This post was written in Spanish, in honor of my native language. I would like to share with you a path for IT Pros to get into the world of STSs and Federated Identity by way of Windows Identity Foundation (ADFS v2.0). So far I have already deployed several labs and 2 pre-production environments of Geneva Server Beta 2, and it is time to recap a little where all of this came from.

To get to first base and have the basic concepts, I recommend reading an article that made me understand what was behind the whole identity and STS topic. It is part of issue 16 of the Architecture Journal, dedicated to identity; the article is Claims and Identity: On-Premise and Cloud Solutions by Vittorio Bertocci. As an introduction you can also revisit the talk Matias Woloski gave at Microsoft this year, Microsoft Architecture Day: Roadmap to Identity.

With the vision, Tokens, Claims and STSs in your pocket, let's go specifically to Microsoft's implementation, which is ADFS v2 (aka Geneva Server). The best technical documentation at the moment is on the ADFS v2 site within TechNet. Geneva Server is documented around two use cases, “Web SSO Design” and “Federated Web SSO Design”; although the second is the richer one because it tackles federation, it is important to understand both. Once the Federation Server topic is understood, we jump to the Proxy Server, which we use to fit into DMZs; when reading these sections pay special attention to DNS.

It is important to handle certificates properly (especially if you publish through an ISA Server reverse proxy). There are certificates on each Federation Server and on each Proxy Server to guarantee secure authentication with tokens. Finally, all of this concerns the STS layer exclusively. Remember that below this layer we will most likely have a Windows 2008 R2 NLB farm, which is a separate topic.

I hope this helps, and in future posts I would like to go deeper into implementation details that have come up in practice,

Before OpsMgr ACS is able to collect token related audit events (Event ID 299), auditing needs to be enabled on each Geneva Server on the farm. This will create a lot of audits, which you may need to filter using Noise Filtering on your assigned Audit Collector Server. I will cover how we achieved noise filtering on our platform in another post; for now, I want to share a couple of easy steps to centrally enable audits on your Geneva Servers,

1) In the Geneva Server MMC, for each Geneva Server on the farm

  1. Select the root node
  2. Edit Service Properties
  3. Check “Success” and “Failure” Events

2) In Active Directory

  1. Create a GPO and link it to the Geneva Servers OU
  2. Enable Audits
    1. Navigate to Security Settings -> Local Policies -> Audit Policy.
    2. Click the “Audit object access” Security Setting in the list view on the right-hand pane.
    3. On the “Local Security Setting” tab, check “[ ] Success” and/or “[ ] Failure” according to your needs.
  3. Give permissions to the service account
    1. Click Security Settings -> Local Policies -> User Rights Assignment.
    2. Double-click “Generate Security Audits” and add your service account to the Local Security Setting (you can verify the service account by opening “services.msc” and checking the log on account of the “Microsoft “Geneva” Server” service)
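As an added check (not part of the original post), the following PowerShell script verifies on one farm member that the audit policy and the “Generate security audits” right are in place and counts the Event ID 299 entries ACS would collect. The service display-name pattern, the temporary export path and the lookback window are assumptions; adjust them for your environment.

```powershell
# Added verification script (not from the post). Run elevated on each farm member.
# Assumptions: the service display name contains "Geneva" (adjust $ServicePattern),
# and token-issuance audits are Event ID 299 in the Security log, as the post states.
param(
    [string]$ServicePattern = '*Geneva*',
    [int]$TokenEventId = 299,
    [int]$LookbackHours = 24
)

# GPO step 2.2: "Audit object access" must be set to Success and/or Failure.
$audit = auditpol /get /category:"Object Access" 2>&1
$enabled = $audit | Where-Object { $_ -match 'Success|Failure' }
if ($enabled) {
    Write-Host "[OK] Object Access auditing is enabled:"
    $enabled | ForEach-Object { Write-Host "     $($_.Trim())" }
} else {
    Write-Warning "Object Access auditing is not enabled (GPO step 2.2 missing)."
}

# GPO step 2.3: the service log-on account must hold "Generate security audits"
# (SeAuditPrivilege). The right is checked by SID; a grant through group membership is not resolved.
$svc = Get-WmiObject Win32_Service | Where-Object { $_.DisplayName -like $ServicePattern } | Select-Object -First 1
if (-not $svc) { Write-Warning "No service matching '$ServicePattern' found."; return }
$account = $svc.StartName
Write-Host "Service '$($svc.DisplayName)' logs on as $account"
try {
    $sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
} catch { Write-Warning "Cannot resolve a SID for $account"; return }

$cfg = Join-Path $env:TEMP 'user-rights.inf'   # temporary export path (assumption)
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeAuditPrivilege' }
Remove-Item $cfg -ErrorAction SilentlyContinue
if ($line -and $line -match [regex]::Escape($sid)) {
    Write-Host "[OK] $account holds 'Generate security audits'."
} else {
    Write-Warning "$account lacks 'Generate security audits' (GPO step 2.3 missing)."
}

# Evidence: count the token audits that ACS would collect from this server.
$since = (Get-Date).AddHours(-$LookbackHours)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $TokenEventId; StartTime = $since } -ErrorAction SilentlyContinue)
Write-Host ("{0} event(s) with ID {1} in the last {2} hour(s)." -f $events.Count, $TokenEventId, $LookbackHours)
```

A zero count with both checks reporting OK usually means the MMC step (service properties, Success and Failure events) was skipped on this particular farm member.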

Happy auditing!

I want to share with you the status of the Identity and Access Management (Id&AM) portfolio offered by Microsoft. Let me first begin with “What is Id&AM for the enterprise?” The following approach is the one that Oracle proposes:

[Figure: Oracle's proposed Id&AM scope]

My first thought about the scope Oracle proposes is that it does not consider a long-term strong user authentication strategy that moves from password authentication to smart card authentication.

What is the value proposition from Microsoft? The identity portfolio has grown significantly since FY06 (when AD and MIIS were the only Microsoft players), so that we now have a value proposition based on 5 Identity Management Pillars which, although they are product-centric, cover many of the aspects that the industry considers within the scope of Id&AM:

[Figure: Microsoft's five identity management pillars]

1) Lifecycle management: Password Sync + Certificate Mgmt + Identity provisioning

2) Information Protection: Message Encryption + Rights Management

3) Federated Identity: Web single-sign-on. Federated Identity.

4) Strong Auth: SmartCard based auth built upon a PKI Infrastructure.

5) Directory services: Central identity repository. Authentication and role-based authorization.

For context, Microsoft began building its identity portfolio only recently (with more focus since FY06) and is now starting to be considered a challenger in the identity industry.

Below are the Gartner Magic Quadrants for Web Access Management and User Provisioning.

[Figure: Gartner Magic Quadrant for Web Access Management]

[Figure: Gartner Magic Quadrant for User Provisioning]

Today the Microsoft identity portfolio has many flaws, which you need to cover with partner solutions to gain full coverage of the enterprise's identity management needs. The main flaws concern reporting and having a true single-sign-on framework, which (again) you can only obtain by taking advantage of partner solutions (Quest, for example).

Source:

See you soon!