Post on 18-Dec-2015
March 15, 2011
Active Directory Federation Services 2.0 Overview
InCommon Service Provider Training
04/18/23 2
What is it?
A SAML implementation (both IdP and SP) from Microsoft
A WS-Fed implementation (Passive Requester)
An AD-based single sign-on system
A server role in Windows Server 2008
Some Terminology…
Security token – This refers to the assertion from the IdP.
Claim – a “claim” is just an attribute from the IdP’s assertion.
Claims Provider – This is just the ADFS term for an IdP.
Relying Party – This is just the ADFS term for an SP (a consumer of claims).
Claim Rules – these are instructions that tell ADFS how to deal with a “claim” or attribute. You can check attributes for compliance with certain policies (like scoped attributes) and you can transform attributes (from Shibb format to ADFS format, for example).
More:
• http://technet.microsoft.com/en-us/library/adfs2-help-terminology(WS.10).aspx
What can it do?
Act as an IdP (Claims Provider)
Act as an SP (Relying Party)
Seamlessly integrate with growing list of apps:
• Sharepoint 2010:
– http://blogs.msdn.com/b/spidentity/archive/2010/01/23/claims-based-authentication-cheat-sheet-part-2.aspx
• Microsoft Unified Access Gateway (proxy):
– http://technet.microsoft.com/en-us/library/gg470578.aspx
• Citrix:
– http://support.citrix.com/servlet/KbServlet/download/9932-102-15146/WI%20for%20ADFS%20FAQ.pdf
Interoperate with other SAML 2.0 solutions (like Shibboleth)
What are the limitations?
Metadata support
Certificate support
WAYF/DS support
Forced Authentication support
Other?
Resources
ADFS Home:
• http://technet.microsoft.com/en-us/windowsserver/dd448613.aspx
Using ADFS with Shibboleth and InCommon:
• http://go.microsoft.com/fwlink/?LinkId=204784
More How-To Guides:
• http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(WS.10).aspx
Claims Rule syntax:
• http://technet.microsoft.com/en-us/library/dd807118(WS.10).aspx
Shibboleth wiki on ADFS interop:
• https://spaces.internet2.edu/display/SHIB2/MicrosoftInterop
Adding Shibboleth Claims Providers
ADFS can’t deal with a federation metadata file
• No support for <EntitiesDescriptor>
This can be handled via script/app
• Uses MS PowerShell to import into ADFS
• Import one at a time
• Must force only one encryption cert
• No other entity can use the same encryption cert
The Microsoft ADFS/InCommon doc has code for a python script
• Dealing with multiple federations?
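As an added illustration of the splitting step above (this is not the script from the Microsoft ADFS/InCommon doc), the Python below takes an <EntitiesDescriptor> aggregate, emits one stand-alone <EntityDescriptor> per IdP for one-at-a-time import, leaves each IdP exactly one encryption certificate, and refuses the import when a second IdP reuses a certificate already taken. The aggregate, entityIDs and certificate values are constructed samples.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed sample aggregate: two IdPs and one SP. idp1 publishes a
# dual-use key (no "use") plus a dedicated encryption key; idp2 has one key.
KEY = ('<md:KeyDescriptor%s><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
       '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="%s" xmlns:ds="%s">
 <md:EntityDescriptor entityID="https://idp1.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor>%s%s</md:IDPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp2.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor>%s</md:IDPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.example.edu/shibboleth">
  <md:SPSSODescriptor/>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>""" % (MD, DS, KEY % ("", "AAAA"),
                                KEY % (' use="encryption"', "BBBB"), KEY % ("", "CCCC"))

def split_aggregate(aggregate_xml):
    """Return {entityID: (single_entity_xml, encryption_cert)} for each IdP.
    Only the first encryption-capable KeyDescriptor keeps that role, and an
    encryption cert already claimed by another IdP raises ValueError."""
    root = ET.fromstring(aggregate_xml)
    if root.tag != "{%s}EntitiesDescriptor" % MD:
        raise ValueError("not an EntitiesDescriptor aggregate")
    cert_owner, result = {}, {}
    for ent in list(root.iter("{%s}EntityDescriptor" % MD)):  # also walks nested aggregates
        idp = ent.find("{%s}IDPSSODescriptor" % MD)
        if idp is None:
            continue  # SP-only entities are not claims providers
        entity_id, enc_cert = ent.get("entityID"), None
        for kd in idp.findall("{%s}KeyDescriptor" % MD):
            if kd.get("use") == "signing":
                continue
            if enc_cert is None:  # first encryption-capable key wins
                enc_cert = "".join((kd.findtext(".//{%s}X509Certificate" % DS) or "").split())
            elif kd.get("use") is None:
                kd.set("use", "signing")  # a later dual-use key stays usable for signing
            else:
                idp.remove(kd)  # a second dedicated encryption key is dropped
        if enc_cert and cert_owner.setdefault(enc_cert, entity_id) != entity_id:
            raise ValueError("%s reuses the encryption cert of %s" % (entity_id, cert_owner[enc_cert]))
        result[entity_id] = (ET.tostring(ent, encoding="unicode"), enc_cert)
    return result
```

Each value in the returned dict is a single-entity metadata document ready to be written to its own file and imported with the PowerShell step.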
How to Integrate Sharepoint
Install ADFS according to documentation
Create a new Relying Party on the ADFS server
• Configure the RP manually
• SP-to-ADFS uses the WS-Fed Passive protocol (ADFS to Shibb uses SAML 2)
• The identifier/entityID is https://<yourFQDN>/_trust/
• For claims rules, you can just use “Pass-Through” rules (since Shibb-sourced claims will be transformed on the Claims Provider configuration and AD-based logins don’t need to be transformed)
On the Sharepoint server, use PowerShell to add a new Security Token Service (STS):
• Use the New-SPTrustedIdentityTokenIssuer cmdlet (see link below)
• Consider adding some custom code to sync SP profiles
– Hook the “OnSignedIn” event of the “federatedAuthentication” module
– Use SP’s UserProfileManager class
http://shannonbray.wordpress.com/2010/10/02/claims-based-authentication-made-simple/
How to Integrate Your Own App
Developer’s machine:
• Install WIF runtime (KB974405)
• Install WIF SDK (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c148b2df-c7af-46bb-9162-2c9422208504&displaylang=en)
Web Server
• Install WIF runtime (KB974405)
• Set your app’s App Pool property for “loadUserProfile” to ‘true’
How to Integrate Your Own App (cont)
For the app itself (assuming VS2008):
• Ensure that build target is .NET 3.5 (or greater)
• Check out (from source control) the app’s web.config file (next step needs to write to it)
• Right-click web site/project in Solution Explorer, choose ‘Add STS Reference’
– Choose your app’s web.config file
– Use your app’s URL as the application URI, making sure to include the trailing slash (Ex. https://serverFQDN/app/)
– Choose to “Use an Existing STS” and point to your ADFS server’s metadata
• https://<yourADFS-FQDN>/FederationMetadata/2007-06/FederationMetadata.xml
– Accept other defaults
How to Integrate Your Own App (cont)
• Edit the attributes/claims that your app requests
– Web site: Edit the <microsoft.identitymodel> section of web.config, uncomment needed attributes, then choose ‘Update Federation Metadata’ from the project’s right-click menu in Solution Explorer
– Web project: You’ll need to first edit your app’s web.config as described above, then also either manually edit your app’s metadata file, located at <app root>/FederationMetadata/2007-06/FederationMetadata.xml, or use the VS2008 FedUtil (click Tools->Run Federation Utility tool). If you choose the first option:
• Look for the <fed:ClaimsTypesRequested> section
• Add new <auth:ClaimType> elements as needed
• Name and Role are enabled by default; consider adding these:
– <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
– <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
– <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
How to Integrate Your Own App (cont)
On ADFS Server
• Add a new Relying Party
– Auto-configure from metadata:
• https://<WebServerFQDN>/app/FederationMetadata/2007-06/FederationMetadata.xml
• Create ‘Pass-Through’ Claims Rules for new RP. Consider pass-through rules for these claims (as so-named in the ADFS RP Claim Rules GUI)
– “Name” is the userID/sAMAccountName/ePPN
– “Given Name” is the user’s first name
– “Surname” is the user’s last name
– “E-Mail Address” is the user’s email address
– “Role” is the user’s role (or eduPersonAffiliation, etc)
How to Integrate Your Own App (cont)
App code references:
• Add reference to Microsoft.IdentityModel (after installing WIF runtime)
App Code:
• using Microsoft.IdentityModel.Claims;
• using System.Threading;
In Page.Load()
• IClaimsIdentity claimsIdentity = ((IClaimsPrincipal)Thread.CurrentPrincipal).Identities[0];
Microsoft Reference:
• http://www.microsoft.com/downloads/en/details.aspx?FamilyID=BB9AB270-473B-4852-B26E-031A88EDD113
How to Integrate Your Own App (cont)
    // Claim type URIs; WIF also exposes the standard ones as ClaimTypes.GivenName, ClaimTypes.Surname, etc.
    string GIVENNAME_CLAIM_TYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname";
    string SURNAME_CLAIM_TYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname";
    string EMAIL_CLAIM_TYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";
    string ROLE_CLAIM_TYPE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";
    // Initialise every variable (a declaration list only applies the initialiser to the last name),
    // so the values are safe to use even when the IdP did not send that claim
    string UID = "", FName = "", LName = "", EmailAddr = "", Role = "";
    bool AuthOK = false, roleFound = false;
    if (claimsIdentity != null)
    {
        AuthOK = claimsIdentity.IsAuthenticated;
        UID = claimsIdentity.Name;   // the "Name" claim passed through by ADFS
        foreach (Claim c in claimsIdentity.Claims)
        {
            if (c.ClaimType == GIVENNAME_CLAIM_TYPE)
                FName = c.Value;
            if (c.ClaimType == SURNAME_CLAIM_TYPE)
                LName = c.Value;
            if (c.ClaimType == EMAIL_CLAIM_TYPE)
                EmailAddr = c.Value;
            if (c.ClaimType == ROLE_CLAIM_TYPE)
            {
                // role is multivalued, so build one semicolon-delimited string
                if (roleFound)
                    Role += ";" + c.Value;
                else
                {
                    Role += c.Value;
                    roleFound = true;
                }
            }
        }
    }
DiscoveryService/WAYF??
ADFS does not support the OASIS DiscoveryService profile
To discover a user’s home institution, ADFS uses a process called “Home Realm Discovery”
This is very customizable, as it is just a .NET page (.aspx)
• Page is at (by default) c:\inetpub\adfs\ls\HomeRealmDiscovery.*
• Search-as-you-type
• Cookie name
• Multi-Fed Selector
Demo
Claims Provider Properties
Claims Provider Claims Rules
Relying Party Properties
Relying Party Claims Rules
Sharepoint Login
• Custom code to sync SP profiles
– Hooks the “OnSignedIn” event of the “federatedAuthentication” module
– Uses SP’s UserProfileManager class
Custom app integration