Claims-Based Identity
Magnus Jungåker, Partner Technology Advisor, Core Infra, Microsoft AB
Problem Statement
Every app must handle two functions: authenticate the user, and get information about the user to drive behavior
Many different technologies do this: name/pwd, X.509, Kerberos, SAML, LDAP, …; the scenario drives the technology choice
The app is bound to the constraints of that technology
Modern apps face increasing requirements: federation, strong authentication, SOA, cloud, …
Problem Statement
ADDB
App1
DB
App2
AD
App4
App6
AD
App5
Intranet Intranet Extranet
Extranet
Cloud
AD
App3
DB
DB
SSO
SeparateSign-in
SeparateSign-in
SeparateSign-in
SeparateSign-in
SeparateSign-in
AdditionalProvisioning
AdditionalProvisioning
AdditionalProvisioning
AdditionalProvisioning
AdditionalProvisioning
Claims-Based Identity
Abstraction layer hides detail of authenticating user, getting information about user
Application logic exposed to claims only; claims = information about the user
Change details after deployment without changing application code
Claims-Based Identity (diagram): Client, Relying Party (Your App on the Claims Framework), Identity Provider, Fed Client (optional); trust relationship between Relying Party and Identity Provider
1. Authenticate (client to Identity Provider)
2. Look up claims, transform for application
3. Return claims
4. Send claims (client to Your App)
Introducing "Geneva" (diagram): Your App on the "Geneva" Framework (Relying Party); "Geneva" Server backed by Active Directory and a SQL attribute store; Windows CardSpace "Geneva" on the client; trust between Relying Party and "Geneva" Server
Official Names (diagram): "Geneva" Framework = Windows Identity Foundation (Your App, Relying Party); "Geneva" Server = Active Directory Federation Services 2.0 (Active Directory, SQL attribute store); Windows CardSpace "Geneva" = Windows CardSpace 2.0; trust between Relying Party and AD FS 2.0
Federated Collaboration (diagram): user Frank Miller at Fabrikam (Windows Identity Foundation, AD FS 2.0); Relying Party SharePoint 2007 at Contoso (AD FS 2.0); trust Contoso SharePoint to Contoso AD FS 2.0, trust Contoso AD FS 2.0 to Fabrikam AD FS 2.0
1. Attempt access
2. Redirect to STS
3. Home realm discovery
4. Redirect to STS
5. Authenticate
6. Get claims
7. Post claims
8. Get claims
9. Post claims
Federated Collaboration: claims transformation (Windows Identity Foundation)
From Fabrikam: {Role, Plant Manager}
Fabrikam Authority Policy (on the Contoso AD FS 2.0 Server):
  [type == "Role", value == "Plant Manager"] => issue(type = "Role", value = "Buyer");
  result: {Role, Buyer}
To LOB Application (AutoParts Relying Party Policy):
  [type == "Role", value == "Buyer"] => issue(type = "Role", value = "Purchaser");
  result: {Role, Purchaser}
To SharePoint (SharePoint Relying Party Policy):
  [type == "Role", value == "Buyer"] => issue(type = "Role", value = "Visitor");
  result: {Role, Visitor}
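As an added example (not from the slides), a small Python interpreter for the rule form shown on this slide, run through the Fabrikam-to-Contoso pipeline drawn above: the claims provider policy normalizes the partner's claim, then each relying party policy shapes what that application gets to see, and a claim no rule matches is dropped rather than forwarded. The rule syntax is reduced to exactly what the slide shows (AD FS 2.0's real rule language also carries a c: condition name and URI claim types), and the policy and function names are assumptions.

```python
import re
from typing import List, Tuple

Claim = Tuple[str, str]  # (claim type, claim value)
# Rule form exactly as written on the slide (AD FS 2.0's full language also
# carries a "c:" condition name and URI claim types; both are omitted here).
RULE_RE = re.compile(
    r'\[type == "(?P<in_t>[^"]+)", value == "(?P<in_v>[^"]+)"\]\s*=>\s*'
    r'issue\(type = "(?P<out_t>[^"]+)", value = "(?P<out_v>[^"]+)"\);'
)

def parse_rule(text: str) -> Tuple[Claim, Claim]:
    """Return ((match type, match value), (issued type, issued value))."""
    m = RULE_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError("unsupported rule syntax: " + text)
    return (m["in_t"], m["in_v"]), (m["out_t"], m["out_v"])

def apply_policy(rules: List[str], incoming: List[Claim]) -> List[Claim]:
    """Evaluate every rule; only issue() results leave the stage, so an
    incoming claim that matches no rule is dropped, not passed through."""
    issued: List[Claim] = []
    for rule in rules:
        condition, result = parse_rule(rule)
        if condition in incoming and result not in issued:
            issued.append(result)
    return issued

# Policies from the slide (list names are assumptions, rule text is the slide's).
FABRIKAM_AUTHORITY_POLICY = [
    '[type == "Role", value == "Plant Manager"] => issue(type = "Role", value = "Buyer");',
]
AUTOPARTS_RP_POLICY = [
    '[type == "Role", value == "Buyer"] => issue(type = "Role", value = "Purchaser");',
]
SHAREPOINT_RP_POLICY = [
    '[type == "Role", value == "Buyer"] => issue(type = "Role", value = "Visitor");',
]

def contoso_adfs(from_fabrikam: List[Claim], rp_policy: List[str]) -> List[Claim]:
    """Two stages on the Contoso AD FS 2.0 server: the claims provider
    (Fabrikam authority) policy first, then the relying party policy."""
    trusted = apply_policy(FABRIKAM_AUTHORITY_POLICY, from_fabrikam)
    return apply_policy(rp_policy, trusted)

if __name__ == "__main__":
    frank = [("Role", "Plant Manager")]  # constructed: Frank Miller's Fabrikam claims
    print("AutoParts sees:", contoso_adfs(frank, AUTOPARTS_RP_POLICY))
    print("SharePoint sees:", contoso_adfs(frank, SHAREPOINT_RP_POLICY))
```

Feeding a role the Fabrikam authority policy does not know (say Engineer) yields an empty claim set for both relying parties, which is the least-privilege property the rule engine gives you for free.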
Federation with Microsoft Online (diagram): user Frank Miller at Fabrikam (AD FS 2.0) with trust to the Microsoft Federation Gateway at Microsoft Online; relying parties SharePoint Online, Exchange Online, CRM Online, …
Applications
SharePoint 2007, SharePoint 2010, Exchange 2010, OCS 14, RMS, BPOS, Live@edu
Benefits of the claims model for SharePoint 2010
Support existing identity infrastructure: Active Directory, LDAP, SQL, WebSSO and identity management systems
Multiple authentication methods per SharePoint Web Application
Enable automatic, secure identity delegation: cross-machine and cross-farm
Support "no-credential" connections to external web services
Standards-based and interoperable
Identity in SharePoint 2010 is built on WIF
Windows Identity Foundation (WIF)
Framework for building claims-aware applications and STSs
Standards-based and interoperable
Targets ASP.NET and WCF developers: WS-Federation (passive) for ASP.NET, WS-Trust (active) for WCF
Offers a unified programming model
Identity Delegation (diagram): user Frank Miller, AD FS 2.0, Front End Web Application (Windows Identity Foundation), Back End Web Service (Windows Identity Foundation); the front end and back end each trust AD FS 2.0
1. Post claims (client to front end)
2. Get claims (front end to AD FS 2.0, on behalf of the user)
3. Send claims (front end to back end)
Interoperability Scenario
STS: "Geneva" Server (Beta 2)
Web Service Provider: SAP NetWeaver 7.02
Web Service Consumer: .NET 3.5
Trust: user mapping in AD / "Geneva" Server
Registration of the SAP Enterprise Service as a Relying Party in the "Geneva" Server STS
Configuration of "Geneva" Server in SAP
Generated consumer WCF binding based on the provider policy
Demo
Deployment
Deployment Goals
Provide your Active Directory users access to your claims-aware applications and services: SSO for internal use
Provide your Active Directory users access to the applications and services of other organizations: SSO to outsourced services or the cloud
Provide users in another organization access to your claims-aware applications and services: providing outsourced services
Implementing Deployment Goals
Bing "AD FS 2.0 Deployment" for the AD FS 2.0 Design and Deployment Guides
Design considerations: Web SSO, account side only, resource side only
Large or small deployment? Perimeter networks required?
AD FS 2.0 Components (diagram): AD FS 2.0 server with Card Issuance, Token Issuance, Management APIs and UX, Metadata; AD FS 2.0 Proxy with Token Issuance Proxy and Metadata Proxy; Internet Client (via the proxy) and Intranet Client (direct); Configuration Database; Attribute Stores
Large Enterprise Federation Deployment (diagram): Active Directory; Configuration SQL Cluster; Intranet AD FS 2.0 Farm behind a Load Balancer; Proxy Farm in the Perimeter Network behind a Load Balancer; all intranet servers domain joined
Certificates: if it's not a typo, it's PKI; if it's not PKI, it's a typo
AD FS 2.0 certs: token signing, encryption, service communications and SSL, card signing
AD FS 2.0 Proxy certs: proxy client authentication, SSL
Summary
Details: all components are Windows components
Schedule: WIF RTM 2009-11-17; AD FS 2.0 RTM 2010-05-05; CardSpace 2.0 CTP Q2 2010
Supported platforms
AD FS 2.0: Windows Server 2008 and higher; requires .NET Framework 3.5 SP1
Windows Identity Foundation: Windows Vista, Windows Server 2003 and higher; requires .NET Framework 3.5 SP1
Windows CardSpace 2.0: Windows Vista, Windows Server 2008 and higher
AD FS 2.0 RTW 2010-05-05: http://channel9.msdn.com/shows/Identity/Active-Directory-Federation-Services-v2-Ships/ and http://www.microsoft.com/adfs
Enables a single user access model; access on-premises and in the cloud; uses standard protocols; enhanced federated identity management; available as an integrated server role; integration with Microsoft technologies; enhanced developer experience; improved administration
Features
Framework: claims programming model integrated with .NET role-based security; WS-Trust, WS-Federation; support for SharePoint 2007; Visual Studio integration (tools, templates, local development STS)
Server: easy trust setup and automatic trust management; SAML 2.0 protocol (IdP Lite, SP Lite, eGov profiles); rule-based claims transformation engine; identity delegation; AD LDS and SQL attribute store providers, custom store extensibility; support for federated Rights Management Services; PowerShell
CardSpace: small download, fast and streamlined UX; push information cards via group policy; push card selection decisions via group policy
Learn More
Online: http://www.microsoft.com/iam
Whitepapers, videos, training kits, virtual machines with step-by-step walkthrough guides
Sample scenarios: federated collaboration using SharePoint 2007; build and deploy ASP.NET web apps and WCF web services; set up access to Microsoft Online Services
Identity Developer Training Kit
Summary
Claims-based identity: an abstraction layer hides the details of identity; application logic is exposed to claims only; change details later without changing code; based on interoperable, standard protocols
AD FS 2.0, WIF, and CardSpace: server, client and framework for building claims-aware apps on the Microsoft platform; extending Active Directory and .NET to new scenarios, to reduce cost and increase security
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.