1. Active Directory Federation Services
Cross-Platform Interoperability
Windows Live@Edu – ADFS/Shibboleth

2. Agenda
Introduction

Project Background

Missouri, Oxford & Microsoft

Things we’ll cover:

Overview of Technologies

ADFS/Shibboleth Interoperability Demos


3. Project Background
Based on OCG White Paper:

Achieving interoperability between Active Directory Federation

Services (ADFS) and Shibboleth
Demonstrate interoperability between ADFS and

Shibboleth System 1.3c Release
Using ADFS plug-in for SAML 1.1 Identity and Service Providers

Support for WS-Federation Passive Requestor Interoperability Profile

Demonstrate interoperability with sample applications

- Microsoft Office SharePoint Server 2007 and Windows Live IDs

4. Technology Overview
Shibboleth

Standards-based, Open Source Middleware Software

Project of Internet2/MACE (Middleware Architecture Committee for

Education)
Internet2 – U.S. Advanced Networking Consortium led by the

education and research community
(universities, partners, laboratories, government agencies, etc.)
URL: http://shibboleth.internet2.edu/about.html

Implements the OASIS SAML v1.1 specification

December 2005 - Extension for ADFS support is developed

Implemented in Shibboleth versions 1.3.c and later

Platforms include: UNIX (Solaris, etc.), Linux

(Fedora, Ubuntu, etc.), Mac OS-X

5. Show of Hands
How many schools have a websso?

 How many use CAS?
 Pubcookie?
 Something else?
How many have a Shibboleth?

How many have ADFS?

How many run a websso & Shib or ADFS?

Does anyone run both ADFS & Shib?


6. Project Credits
Project Sponsors

Walter Harp, Microsoft Corporation

John DuBois, Microsoft Corporation

Credits and Contributions

Ryan Woodsmall, University of Missouri

Brian Dourty, University of Missouri

Edward D. McKinzie, University of Missouri

Bryan W. Roesslet, University of Missouri

Randy Wiemer, University of Missouri

Chris Calderon, Oxford Computer Group

Jim Muir, Oxford Computer Group


7. Technology Overview
Active Directory Federation Services (ADFS)

First introduced in Windows Server 2003 R2 to provide “Identity

Federation”
 Projecting user identity from a single logon…
 Providing single identity based entitlements…
 Connecting islands (across security, organizational or platform
boundaries)
 Result: Web single sign-on & simplified identity management
Web Services and WS-* Security Standards

Specifically implementing the WS-Federation and WS-Federation

Passive Requestor Profile specifications

8. Language Translation

9. Demonstration Overview
Establishing Federated Interoperability between ADFS
(Relying Party) and Shibboleth (Identity Provider)
Demonstration 2:
Shib.org User will access MOSS 2007
Extranet Portal.
Demonstration 1:
Shib.org User will access Sample Claims-
App that will display the set of claims,
associated with that user.

10. Configuration Details
ADFS Configuration Policy Requirements

Federation Service URI – This uniquely identifies a federated partner

Federation Service endpoint URL – The URL that partner organizations to send

requests and responses.
Token Signing Certificate – Relying Party requires a signing certificate that is used to

by the Identity Providers to digitally sign message exchanges.
ADFS Management Console - This is the primary management console for

administrative management of Account Partners (Identity Providers)

11. Configuration Details
Shibboleth Configuration Requirements

XML Metadata - Trust Policy Configuration
 idp.xml – (The main configuration file for the identity provider.)
Configures the Shibboleth ADFS extension

Provides key information for relying parties

Adds reference mapping support for identity claims (i.e. MS UPNs)

Adds the XML attribute namespace=http://schema.xmlsoap.org/claims to attribute definitions in

resolver.xml for any attributes that should be sent to ADFS providers.
resolver.xml – (Attribute extraction)

Defines the connection to attribute store

arp.site.xml– (Attribute release policy)

Defines which attributes are available to relying parties

Controls (Permits/Denies) attribute release rules


12. Demonstration Overview
Windows Live ID/Passport Interoperability
Demonstration 3:
Shib.org User access Windows Live@edu
by passing WLID through claims to generate
SLT. The Identity Provider (IdP) acts as the
Windows Live Account Store.

13. Configuration Details
Windows Live ID Interoperability

WLIDs (Short-live Tokens) – Can be used to further extending SSO into

Web Applications.
Benefits:

Windows Live ID users can access resources typically only available

only for AD accounts (SharePoint Sites, etc.)
Applications do not need to implement any Windows Live ID code

Single Account Management (instead of AD and Windows Live)


14. Summary
Successfully demonstrated the interoperability between

ADFS and Shibboleth:
Straight forward configurations

No special software or customization required by either party.

Language Translation (Understanding component relations of each

technology)
Lessons learned

Federating with Windows Live IDs

Microsoft Office SharePoint Server 2007 Compatibility
