5.6. Active Directory Federation ServicesIn today's business environment, you're likely finding that your organization's partners and vendors need to work with equipment and resources that cross organizational boundaries. For instance, your business partner may need access to your ordering system, your vendor has to have a way to submit invoices to your accounting department, and your alliance's R&D teams need to collaborate with documents and presentations across different platforms and different security boundaries. Today, it's not about being an information siloit's about securely managing access to information, both internally and externally. But with this new model of sharing information comes an interesting problem that's one of trust, particularly across security boundaries. Here, I'm digging at a core problem that's facing IT in larger organizations today. Let's look at this in terms of an example. Let's say that TrinketBuild, Inc. sells trinkets, and TreasureBuild, Inc. sells treasures. To build a trinket, one needs to include a treasure, which is a core component of the trinket. TrinketBuild has come to an agreement with TreasureBuild to get treasures at a lower price in a large quantity. TreasureBuild uses an externally facing application to take orders and process payment for their orders, and their customers' employees (in this case, TrinketBuild's employees) have traditionally had accounts to be able to access this application. When we introduce the concept of accounts into this example, we introduce an issue known as identity management. In a nutshell, how does one manage all of the accounts that one person has to his name? For example, TrinketBuild's employees probably have several accounts: one to log in to the network each day, perhaps a separate email account, accounts to access mainframe business applications, andif they're like any other corporationprobably ten more accounts for various resources. Now upon the signing of this agreement with TreasureBuild, some TrinketBuild employees will have still one more account added to their load of usernames and passwords: the one used to access TreasureBuild's ordering and billing application. But wouldn't it be great, from a lot of angles, if TrinketBuild employees could use their own Active Directory username and passwordthe one they use each dayto access TreasureBuild's extranet application? What if the two companies' IT departments could come to some sort of trust agreement, wherein the TreasureBuild department trusts certain Active Directory accounts (and more specifically, some attributes from those accounts) from TrinketBuild to access their application with their own credentials, without requiring a local TreasureBuild account? What benefits would this bring? Here are just a few:
By integrating this sort of trust in their accounting and transactions, TrinketBuild and TreasureBuild are participating in federated identity management (FIM). FIM is a standards-based technology and process that enables identification, authentication, and authorization information to transcend traditional security boundaries. The idea of federation is one of heterogeneity: different companies use different technologies, identity storage and security approaches, and programming models, but they still need to interact with other companies with still different technologies, identity storage and security approaches, and programming models. Among these differences, there should be a standardized way of advertising the types of services one offers externally, but also of accepting trusts, credentials, and policy information from other organizations. In Windows Server 2003 R2, Microsoft has included Active Directory Federation Services, a new component, which integrates the concept of FIM into Windows using Active Directory as the base identity store. By using ADFS, you can eventually enable secure access to web applications outside of a user's home domain or forest. ADFS uses all of the identity information in AD and "projects" that information outside of the local AD forest into the realm of the extranet, if there are applications out there, or to other organizations for their use. Doing so, of course, improves security, enables auditing and tracking (which is an important capability to have in today's regulatory environment), and increases end-user productivity. 5.6.1. ScenariosADFS supports a couple of scenarios natively: web single sign-on, and the traditional identity federation model. Let's look at the single sign-on model first. If you use Windows Server 2003 R2 and IIS 6 for an externally accessible web application, you can use forms-based authentication and give users a single-sign on session cookie, which removes the need for them to log on to access any other resources in a trusted domain. In this way, users will log in once when they access the first web application, and then this cookie will be used to answer any future credential challenges by other resources in the domain. Since one web "application" is usually actually a collection of multiple applications, you remove the need for repeatedly requesting user credentials. The second scenario involves regular identity federation. The difference here is fundamental: identity federation separates authentication (verifying an identity) from the access control, or authorization, decision, and places it squarely on the account side of the relationship rather than on the resource side. So instead of a user authenticating to an extranet site by entering his credentials, the user's home Active Directoryotherwise known as his "home realm"authenticates the user and then automatically generates a security token for the end user. The user then presents that token to target application, and the application itself uses that token to grant access rights. The key to this process is the federated trust that the two partners set up, which includes exchange of keys and standardization on the types of information about users the application will require. (These pieces of information are called claims .) Thus, through the process of federation, the end user signs on once to all of their internal network applications through the regular Windows authentication process, but he also gets seamless access to partner applications without having to sign on again. 5.6.2. ArchitectureADFS is basically made up of four components: Active Directory, where the identity information is stored; a federation server, a federation server proxy, and an agent that runs on a web server. The AD component is simpleyou have a repository of identity data that ADFS will make use ofso let's move to the other parts of the architecture . The federation server is a service that handles and processes security tokens. The federation server also contains the tools needed to manage federated trusts between business partners. The server takes user information and claims and populates these security tokens with the claims. Common claims might include a user's job title, department, level of access to a particular function, a credit or purchasing limit, and approval requirements. The federation server proxy is a machine to which the client will connect to request the security token. It also provides all the UI that the browser would potentially need to display for youit basically acts as a front end for clients to all of the magic of ADFS. The last component is an agent that runs on the web server that makes sure the end user is authenticated. Once this is done, the agent creates a context for the user. If you have a classic client-server application that requires an NTLM security context (one where you assign permissions based on ACLs and such), the agent will actually create that context after it decides the security token was valid. Windows SharePoint Services, among other applications, works really well with this type of context. If you have a claims-aware applicationthat is, one that recognizes roles and claims within its own processesthen you can use Authorization Manager for role-based access control. 5.6.3. The Flow of Applications and ClaimsLet's step through the flow of a typical federation transaction.
You can see this process depicted graphically in Figure 5-55. 5.6.3.1. Claims TransformationThe pieces of information being exchanged about a trusted partners' usersrecall that these are called claimshave a flow all their own. Organizational claims are made by the user's home realm; most commonly, these organizational claims are simply attributes in Active Directory that each user possesses. It's just a standard way for your organization to think about the information that it stores about its userswhat groups they belong to, their addresses, phone numbers, title, and identity information. The utility of ADFS is the capability to transform those claims into the label that the resource side of the trust is expecting. For example, TreasureBuild might expect a user's title to be Purchaser, but TrinketBuild uses the Purchasing Agent identifier internally. This is really the only point in which you need to fully understand and expect the format in which the resource side needs its claim information. The same type of transformation can take place on the resource side. Different applications need different types of claims, so the order application might take Purchasing Agent, the ERP application might use Buyer, and the tracking application might use Purchases. The resource federation server knows about these peculiarities and can further transform these claims into what these applications and systems need. A key point here: this stuff doesn't matter to the account side. The account federation server only needed to know in what format the resource federation server expected the data; how the data is subsequently transformed is of no concern to the account side. Figure 5-55. The ADFS application flowYou can see this process diagrammed in a flowchart in Figure 5-56. Figure 5-56. The ADFS claims flow5.6.4. Demo: Collaboration with Windows SharePoint ServicesSo let's put all of this to use. It's difficult to put together an in-depth demo about ADFS within this book because where ADFS really shines is when claims-aware applications are used. Since there isn't a standard claims-aware application available to use for this demo (at least at the time of this printing), we'll demonstrate the concepts of federation using Windows SharePoint Services by setting up a trust between two distinct business units so that they can each access WSS and bring in new users. To get started, you will need to install Windows Server 2003 R2 on three machines: one that will act as the SharePoint server; one as a federation server for the account side, and the third as the federation server on the resource side. Once you have all three machines running, install ADFS and the Federation Server components on two of them. You can do this from the Windows Components section of Add/Remove Programs within Control Panel. On the third, install Windows SharePoint Services 2.0 and also select the ADFS Web Agent software, which is under the Active Directory Federation Services option. (Choose the traditional application option.) Then, to the third machine, add an administrator account which will be used to manage SharePoint. The SharePoint machine needs some additional configuration. Step through the following process to get it ready:
On each of the federation servers, do the following:
In terms of accounts, you also have a couple of options. You can, for example, create a local account for each user accessing the site. These local accounts will never actually be logged into a directory and the user will never need to know the password. As a matter of fact, the user will never even need to know the account exists. The advantage of this option is that you can control the access to each SharePoint site on a per-user basis, and you can go through the SharePoint invite process that's built into the product. The disadvantage is the Active Directory administrator will need to create a local AD accounts for each incoming user. If that option doesn't appeal to you, your second option involves using a feature in ADFS called Group-to-UPN mapping. With this feature, the administrator creates one or more accounts locally that will have certain privileges in SharePoint. The user will also have a group claim that will be mapped to his or her local user account. The benefits for this method: you reduce the number of local accounts that a site will need to have; the account/ADFS administrator can now choose who has access to the SharePoint site, and the resource-side administrator can manage what groups have access. However, you lose the granular access control provided in the first option, and can't send standard SharePoint invitation messages. If you choose option one, you should create local accounts for each user that will need to access the SharePoint Site. The UPN of the local account will need to be the same as the UPN coming across in the security token from the account federation server. Launch the Active Directory Domains and Trusts administrative tool to set up new UPN suffices. On the Active Directory Domains and Trusts node in the left pane, right-click and select Properties. In the Alternative UPN Suffixes text box, enter the UPN suffix of a federation-aware domain, then click the Add button. After all suffixes are entered, click the OK box and close the application. Then, to create new user accounts for accessing SharePoint, you can create a new OU to house the partner accounts, or they can be put anywhere else in your AD structure. Within ADUC, right-click the container you want to create the local account in, select New, and then select User. Proceed through the wizard as previously outlined in this chapter; however, in the User logon name box, enter the first part of the users UPN, then in the drop-down box on the left, select the user's UPN suffix. In the User logon name (pre-Windows 2000) box, make sure the name is unique. This unique name is not actually used, so you can enter whatever you want. Click the Next key after all the fields have been populated, And then enter a dummy password and finish the wizard. After all of these steps are accomplished, the standard SharePoint invitation messages will work. If you choose option two, open the ADFS Management tool on the SharePoint server, and do the following:
After that's complete, you're all set. Users from both the account and resource sides can use the WSS site, and if you chose option one, you can bring new people into the site by simply issuing a SharePoint invitation. 5.6.5. More InformationThere are quite a few resources that Microsoft has made available for users interested in learning more about ADFS. For a more visual introduction to the concepts here, check out the .NET Show episode with David McPherson and Don Schmidt, where the two talk about ADFS' inherent capabilities. You can find that episode at: There is also a whitepaper on Microsoft's web site explaining scenarios, requirements, and terminology in further detail than what I've covered here. This paper is located at: And finally, for a step-by-step single sign-on lab setup, you can check out the document located at: |