Identity & Cloud Services
Vittorio Bertocci, Sr. Architect Evangelist, Microsoft Corporation

Uploaded by valentine-phelps on 29-Jan-2016 (Category: Documents)

TRANSCRIPT

Page 1: 2 Identity & Cloud Services Vittorio Bertocci Sr. Architect Evangelist Microsoft Corporation  Session Code: ARC302
Page 2:

Identity & Cloud Services

Vittorio Bertocci, Sr. Architect Evangelist, Microsoft Corporation
http://www.cloudidentity.net/

Session Code: ARC302

Page 3:

Agenda

• The Cloud
• Cloud & Identity
• Claims based Identity
• Identity.Biztalk.Net

Page 4:

What is the Cloud?

Page 5:

Once Upon a Time…

…if you needed electricity, you had to produce it yourself.

Page 6:

Then a New Idea Came Out…

…generate A LOT of electricity centrally, and have everybody tap from it

Page 7:

What is Cloud Computing

Evolution of hosting

Source: Forrester Research, “Is Cloud Computing Ready For The Enterprise?”, March 2008

Page 8:

Why Cloud Computing

S+S: Outsource functions to external services
The Cloud is “Platform as a Service”

Host your own resources “in the cloud”
• Storage, Workflows, Services…

Expose your on-premise services “in the cloud” for others to consume

Advantages
• No more IT headache
• Scale
• Reach
• Pay as you use

Page 9:

Everything in the Cloud from now on?

“…larger companies…can be expected to pursue a hybrid approach for many years, supplying some hardware and software requirements themselves and purchasing others over the grid. One of the key challenges for corporate IT departments, in fact, lies in making the right decisions about what to hold on to and what to let go.”

Nicholas Carr, “The Big Switch”

Page 10:

Microsoft Data Center in Chicago

• Cost: $500 million
• Size: 500,000 square foot facility (10 football fields)
• Container-based

FYI: Microsoft averages the deployment of 10000 new servers each month

Page 11:

Cloud & Identity

Page 12:

On-Premise Identity Management

Page 13:

Moving Assets to the Cloud

Page 14:

Identity & Cloud: Challenges & Opportunities

Opportunities
• Outsource aspects of identity management
• Manage relationships
• Offload credential management
• Automatic support for multiple technologies

Challenges
• Resources decentralization
• Investments in directory harder to ROI
• Forces true service orientation

Page 15:

Claims Based Identity

Page 16:

Claims Based Identity Management: Introduction

Traditionally
• Web authentication uses “pure credentials”
• “Intranet” authentication relies on info from well known authorities
• Different authentication technologies are isolated silos

Claims based identity changes all this by
• Merging credentials & subject information in a single artifact
• Negotiating authentication details on the fly via policies, open standards and trust relationships

When working with cloud resources we cannot afford any of these traditional limitations

Page 17:

Authentication in the Offline World

[Diagram; surviving labels: Browser, Web Server, Web Service, Authority, a claim “AGE: 36”, and the puzzled “?!” / “??” reactions of the parties that have no way to check it]

Page 18:

Tools of the Trade

Claims: statements about an entity (subject) made by an entity (issuer)

Tokens: signed XML fragments which transport credentials and claims about a subject

Security Token Service (STS): web service that issues security tokens

Page 19:

A Token

[Diagram, reconstructed from the slide labels]
  Claims collection:
    ClaimName1: Value1
    …
    ClaimNameN: ValueN
  S: Issuer’s signature over the claims, plus [optional] key material
  E: Encryption for the intended audience

Page 20:

The Canonical S-IP-RP Pattern

[Diagram, reconstructed from the slide labels: the Subject reads the Relying Party’s (RP) Policy, sends an RST to the Identity Provider (IP) and receives an RSTR carrying a SAML token, which it then presents to the RP]
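The token structure and the S-IP-RP exchange described on the last few slides, as a runnable illustration added here (it is not code from the deck, from Microsoft or from Identity.Biztalk.Net): an identity provider answers a token request (RST) with a signed token carrying a claims collection (the RSTR), and a relying party validates that token before using any claim in it. Assumptions made for the example: the token is a compact JSON payload rather than a signed XML/SAML fragment, the issuer signature is HMAC-SHA256 under a constructed shared key standing in for the issuer's signing certificate, the optional key material and the encryption-for-audience layer of the slide are not modelled, and every name (issuer and audience URLs, the subject, the Group claim) is made up.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. In a real deployment the IP signs with a private
# key and the RP verifies with the IP's certificate; the shared secret here
# is an assumption that keeps the example dependency-free.
TRUSTED_ISSUERS = {
    "https://idp.example.test": b"constructed-demo-key-do-not-reuse",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer, key, subject, audience, claims, lifetime=300, now=None):
    """IP/STS side: answer a request for a token (RST) with a signed token (RSTR).

    Issuer, subject, audience, validity window and the claims collection are
    all covered by the signature, so none of them can be altered in transit.
    """
    now = time.time() if now is None else now
    body = {
        "issuer": issuer,
        "subject": subject,
        "audience": audience,
        "nbf": int(now),
        "exp": int(now + lifetime),
        "claims": claims,          # e.g. {"Group": "domain users"}
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    signature = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(signature)


def validate_token(token, expected_audience, trusted_issuers, now=None):
    """RP side: verify the token and return its claims, or raise ValueError.

    Order matters: parse, find the issuer, confirm the issuer is trusted, check
    the signature with that issuer's key, and only then look at audience, time
    and claims. Claims from a token that fails any step must never be used.
    """
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        body = json.loads(payload)
        signature = _unb64(sig_b64)
    except ValueError as exc:              # covers bad base64 and bad JSON
        raise ValueError("malformed token") from exc

    key = trusted_issuers.get(body.get("issuer"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    if body.get("audience") != expected_audience:
        raise ValueError("token not intended for this relying party")
    if not (body["nbf"] <= now < body["exp"]):
        raise ValueError("token expired or not yet valid")
    return body["claims"]


def demo(now=1_000_000):
    """Walk the S-IP-RP pattern once, then show each RP check rejecting a bad token."""
    ip, rp = "https://idp.example.test", "https://rp.example.test"
    token = issue_token(ip, TRUSTED_ISSUERS[ip], "alice", rp,
                        {"Group": "domain users"}, now=now)

    def present(tok, audience=rp, at=now):
        try:
            return validate_token(tok, audience, TRUSTED_ISSUERS, now=at)
        except ValueError as exc:
            return str(exc)

    # A token from an issuer the RP has no trust relationship with.
    rogue = issue_token("https://rogue.example.test", b"rogue-key", "mallory", rp,
                        {"Group": "domain users"}, now=now)
    # The genuine token with one claim edited after signing.
    payload_b64, sig_b64 = token.split(".")
    forged = json.loads(_unb64(payload_b64))
    forged["claims"]["Group"] = "domain admins"
    forged_payload = json.dumps(forged, sort_keys=True, separators=(",", ":")).encode()
    tampered = _b64(forged_payload) + "." + sig_b64

    return {
        "valid": present(token),
        "wrong_audience": present(token, audience="https://other.example.test"),
        "expired": present(token, at=now + 600),
        "tampered": present(tampered),
        "untrusted_issuer": present(rogue),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>17}: {result}")
```

The order of checks in validate_token is the security-relevant part: the issuer is identified and its key selected before the signature is verified, the audience is compared so a token issued for one RP cannot be replayed at another, and the claims collection is handed back only after every check has passed. demo() runs the happy path and four rejections (wrong audience, expired, edited claim, unknown issuer).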

Page 21:

The R-STS Pattern

[Diagram, reconstructed from the slide labels: the Subject sends an RST to the IP and obtains a SAML token; it presents that token to the Claims Transformer (the R-STS), which has a Trust relationship with the IP, and receives a new SAML token that it presents to the RP, which in turn trusts the R-STS]

Page 22:

The R-STS as Point of Trust & Access Management

[Diagram, reconstructed from the slide labels: several IPs each hold a Trust relationship with an R-STS, and the Resources behind it trust only the R-STS]

Page 23:

The R-STS Pattern is Ideal for Cloud Providers

• Natural point of trust brokering with customers & partners
• Natural point of authorization evaluation & enforcement
• Resources are decoupled from the original credentials
• Use of standards
• Policy based dynamic negotiations

Page 24:

Example: Exposing a Service via an R-STS in the Cloud

Page 25:

Identity.Biztalk.Net

Page 26:

BizTalk Services: What is it

“BizTalk Labs provides early access to experimental connectivity and business process technologies”

• Connectivity: naming, firewall traversal, eventing
• Workflow: hosted workflows
• Identity

Page 27:

Identity.Biztalk.Net

The IBN is a rules-driven, federated, claims based access control system

In practice
• Every BTS.Net account gets a dedicated R-STS instance
• The claim transformation logic is driven by user defined rules
• Certain claims are evaluated directly into authorization decisions
• Claims, rules, recognized issuers & crypto can be managed both via web portal and via API

Page 28:

Rules, Trust & Credentials

[Diagram, reconstructed from the slide labels: users authenticate with Federated Credentials (U/P, LiveID, Personal Card, X509); the R-STS applies its Claims Transformation Rules and issues a SAML token; the ISV Resource, exposed through http://connect.biztalk.net/relay, publishes a Policy and holds a Trust relationship with the R-STS]

Page 29:

Rule Model

[Diagram, reconstructed from the slide labels]
  Claim Types: Username, Value, Resource#Operation
  Issuers: IBN/{username}, Live, <custom…>
  Rule: input (Source Issuer, claim type, value) -> output (claim type, value)
  Rules are evaluated by the account’s R-STS on Identity.biztalk.net

Page 30:

Management & Delegated Access

[Diagram, reconstructed from the slide labels: the Identity.biztalk.net account (issuer IBN/{username}) manages its Issuers, Rules and Scopes/Admins]

Page 31:

Example: voting application

[Diagram, reconstructed from the slide labels: a caller from FederatedIdentity.net, the R-STS Rules, and two operations, Vote For Phones and Vote For Laptops]

Rules
• If from FederatedIdentity.net && “Group” is “domain users”: can call VoteForPhones
• If from FederatedIdentity.net && “Group” is “domain users”: can call VoteForLaptops
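The rule model from the Rule Model slide and the two voting rules above, as an added example (not code from the deck, from Microsoft or from Identity.Biztalk.Net): a per-account R-STS holds a list of recognized issuers and rules whose input side is (source issuer, claim type, value) and whose output side is a claim; output claims of type Resource#Operation are evaluated directly into an authorization decision. The issuer names, the Group claim and the two operations come from the slides; the account name IBN/votingapp, the recognized-but-unused Live issuer, the Python data structures and the exact spelling of the output claim (type Resource#Operation, value the operation name) are assumptions made here.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Claim:
    """A statement (type, value) about the subject, made by an issuer."""
    claim_type: str
    value: str
    issuer: str


@dataclass(frozen=True)
class Rule:
    """Input side: (Source Issuer, claim type, value). Output side: (claim type, value)."""
    source_issuer: str
    in_type: str
    in_value: str
    out_type: str
    out_value: str


@dataclass
class ResourceSts:
    """One account's R-STS: its list of recognized issuers plus its rules."""
    name: str
    trusted_issuers: set = field(default_factory=set)
    rules: list = field(default_factory=list)

    def transform(self, incoming):
        """Claims transformer: map trusted input claims to output claims issued by this R-STS.

        Claims from issuers that are not recognized are discarded before any rule
        is consulted, so presenting the 'right' claim type and value from an
        unknown issuer cannot trigger a rule. Each rule is also bound to one
        source issuer, so a recognized issuer only drives the rules written for it.
        """
        trusted = [c for c in incoming if c.issuer in self.trusted_issuers]
        outputs = []
        for rule in self.rules:
            for claim in trusted:
                if (claim.issuer == rule.source_issuer
                        and claim.claim_type == rule.in_type
                        and claim.value == rule.in_value):
                    out = Claim(rule.out_type, rule.out_value, self.name)
                    if out not in outputs:
                        outputs.append(out)
        return outputs

    def can_call(self, incoming, operation):
        """Authorization decision: a Resource#Operation output claim names the operation."""
        return any(c.claim_type == "Resource#Operation" and c.value == operation
                   for c in self.transform(incoming))


def build_voting_sts():
    """The two rules from the voting example, expressed in the rule model above."""
    sts = ResourceSts(name="IBN/votingapp")   # constructed account name
    sts.trusted_issuers = {"FederatedIdentity.net", "Live"}
    for op in ("VoteForPhones", "VoteForLaptops"):
        sts.rules.append(Rule("FederatedIdentity.net", "Group", "domain users",
                              "Resource#Operation", op))
    return sts


def demo():
    """Constructed callers; returns the operations each one is allowed to call."""
    sts = build_voting_sts()
    cases = {
        # domain user from the federated partner: both rules fire
        "alice": [Claim("Group", "domain users", "FederatedIdentity.net")],
        # recognized issuer, but not a group any rule mentions
        "bob": [Claim("Group", "guests", "FederatedIdentity.net")],
        # right claim, unrecognized issuer: dropped before the rules run
        "mallory": [Claim("Group", "domain users", "https://evil.example.test")],
        # recognized issuer, but the rules are scoped to FederatedIdentity.net
        "live-user": [Claim("Group", "domain users", "Live")],
    }
    return {who: sorted(c.value for c in sts.transform(claims))
            for who, claims in cases.items()}


if __name__ == "__main__":
    for who, ops in demo().items():
        print(f"{who:>10}: {ops or 'no access'}")
```

Two properties are worth checking in any rule engine of this shape: an issuer outside the trust list must not be able to satisfy a rule no matter what claims it presents, and a rule written for one source issuer must not fire on the same claim from a different recognized issuer. demo() exercises both alongside the happy path.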

Page 32:

Identity.Biztalk.Net demo

Page 33:

Summary

• The shift toward the Cloud drives toward a utility model
• The Cloud can simplify identity & access management
• The claims based approach supports on-premise, cloud and hybrid scenarios
• Identity.Biztalk.Net provides a nice testbed for those ideas

Page 34:

Q & A

Page 35:

Call to Action

• Familiarize yourself with claims based identity
• Experiment with Lab.Biztalk.Net
• Stay tuned for PDC!

Page 36:

Resources

www.microsoft.com/teched: Tech·Talks, Tech·Ed Bloggers, Live Simulcasts, Virtual Labs

http://microsoft.com/technet
Evaluation licenses, pre-released products, and MORE!

http://microsoft.com/msdn
Developer’s Kit, Licenses, and MORE!

Page 37:

Related Content

Breakout Sessions
• SOA308 “Zermatt” Developer Framework: Putting Authentication Code in its Place
• SOA205 Extending the Application Platform with Cloud Services
• ARC203 Understanding Software-Plus-Services: A Perspective

Page 38:

Related Content

Biztalk.NET:
• http://labs.biztalk.net
• http://blogs.msdn.com/justinjsmith/
• http://blogs.msdn.com/clemensv

Identity:
• www.identityblog.com
• http://blogs.msdn.com/vbertocci

Issue #16 of the Architecture Journal: http://msdn.microsoft.com/en-us/arcjournal/

Page 39:

Please complete an evaluation

Page 40:

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.