Using Windows Azure for Solving Identity Management Challenges
About Me
Michael S. Collier
National Architect, Windows Azure
@MichaelCollier
www.MichaelSCollier.com
http://www.slideshare.net/buckeye01
Traditional Identity Management
• Windows Integrated Authentication (Active Directory)
• Membership Provider
• Proven Approach
• Leverage Windows Identity Foundation (WIF)
We Have a Problem
• No Active Directory
• Environment not under our physical control
• Disconnected from the enterprise (potentially)
Windows Azure Connect
• Secure network connectivity between on-premises and cloud.
• Hybrid apps access to on-premises servers
  – App access to SQL Server
  – Role domain-joined to AD
• Setup & management
[Diagram: Enterprise (Databases, Dev machines) connected through the Windows Azure Connect Relay to Windows Azure Role A, Role B and Role C (multiple VMs)]
Image courtesy Windows Azure Platform Training Kit
Windows Azure Virtual Network
[Diagram: Corp Network (IIS Servers, AD / DNS, SQL Servers, S2S VPN Device) connected over a Site-to-Site VPN Tunnel to Windows Azure (IIS Servers, SQL Servers)]
Image courtesy of the Windows Azure Training Kit
Currently in Preview
Options
• Social Networks
  – They change . . . often
  – The right one?
  – Another?
  – More work!
• Membership Provider
  – SQL Azure
  – Table Storage
  – Pros
    • Mostly known entity
    • Migrate existing data
  – Cons
    • User management
    • Security leak
    • New
[Logos shown: Windows Live ID, Yahoo!]
Windows Azure Access Control Service
• No need to build your own identity management solution.
• Authenticate (WIF – OAuth and WS-Federation)
• Claims-based authorization
• Multiple Identity Providers (ADFSv2, Google, Live ID, etc.)
• Ability to bring your own via membership
• One to rule them all!
• Easy for your users
Key ACS Concepts
• Relying Party (RP): Web application that outsources authentication to an authority it trusts. The RP is your app.
• Identity Provider (IP): Authenticates users and issues tokens.
• Token: Digitally signed security data issued after the user has authenticated. Used to gain access to the RP (your app).
• Claim: Attributes about the authenticated user (age, birthdate, email address, name, etc.)
• Federation Provider: Intermediary between the RP and IP. ACS is a Federation Provider.
• STS: Security Token Service – issues tokens containing claims. ACS is an STS.
Authentication Workflow
[Diagram: Browser, Identity Provider, Access Control and Application exchanging the numbered messages below]
1. Request Resource
2. Redirect to Identity Provider
3. Login
4. Authenticate & Issue Token
5. Redirect to AC service
6. Send Token to ACS
7. Validate Token, Run Rules Engine, Issue Token
8. Redirect to RP with ACS Token
9. Send ACS Token to Relying Party
10. Validate Token
11. Return resource representation
Courtesy Windows Azure Boot Camp
DEMO: Getting Started with ACS
Claims Enrichment
• Identity Providers only provide a few claims
  – Windows Live provides just one (Name Identifier)
  – Google and Yahoo! provide three (email, name, name identifier)
  – Facebook
  – ADFSv2
• Add more claims that are known to your application
  – ClaimsAuthenticationManager
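The enrichment step the slide names, written out as an added example (not code from the deck or from Michael Collier): a WIF 1.0 `ClaimsAuthenticationManager` that runs after WIF has validated the ACS token and adds claims the application knows about. The class name `EnrichingClaimsAuthenticationManager`, the namespace `AcsDemo.Identity`, the claim type URI and the `LookupCustomerTier` store are all assumptions for illustration; the lookup is keyed on the name identifier because, as the slide notes, it is the one claim every provider supplies.

```csharp
// Added example (not from the deck): enrich the incoming ACS principal with
// application-known claims using WIF 1.0's ClaimsAuthenticationManager.
using System;
using Microsoft.IdentityModel.Claims;

namespace AcsDemo.Identity   // hypothetical namespace
{
    public class EnrichingClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        // Hypothetical application-private claim type; any URI the app owns works.
        private const string TierClaimType = "http://schemas.example.com/claims/customertier";
        private const string Issuer = "AcsDemo";

        // Called once per authenticated request (once per session when the WIF
        // session cookie is in use, because the enriched claims are stored in it).
        public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
        {
            // Unauthenticated requests pass through untouched.
            if (incomingPrincipal == null || incomingPrincipal.Identity == null
                || !incomingPrincipal.Identity.IsAuthenticated)
            {
                return incomingPrincipal;
            }

            IClaimsIdentity identity = (IClaimsIdentity)incomingPrincipal.Identity;

            // Key the lookup on nameidentifier, which every ACS identity provider issues,
            // never on a mutable or user-editable claim such as email or display name.
            string nameId = FindClaimValue(identity, ClaimTypes.NameIdentifier);
            if (string.IsNullOrEmpty(nameId))
            {
                return incomingPrincipal;
            }

            string tier = LookupCustomerTier(nameId);

            // Claims added here carry the application as issuer so later authorization
            // code can tell them apart from claims that came from ACS or the IP.
            identity.Claims.Add(new Claim(TierClaimType, tier, ClaimValueTypes.String, Issuer));
            if (tier == "gold")
            {
                identity.Claims.Add(new Claim(ClaimTypes.Role, "PremiumUser", ClaimValueTypes.String, Issuer));
            }
            return incomingPrincipal;
        }

        private static string FindClaimValue(IClaimsIdentity identity, string claimType)
        {
            foreach (Claim c in identity.Claims)
            {
                if (string.Equals(c.ClaimType, claimType, StringComparison.Ordinal))
                {
                    return c.Value;
                }
            }
            return null;
        }

        // Constructed placeholder for the application's own user store (SQL Azure,
        // Table Storage, ...); unknown users get the least-privileged tier.
        private static string LookupCustomerTier(string nameId)
        {
            return "standard";
        }
    }
}

// Register it in web.config so WIF invokes it on every authenticated request:
//   <microsoft.identityModel>
//     <service>
//       <claimsAuthenticationManager
//           type="AcsDemo.Identity.EnrichingClaimsAuthenticationManager, AcsDemo" />
//     </service>
//   </microsoft.identityModel>
```

Because the WIF session module serialises the enriched principal into the session cookie, a change in the user store is not seen until the session is re-established; if tier or role changes must take effect immediately, look the value up in the authorization check instead of caching it as a claim.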
DEMO: Claims Enrichment
Tips & Tricks
• WIF relies on the web.config file
• URLs related to the site are set in the web.config . . . can’t change
• Problematic for staging deployments – don’t know the URL until deployed
• Add logic to WebRole’s OnStart() to update the WIF settings in web.config
  – Read in configuration settings from .cscfg
  – Update and save the web.config
  – Changing .cscfg settings can cause a role recycle . . . causing web.config to update
Tips & Tricks
• Staging vs. Production
  – WIF configuration in web.config
  – Staging URL unknown until deployment
  – Change WIF configuration in web.config during role startup
See Vittorio Bertocci’s blog post at http://blogs.msdn.com/b/vbertocci/archive/2011/05/31/edit-and-apply-new-wif-s-config-settings-in-your-windows-azure-webrole-without-redeploying.aspx
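The startup rewrite described on the two slides above, as an added example (not the deck's code and not the code from Vittorio Bertocci's post): a `WebRole.OnStart()` that reads the realm from the .cscfg, rewrites the WIF `wsFederation` and `audienceUris` elements in web.config, and forces a role recycle whenever a configuration setting changes so the rewrite runs again. The setting name `Wif.Realm`, the site name `Web` in ServiceDefinition.csdef (IIS names it `<instance id>_Web`), and the use of `Microsoft.Web.Administration` to find the site's physical path are assumptions; writing to web.config also requires the role to run with `<Runtime executionContext="elevated" />`.

```csharp
// Added example (not from the deck): update WIF's realm/reply/audience settings in
// web.config from .cscfg values during role startup.
using System;
using System.IO;
using System.Linq;
using System.Xml.Linq;
using Microsoft.Web.Administration;          // assumption: referenced with CopyLocal = true
using Microsoft.WindowsAzure.ServiceRuntime;

public class WebRole : RoleEntryPoint
{
    private const string RealmSetting = "Wif.Realm";   // hypothetical .cscfg setting name

    public override bool OnStart()
    {
        // Cancelling the change forces a recycle, so OnStart reruns and rewrites
        // web.config with the new values (the "role recycle" the slide mentions).
        RoleEnvironment.Changing += (sender, e) =>
        {
            if (e.Changes.OfType<RoleEnvironmentConfigurationSettingChange>().Any())
            {
                e.Cancel = true;
            }
        };

        UpdateWifConfiguration();
        return base.OnStart();
    }

    private static void UpdateWifConfiguration()
    {
        string realm = RoleEnvironment.GetConfigurationSettingValue(RealmSetting);

        // Refuse anything that is not an absolute https URL: the realm becomes the
        // audience WIF accepts tokens for and the reply address ACS redirects to.
        Uri realmUri;
        if (!Uri.TryCreate(realm, UriKind.Absolute, out realmUri)
            || realmUri.Scheme != Uri.UriSchemeHttps)
        {
            throw new InvalidOperationException("Setting " + RealmSetting + " must be an absolute https URL.");
        }

        string webConfigPath = Path.Combine(GetSitePhysicalPath(), "web.config");
        XDocument doc = XDocument.Load(webConfigPath);

        XElement service = doc.Root.Element("microsoft.identityModel").Element("service");
        XElement wsFed = service.Element("federatedAuthentication").Element("wsFederation");
        wsFed.SetAttributeValue("realm", realm);
        wsFed.SetAttributeValue("reply", realm);

        // Replace the audience list so a stale staging URL is not left as a valid audience.
        XElement audienceUris = service.Element("audienceUris");
        audienceUris.RemoveNodes();
        audienceUris.Add(new XElement("add", new XAttribute("value", realm)));

        doc.Save(webConfigPath);
    }

    private static string GetSitePhysicalPath()
    {
        // Assumption: the <Site name="Web"> from ServiceDefinition.csdef.
        using (ServerManager server = new ServerManager())
        {
            string siteName = RoleEnvironment.CurrentRoleInstance.Id + "_Web";
            return server.Sites[siteName].Applications["/"].VirtualDirectories["/"].PhysicalPath;
        }
    }
}
```

The realm written here must match the realm registered for the relying party in the ACS portal, and because the audience list is replaced rather than appended, a single package can be promoted from staging to production with only the .cscfg value changing.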
Tips & Tricks
• Cookie Encryption
  – DPAPI used to protect cookies sent to the client.
  – DPAPI not supported in Windows Azure
  – Use RsaEncryptionCookieTransform to encrypt with the same cert used for SSL.
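The cookie-transform swap the slide recommends, as an added example (not the deck's code): a `Global.asax.cs` handler for `FederatedAuthentication.ServiceConfigurationCreated` that replaces WIF's default DPAPI-protected session cookie with deflate, RSA encryption and RSA signature transforms keyed by the service certificate. It assumes the `<serviceCertificate>` element in web.config points at the SSL certificate deployed to every instance of the role.

```csharp
// Added example (not from the deck): protect the WIF session cookie with the role's
// service certificate instead of DPAPI, so every instance can read cookies issued
// by any other instance.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

public class Global : System.Web.HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        // Raised once when WIF builds its configuration; hook it before any request runs.
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
    }

    private static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        // The cert comes from <serviceCertificate> in web.config (assumed to be the SSL cert).
        X509Certificate2 cert = e.ServiceConfiguration.ServiceCertificate;
        if (cert == null || !cert.HasPrivateKey)
        {
            // Fail closed: without a private key the cookie could be written but never read back.
            throw new InvalidOperationException(
                "A service certificate with a private key is required to protect session cookies.");
        }

        // Order matters: compress first, then encrypt, then sign the ciphertext so a
        // tampered cookie is rejected before any decryption is attempted.
        List<CookieTransform> transforms = new List<CookieTransform>
        {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(cert),
            new RsaSignatureCookieTransform(cert)
        };

        SessionSecurityTokenHandler handler = new SessionSecurityTokenHandler(transforms.AsReadOnly());
        e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(handler);
    }
}
```

DPAPI keys are per machine, so a cookie written by one web role instance is unreadable by the next instance the load balancer picks; the certificate is identical on every instance of the role, which is why the slide suggests reusing the SSL certificate rather than provisioning a second one.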
Tips & Tricks
• Change request validation
  – Use ASP.NET 2 request validation
  – Custom validator
Source: http://social.technet.microsoft.com/wiki/contents/articles/1725.windows-identity-foundation-wif-a-potentially-dangerous-request-form-value-was-detected-from-the-client-wresult-t-requestsecurityto.aspx
Tips & Tricks
• Development Certificate
• Customize the login experience
• User registration
• Require authentication for only part of the site
Gotchas
• Single sign-out not currently supported
  – Provide a sign-out link for the specific Identity Provider
• Windows Azure co-admin cannot administer an ACS namespace
  – Add Live ID, WAAD, Google, etc.
• WIF not installed on Windows Azure roles
  – Microsoft.IdentityModel CopyLocal = true
  – Install WIF via a startup task (recommended)
The Impact for Mobile Applications
• Social Networks – Important
  – Users likely already have at least one
  – Quick and easy signup
  – Potential for rapid user base expansion
• NuGet package available for easy add to WP application
  – Install-Package Phone.Identity.AccessControl.BasePage
DEMO: Enable ACS on Your Windows Phone Application
Windows Azure Active Directory
• Extends AD into the cloud
• Primarily for cloud applications
• Connect from any device and platform
  – RESTful access to the directory
  – XML or JSON
• Social providers or organizations
• Can sync or federate on-premises AD to the cloud
• Currently need Office 365
• WAAD is in Developer Preview mode – tread lightly.
Summary
• Traditional identity management in the cloud is hard
  – Many external islands of identity
  – Current technology hard or not interoperable
• ACS provides a standards-based approach
  – Integrates with Windows Identity Foundation
  – Claims-based authorization
  – Built-in support for ADFSv2, Google, Live ID, Yahoo!, & Facebook
• Enrich functionality using WIF
• OData API and portal for management
Resources
• Windows Azure ACS Guide – http://www.windowsazure.com/en-us/develop/net/how-to-guides/access-control/#config-trust
• Programming Windows Identity Foundation, Vittorio Bertocci
• “Claims-Based Authorization with WIF”, Michele Bustamante – http://msdn.microsoft.com/en-us/magazine/ee335707.aspx
• ACS Cheat Sheet – http://bit.ly/ACSCheatSheet
• ACS How To’s – http://bit.ly/ACSHowTo
• ACS Tips – http://bit.ly/HYhxjY
• Publishing an ACS v2 Federated Identity Web Role – http://bit.ly/HPT6rk
How to Get Started
• WindowsAzure.com – 90 days free! http://bit.ly/MikeAzureTrial
• Activate MSDN benefits
• Install SDK via Web PI
• Windows Azure Training Kit
• Windows Azure Developer Center
Q & A
Ask your questions