Claim Based Identity Systems

Video description: Claim Based Identity Systems

This video looks at Claim Based/Identity Based systems using Active Directory Federation Services as an example. Check out http://itfreetraining.com for more of our always free training videos. An example of a claim based system is where the user logs into a system like a web page using another system, for example a Facebook login.

Download the PDF handout http://ITFreeTraining.com/handouts/fe...

Example
This fictional example shows the key points of a Federation Service. Federation Services work as follows: a user wants to access a system that belongs to a third party (business B). To get in, the user's own organisation (business A) needs to provide something the third party can check to confirm that the person is allowed access. It is still up to the third party whether or not to grant access. The point is that business B can check that the employee is a valid employee of business A without having to contact business A to do so.

In this example, an Active Directory Federation Services deployment would work in the following way.
1) The user contacts the web server in business B in order to obtain access to a service.
2) The web server rejects the request because it does not know who the user is. It refers the user to the Federation Server in business B in order to obtain a claim that can be used to access the web server.
3) The user then contacts the Federation Server on the business B network.
4) The Federation Server in business B does not know who the user is either, so it tells the user to obtain authorization first.
5) The user contacts the Federation Server in its own business's DMZ (business A) and requests to be authenticated.
6) The Federation Server passes the username and password the user provided to a Domain Controller.
7) The Domain Controller responds to the Federation Server that the user has been authenticated.
8) The Federation Server gives the user a claim. This claim contains information indicating that the user has been authenticated.
9) The user presents this claim to the Federation Server in business B.
10) The Federation Server accepts the claim. Although not shown in this video, the Federation Server will often create a new claim of its own and give that to the user to grant them access to services.
11) The user presents the claim to the web server.
12) The web server accepts the claim and connects to a file server.
13) The file server returns the requested information to the web server.
14) The web server then presents the information to the user.

AD Example
In order for authentication to occur between two businesses using Active Directory alone, a trust relationship needs to be created between the two businesses. For this to work, firewall changes need to be made. An Active Directory trust is also connection based, which means a direct connection between the two businesses must be present. If you also want to allow services like file transfers, additional firewall changes are required. Companies often do not want to change their firewalls and do not want to establish direct, permanent connections to other businesses.

Advantages of Federation Services
Federation Services does not require a connection-style trust in order to work. It only requires a certificate to be exported and imported on the other side before the trust can be configured. Federation Services also uses the standard HTTP and HTTPS protocols, so these ports are most likely already open on the company's firewall. Companies are more likely to agree to open these ports than less commonly used ones. Because Federation Services uses standard protocols, it can also work with other systems: for example, a Windows based Federation Server can work with a Linux based Federation Server.
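The claim flow in steps 1 to 14, together with the certificate-only trust described above, as an added Go example (not code from the video, nor from ADFS): business B's federation server validates business A's claim using nothing but A's public key, which stands in for the exported and imported certificate, then issues its own claim for the web server, and the web server accepts only claims addressed to it. The party names (fs.a, fs.b, web.b), the Claim fields, Ed25519 signatures and the ten-minute lifetime are assumptions made for this example; the Domain Controller check in steps 5 to 7 is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Claim is what a federation server signs for the user (steps 8 and 10); the field names are this example's, not the ADFS format.
type Claim struct{ Issuer, Subject, Audience string; Expires int64 } // Expires is in unix seconds
// Token is the serialized claim plus the issuer's signature over it.
type Token struct{ Payload, Sig []byte }
// Party is a federation server or the web server; Trusted holds other parties' public keys, standing in for the exported/imported certificate.
type Party struct {
	Name    string
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	Trusted map[string]ed25519.PublicKey
}
func NewParty(name string) *Party {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Party{name, pub, priv, map[string]ed25519.PublicKey{}}
}
// Issue is step 8: after the domain controller has authenticated the user (steps 5-7, not modelled here), sign a short-lived claim for one audience.
func (p *Party) Issue(subject, audience string, now int64) Token {
	payload, _ := json.Marshal(Claim{p.Name, subject, audience, now + 600})
	return Token{payload, ed25519.Sign(p.priv, payload)}
}
// Verify is the check business B makes without contacting business A: signature under a trusted issuer's key, then audience and expiry.
func (p *Party) Verify(t Token, now int64) (Claim, error) {
	var c Claim
	err := json.Unmarshal(t.Payload, &c)
	pub, trusted := p.Trusted[c.Issuer] // unknown issuer: no key, so the signature is never checked
	if err != nil || !trusted || !ed25519.Verify(pub, t.Payload, t.Sig) {
		return Claim{}, errors.New("claim unreadable or not signed by a trusted issuer")
	}
	if c.Audience != p.Name || now >= c.Expires { // a claim for the federation server must not open the web server
		return Claim{}, errors.New("claim not meant for this party, or expired")
	}
	return c, nil
}
// Exchange is step 10: accept business A's claim, then issue a fresh one scoped to the web server.
func (p *Party) Exchange(t Token, webServer string, now int64) (Token, error) {
	c, err := p.Verify(t, now)
	if err != nil {
		return Token{}, err
	}
	return p.Issue(c.Subject, webServer, now), nil
}
```

Setting up the trust is one line per side (`fsB.Trusted["fs.a"] = fsA.Pub`, `web.Trusted["fs.b"] = fsB.Pub`); everything else is verified offline from the signed bytes.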

The description is too long for YouTube. Please see the following link for the rest of the description.
http://itfreetraining.com/federation#...

See /itfreetraining or http://itfreetraining.com for our always free training videos. This is only one video from the many free courses available on YouTube.

