1
00:00:00,600 --> 00:00:06,510
Let's start a discussion on Active Directory Federation Services. Federation Services allows identification,

2
00:00:06,880 --> 00:00:11,550
authentication and authorization across organizational and platform boundaries.

3
00:00:11,730 --> 00:00:16,740
If you'd like to set it up it's going to require a federation trust relationship between two organizations

4
00:00:16,800 --> 00:00:18,260
or two entities.

5
00:00:18,300 --> 00:00:24,000
It's really a way to go with a trust relationship beyond the scope of our normal domain or forest environment.

6
00:00:24,390 --> 00:00:30,920
Federation service will allow an organization to retain control over who can access resources.

7
00:00:30,930 --> 00:00:35,820
It will also allow the organization to retain control over their user group accounts.

8
00:00:35,820 --> 00:00:41,390
So you can still have control and allow people outside of your organization to use your resources.

9
00:00:41,400 --> 00:00:43,270
Let's see a little bit more about it.

10
00:00:43,290 --> 00:00:48,420
So what is AD FS, Active Directory Federation Services?

11
00:00:48,420 --> 00:00:55,040
It is a Microsoft identity federation product that can be used with claims-based authentication.

12
00:00:55,320 --> 00:01:01,560
When we talk about claims-based authentication, we're talking about using a way to authenticate someone

13
00:01:01,650 --> 00:01:06,100
other than using the traditional username and password.

14
00:01:06,200 --> 00:01:12,030
Some of the features involved with it are that you can use it for single sign-on for your web-based apps.

15
00:01:12,140 --> 00:01:17,100
You can also use that as a way to operate between web services on multiple platforms.

16
00:01:17,450 --> 00:01:22,400
You'll also note that you can use it to support many clients in web browsers, mobile devices, and apps

17
00:01:22,400 --> 00:01:27,350
that are available on the Internet and it's extendable with third party applications.

18
00:01:27,620 --> 00:01:30,650
You can customize your own claims to be able to work with it.

19
00:01:30,680 --> 00:01:36,110
One of the big benefits is it allows you to maintain your own account list in your own organization

20
00:01:36,380 --> 00:01:40,680
without having to have another foreign organization work with that account list.

21
00:01:40,760 --> 00:01:42,840
I'll give you an example in just a moment.

22
00:01:42,910 --> 00:01:43,270
OK.

23
00:01:43,280 --> 00:01:47,630
So what are claims-based identity and claims-based authentication?

24
00:01:47,690 --> 00:01:51,060
The idea here is really a very old idea.

25
00:01:51,320 --> 00:01:57,170
I would like to be able to use a resource in someone else's domain and we can do that very very easily

26
00:01:57,170 --> 00:01:59,690
in Active Directory if we're part of the same forest.

27
00:01:59,840 --> 00:02:04,160
And if we're not part of the same forest, we can set up a forest trust so I can access your resource.

28
00:02:04,280 --> 00:02:05,760
But how do I do that?

29
00:02:05,930 --> 00:02:10,880
If you don't have Active Directory and you don't have a forest maybe you're not even running a Microsoft

30
00:02:10,880 --> 00:02:11,360
network.

31
00:02:11,360 --> 00:02:12,710
How could I do that?

32
00:02:12,740 --> 00:02:15,290
That's where this comes into play: the Federation server.

33
00:02:15,470 --> 00:02:19,680
So the idea here is that I need to use a resource in your network.

34
00:02:19,760 --> 00:02:24,140
But the problem with it is I don't really want to tell you my username and password to store it in your

35
00:02:24,140 --> 00:02:27,030
system so that I can log into your system and access it.

36
00:02:27,110 --> 00:02:28,280
Plus even better.

37
00:02:28,280 --> 00:02:29,880
You don't want to have to maintain it.

38
00:02:30,110 --> 00:02:36,050
So you want me to maintain my own users and groups and permissions and passwords and you maintain yours

39
00:02:36,290 --> 00:02:41,550
and you don't want to have to go in and you know maintain each other's information so we can share resources.

40
00:02:41,570 --> 00:02:49,160
So what we do is we take that old idea here of being able to trust a remote domain or in this case a

41
00:02:49,160 --> 00:02:52,030
remote system with Federation services.

42
00:02:52,190 --> 00:02:56,660
So what you can see here is I've used quite a number of names with this because you'll see it called

43
00:02:56,660 --> 00:03:01,840
quite a number of things but essentially what we have is we have an account domain or a trusted domain

44
00:03:01,850 --> 00:03:04,100
if we were to use Microsoft language here.

45
00:03:04,220 --> 00:03:06,650
And this is where all the user accounts are.

46
00:03:06,770 --> 00:03:12,620
So the user accounts are here and I would like to use a resource out here which is essentially a resource

47
00:03:12,620 --> 00:03:16,140
domain, a trusting domain, an application provider.

48
00:03:16,190 --> 00:03:18,650
It's also known as a resource provider.

49
00:03:18,650 --> 00:03:22,680
So you'll hear the resource domain also known as a resource partner.

50
00:03:22,850 --> 00:03:27,310
And then you'll hear the account domain also known as an account partner.

51
00:03:27,320 --> 00:03:33,650
So as you can see this is really just taking the trusts that we would normally do within Microsoft and

52
00:03:33,650 --> 00:03:34,900
expanding it out.

53
00:03:35,180 --> 00:03:42,530
So I have my accounts that I maintain I want to use the resource on your site and you're not Microsoft

54
00:03:42,540 --> 00:03:45,800
so we're going to do Federation services to make the connection.

55
00:03:46,040 --> 00:03:50,750
So what happens is I'm going to have to set up trusts and the trust that I'm going to set up is going

56
00:03:50,750 --> 00:03:53,510
to be related to the claims that I'm going to provide you.

57
00:03:53,690 --> 00:03:58,970
So you tell me what you want me to tell you in order for me to use your resource and that could be anything

58
00:03:58,970 --> 00:04:01,390
like maybe you want to know my e-mail address.

59
00:04:01,550 --> 00:04:06,890
So maybe right now what's happening is we are doing a partnership and I need to use resources on your

60
00:04:06,890 --> 00:04:07,370
side.

61
00:04:07,370 --> 00:04:13,760
So you say everyone in sales, everyone in the sales team that has a certain e-mail address

62
00:04:13,760 --> 00:04:14,670
attached to them.

63
00:04:14,720 --> 00:04:17,730
Those are the people that you want to have come in and use your resource.

64
00:04:17,780 --> 00:04:20,200
We simply set up a claim to do that.

65
00:04:20,450 --> 00:04:22,220
So that's where the claims come into place.

66
00:04:22,220 --> 00:04:25,420
We're not using a traditional username and password.

67
00:04:25,430 --> 00:04:31,130
What we're doing is we're using attributes of you as a user and you maintain those attributes.

68
00:04:31,130 --> 00:04:36,200
I don't want to maintain them, but when you come in to use my resource, well, guess what, you've got to tell

69
00:04:36,200 --> 00:04:40,850
me some of those attributes: maybe you belong to a certain group, maybe you have a certain email address,

70
00:04:40,880 --> 00:04:46,370
maybe you have a certain location that you're working out of. I can use all those claims to authenticate

71
00:04:46,370 --> 00:04:46,760
you.

72
00:04:46,820 --> 00:04:48,400
And that's how this works.

73
00:04:48,410 --> 00:04:53,150
So it's the same domain model that we're used to, but we're pulling it outside of a Microsoft network

74
00:04:53,480 --> 00:04:58,160
and then we're using these trusts to work with our claims.

75
00:04:58,160 --> 00:05:03,790
Let's take a closer look at some of the AD FS components if you'd like to set up AD FS.

76
00:05:04,010 --> 00:05:08,660
We are going to talk about the different models that you can use but what you'll note here is that we

77
00:05:08,660 --> 00:05:12,560
have an AD FS server here out in our partner network.

78
00:05:12,560 --> 00:05:17,930
So they're a foreign system I want to be able to use resources with them and I have my internal network

79
00:05:17,930 --> 00:05:20,760
that also has an AD FS server.

80
00:05:20,900 --> 00:05:24,790
So my federation server out here is going to need to be installed.

81
00:05:24,830 --> 00:05:27,690
It's going to be installed just like we normally would do our installations.

82
00:05:27,800 --> 00:05:31,130
As we've seen in the past, through roles and features.

83
00:05:31,550 --> 00:05:35,940
But my federation service here will also be a certain type of server.

84
00:05:36,140 --> 00:05:41,990
We can have a server that will have accounts on it and it could use an attribute store to do that.

85
00:05:42,020 --> 00:05:47,570
So I can store in my attributes store all of my user accounts and then the attributes that are associated

86
00:05:47,570 --> 00:05:50,590
to them that I'm going to use as claims to get them authenticated.

87
00:05:50,900 --> 00:05:54,310
Traditionally the attributes will probably be Active Directory.

88
00:05:54,620 --> 00:05:57,130
So that's where I'm going to go in and figure out

89
00:05:57,230 --> 00:06:02,990
what about that user I need to use to figure out whether or not I can be allowed into a resource.

90
00:06:03,170 --> 00:06:09,470
So you can see that you're also going to note here we'll have a relying party server. The relying party

91
00:06:09,470 --> 00:06:13,530
server is the server who has the application that we would like to access.

92
00:06:13,530 --> 00:06:16,390
So this is our resource server that we would like to access.

93
00:06:16,550 --> 00:06:18,410
So they're going to say what they want

94
00:06:18,410 --> 00:06:22,920
from me, who provides the accounts, to be able to use their applications.

95
00:06:22,970 --> 00:06:26,870
And so I just have to match those when we set up the trust relationship.

96
00:06:26,870 --> 00:06:29,960
You might also note, and this is an optional component,

97
00:06:30,050 --> 00:06:34,250
You could have what's called a federation service proxy.

98
00:06:34,250 --> 00:06:40,790
It is now known as a web application proxy and it's just an extra layer of protection so that when we work

99
00:06:40,790 --> 00:06:44,860
with external clients they don't have direct access to the Federation server.

100
00:06:44,870 --> 00:06:49,820
They've got to go through the proxy, and what the proxy will do is the proxy will determine who to connect

101
00:06:49,820 --> 00:06:55,430
them to. The proxy can actually pass them directly through to the application and let the application authenticate

102
00:06:55,430 --> 00:07:01,700
them, or the proxy can pass them off to the Federation server and let the Federation server use its attributes,

103
00:07:01,750 --> 00:07:05,320
or usually Active Directory, to authenticate them.

104
00:07:05,450 --> 00:07:10,160
So the proxy just kind of runs interference, an extra layer of protection if you'd like to use it.

105
00:07:10,370 --> 00:07:16,340
So as you can see all of this is going to run via these trusts and it really depends on what you're

106
00:07:16,340 --> 00:07:17,870
trying to access.

107
00:07:17,870 --> 00:07:20,930
We have a number of trusts here that we can work with.

108
00:07:20,930 --> 00:07:25,190
You'll see that we have a claims provider trust.

109
00:07:25,310 --> 00:07:30,290
So this claims provider trust is going to be configured on the relying party.

110
00:07:30,290 --> 00:07:36,560
This is for the relying party, which is essentially the resource domain, to say exactly what they want. What

111
00:07:36,560 --> 00:07:41,390
do they want to know about each of the users that would like to connect to the resource? What do they

112
00:07:41,390 --> 00:07:45,860
want to know, what are they going to require: that you belong to a certain group, that you're at a

113
00:07:45,860 --> 00:07:49,220
certain location, that you have a certain e-mail? What are they going to require?

114
00:07:49,340 --> 00:07:55,790
And that will be built into the claims provider trust. The relying party trust is going to be configured

115
00:07:56,180 --> 00:08:03,680
on our claims provider and it essentially has to match with whatever the resource wants.

116
00:08:03,680 --> 00:08:07,630
So I'm going to make certain that I put in there what the resource wants.

117
00:08:07,640 --> 00:08:08,510
I have to match that.

118
00:08:08,510 --> 00:08:11,420
So the two have to match in order for us to get a connection.

119
00:08:11,420 --> 00:08:16,610
So like I said, this is kind of like the same model we've had for a while; it's just now we're being able

120
00:08:16,610 --> 00:08:23,330
to use claims to get someone authenticated, and someone authenticated possibly who, you know, is outside

121
00:08:23,330 --> 00:08:24,600
of our organization.

122
00:08:24,620 --> 00:08:26,780
So that's kind of the idea with this.

123
00:08:26,840 --> 00:08:29,880
So we have certificates that this will use.

124
00:08:29,990 --> 00:08:37,610
We have claims and claim rules that we set up, so the claims being the user with the attributes and

125
00:08:37,610 --> 00:08:38,870
what attributes do we want to use.

126
00:08:38,870 --> 00:08:42,320
With that we have rules here that you can configure.

127
00:08:42,320 --> 00:08:47,630
So there is, as you can see, a lot of moving parts to this and this is kind of just scratching

128
00:08:47,630 --> 00:08:52,140
the surface getting a little idea of what's what.

129
00:08:52,170 --> 00:08:56,310
Let's take a closer look at some of the AD FS requirements for installation.

130
00:08:57,270 --> 00:09:04,500
You will need a TCP/IP network. The client computer will need to be able to communicate using HTTPS, which

131
00:09:04,500 --> 00:09:06,260
will require a certificate.

132
00:09:06,620 --> 00:09:10,440
They'll need to be able to communicate to the web application proxy.

133
00:09:10,440 --> 00:09:15,450
They'll also need to be able to communicate with the resource Federation server or the Federation server

134
00:09:15,450 --> 00:09:21,420
proxy, and they also need to be able to communicate with the application Federation server. The Federation

135
00:09:21,420 --> 00:09:28,410
server proxy must be able to communicate using HTTPS with the Federation servers in the same organization.

136
00:09:29,300 --> 00:09:34,910
And then the Federation servers and internal client computers must communicate with domain controllers

137
00:09:34,910 --> 00:09:36,120
for authentication.

138
00:09:36,410 --> 00:09:41,130
So there's a lot of connectivity here that will need to be set up.

139
00:09:41,160 --> 00:09:43,850
You'll also want to work with Active Directory.

140
00:09:44,070 --> 00:09:48,250
So the Federation server must be joined to the Active Directory domain.

141
00:09:48,360 --> 00:09:50,520
The proxy doesn't have to be part of the domain.

142
00:09:50,520 --> 00:09:57,430
A lot of times the proxy will be in the extranet network, and then you will need an attribute store that

143
00:09:57,430 --> 00:10:05,530
will usually be Active Directory. There are some additional AD FS requirements that involve DNS. Clients

144
00:10:05,540 --> 00:10:10,760
must be able to resolve DNS names for all Federation servers and for any web apps that they plan on

145
00:10:10,760 --> 00:10:17,540
connecting to. External clients must resolve the DNS name for a web application proxy and not for an

146
00:10:17,540 --> 00:10:20,600
internal Federation server.

147
00:10:20,730 --> 00:10:25,110
The web application proxy must resolve a name for the internal Federation server.

148
00:10:25,110 --> 00:10:30,010
You're going to need to configure different DNS records in internal and external DNS zones.

149
00:10:30,090 --> 00:10:36,090
If the internal users have to directly access the internal Federation server and if the external users

150
00:10:36,090 --> 00:10:38,820
must connect through the Federation server proxy.

151
00:10:39,090 --> 00:10:44,400
As you can see there's a lot of moving parts to Active Directory Federation server, but as you'll work

152
00:10:44,400 --> 00:10:48,780
through this you'll see that it becomes just really like, you know, the domains that we're used to back

153
00:10:48,780 --> 00:10:49,920
in Active Directory.

154
00:10:50,010 --> 00:10:51,770
So it's not that big of a stretch.

155
00:10:51,840 --> 00:10:56,580
We just have to spend a little bit of time working extra with DNS and certificates to kind of bring

156
00:10:56,580 --> 00:11:23,080
everything together.
