Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
45 Cards in this Set
- Front
- Back
allows indentification, authorization, and authentication to occur across organizational boundaries, user are able to use their local credentials to access resources in hosted in another organization or cloud |
AD FS |
|
What are the ADFS Components? |
#1.Federation Server-has the ADFS role installed, manages request, involving identity claims. #2. Federation Server Proxy- server deployed on the perimeter network when we want to provide AD FS functionality to clients on untrusted networks such as the Internet. This server relays connections to the Federation Server on the internal network. *Can't be the same server as the Federation Server |
|
AD FS provide______which works on the basis of a ______ about a user , such as "allow access to this web application if the user is a full-time employee of the partner organization" |
Claims-based authentication, claims |
|
When building tokes that contain claim data, what does ADFS use? |
#1. Claim-descriptions about an object based on it's attributes. #2.Claim rules- determines how a federation server processes a claim; can a simple rule such as treating a user's email a valid claim, or a job title being translated into a security group membership. #3.Attribute Store- holds the values used in claims, |
|
is a federation server that provides users with claims, these claims are stored with digitally encrypted and signed tokens |
Claims Provider ; When a user needs a token, it contacts the AD deployment in its native forest to determine if the user has authenticated. It then builds a user claim using attributes located within AD and other attribute stores. *Attributes that are added to the claim are dependent on the attributes required by the partner. |
|
is a member of AD forest that host the resources that the user in the partner organization wants to access |
Relying Party ; it accepts and validates the claims contained in the token issued by the claims provider. It then issues a new token that is used by the resource to determine what access to grant the user from the partner organization. |
|
Why do we configure the relying party trust on the AD FS server that functions as the claims provider server |
Because a relying party trust means that a claims provider trusts a specific relying party. "Which resource server are we trusting" hence the key word "Relying Trust Party" |
|
Why do we configure the claims provider trust on the Federation Server that functions as the "Relying Party"(Resource Server) |
Because the claims provider trusts as a statement and means that a relying party trusts a specific claims provider. " Which account server are we trusting " hence the key word "Claims Provider" |
|
How do we configure a certificate relationship? |
#1.Using a 3rd party trusted CA, using an SSL Certificate #2.Configuring CA trusts between partners, we need to import the CA certificate of the partner organization's CA into the TRCA store directly of the AD FS Server, or through AutoEnrollment in Group Policy; and issue a certificate template from ADCS to secure the federation server endpoint |
|
What certificates does AD FS use? |
#1. Token-signing certificates-signs all tokens that it issues; the federation server that functions as the claims provider uses the token-signing certificate to verify its identity. The relying party uses the this ticket to verify it was issued by a trusted federation partner #2.Token-decrypting certificate- The public key from this certificate is used by the claims provider to encrypt the user token. When the relying party server receives the toke, it uses the private key to decrypt the user token. |
|
Where can we configure the additional attribute stores besides ADDS, LDAP, or Custom? |
#1.AD LDS #2.ADAM #3.SQL Server |
|
Claims rules determine how AD FS servers consume claims and it supports two different types of claims rules, what are those? |
#1.Relying Party Trust Claims Rules #2.Claims Provider Trust Claims Rules |
|
Claims rules for a relying party trust determine how the claims about a user are forwarded to the relying party. What are the three types of relying party trust claim rules? |
#1.Issuance Transformation Rules- determines how claims are sent to the relying party #2.Issuance Authorization Rules-determine which users have access to the relying party. #3.Delegation Authorization Rules- determines if users can act on behalf of other users when accessing the relying party |
|
Claims provider trust claim rules are set up on the relying party, and determine? |
how the relying party filters incoming claims |
|
How does the AD FS proxy work? |
They are deployed on the perimeter network as a way to increase security, clients communicate with the server, which then the ADFS Proxy Server communicates with the Internal Federation Server. |
|
Give an example of the ADFS Proxy process? |
The Proxy will forward authentication data from the client to the ADFS Claims Provider of the Federated Trust, and then the Claims Provider confirms the authentication and issues a token, which is relayed back through the proxy to the Relying Party AD FS Server, which also issues a new token that is sent back once more through the proxy to the original client. *The Proxy only forwards, and performs no authentication, and no generation of tokens. |
|
Adds an attribute store to the Federation Service. |
Add-AdfsAttributeStore |
|
Adds a new certificate to AD FS for signing, decrypting, or securing communications. |
Add-AdfsCertificate |
|
Adds a claim description to the Federation Service. |
Add-AdfsClaimDescription |
|
Adds a new claims provider trust to the Federation Service. |
Add-AdfsClaimsProviderTrust |
|
Registers an OAuth 2.0 client with AD FS |
Add-AdfsClient |
|
Adds a custom UPN suffix. |
Add-AdfsDeviceRegistrationUpnSuffix |
|
Adds this computer to an existing federation server farm. |
Add-AdfsFarmNode |
|
Adds a relying party trust that represents a non-claims-aware web application or service to the Federation Service. |
Add-AdfsNonClaimsAwareRelyingPartyTrust |
|
Adds a new relying party trust to the Federation Service. |
Add-AdfsRelyingPartyTrust |
|
Adds a relying party trust for the Web Application Proxy. |
Add-AdfsWebApplicationProxyRelyingPartyTrust |
|
Marks the Device Registration Service as disabled on an AD FS server. |
Disable-AdfsDeviceRegistration |
|
Disables an endpoint of AD FS. |
Disable-AdfsEndpoint |
|
Exports the custom configuration of an external authentication provider to a file. |
Export-AdfsAuthenticationProviderConfigurationData |
|
Generates SQL scripts to create the AD FS database and to grant permissions. |
Export-AdfsDeploymentSQLScript |
|
Exports properties of all web content objects in a specific locale to a specified file. |
Export-AdfsWebContent |
|
cmdlet exports a web theme object to a folder. The cmdlet creates necessary folders that correspond to the web theme settings. |
Export-AdfsWebTheme |
|
cmdlet retrieves the global rules that govern all applications that trigger additional authentication providers to be invoked. |
Get-AdfsAdditionalAuthenticationRule |
|
cmdlet gets a list of all authentication providers currently registered in Active Directory Federation Services (AD FS). |
Get-AdfsAuthenticationProvider |
|
cmdlet retrieves web content objects for all authentication providers, or a specified authentication provider in a locale. |
Get-AdfsAuthenticationProviderWebContent |
|
cmdlet displays the global authentication policy, which includes the providers currently allowed as additional providers in the AdditionalAuthenticationProvider property. |
Get-AdfsGlobalAuthenticationPolicy |
|
cmdlet gets all global web content objects or the global web content object that corresponds to the locale that you specify. |
Get-AdfsGlobalWebContent |
|
cmdlet gets all the associated properties for the Active Directory Federation Services (AD FS) service. |
Get-AdfsProperties |
|
cmdlet gets web content objects for relying parties. |
Get-AdfsRelyingPartyWebContent |
|
cmdlet gets the host name, port, and certificate hash for all SSL bindings configured for Active Directory Federation Services (AD FS) and, if enabled, the device registration service. |
Get-AdfsSslCertificate |
|
cmdlet imports custom configuration for an authentication provider from a file. |
Import-AdfsAuthenticationProviderConfigurationData |
|
cmdlet creates a set of claim rules in Active Directory Federation Services |
New-AdfsClaimRuleSet |
|
cmdlet creates a contact person object in ADFS. |
New-AdfsContactPerson |
|
cmdlet creates a new information object for an organization in Active Directory Federation Services |
New-AdfsOrganization |
|
cmdlet creates a Security Assertion Markup Language (SAML) protocol endpoint object. |
New-AdfsSamlEndpoint |