WIN322: Implementing Web SSO and Identity Federation with Active Directory Federation Services in Windows Server 2003 R2
Feifei Qian, Technical Solution Professional, Microsoft C

Target audience
- Technical decision makers and IT professionals who need to implement Web Single Sign-On (SSO) and identity federation and want to understand Microsoft's solution.
- This session explains what ADFS is and which problems it solves: What is ADFS? How does ADFS help me?

What you should take away
- How to use Microsoft's identity management and access control platform to solve your enterprise's Web SSO and identity federation problems.
- How to extend your Windows user identities beyond the enterprise/organization network.
- Enough information to start designing and developing solutions on this platform.

Agenda
- Overview of the problems enterprises face
- How identity federation helps solve them
- ADFS scenarios
- How ADFS works
- Demo: identity federation and Web SSO for Windows SharePoint Services (WSS) through ADFS
- Q&A

Extending authentication and access control: Vision
- Log on once, access securely: two basic principles, neither of which can be dropped.
- Leverage identity and services as broadly as possible.
- Extend to "unreachables" via integration solutions like MIIS.

Windows integrated authentication
- Log on to Windows with a flexible range of authentication methods: Kerberos; X.509 v3 / smart card / PKI; VPN / 802.1x / RADIUS; LDAP; Passport / Digest / Basic (Web); SSPI / SPNEGO.
- Single sign-on (SSO) to: Windows file/print servers; Microsoft applications; 390/AS400 (Host Integration Server); ERP (BizTalk, SharePoint ESSO); third-party integrated apps; Web applications via IIS; Unix/J2EE (Services for Unix, Vintela).
- Diagram: Exchange, Web applications, file shares, Windows integrated applications.

Enterprises/organizations want to extend access
- To your company and employees; your remote and virtual users; your customers.
- Drivers: customer satisfaction and customer intimacy; cost competitiveness; reach, personalization; collaboration; outsourcing; faster business cycles and process automation; value chain; M&A; mobile/global workforce; flexible/temporary workforce.

Challenges when extending access
- Regulatory compliance: privacy protection (SOX, HIPAA, etc.); auditing and reporting.
- End-user productivity: forgotten passwords; logon frequency; provisioning latency; mobile access.
- IT/Helpdesk efficiency: account provisioning requests; password reset requests; account proliferation; service levels.
- IT/Developer architecture: redundancy; centralized policy management; inflexibility; integration and heterogeneity; scalability.
- Security: orphaned or inaccurate accounts; compromised passwords; hackers; firewall; least access.

Current approaches to the problem: the identity management (IdM) vision, extending access control through Web services
- Past: application silos; an ID for each system; internally focused; limited to business value.
- Present: custom integration; identity integration; internal and external; high cost to value.
- Future: connected systems; identity federation; built to extend; low cost to value.
- The transition: identity integration products and services; platform capabilities; Web services interop.

Active Directory Federation Services
- Extends AD beyond the forest, so that customers, partners, suppliers and employees can securely access Web applications located outside their own domain/forest.
- Improves efficiency for IT staff, developers and end users.
- Strengthens security and regulatory compliance.
- A first step toward AD providing services for SOA architectures.

ADFS scenarios
- Web single sign-on (SSO): business to employee (B2E); business to consumer (B2C).
- Identity federation: business to business (B2B); business unit to business unit (B2B).

Scenario: Web SSO
- On the resource side, identity data is stored and managed in AD/ADAM.
- Multiple authentication methods: forms, Basic, client-side certificates.
- Multiple authorization schemes: AzMan, ASP.NET Roles, NT impersonation and ACLs, raw claims.
- Provides SSO for a Web server farm.
- Diagram: customers, business partners, enterprise employees.

Scenario: Identity Federation
- Credentials and authentication are managed in the "home realm" by the partner organization, in AD or another solution.
- Multiple authentication methods: forms, Basic, client-side certificates.
- Multiple authorization schemes: AzMan, ASP.NET Roles, NT impersonation and ACLs, raw claims.
- SSO across security boundaries.
- Diagram: business partners; Federation Server on each side.

ADFS Identity Federation: projects AD identities to other security realms
- Federation Servers manage: trust keys; security (claims required); privacy (claims allowed); audit (identities, authorities).
- Security Token Service with an HTTP receiver for HTTP messages (passive profile, ADFS v1) and a SOAP receiver for SOAP messages (active profile, ADFS v2).

WS-Federation: cross-organization, multi-vendor interoperability
- Web Services Federation Language: defines messages that enable security realms to federate and exchange security tokens.
- Built upon WS-Security and WS-Trust.
- Wide industry support. Authors: BEA, IBM, Microsoft, RSA, VeriSign. 3/04 workshop: IBM, OpenNetwork, Oblix, Netegrity, RSA, PingID.
- Two "profiles" of the model are defined: passive (Web browser) clients over HTTP/S; active (smart/rich) clients over SOAP.

ADFS components
- Active Directory or ADAM (Windows 2000/2003): authenticates users; manages attributes.
- Federation Server (FS): the security token service (STS); issues security tokens; manages federation trust policy; populates claims (statements an authority makes about security principals).
- Federation Server Proxy (FSP): client proxy for token requests; provides the UI for browser clients.
- Web Server (WS): SSO agent and application; enforces user authentication and creates the user authorization context through NT impersonation and ACLs, ASP.NET IsInRole(), AzMan RBAC integration, or the ASP.NET raw claims API.

Federated B2B flow
- Diagram: federation trust between the account-side and resource-side Federation Servers.

Demo: identity federation and Web SSO for Windows SharePoint Services (WSS) through ADFS

ADFS value: improving enterprise/organization efficiency

ADFS value: strengthening security and regulatory compliance
- Federation gives automatic de-provisioning of extranet access rights, avoiding orphaned accounts.
- Certificate-based communication is concentrated on HTTPS port 443, so no additional firewall configuration is needed.
- All communication between ADFS components runs over SSL/TLS.

Act now
- Experience ADFS: ADFS hands-on lab! ADFS in R2 Beta 2.
- Encourage claims-aware application development today (Authorization Manager, ASP.NET IsInRole); get federation "for free" when R2 ships.

More resources
- Visit Microsoft Identity Management - http:/
- http:/
- Windows Server System - http:/
- Microsoft's .NET Show on ADFS: http:/
- Get familiar with the Web services security and identity model: http:/
- WS-* workshops: http:/
- Get started with WS-* using Web Services Enhancements: http:/
- "Federation of Identities in a Web Services World"
- "Federated Identity Management Interoperability" video: http:/
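The component and flow slides above (account-side Federation Server issuing a token with policy-filtered claims, the resource-side Federation Server validating it under the federation trust and re-issuing for the application, and the Web server SSO agent building an IsInRole-style authorization context) can be followed end to end in the added example below. It is example code written for this page, not ADFS's or Microsoft's own implementation: realms, keys, the directory entry and the claim policies are constructed, and an HMAC-SHA256 signature over a JSON body stands in for the XML security-token signatures that real ADFS exchanges.

```python
# Added example: a simplified, self-contained model of the ADFS federated B2B flow.
# Signatures are HMAC-SHA256 over a JSON body, a stand-in for the XML/SAML-token
# signatures real ADFS uses; all names, keys and data below are constructed.
import hashlib
import hmac
import json
import time

# Constructed federation trust: each Federation Server knows the verification key
# of the partner it trusts (real ADFS uses X.509 certificates exchanged in policy).
ACCOUNT_FS_KEY = b"constructed-account-partner-signing-key"
RESOURCE_FS_KEY = b"constructed-resource-partner-signing-key"
ACCOUNT_REALM = "urn:federation:account-partner"
RESOURCE_REALM = "urn:federation:resource-partner"
APP_REALM = "https://wss.resource.example/"

# Constructed directory on the account side (stands in for AD/ADAM).
ACCOUNT_DIRECTORY = {
    "alice": {"password": "pw-alice", "email": "alice@account.example",
              "department": "purchasing", "ssn": "000-00-0000"},
}
# Privacy policy on the account side: claims allowed to leave for this partner.
OUTGOING_CLAIMS = {RESOURCE_REALM: {"upn", "email", "department"}}
# Security policy on the resource side: claims required from each trusted partner,
# and the mapping from an incoming claim value to application roles.
REQUIRED_CLAIMS = {ACCOUNT_REALM: {"upn", "department"}}
ROLE_MAP = {"purchasing": ["Buyers"], "finance": ["Approvers", "Buyers"]}
TOKEN_LIFETIME = 600  # seconds


def sign(payload, key):
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "sig": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def verify(token, key, audience, now):
    """Check signature, intended audience and expiry; return the payload or raise."""
    expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise ValueError("token signature invalid")
    payload = json.loads(token["body"])
    if payload["audience"] != audience:
        raise ValueError("token not intended for this realm")
    if payload["expires"] <= now:
        raise ValueError("token expired")
    return payload


def account_fs_issue(username, password, target_realm, now):
    """Account-side FS: authenticate against the directory, populate claims, issue a token."""
    entry = ACCOUNT_DIRECTORY.get(username)
    if entry is None or not hmac.compare_digest(entry["password"], password):
        raise PermissionError("authentication failed")
    claims = {"upn": f"{username}@account.example", "email": entry["email"],
              "department": entry["department"], "ssn": entry["ssn"]}
    allowed = OUTGOING_CLAIMS.get(target_realm, set())
    claims = {k: v for k, v in claims.items() if k in allowed}  # privacy filter
    return sign({"issuer": ACCOUNT_REALM, "audience": target_realm,
                 "expires": now + TOKEN_LIFETIME, "claims": claims}, ACCOUNT_FS_KEY)


def resource_fs_reissue(token, now):
    """Resource-side FS: validate the partner token under the federation trust,
    check required claims, map claims to roles, and re-issue for the application."""
    payload = verify(token, ACCOUNT_FS_KEY, RESOURCE_REALM, now)
    issuer = payload["issuer"]
    if issuer not in REQUIRED_CLAIMS:
        raise ValueError("issuer is not a trusted account partner")
    missing = REQUIRED_CLAIMS[issuer] - set(payload["claims"])
    if missing:
        raise ValueError(f"required claims missing: {sorted(missing)}")
    claims = dict(payload["claims"])
    claims["roles"] = ROLE_MAP.get(claims.get("department"), [])
    return sign({"issuer": RESOURCE_REALM, "audience": APP_REALM,
                 "expires": now + TOKEN_LIFETIME, "claims": claims}, RESOURCE_FS_KEY)


class AuthorizationContext:
    """What the Web server SSO agent hands the application: roles plus raw claims."""

    def __init__(self, claims):
        self.claims = claims

    def is_in_role(self, role):
        return role in self.claims.get("roles", [])


def sso_agent_accept(token, now):
    """Web server SSO agent: accept only tokens issued by the resource FS for this app."""
    payload = verify(token, RESOURCE_FS_KEY, APP_REALM, now)
    return AuthorizationContext(payload["claims"])


def federated_sign_in(username, password, now=None):
    """End-to-end B2B flow: account FS -> resource FS -> Web server SSO agent."""
    now = time.time() if now is None else now
    partner_token = account_fs_issue(username, password, RESOURCE_REALM, now)
    app_token = resource_fs_reissue(partner_token, now)
    return sso_agent_accept(app_token, now)


if __name__ == "__main__":
    ctx = federated_sign_in("alice", "pw-alice")
    print(ctx.is_in_role("Buyers"), sorted(ctx.claims))
```

Two checks in the model correspond to the "security" and "privacy" items on the Federation Server slide: the account side drops claims (here the constructed `ssn` attribute) that the outgoing policy does not allow for the partner realm, and the resource side rejects a token whose issuer is not in its trust policy or which lacks the claims it requires. The audience field is what stops a token issued for the resource Federation Server from being replayed directly at the application.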