ADFS: Active Directory Federation Services
What is ADFS?
 AD FS provides simplified, secured identity federation and Web single sign-on (SSO) capabilities for end users who want to access applications within an AD FS-secured enterprise, in federation partner organizations, or in the cloud.
ADFS Features
 Manage Risk with Conditional Access Control
• AD FS provides a rich level of authorization that controls who has access to what applications. This can be based on:
• User attributes (UPN, email, security group membership, authentication strength, etc.)
• Device attributes (whether the device is workplace joined)
• Request attributes (network location, IP address, or user agent)
• Flexible per-application access policy based on user data, device data, or network location.
ADFS Features
 Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications
• AD FS allows you to control policies to potentially require multi-factor authentication on a per application basis.
• AD FS provides extensibility points for any multi-factor vendor to integrate deeply for a secure and seamless multi-factor experience for end users.
ADFS Features
 Device Workplace Join
By using Workplace Join, information workers can join their personal devices with their company's workplace computers.
When you join your personal device to your workplace, it becomes a known device and provides seamless second factor authentication to workplace resources and applications.
Windows 8.1, iOS 6.0+, and Android 4.0+ devices can be joined by using Workplace Join.
 Configure Additional Authentication Methods for AD FS
Support for third-party and custom built authentication methods when configuring multi-factor authentication.
ADFS Features
 Customization of web themes
• Unified customization of the AD FS service (the changes are made once and then automatically propagated to the rest of the AD FS federation servers in a given farm)
 Simplified deployment experience
• Remote installation and configuration through Server Manager.
• Scaling out easily
• SQL Server merge replication support when deploying AD FS across globally dispersed datacenters.
• Group Managed Service Account support.
Key concepts (diagram)
 Identity Provider (IP): Active Directory plus a Security Token Service (STS); the STS is the issuer (IP-STS)
 User / Subject / Principal: requests a token for AppX; the STS issues a security token crafted for AppX
 Relying party (RP) / Resource provider (AppX): trusts the security token from the issuer
 The Security Token (ST) is signed by the issuer and contains claims about the user, for example:
• Name
• Group membership
• User Principal Name (UPN)
• Email address of user
• Email address of manager
• Phone number
• Other attribute values
 The security token “authenticates” the user to the application
Key Concepts: an essential tool
Fiddler as a man in the middle
 Fiddler can intercept HTTPS traffic
 Creates a certificate that represents the destination website
 Browser will display certificate as invalid unless added to certificate store
 If you add it to the store make sure you remove it after testing
How it works (diagram)
Participants: AD FS STS, claims-aware app, Active Directory. The app trusts the STS.
1. Our user browses to the app
2. Not authenticated: redirected to the STS
3. The user authenticates to the STS
4. The STS queries Active Directory for user attributes
5. The STS returns the security token
6. The browser sends the token to the app
7. The app returns cookies and the page
First redirect to STS
Decoded redirect URL:
https://adfs.example.com/adfs/ls/?
wa=wsignin1.0&
wtrealm=https://site1.example.com/Federation/&
wctx=rm=0&id=passive&ru=%2fFederation%2f&
wct=2011-04-15T15:12:28Z
%2f decodes to /
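The redirect above carries four WS-Federation parameters (wa, wtrealm, wctx, wct). The following is an added example, not from the original slides, showing how a defender can decode such a redirect and check it: the action must be wsignin1.0, the wtrealm must be a relying party the STS actually serves, the ru inside wctx must be a relative path, and wct must be within a clock-skew window. The allow-list and the skew limit are hypothetical; the sample URL is a constructed, URL-encoded copy of the decoded redirect shown on the slide (its 2011 timestamp will therefore be reported as stale).

```powershell
# Added example: decode and sanity-check a WS-Federation passive sign-in redirect.
Add-Type -AssemblyName System.Web

# Constructed sample: the slide's decoded redirect, re-encoded as it travels on the wire
$sampleRedirect = 'https://adfs.example.com/adfs/ls/?wa=wsignin1.0' +
    '&wtrealm=https%3a%2f%2fsite1.example.com%2fFederation%2f' +
    '&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fFederation%252f' +
    '&wct=2011-04-15T15%3a12%3a28Z'

# Relying party identifiers this STS is configured for (hypothetical allow-list)
$allowedRealms = @('https://site1.example.com/Federation/')

function Test-WsFedSignInRequest {
    param(
        [Parameter(Mandatory)][string]$Url,
        [string[]]$AllowedRealms,
        [int]$MaxSkewMinutes = 5      # hypothetical tolerance for wct
    )
    $uri   = [uri]$Url
    $query = [System.Web.HttpUtility]::ParseQueryString($uri.Query)

    $result = [ordered]@{
        Action    = $query['wa']
        Realm     = $query['wtrealm']
        Issued    = $query['wct']
        ReturnUrl = $null
        Findings  = @()
    }

    if ($result.Action -ne 'wsignin1.0') {
        $result.Findings += "unexpected wa value '$($result.Action)'"
    }
    if ($AllowedRealms -notcontains $result.Realm) {
        $result.Findings += "wtrealm '$($result.Realm)' is not a configured relying party"
    }

    # wctx is opaque to the STS and round-tripped to the RP; ParseQueryString has
    # already removed one level of encoding, so ru is now a plain path
    if ($query['wctx']) {
        $inner = [System.Web.HttpUtility]::ParseQueryString($query['wctx'])
        $result.ReturnUrl = $inner['ru']
        if ($result.ReturnUrl -and $result.ReturnUrl -notmatch '^/') {
            $result.Findings += "ru '$($result.ReturnUrl)' is not a relative path"
        }
    }

    # wct is the client's UTC timestamp; flag requests outside the skew window
    if ($result.Issued) {
        $issued = [datetime]::Parse($result.Issued,
            [System.Globalization.CultureInfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::AdjustToUniversal)
        $ageMinutes = ([datetime]::UtcNow - $issued).TotalMinutes
        if ([math]::Abs($ageMinutes) -gt $MaxSkewMinutes) {
            $result.Findings += ("wct is {0:N0} minutes away from now" -f $ageMinutes)
        }
    }

    [pscustomobject]$result
}

Test-WsFedSignInRequest -Url $sampleRedirect -AllowedRealms $allowedRealms | Format-List
```

The same function can be pointed at a redirect copied out of Fiddler (see the previous slide); an empty Findings list means the request is shaped the way the STS expects.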
Web page returned after authentication
 The SAML data is always signed; it can be encrypted if required
AD FS cookies:
 MSISSelectionPersistent: identifies the authenticating IP-STS, located through Home Realm Discovery (HRD)
 MSISAuth…: authenticated session cookies
 MSISAuthenticated: time when the authentication took place
 MSISSignOut: keeps track of all RPs to which the session has authenticated
 MSISLoopDetectionCookie: prevents multiple authentication requests due to a configuration error; default time-out: 6 requests for authentication to the same RP within a short space of time
Web app cookies:
 Allow the browser session to remain authenticated to the web application
Main token types
JSON Web Tokens (JWT)
Simple Web Token
(Microsoft, Google, Yahoo)
AD FS architecture (diagram)
Internet → firewall & load balancer → perimeter network (Web Application Proxy farm) → firewall & load balancer → intranet (AD FS farm, configuration database, Active Directory).
Remote users and CorpNet users authenticate with forms authentication. The WAP stores/retrieves its configuration on/from AD FS.
DNS requirements
 CNAME entries must be added for the device registration service
 enterpriseregistration.<upn suffix> CNAME sts.example.com
 A CNAME entry will be required for each of the UPN suffixes used in the AD
(Diagram) sts.example.com resolves to the external WAP VIP from the perimeter network (WAP farm) and to the AD FS VIP from the intranet (AD FS farm). Add host file records on the WAP if the intranet DNS cannot be used by the WAP.
Installation prerequisites
 Decide on the configuration database
 Install the SSL certificate into local computer store on each farm node
 Enable the creation of Group Managed Service Accounts
 Not required, but recommended
 Active Directory Windows 2008 or later
 Server 2003 functional level or later
Two options for the configuration database
 Windows Internal Database (WID)
 Each farm member holds a copy
 Maximum of five farm members
 The first server in the farm is referred to as the primary federation server
 Has read/write copy of the configuration database
 Subsequent servers added to the farm are called secondary federation servers
 Read only copy to the configuration database
 Changes updated every 5 minutes from the primary federation server
 SQL
 You must add appropriate SQL redundancy to avoid a single point of failure
SQL database
 SQL 2008 or newer
 No theoretical limit to farm size
 Provides AD FS functionality not available with WID
 SAML artifact resolution
 RP retrieves token from claims provider
 SAML/WS-Federation token replay detection
 Protects both WS-Federation passive profile and the SAML WebSSO profile
 Resource server detect replay of token from account server
Load-balancing & firewall settings
 NLB or a hardware load-balancer can be used with the proxy and AD FS farms
 NLB cannot be used for AD FS if it is running on a domain controller
 Firewall
 Port 443 must be enabled
 Must allow port 49443 if certificate authentication is to be used
AD FS farm SSL certificate
 The subject name and subject alternative name must match the farm URL
 sts.example.com or *.example.com
 For Workplace Join a subject alternative name (SAN) of enterpriseregistration.<upn suffix> is required
 A SAN for each UPN suffix in the AD must be added
 Recommendations:
 Use the same certificate on all nodes of the farm
 Use the same certificate on the WAP farm nodes
 Obtain the certificate from a public CA
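The DNS and certificate slides above impose one requirement per UPN suffix: a CNAME for enterpriseregistration.<upn suffix> pointing at the farm name, and a SAN on the SSL certificate covering that name. The following added example, not from the original slides, checks both for every UPN suffix in the forest. It assumes the slides' farm name sts.example.com, that the script runs on a farm node with the ActiveDirectory module and the farm certificate in the local computer store, and that the certificate can be selected by its subject.

```powershell
# Added example: verify Workplace Join DNS and SAN prerequisites per UPN suffix.
Import-Module ActiveDirectory

$farmName = 'sts.example.com'

# UPN suffixes in use: the forest root domain plus any explicitly added suffixes
$forest   = Get-ADForest
$suffixes = @($forest.RootDomain) + @($forest.UPNSuffixes) | Sort-Object -Unique

# The farm SSL certificate in the local computer store, selected by subject (assumption)
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$farmName*" -or $_.Subject -match '^CN=\*\.example\.com' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $farmName found in Cert:\LocalMachine\My" }

# Subject Alternative Name extension (OID 2.5.29.17); Format(true) prints "DNS Name=..." lines
$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanNames = @()
if ($sanExt) {
    $sanNames = [regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
}

function Test-SanCovers {
    param([string[]]$SanNames, [string]$HostName)
    $h = $HostName.ToLowerInvariant()
    foreach ($san in $SanNames) {
        if ($san -eq $h) { return $true }
        # A wildcard matches exactly one label: *.example.com covers
        # enterpriseregistration.example.com but not enterpriseregistration.sub.example.com
        if ($san.StartsWith('*.')) {
            $parent = $san.Substring(2)
            if ($h -like "*.$parent" -and $h.Split('.').Count -eq $san.Split('.').Count) {
                return $true
            }
        }
    }
    return $false
}

# The farm name itself must be covered by the subject or a SAN
$farmRow = [pscustomobject]@{
    UpnSuffix = '(farm name)'; Name = $farmName; CnameTarget = $null; CnameOk = $null
    SanOk = (Test-SanCovers -SanNames $sanNames -HostName $farmName) -or ($cert.Subject -like "CN=$farmName*")
}

$report = foreach ($suffix in $suffixes) {
    $drsName = "enterpriseregistration.$suffix"
    # Resolve-DnsName returns the CNAME record (NameHost = target) plus the A records it chains to
    $cname = Resolve-DnsName -Name $drsName -Type CNAME -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    [pscustomobject]@{
        UpnSuffix   = $suffix
        Name        = $drsName
        CnameTarget = $cname.NameHost
        CnameOk     = [bool]($cname -and $cname.NameHost -ieq $farmName)
        SanOk       = Test-SanCovers -SanNames $sanNames -HostName $drsName
    }
}

@($farmRow) + @($report) | Format-Table -AutoSize
```

Any row with CnameOk or SanOk false is a suffix whose users will fail device registration; run the DNS part again from a WAP node if the perimeter uses a separate DNS, since the slides note that the WAP may need host file records instead.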
Group Managed Service Account (gMSA)
 The AD FS service account can be a gMSA
 A gMSA can be run across multiple servers
 The password (120 characters) for a gMSA is maintained by the Key Distribution Service (KDS) running on a Windows Server 2012 domain controller
 The password is calculated using the KDS Root Key, the current time and the gMSA SID
 The KDS Root Key must be created using PowerShell
 At least one 2012 DC is required
 A minimum of 2 DCs is recommended
Create the KDS Root Key
 Before any gMSA accounts can be created the KDS Root Key must be generated using PowerShell
 Add-KdsRootKey -EffectiveImmediately
 There is an enforced delay of 10 hours before a gMSA can be created after running the command
 This is to “guarantee” that the key has propagated to all 2012 DCs
 For lab work the delay can be overridden using
 Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
Creating a gMSA
 Can be created with PowerShell
 Let the ADFS wizard do it for you
 Updates the PrincipalsAllowedToRetrieveManagedPassword property with the DN of the server node being installed
 Sets the service principal name
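The KDS root key and gMSA steps on the last two slides, written out as one script. This is an added example, not the slides' or the AD FS wizard's code: the account name gmsa-adfs, the node names ADFS*/ADFS03 and the example.com domain are hypothetical, the farm name is the slides' sts.example.com, and the cmdlets are those of the ActiveDirectory module. It does by hand what the wizard does for you: it restricts password retrieval to the farm node computer accounts and registers the farm SPN.

```powershell
# Added example: KDS root key, gMSA creation and verification for an AD FS farm.
Import-Module ActiveDirectory

# 1. KDS root key: one per forest. A key created with -EffectiveImmediately is
#    still usable only after the 10-hour propagation delay described above.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
    # Lab only: backdate the key so a gMSA can be created straight away
    # Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Create the gMSA. Only the farm node computer accounts may retrieve the
#    managed password (least privilege); the SPN is the farm name browsers use.
$gmsaName  = 'gmsa-adfs'                                   # hypothetical
$farmFqdn  = 'sts.example.com'
$farmNodes = Get-ADComputer -Filter "Name -like 'ADFS*'"   # hypothetical node naming

New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.example.com" `
    -ServicePrincipalNames "host/$farmFqdn" `
    -PrincipalsAllowedToRetrieveManagedPassword $farmNodes `
    -Description 'AD FS service account (gMSA)'

# 3. Adding a farm member later means adding its computer account to the
#    retrieval principals, which is the property the AD FS wizard updates
$newNode = Get-ADComputer -Identity 'ADFS03'               # hypothetical
Set-ADServiceAccount -Identity $gmsaName `
    -PrincipalsAllowedToRetrieveManagedPassword (@($farmNodes) + $newNode)

# 4. On a farm node: install the account locally and confirm that this host
#    can actually retrieve the password (Test-ADServiceAccount returns True)
Install-ADServiceAccount -Identity $gmsaName
Test-ADServiceAccount -Identity $gmsaName

# 5. Review who may retrieve the password and which SPNs are registered;
#    anything beyond the farm nodes here is a finding
Get-ADServiceAccount -Identity $gmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames |
    Select-Object Name, ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword
```

Step 5 is the check worth repeating periodically: because the KDS derives the password from the root key, the time and the gMSA SID, every principal in PrincipalsAllowedToRetrieveManagedPassword can obtain the AD FS service credential, so that list should contain the farm nodes and nothing else.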
Adding additional farm members
Reasons for deployment (diagrams)
 Your own users: your AD (identity store) and your AD FS; RP1, your claims-aware applications, trust your AD FS
 External users: your AD FS trusts a partner or 3rd-party STS, so external users can reach your claims-aware applications; claims-aware applications may be hosted on-premises or in the cloud
 Partner or 3rd-party services (claims-aware): the partner's STS trusts your AD FS, so your users can reach their services
Reasons for deployment (continued) (diagram)
 A resource STS, owned, managed and run by a business unit, trusts your STS; RP1, RP2, RP3 and RP4 trust the resource STS
 Resource STSs apply application authorization rules
Working with partners (diagram)
Participants: your AD FS STS, your claims-aware app, Active Directory, partner user, partner AD FS STS & IP. The app trusts your STS; your STS trusts your partner's STS.
1. The partner user browses to the app
2. Not authenticated: redirect to your STS
3. Home realm discovery
4. Redirected to the partner STS requesting an ST for the partner user
5. The partner user authenticates to the partner STS
6. The partner STS returns an ST for consumption by your STS
7. Your STS processes the token and returns a new ST
8. The browser sends the token to the app
9. The app returns cookies and the page
Validating the install
 Access the federation metadata
 https://sts.example.com/FederationMetadata/2007-06/FederationMetadata.xml
 If the browser does not show the page as XML, switch to compatibility view
 Try the IdP initiated sign on
 https://sts.example.com/adfs/ls/IdpinitiatedSignOn.aspx
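The two validation checks above, done from a script rather than a browser, so they can be repeated after every farm change. This is an added example, not from the original slides: it fetches the federation metadata, confirms that it parses as XML and is signed, lists the token-signing and encryption certificates it advertises (the thumbprints a partner will pin), compares them with Get-AdfsCertificate when run on a farm node, and confirms that the IdP-initiated sign-on page answers. The farm name is the slides' sts.example.com.

```powershell
# Added example: validate an AD FS install from its published endpoints.
$farmName    = 'sts.example.com'
$metadataUrl = "https://$farmName/FederationMetadata/2007-06/FederationMetadata.xml"
$signOnUrl   = "https://$farmName/adfs/ls/IdpInitiatedSignOn.aspx"

# 1. Federation metadata must be served and must parse as XML
$response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
[xml]$metadata = $response.Content

$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

$entityId = $metadata.DocumentElement.GetAttribute('entityID')
$isSigned = $null -ne $metadata.SelectSingleNode('/md:EntityDescriptor/ds:Signature', $ns)
"EntityID: $entityId (metadata signed: $isSigned)"

# 2. The certificates advertised for signing and encryption, per role descriptor
$published = foreach ($kd in $metadata.SelectNodes('//md:KeyDescriptor[@use]', $ns)) {
    $b64   = $kd.SelectSingleNode('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns).InnerText
    $bytes = [Convert]::FromBase64String($b64.Trim())
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    [pscustomobject]@{
        Role       = $kd.ParentNode.LocalName     # RoleDescriptor, IDPSSODescriptor, SPSSODescriptor
        Use        = $kd.GetAttribute('use')
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
    }
}
$published | Sort-Object Role, Use, Thumbprint | Format-Table -AutoSize

# 3. On a farm node, the advertised signing thumbprints must match what the
#    farm really uses; a mismatch means stale metadata or a wrong endpoint
if (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue) {
    $farmSigning = @(Get-AdfsCertificate -CertificateType Token-Signing | ForEach-Object Thumbprint)
    foreach ($p in ($published | Where-Object Use -eq 'signing' | Sort-Object Thumbprint -Unique)) {
        $state = if ($farmSigning -contains $p.Thumbprint) { 'matches farm' } else { 'NOT a farm signing certificate' }
        "{0}  {1}" -f $p.Thumbprint, $state
    }
}

# 4. The IdP-initiated sign-on page should return the forms sign-in page (HTTP 200)
$signOn = Invoke-WebRequest -Uri $signOnUrl -UseBasicParsing
"IdpInitiatedSignOn: HTTP $($signOn.StatusCode), $($signOn.Content.Length) bytes"
```

Running the same script against the external name from outside the perimeter exercises the WAP path as well; the entityID and thumbprints must be identical from both sides, otherwise the proxy is fronting something other than the farm.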
Web Application Proxy (diagram)
 The WAP publishes applications and services to the Internet
 Users are authenticated and authorized before gaining access to the corporate network
 Published back ends: ADFS; claims-aware web application (AD FS preauthentication); web application with Windows Authentication (Kerberos constrained delegation, KCD); pass-through
Kerberos Constrained Delegation (diagram)
Participants: firewall, WAP, DC, web application using Windows Authentication (Kerberos). AD FS preauthentication is required.
 The SPN for the application must be registered on the service account running the application
 The WAP computer account must be configured for constrained delegation with protocol transition to the SPN of the web application
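The two KCD requirements just listed, as an added example (not from the original slides) using the ActiveDirectory and WebApplicationProxy cmdlets. It registers the SPN on the application's service account only if no other account already holds it, grants the WAP computer account delegation to that single SPN with protocol transition, and publishes the application with AD FS preauthentication. The names app.example.com, svc-app, WAP01 and the relying party name are hypothetical; the certificate thumbprint is a placeholder.

```powershell
# Added example: configure and publish a Windows-authenticated app behind WAP with KCD.
Import-Module ActiveDirectory

$appFqdn = 'app.example.com'   # hypothetical published web application
$appSvc  = 'svc-app'           # hypothetical service account running the app pool
$wapName = 'WAP01'             # hypothetical domain-joined Web Application Proxy
$spn     = "HTTP/$appFqdn"

# 1. The SPN must exist exactly once, on the account running the application.
#    A duplicate SPN makes Kerberos fail for everyone, so check before adding.
$owner = Get-ADObject -Filter "servicePrincipalName -eq '$spn'"
if (-not $owner) {
    Set-ADUser -Identity $appSvc -ServicePrincipalNames @{ Add = $spn }
} elseif ($owner.Name -ne $appSvc) {
    throw "$spn is already registered on '$($owner.Name)'; resolve the duplicate first"
}

# 2. The WAP computer account may delegate only to that SPN (constrained) and may
#    use protocol transition, since the user arrives with an AD FS token rather
#    than a Kerberos ticket
Set-ADComputer -Identity $wapName -Add @{ 'msDS-AllowedToDelegateTo' = $spn }
Set-ADAccountControl -Identity (Get-ADComputer -Identity $wapName) -TrustedToAuthForDelegation $true

# 3. Verify: the delegation list should contain only the SPNs of published apps
Get-ADComputer -Identity $wapName -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# 4. Publish with AD FS preauthentication; WAP obtains the Kerberos ticket for the
#    back end on the user's behalf using the SPN configured above
Add-WebApplicationProxyApplication -Name 'Intranet app' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'Intranet app (non-claims)' `
    -ExternalUrl "https://$appFqdn/" `
    -BackendServerUrl "https://$appFqdn/" `
    -BackendServerAuthenticationSPN $spn `
    -ExternalCertificateThumbprint '<THUMBPRINT-OF-THE-APP-CERTIFICATE>'
```

The relying party named in step 4 must already exist in AD FS as a non-claims-aware relying party trust for this kind of application; the -BackendServerAuthenticationSPN value has to be the same SPN the WAP computer account is allowed to delegate to, which is why both are derived from one variable here.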
Network Topology (diagram)
Client (browser, Office client or modern app) on the Internet → firewall → load balancer → Web Application Proxy (AD FS Proxy) in the DMZ → firewall → load balancer → corporate network with AD FS, its config store, backend servers and an Active Directory domain controller.
Flows: HTTP/S from the client to the WAP and from the WAP to the backend servers; AuthN and the Config. API over HTTPS between the WAP and AD FS; web UI AuthN from the client to AD FS; claims, KCD, OAuth, MSOFBA or pass-through from the WAP to the backend servers; the WAP obtains a KCD ticket from the domain controller for IWA AuthN.
WAP Reverse Proxy Functionalities
 Network Isolation: even in pass-through, even post pre-auth, the backend is never exposed directly
 Basic DoS protection: throttling, queuing, session establishment, before routing to the backend
 URL Translation: HTTP header level translation enables publishing non-FQDN URLs, and HTTPS to HTTP
 Selective Publishing: per internal application endpoint
 AD FS Proxy services: FS, MFA, DRS
 Web Protocols Only: HTTP, HTTPS
WAP Pre-Authentication Functionalities
 Rich Policy: user + device identity, application identity, network location
 MFA Options: smartcards, phone factor, soft password lockout
 Multiple Authentication Methods: KCD, claims, OAuth, MSOFBA, …
 SSO: avoid requesting credentials again after the first pre-auth
 Via a dedicated security token of AD FS
WAP requirements
 One or two network cards
 In some scenarios DirectAccess and/or VPN can be supported on the same server
 See http://technet.microsoft.com/en-us/library/dn383647.aspx
 Install the AD FS SSL certificate on each WAP node
 A certificate will be required for each published application
 To use KCD the WAP must be domain joined
Installing the Web Application Proxy
Running the wizard
 The same method is used to add one or more nodes
Your Ultimate Web Studio for Streaming Anywhere | Evmux
 
Auto Affiliate AI Earns First Commission in 3 Hours..pdf
Auto Affiliate  AI Earns First Commission in 3 Hours..pdfAuto Affiliate  AI Earns First Commission in 3 Hours..pdf
Auto Affiliate AI Earns First Commission in 3 Hours..pdf
 
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea Goulet
 

Single Sign On using ADFS.pptx

  • 6. ADFS Features
 Customization of web themes
• Unified customization of the AD FS service (the changes are made once and then automatically propagated to the rest of the AD FS federation servers in a given farm)
 Simplified deployment experience
• Remote installation and configuration through Server Manager.
• Scaling out easily
• SQL Server merge replication support when deploying AD FS across globally dispersed datacenters.
• Group Managed Service Account support.
  • 7. Key concepts (diagram)
 Identity Provider (IP): Active Directory together with the Security Token Service (STS); the STS is the issuer (IP-STS)
 User / Subject / Principal: requests a token for AppX; the STS issues a security token crafted for AppX
 Relying party (RP) / resource provider (AppX): trusts the security token from the issuer
 The security token contains claims about the user, for example:
• Name
• Group membership
• User Principal Name (UPN)
• Email address of user
• Email address of manager
• Phone number
• Other attribute values
 The security token "authenticates" the user to the application and is signed by the issuer
  • 10. Fiddler as a man in the middle
 Fiddler can intercept HTTPS traffic
 Creates a certificate that represents the destination website
 The browser will display the certificate as invalid unless it is added to the certificate store
 If you add it to the store, make sure you remove it after testing
  • 11. How it works (sequence diagram)
Participants: our user (browser), the claims-aware app, the AD FS STS and Active Directory. The app trusts the STS.
1. Browse app
2. Not authenticated: redirected to the STS
3. Authenticate our user
4. The STS queries Active Directory for user attributes
5. Return security token
6. Send token to the app
7. Return cookies and page
  • 12. First redirect to STS
Decoded redirect URL:
https://adfs.example.com/adfs/ls/?
  wa=wsignin1.0&
  wtrealm=https://site1.example.com/Federation/&
  wctx=rm=0&id=passive&ru=%2fFederation%2f&
  wct=2011-04-15T15:12:28Z
(%2f decodes to /)
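Added example (not part of the slide deck): a relying party builds the wsignin1.0 redirect shown above, and the STS side parses it, checking wa, that wtrealm is a configured relying-party trust, the wct timestamp, and that the ru return path carried in wctx stays on the relying party's own host. The STS endpoint and realm are the slide's; TRUSTED_REALMS and the 5-minute skew window are constructed assumptions.

```python
"""WS-Federation passive sign-in (wa=wsignin1.0) as built by a relying
party and checked by the STS.  Added example, not from the slides; hostnames,
the realm registry and the skew window are constructed."""
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qs, urlencode, urljoin, urlsplit

STS_LOGIN = "https://adfs.example.com/adfs/ls/"   # sign-in endpoint from slide 12
WCT_FORMAT = "%Y-%m-%dT%H:%M:%SZ"                 # wct=2011-04-15T15:12:28Z
# Constructed relying-party trusts: the STS only acts for a wtrealm it knows.
TRUSTED_REALMS = {"https://site1.example.com/Federation/"}


def build_signin_redirect(realm: str, return_path: str,
                          now: Optional[datetime] = None) -> str:
    """Relying-party side: the URL an unauthenticated browser is sent to."""
    now = now or datetime.now(timezone.utc)
    # wctx is the RP's own state, itself a query string, so it ends up
    # percent-encoded a second time inside the outer query (%2f and so on).
    wctx = urlencode({"rm": "0", "id": "passive", "ru": return_path})
    query = urlencode({"wa": "wsignin1.0", "wtrealm": realm,
                       "wctx": wctx, "wct": now.strftime(WCT_FORMAT)})
    return STS_LOGIN + "?" + query


def validate_signin_request(url: str, now: Optional[datetime] = None,
                            max_skew: timedelta = timedelta(minutes=5)) -> dict:
    """STS side: {"ok": True, ...} for a usable request, else {"ok": False, "reason"}."""
    now = now or datetime.now(timezone.utc)
    q = parse_qs(urlsplit(url).query)
    if q.get("wa") != ["wsignin1.0"]:
        return {"ok": False, "reason": "unsupported wa action"}
    realm = q.get("wtrealm", [""])[0]
    if realm not in TRUSTED_REALMS:
        return {"ok": False, "reason": "wtrealm is not a configured relying party"}
    try:
        wct = datetime.strptime(q.get("wct", [""])[0], WCT_FORMAT)
    except ValueError:
        return {"ok": False, "reason": "wct missing or malformed"}
    if abs(now - wct.replace(tzinfo=timezone.utc)) > max_skew:
        return {"ok": False, "reason": "wct outside the accepted clock skew"}
    ctx = parse_qs(q.get("wctx", [""])[0])
    target = urljoin(realm, ctx.get("ru", ["/"])[0])
    # The post-login return URL must stay on the relying party's own host;
    # "https://other/" or "//other/" would otherwise make the STS an open redirector.
    if urlsplit(target).netloc != urlsplit(realm).netloc:
        return {"ok": False, "reason": "ru leaves the relying-party origin"}
    return {"ok": True, "realm": realm, "return_url": target,
            "mode": ctx.get("rm", [""])[0]}
```

Fed the slide's literal URL (with its 2011 wct), the validator rejects it on the timestamp check alone, which is the point of wct.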
  • 13. Web page returned after authentication
 The SAML data is always signed; it can be encrypted if required
  • 14. AD FS cookies
 MSISSelectionPersistent: identifies the authenticating IP-STS, located through Home Realm Discovery (HRD)
 MSISAuth…: authenticated session cookies
 MSISAuthenticated: time when the authentication took place
 MSISSignOut: keeps track of all RPs to which the session has authenticated
 MSISLoopDetectionCookie: prevents multiple authentication requests due to a configuration error
• Time-out default: 6 requests for authentication to the same RP within a short space of time
  • 15. Web app cookies
 Allow the browser session to remain authenticated to the web application
  • 16. Main token types
 JSON Web Tokens (JWT)
 Simple Web Token (Microsoft, Google, Yahoo)
  • 17. AD FS architecture (diagram)
Labels: Internet with the remote user; firewall & load balancer; perimeter network with the Web Application Proxy farm; firewall & load balancer; intranet with the AD FS farm, configuration database and Active Directory; CorpNet users; Forms Authentication. The WAP stores/retrieves its configuration on/from AD FS.
  • 18. DNS requirements
 CNAME entries must be added for the device registration service
• enterpriseregistration.<upn suffix> CNAME sts.example.com
• A CNAME entry will be required for each of the UPN suffixes used in the AD
 Diagram: in the perimeter network (WAP farm) sts.example.com resolves to the external WAP VIP; in the intranet (AD FS farm) sts.example.com resolves to the AD FS VIP
 Add host file records if the intranet DNS cannot be used by the WAP
  • 19. Installation prerequisites
 Decide on the configuration database
 Install the SSL certificate into the local computer store on each farm node
 Enable the creation of Group Managed Service Accounts
• Not required, but recommended
 Active Directory
• Windows 2008 or later
• Server 2003 functional level or later
  • 20. Two options for the configuration database
 Windows Internal Database (WID)
• Each farm member holds a copy
• Maximum of five farm members
• The first server in the farm is referred to as the primary federation server; it holds the read/write copy of the configuration database
• Subsequent servers added to the farm are called secondary federation servers; they hold a read-only copy of the configuration database, updated every 5 minutes from the primary federation server
 SQL
• You must add appropriate SQL redundancy to avoid a single point of failure
  • 21. SQL database
 SQL 2008 or newer
 No theoretical limit to farm size
 Provides AD FS functionality not available with WID
• SAML artifact resolution: the RP retrieves the token from the claims provider
• SAML/WS-Federation token replay detection: protects both the WS-Federation passive profile and the SAML WebSSO profile; the resource server detects replay of a token from the account server
  • 22. Load-balancing & firewall settings
 NLB or a hardware load-balancer can be used with the proxy and AD FS farms
• NLB cannot be used for AD FS if it is running on a domain controller
 Firewall
• Port 443 must be enabled
• Must allow port 49443 if certificate authentication is to be used
  • 23. AD FS farm SSL certificate
 The subject name and subject alternative name must match the farm URL
• sts.example.com or *.example.com
 For Workplace Join a subject alternative name (SAN) of enterpriseregistration.<upn suffix> is required
• A SAN for each UPN suffix in the AD must be added
 Recommendations:
• Use the same certificate on all nodes of the farm
• Use the same certificate on the WAP farm nodes
• Obtain the certificate from a public CA
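Added example, not from the deck, tying the DNS requirement of slide 18 to the certificate requirement above: given the farm FQDN and the AD's UPN suffixes, it lists the SANs a candidate certificate is missing and the enterpriseregistration CNAME records to add. The farm name, suffixes and SAN lists used are constructed; the wildcard rule (one leftmost label) is the usual DNS-name matching rule, not something the slide states.

```python
"""Names an AD FS farm certificate must carry (slide 23) and the device
registration CNAMEs each UPN suffix needs (slide 18).  Added example, not
from the deck; the farm FQDN, UPN suffixes and SAN lists are constructed."""
from typing import Iterable, List, Tuple


def cert_name_matches(san: str, host: str) -> bool:
    """Match a DNS SAN against a hostname.  A wildcard covers exactly one
    leftmost label, so *.example.com covers sts.example.com but neither
    a.b.example.com nor enterpriseregistration.contoso.com."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        return host.count(".") == san.count(".") and host.endswith(san[1:])
    return san == host


def required_names(farm_fqdn: str, upn_suffixes: Iterable[str]) -> List[str]:
    """The farm URL plus enterpriseregistration.<upn suffix> for Workplace Join."""
    return sorted({farm_fqdn} | {f"enterpriseregistration.{s}" for s in upn_suffixes})


def missing_sans(cert_sans: Iterable[str], farm_fqdn: str,
                 upn_suffixes: Iterable[str]) -> List[str]:
    """Required names that no SAN on the candidate certificate covers."""
    sans = list(cert_sans)
    return [name for name in required_names(farm_fqdn, list(upn_suffixes))
            if not any(cert_name_matches(san, name) for san in sans)]


def device_registration_cnames(farm_fqdn: str,
                               upn_suffixes: Iterable[str]) -> List[Tuple[str, str, str]]:
    """(name, type, target) records to add for the device registration service."""
    return [(f"enterpriseregistration.{s}", "CNAME", farm_fqdn)
            for s in sorted(upn_suffixes)]
```

A wildcard farm certificate for one DNS zone therefore still leaves every other UPN suffix's enterpriseregistration name uncovered, which is why the slide asks for one SAN per suffix.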
  • 24. Group Managed Service Account (gMSA)
 The AD FS service account can be a gMSA
 A gMSA can be run across multiple servers
 The password (120 characters) for a gMSA is maintained by the Key Distribution Service (KDS) running on a Windows Server 2012 domain controller
• The password is calculated using the KDS Root Key, the current time and the gMSA SID
 The KDS Root Key must be created using PowerShell
 At least one 2012 DC is required
• A minimum of 2 DCs is recommended
  • 25. Create the KDS Root Key
 Before any gMSA accounts can be created, the KDS Root Key must be generated using PowerShell
• Add-KdsRootKey -EffectiveImmediately
 There is an enforced delay of 10 hours before a gMSA can be created after running the command
• This is to "guarantee" that the key has propagated to all 2012 DCs
 For lab work the delay can be overridden using
• Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
  • 26. Creating a gMSA
 Can be created with PowerShell
 Let the ADFS wizard do it for you
• Updates the PrincipalsAllowedToRetrieveManagedPassword property with the DN of the server node being installed
• Sets the service principal name
  • 30. Reasons for deployment (diagram)
 Your users in your AD authenticate with your AD FS, which your claims-aware applications (RP1) trust
 A partner or 3rd-party STS, with its own identity store, is linked by a trust to your AD FS so that external users can reach your claims-aware applications
 Claims-aware applications may be hosted on-premises or in the cloud
  • 31. Reasons for deployment (continued, diagram)
 Your users in your AD, your AD FS, and a trust with the STS of partner or 3rd-party services (claims-aware)
  • 32. Resource STS (diagram)
 Labels: RP1, RP2 (trusts), RP3, RP4 (trusts)
 Resource STSs apply application authorization rules
 STS owned, managed and run by a business unit
  • 33. Working with partners (sequence diagram)
Participants: the partner user, your claims-aware app, your AD FS STS, Active Directory, and the partner AD FS STS & IP. The app trusts your STS; your STS trusts your partner's STS.
1. Browse app
2. Not authenticated: redirect to your STS
3. Home realm discovery
4. Redirected to the partner STS, requesting an ST for the partner user
5. Authenticate
6. Return ST for consumption by your STS
7. Your STS processes the token and returns a new ST
8. Send token to the app
9. Return cookies and page
  • 34. Validating the install
 Access the federation metadata
• https://sts.example.com/FederationMetadata/2007-06/FederationMetadata.xml
• If the browser does not show the page as XML, switch to compatibility view
 Try the IdP initiated sign on
• https://sts.example.com/adfs/ls/IdpinitiatedSignOn.aspx
  • 36. Web Application Proxy (diagram)
 Publishes applications and services to the Internet
 Users are authenticated and authorized before gaining access to the corporate network
 Published application types and the matching WAP mode: claims-aware web application (AD FS preauthentication); web application with Windows Authentication (Kerberos constrained delegation, KCD); web application (pass-through)
  • 37. Kerberos Constrained Delegation (diagram: firewall, WAP, DC, web application using Windows Authentication (Kerberos))
 The SPN for the application must be registered on the service account running the application
 The WAP computer account must be configured for constrained delegation with protocol transition to the SPN of the web application
 AD FS preauthentication required
  • 38. Network Topology (diagram)
Labels: Internet; client (browser, Office client or modern app); firewall; load balancer; DMZ with the Web Application Proxy / AD FS Proxy; firewall; load balancer; corporate network with AD FS, its config. store, the Active Directory domain controller and backend servers. Flows: HTTP/S; AuthN Web UI; config. API over HTTPS; claims, KCD, OAuth, MSOFBA, or pass-through to the backend servers; obtain KCD ticket for IWA AuthN.
  • 39. WAP Reverse Proxy Functionalities
 Network isolation: even in pass-through, even post pre-auth, the backend is never exposed directly
 Basic DoS protection: throttling, queuing and session establishment before routing to the backend
 URL translation: HTTP header level translation enables publishing non-FQDN URLs, and HTTPS to HTTP
 Selective publishing: per internal application endpoint
 AD FS proxy services: FS, MFA, DRS
 Web protocols only: HTTP, HTTPS
  • 40. WAP Pre-Authentication Functionalities
 Rich policy: user + device identity, application identity, network location
 MFA options: smartcards, phone factor, soft password lockout
 Multiple authentication methods: KCD, claims, OAuth, MSO-FBA, …
 SSO: avoids requesting credentials again after the first pre-auth, via a dedicated security token of AD FS
  • 41. WAP requirements
 One or two network cards
• In some scenarios DirectAccess and/or VPN can be supported on the same server
• See http://technet.microsoft.com/en-us/library/dn383647.aspx
 Install the AD FS SSL certificate on each WAP node
 A certificate will be required for each published application
 To use KCD the WAP must be domain joined
  • 42. Installing the Web Application Proxy
  • 43. Running the wizard
 The same method is used to add one or more nodes