5. @fdwl #BriForum @entisys
Identity and Account Management Basics
Identity Management (IdM) describes the management of individual principals, their authentication, authorization, and privileges within an enterprise.
Integral components of identity and access management:
Identification
Authentication
Authorization
7. Entity vs Identity vs Credential vs Attribute
Entity
• Person
• Computer
Identity
• Active Directory account
• Passport number
• Serial number
Credential
• Passport
• Credit card
• Kerberos token
Attribute
• Address
• Qualification
• Criminal record
8. Attribute Assertion
An attribute assertion is a claim made by someone (the asserter) that a particular person possesses a particular attribute.
A college can confirm that a person has graduated.
Active Directory can confirm that a password is correct.
A digitally signed attribute assertion = authorization credential.
Source: David W Chadwick, Federated Identity Management, http://kar.kent.ac.uk/30609/1/FederatedIdManChapter.pdf
9. Credential Types
Credential authenticity
The credential has not been tampered with
Received exactly as issued by the issuing authority
Digitally signed to prove authenticity
Credential validity
Monopoly money is authentic if obtained from the Monopoly game pack:
valid for buying things in the game
NOT valid in a grocery store
A credit card is an authentic credential:
valid in Marks & Spencer
not valid in a fishing village in the middle of nowhere during the night
Source: David W Chadwick, Federated Identity Management, http://kar.kent.ac.uk/30609/1/FederatedIdManChapter.pdf
10. What is Federation?
A set of standards-based technology & IT processes to facilitate distributed identification, authentication & authorization across boundaries (security, departmental, organizational or platform).
12. Federation Example
Facebook performs authentication and generates a signed attribute assertion with the user name and a unique user ID.
Digg maintains the user database and authorization.
13. Why Do I Need Federation?
Provide access to your applications to suppliers or partners
Quickly onboard an acquired organization
Provide access for temporary workers by using a “bring your own identity” model
14. Can’t I Just Create User Accounts?
More work for you
Less security for your network
No control over the user population
15. Can’t I Just Use Forest Trusts?
Network connection between partners
User principal name (UPN) suffixes, service principal name (SPN) suffixes, and security ID (SID) namespaces are replicated
DNS configuration is required
16. Benefits of Federation
Better Access Experience
Single sign-on across networks & organizational boundaries
Increased Security & Simpler Administration
Heightened identity assurance
No passwords involved
Account de-activation is handled by the account partner
Account partner can easily be disabled at the organizational level
Strong authentication such as user certificates or OTP tokens can be layered on top of federation claims
18. SAML
SAML – Security Assertion Markup Language
XML-based security specification for exchanging authentication and authorization information
Developed by the OASIS standards organisation
Uses HTTP as the communication protocol
Designed to address the complexities of establishing business-to-business communication between differing systems.
19. SAML Assertion
A set of statements (claims) made by a SAML authority (Identity Provider or IdP)
Authentication statement: the subject was authenticated using a particular technique at a particular time
Attribute statement: particular attribute values are associated with the subject
Optional authorization decision statement: the subject is authorized to perform certain actions
21. X.509 Certificates
Trust is managed through certificates
Certificates for:
HTTPS communications
Security token signing and encryption
Certificates A & B require PKI; C & D can be self-signed
(Diagram: relying party and issuer; communication certificates A and B, each with its own root; security token (ST) signing with the public key of C; ST encryption with the public key of D)
22. Federation Metadata
During the establishment of the issuer / relying party trust, both parties will require configuration which includes:
End-points for communication
Claims offered by issuer
Claims accepted by relying party
Public keys for signing and encryption
This information can be configured manually or automatically via the exchange of federation metadata.
Federation metadata can be automatically updated.
24. Active Directory Federation Services
AD FS 1.0 - released with Windows Server 2003 R2 as part of the operating system
AD FS 1.1 - released with Windows Server 2008 and was carried into Windows Server 2008 R2
AD FS 2.0 was released after Windows Server 2008 R2. It was released to the web and is free to download.
ADFS 2.1 was released with Windows Server 2012 as part of the operating system
25. ADFS 1.x
AD FS 1.x is limited:
WS-Federation Passive Requestor Profile (browser)
SAML 1.0 tokens
SAML 2.x is not backward compatible with SAML 1.x, so forget about ADFS 1.x
26. ADFS 2.x
A SAML implementation (both IdP and SP) from Microsoft
An AD-based single sign-on system
SAMLv2 authentication
Allows single sign-on support for web-based applications.
ADFS for Windows 2008 R2 has SAML 2.0 support.
27. Can I Have it Out of the Box?
Not with StoreFront
Web Interface 5.4 supports ADFS out of the box!
ADFS version 1.1 only
Windows Server 2003 R2 only
32-bit edition of 2003 R2 only
Not supported with NetScaler, Secure Gateway only
Does not work with XenDesktop
28. Authentication in XenApp/XenDesktop
Support for several authentication methods:
Smart cards, client certificates, RSA SecurID, etc.
Support for OS and non-OS credential stores:
OS: Active Directory and eDirectory
Non-OS: LDAP, RADIUS, 3rd-party authentication methods.
Leverages authentication methods supported by Windows:
Smartcard support
Client certificate support
Custom 3rd-party authentication mechanisms through GINA extensions.
Leverages Windows authentication to flow the OS identity tokens between Access Infrastructure services
Example: flowing Kerberos tickets between the ICA client and the XA server.
31. NetScaler & SAML Authentication
NetScaler can act as a Service Provider (SP)
User can be authenticated on LB or CS vserver
NetScaler Gateway 10.1 supports SAML 2.0
Configuring SAML Authentication on NetScaler Gateway: http://support.citrix.com/proddocs/topic/netscaler-gateway-101/ng-authen-saml-con.html
NetScaler practical / SAML AAA against simplesamlphp IdP: http://blogs.citrix.com/2012/08/24/174193098/
How to Configure NetScaler SAML to Work with Microsoft AD FS 2.0 IdP: https://support.citrix.com/article/CTX133919
Does not provide metadata; use Metadata builder: http://samlmetajs.simplesamlphp.org/demo
32. Authentication flow
Participants: User, NetScaler (SP), IdP, Active Directory. SP trusts IdP.
Browse to NG
Not authenticated
Redirected to IdP
Authenticate
Query for user attributes (Active Directory)
Return Security Token (ST)
Send Token (ST) to SP
Return page and cookie
36. Federation Example (slide 12 repeated), leading into: Shadow Accounts
37. Shadow Accounts
Required to delegate access to non-claim-aware resources
Regular user account
Mapped to the attribute received from the IdP
Can be mapped to any attribute
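As an added example, not from the presentation or from Citrix, here is the SP-side validation implied by the "SP trusts IdP" step of the authentication flow above (issuer, validity window, audience, authentication statement), followed by the shadow-account mapping this slide describes; the assertion, entity IDs and account table are constructed, and XML-DSig signature verification is assumed to have already passed upstream.

```python
# Added example: SP-side checks on an incoming assertion (issuer, validity window,
# audience, authentication statement) and the shadow-account lookup that follows.
# XML-DSig verification is assumed done upstream; assertion and account table are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://ng.example.test/saml"                     # assumed SP identifier
TRUSTED_ISSUER = "https://idp.example.test/adfs/services/trust"   # assumed IdP identifier
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2013-05-21T10:00:00Z">
  <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>gundarev@partner.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-05-21T09:59:00Z" NotOnOrAfter="2013-05-21T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://ng.example.test/saml</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2013-05-21T09:59:30Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>gundarev@partner.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# Constructed shadow-account table: value of the mapped IdP attribute -> local AD account.
SHADOW_ACCOUNTS = {"gundarev@partner.com": "CORP\\shadow-gundarev"}

def _ts(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now_iso):
    """Return (ok, reason, attributes); fails closed whenever a required element is absent."""
    a, now = ET.fromstring(xml_text), _ts(now_iso)
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != TRUSTED_ISSUER:
        return False, "untrusted issuer", {}
    cond = a.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "missing conditions", {}
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "outside validity window", {}
    if SP_ENTITY_ID not in [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return False, "audience mismatch", {}
    if a.find("saml:AuthnStatement", NS) is None:
        return False, "no authentication statement", {}
    attrs = {at.get("Name"): at.findtext("saml:AttributeValue", namespaces=NS)
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return True, "ok", attrs

def shadow_account_for(attrs, claim=UPN_CLAIM):
    # The slide says any attribute can be mapped; the UPN claim is the assumed default here.
    return SHADOW_ACCOUNTS.get(attrs.get(claim))
```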
38. SAML for XenApp/XenDesktop Options
S4U (Service-for-User) Kerberos Extensions
Kerberos delegation and S4U on NetScaler – too complicated
S4U on WebInterface? No future!
S4U on StoreFront? You mean StoreFront code customization?
42. Account Manager Service
Web application
Creates shadow user accounts with a random password in AD
Stores the password securely
Responds to an HTTP request with the user's password:
GET /GetPassword/gundarev@partner.com
Response: 0@J4y9jCv9CHzP2Q!rhMHY@7AOk7vfF2Rf1!T!i29QG^se^RQZbhjt4fOOmn$CN4
46. Communication flow
Components: User browser, ADFS, Active Directory, Account Manager, NetScaler, StoreFront, XenDesktop Controller (DDC), VDA
1. User authenticates at SSO portal
2. SSO sends SAML Response to the user's browser
3. User's browser POSTs SAML response to NetScaler Gateway
4. NetScaler requests shadow user credentials from Account Manager
5. Account Manager sends credentials back to NetScaler
6. NetScaler submits shadow user credentials to StoreFront
7. StoreFront requests XenDesktop token from DDC
8. DDC sends XenDesktop token back to StoreFront
9. StoreFront sends ICA file
10. Citrix Receiver connects to Access Gateway
11. NetScaler Gateway connects to the desktop (VDA)
12. Shadow user logged on