The Federation Server As a Claims Provider
May 16, 2013
To summarise this particular post:
- The Claims Provider presents a web service that can issue security tokens containing claims in a standardized format (SAML – Security Assertion Markup Language)
- The Claims Provider allows administrators to publish policy data about the claims provider, which a relying party federation server can retrieve and use as part of the federation relationship.
The federation server is a computer that runs a security-conscious service that issues security tokens.
When the federation server is given the role of a Claims Provider (CP), it provides authentication capabilities, whereas in the Relying Party (RP) role it acts as a passage that allows identities to travel between different security boundaries.
In the case of Office 365, Active Directory Federation Services (AD FS 2.0) is the Windows Server role that provides this federation server functionality. In this implementation, ADFS can fulfil either of the above functions: Claims Provider or Relying Party.
As a Claims Provider:
- Processes requests from incoming users to provide signed tokens containing claims that represent the user’s digital identity.
- Claim information can consist of the user’s name, role, group membership, etc.
- ADFS issues tokens in a SAML format.
- ADFS can protect the contents of security tokens in transit by signing and encrypting them.
Side note – ADFS 2.0 allows you to encrypt tokens; in previous versions, tokens were only digitally signed.
As a Relying Party:
- Receives tokens from a trusted Identity Provider.
- Will issue new security tokens that a local application can consume to make authorisation and personalisation decisions.
- By using a relying party, organisations such as Microsoft are able to provide ‘Single Sign-On’ (SSO) for Office 365, crossing the boundaries between ‘signing on locally’ and authorising use within the ‘cloud’.
The two above terms can be further defined as follows:
Claims Provider – An organisation that is responsible for the user identities in a federated relationship. (In our examples this will be the organisation with the on-site Active Directory infrastructure.)
Relying Party – The organisation that is responsible for administering and protecting the web-based resources and other claims-based applications. (In our example this would be the cloud, Office 365.)
In a Federation Trust Relationship, the Relying Party is the partner that trusts (or relies on) a Claims Provider to authenticate users. This takes the process of user authentication away from the applications and web services that are managed by the RP. The RP consumes the claims from the CP, which it verifies, typically, through a PKI certificate.
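To illustrate the policy data a Claims Provider publishes and the certificate the RP relies on, here is an added example (not code from the original post or from AD FS) that reads the signing certificate out of claims-provider metadata and compares it with what the relying party has on record. It assumes the SAML 2.0 metadata layout; the entity ID, the stand-in certificate bytes and the SHA-256 pinning scheme are constructed for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample data: a hypothetical entity ID, and byte strings standing
# in for DER-encoded certificates (they are not real certificates).
ENTITY_ID = "http://sts.example.test/adfs/services/trust"
SIGNING_DER = b"constructed-signing-certificate"
ENCRYPTION_DER = b"constructed-encryption-certificate"

def _key(use, der):
    b64 = base64.b64encode(der).decode()
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{b64}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')

SAMPLE_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
    f'entityID="{ENTITY_ID}"><md:IDPSSODescriptor '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + _key("signing", SIGNING_DER) + _key("encryption", ENCRYPTION_DER)
    + '</md:IDPSSODescriptor></md:EntityDescriptor>')
# Fingerprints the relying party recorded when the trust was created.
PINNED = {ENTITY_ID: {hashlib.sha256(SIGNING_DER).hexdigest()}}

def signing_fingerprints(metadata_xml):
    # Returns (entityID, SHA-256 fingerprints of the published signing certs).
    # Stdlib parser for brevity; untrusted XML calls for a hardened parser.
    root = ET.fromstring(metadata_xml)
    found = set()
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means any use
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            if der:
                found.add(hashlib.sha256(der).hexdigest())
    return root.get("entityID"), found

def check_claims_provider(metadata_xml, pinned):
    # Returns a list of problems; an empty list means the metadata matches.
    entity_id, found = signing_fingerprints(metadata_xml)
    if entity_id not in pinned:
        return [f"unknown claims provider: {entity_id}"]
    problems = [] if found else ["no signing certificate published"]
    problems += [f"unpinned signing certificate: {fp}"
                 for fp in sorted(found - pinned[entity_id])]
    return problems
```

A signing certificate that appears in the metadata without being on record is worth investigating before the trust is updated, since every token the RP accepts is verified against that key.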