10/1/13

Study: Active Directory Federation Services

Someday I want to take the Desktop Virtualization course at TrainSignal. Then I want to take the SQL Server 2008 Administration course and associated exam.

AD FS is essentially an enhanced one-way AD Trust with selective authentication all wrapped up in SSL for transport over the Internet. Side note: Server 2012 doesn't include a “System Restore” feature like desktops do.

To summarize what I’ve learned about AD FS – you have two Active Directory domains (or it could be another identity source) that trust each other. The side which provides the initial validation of a user’s identity (e.g. Cash Cow Capital Group) is the “claims provider” or “security token service” (STS); the side which provides a program or service is the “relying party” (e.g. Globomantics’ secure web server). The application must be “claims aware” – i.e. designed specifically to be aware of claims – or at least built with .Net, such as OWA, so the “Claims to Windows Token service” can assist it. All the examples that I’ve seen are web services, but I think that Office 365 offers AD Federation for your Outlook…but that makes sense because nowadays Outlook does all its “talking” over an HTTPS connection to the server so it can work from anywhere.

Back to the topic…so on the claims provider (aka STS), you configure the “Relying Party Trust” where you can configure three types of rules: you must have an “Issuance Authorization Rule” which defines who is allowed; an optional “Issuance Transform Rule” which customizes the claim data (i.e. user attributes) that you’ll send back to the relying party; and a “Delegation Authorization Rule”…which remains a mystery to me.

On the relying party (which serves up data to users authenticated by the STS) you configure a “Claims Provider Trust” where you state that you accept them as a trusted STS, then create an “Acceptance Transform Rule” which takes the claim(s) handed over by the STS and (optionally) converts them into different values before handing them up to the application.
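As an added example (my own, not from the original post or the TrainSignal course), here is what the three rule sets described above look like in the AD FS claim rule language, applied with the ADFS PowerShell module on Server 2012. The trust display names, the group SID and the relying-party identifier are placeholders; Cash Cow Capital Group is the claims provider and Globomantics the relying party, as in the text.

```powershell
# Added example: AD FS claim rules for the scenario above, applied with the
# Windows Server 2012 ADFS PowerShell module. Trust names and the group SID are
# placeholders; both trusts are assumed to exist already (created earlier with
# Add-AdfsRelyingPartyTrust / Add-AdfsClaimsProviderTrust).
Import-Module ADFS

# --- On the claims provider / STS (Cash Cow Capital Group) ---
$rpName = 'Globomantics Secure Web'   # placeholder trust display name

# Issuance Authorization Rule: least privilege. Only members of one AD group
# (placeholder SID) receive a permit claim; everyone else is refused because
# no rule issues a permit claim for them.
$issuanceAuthz = @'
@RuleName = "Permit only the Globomantics partner group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value == "S-1-5-21-PLACEHOLDER-1234"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Issuance Transform Rule: shape what the relying party learns about the user.
# Look up UPN and mail in AD and send only those two attributes as claims.
$issuanceXform = @'
@RuleName = "Send UPN and mail as claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
   Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";userPrincipalName,mail;{0}", param = c.Value);
'@

Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceAuthorizationRules $issuanceAuthz `
    -IssuanceTransformRules $issuanceXform

# --- On the relying party (Globomantics) ---
$cpName = 'Cash Cow Capital Group STS'   # placeholder trust display name

# Acceptance Transform Rule: accept only the claim types expected from this
# STS and pass them through unchanged. A bare "c:[] => issue(claim = c);"
# would forward every incoming claim, including ones the app never asked for.
$acceptanceXform = @'
@RuleName = "Pass through UPN from the partner STS"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
@RuleName = "Pass through e-mail from the partner STS"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);
'@

Set-AdfsClaimsProviderTrust -TargetName $cpName -AcceptanceTransformRules $acceptanceXform
```

After applying, `Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object IssuanceAuthorizationRules` shows the rule text that AD FS actually stored, which is the quickest way to confirm the allow-list rule replaced any earlier permit-all rule.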

I’m not at all sure that I understand the difference between Issuance Authorization & Issuance Transform rules, but for the 70-412 exam I don’t think it’s a big deal. Found a write-up by Join.Me/LogMeIn on how to do AD FS with them. The Transcender practice test has a question about AD FS endpoints which was discouraging to me because the TrainSignal training didn’t even touch on that and I certainly haven’t investigated their specific purposes.