This document discusses establishing federated interoperability between Active Directory Federation Services (ADFS) and Shibboleth identity providers. It provides overviews of ADFS, Shibboleth, and Windows Live ID technologies. Configuration details are described for enabling ADFS to act as a relying party and Shibboleth to act as an identity provider. Demonstrations show a Shibboleth user accessing a sample application and a SharePoint portal through the federated systems, and passing Windows Live ID claims through Shibboleth to generate access tokens. The document concludes the interoperability was achieved with straightforward configurations and no custom software.

1. Active Directory Federation Services
Cross-Platform Interoperability
Windows Live@Edu – ADFS/Shibboleth

2. Agenda
Introduction

Project Background

Missouri, Oxford & Microsoft

Things we’ll cover:

Overview of Technologies

ADFS/Shibboleth Interoperability Demos


3. Project Background
Based on OCG White Paper:

Achieving interoperability between Active Directory Federation

Services (ADFS) and Shibboleth
Demonstrate interoperability between ADFS and

Shibboleth System 1.3c Release
Using ADFS plug-in for SAML 1.1 Identity and Service Providers

Support for WS-Federation Passive Requestor Interoperability Profile

Demonstrate interoperability with sample applications

- Microsoft Office SharePoint Server 2007 and Windows Live IDs

4. Technology Overview
Shibboleth

Standards-based, Open Source Middleware Software

Project of Internet2/MACE (Middleware Architecture Committee for

Education)
Internet2 – U.S. Advanced Networking Consortium led by the

education and research community (universities, partners,
laboratories, government agencies, etc.)
URL: http://shibboleth.internet2.edu/about.html

Implements the OASIS SAML v1.1 specification

December 2005 - Extension for ADFS support is developed

Implemented in Shibboleth versions 1.3.c and later

Platforms include: UNIX (Solaris, etc.), Linux (Fedora, Ubuntu, etc.),

Mac OS-X

5. Show of Hands
How many schools have a websso?

 How many use CAS?
 Pubcookie?
 Something else?
How many have a Shibboleth?

How many have ADFS?

How many run a websso & Shib or ADFS?

Does anyone run both ADFS & Shib?


6. Project Credits
Project Sponsors

Walter Harp, Microsoft Corporation

John DuBois, Microsoft Corporation

Credits and Contributions

Ryan Woodsmall, University of Missouri

Brian Dourty, University of Missouri

Edward D. McKinzie, University of Missouri

Bryan W. Roesslet, University of Missouri

Randy Wiemer, University of Missouri

Chris Calderon, Oxford Computer Group

Jim Muir, Oxford Computer Group


7. Technology Overview
Active Directory Federation Services (ADFS)

First introduced in Windows Server 2003 R2 to provide “Identity

Federation”
 Projecting user identity from a single logon…
 Providing single identity based entitlements…
 Connecting islands (across security, organizational or platform
boundaries)
 Result: Web single sign-on & simplified identity management
Web Services and WS-* Security Standards

Specifically implementing the WS-Federation and WS-Federation

Passive Requestor Profile specifications

8. Language Translation

9. Demonstration Overview
Establishing Federated Interoperability between ADFS
(Relying Party) and Shibboleth (Identity Provider)
Demonstration 2:
Shib.org User will access MOSS 2007
Extranet Portal.
Demonstration 1:
Shib.org User will access Sample Claims-
App that will display the set of claims,
associated with that user.

10. Configuration Details
ADFS Configuration Policy Requirements

Federation Service URI – This uniquely identifies a federated partner

Federation Service endpoint URL – The URL that partner organizations to send

requests and responses.
Token Signing Certificate – Relying Party requires a signing certificate that is used to

by the Identity Providers to digitally sign message exchanges.
ADFS Management Console - This is the primary management console for

administrative management of Account Partners (Identity Providers)

11. Configuration Details
Shibboleth Configuration Requirements

XML Metadata - Trust Policy Configuration
 idp.xml – (The main configuration file for the identity provider.)
Configures the Shibboleth ADFS extension

Provides key information for relying parties

Adds reference mapping support for identity claims (i.e. MS UPNs)

Adds the XML attribute namespace=http://schema.xmlsoap.org/claims to attribute definitions in

resolver.xml for any attributes that should be sent to ADFS providers.
resolver.xml – (Attribute extraction)

Defines the connection to attribute store

arp.site.xml– (Attribute release policy)

Defines which attributes are available to relying parties

Controls (Permits/Denies) attribute release rules


12. Demonstration Overview
Windows Live ID/Passport Interoperability
Demonstration 3:
Shib.org User access Windows Live@edu
by passing WLID through claims to generate
SLT. The Identity Provider (IdP) acts as the
Windows Live Account Store.

13. Configuration Details
Windows Live ID Interoperability

WLIDs (Short-live Tokens) – Can be used to further extending SSO into

Web Applications.
Benefits:

Windows Live ID users can access resources typically only available

only for AD accounts (SharePoint Sites, etc.)
Applications do not need to implement any Windows Live ID code

Single Account Management (instead of AD and Windows Live)


14. Summary
Successfully demonstrated the interoperability between

ADFS and Shibboleth:
Straight forward configurations

No special software or customization required by either party.

Language Translation (Understanding component relations of each

technology)
Lessons learned

Federating with Windows Live IDs

Microsoft Office SharePoint Server 2007 Compatibility
