March 15, 2011 Active Directory Federation Services 2.0 Overview InCommon Service Provider Training


What is it?

A SAML implementation (both IdP and SP) from Microsoft

A WS-Fed implementation (Passive Requester)

An AD-based single sign-on system

A server role in Windows Server 2008


Some Terminology…

Security token – This refers to the assertion from the IdP.

Claim – a “claim” is just an attribute from the IdP’s assertion.

Claims Provider – This is just the ADFS term for an IdP.

Relying Party – This is just the ADFS term for an SP (a consumer of claims).

Claim Rules – these are instructions that tell ADFS how to deal with a “claim” or attribute. You can check attributes for compliance with certain policies (like scoped attributes) and you can transform attributes (from Shibb format to ADFS format, for example).

More: http://technet.microsoft.com/en-us/library/adfs2-help-terminology(WS.10).aspx


What can it do?

Act as an IdP (Claims Provider)

Act as an SP (Relying Party)

Seamlessly integrate with a growing list of apps:

• Sharepoint 2010:
  – http://blogs.msdn.com/b/spidentity/archive/2010/01/23/claims-based-authentication-cheat-sheet-part-2.aspx

• Microsoft Unified Access Gateway (proxy):
  – http://technet.microsoft.com/en-us/library/gg470578.aspx

• Citrix:
  – http://support.citrix.com/servlet/KbServlet/download/9932-102-15146/WI%20for%20ADFS%20FAQ.pdf

Interoperate with other SAML 2.0 solutions (like Shibboleth)


What are the limitations?

Metadata support

Certificate support

WAYF/DS support

Forced Authentication support

Other?


Resources

ADFS Home: http://technet.microsoft.com/en-us/windowsserver/dd448613.aspx

Using ADFS with Shibboleth and InCommon: http://go.microsoft.com/fwlink/?LinkId=204784

More How-To Guides: http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(WS.10).aspx

Claims Rule syntax: http://technet.microsoft.com/en-us/library/dd807118(WS.10).aspx

Shibboleth wiki on ADFS interop: https://spaces.internet2.edu/display/SHIB2/MicrosoftInterop


Adding Shibboleth Claims Providers

ADFS can’t deal with a federation metadata file

• No support for <EntitiesDescriptor>

This can be handled via script/app:

• Uses MS PowerShell to import into ADFS
• Import one at a time
• Must force only one encryption cert
• No other entity can use the same encryption cert

The Microsoft ADFS/InCommon doc has code for a python script

• Dealing with multiple federations?
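The Python script in the Microsoft ADFS/InCommon document is not reproduced on these slides. The following is an added example (not that script and not part of the deck) of the preparation the bullets above describe: split the federation's <EntitiesDescriptor> into one <EntityDescriptor> per IdP, trim each IdP to a single encryption certificate, and flag any two IdPs that advertise the same encryption certificate so they are not both imported. The metadata, entityIDs and certificate bodies are constructed.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

def split_for_adfs(entities_xml):
    """Return ({entityID: <EntityDescriptor> XML string}, sorted entityIDs whose
    encryption certificate another entity also uses).  Each IdP is trimmed to one
    encryption certificate: the first encryption-capable KeyDescriptor listed."""
    root = ET.fromstring(entities_xml)
    per_entity, cert_owners = {}, {}
    for ent in root.findall(f"{{{MD}}}EntityDescriptor"):
        eid = ent.get("entityID")
        for role in ent.findall(f"{{{MD}}}IDPSSODescriptor"):
            # A KeyDescriptor without use= is valid for signing AND encryption.
            enc = [k for k in role.findall(f"{{{MD}}}KeyDescriptor")
                   if k.get("use") in (None, "encryption")]
            for extra in enc[1:]:
                if extra.get("use") == "encryption":
                    role.remove(extra)           # encryption-only: drop it entirely
                else:
                    extra.set("use", "signing")  # dual-use: keep it for signature checks only
            cert = enc[0].findtext(f".//{{{DS}}}X509Certificate", "").strip() if enc else ""
            if cert:
                cert_owners.setdefault(cert, []).append(eid)
        per_entity[eid] = ET.tostring(ent, encoding="unicode")
    conflicts = sorted(e for owners in cert_owners.values() if len(owners) > 1 for e in owners)
    return per_entity, conflicts

def _key(use, cert):
    attr = f' use="{use}"' if use else ""
    return (f"<md:KeyDescriptor{attr}><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
            f"{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")

def _idp(eid, keys):
    return (f'<md:EntityDescriptor entityID="{eid}"><md:IDPSSODescriptor>'
            + "".join(_key(u, c) for u, c in keys) + "</md:IDPSSODescriptor></md:EntityDescriptor>")

SAMPLE = (  # constructed sample federation metadata: fake entityIDs and fake cert bodies
    f'<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}">'
    + _idp("https://idp.a.example", [("signing", "SIGA"), ("encryption", "ENCA1"), ("encryption", "ENCA2")])
    + _idp("https://idp.b.example", [(None, "KEYB1"), (None, "KEYB2")])  # two dual-use keys
    + _idp("https://idp.c.example", [("encryption", "ENCA1")])           # re-uses A's cert
    + "</md:EntitiesDescriptor>")

if __name__ == "__main__":
    files, clash = split_for_adfs(SAMPLE)
    print({e: ("shared encryption cert" if e in clash else "importable") for e in files})
```

Each value in the returned dictionary is a stand-alone document that can be saved to its own file and imported into ADFS one at a time; entities listed in the conflict list need a decision before import.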


How to Integrate Sharepoint

Install ADFS according to documentation

Create a new Relying Party on the ADFS server:

• Configure the RP manually
• SP-to-ADFS uses the WS-Fed Passive protocol (ADFS to Shibb uses SAML 2)
• The identifier/entityID is https://<yourFQDN>/_trust/
• For claims rules, you can just use “Pass-Through” rules (since Shibb-sourced claims will be transformed on the Claims Provider configuration and AD-based logins don’t need to be transformed)

On the Sharepoint server, use PowerShell to add a new Security Token Service (STS):

• Use the New-SPTrustedIdentityTokenIssuer scriptlet (see link below)
• Consider adding some custom code to sync SP profiles
  – Hook the “OnSignedIn” event of the “federatedAuthentication” module
  – Use SP’s UserProfileManager class

http://shannonbray.wordpress.com/2010/10/02/claims-based-authentication-made-simple/

How to Integrate Your Own App

Developer’s machine:

• Install WIF runtime (KB974405)
• Install WIF SDK (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c148b2df-c7af-46bb-9162-2c9422208504&displaylang=en)

Web Server:

• Install WIF runtime (KB974405)
• Set your app’s App Pool property for “loadUserProfile” to ‘true’


How to Integrate Your Own App (cont)

For the app itself (assuming VS2008):

• Ensure that the build target is .NET 3.5 (or greater)
• Check out (from source control) the app’s web.config file (the next step needs to write to it)
• Right-click the web site/project in Solution Explorer, choose ‘Add STS Reference’
  – Choose your app’s web.config file
  – Use your app’s URL as the application URI, making sure to include the trailing slash (Ex. https://serverFQDN/app/)
  – Choose to “Use an Existing STS” and point to your ADFS server’s metadata
    • https://<yourADFS-FQDN>/FederationMetadata/2007-06/FederationMetadata.xml
  – Accept other defaults


How to Integrate Your Own App (cont)

• Edit the attributes/claims that your app requests
  – Web site: Edit the <microsoft.identitymodel> section of web.config, uncomment the needed attributes, then choose ‘Update Federation Metadata’ from the project’s right-click menu in Solution Explorer
  – Web project: You’ll need to first edit your app’s web.config as described above, then also either manually edit your app’s metadata file, located at <app root>/FederationMetadata/2007-06/FederationMetadata.xml, or use the VS2008 FedUtil (click Tools->Run Federation Utility tool). If you choose the first option:
    • Look for the <fed:ClaimsTypesRequested> section
    • Add new <auth:ClaimType> elements as needed
    • Name and Role are enabled by default; consider adding these:
      – <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
      – <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
      – <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />


How to Integrate Your Own App (cont)

On ADFS Server:

• Add a new Relying Party
  – Auto-configure from metadata: https://<WebServerFQDN>/app/FederationMetadata/2007-06/FederationMetadata.xml
• Create ‘Pass-Through’ Claims Rules for the new RP. Consider pass-through rules for these claims (as so-named in the ADFS RP Claim Rules GUI):
  – “Name” is the userID/sAMAccountName/ePPN
  – “Given Name” is the user’s first name
  – “Surname” is the user’s last name
  – “E-Mail Address” is the user’s email address
  – “Role” is the user’s role (or eduPersonAffiliation, etc.)
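As an added example (not from the slides or the Microsoft/InCommon document), the two rules below show, in the ADFS claim rule language, the Shibboleth-side transform that the pass-through on the Relying Party relies on: the first, placed on the Claims Provider trust for the Shibboleth IdP, accepts the incoming ePPN only when its scope matches the institution and maps it to the “Name” claim; the second, placed on the Relying Party trust, is the pass-through rule for “Name”. It assumes the Shibboleth IdP releases eduPersonPrincipalName under its OID attribute name (urn:oid:1.3.6.1.4.1.5923.1.1.1.6) and that example.edu is the institution's scope.

```text
@RuleName = "Accept ePPN only from the expected scope and map it to Name"
c:[Type == "urn:oid:1.3.6.1.4.1.5923.1.1.1.6", Value =~ "^[^@]+@example[.]edu$"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Value = c.Value);

@RuleName = "Pass Name through to the Relying Party unchanged"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
 => issue(claim = c);
```

Without the scope condition in the first rule, an ePPN carrying any scope would be issued as “Name”, which is the check the “scoped attributes” policy on the terminology slide refers to.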


How to Integrate Your Own App (cont)

App code references:

• Add a reference to Microsoft.IdentityModel (after installing the WIF runtime)

App code:

```csharp
using Microsoft.IdentityModel.Claims;
using System.Threading;
```

In Page.Load():

```csharp
IClaimsIdentity claimsIdentity =
    ((IClaimsPrincipal)Thread.CurrentPrincipal).Identities[0];
```

Microsoft Reference: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=BB9AB270-473B-4852-B26E-031A88EDD113


How to Integrate Your Own App (cont)

```csharp
string GIVENNAME_CLAIM_TYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname";
string SURNAME_CLAIM_TYPE   = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname";
string EMAIL_CLAIM_TYPE     = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";
string ROLE_CLAIM_TYPE      = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";

// Initialise every local (the original initialised only Role and roleFound).
string UID = "", FName = "", LName = "", EmailAddr = "", Role = "";
bool AuthOK = false, roleFound = false;

// claimsIdentity is the IClaimsIdentity obtained in Page.Load() on the previous slide.
if (claimsIdentity != null)
{
    AuthOK = claimsIdentity.IsAuthenticated;
    UID = claimsIdentity.Name;   // the "Name" claim: userID/sAMAccountName/ePPN

    foreach (Claim c in claimsIdentity.Claims)
    {
        if (c.ClaimType == GIVENNAME_CLAIM_TYPE)
            FName = c.Value;
        if (c.ClaimType == SURNAME_CLAIM_TYPE)
            LName = c.Value;
        if (c.ClaimType == EMAIL_CLAIM_TYPE)
            EmailAddr = c.Value;
        if (c.ClaimType == ROLE_CLAIM_TYPE)
        {
            // Role is multivalued, so build one semicolon-delimited string
            if (roleFound)
                Role += ";" + c.Value;
            else
            {
                Role += c.Value;
                roleFound = true;
            }
        }
    }
}
```


DiscoveryService/WAYF??

ADFS does not support the OASIS DiscoveryService profile

To discover a user’s home institution, ADFS uses a process called “Home Realm Discovery”

This is very customizable, as it is just a .NET page (.aspx)

• Page is at (by default) c:\inetpub\adfs\ls\HomeRealmDiscovery.*

• Search-as-you-type

• Cookie name

• Multi-Fed Selector


Demo

Claims Provider Properties

Claims Provider Claims Rules

Relying Party Properties

Relying Party Claims Rules

Sharepoint Login

• Custom code to sync SP profiles
  – Hooks the “OnSignedIn” event of the “federatedAuthentication” module
  – Uses SP’s UserProfileManager class

Custom app integration
