SIM402

Kerberos, NTLM, Basic, Digest, Forms? Federation of Identity.

Terminology
• Issuer, or IP-STS: Identity Provider (IP) plus Security Token Service (STS).
• User / Subject / Principal.
• The Security Token contains claims about the user, for example:
  • Name
  • Group membership
  • User Principal Name (UPN)
  • Email address of user
  • Email address of manager
  • Phone number
  • Other attribute values
  The token is signed by the issuer.
• The user requests a token for AppX; the STS looks the user up in Active Directory and issues a Security Token crafted for AppX. The Security Token "authenticates" the user to the application.
• AppX is the Relying party (RP) / Resource provider: a claims-aware app that trusts the Security Token from the issuer.

Single organisation: our user, our ADFS STS (backed by Active Directory) and our claims-aware app, where the app trusts the STS
1. Browse app.
2. Not authenticated: redirected to the STS.
3. Authenticate (the STS queries Active Directory for the user's attributes).
4. Return Security Token.
5. Send token to the app.
6. Return cookies and page.

Federation: partner user, partner ADFS STS & IP (with the partner's Active Directory), your ADFS STS and your claims-aware app; the app trusts your STS and your STS trusts your partner's STS
1. Browse app.
2. Not authenticated: redirect to your STS.
3. Home realm discovery.
4. Redirected to the partner STS, requesting an ST for the partner user.
5. Authenticate against the partner's Active Directory.
6. Return an ST for consumption by your STS.
7. Redirected to your STS, which processes the token.
8. Return a new ST.
9. Send token to the app.
10. Return cookies and page.

Certificates between issuer and relying party (diagram labels)
• A and B: communication certificates; the issuer holds the root for B, the relying party holds the root for A.
• C: signing the ST; the relying party holds the public key of C.
• D: encrypting the ST; the issuer holds the public key of D.

ADFS 2.0 configuration for a claims-aware application
• Define Active Directory (AD) as a claims provider.
• Define STS1 as a claims provider.
• Define APP1 as a relying party.
• Claims pipeline:
  • Specify the incoming claims that will be accepted from the claims provider and passed to the pipeline.
  • Permit: specifies the claims that will be sent to the relying party.
  • Deny: not processed.
  • Specify the users that are permitted to access the relying party.
• Each rule is a Condition followed by an Issuance statement.

Trusts between organisations
• Partner organization: partner ADFS STS & IP.
• Your organization: your ADFS STS and Relying Party x.
• Claims Trust between the partner STS and your STS; Relying Party Trust between your STS and Relying Party x.

Token processing in your ADFS STS for a partner user (ST from the partner, covered by the Claims Trust with the trusted partner)
1. The client requests a token for access to Relying Party x, presenting the ST from the partner.
2. The STS processes the Acceptance Transform Rules.
3. The STS processes the Issuance Authorization Rules.
4. If allowed, it processes the Issuance Rules and returns a token for Relying Party x.
5. If denied, processing ends.

Speaker
John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems, with a focus on security and high availability. A key player in many IT projects for industry leaders including Microsoft, the UK Government and multinationals that require optimized IT systems. He has developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory Internals, and presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars. www.xtseminars.co.uk

Resources
http://www.microsoft.com/cloud/
http://www.microsoft.com/privatecloud/
http://www.microsoft.com/windowsserver/
http://www.microsoft.com/windowsazure/
http://www.microsoft.com/systemcenter/
http://www.microsoft.com/forefront/
http://northamerica.msteched.com
www.microsoft.com/teched
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn
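The three-stage token processing the session describes (acceptance transform rules, then issuance authorization rules, then issuance rules, with a deny ending processing) as a worked simulation. This is an added example, not code from the session, from XTSeminars or from ADFS itself: the claim type names, the way rules are represented, the claims-provider name `partner-sts`, the relying party `APP1` and the sample users are constructed for illustration; only the stage order and the permit/deny semantics follow the slides.

```python
"""Simulation of the three-stage ADFS claims pipeline from the SIM402 slides.

Added example (not ADFS code). Claim type names, rule representation and the
sample tokens are constructed; the stage order and permit/deny semantics follow
the slides: a deny ends processing and no token is issued.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Claim:
    type: str    # constructed type names: "upn", "group", "email", ...
    value: str
    issuer: str  # the STS that asserted the claim, taken from the signed token


Claims = list[Claim]
Predicate = Callable[[Claims], bool]


def has(claim_type: str, value: Optional[str] = None) -> Predicate:
    """Rule condition: the claim set contains a claim of this type (and value)."""
    return lambda cs: any(
        c.type == claim_type and (value is None or c.value == value) for c in cs
    )


@dataclass
class ClaimsProviderTrust:
    """Stage 1: which claim types are accepted from this trusted issuer."""
    issuer: str
    accepted_types: frozenset[str]

    def acceptance_transform(self, incoming: Claims) -> Claims:
        # Claims not asserted by the trusted issuer, or of a type that is not
        # listed, never enter the pipeline.
        return [c for c in incoming
                if c.issuer == self.issuer and c.type in self.accepted_types]


@dataclass
class RelyingPartyTrust:
    """Stages 2 and 3 for one relying party."""
    name: str
    permit_rules: list[Predicate]
    deny_rules: list[Predicate]
    issuance_rules: list[Callable[[Claims], Claims]]

    def issuance_authorization(self, cs: Claims) -> bool:
        # A matching deny rule wins over any permit; with no matching permit
        # rule the default is deny.
        if any(rule(cs) for rule in self.deny_rules):
            return False
        return any(rule(cs) for rule in self.permit_rules)

    def issuance(self, cs: Claims) -> Claims:
        issued: Claims = []
        for rule in self.issuance_rules:
            issued.extend(rule(cs))
        return issued


def pass_through(*types: str) -> Callable[[Claims], Claims]:
    """Issuance rule: copy the listed claim types into the outgoing token."""
    return lambda cs: [c for c in cs if c.type in types]


def map_group_to_role(group: str, role: str) -> Callable[[Claims], Claims]:
    """Issuance rule: replace a group membership with an application role claim."""
    return lambda cs: [Claim("role", role, "your-sts")
                       for c in cs if c.type == "group" and c.value == group]


def process_token(incoming: Claims, cp: ClaimsProviderTrust,
                  rp: RelyingPartyTrust) -> Optional[Claims]:
    """Run the pipeline: claims for the new ST, or None when processing ends at deny."""
    accepted = cp.acceptance_transform(incoming)
    if not rp.issuance_authorization(accepted):
        return None
    return rp.issuance(accepted)


# Constructed configuration: the partner STS is a claims provider, APP1 a relying party.
PARTNER = ClaimsProviderTrust("partner-sts", frozenset({"upn", "group", "email"}))
APP1 = RelyingPartyTrust(
    name="APP1",
    permit_rules=[has("group", "Project-X")],
    deny_rules=[has("group", "Contractors")],
    issuance_rules=[pass_through("upn", "email"),
                    map_group_to_role("Project-X", "reader")],
)

# Constructed sample tokens. Alice's "phone" claim is not an accepted type and
# her "Domain Admins" claim names an untrusted issuer, so neither reaches the
# authorization stage. Bob matches a deny rule, so no token is issued for him.
ALICE = [
    Claim("upn", "alice@partner.example", "partner-sts"),
    Claim("email", "alice@partner.example", "partner-sts"),
    Claim("group", "Project-X", "partner-sts"),
    Claim("phone", "+00 000 000", "partner-sts"),
    Claim("group", "Domain Admins", "other-sts"),
]
BOB = [
    Claim("upn", "bob@partner.example", "partner-sts"),
    Claim("group", "Project-X", "partner-sts"),
    Claim("group", "Contractors", "partner-sts"),
]

if __name__ == "__main__":
    for name, token in (("alice", ALICE), ("bob", BOB)):
        result = process_token(token, PARTNER, APP1)
        print(name, "denied" if result is None
              else [(c.type, c.value) for c in result])
```

Running the module prints Alice's outgoing claims (UPN, email and a `role` claim derived from her group) and `denied` for Bob. The point worth checking in a real deployment is the first stage: a claim is only as trustworthy as the issuer that signed the token it arrived in, so the acceptance transform rules should list exactly the claim types each claims provider is allowed to assert for you.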