Two Way Authentication with external IDPs

More and more web applications, such as Twitter, Facebook and Outlook.com, use a two-way authentication protocol to create a secure environment and make sure only the owner has access to their content.

Companies are also building two-way authentication systems so that users can access an application such as SharePoint from their home computers, or so that vendors can, and collaborate more on documents.

To establish a secure environment, some companies use a third-party IDP (Identity Provider). This has the advantage that the company does not need to create and manage its own IDP, with a whole new infrastructure, to serve its end users.

So how does an IDP work? It is quite simple to explain. An IDP is nothing more than a user database. A user logs in to a web application. The application does not recognise the user and redirects them to the IDP. The user logs in with their e-mail address and a password they created themselves. After this, the user receives a secondary password, sent to their mobile phone. When they fill in this password, they are able to enter the application.

Now you are logged in, but how does your application know who you are?
There are several possible solutions. I'll describe one of them here.

The user account is stored in an Active Directory and is disabled. So what is happening?
When a user logs on to the IDP, the IDP creates a SAML token and redirects you to the web application. This token is checked against UAG to see whether the user has the correct permissions; UAG gives an OK and redirects you again to an ADFS server. This ADFS server federates only with your web app, and in the web app the user is recognised by their e-mail address and gets access. To secure your session, UAG monitors your activity and marks your cookies as active. When there is inactivity, the user is automatically logged out and needs to rerun the authentication process.
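The flow above hands the web app a SAML token and later times the session out on inactivity. The added example below (not code from the original post, and not how UAG or ADFS are implemented) shows the checks a relying party should make before trusting such a token: that it comes from the expected IDP, is inside its validity window, was issued for this application, and carries an e-mail address as the subject. It then models the idle timeout. The IDP and application URLs, the sample response and the 15-minute limit are all constructed for the example. A real SAML response is XML-signed; verifying that signature is assumed to happen before this code runs and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Hypothetical identifiers for the IDP and the web app (constructed for this example).
IDP = "https://idp.example.invalid"
APP = "https://app.example.invalid"

# Constructed sample SAML 2.0 response. The XML signature a real IDP adds is
# omitted; signature verification is assumed to have already happened.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" Destination="https://app.example.invalid/acs">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.invalid</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.invalid</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://app.example.invalid</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(value):
    """Parse the UTC timestamp form SAML uses, e.g. '2024-01-01T12:00:00Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, now):
    """Return (email, None) if the assertion is acceptable, else (None, reason)."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, "response contains no assertion"
    # Only tokens from the IDP we federate with are accepted.
    if assertion.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return None, "assertion issued by an unexpected IDP"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return None, "assertion has no validity window"
    # NotBefore is inclusive, NotOnOrAfter is exclusive, per the SAML spec.
    if not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        return None, "assertion is outside its validity window"
    # A token minted for another application must not be accepted here.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return None, "assertion was issued for a different application"
    # The web app recognises the user by e-mail address, so require that format.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT or not name_id.text:
        return None, "subject is not an e-mail address"
    return name_id.text.strip().lower(), None


class IdleSession:
    """A session that expires after a period of inactivity, as the post describes."""

    def __init__(self, email, now, idle_limit=timedelta(minutes=15)):
        self.email = email
        self.last_activity = now
        self.idle_limit = idle_limit   # 15 minutes is an assumed value
        self.expired = False

    def touch(self, now):
        """Record activity; return True while valid, False once the idle limit is exceeded.
        An expired session stays expired: the user must authenticate again."""
        if self.expired or now - self.last_activity > self.idle_limit:
            self.expired = True
            return False
        self.last_activity = now
        return True


if __name__ == "__main__":
    now = parse_time("2024-01-01T12:00:00Z")
    email, problem = validate_assertion(SAMPLE_RESPONSE, IDP, APP, now)
    print("accepted:", email) if email else print("rejected:", problem)
    session = IdleSession(email, now)
    for stamp in ("2024-01-01T12:10:00Z", "2024-01-01T12:30:00Z"):
        print(stamp, "active" if session.touch(parse_time(stamp)) else "logged out")
```

Each rejection returns a reason rather than raising, so the web app can log why a token was refused; the audience and issuer checks are what stop a token issued for one application from being replayed against another.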

To make sure ADFS can sync the users against your web app, you don't want to add these users by hand in the Active Directory. You can use FIM (Forefront Identity Manager) from Microsoft to pull the users from the IDP into your AD.

[Figure: IDP Flow Chart]