ad-assurance - [AD-Assurance] Kantara & Microsoft
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: "Capehart,Jeffrey D" <>
- To: "" <>
- Subject: [AD-Assurance] Kantara & Microsoft
- Date: Fri, 3 May 2013 21:58:28 +0000
1. Microsoft was among several vendors who passed the “Liberty Alliance” SAML 2.0 testing in 2009. They passed “IDP Lite” level.
2. Liberty Alliance is now the Kantara Initiative.
3. Kantara has links to documents that show ADFS is Microsoft’s product to use.
4. Microsoft has a configuration guide and “Authentication Mechanism Assurance for AD DS in Windows Server R2 Step-by-step” guide.
5. Microsoft has a few requirements for using the “Authentication Mechanism.”
6. Microsoft AD FS also received Common Criteria EAL4 certification, but the evaluation excluded AD DS from the scope.

Requirements for authentication mechanism assurance

To complete all the steps in this guide, you must first complete all the steps in the AD FS in Windows Server 2008 R2 Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=133009). However, it should be possible to complete the first three steps in this guide using a different, but compatible, configuration that meets the following minimum requirements:
Microsoft –

Microsoft Active Directory Federation Services (AD FS) 2.0 enables Active Directory to be an identity provider in the claims based access platform. AD FS provides end users with a single sign-on experience across applications, platforms and organizations and simplifies identity management for IT Pros. AD FS 2.0 is part of the Windows Server platform, and supports both on-premises and cloud solutions.

Note from Common Criteria EAL4 evaluation on AD FS 2.0: http://www.commoncriteriaportal.org/files/epfiles/ADFS_ST.pdf

AD FS does not authenticate the user; all authentication activities are passed on to the attribute store (AD DS in most cases) to be authenticated prior to generating claims and providing authorized access to protected resources. AD FS is tightly integrated with AD DS. AD FS retrieves user attributes and authenticates users against AD DS. AD FS also uses Windows Integrated Authentication and security tokens that AD DS creates.
The NIAP validation report on Server 2008 R2 includes AD Domain Services as one of several “server roles”. http://www.niap-ccevs.org/st/st_vid10390-vr.pdf

3.2 Software Capabilities

Starting with Windows Server 2008, the server operating system was split into multiple server roles, with each server role providing different services and capabilities. This componentization simplifies administration and also reduces the attack surface of Windows Server by enabling the administrator to install only the specific binaries needed onto a machine to fulfill its role.

SEE PAGE 15 FOR DESCRIPTION OF CLAIMS REGARDING FIPS 140-2 COMPLIANCE:
1.4 ST Overview and Organization

The Windows 7 and Windows Server 2008 R2 TOE is a general-purpose, distributed, network OS that provides controlled access between subjects and user data objects. The Windows 7 and Windows Server 2008 R2 TOE has a broad set of security capabilities including
- single network logon (using password or smart card)
- access control and data encryption
- extensive security audit collection
- host-based firewall and IPSec to control information flow
- public key certificate service
- built-in standard-based security protocols such as
  - Kerberos
  - Transport Layer Security (TLS)/Secure Sockets Layer (SSL)
  - Digest
  - Internet Key Exchange (IKE)/IPSec
- Light-weight Directory Access Protocol (LDAP) Directory-based resource management
- FIPS-140 validated cryptography
Jeff Capehart, CISA |