Category Archives: Identity Management

UAG and AD FS are Better Together – Publishing Non-Claims Based Applications

In the article “UAG and AD FS are Better Together – UAG as AD FS Proxy” we explored how a user authenticates to the UAG portal via claims based authentication and then accesses a claims based application published via the UAG portal. But what if the published application does not support claims based authentication? After all, how many applications out there do? Fortunately, UAG is capable of publishing and providing an SSO experience for non-claims based applications as well. The caveat is that they must support Kerberos authentication. If you remember the “UAG and ADFS are Better Together – Strong Authentication” topology, where we provided access with strong authentication, we configured KCD authentication between UAG and the AD FS server. In this topology the configuration is slightly different but the concept is the same. Instead of doing KCD between UAG and AD FS, we need to configure KCD between UAG and the target application.

UAG is smart enough to transition from the claims based authentication and request a Kerberos ticket from an AD Domain Controller on behalf of the user. During application configuration you need to specify which claim to use as the leading value to obtain the Kerberos ticket; UPN is a good choice. Also, the proper SPN must be configured in AD for the target application.

Figure 1 shows the main aspects of this configuration and Figure 2 provides the high level authentication steps. It is very similar to the previous configurations, just in a slightly different order.

Figure 1

  1. First, the user must authenticate to the portal with a SAML token; this is done via authentication to the backend AD FS server.
  2. When the user tries to access a published application that was configured with Kerberos authentication, the UAG server contacts an AD Domain Controller and obtains a Kerberos service ticket for the target application. In its request to the Domain Controller it uses the claim value that was configured for this application.
  3. UAG then sends the Kerberos ticket to the target application. The application uses the Kerberos ticket for its authentication and authorization decision.
  4. If authentication was successful, the target application allows access to the end user.

Figure 2

This configuration has constraints similar to those discussed in the topology with Smart Card authentication; they stem from Kerberos constraints. The application servers must reside in the same Active Directory Domain as the UAG server (obviously this means that UAG must belong to an AD domain), and the user account must be in the same Active Directory Forest as the UAG server as well. Also, there are requirements on the Domain and Forest Functional level: it must be at least Windows 2003.
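As an added example (not part of the original post), the following PowerShell, run on a domain-joined machine with the ActiveDirectory module, checks and configures the three AD prerequisites this post names: the functional level, the application SPN, and KCD from UAG to the target application. The computer names and SPN are assumed placeholders, and the account that needs delegation is assumed to be the UAG server's computer account (adjust if UAG runs its services under a dedicated account).

```powershell
# Added example, not from the original post. Names below are placeholders.
Import-Module ActiveDirectory

$UagComputer = 'UAG01'                      # UAG server computer account (assumed)
$AppSpn      = 'http/intranet.contoso.com'  # SPN of the published application (assumed)
$AppAccount  = 'APP01'                      # computer account hosting the application (assumed)

# 1. Domain and forest functional levels must be at least Windows Server 2003;
#    constrained delegation with protocol transition is not available below that.
$domainMode = [string](Get-ADDomain).DomainMode
$forestMode = [string](Get-ADForest).ForestMode
if ($domainMode -like 'Windows2000*' -or $domainMode -like 'Windows2003Interim*' -or
    $forestMode -like 'Windows2000*' -or $forestMode -like 'Windows2003Interim*') {
    throw "Functional level too low (domain=$domainMode, forest=$forestMode); KCD will not work."
}

# 2. The application SPN must be registered on exactly one account. UAG asks the DC
#    for a ticket to this SPN, so a missing or duplicate SPN breaks step 2 of Figure 2.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$AppSpn)")
switch ($owners.Count) {
    0       { Set-ADComputer -Identity $AppAccount -ServicePrincipalNames @{Add = $AppSpn}
              "Registered $AppSpn on $AppAccount" }
    1       { "SPN $AppSpn is registered on $($owners[0].Name)" }
    default { throw "Duplicate SPN $AppSpn on: $(($owners | Select-Object -ExpandProperty Name) -join ', ')" }
}

# 3. Constrained delegation: UAG may request service tickets only for the listed SPN
#    (least privilege; never "trust this computer for delegation to any service").
$uag = Get-ADComputer -Identity $UagComputer -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
if ($uag.'msDS-AllowedToDelegateTo' -notcontains $AppSpn) {
    Set-ADComputer -Identity $UagComputer -Add @{'msDS-AllowedToDelegateTo' = $AppSpn}
}

# 4. Protocol transition: the user authenticated to UAG with a SAML token, not Kerberos,
#    so UAG must be allowed to use "any authentication protocol" (S4U2Self) to obtain a
#    ticket for the user identified by the UPN claim before delegating it (S4U2Proxy).
if (-not $uag.TrustedToAuthForDelegation) {
    Set-ADAccountControl -Identity $uag -TrustedToAuthForDelegation $true
}

# 5. Show the resulting settings for review.
Get-ADComputer -Identity $UagComputer -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation,
                  @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' } }
```

Running the script a second time should change nothing; any step that still alters AD indicates a setting that was reverted or a duplicate SPN that reappeared.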


Filed under AD FS, Cloud Security, Federation, Identity Management, Security, UAG

WIF Extension for SAML 2.0 Protocol Community Technology Preview!

Today Microsoft announced the availability of the WIF Extension for SAML 2.0 Protocol Community Technology Preview. Check this blog post for more information:

http://blogs.msdn.com/b/card/archive/2011/05/16/announcing-the-wif-extension-for-saml-2-0-protocol-community-technology-preview.aspx


Filed under AD FS, Federation, Identity Management

Implementing FIM 2010 Certificate Management (Part 4)

This is the fourth and final installment in a four part series showing how to implement a FIM 2010 Certificate Management solution. You can watch the previous three parts by going to each presentation:

  1. Implementing FIM 2010 Certificate Management (Part 1)
  2. Implementing FIM 2010 Certificate Management (Part 2)
  3. Implementing FIM 2010 Certificate Management (Part 3)

If you wonder what the final result of this specific implementation is, please watch the demonstration showing how to do manual certificate enrollment via FIM 2010 CM.

Today's demonstration covers the following tasks:

  • Configure Service Connection Point Permissions
  • Delegate Profile Template Permissions
  • Configure Permissions on Certificate Sponsor
  • Create SSL Profile Template
  • Configure Profile Details
  • Configure Enroll Policy
  • Configure Revoke Policy
  • Define Permissions on the SSL Profile Template
  • Request Certificate for FIM CM Portal
  • Fixing FIM 2010 CM Configuration (AES and CSP)
  • Request Certificate again
  • Installation of issued Certificate on the FIM 2010 CM
  • Set SPN for the new URL
  • Final test of the new Portal

For a better experience please watch it in full screen with HD enabled.


Filed under FIM 2010 CM, Identity Management, PKI, Security, Video Demonstration, Video Presentation, Video Training

Implementing FIM 2010 Certificate Management (Part 1)

Did you have a chance to watch the demonstration on how to use FIM 2010 CM for manual certificate issuance? If not, you can watch it here.

If you are interested in learning how I configured the FIM 2010 CM environment to provide the functionality shown, start watching the following demonstration. I broke the entire implementation down into four parts, and here is the first part of the series. Parts 2-4 are coming in the near future.

In this demonstration we will do the following tasks to prepare the environment for the FIM 2010 CM installation:

  • Modify AD Schema with FIM 2010 CM extensions
  • Create Required Accounts and Groups
  • Create Certificate Templates for FIM 2010 CM Agents
  • SQL Installation
  • Installation of IIS and disabling SSL 2.0
  • Installation of SMTP Service
  • FIM 2010 CM software installation
  • Enable Logon Locally for Agent Accounts
  • Deployment of Agent Certificates on the FIM 2010 CM Server

Please watch this video in full screen and in HD for higher quality and a better viewing experience. Let me know if you have any questions.

Filed under FIM 2010 CM, Identity Management, PKI, Security, Video Demonstration, Video Presentation, Video Training

Manual Certificate Enrollment via FIM 2010 Certificate Management

This video demonstration shows how to use FIM 2010 Certificate Management to request and issue an SSL certificate. The solution shown in this demo was created to satisfy the following requirements:

  • SSL certificates must be approved by RA Manager.
  • Simplify the enrollment process and remove guesswork for the subscriber.
  • Certificate Subject name must be in Geopolitical format, such as: cn=hostname, ou=devices, o=adatum, c=us
  • The SubjectAltName extension must contain the actual name(s) of the URL(s) the certificate will be used for.
  • The SubjectAltName extension must also include the subscriber's e-mail address.

Please watch this video in full screen and in HD for higher quality and a better viewing experience. Let me know if you have any questions.

If you would like to know how to build the solution shown in this demonstration then stay tuned, because I'm going to show you how to do just that in a step-by-step video demonstration.

Filed under FIM 2010, FIM 2010 CM, Identity Management, PKI, Security, Video Demonstration, Video Presentation, Video Training

PKI Installation Made Easy

Who said that implementing PKI is hard? The following one hour video demonstration shows how to implement the most common PKI solution: a two-tier PKI with a Root CA and a Subordinate Issuing CA. I'll discuss the design and why it is done this way, discuss the best settings for a PKI implementation and show how to do it, step-by-step. After watching this video you will be able to do the same. This video is in High Definition, so you can throw it on a big screen if you like and watch it in all its glorious detail. You can forward and pause, rewind and watch it all over as long as you like.

Here is the basic flow of this video demonstration:

  1. Discuss two-tier PKI design.
  2. Show how to install Root CA.
  3. Perform post-installation configuration on the Root CA.
  4. Perform pre-installation tasks on the Issuing CA.
  5. Show how to install Issuing CA.
  6. Sign Issuing CA cert at the Root CA.
  7. Perform post-installation configuration on the Issuing CA.
  8. Verify that our solution is healthy.
  9. Issue Domain Controller Certificate via auto-enrollment.

Stay tuned for future video demonstrations; I'm putting together a demonstration on how to implement a FIM 2010 Certificate Management solution and use it to issue SSL certificates with a management approval workflow.

Filed under Identity Management, PKI, Security, Video Demonstration, Video Presentation, Video Training

FIM 2010 – Joining Data From Another MA

This video demonstration is another installment in the “Implementing FIM 2010” series. It shows how to configure a Management Agent (MA) for joining and then clean up some of the dirty data. You can watch all video demonstrations in the “Implementing FIM 2010” series on my “Implementing FIM 2010” video channel.

Please watch this video in full screen and in HD for higher quality and a better viewing experience. Let me know if you have any questions.

Filed under FIM 2010, Identity Management, Security, Video Demonstration, Video Presentation

FIM 2010–Importing and Synchronizing Data

This is the second lab from the Implementing Forefront Identity Manager 2010 training. Before watching this demonstration it might be helpful to watch the prior demonstrations, but it is not required.

In this demonstration we are going to perform the following tasks:

  • Connect to an HR data source and import identity data
    • Create an MA to connect to the HR SQL database
    • Create and Run Some Profiles
  • Examine the Metaverse
    • Search the metaverse and establish that the data has been projected
    • Create a search filter clause
    • Select which Columns to see
    • View the Search Results
    • Index the employeeID attribute
  • Importing Changes
    • Modify the HR Data and import it into FIM

Please watch this video in full screen and in HD for higher quality and a better viewing experience. Let me know if you have any questions.

Filed under FIM 2010, Identity Management, Video Demonstration

The FIM Experience–Exercise 4

This is a continuation of the first lab from the Implementing Forefront Identity Manager 2010 training. Before watching this demonstration it might be helpful to watch the prior two demonstrations, but it is not required.

In this demonstration we are going to perform the following tasks:

  • Log on to Windows as a contractor employee and reset his password via FIM 2010 Password Management
  • Use Microsoft Office Outlook 2007 to join a group and edit personal details
  • Log on as an HR employee and see how different permissions are applied

Please watch this video in full screen and in HD for higher quality and a better viewing experience. Let me know if you have any questions.

Filed under FIM 2010, Identity Management, Video Demonstration

The FIM Experience–Exercise 2 and 3–Video Demonstration

This is a continuation of the first lab from the Implementing Forefront Identity Manager 2010 training. You can watch the first part of the lab here.

In this demonstration we are going to perform the following tasks:

  • Add new users and examine group memberships
    • Add full-time employee
    • Add a contractor
  • Examine how groups are managed
    • Criteria-based groups
    • Manager-based groups
    • Manual groups

Please watch this video in full screen and in HD for higher quality and a better viewing experience. Let me know if you have any questions.

Filed under FIM 2010, Identity Management, Video Demonstration