Study your flashcards anywhere!

Download the official Cram app for free >

  • Shuffle
    Toggle On
    Toggle Off
  • Alphabetize
    Toggle On
    Toggle Off
  • Front First
    Toggle On
    Toggle Off
  • Both Sides
    Toggle On
    Toggle Off
  • Read
    Toggle On
    Toggle Off
Reading...
Front

How to study your flashcards.

Right/Left arrow keys: Navigate between flashcards.right arrow keyleft arrow key

Up/Down arrow keys: Flip the card between the front and back.down keyup key

H key: Show hint (3rd side).h key

A key: Read text to speech.a key

image

Play button

image

Play button

image

Progress

1/45

Click to flip

45 Cards in this Set

  • Front
  • Back

allows indentification, authorization, and authentication to occur across organizational boundaries, user are able to use their local credentials to access resources in hosted in another organization or cloud

AD FS

What are the ADFS Components?

#1.Federation Server-has the ADFS role installed, manages request, involving identity claims. #2. Federation Server Proxy- server deployed on the perimeter network when we want to provide AD FS functionality to clients on untrusted networks such as the Internet. This server relays connections to the Federation Server on the internal network. *Can't be the same server as the Federation Server

AD FS provide______which works on the basis of a ______ about a user , such as "allow access to this web application if the user is a full-time employee of the partner organization"

Claims-based authentication, claims

When building tokes that contain claim data, what does ADFS use?

#1. Claim-descriptions about an object based on it's attributes. #2.Claim rules- determines how a federation server processes a claim; can a simple rule such as treating a user's email a valid claim, or a job title being translated into a security group membership. #3.Attribute Store- holds the values used in claims,

is a federation server that provides users with claims, these claims are stored with digitally encrypted and signed tokens

Claims Provider ; When a user needs a token, it contacts the AD deployment in its native forest to determine if the user has authenticated. It then builds a user claim using attributes located within AD and other attribute stores. *Attributes that are added to the claim are dependent on the attributes required by the partner.

is a member of AD forest that host the resources that the user in the partner organization wants to access

Relying Party ; it accepts and validates the claims contained in the token issued by the claims provider. It then issues a new token that is used by the resource to determine what access to grant the user from the partner organization.

Why do we configure the relying party trust on the AD FS server that functions as the claims provider server

Because a relying party trust means that a claims provider trusts a specific relying party. "Which resource server are we trusting" hence the key word "Relying Trust Party"

Why do we configure the claims provider trust on the Federation Server that functions as the "Relying Party"(Resource Server)

Because the claims provider trusts as a statement and means that a relying party trusts a specific claims provider. " Which account server are we trusting " hence the key word "Claims Provider"

How do we configure a certificate relationship?

#1.Using a 3rd party trusted CA, using an SSL Certificate #2.Configuring CA trusts between partners, we need to import the CA certificate of the partner organization's CA into the TRCA store directly of the AD FS Server, or through AutoEnrollment in Group Policy; and issue a certificate template from ADCS to secure the federation server endpoint

What certificates does AD FS use?

#1. Token-signing certificates-signs all tokens that it issues; the federation server that functions as the claims provider uses the token-signing certificate to verify its identity. The relying party uses the this ticket to verify it was issued by a trusted federation partner #2.Token-decrypting certificate- The public key from this certificate is used by the claims provider to encrypt the user token. When the relying party server receives the toke, it uses the private key to decrypt the user token.

Where can we configure the additional attribute stores besides ADDS, LDAP, or Custom?

#1.AD LDS #2.ADAM #3.SQL Server

Claims rules determine how AD FS servers consume claims and it supports two different types of claims rules, what are those?

#1.Relying Party Trust Claims Rules #2.Claims Provider Trust Claims Rules

Claims rules for a relying party trust determine how the claims about a user are forwarded to the relying party. What are the three types of relying party trust claim rules?

#1.Issuance Transformation Rules- determines how claims are sent to the relying party #2.Issuance Authorization Rules-determine which users have access to the relying party. #3.Delegation Authorization Rules- determines if users can act on behalf of other users when accessing the relying party

Claims provider trust claim rules are set up on the relying party, and determine?

how the relying party filters incoming claims

How does the AD FS proxy work?

They are deployed on the perimeter network as a way to increase security, clients communicate with the server, which then the ADFS Proxy Server communicates with the Internal Federation Server.

Give an example of the ADFS Proxy process?

The Proxy will forward authentication data from the client to the ADFS Claims Provider of the Federated Trust, and then the Claims Provider confirms the authentication and issues a token, which is relayed back through the proxy to the Relying Party AD FS Server, which also issues a new token that is sent back once more through the proxy to the original client. *The Proxy only forwards, and performs no authentication, and no generation of tokens.

Adds an attribute store to the Federation Service.

Add-AdfsAttributeStore

Adds a new certificate to AD FS for signing, decrypting, or securing communications.

Add-AdfsCertificate

Adds a claim description to the Federation Service.

Add-AdfsClaimDescription

Adds a new claims provider trust to the Federation Service.

Add-AdfsClaimsProviderTrust

Registers an OAuth 2.0 client with AD FS

Add-AdfsClient

Adds a custom UPN suffix.

Add-AdfsDeviceRegistrationUpnSuffix

Adds this computer to an existing federation server farm.

Add-AdfsFarmNode

Adds a relying party trust that represents a non-claims-aware web application or service to the Federation Service.

Add-AdfsNonClaimsAwareRelyingPartyTrust

Adds a new relying party trust to the Federation Service.

Add-AdfsRelyingPartyTrust

Adds a relying party trust for the Web Application Proxy.

Add-AdfsWebApplicationProxyRelyingPartyTrust

Marks the Device Registration Service as disabled on an AD FS server.

Disable-AdfsDeviceRegistration

Disables an endpoint of AD FS.

Disable-AdfsEndpoint

Exports the custom configuration of an external authentication provider to a file.

Export-AdfsAuthenticationProviderConfigurationData

Generates SQL scripts to create the AD FS database and to grant permissions.

Export-AdfsDeploymentSQLScript

Exports properties of all web content objects in a specific locale to a specified file.

Export-AdfsWebContent

cmdlet exports a web theme object to a folder. The cmdlet creates necessary folders that correspond to the web theme settings.

Export-AdfsWebTheme

cmdlet retrieves the global rules that govern all applications that trigger additional authentication providers to be invoked.

Get-AdfsAdditionalAuthenticationRule

cmdlet gets a list of all authentication providers currently registered in Active Directory Federation Services (AD FS).

Get-AdfsAuthenticationProvider

cmdlet retrieves web content objects for all authentication providers, or a specified authentication provider in a locale.

Get-AdfsAuthenticationProviderWebContent

cmdlet displays the global authentication policy, which includes the providers currently allowed as additional providers in the AdditionalAuthenticationProvider property.

Get-AdfsGlobalAuthenticationPolicy

cmdlet gets all global web content objects or the global web content object that corresponds to the locale that you specify.

Get-AdfsGlobalWebContent

cmdlet gets all the associated properties for the Active Directory Federation Services (AD FS) service.

Get-AdfsProperties

cmdlet gets web content objects for relying parties.

Get-AdfsRelyingPartyWebContent

cmdlet gets the host name, port, and certificate hash for all SSL bindings configured for Active Directory Federation Services (AD FS) and, if enabled, the device registration service.

Get-AdfsSslCertificate

cmdlet imports custom configuration for an authentication provider from a file.

Import-AdfsAuthenticationProviderConfigurationData

cmdlet creates a set of claim rules in Active Directory Federation Services

New-AdfsClaimRuleSet

cmdlet creates a contact person object in ADFS.

New-AdfsContactPerson

cmdlet creates a new information object for an organization in Active Directory Federation Services

New-AdfsOrganization

cmdlet creates a Security Assertion Markup Language (SAML) protocol endpoint object.

New-AdfsSamlEndpoint