AD FS 2 & Claims-Based Identity
Laura E. Hunter, Identity Lady, AD FS Zealot
laura.hunter@lhaconsulting.com | http://www.shutuplaura.com | @adfskitteh
The Problem? We Lack a Consistent Identity Layer for Applications
The Result? Hard-coded dependencies, “continuous wheel re-invention”, resistance to change
LDAP://dc1.bigfirm.com/ou=FTEs,dc=bigfirm,dc=com
filter = (&(objectClass=user)(|(sn=*smith*)(displayName=*smith*)(givenName=*smith*)(cn=*smith*)))
How many different ways can you authenticate to an app?
Managing Application Identity – First Principles
1. Identify the Caller
2. Extract Information for AuthZ & Personalization
Windows Integrated Authentication Does Active Directory work everywhere?
What’s the Solution?
So What’s a Claim?
“I am a member of the Marketing group”
“My email address is …”
“I am over 21 years of age”
Populated using information from AD / ADAM / AD LDS / SQL; expressed using the SAML format
Abridged SAML Token (Don’t Squint, Just Get the Big Idea!)
<saml:Assertion AssertionID="..." IssueInstant="2006-07-11T03:15:40Z" Issuer="https://adatum-dc1.adatum.com">
  <saml:Conditions NotBefore="2006-07-11T03:15:40Z" NotOnOrAfter="2006-07-11T04:15:40Z">
    <saml:Audience>https://contoso-dc1.contoso.com</saml:Audience>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2006-07-11T03:15:40Z" AuthenticationMethod="urn:federation:authentication:windows">
    <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">adamcar@adatum.com</saml:NameIdentifier>
  </saml:AuthenticationStatement>
  <saml:Attribute AttributeName="Group">
    <saml:AttributeValue>Administrators</saml:AttributeValue>
  </saml:Attribute>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">ab315cdff14d</Signature>
</saml:Assertion>
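What the resource partner does with a token like this, as an added example that is not part of the deck: the relying-party checks that turn the "first principles" slide into code (trusted issuer, signed, inside its validity window, issued for this application), followed by extraction of the UPN and Group claims for authorization. The sample assertion is constructed from the slide's values with a saml namespace declaration added so it parses; the trusted-issuer set and audience URI are assumed relying-party configuration, and XML-DSig verification is out of scope here.

```python
"""Relying-party (resource side) checks on an abridged SAML 1.1 assertion like the
one on the slide. Added example, not from the deck. XML-DSig verification is out of
scope and is represented only by a presence check on the Signature element."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
UPN_FORMAT = "http://schemas.xmlsoap.org/claims/UPN"

# Assumed relying-party configuration: who we trust to mint tokens, and our own URI.
TRUSTED_ISSUERS = {"https://adatum-dc1.adatum.com"}
MY_AUDIENCE = "https://contoso-dc1.contoso.com"

# Constructed sample built from the slide's values; the saml namespace declaration
# is added so a namespace-aware parser accepts it. Still abridged, not a full token.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" AssertionID="_constructed-1"
    IssueInstant="2006-07-11T03:15:40Z" Issuer="https://adatum-dc1.adatum.com">
  <saml:Conditions NotBefore="2006-07-11T03:15:40Z" NotOnOrAfter="2006-07-11T04:15:40Z">
    <saml:Audience>https://contoso-dc1.contoso.com</saml:Audience>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2006-07-11T03:15:40Z"
      AuthenticationMethod="urn:federation:authentication:windows">
    <saml:NameIdentifier Format="{UPN_FORMAT}">adamcar@adatum.com</saml:NameIdentifier>
  </saml:AuthenticationStatement>
  <saml:Attribute AttributeName="Group">
    <saml:AttributeValue>Administrators</saml:AttributeValue>
  </saml:Attribute>
  <Signature xmlns="{DSIG}">ab315cdff14d</Signature>
</saml:Assertion>"""

# Same token with the Signature element removed, to exercise the unsigned-token path.
UNSIGNED_ASSERTION = SAMPLE_ASSERTION.replace(
    f'<Signature xmlns="{DSIG}">ab315cdff14d</Signature>', "")


def parse_saml_time(value):
    """Parse the UTC 'Z' timestamps SAML uses into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, my_audience, now):
    """Return (accepted, reason, claims).

    Follows the deck's first principles: identify the caller (trusted issuer,
    signed token, valid window, right audience), then extract the claims the
    application needs for authorization and personalization."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion":
        return False, "not a SAML 1.x assertion", {}

    issuer = root.get("Issuer")
    if issuer not in trusted_issuers:
        return False, f"untrusted issuer {issuer!r}", {}

    # An unsigned assertion proves nothing about who minted it. Production code
    # verifies the XML-DSig here against the issuer's published signing certificate.
    if root.find(f"{{{DSIG}}}Signature") is None:
        return False, "assertion is not signed", {}

    cond = root.find(f"{{{SAML}}}Conditions")
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return False, "assertion has no validity window", {}
    # NotOnOrAfter is exclusive: a token is already stale at that exact instant.
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        return False, "assertion outside its validity window", {}

    # A token minted for another relying party must not be accepted here, even
    # though it comes from an issuer we trust.
    audiences = [(a.text or "").strip() for a in cond.iter(f"{{{SAML}}}Audience")]
    if my_audience not in audiences:
        return False, "assertion was issued for a different audience", {}

    claims = {}
    for nid in root.iter(f"{{{SAML}}}NameIdentifier"):
        claims[nid.get("Format", "NameIdentifier")] = (nid.text or "").strip()
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        values = [(v.text or "").strip() for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        claims.setdefault(attr.get("AttributeName"), []).extend(values)
    return True, "ok", claims


def is_member(claims, group):
    """AuthZ helper: does the Group claim carry the requested value?"""
    return group in claims.get("Group", [])


if __name__ == "__main__":
    now = parse_saml_time("2006-07-11T03:30:00Z")  # inside the one-hour window
    ok, reason, claims = validate_assertion(SAMPLE_ASSERTION, TRUSTED_ISSUERS, MY_AUDIENCE, now)
    print(ok, reason, claims.get(UPN_FORMAT), is_member(claims, "Administrators"))
```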
AD FS is all about the apps!
What is this… “claims-aware” application of which you speak?
Standards-based: WS-Federation, WS-Trust, SAML 2.0
Use cases: WebSSO, Web Services (WCF)
What Can I do with this?
Application Access in a Single Org
Federated Application Access (diagram): Account Partner (ADATUM, A. Datum account forest) linked by a federation trust to Resource Partner (CONTOSO, Trey Research resource forest)
SSO to Service Providers
Cloudy with a Chance of Federation
So what does it look like?
WS-Fed Passive Profile (diagram): Account Partner (users, A. Datum account forest) linked by a federation trust to Resource Partner (resource, Trey Research resource forest)
Something lost, something gained… What about passwords? What about deprovisioning?
Liberty Alliance Results… AD FS 2 SAML 2.0 interop testing with Entrust, IBM, Novell, Ping, SAP, Siemens
Profiles tested: IdP Lite, SP Lite, eGov 1.5
Matrix testing results: http://www.projectliberty.org/liberty/liberty_interoperable/implementations/saml_2_0_test_procedure_v3_2_2_full_matrix_implementation_table_q309/
If you remember nothing else but this…
I want the integrity of your users’ identity information when they access my resources…
…to be at least as good…
…as the integrity of your users’ identity information when they access your resources.
AD FS 2.0 Availability, Pricing
AD FS components are Windows components: no additional server software costs …but it’s all about the apps!
AD FS v2 (was “Geneva”): Release Candidate available now; RTM… “soon”
Windows Identity Foundation (.NET developer platform): free download, available now!
AD Cookbook, 3rd Edition: best-selling Active Directory title
What’s New? Windows Server 2008 coverage: Read Only Domain Controllers (RODCs), Fine Grained Password Policies (FGPPs), Exchange 2007 integration & scripting, Identity Lifecycle Manager 2007, Windows PowerShell & Active Directory .NET programming, new user interface features
Always more than one way! Learn more: http://oreilly.com/catalog/9780596521103/
Thank You! mailto: laura.hunter@lhaconsulting.com blog: http://www.shutuplaura.com twitter: @adfskitteh

Vector Databases 101 - An introduction to the world of Vector Databases
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 

AD FS 2 & Claims-Based Identity

  • 1. AD FS 2 & Claims-Based Identity Laura E. Hunter Identity Lady, AD FS Zealot laura.hunter@lhaconsulting.com http://www.shutuplaura.com @adfskitteh
  • 2. The Problem? We Lack a Consistent Identity Layer for Applications
  • 3. The Result? Hard-coded dependencies, “Continuous Wheel Re-Invention”, Resistance to Change
  • 6. How many different ways can you authenticate to an app?
  • 7. Managing Application Identity – First Principles 1. Identify the Caller 2. Extract Information for AuthZ & Personalization
  • 8. Windows Integrated Authentication Does Active Directory work everywhere?
  • 12. So What’s a Claim? “I am a member of the Marketing group” “My email address is …” “I am over 21 years of age” Populated using information from AD/ADAM/AD LDS, SQL. Expressed using the SAML format.
  • 13. Abridged SAML Token (Don’t Squint, Just Get the Big Idea!)
      <saml:Assertion AssertionID="..." IssueInstant="2006-07-11T03:15:40Z" Issuer="https://adatum-dc1.adatum.com">
        <saml:Conditions NotBefore="2006-07-11T03:15:40Z" NotOnOrAfter="2006-07-11T04:15:40Z">
          <saml:Audience>https://contoso-dc1.contoso.com</saml:Audience>
        </saml:Conditions>
        <saml:AuthenticationStatement AuthenticationInstant="2006-07-11T03:15:40Z" AuthenticationMethod="urn:federation:authentication:windows">
          <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">adamcar@adatum.com</saml:NameIdentifier>
        </saml:AuthenticationStatement>
        <saml:Attribute AttributeName="Group">
          <saml:AttributeValue>Administrators</saml:AttributeValue>
        </saml:Attribute>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">ab315cdff14d</Signature>
      </saml:Assertion>
  • 14. AD FS is all about the apps!
  • 15. What is this…“claims-aware” application of which you speak? Standards-based: WS-Federation, WS-Trust, SAML 2.0. Use cases: WebSSO, Web Services (WCF).
  • 16. What Can I do with this?
  • 17. Application Access in a Single Org
  • 18. Federated Application Access: Account Partner (ADATUM) and Resource Partner (CONTOSO); A. Datum Account Forest, Trey Research Resource Forest, Federation Trust
  • 19. SSO to Service Providers
  • 20. Cloudy with a Chance of Federation
  • 21. So what does it look like?
  • 22. WS-Fed Passive Profile: Account Partner (Users) and Resource Partner (Resource); A. Datum Account Forest, Trey Research Resource Forest, Federation Trust
  • 23. Something lost, something gained… What about passwords? What about deprovisioning?
  • 24. Liberty Alliance Results… ADFS 2 SAML 2.0 Interop Testing with Entrust, IBM, Novell, Ping, SAP, Siemens. IdP Lite, SP Lite, EGov 1.5. Matrix testing results: http://www.projectliberty.org/liberty/liberty_interoperable/implementations/saml_2_0_test_procedure_v3_2_2_full_matrix_implementation_table_q309/
  • 26. If you remember nothing else but this…
  • 27. I want the integrity of your users’ identity information when they access my resources…
  • 28. …to be at least as good…
  • 29. as the integrity of your users’ identity information when they access your resources.
  • 30. AD FS 2.0 Availability, Pricing: AD FS components are Windows components, so no additional server software costs …but it’s all about the apps! AD FS v2 (was “Geneva”): Release Candidate available now, RTM…“Soon”. Windows Identity Foundation (.NET Developer Platform): free download, available now!
  • 31. AD Cookbook, 3rd Edition: best selling Active Directory title. What’s New? Windows Server 2008 coverage: Read Only Domain Controllers (RODCs), Fine Grained Password Policies (FGPPs), Exchange 2007 integration & scripting, Identity Lifecycle Manager 2007, Windows PowerShell & Active Directory, .NET programming, new user interface features. Always more than one way! Learn More! http://oreilly.com/catalog/9780596521103/
  • 32. Thank You! mailto: laura.hunter@lhaconsulting.com blog: http://www.shutuplaura.com twitter: @adfskitteh
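The abridged token on slide 13 only shows what a claim looks like on the wire; what the resource partner must do with it is check the Issuer, the Audience and the validity window before reading any claims. The following is an added example, not code from the deck or from AD FS: a minimal relying-party check over a constructed copy of that token (xmlns added so it parses; the SAML 1.x namespace is the real one, the AssertionID is a placeholder). It assumes the XML signature has already been verified, which it does not do.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.x assertion namespace
NS = {"saml": SAML1}

# Constructed sample modelled on the slide's abridged token (xmlns added so it parses).
TOKEN = f"""<saml:Assertion xmlns:saml="{SAML1}" AssertionID="_placeholder"
    IssueInstant="2006-07-11T03:15:40Z" Issuer="https://adatum-dc1.adatum.com">
  <saml:Conditions NotBefore="2006-07-11T03:15:40Z" NotOnOrAfter="2006-07-11T04:15:40Z">
    <saml:Audience>https://contoso-dc1.contoso.com</saml:Audience>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2006-07-11T03:15:40Z"
      AuthenticationMethod="urn:federation:authentication:windows">
    <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">adamcar@adatum.com</saml:NameIdentifier>
  </saml:AuthenticationStatement>
  <saml:Attribute AttributeName="Group">
    <saml:AttributeValue>Administrators</saml:AttributeValue>
  </saml:Attribute>
</saml:Assertion>"""


def _ts(s):
    # SAML timestamps are UTC with a trailing "Z"; fromisoformat needs +00:00 before Python 3.11
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def extract_claims(xml_text, trusted_issuer, my_audience, now):
    """Relying-party side: accept the assertion only if it was issued by the
    account partner we federate with, is addressed to us, and is inside its
    validity window; then return the claims it carries.
    Assumption: the XML Signature was verified by the caller before this runs."""
    root = ET.fromstring(xml_text)   # production code: parse with defusedxml instead
    if root.get("Issuer") != trusted_issuer:
        raise ValueError("untrusted issuer: %s" % root.get("Issuer"))
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text.strip() for a in cond.findall("saml:Audience", NS)]
    if my_audience not in audiences:
        raise ValueError("assertion not addressed to this relying party")
    claims = {}
    nid = root.find(".//saml:NameIdentifier", NS)
    if nid is not None:
        claims[nid.get("Format")] = nid.text.strip()      # the UPN claim
    for attr in root.findall(".//saml:Attribute", NS):    # e.g. Group -> [Administrators]
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("AttributeName"), []).extend(values)
    return claims
```

Rejecting a token for a stale window or the wrong Audience is what stops a token minted for one resource partner being replayed at another; the signature check that must precede it is deliberately left to a real library.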

Editor's Notes

  1. Hard-coded dependencies
  2. Re-inventing the wheel – asking our devs to be AD experts
  3. Resistance to change – smart card, cloud, etc.
  4. Identify the caller (AuthN). Grep information about the caller for AuthZ & personalization
  5. Partner fed
  6. Fed with the cloud
  7. Hide. Fedutil, pre-baked RP trust
  8. For WinHIED
  9. For WinHIED