Federation Services
0 likes361 views
Federation Services (AD FS) allows secure sharing of identity information between business partners across an extranet using a claims-based system and policies. It provides single sign-on, support for web services and claim mapping, and centralized management of federated partners. AD FS uses proxies, servers, and databases to authenticate users and issue tokens to grant access to applications across organizational boundaries. Certificates are required for token signing, server communication, and SSL to secure traffic between AD FS components.
Federation Services
- 1. Federation Services Basics and considerations Eguibar Information Services S.L. © 2015 1April 6th. 2015
- 2. What is Federation Services AD FS is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet by using a claim- based system and policies. This is considered as a “Trust Relationship” between companies. Eguibar Information Services S.L. © 2015 2April 6th. 2015
- 3. Do I need Federation Services Single Sing On (SSO) Web Services Claim mapping Centralized federated partner management Extensible architecture Eguibar Information Services S.L. © 2015 3April 6th. 2015
- 4. Components Legend Component Description Internet Internet Public DMZ Demilitarized zone. Usually published services are located here. Site LAN Internal Local Area Network Site with Federation Server Site where a FS server will be located, usually part of a FS farm. Potential site for FS Proxy Site without FS Server, but with a FS Proxy acting as an entrance point to federate. Site without FS servers No FS server or proxy, but potentialy candidate to become one Federation Services Proxy FS Proxy server to enable external secured Access to the internal Federation Services server. Federation Services Server The server which host the Federation Services on the internal network Stateful Firewall Firewalle used to secure the internal network and control the DMZ Eguibar Information Services S.L. © 2015 4April 6th. 2015
- 5. How does it Works (Internal) 1. User request Access to the APP/Service 2. APP/Service request token 3. User request token to FS 4. FS request Authentication to AD 5. AD Authenticates 6. FS Issues token 7. User send the token in order to get Access. Eguibar Information Services S.L. © 2015 5April 6th. 2015
- 6. How does it Works (External) 1. User request Access to the APP/Service 2. APP/Service request token to the FS Proxy 3. FS Proxy forward the request to FS 4. FS request Authentication to AD 5. AD Authenticates 6. FS Issues token to the requesting FS Proxy 7. FS Proxy send the token to the APP/Service 8. APP/Service grants Access. Eguibar Information Services S.L. © 2015 6April 6th. 2015
- 7. Windows Internal Database Max 5 Federation Services. Only 1 database writable. Automatic pull replication of databases. 100 trust relationships or less Federation Services using WID (Windows Internal Database) Primary WID Read & Write Secondary WID Read Secondary WID Read Pull every 5 mins Pull every 5 mins Eguibar Information Services S.L. © 2015 7April 6th. 2015
- 8. SQL Server DB handled by SQL server All instances are writable and can support over 100 Trust Relationships SQL to provide fault tolerance and redundancy No Federation Server limit Support for token replay detection (a security feature) and artifact resolution (part of the Security Assertion Markup Language (SAML) 2.0 protocol) Federation Services using SQL Server Federation Server SQL Server Federation Server Federation Server SQL Server SQL Fault Tolerance & Redundancy SQL Fault Tolerance & Redundancy SQL Server Read & Write Eguibar Information Services S.L. © 2015 8April 6th. 2015
- 9. Selecting and Utilizing a Federation Service Name The Federation Service Name must never equal any machine name in the Active Directory forest when you are deploying a AD FS 2.0 farm The HOST/<Federation Service Name> SPN must be registered to the AD FS 2.0 service account The subject of all SSL certificates in the farm, including all Federation Servers and Federation Server Proxies, must utilize the Federation Service Name The subject of the Service Communications certificate must utilize the Federation Service Name The Federation Service Name must be registered as a host record in DNS The Federation Service Name must be set in the Federation Service Properties When directing clients, whether passive (typically browser clients) or active (rich clients), to the Federation Service, the host name the clients utilize must be the Federation Service Name Eguibar Information Services S.L. © 2015 9April 6th. 2015
- 10. Certificates Certificate Type Description Token-signing certificate A token-signing certificate is an X509 certificate. Federation servers use associated public/private key pairs to digitally sign all security tokens that they produce. This includes the signing of published federation metadata and artifact resolution requests Service communication certificate Federation servers use a server authentication certificate, also known as a service communication for Windows Communication Foundation (WCF) Message Security. By default, this is the same certificate that a federation server uses as the Secure Sockets Layer (SSL) certificate in Internet Information Services (IIS). Secure Sockets Layer (SSL) certificate Federation servers use an SSL certificate to secure Web services traffic for SSL communication with Web clients and with federation server proxies. Token-decryption certificate This certificate is used to decrypt tokens that are received by this federation server. Eguibar Information Services S.L. © 2015 10April 6th. 2015
- 11. The Big Picture FS farm & FS proxy Internal WAN FS Proxy Firewall FS Proxy Firewall Site03 FS Proxy Firewall FS Proxy Firewall Site05AD FS Farm AD FS Farm AD FS Farm Site 02 Site04 Site01 Site06 Eguibar Information Services S.L. © 2015 11April 6th. 2015