Chapter 14: Active Directory Federation Services Flashcards
(15 cards)
Define a “Federation trust/service”
A web service that authenticates users from the Identity Provider (IdP) and provides access to claims-based applications from the Service Provider (SP)
What is another term for an Identity Provider (IdP)?
Claims Provider (CP)
What is another term for a Service Provider (SP)?
Relying Party (RP); in a federation trust, the RP depends on the claims provided by the federation service to allow or deny access to the application
What ports are needed for a federation service?
LDAP/LDAPS (389/636), DNS/DNSSEC (53), HTTPS (443)
What level of access does federation allow for remote/external users?
Access can only be allowed to claims-aware applications
Define a “claim” in terms of federation
A claim is simply a statement about a user that is used for the authorization decisions of claims-aware applications
How do claims play a role in access to a federated service?
The federation service requests access from the SP based on the claims. If the SP’s application doesn’t understand claims, it cannot decide whether to allow or deny access
What are commonly used claims?
Claim type: Description
- UPN: UPN of the user
- Email: RFC 5322-type email address
- Given name: Given name of the user
- CN: CN value of the user account
- Name: Name of the user
- Surname: Surname of the user
- Windows account name: Domain account in domain\user format
- Group: Group the user belongs to
- Role: Role of the user
- AD FS 1.x UPN: UPN of the user when interacting with AD FS 1.x
- AD FS 1.x email address: RFC 5322-type email address of the user when interacting with AD FS 1.x
What is the role of Security Assertion Markup Language (SAML) in a federated environment?
The IdP and the SP need to exchange authentication and authorization data; SAML is an XML-based open standard that is used to pass authorization credentials from the IdP to the SP.
How are claims requested/processed when implementing SAML?
The claim request and claim processing flow is almost the same, with the only difference being the format of the token request and response; SAML uses a signed XML file as the token. In SAML terminology, the security tokens generated at the IdP end are called asserts, and the decryption and processing of asserts at the SP end is called assertion.
What does “WS-*” stand for?
“Web Services”
Define “Security Token Service (STS) - Token Generation”
A web service that generates and issues security tokens and makes assertions based on evidence that it trusts; AD FS implements several federation frameworks and protocols because there are multiple ideas of federation, of what a security token is, and of how it is consumed
Define “WS-Federation”
Provides the general language and mechanism to connect users and resources across security boundaries (IdP and SP); the fundamental goal of WS-Federation is to simplify the development of federated services through cross-realm communication and management of federation
Define “WS-Trust”
WS-Trust defines the protocols used in requesting and issuing security tokens by WS-Security; includes the Security Token Service (STS), used to convert locally issued security tokens into other security token formats that can be processed by the application. It can also convert incoming security tokens into supported token formats