Thomas Stensitzki
AD FS | Deep Dive
Page 2
AD FS Concept
Page 3
Key Concepts
Diagram: Issuer, User, Relying Party
- Issuer: Identity Provider (IP) / Security Token Service (STS), backed by Active Directory
- User / Subject / Principal: sends an authentication request to the STS
- The STS issues a Security Token
- Security Token: contains claims about the user, for example:
- Name
- Group membership
- User Principal Name (UPN)
- Email address of user
- Email address of manager
- Phone number
- Other attribute values
- The Security Token authenticates the user to the application
- Relying Party / Resource Provider: the application that consumes the token
The application makes authorization decisions based on the claims contained in the
security token
- No longer required to make authentication decisions
Page 5
Passive Client
Diagram: passive (browser) client, application, STS, Active Directory; steps in order:
- Client accesses the application: not authenticated
- Client is redirected to the STS
- Client authenticates at the STS
- STS queries Active Directory for user attributes
- STS returns the Security Token to the client
- Client sends the token to the application
Page 6
Diagram: X.509 certificates (public keys) and private keys on each side of the trust
During the establishment of the issuer / relying party trust, both parties require
configuration which includes
- End-points for communication
- Claims offered by the issuer
- Claims accepted by the relying party
- Public keys for signing and encryption
This information can be configured manually or automatically via the exchange of federation
metadata
- Federation metadata can be automatically updated
Page 8
Offered Claims Types
Page 9
Claims Pipeline: How a Security Token is built
Diagram: claims flow from the Claims Provider through three rule sets to the STS output
- Acceptance Transform Rules (input): specify the incoming claims that will be accepted from the
claims provider and the outgoing claims that will be sent to the relying party trust
- Issuance Authorization Rules: permit or deny rule processing and claims issuance; specify the
users that are permitted to access the relying party
- Issuance Transform Rules (output): produce the claims that the STS places in the Security Token
Page 10
Claim Rules
Multiple claim rules can be specified and are processed in top to bottom order
- Results from previously processed claims can be used as the input for subsequent rules
Page 11
Creating Claim Rules
Diagram: a claim rule consists of a Condition and an Issuance Statement
Page 13
Claim Rule Language
After a claim is issued it is added to both the input and the output claim set, allowing the
transformed claim to be processed by subsequent rules
To make a processed claim available only to subsequent rules (it is added to the input set but not
to the output set), replace the issue statement with add
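As an added example (not code from the slides or from AD FS itself): a small Python model of the claims pipeline and claim rule semantics described above, showing top-to-bottom rule processing, earlier results feeding later rules, and the difference between issue and add. The custom domain claim type, the UPNs and the two rules are constructed for illustration; the AD FS rule text in the comments is an approximate equivalent.

```python
# Added example (not from the slides): a Python model of AD FS claim rule
# processing: top-to-bottom order, "issue" vs "add", earlier results as input.
# Claim type URIs are the standard AD FS ones; DOMAIN, UPNs and rules are constructed.
from dataclasses import dataclass
from typing import Callable, List

UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
DOMAIN = "http://example.invalid/claims/domain"  # constructed custom type


@dataclass(frozen=True)
class Claim:
    type: str
    value: str


@dataclass
class Rule:
    condition: Callable[[Claim], bool]  # the c:[...] part of a rule
    produce: Callable[[Claim], Claim]   # the claim built by the statement
    statement: str                      # "issue" or "add"


def run_pipeline(incoming: List[Claim], rules: List[Rule]) -> List[Claim]:
    """Return the claims that end up in the issued security token."""
    inputs = list(incoming)    # input set: what later rules can match on
    outputs: List[Claim] = []  # output set: what goes into the token
    for rule in rules:         # processed strictly in top-to-bottom order
        for claim in list(inputs):  # snapshot: no re-trigger on own results
            if not rule.condition(claim):
                continue
            new = rule.produce(claim)
            if new not in inputs:
                inputs.append(new)       # issue AND add feed later rules
            if rule.statement == "issue" and new not in outputs:
                outputs.append(new)      # only issue reaches the token
    return outputs


# Rule 1 (add): temporary domain claim from the UPN suffix, roughly
#   c:[Type == "<upn>"] => add(Type = "<domain>", Value = RegExReplace(c.Value, "^.*@", ""));
# Rule 2 (issue): map a trusted domain to a role the relying party uses, roughly
#   c:[Type == "<domain>", Value == "contoso.example"] => issue(Type = "<role>", Value = "Employee");
RULES = [
    Rule(lambda c: c.type == UPN and "@" in c.value,
         lambda c: Claim(DOMAIN, c.value.split("@", 1)[1].lower()), "add"),
    Rule(lambda c: c.type == DOMAIN and c.value == "contoso.example",
         lambda c: Claim(ROLE, "Employee"), "issue"),
]


def issue_token(upn: str) -> List[Claim]:
    return run_pipeline([Claim(UPN, upn)], RULES)
```

Because the domain claim is produced with add, rule 2 can match on it but it never appears in the returned token; a UPN from an untrusted domain yields no role claim at all.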
Page 14
How to allow access for partners?
To allow partners to access your systems, you must trust them to authenticate their own
users
Page 15
Diagram: Partner organization (Partner AD FS: STS & IP) and Your organization (Your AD FS: STS,
Relying Party X); your AD FS holds a Claims Trust for the partner, the partner AD FS holds a
Relying Party Trust for your AD FS
Your STS now trusts your partner to provide a security token containing claims for their
users
Your STS is no longer responsible for identifying the user but still processes the claims from
the partner as previously described
Page 16
Summary
Diagram: Partner user, Partner (STS), Your Organization AD FS Security Token Service (STS),
Relying Party X
- Client requests a token for access to Relying Party X, presenting the ST issued by the Partner
- The Partner ST is trusted via the Claims Trust
- Your STS processes the Acceptance Transform Rules
- Your STS processes the Issuance Authorization Rules: if denied, processing ends
- If allowed, your STS processes the Issuance Rules
- Your STS returns a token for Relying Party X
Page 17
Passive Client
Diagram: Partner user, Your Claims-aware App, Your ADFS STS, Partner ADFS STS & IP, Active Directory
- Partner user browses to the app: not authenticated
Page 19
Questions
Thomas Stensitzki
Expert
Granikos GmbH & Co. KG
MCSM Messaging, MCM: Exchange 2010
MCT, MCSE, MCITP, MCTS, MCSA, MCSA:M
E-Mail: thomas.stensitzki@granikos.eu
Web: http://www.Granikos.eu
Blog: http://blog.Granikos.eu
Blog: http://JustCantGetEnough.Granikos.eu
Page 20