Authenticating to your network through your online Credentials
Now off to another subject: ADFS!
Active Directory Federation Services v2.0 is the newest trend. Using your Live ID or Google ID to log into your domain and access your domain resources is a great new topic that is very exciting to work with.

In this example I will show you how to use your Live ID to log on to your UAG server and then access your resources and applications that way. I’ll add to that a small ADFS custom store so that you can see the possibilities lying behind all of that.
What you need to do that:
· UAG 2010 SP1
· ADFS 2.0
· Domain Controller
· Windows Azure Account
· SQL DB
Here is a small architecture design of what you could have:

Let me explain what’s going on here:
A user wants to access his corporate application, so he goes to his UAG portal URL. UAG was configured with ADFS as an authentication method and redirects all users to the ADFS home page, which asks the user which authentication method they want to use.
The user chooses Live ID and authenticates to the UAG portal through his Hotmail or MSN account.
Once on the portal he needs to access his resource; some technical stuff goes on: ADFS turns the Live ID into something your domain can understand, UAG maps this info to a shadow account and, through KCD, logs you into your application! Cool, ain’t it?
Now let’s see how to do that:
First you need to have an ADFS server configured.
This is how I configured mine, but you could have anything here:

Next is to configure the ADFS trust with UAG as per my previous article: http://myitforum.com/cs2/blogs/forefrontsecurity/archive/2011/01/07/uag-sp1-transparent-logon-with-adfs-v2.aspx
This first step will get you to the first milestone, where you can log on to your UAG with ADFS.
However, until now ADFS was configured to get your SAML ticket info from Active Directory only.
Let’s set up the link with other services, such as Microsoft’s Live ID authentication.
In ADFS it’s basically a new Claim provider trust that you’re adding:

You then need to tell your claim rule to transmit the information that it gets from the claim provider as, let’s say, an account name.
Technically this means that the SAML ticket will carry the Live ID or Google ID you logged on with as an account name attribute.

Now that the link is set between your UAG ADFS and Azure, you need to tell the relying party trust you created between your UAG and your ADFS server to transmit to UAG the information it got from the provider (in that case the relying party is UAG).
That can be done by editing the relying party claim rule and telling it to transmit an account name to UAG, or, as in my case, by creating a custom rule like I did:
In my ADFS console I had added a SQL database to which I added each user’s Live ID and mapped it to an Active Directory account (or group). This can of course be any data storage system (Active Directory, Oracle DB).

What we’ll do here is access the relying party trust we created between ADFS and UAG and write a custom rule that will give us the AD account to which the Live ID is mapped!
Check it out:
Edit your claim rule and create a new Custom claims rule:

This rule will look like that:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"] => issue(store = "SQL Attribute Store", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "SELECT Role FROM URT WHERE UserName={0}", param = c.Value);
This rule will access the SQL DB store you created and get the role from the table row where UserName equals your Live ID account.
When you access your UAG portal you will be given the choice to log on with your usual Active Directory ADFS SAML ticket or with your Windows Azure (Live ID) account!
Here is what it looks like (note that this page is completely customizable).
You first get a choice between your usual Active Directory provider and a new one: AZURE!
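The claims provider rule described above (pass the identity from the external provider through as an account name) and the custom SQL rule on the UAG relying party trust can also be set from the AD FS 2.0 PowerShell snap-in. The script below is an added example, not code from the original post; the trust names ("Windows Azure", "UAG"), the SQL server and database names, the table URT(UserName, Role) and the "Connection" key in the attribute store configuration are assumptions for a lab and must be adjusted to your environment.

```powershell
# Added example (not from the original post): registers the SQL attribute store and
# sets the two claim rules the article builds in the AD FS 2.0 console.
# Assumed names: claims provider trust "Windows Azure", relying party trust "UAG",
# SQL store on server SQL01 / database ADFSStore, table URT(UserName, Role).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# 1. Attribute store queried by the custom rule. AD FS binds the rule's param values
#    to the {0} placeholders as SQL parameters, so the Live ID is never pasted into the
#    query text; keep the query parameterised exactly like the article's rule.
#    ("Connection" as the configuration key is an assumption; the console calls it
#    the connection string.)
Add-ADFSAttributeStore -Name "SQL Attribute Store" -StoreType SQL `
    -Configuration @{ "Connection" = "Server=SQL01;Database=ADFSStore;Integrated Security=SSPI" }

# 2. Acceptance rule on the claims provider trust: forward only the UPN the external
#    provider asserted. Any other claim it sends (a role claim, for instance) is dropped
#    here, so roles can only originate from your own mapping table in step 3.
$cpRules = @'
@RuleName = "Pass through UPN from Live ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@
Set-ADFSClaimsProviderTrust -TargetName "Windows Azure" -AcceptanceTransformRules $cpRules

# 3. Issuance rule on the UAG relying party trust: the article's custom rule, which looks
#    the UPN up in the URT table and issues the mapped AD group as a role claim. Add a
#    second rule here for whichever claim type you pick in UAG's KCD settings (the
#    article uses the name claim) if your store returns an account name as well.
$rpRules = @'
@RuleName = "Map Live ID to AD group via SQL"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(store = "SQL Attribute Store",
          types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
          query = "SELECT Role FROM URT WHERE UserName={0}", param = c.Value);
'@
Set-ADFSRelyingPartyTrust -TargetName "UAG" -IssuanceTransformRules $rpRules

# 4. Read the stored rule sets back to confirm they took effect.
(Get-ADFSClaimsProviderTrust -Name "Windows Azure").AcceptanceTransformRules
(Get-ADFSRelyingPartyTrust -Name "UAG").IssuanceTransformRules
```

Run it on the ADFS server as a user in the ADFS administrators group. The point of step 2 is that the external identity provider is only trusted for the UPN; the group that UAG eventually turns into a Kerberos ticket comes solely from the table you control, so an unexpected row in URT is the thing to audit.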

And once you select azure:

Once you enter your Live ID credentials, ADFS will process the information and send it to the UAG portal, and you will be logged in as whatever you set in your rule; in my case, the group it retrieved from my SQL database!
However, this account will allow you to access the portal only; unless your application is claims-aware, you will need to map this account to an Active Directory shadow account to be able to access non-claims-aware applications.
And now let’s configure your application to turn your SAML information into a Kerberos ticket:
Access the application you want to give access to and go to the Authentication tab:

Choose the KCD option and choose the claim type value to turn into a Kerberos ticket: I chose the name, since this is where my info is stored in my SAML ticket.
The last part is to enable KCD on the application:
UAG will create an LDIF file for you through this menu:

Apply this file to your UAG computer’s domain and you will have enabled KCD.
And now you can access your application by using your Windows Live ID account!
Very cool!
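Applying the LDIF and then confirming what it changed on the UAG computer account is worth a quick check, because the SAML-to-Kerberos step only works with constrained delegation plus protocol transition, and you want to be sure the account did not end up with unconstrained delegation. The snippet below is an added example, not part of the original post or of UAG; the LDIF path, the UAG computer name "UAG01" and the application SPN "http/app.corp.contoso.com" are assumptions, and ldifde is used here as the standard import tool since the article does not say how the file was applied.

```powershell
# Added example (not from the original post): import the LDIF that UAG generated and
# verify the delegation settings it set on the UAG computer account.
# Assumptions: LDIF at C:\UAG\kcd.ldf, UAG server "UAG01", published app SPN
# "http/app.corp.contoso.com". Run on a domain-joined host with the AD module.
Import-Module ActiveDirectory

# 1. Import the LDIF (-i import mode, -k continue past benign errors such as an
#    attribute value that is already present).
ldifde -i -k -f C:\UAG\kcd.ldf

# 2. Read back the delegation attributes on the UAG computer account.
function Test-UagKcd {
    param(
        [string]$ComputerName   = "UAG01",                     # assumed UAG server name
        [string]$ApplicationSpn = "http/app.corp.contoso.com"  # assumed SPN of the published app
    )
    $acct = Get-ADComputer -Identity $ComputerName `
        -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
    $targets = @($acct.'msDS-AllowedToDelegateTo')

    [pscustomobject]@{
        Computer                = $acct.Name
        # Protocol transition (S4U2Self) is what lets UAG obtain a ticket for a user
        # who never authenticated with Kerberos; it must be True for this scenario.
        ProtocolTransition      = [bool]$acct.TrustedToAuthForDelegation
        # Unconstrained delegation is not needed by UAG and should remain False.
        UnconstrainedDelegation = [bool]$acct.TrustedForDelegation
        # The SPN list is the whole point of "constrained": only these services
        # can receive tickets on the user's behalf.
        DelegationTargets       = $targets
        AppSpnAllowed           = ($targets -contains $ApplicationSpn)
    }
}

$result = Test-UagKcd
$result | Format-List

if (-not $result.ProtocolTransition -or -not $result.AppSpnAllowed) {
    Write-Warning "KCD is not fully configured for $($result.Computer): check the LDIF import."
}
if ($result.UnconstrainedDelegation) {
    Write-Warning "$($result.Computer) is trusted for unconstrained delegation; UAG only needs constrained delegation."
}
```

The SPN you compare against has to match what the published application actually registers (service class, host name and, if any, port), otherwise the Kerberos request from UAG fails even though everything else looks right.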
Cheers
Published by Hicham Bardawil