); Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 15. Example of Non-default Base and Scope c:[Type == "_uname"] => issue(store = "2BOLDAP", types = ("http://schemas.xmlsoap.org/.../emailaddress", "http://schemas.xmlsoap.org/.../privatepersonalidentifier"), query = "uid={0}mail,uidou=People,dc=example,dc=comSubtree", param = c.Value); Rule-specific search base Copyright © 2013 Twobo Technologies AB. All rights reserved Rule-specific search scope
  • 16. Example of Retrieving a Disguised Name c:[Type == "_uname"] => issue(store = "2BOLDAP", types = ("http://schemas.xmlsoap.org/.../emailaddress", "http://schemas.xmlsoap.org/.../privatepersonalidentifier"), query = "uid={0}distinguishedName", param = c.Value); Copyright © 2013 Twobo Technologies AB. All rights reserved Distinguished name can be treated as an attribute though it is not; “dn” works as well.
  • 17. Tested Systems  LDAP Servers     OpenLDAP using anonymous bind and simple bind with and without SSL (on Linux) AD LDS using simple bind (on W2K8 R2) Siemens DirX Directory using simple bind with and without SSL (on *NIX) ApacheDS using simple bind (on Linux)  ADFS   2.0 2.1 Copyright © 2013 Twobo Technologies AB. All rights reserved
  • 18. Questions & Thanks @2botech Copyright © 2013 Twobo Technologies AB. All rights reserved www.2botech.com