Chaining Multiple STS

A few months ago I learned something about claims-based authentication that I thought was not possible. Ever since I started working on federation solutions, and learning about them through training courses, white papers, specifications and presentations, the following two topologies were always the ones shown or discussed. The first one is where a company has its own…

Authentication Assurance and Claims Based Authentication

Authentication Mechanism Assurance is described in the following Microsoft publication: http://technet.microsoft.com/en-us/library/dd378897(v=WS.10).aspx. In this post I want to dig a bit deeper into the different configuration options, show how it works and provide an example of how it can be configured with AD FS 2. Authentication Mechanism Assurance is a new feature in Windows 2008 R2 AD DS…

Open Standard Authentication in the Enterprise, Part 3

In the previous post we started to talk about different SSO solutions. This post will cover another common SSO approach. Current Solutions: Federal Agencies employ two primary strategies to provide Single Sign On across multiple domains, applications and across agency boundaries: Application Resource Forests (covered in the previous post); Password Synchronization across different directories. Password…

Open Standard Authentication in the Enterprise, Part 2

In the previous post we started to talk about the different complexities of SSO implementations. Let's review what types of solutions are common in current implementations. Current Solutions: Federal Agencies employ two primary strategies to provide Single Sign On across multiple domains, applications and across agency boundaries: Application Resource Forests; Password Synchronization across different directories. (covered…

Open Standard Authentication in the Enterprise, Part 1

In the next few posts, I'm going to talk about SSO in enterprise environments, with emphasis on Federal Government Agencies. Federal Agencies are facing multiple issues with managing digital identities for employees and contractors. While most agencies use Active Directory as their primary authentication directory, most of them have a number of other authentication…

Levels of Assurance and Claims-based authentication

Federal Agencies must comply with the OMB 04-04 publication. It establishes a framework that assigns different levels of assurance to digital identities, such as user accounts/passwords, Smart Cards and other types of tokens. Claims-based authentication solutions must support the proper assertion of the level of assurance for a couple of different reasons: the STS must be able to…

Token Policy and STS

If you are familiar with PKI projects you probably know about the Certificate Policy (CP) and the Certification Practice Statement (CPS). Both are based on a published RFC and are usually required in most PKI implementations. The CP specifies the policy for the PKI, and the CPS specifies how that policy is implemented by each CA in your PKI solution. Usually it…

Claim Based Authentication IV

In the previous three posts we examined how the claims authentication flow works for users in the same domain as the SharePoint site and for users from other organizations. As we have seen, the value of the Role claim was based on Active Directory group membership. For instance, Frank Miller from Fabrikam was given the role of DrugTrial1Auditors in…
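For readers who want to see what "Role claim based on AD group membership" looks like in AD FS 2.0 claim rule language, here is an added example; it is not code from the original post. It assumes the rules are loaded on the Fabrikam AD FS 2.0 server with the AD FS PowerShell snap-in, that the relying party trust is named "SharePoint Extranet" (a hypothetical name), and that the temporary claim type http://example/claims/adgroup is a placeholder chosen for this example. Rather than sending every group the user belongs to, the rule set reads group membership into a temporary claim and issues a Role claim only for the one group the relying party actually needs, so the token does not leak the user's complete group list to the partner.

```powershell
# Added example, not from the original post. Assumes AD FS 2.0 (Windows Server 2008 R2)
# and a relying party trust named "SharePoint Extranet" (hypothetical name).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Claim rule language: rule 1 queries the Active Directory attribute store for the
# user's tokenGroups and keeps the result in a temporary claim (add, not issue), so it
# never leaves the pipeline. Rule 2 issues a Role claim only when the user is a member
# of DrugTrial1Auditors. The temporary claim type is a placeholder for this example.
$rules = @'
@RuleName = "Read AD group membership into a temporary claim"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://example/claims/adgroup"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "Issue Role claim for the DrugTrial1Auditors group only"
c:[Type == "http://example/claims/adgroup", Value == "DrugTrial1Auditors"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = c.Value);
'@

# Replace the issuance transform rules on the relying party trust with the set above.
Set-ADFSRelyingPartyTrust -TargetName "SharePoint Extranet" -IssuanceTransformRules $rules

# Read the rules back to confirm what the STS will apply on the next token request.
(Get-ADFSRelyingPartyTrust -Name "SharePoint Extranet").IssuanceTransformRules
```

Compare this with the "Send Group Membership as a Claim" template, which matches on the group SID and hard-codes the role name; the tokenGroups query form above follows group renames automatically but also means anyone who can rename or nest groups in Fabrikam's AD can influence the role Contoso's SharePoint site sees, which is exactly the trust boundary the next post in the series discusses.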

Claims Based Authentication – Part III

This is a continuation of the two previous posts. Please check them out first, otherwise this one might not make much sense at all. Step 6 in the step-by-step guide configures the Fabrikam STS with the Relying Party and shows how to configure Information Cards to automate home realm discovery. I'm not going to talk about Information Cards yet, for…
