Enterprise Identity
Steve Plank – Microsoft
Ivor Bright – Charteris
Dave Nesbitt – Oxford Computer Group
Agenda
• Overview of Enterprise Federation Challenges/Solutions
• Individual Group Discussions (led)
• Large Group “Debate”
Extranet Access with Identity Federation
(Diagram: your employees log on to Windows on your network and get single sign-on to the web servers and application servers inside your network, backed by Active Directory, Exchange and SQL/file servers; your suppliers, on their own networks, are given extranet access through identity federation.)
ADFS Identity Federation
• Projecting user identity from a single logon …
• Providing distributed authentication & claims-based authorization …
• Connecting islands (across security, organizational or platform boundaries) …
• Enabling web single sign-on & simplified identity management
ADFS Components
(Diagram: a client web browser talks over HTTPS to a web server, a Federation Service and a Federation Service Proxy; the Federation Service is backed by Active Directory or ADAM.)
ADFS Components
Active Directory or ADAM
• Authenticates users
• Manages attributes
• Windows 2000 or 2003
ADFS Components
Federation Service (FS)
• Security Token Service (STS)
• Maps user attributes to claims
• Issues security tokens
• Manages federation trust policy
• Requires IIS v6, Windows 2003 R2
ADFS Components
Federation Server Proxy (FSP)
• Client proxy for token requests
• Provides UI for browser clients
• Forms-based auth
• Home realm discovery
• Requires IIS v6, Windows 2003 R2
ADFS Components
Web Agent
• Enforces user authentication
• Creates app authZ context from claims
• NT impersonation and ACLs
• ASP.NET IsInRole()
• AzMan RBAC integration
• ASP.NET raw claims API
• Requires IIS v6, Windows 2003 R2
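The three roles above (account STS mapping attributes to claims, resource STS applying trust policy, web agent building an authZ context) as an added example; this is illustration code, not part of the deck or of ADFS itself, and the realm names, policy entries and claim types are constructed:

```python
# Added example, not from the deck: an account-side STS mapping directory attributes
# to claims, a resource-side STS applying its federation trust policy, and a web agent
# building an authorization context (IsInRole) from the result. All names are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Claim:
    type: str   # "email", "upn" or "group"
    value: str

# Constructed account-realm policy: which AD attributes become outgoing claims
# and which AD groups are exposed to partners (and under which claim value).
ACCOUNT_POLICY = {
    "realm": "urn:federation:adatum",
    "attribute_claims": {"mail": "email", "userPrincipalName": "upn"},
    "group_claims": {"CN=Purchasers,OU=Groups,DC=adatum,DC=com": "Purchaser"},
}
# Constructed resource-realm policy: one trusted issuer; unlisted group claims are dropped.
RESOURCE_POLICY = {
    "trusted_issuer": "urn:federation:adatum",
    "realm": "urn:federation:treyresearch",
    "incoming_group_claims": {"Purchaser": "OrderApprover"},
}

def account_sts_issue(user: dict, policy: dict = ACCOUNT_POLICY) -> dict:
    """Map a directory record (attributes plus memberOf DNs) to outgoing claims."""
    claims = [Claim(ctype, user[attr])
              for attr, ctype in policy["attribute_claims"].items() if attr in user]
    claims += [Claim("group", policy["group_claims"][dn])
               for dn in user.get("memberOf", ()) if dn in policy["group_claims"]]
    return {"issuer": policy["realm"], "claims": claims}

def resource_sts_transform(token: dict, policy: dict = RESOURCE_POLICY) -> dict:
    """Apply federation trust policy to a partner token and re-issue it locally."""
    if token["issuer"] != policy["trusted_issuer"]:
        raise PermissionError("token issuer is not in the federation trust policy")
    mapping = policy["incoming_group_claims"]
    claims = [c for c in token["claims"] if c.type != "group"]   # identity claims pass through
    claims += [Claim("group", mapping[c.value])
               for c in token["claims"] if c.type == "group" and c.value in mapping]
    return {"issuer": policy["realm"], "claims": claims}

class ClaimsPrincipal:
    """What the web agent hands the application: roles for IsInRole() plus raw claims."""
    def __init__(self, token: dict):
        self.claims = token["claims"]
        self.roles = {c.value for c in self.claims if c.type == "group"}

    def is_in_role(self, role: str) -> bool:
        return role in self.roles
```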
ADFS Authentication Flow
(Diagram: A. Datum's account forest, with its Active Directory, account Security Token Service and internal client, federates with Trey Research's resource forest, with its Active Directory, resource Security Token Service and web server.)
Centrify support for ADFS
Web SSO for non-IIS web servers
• DirectControl provides a cross-platform equivalent of the Microsoft ADFS SSO agent for IIS 6
• Apache and popular J2EE web servers
• BEA WebLogic
• Apache Tomcat
• IBM WebSphere
• JBoss
• Web agent is a direct drop-in for non-Microsoft web servers
• Customer benefits
• Simple and cost-effective entrance into the federated identity world
• No modification of applications
• Uses existing deployed infrastructure (AD)
Quest support for ADFS
Web SSO for non-IIS web servers
• ADFS supported in Vintela Single Sign-on for Java V3.1
• Existing Java apps need no modifications
• VSJ 3.1 ADFS servlet filter will:
• Support ADFS authentication for Java applications in the resource domain
• Allow Java application servers to leverage an existing ADFS infrastructure
• Enable federation of Java/J2EE applications within ADFS-based trust fabric
• Support NTLM, SPNEGO & WS-Federation based authentication
• VSJ servlet filters work with any J2EE application server
• No change required to the Java application – it “just works”
Shibboleth Interoperability
Sponsored by Microsoft and ADFS
• Standards based, open source
• Shibboleth System 1.3 release
• Developing plug-ins for SAML 1.1 Identity and Service Providers
• Support WS-Federation Passive Requestor Interoperability Profile
• Enables interop with ADFS and other compliant vendor products
WS-Federation
• Web Services Federation Language
• Defines messages to enable security realms to federate & exchange security tokens
• BEA, IBM, Microsoft, RSA, VeriSign
• Two “profiles” of the model defined
• Passive (Browser) clients – HTTP/S
• Active (Smart) clients – SOAP
(Diagram: passive clients exchange HTTP messages with an HTTP receiver, active clients exchange SOAP messages with a SOAP receiver, and both obtain tokens from a Security Token Service.)
Passive Requestor Profile
Supported by ADFSv1 in W2K03 R2
• Binding of WS-Federation & WS-Trust for browser (passive) clients
• Implicitly adhere to policy by following redirects
• Implicitly acquire tokens via HTTP msgs
• Authentication requires secure transport (HTTPS)
• Client cannot provide “proof of possession”
• Tokens subject to replay
• Limited (time based) token caching
Authentication Message Flow
(Participants: browser client, account STS, web server, resource STS.)
• GET (to Web Server)
• 302 Redirect (to Resource STS)
• Detect user’s home realm
• 302 Redirect (to Account STS)
• Authenticate User
• POST “Redirect” security token (to Resource STS)
• POST “Redirect” security token (to Web Server)
• 200 OK Response (from Web Server)
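The last step of the flow above, where the browser POSTs the security token to the web server, as an added example of what the receiving side has to check given the passive-profile limits listed earlier (no proof of possession, tokens subject to replay, time-based caching); this is illustration code, not from the deck or from ADFS, and the realm names, key and token layout are constructed (HMAC over a JSON body stands in for the XML signature ADFS makes with the account STS certificate):

```python
# Added example, not from the deck: a resource-side web agent checking a token
# delivered by browser POST in the passive profile. The client cannot prove
# possession, so issuer trust, audience, lifetime and a replay cache are all the
# receiver has. HMAC over a JSON body stands in for the XML signature that ADFS
# makes with the account STS certificate; all names and the key are constructed.
import hashlib, hmac, json, time

STS_KEY = b"constructed-demo-key"                   # stand-in for the STS signing key
TRUSTED_ISSUER = "urn:federation:adatum"            # hypothetical account realm
MY_AUDIENCE = "urn:federation:treyresearch:orders"  # hypothetical web server
CLOCK_SKEW = 300                                    # tolerated clock drift, seconds

def sign_body(body: dict) -> str:
    raw = json.dumps(body, sort_keys=True).encode()
    return hmac.new(STS_KEY, raw, hashlib.sha256).hexdigest()

def account_sts_issue(token_id: str, claims: dict, now: float, lifetime: int = 600) -> dict:
    """Issue a short-lived token bound to one audience (the 'Authenticate User' step)."""
    body = {"id": token_id, "issuer": TRUSTED_ISSUER, "audience": MY_AUDIENCE,
            "not_before": now, "not_on_or_after": now + lifetime, "claims": claims}
    return {"body": body, "sig": sign_body(body)}

class WebAgent:
    """Receives the POSTed token and either returns its claims or rejects it."""
    def __init__(self, now=time.time):
        self.now = now
        self._seen = {}   # token id -> not_on_or_after (replay cache)

    def accept(self, token: dict) -> dict:
        now, body = self.now(), token["body"]
        # Drop replay entries once their token could no longer pass the expiry check anyway.
        self._seen = {i: exp for i, exp in self._seen.items() if now - CLOCK_SKEW < exp}
        if not hmac.compare_digest(token["sig"], sign_body(body)):
            raise PermissionError("signature does not verify: token altered or not from the STS")
        if body["issuer"] != TRUSTED_ISSUER:
            raise PermissionError("issuer is not in the federation trust policy")
        if body["audience"] != MY_AUDIENCE:
            raise PermissionError("token was issued for another resource")
        if now + CLOCK_SKEW < body["not_before"]:
            raise PermissionError("token not yet valid")
        if now - CLOCK_SKEW >= body["not_on_or_after"]:
            raise PermissionError("token expired")
        if body["id"] in self._seen:
            raise PermissionError("token replayed")
        self._seen[body["id"]] = body["not_on_or_after"]
        return body["claims"]
```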
Active Requestor Profile
Future ADFS release
• Binding of WS-Federation & WS-Trust for SOAP/XML aware (active) clients
• Explicitly determine token needs from policy
• Explicitly request tokens via SOAP msgs
• Strong authentication of all requests
• Client can provide “proof of possession”
• Supports delegation
• Client can provide token for use on its behalf
• Allows rich token caching at client
• Improved performance w/o security risk
Sample Flow: Active Client
WS-Policy used to route client token requests
(Participants: requesting service, identity provider STS, target service, service provider STS.)
• Fetch service policy
• Fetch SP policy
• Fetch IP policy
• Request token
• Return token
• Request token
• Return token
• Send secured request
• Return secured response
Review
• Overview of Enterprise Federation Challenges/Solutions
• Individual Group Discussions (led)
• Large Group “Debate”
• http://blogs.charteris.com/blogs/IvorB
• Ivor.Bright@Charteris.com