Federation Services Terminology

Captions
Welcome to the ITFreeTraining free training video on Federation Services terminology. This video will look at all the terminology you need to understand in order to start using Federation Services effectively. As you can see, there are 17 different terms that I will look at in this video. Federation Services has its share of terminology, but don't worry, I have sorted them into a logical order to make it easy to understand. So let's get started.

The first term that I will look at is the account partner organization. This is simply the organization that contains the users that will be used with Federation Services. In this example, there are users in the domain ITFreeTraining. These users will be the users that will access resources using Federation Services. The important point to remember is the account partner organization contains the users, their passwords and other relevant information about those users.

So this brings up the next question: what are these users accessing? These users access resources in the resource partner organization. A resource partner organization is simply an organization that hosts federation applications. For example, these could be held in a child domain, an external business domain or services in a cloud. The important point to remember is that a resource partner organization allows users from an account partner to access services using web services. For example, a resource partner may have services like email or applications like Office that the user can access using web protocols.

The next point to consider is how the account partner organization and resource partner organization are connected. In order to connect both, a federation trust is created. If you are familiar with an Active Directory trust, you will know that a connection-based trust means data is required to travel over it, otherwise the trust is not usable. A federation trust is different in that it is a non-connection style trust. This means no communication happens over the trust, unlike an Active Directory trust. It is possible to set up the trust by accessing the other company's Federation Service; however, it is also possible to set up the trust manually without access to the other server. The important point is that a certificate is required in the resource partner organization, so this will need to be transferred and imported into the resource organization. Effectively, the resource partner organization is saying that I trust the users in the account partner organization and will allow them access.

But how does the user request this access? In order to grant access, the Federation Server in the account partner organization creates a claim. A claim contains identification details of the user asking for the access and also which service they would like access to. Essentially, a claim is just a file. In other videos from this course, I will go into more detail about how the claim file works and how it is used in Federation Services. In this example, notice that the user and email service is added to the claim. The claim is signed by the server and presented to the other Federation Server in the resource partner organization. This is a simplification of the process, but you should get the idea that a claim is essentially a statement about who the user is and what they would like access to.

This brings us to the next term, claims provider trust. Now we already know that a federation trust is required for Active Directory Federation Services to work; however, Active Directory Federation Services supports two kinds of trusts, the first one being the claims provider trust. A claims provider trust is normally created in the resource partner organization and essentially defines how the other organization will access the resources. So this includes the basic rules for the trust, what it can access and who can use this trust, or in simple terms, defines who and how the trust is used. Personally, I think the name is misleading. You would think that a claims provider trust would provide claims; however, it does the opposite and accepts them. Normally a file would be provided to the resource partner organization with this information, but if it is not, the information can be entered in manually. Once created, this defines the rules the resource partner organization will use to provide access to resources.

The next trust that I will look at is the relying party trust. It is a simple thing to say I trust another organisation's users to access Active Directory Federation Services; however, for the whole system to work, Active Directory Federation Services needs to access non-federation services. For example, when a user requests access they must be authenticated, and this means the Federation Server must contact a service like Active Directory Domain Services. This requires a relying party trust. The relying party trust in this case is essentially the configuration created on Active Directory Federation Services that describes how it will access other resources, in this example how it will access Active Directory. The relying party trust is also used in the resource partner organization, for example to access a claims-aware application. In order for this to occur, the Federation Server must trust the server running the claims-aware application. Once again, the relying party trust is created on Active Directory Federation Services and defines the trust relationship between it and the claims-aware application. So essentially a relying party trust is used by Active Directory Federation Services to issue claims. If you get confused, remember: claims provider trusts accept claims, relying party trusts create claims. In later videos I will look at how to create these trusts. A claims provider trust will be on one side and a relying party trust on the other. If you are not sure which, ask yourself which side is accepting claims, and this will be the claims provider trust. In later videos when I set up Active Directory Federation Services this will make more sense.

The next term I will look at is claims provider. The claims provider is the organization that provides a claim to its users. In most cases this is the account partner organization. The claims are used by claims-aware applications, and this can happen in a number of different ways. Let's consider a domain that is holding the Active Directory Federation Services which creates claims for its users. These claims are used to access claims-aware applications. This will normally be in an external domain; however, it could also be in the cloud or, in some cases, in the same domain as the Active Directory Federation Server. You can see how there is a lot of flexibility in how these claims can be used by an organization. Why would you use Active Directory Federation Services in the same domain? If the user was mobile, some organizations will place the claims-aware application in their perimeter network for the mobile users to access. This is one way a company can choose to keep their network secure.

The next term I will look at is Federation Server. This is simply a server that is configured to run Active Directory Federation Services; in other words, the Active Directory Federation Services role has been added and configured. The next term is account Federation Server. This is an Active Directory Federation Server that issues security tokens to a user. To understand what a security token is, consider that you have an Active Directory Federation Server and a user. The Active Directory Federation Server will create a security token. Inside this security token is placed a claim. The security token is then given to the user. Thus an account Federation Server provides security tokens to the user.

So the question is, where does the Federation Server obtain the information to put inside the security token and the claim? To obtain information to create a token, information is obtained from an attribute store. This is essentially a database. Common databases that are used are Active Directory Domain Services and SQL Server. So essentially this database contains details about the users. It should be pointed out that this is different from authentication. For example, a user could be authenticated by a domain controller and then additional attributes obtained from the SQL Server. Having said this, the user could also be authenticated by a domain controller and then details like their first and last name could be obtained from the domain controller. You can see the attribute store simply contains information that is used to create the claim. For example, suppose there is a requirement that all claims have a picture of the user in them. Active Directory does not include this ability by default. It can be added, but most administrators do not like adding features like this as it involves changing the schema, which cannot be reversed once done. To get around this, after the user is authenticated a claim is created with information like the username obtained from Active Directory; however, the picture is obtained from a SQL Server. You can see how an attribute store is used to hold information to be used in the claim. You can see that even though Active Directory can be used as an attribute store, this is separate from authentication. Essentially the attribute store is a database that is used to obtain information to store in a claim.

The next point to consider is how configuration information is transferred between different Active Directory Federation Services. If you consider an account and resource organization, a trust needs to be created between these two. This can be done manually, but this involves some extra work. Rather than performing the step manually, the configuration data can be exported. This can then be transferred to the other server using any method, for example via the network, email or through the postal service. This data is then imported into the other server. Thus essentially the federation metadata is the data format used for configuration. It uses Security Assertion Markup Language for the data format. It is not important that you understand how this works at present as it will be covered in more detail in a later video.

Each Active Directory Federation Services instance stores its data in a database. This is referred to as an AD FS configuration database. If you have SQL Server on your network you can use this to store the configuration in; if you do not, you can use the Windows Internal Database to store the data in. The important point to remember is that an AD FS configuration database is required in order to run Active Directory Federation Services.

The next term I would like to look at is the primary Federation Server. When you create a farm of Active Directory Federation Servers, the first server added to the farm is the primary Federation Server. This server has a read/write copy of the configuration database. If you add additional Federation Servers to the farm, these Federation Servers will have a read-only copy of the database. These Federation Servers will need to replicate any changes made to the configuration database to the primary Federation Server holding a read/write copy of the database.

The next term I will look at is federated users. A federated user is a user that has been provided with a claim. This claim allows them to access an application or resource. For example, if a Federation Server were to issue a claim to a user, this user would now be a federated user. The next term is relying party. This is simply the organization that receives and processes the claim. Essentially this is the resource partner, so if you see this term you know it is referring to the resource partner organization.

The next term I will look at is resource Federation Server. This is a Federation Server in the resource partner organization. What a resource Federation Server will typically do is this: a user will obtain a security token from their account Federation Server. This will have the claim information inside it but does not give them access to anything. The security token is presented to the resource Federation Server. The security token is checked to make sure it is valid, and then the claim removed from the inside. This claim is used to create a new claim, and then the old claim is destroyed. The point to remember here is that this new claim is based off the old claim. This new claim defines what the user can have access to. It is then placed inside a security token and given to the user. The user is free then to use this security token to access services or resources.

If this is confusing, think of it like this. It's like getting a letter telling you your driver's license has been approved. If you head off to collect your driver's license, the person at the counter looks at the letter and sees it as legitimate. They then say, I cannot issue you a driver's license, you need to go see this person. The person behind the counter keeps the letter, but they give you another document so that you can claim your driver's license. All you need to do now is see that person, give them the document that you were given, and you will be able to collect your driver's license. A resource Federation Server works off the same principle. You give a claim to the resource server, they look at what you are asking for and then give you a different claim back so that you can access what you asked for. These claims are stored in a security token so that they can be checked to make sure they are legitimate.

The last term I will look at is claims-aware application. This is any application that can accept claims. For example, a user that is given a security token from a resource Federation Server can then give the security token to a claims-aware application. The claims-aware application will then provide the user with the resource or service that they are requesting. For example, Microsoft Office is an example of a claims-aware application.

There has been a lot covered in this video, but unfortunately it is necessary to get the building blocks in place before looking at how to use Federation Services. I would like to thank you for watching this video and hope you found it useful. I also hope to see you in the other free Federation Services videos from us. Thanks and see you next time.
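The two-hop token flow the video describes (account Federation Server issues a security token, resource Federation Server validates it through its claims provider trust and issues a new token for the relying party, claims-aware application accepts only that second token) can be modelled in a few dozen lines. The block below is an added example and is not code from the video or from AD FS itself. It simplifies one thing deliberately: tokens are signed with HMAC-SHA256 over a per-server secret, whereas real AD FS signs SAML or JWT tokens with the private key of an X.509 token-signing certificate, and it is the certificate (public part only) that the partner imports into its claims provider trust. All server names, keys, users and the attribute store are constructed for the example.

```python
"""Toy model of the AD FS token flow: account side issues, resource side
re-issues, application accepts.  Added example; all names/keys constructed.
HMAC stands in for X.509 token signing (see lead-in)."""
import hashlib
import hmac
import json

TOKEN_LIFETIME = 300  # seconds a security token stays valid


def _sign(key: bytes, body: dict) -> str:
    """Signature over canonical JSON so any edit or reordering invalidates it."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def _verify(key: bytes, token: dict, expected_audience: str, now: float) -> dict:
    """Shared check used by both federation servers and applications."""
    body = token["body"]
    if not hmac.compare_digest(token["sig"], _sign(key, body)):
        raise PermissionError("signature does not verify against the trusted key")
    if body["aud"] != expected_audience:
        raise PermissionError(f"token is addressed to {body['aud']!r}, not to us")
    if now >= body["exp"]:
        raise PermissionError("token expired")
    return body["claims"]


class FederationServer:
    def __init__(self, name: str, signing_key: bytes):
        self.name = name
        self._signing_key = signing_key
        self.claims_provider_trusts: dict = {}  # issuer -> key we ACCEPT claims from
        self.relying_party_trusts: dict = {}    # audience -> rule used to ISSUE claims

    def add_claims_provider_trust(self, issuer: str, issuer_key: bytes) -> None:
        self.claims_provider_trusts[issuer] = issuer_key

    def add_relying_party_trust(self, audience: str, transform) -> None:
        self.relying_party_trusts[audience] = transform

    def issue_token(self, claims: dict, audience: str, now: float) -> dict:
        """Relying party trusts create claims: apply the RP's rule, sign a token."""
        transform = self.relying_party_trusts.get(audience)
        if transform is None:
            raise PermissionError(f"no relying party trust for {audience!r}")
        body = {"iss": self.name, "aud": audience, "iat": now,
                "exp": now + TOKEN_LIFETIME, "claims": transform(claims)}
        return {"body": body, "sig": _sign(self._signing_key, body)}

    def accept_token(self, token: dict, now: float) -> dict:
        """Claims provider trusts accept claims: issuer must be a trusted partner."""
        issuer = token["body"]["iss"]
        key = self.claims_provider_trusts.get(issuer)
        if key is None:
            raise PermissionError(f"no claims provider trust for issuer {issuer!r}")
        return _verify(key, token, self.name, now)

    def reissue_token(self, inbound: dict, audience: str, now: float) -> dict:
        """Resource federation server: old claims in, new token out (old one discarded)."""
        return self.issue_token(self.accept_token(inbound, now), audience, now)


class ClaimsAwareApp:
    """Trusts exactly one issuer: the resource federation server in front of it."""
    def __init__(self, name: str, issuer: str, issuer_key: bytes):
        self.name, self.issuer, self._issuer_key = name, issuer, issuer_key

    def accept(self, token: dict, now: float) -> dict:
        if token["body"]["iss"] != self.issuer:
            raise PermissionError("token not issued by our resource federation server")
        return _verify(self._issuer_key, token, self.name, now)


# Constructed attribute store (stands in for AD DS / SQL Server attributes).
ATTRIBUTE_STORE = {"alice": {"mail": "alice@itfreetraining.local", "groups": ["Sales", "MailUsers"]}}


def account_claims(user: str) -> dict:
    """Account partner: user already authenticated; attributes come from the store."""
    attrs = ATTRIBUTE_STORE[user]
    return {"upn": f"{user}@itfreetraining.local", "mail": attrs["mail"], "groups": attrs["groups"]}


def mail_app_rules(old: dict) -> dict:
    """Issuance rule for the mail app: keep identity, map group to role, drop the rest."""
    return {"name": old["mail"], "role": "mailbox-user" if "MailUsers" in old["groups"] else "none"}


def _rejects(accept, token: dict, now: float) -> bool:
    try:
        accept(token, now)
        return False
    except PermissionError:
        return True


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the whole flow once and report what each party accepted or rejected."""
    account_fs = FederationServer("fs.itfreetraining.local", b"account-signing-key")
    resource_fs = FederationServer("fs.resource.example", b"resource-signing-key")
    # Federation trust: resource side imports the account side's key (claims provider
    # trust); account side registers the resource side as a relying party it issues to.
    resource_fs.add_claims_provider_trust(account_fs.name, b"account-signing-key")
    account_fs.add_relying_party_trust(resource_fs.name, lambda c: c)
    resource_fs.add_relying_party_trust("mail.resource.example", mail_app_rules)
    mail_app = ClaimsAwareApp("mail.resource.example", resource_fs.name, b"resource-signing-key")

    account_token = account_fs.issue_token(account_claims("alice"), resource_fs.name, now)
    resource_token = resource_fs.reissue_token(account_token, "mail.resource.example", now)

    # A server with the right name but the wrong key: no valid trust, no access.
    rogue = FederationServer(account_fs.name, b"rogue-key")
    rogue.add_relying_party_trust(resource_fs.name, lambda c: c)
    forged = rogue.issue_token(account_claims("alice"), resource_fs.name, now)

    return {
        "app_claims": mail_app.accept(resource_token, now),
        # The account token alone "does not give them access to anything".
        "direct_use_rejected": _rejects(mail_app.accept, account_token, now),
        "forged_rejected": _rejects(lambda t, n: resource_fs.reissue_token(t, "mail.resource.example", n), forged, now),
        "expired_rejected": _rejects(mail_app.accept, resource_token, now + TOKEN_LIFETIME),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Read `accept_token` as the claims provider trust side and `issue_token` as the relying party trust side: the first decides whose claims are believed, the second decides which claims are written into a new token and for whom. Note that the application never sees the account partner's groups or UPN; the resource Federation Server's rule decides what the relying party learns, which is the "new claim based off the old claim" step from the video.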
Info
Channel: itfreetraining
Views: 43,668
Rating: 4.9786096 out of 5
Keywords: Active Directory Federation Services Definitions, Federation Services Definitions, ITFreeTraining
Id: ZAkmmqImqzY
Length: 15min 28sec (928 seconds)
Published: Tue Jun 17 2014