Article Author: Jonathan Hassell
Providing Web SSO and Identity Federation Solutions Using Active Directory Federation Services
(This was talk SVR322)
Allowing external employees (of business partners, vendors, or other suppliers) to access resources within your realm of control, or at least doing so securely, is a task of significant managerial expense. The cost of provisioning accounts, managing access, decommissioning inactive resources, and thoroughly and regularly examining the integrity of such access can be reduced by using Active Directory Federation Services (ADFS), a web single sign-on and identity management solution. ADFS works by creating trusts between federation servers that take "claims" about a user’s identity and exchange trusted security tokens. Thus, when an employee of Company A tries to access a site on Company B’s network, he is directed to his own internal federation server, which provides him with the tokens and claims needed to satisfy the authentication requirements of Company B’s servers. The federated process requires minimal additional configuration on the live machines; most of the work happens on the back end. While the initial configuration of the federation servers takes some effort, the per-partner cost decreases as more business partners are added to the federated system.
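To make the claims-and-tokens flow concrete, here is a small added simulation of the exchange described above. It is not ADFS code and not part of the original article: Company A's federation server issues a signed token carrying claims about the user, and Company B's relying party accepts it only if the issuer is trusted, the signature verifies, the token is addressed to that relying party, and it has not expired. The issuer URLs, shared key and group name are constructed for the example; real ADFS uses SAML/WS-Federation or JWT tokens signed with X.509 certificates rather than the HMAC-signed JSON used here to keep the model self-contained.

```python
"""Simplified model of a claims-based federation exchange (constructed example,
not ADFS's actual protocol). HMAC-signed JSON stands in for certificate-signed
SAML/JWT tokens so the whole flow runs offline."""
import base64
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenRejected(Exception):
    """Raised by the relying party when a presented token fails any check."""


def issue_token(issuer, signing_key, subject, claims, audience, now, ttl_seconds=300):
    """Company A's federation server: bind claims about the user to this issuer,
    this audience (Company B's site) and a short validity window, then sign."""
    payload = {"iss": issuer, "sub": subject, "aud": audience,
               "iat": now, "exp": now + ttl_seconds, "claims": claims}
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(signing_key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def validate_token(token, trusted_issuers, expected_audience, now):
    """Company B's relying party: the federation trust is the table of issuers
    whose keys we accept; everything else is checked before claims are used."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = _unb64(body_b64)
        payload = json.loads(body)
    except ValueError:
        raise TokenRejected("malformed token")
    key = trusted_issuers.get(payload.get("iss"))
    if key is None:
        raise TokenRejected("issuer not trusted")
    expected_sig = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _unb64(sig_b64)):
        raise TokenRejected("bad signature")
    if payload.get("aud") != expected_audience:
        raise TokenRejected("token not intended for this relying party")
    if now >= payload["exp"]:
        raise TokenRejected("token expired")
    return payload


def is_accepted(token, trusted_issuers, expected_audience, now):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        validate_token(token, trusted_issuers, expected_audience, now)
        return True
    except TokenRejected:
        return False


def authorize(payload, required_group):
    """Access decision made on the federated claims, with no local account."""
    return required_group in payload["claims"].get("groups", [])


# Constructed sample values for the walk-through.
ISSUER_A = "https://fs.companya.example"
PORTAL_B = "https://portal.companyb.example"
KEY_A = b"constructed-shared-key-not-for-real-use"
TRUSTED_AT_B = {ISSUER_A: KEY_A}  # Company B's configured federation trust
NOW = 1_700_000_000


def demo():
    """Alice (Company A) reaches Company B's portal with a token from her own
    federation server; returns the authorization outcome."""
    token = issue_token(ISSUER_A, KEY_A, "alice@companya.example",
                        {"groups": ["partner-portal-users"]}, PORTAL_B, NOW)
    payload = validate_token(token, TRUSTED_AT_B, PORTAL_B, NOW + 10)
    return authorize(payload, "partner-portal-users")


if __name__ == "__main__":
    print("access granted" if demo() else "access denied")
```

The relying party never looks up Alice in its own directory; the only provisioning step on Company B's side is adding Company A's issuer and key to the trust table, which is why the per-partner cost falls as the federation grows.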
Security Policies? Ugh, Just Give Me a Firewall
(This was talk SEC325)
Most organizations assume that having and acting on a security policy is axiomatic, and such companies never ask themselves, "Why have a policy?" In this talk, Steve Riley, one of Microsoft’s infamous security experts, explained that policies that don’t consider their effects on users are doomed to fail; one must offer a satisfying explanation to placate those who will come up against a security barrier so that they won’t see protective measures as needless and stupid. A successful, well-written, accessible, and thorough security policy both identifies and makes an official statement about the value of the information contained within the company’s network.