
Microsoft Jump Start ®

M12: Implementing Active Directory Federation Services

Rick Claus | Technical Evangelist | Microsoft
Ed Liberman | Technical Trainer | Train Signal

Jump Start Target Agenda | Day One

Day 1
Module 1: Installing and Configuring Servers Based on Windows Server 2012
Module 2: Monitoring and Maintaining Windows Server 2012
Module 3: Managing Windows Server 2012 by Using PowerShell 3.0
- MEAL BREAK -
Module 4: Managing Storage for Windows Server 2012
Module 5: Implementing Network Services
Module 6: Implementing Direct Access

Day 2
Module 7: Implementing Failover Clustering
Module 8: Implementing Hyper-V
Module 9: Implementing Failover Clustering with Hyper-V
- MEAL BREAK -
Module 10: Implementing Dynamic Access Control
Module 11: Implementing Active Directory Domain Services
Module 12: Implementing Active Directory Federation Services

Module Overview

• Overview of Active Directory Federation Services
• Deploying Active Directory Federation Services
• Implementing AD FS for a Single Organization
• Deploying AD FS in a Business to Business Federation Scenario

What Is Identity Federation?

• Enables distributed identification, authentication, and authorization across organizational and platform boundaries.
• Requires a federated trust relationship between two organizations or entities.
• Enables organizations to retain control over who can access resources.
• Enables organizations to retain control of their user and group accounts.

What is Claims-Based Identity?

[Diagram: an Identity Provider running a Security Token Service, and an Application Provider hosting the Application]

Claims provide information about users who the identity provider authenticates, and which the application provider accepts.

Web Services Overview

Web services use a set of open specifications to develop applications that can interoperate across boundaries

• Are developed using industry standards such as XML, SOAP, WSDL, and UDDI
• Define the security specifications used by Identity Federation systems
• Define the SAML standard for exchanging claims between federation partners

What Is AD FS?

AD FS is the Microsoft identity federation solution that can use claims-based authentication

• AD FS includes the following features:
  – Web SSO
  – Web services interoperability
  – Support for passive and smart clients
  – Extensible architecture
  – Enhanced security

AD FS and SSO in a Single Organization

[Diagram: numbered flow (steps 1-8) between an External Client, a Web Server, a Federation Service Proxy in the Perimeter Network, and a Federation Server and AD DS Domain Controller in the Corporate Network]

AD FS and SSO in a B2B Federation

[Diagram: numbered flow (steps 1-11) between an Internal Client Computer, Active Directory and the Account Federation Server at Trey Research, a Federation Trust, and the Resource Federation Server and Web Server at A. Datum]

AD FS and SSO with Online Services

[Diagram: numbered flow (steps 1-11) between a Client Computer, Active Directory and the on-premises Federation Server, a Federation Trust to the Microsoft Online Federation Server, and the Outlook Web App server in Exchange Online]

AD FS Components

• Federation Server
• Federation Server Proxy
• Claims
• Claim Rules
• Attribute Store
• Claims Providers
• Relying Parties
• Claims Provider Trust
• Relying Party Trust
• Certificates
• Endpoints

AD FS Prerequisites

Infrastructure critical to a successful AD FS deployment includes:
• TCP/IP network connectivity
• AD DS
• Attribute stores
• DNS
• Compatible operating systems

PKI and Certificate Requirements

• AD FS federation services require:
  – Service Communication Certificates
  – Token-Signing Certificates
  – Token-Decrypting Certificates

• When choosing certificates, ensure that the Service Communication Certificate and the Token-Signing Certificate are trusted by all federation partners and clients

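The check a practitioner would run against the three certificate roles above, as an added example that is not part of the slide deck; it uses the AD FS PowerShell module on a federation server, and the 30-day warning threshold is an assumed value:

```powershell
# Added example (not from the slide deck): inventory the three AD FS certificate
# roles on a federation server and flag any that are expiring or that fail chain
# validation. The 30-day warning threshold is an assumed value.
Import-Module ADFS
$warnDays = 30

$report = Get-AdfsCertificate | ForEach-Object {
    $cert = $_.Certificate            # X509Certificate2 behind this AD FS role
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    # Verify() builds and validates the chain against this server's trust store.
    # A self-signed token-signing certificate fails this; that is expected, because
    # partners trust it through federation metadata rather than through a CA.
    $chainOk = $cert.Verify()
    if ($daysLeft -le 0) { $status = 'EXPIRED' }
    elseif ($daysLeft -le $warnDays) { $status = 'EXPIRING' }
    else { $status = 'OK' }
    [pscustomobject]@{
        Role       = $_.CertificateType   # Service-Communications, Token-Signing or Token-Decrypting
        IsPrimary  = $_.IsPrimary
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        ChainOk    = $chainOk
        Status     = $status
    }
}
$report | Format-Table -AutoSize

# Token-signing and token-decrypting certificates are self-signed and rolled over
# automatically by default; partners keep trusting the new ones only if they
# monitor this server's federation metadata. Service communication certificates
# are never rolled over automatically and must be renewed by hand.
$props = Get-AdfsProperties
"AutoCertificateRollover: $($props.AutoCertificateRollover)"
"Federation metadata URL: https://$($props.HostName)/FederationMetadata/2007-06/FederationMetadata.xml"
```

A ChainOk of False on the service communication certificate is the finding that matters, since that is the one clients and partners validate against a CA.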
Federation Server Roles

AD FS Server Role and Description

Claims Provider federation server
  – Authenticates internal users
  – Issues signed tokens containing user claims
Relying Party federation server
  – Consumes tokens from the Claims Provider
  – Issues tokens for application access
Federation server proxy
  – Deployed in a perimeter network
  – Provides a layer of security for internal federation servers

DEMO: Installing the AD FS Server Role

• In this demonstration, you will see how to install and configure the AD FS server role

What are AD FS Claims?

Claims are used to provide information about users from the Claims Provider to the Relying Party

• AD FS:
  – Provides a default set of built-in claims
  – Enables the creation of custom claims
  – Requires that each claim have a unique URI

• Claims can be:
  – Retrieved from an attribute store
  – Calculated based on retrieved values
  – Transformed into alternate values

What Are AD FS Claim Rules?

• Claims rules define how claims are sent and consumed by AD FS servers
• Claims provider rules are acceptance transform rules
• Relying party rules can be:
  – Issuance transform rules
  – Issuance authorization rules
  – Delegation authorization rules

• AD FS servers provide default claims rules, templates and a syntax for creating claims rules

What Is a Claims Provider Trust?

• Claims provider trusts:
  – Are configured on the relying party federation server
  – Identify the claims provider
  – Configure the claims rules for the claims provider

• In a single organization scenario, a claims provider trust called Active Directory defines how AD DS user credentials are processed
• Additional claims provider trusts can be configured:
  – By importing the federation metadata
  – By importing a configuration file
  – By manually configuring the trust

What is a Relying Party Trust?

• Relying party trusts:
  – Are configured on the claims provider federation server
  – Identify the relying party
  – Configure the claims rules for the relying party

• In a single organization scenario, a relying party trust defines the connection to internal applications
• Additional relying party trusts can be configured:
  – By importing the federation metadata
  – By importing a configuration file
  – By manually configuring the trust

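The two trust types from the last two slides, created by importing metadata and by manual configuration, as an added example that is not part of the slide deck; trust names, host names and URLs are hypothetical placeholders, and Trey Research is taken as the account partner and A. Datum as the resource partner, as in the B2B diagram:

```powershell
# Added example (not from the slide deck): creating both trust types with the AD FS
# PowerShell module. Trust names, host names and URLs are hypothetical placeholders;
# Trey Research is the account partner and A. Datum the resource partner, as in the
# B2B diagram.
Import-Module ADFS

# Relying party trust for an internal application, configured on A. Datum's
# federation server. Importing federation metadata brings in the identifier, the
# endpoints and the application's certificates in one step, and monitoring keeps
# them current when the application rotates its certificates.
Add-AdfsRelyingPartyTrust -Name "A. Datum Project Portal" `
    -MetadataUrl "https://portal.adatum.example/FederationMetadata/2007-06/FederationMetadata.xml" `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# The same trust type configured manually, for an application that publishes no
# metadata. Only the identifier and the passive (WS-Federation) endpoint are
# supplied here; token encryption would additionally need -EncryptionCertificate.
Add-AdfsRelyingPartyTrust -Name "Legacy Claims App" `
    -Identifier "https://legacy.adatum.example/" `
    -WSFedEndpoint "https://legacy.adatum.example/"

# Claims provider trust for the account partner, also configured on A. Datum's
# (relying party) federation server, pointing at Trey Research's metadata.
Add-AdfsClaimsProviderTrust -Name "Trey Research" `
    -MetadataUrl "https://sts.treyresearch.example/FederationMetadata/2007-06/FederationMetadata.xml" `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Check what was created: identifiers are what tokens are scoped to, so an
# unexpected identifier or a disabled monitor is worth noticing here.
Get-AdfsRelyingPartyTrust   | Select-Object Name, Identifier, MonitoringEnabled, Enabled
Get-AdfsClaimsProviderTrust | Select-Object Name, Identifier, MonitoringEnabled, Enabled
```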
DEMO: Configuring Claims Provider and Relying Party Trusts

• In this demonstration, you will see how to:
  – Configure a claims provider trust
  – Configure a Windows Identity Framework application for AD FS
  – Configure a relying party trust

Configuring an Account Partner

• An account partner is a claims provider in a B2B federation scenario

• To configure an account partner:
  1. Implement the physical topology
  2. Add an attribute store
  3. Configure a relying party trust
  4. Add a claim description
  5. Prepare client computers for federation

Configuring a Resource Partner

A resource partner is a relying party in a B2B federation scenario

To configure a relying party:
  1. Implement the physical topology
  2. Add an attribute store
  3. Configure a claims provider trust
  4. Create claim rule sets for the claims provider trust

Configuring Claims Rules for Business to Business Scenarios

• Organization to organization scenarios may require more complex claims rules
• You can create claims rules by using the following templates:
  – Send LDAP attributes as claims
  – Send group membership as a claim
  – Pass through or filter an incoming claim
  – Transform an incoming claim
  – Permit or deny users based on an incoming claim

• You can also create custom rules by using the AD FS Claim Rule Language

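Custom rules in the AD FS Claim Rule Language covering four of the templates above (send LDAP attributes, pass through or filter, transform, permit), applied to the resource partner's relying party trust, as an added example that is not part of the slide deck. The trust name, group name and e-mail domain are hypothetical placeholders, and it assumes the Trey Research claims provider trust's acceptance rules pass the partner's e-mail and group claims through.

```powershell
# Added example (not from the slide deck): custom claim rules for the relying party
# trust on the resource partner (A. Datum), written in the AD FS Claim Rule Language
# and applied with PowerShell. The trust name, group name and e-mail domain are
# hypothetical placeholders.
Import-Module ADFS
$rpName = "A. Datum Project Portal"

# Issuance transform rules decide which claims the application receives.
$transform = @'
@RuleName = "Pass through e-mail, filtered to the partner's own domain"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value =~ "^[^@]+@treyresearch\.example$"]
 => issue(claim = c);

@RuleName = "Transform the partner's group claim into an application role"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "Project Readers"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Reader", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);

@RuleName = "Send LDAP attributes as claims for A. Datum's own AD DS users"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/claims/Group"), query = ";mail,tokenGroups;{0}", param = c.Value);
'@

# Issuance authorization rules decide who gets a token at all. They run on the
# claims accepted from the claims provider trust, before the transform rules, so
# they must match incoming claims (the partner's group, or the local AD account),
# not claims the transform rules produce. With no permit rule, everyone is denied.
$authz = @'
@RuleName = "Permit Trey Research users who are in the Project Readers group"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)Project Readers$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Permit users authenticated by A. Datum's own AD DS"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transform -IssuanceAuthorizationRules $authz

# Read the rule sets back to confirm what is now in force for the trust.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object -ExpandProperty IssuanceAuthorizationRules
```

The filter on the e-mail claim is the defensive part: without it, a partner federation server could assert any address, including ones in A. Datum's own domain.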
How Home Realm Discovery Works

Home realm discovery is required on the resource partner when it has configured AD FS federations with account partners

• To enable home realm discovery, you can:
  – Prompt the user for home realm information
  – Modify the URL for the web application to specify the home realm
  – Configure a SAML profile called IdPInitiated SSO to direct users to the account partner site first

DEMO: Configuring Claims Rules

• In this demonstration, you will see how to configure claims rules

Microsoft Jump Start ®

BONUS SESSION
