Claims-based identity: the players

Issuer (IP-STS): the Identity Provider (IP) and its Security Token Service (STS), backed by Active Directory.
User / Subject / Principal: requests a token for AppX from the issuer.
Security Token (ST): contains claims about the user and is signed by the issuer. For example:
• Name
• Group membership
• User Principal Name (UPN)
• Email address of user
• Email address of manager
• Phone number
• Other attribute values
The issuer issues a Security Token crafted for AppX; the Security Token "authenticates" the user to the application.
AppX: the Relying Party (RP) / Resource Provider. It trusts the Security Token from the issuer.

Federated sign-in: a partner user reaches your claims-aware app

Your claims-aware app trusts your AD FS 2.0 STS, and your STS trusts your partner's AD FS 2.0 STS (which is also the partner's IP, backed by the partner's Active Directory).
1. The partner user browses to your app.
2. The user is not authenticated, so the app redirects to your STS.
3. Home realm discovery.
4. The user is redirected to the partner STS, requesting an ST for the partner user.
5. The partner STS returns an ST for consumption by your STS.
6. The user is redirected back to your STS.
7. Your STS returns a new ST, crafted for the app.
8. The browser sends the token to the app; the app processes the token and authenticates the user.
9. The app returns cookies and the page.

Temporarily relaxing Extended Protection on the AD FS sign-in endpoint (a troubleshooting step; revert it afterwards):
appcmd.exe set config "Default Web Site/ADFS/ls" /section:system.webServer/security/authentication/windowsAuthentication /extendedProtection.tokenChecking:"None" /extendedProtection.flags:"Proxy" /commit:apphost

Decoded WS-Federation sign-in redirect URL (%2f decodes to /):
https://adfs.example.com/adfs/ls/?wa=wsignin1.0&wtrealm=https://site1.example.com/Federation/&wctx=rm=0&id=passive&ru=%2fFederation%2f&wct=2011-04-15T15:12:28Z

Trust relationships
• The user trusts the website and the STS via their SSL certificates: the certificate path is validated and the CRL is checked.
• The STS issues the ST to the user; the RP trusts the STS, and the STS trusts the claims provider (Active Directory).

Claims pipeline (step 3, on the AD FS 2.0 server)
• Claims provider (Active Directory): user logon, Event ID 4624.
• Acceptance transform rules (claims provider trust): specify the incoming claims that will be accepted from the claims provider and passed into the pipeline.
• Issuance authorization rules (relying party trust): specify the users that are permitted to access the relying party. Permit: processing continues to the issuance transform rules. Deny: the request is not processed further (Event ID 324).
• Issuance transform rules (relying party trust): specify the claims that will be sent to the relying party; the output is the ST (Event ID 299).
• Event IDs 500 and 501 record the claim sets at the input and output of the rule stages, as drawn on the slide.

Resources
• AD FS 2.0 update rollup 2
• AD FS 2.0 troubleshooting guide
• AD FS 2.0 SDK
• AD FS 2.0 content map

About the speaker

John has designed and implemented computing systems ranging from high-speed industrial controllers to distributed IT systems, with a focus on security and high availability. He has been a key player in many IT projects for industry leaders, including Microsoft, the UK Government and multinationals that require optimized IT systems. He has developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory internals, and presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars.

www.xtseminars.co.uk
http://europe.msteched.com
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn
http://europe.msteched.com/sessions
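The decoded sign-in URL from the session shows wctx carrying its own inner query string (rm, id, ru) in which ru is still encoded as %2fFederation%2f. On the wire the whole wctx value is URL-encoded once more, so ru only becomes /Federation/ after two decodes. The following Python is an added example (not code from the session or from AD FS) that reconstructs that wire form, decodes it the way a WS-Federation endpoint would, and applies the checks a hardened STS should make on the request: wa is the sign-in action, wtrealm matches a registered relying party trust, wct is fresh, and the return path in wctx is site-relative so it cannot be turned into an open redirect. The relying-party registry, the five-minute skew window, the assumed current time and the "ru must be site-relative" rule are all assumptions for the example.

```python
"""Parse and sanity-check a WS-Federation passive sign-in request (added example)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed wire-format sign-in URL. Once decoded it matches the redirect URL
# shown in the session: wctx is URL-encoded as a whole, so its inner
# ru=%2fFederation%2f is encoded twice (%252f) and becomes "/Federation/" only
# after two decodes.
WIRE_SIGNIN_URL = (
    "https://adfs.example.com/adfs/ls/?wa=wsignin1.0"
    "&wtrealm=https%3a%2f%2fsite1.example.com%2fFederation%2f"
    "&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fFederation%252f"
    "&wct=2011-04-15T15%3a12%3a28Z"
)

# Hypothetical relying-party registry: realms this STS has a relying party trust for.
KNOWN_REALMS = {"https://site1.example.com/Federation/"}
MAX_WCT_SKEW = timedelta(minutes=5)  # assumed tolerance for the wct timestamp
# Assumed "current time" for the worked example, just after the wct on the slide.
SAMPLE_NOW = datetime(2011, 4, 15, 15, 13, 0, tzinfo=timezone.utc)


def _single(qs, name):
    """Return the one value of a query parameter, or None if absent or repeated."""
    values = qs.get(name, [])
    return values[0] if len(values) == 1 else None


def parse_signin_request(url):
    """Decode wa, wtrealm, wct and the inner fields of wctx from a sign-in URL."""
    outer = parse_qs(urlsplit(url).query, keep_blank_values=True)
    wctx_raw = _single(outer, "wctx") or ""
    # wctx is opaque to the protocol, but the WIF module packs rm/id/ru into it
    # as a second query string, so decode it the same way once more.
    inner = parse_qs(wctx_raw, keep_blank_values=True)
    return {
        "wa": _single(outer, "wa"),
        "wtrealm": _single(outer, "wtrealm"),
        "wct": _single(outer, "wct"),
        "wctx": {k: v[0] for k, v in inner.items() if len(v) == 1},
    }


def validate_signin_request(url, now, known_realms=KNOWN_REALMS):
    """Return (ok, reason). Rejects an unknown realm, a stale or malformed wct and a
    non-relative return path in wctx (assumption: WIF only ever places a
    site-relative path in ru, so anything else is an open-redirect attempt)."""
    req = parse_signin_request(url)
    if req["wa"] != "wsignin1.0":
        return False, "unsupported wa action"
    if req["wtrealm"] not in known_realms:
        return False, "unknown wtrealm"
    try:
        wct = datetime.strptime(req["wct"] or "", "%Y-%m-%dT%H:%M:%SZ")
        wct = wct.replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "wct missing or malformed"
    if abs(now - wct) > MAX_WCT_SKEW:
        return False, "wct outside allowed skew"
    ru = req["wctx"].get("ru", "/")
    if not ru.startswith("/") or ru.startswith("//") or ru.startswith("/\\"):
        return False, "wctx ru must be a site-relative path"
    return True, "ok"


if __name__ == "__main__":
    print(parse_signin_request(WIRE_SIGNIN_URL))
    print(validate_signin_request(WIRE_SIGNIN_URL, SAMPLE_NOW))
```

The same double decoding is why a log or proxy trace of the wctx parameter can look "still encoded" even after one pass through a URL decoder; the ru value on the slide is exactly that intermediate form.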
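The claims pipeline described in the session has three rule stages: acceptance transform rules on the claims provider trust, then issuance authorization rules and issuance transform rules on the relying party trust, with a Deny outcome stopping processing. The following Python is an added example (not AD FS code and not from the session) that models those stages with small rule functions whose comments give the equivalent AD FS claim rule language. The rule sets, the two users and their Active Directory claims are constructed for the example; the claim type URIs are the ones AD FS 2.0 uses for the attributes listed on the slide. It simplifies AD FS in one respect, noted in the code: every rule sees the same input set rather than claims added by earlier rules.

```python
"""Model of the AD FS 2.0 claims pipeline stages (added example, not AD FS code)."""
from collections import namedtuple

Claim = namedtuple("Claim", "type value")

# Claim type URIs used by AD FS 2.0 for attributes listed on the slide.
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GROUP = "http://schemas.xmlsoap.org/claims/Group"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"


def pass_through(claim_type):
    """Transform rule:  c:[Type == claim_type] => issue(claim = c);"""
    return lambda c: [c] if c.type == claim_type else []


def group_to_role(group, role):
    """Transform rule:  c:[Type == GROUP, Value == group]
                        => issue(Type = ROLE, Value = role);"""
    return lambda c: [Claim(ROLE, role)] if c == Claim(GROUP, group) else []


def permit_if(claim_type, value):
    """Authorization rule issuing a Permit when the claim is present."""
    return lambda c: "permit" if c == Claim(claim_type, value) else None


def deny_if(claim_type, value):
    """Authorization rule issuing a Deny when the claim is present."""
    return lambda c: "deny" if c == Claim(claim_type, value) else None


def apply_transform(claims, rules):
    """Run transform rules over the input set; only claims a rule issues survive.
    Simplification: every rule sees the same input set (AD FS also lets later
    rules see claims that earlier rules 'add' to the pipeline)."""
    issued = []
    for rule in rules:
        for claim in claims:
            for out in rule(claim):
                if out not in issued:
                    issued.append(out)
    return issued


def authorize(claims, rules):
    """Issuance authorization: any Deny wins; otherwise at least one Permit is required."""
    decisions = {rule(claim) for rule in rules for claim in claims} - {None}
    if "deny" in decisions:
        return "deny"
    return "permit" if "permit" in decisions else "deny"


def run_pipeline(incoming, acceptance_rules, authorization_rules, issuance_rules):
    """Claims provider trust (acceptance transform) -> relying party trust
    (issuance authorization, then issuance transform).
    Returns (decision, issued_claims, trace)."""
    trace = []
    accepted = apply_transform(incoming, acceptance_rules)
    trace.append(("acceptance transform", accepted))
    decision = authorize(accepted, authorization_rules)
    trace.append(("issuance authorization", decision))
    if decision == "deny":
        # Deny: the issuance transform rules are not processed and no token is issued.
        trace.append(("issuance transform", "not processed"))
        return decision, [], trace
    issued = apply_transform(accepted, issuance_rules)
    trace.append(("issuance transform", issued))
    return decision, issued, trace


# Hypothetical rule sets, constructed for this example.
ACCEPTANCE = [pass_through(UPN), pass_through(GROUP)]   # e-mail is not accepted
AUTHORIZATION = [permit_if(GROUP, "AppX Users"), deny_if(GROUP, "Contractors")]
ISSUANCE = [pass_through(UPN), group_to_role("AppX Users", "AppXUser")]

# Constructed claims as Active Directory (the claims provider) would supply them.
ALICE = [Claim(UPN, "alice@example.com"), Claim(EMAIL, "alice@example.com"),
         Claim(GROUP, "AppX Users")]
BOB = [Claim(UPN, "bob@example.com"), Claim(GROUP, "AppX Users"),
       Claim(GROUP, "Contractors")]


def issue_for(user_claims):
    """Run the example pipeline for one user's incoming claims."""
    return run_pipeline(user_claims, ACCEPTANCE, AUTHORIZATION, ISSUANCE)


if __name__ == "__main__":
    for who in (ALICE, BOB):
        decision, issued, trace = issue_for(who)
        print(decision, issued)
        for stage, result in trace:
            print("   ", stage, "->", result)
```

Alice is permitted and receives only her UPN and a role claim: her e-mail never entered the pipeline because no acceptance rule passed it through, which is the point of the acceptance stage. Bob carries both a permitting and a denying group, and the Deny wins, so the issuance transform rules never run and no token is built.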