
Microsoft Official Course

Module 8

Implementing Active Directory Federation Services
Module Overview

• Overview of AD FS
• Deploying AD FS
• Implementing AD FS for a Single Organization
• Deploying AD FS in a B2B Federation Scenario
Lesson 1: Overview of AD FS

• What Is Identity Federation?
• What Is Claims-Based Identity?
• Web Services Overview
• What Is AD FS?
• How AD FS Enables SSO in a Single Organization
• How AD FS Enables SSO in a Business-to-Business Federation
• How AD FS Enables SSO with Online Services
What Is Identity Federation?

Identity Federation:
• Enables distributed identification, authentication, and authorization across organizational and platform boundaries
• Requires a federated trust relationship between two organizations or entities
• Enables organizations to retain control over who can access resources
• Enables organizations to retain control of their user and group accounts
• Can be used within a single organization
What Is Claims-Based Identity?

[Diagram: the Identity Provider's Security Token Service issues a Security Token (outgoing claims); the Application Provider's Application accepts the Security Token (incoming claims)]

Claims provide information about users. Information is provided by the user’s identity provider, and accepted by the application provider.
Web Services Overview

Web services use a set of open specifications to develop applications that can interoperate across boundaries

Web services:
• Are developed using industry standards such as XML, SOAP, WSDL, and UDDI
• Define the security specifications used by identity federation systems
• Define the SAML standard for exchanging claims between federation partners
What Is AD FS?

AD FS is the Microsoft identity federation solution that can use claims-based authentication

AD FS includes the following features:
• Web SSO
• Web services interoperability
• Passive and smart client support
• Extensible architecture
• Enhanced security

The Windows Server 2012 version of AD FS includes:
• Integration with Dynamic Access Control
• Integration with the Windows Server 2012 operating system
• New Windows PowerShell cmdlets
How AD FS Enables SSO in a Single Organization

[Diagram: an External Client reaches a Web Server through a Federation Service Proxy in the Perimeter Network; the Federation Server and AD DS Domain Controller sit in the Corporate Network; numbered steps 1 to 8 show the flow between these components]
How AD FS Enables SSO in a Business-to-Business Federation

[Diagram: Trey Research (Active Directory, Account Federation Server, Internal Client Computer) and A. Datum (Resource Federation Server, Web Server) are joined by a Federation Trust; numbered steps 1 to 11 show the flow between these components]
How AD FS Enables SSO with Online Services

[Diagram: On Premises (Active Directory, Federation Server, Client Computer) and Exchange Online (Microsoft Online Federation Server, Outlook Web App server) are joined by a Federation Trust; numbered steps 1 to 11 show the flow between these components]
Lesson 2: Deploying AD FS

• AD FS Components
• AD FS Prerequisites
• PKI and Certificate Requirements
• Federation Server Roles
• Demonstration: Installing the AD FS Server Role
AD FS Components

• Federation server
• Federation server proxy
• Claims
• Claim rules
• Attribute store
• Claims providers
• Relying parties
• Claims provider trust
• Relying party trust
• Certificates
• Endpoints
AD FS Prerequisites

Infrastructure critical to a successful AD FS deployment includes:
• TCP/IP network connectivity
• AD DS
• Attribute stores
• DNS
• Compatible operating systems
PKI and Certificate Requirements

AD FS Federation Services require:
• SSL certificate
• Service communication certificates
• Token-signing certificates
• Token-decrypting certificates

When choosing certificates, ensure that:
• The SSL certificate and service communication certificate are trusted by all federation partners and clients
• The token-signing and token-decrypting certificates are trusted by federation partners
Federation Server Roles

Claims provider federation server:
• Authenticates internal users
• Issues signed tokens containing user claims

Relying party federation server:
• Consumes tokens from the claims provider
• Issues tokens for application access

Federation server proxy:
• Is deployed in a perimeter network
• Provides a layer of security for internal federation servers
Lesson 3: Implementing AD FS for a Single Organization

• What Are AD FS Claims?
• What Are AD FS Claim Rules?
• What Is a Claims Provider Trust?
• What Is a Relying Party Trust?
• Demonstration: Configuring Claims Provider and Relying Party Trusts
What Are AD FS Claims?

Claims provide information about users from the claims provider to the relying party

AD FS:
• Provides a default set of built-in claims
• Enables the creation of custom claims
• Requires that each claim have a unique URI

Claims can be:
• Retrieved from an attribute store
• Calculated based on retrieved values
• Transformed into alternate values
What Are AD FS Claim Rules?

• Claim rules define how claims are sent and consumed by AD FS servers
• Claims provider rules are acceptance transform rules
• Relying party rules can be:
  • Issuance transform rules
  • Issuance authorization rules
  • Delegation authorization rules
• AD FS servers provide default claim rules, templates, and a syntax for creating claim rules
What Is a Claims Provider Trust?

• Claims provider trusts:
  • Are configured on the relying party federation server
  • Identify the claims provider
  • Configure the claim rules for the claims provider
• In a single organization scenario, a claims provider trust named Active Directory defines how AD DS user credentials are processed
• Additional claims provider trusts can be configured:
  • By importing the federation metadata
  • By importing a configuration file
  • By configuring the trust manually
What Is a Relying Party Trust?

• Relying party trusts:
  • Are configured on the claims provider federation server
  • Identify the relying party
  • Configure the claim rules for the relying party
• In a single organization scenario, a relying party trust defines the connection to internal applications
• Additional relying party trusts can be configured:
  • By importing the federation metadata
  • By importing a configuration file
  • By configuring the trust manually
Lesson 4: Deploying AD FS in a B2B Federation Scenario

• Configuring an Account Partner
• Configuring a Resource Partner
• Configuring Claims Rules for B2B Scenarios
• How Home Realm Discovery Works
• Demonstration: Configuring Claims Rules
Configuring an Account Partner

An account partner is a claims provider in a B2B federation scenario

To configure an account partner:
1. Implement the physical topology
2. Add an attribute store
3. Configure a relying party trust
4. Add a claim description
5. Prepare client computers for federation
Configuring a Resource Partner

A resource partner is a relying party in a B2B federation scenario

To configure a resource partner:
1. Implement the physical topology
2. Add an attribute store
3. Configure a claims provider trust
4. Create claim rule sets for the claims provider trust
Configuring Claims Rules for B2B Scenarios

• B2B scenarios may require more complex claims rules
• You can create claims rules using the following templates:
  • Send LDAP Attributes as Claims
  • Send Group Membership as a Claim
  • Pass Through or Filter an Incoming Claim
  • Transform an Incoming Claim
  • Permit or Deny Users Based on an Incoming Claim
• You can also create custom rules using the AD FS claim rule language
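Worked example added here, not part of the course material: it ties the relying party trust slide in Lesson 3 to the claim rule templates and claim rule language on this slide, using the AD FS Windows PowerShell cmdlets that Windows Server 2012 ships. The trust name, identifier, metadata URL and group SID are constructed placeholders.

```powershell
# Added example (not from the course): on the claims provider federation server,
# create a relying party trust from the partner's federation metadata, then attach
# claim rules written in the AD FS claim rule language. The trust name, identifier,
# metadata URL and group SID below are constructed placeholders.
Import-Module ADFS

Add-AdfsRelyingPartyTrust -Name "Claims App (placeholder)" `
    -Identifier "https://claimsapp.example.com/" `
    -MetadataUrl "https://claimsapp.example.com/FederationMetadata/2007-06/FederationMetadata.xml"

# Issuance transform rules decide which claims the token issued to the relying
# party carries: a Send LDAP Attributes as Claims rule, and a Transform an
# Incoming Claim rule that turns one group SID into a role claim.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send e-mail address and UPN from AD DS"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);

@RuleName = "Map the Managers group (placeholder SID) to a role claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-0000000000-0000000000-0000000000-1234", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "Manager", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@

# Issuance authorization rules run before the transform rules, on the claims as
# accepted from the claims provider, so they test the group SID rather than the
# role claim issued above. If no rule issues a permit claim, access is denied.
$authorizationRules = @'
@RuleName = "Permit only members of the Managers group (placeholder SID)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-0000000000-0000000000-0000000000-1234"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName "Claims App (placeholder)" `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# Read the trust back to confirm the rule sets that were stored.
Get-AdfsRelyingPartyTrust -Name "Claims App (placeholder)" |
    Select-Object Name, Identifier, IssuanceTransformRules, IssuanceAuthorizationRules
```

The same rule text can be pasted into the Edit Claim Rules dialog of the AD FS Management console as a custom rule; the `@RuleTemplate` line is optional metadata and only records which template the rule was derived from.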
How Home Realm Discovery Works

• Home realm discovery is required on resource partners when AD FS federations are configured with account partners
• To enable home realm discovery, you can:
  • Prompt the user for home realm information
  • Modify the URL for the web application to specify the home realm
