Using Windows Azure for Solving Identity Management Challenges
Download as PPTX, PDF4 likes5,496 views
Using Windows Azure for Solving Identity Management Challenges discusses various Windows Azure identity management solutions including Mobile Services, Access Control Service (ACS), and Windows Azure Active Directory. Mobile Services allows adding identity providers via portal configuration and code. ACS provides federated identity authentication and claims-based authorization. Windows Azure Active Directory extends an on-premises Active Directory to the cloud and allows querying user objects via a REST API.
Using Windows Azure for Solving Identity Management Challenges
- 1. Using Windows Azure for Solving Identity Management Challenges Michael S. Collier
- 2. Michael S. Collier • Principal Cloud Architect, Aditi • [email protected] • @MichaelCollier • www.MichaelSCollier.com
- 5. What We’re Talking About • Identity - Current State and in The Cloud • Windows Azure solutions • Mobile Services • Access Control Service (ACS) • Windows Azure Active Directory 6
- 6. Who Are You? • Personalization • Business Rules • Functionality / Features 7
- 7. Traditional Identity Management • IT Pro – controls the known world • Developers – blissfully ignorant? 8 AD SQL My Enterprise LOB App
- 8. Cloud . . . A New Challenge • Move the application & data • Islands of identity • Outside of “traditional” IT world • External users / partners • BYOD • Developers ignorant no more • Developers + IT Pros 9
- 9. 10 Windows Azure Options Mobile Services Active Directory Access Control Service (ACS) Server Active Directory AD w/ DirSync
- 10. Mobile Services • Goal – easily build cloud-powered mobile apps • Built-in support for multiple social identity providers 11 private async System.Threading.Tasks.Task Authenticate() { while (user == null) { string message; try { user = await App.MobileService.LoginAsync(MobileServiceAuthenticationProvider.Twitter); message = string.Format("You are now logged in - {0}", user.UserId); CurrentUser.Text = "Welcome, " + App.MobileService.CurrentUser.UserId; } catch (InvalidOperationException) { message = "You must log in. Login Required"; } var dialog = new MessageDialog(message); dialog.Commands.Add(new UICommand("OK")); await dialog.ShowAsync(); } } Facebook Google MicrosoftAccount Twitter
- 12. Authentication • Microsoft Account, Facebook, Twitter, and Google • OAuth • Does not use Windows Azure ACS
- 13. Authentication • Microsoft Account – Use the Live SDK • Tight integration with Windows Live services
- 14. More Mobile Services? • Programming Windows Azure Mobile Services • Jason Farrell • Wednesday at 10:30am • Portia 15
- 15. Access Control Service (ACS) • Federated identity/authentication service • Google, Microsoft Account, Yahoo!, ADFS v2 • Bring your own membership • Claims-based authorization • Browser based (302 redirect) • Focus on your app 16
- 16. DEMO TIME!!! Access Control Service (ACS)
- 17. ACS Tips • Enrich claims w/ a ClaimsAuthenticationManager • Update WIF settings in web.config in OnStart() • Web Farm Ready Cookies • Web Sites and Cloud Services • DPAPI not supported in Windows Azure • Provide sign-out link for identity providers • Azure co-admin can’t admin ACS namespace 31
- 18. Windows Azure Active Directory • Internet scale, multi-tenant directory service • Directory store for Office 365 • Extend Windows Server AD to the cloud • Directory & identity services w/o need for Windows Server AD 32 Active Directory O365 Account Portal Intune Account Portal Windows Azure Mgmt Portal Azure AD PowerShell cmdlets
- 19. Windows Azure Active Directory • Multi-tenant “directory-as-a-service” • NOT a cloud version of Windows Server AD 33 Image Source: http://technet.microsoft.com/en-us/library/jj573650.aspx
- 20. Windows Azure Active Directory 34 Windows Azure Management Portal REST API SAML-P O-Auth WS-Federation Integration / Management Endpoints Windows Azure Active Directory
- 21. Windows Azure Active Directory 35 Integration / Management Endpoints
- 22. Windows Azure Active Directory • What’s in the directory? • Everything is an object • Types: User, Group, Role, Application, Device, etc. 36
- 23. WAAD Graph Response <?xml version="1.0" encoding="utf-8"?> <feed xml:base="https://graph.windows.net/collierdemo.onmicrosoft.com/" xmlns="http://www.w3.org/2005/Atom" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:georss="http://www.georss.org/georss" xmlns:gml="http://www.opengis.net/gml"> <id>https://graph.windows.net/11271159-abc8-4e0e-b3c2-c2a0858a036b/directoryObjects/$/Microsoft.WindowsAzure.ActiveDirectory.User</id> <title type="text">Microsoft.WindowsAzure.ActiveDirectory.User</title> <updated>2013-03-21T00:58:34Z</updated> <link rel="self" title="Microsoft.WindowsAzure.ActiveDirectory.User" href="Microsoft.WindowsAzure.ActiveDirectory.User" /> <entry> <id>https://graph.windows.net/11271159-abc8-4e0e-b3c2-c2a0858a036b/directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6</id> <category term="Microsoft.WindowsAzure.ActiveDirectory.User" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" /> <link rel="edit" title="User" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User" /> <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/manager" type="application/atom+xml;type=entry" title="manager" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/manager" /> <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/directReports" type="application/atom+xml;type=feed" title="directReports" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/directReports" /> <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/members" type="application/atom+xml;type=feed" title="members" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/members" /> <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/memberOf" type="application/atom+xml;type=feed" title="memberOf" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/memberOf" /> <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/permissions" type="application/atom+xml;type=feed" title="permissions" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/permissions" /> 37
- 24. WAAD Graph Response 38 <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/edit-media/thumbnailPhoto" title="thumbnailPhoto" href="directoryObjects/23dc9514-64ec- 4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/thumbnailPhoto" /> <m:action metadata="https://graph.windows.net/michaelcollier.onmicrosoft.com/$metadata#DirectoryDataService.assignLicense" title="assignLicense" target="https://graph.windows.net/collierdemo.onmicrosoft.com/directoryObjects/23dc9514-64ec-4c94-8f03- 4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/assignLicense" /> <content type="application/xml"> <m:properties> <d:objectType>User</d:objectType> <d:objectId>23dc9514-64ec-4c94-8f03-4edf9016b2a6</d:objectId> <d:accountEnabled m:type="Edm.Boolean">true</d:accountEnabled> <d:assignedLicenses m:type="Collection(Microsoft.WindowsAzure.ActiveDirectory.AssignedLicense)" /> <d:assignedPlans m:type="Collection(Microsoft.WindowsAzure.ActiveDirectory.AssignedPlan)" /> <d:city m:null="true" /> <d:displayName>Michael Collier</d:displayName> <d:givenName>Michael</d:givenName> <d:mailNickname>michael</d:mailNickname> <d:mobile>+1 6142883146</d:mobile> <d:otherMails m:type="Collection(Edm.String)"> <d:element>[email protected]</d:element> </d:otherMails> <d:userPrincipalName>[email protected]</d:userPrincipalName> </m:properties> </content> </entry> </feed> * Some elements removed for readability.
- 25. Graph API Helpers • REST interface for WAAD • Graph Explorer: https://graphexplorer.cloudapp.net/ • AAD Helper: http://code.msdn.microsoft.com/Windows- Azure-AD-Graph-API-a8c72e18 • Active Directory Authentication Library (ADAL) • https://www.nuget.org/packages/System.IdentityModel.Client s.ActiveDirectory/ • http://www.cloudidentity.com/blog/2013/08/02/aal-becomes- adal-active-directory-authentication-library/ • Formerly Azure Authentication Library (AAL) 39
- 26. WAAD Authentication • Authentication for cloud-based & native apps • Permissions • SSO, Read Data, Read & Write Data • Applies to the APPLICATION, not the user 40
- 27. DEMO TIME!!! Windows Azure AD – Single Sign-On, Web API, and Windows Store
- 28. WAAD and the Enterprise 59 AD SQL My Enterprise LOB App
- 29. WAAD and the Enterprise 60 • Passwords sync every 2 minutes • Users sync every 3 hours My Enterprise DirSync LOB App SQL
- 30. Where Does the Authentication Happen? 61 Portal PowerShell/ Directory GRAPH DirSync w/Cloud identities DirSync w/Password Sync DirSync w/SSO Target customer segment • Small • Small to Medium • Small/Medium • Small/Medium • Medium/Large Scenario supported • Least • Least • Some limitation • Some limitations • Most Directory Source of Authority • Cloud • Cloud • On-premises • On-premises • On-premises Hardware requirements • No additional hardware required • No additional hardware required • Windows Server OS for DirSync appliance • Windows Server OS for DirSync appliance • DirSync appliance • ADFS (or other STS) deployment IDP • Cloud • Cloud • Cloud • Cloud • On-premises User login experience • Disjoint username and password • Enter credentials twice • Disjoint username and password • Enter credentials twice • Same username, disjoint password • Enter credentials twice • Same username and password for on-prem and cloud • Enter credentials twice • Same username and password for on-prem and cloud • Login once if on- premises Complexity • Low • Medium • Low • Low • High Table Source: Microsoft Office 365 Directory and Access Management with Windows Azure Active Directory, Ross Adams & Jono Luk – TechEd NA 2013
- 31. DEMO TIME!!! Windows Azure Active Directory w/ DirSync
- 32. Going Further with Windows Azure AD • Multitenant applications • Leverage identity from other WAAD tenants • http://www.windowsazure.com/en- us/develop/net/tutorials/multitenant-apps-for-active- directory/ • Phone 2FA (Multi-Factor Authentication) • Additional administrative users • Username/pwd + text message code 63
- 33. Summary • Developers, Architects, & IT Pros work together • Mobile Services • Quickly add Identity Providers via portal config and code • ACS • Federated identity authentication • Claims-based authorization • Windows Azure AD • “Extends” Windows Server AD to the cloud • Query via REST graph API 64
- 34. Helpful Resources • Mobile Services • Handling Expired Tokens - http://www.thejoyofcode.com/Handling_expired_tokens_in_your_application_Day_11_.aspx • Carlos Figueira’s Blog - http://blogs.msdn.com/b/carlosfigueira/ • ACS • Cheat Sheet – http://bit.ly/ACSCheatSheet • How To’s – http://bit.ly/ACSHowTo • Tips – http://bit.ly/HYhxjY • Azure Active Directory • “Microsoft Office 365 Directory and Access Management with Windows Azure Active Directory”, Ross Adams & Jono Luk – TechEd NA 2013 • “Deep Dive into the Windows Azure Active Directory Graph API: Data Model, Schema, Query, and More”, Edward Wu – TechEd NA 2013 • Securing a Windows Store App and REST API using Windows Azure AD - http://msdn.microsoft.com/en-us/library/windowsazure/dn169448.aspx • Vittorio Bertocci’s Blog - http://www.cloudidentity.com/blog/ 65
- 36. Thank You! • Michael S. Collier • Principal Cloud Architect, Aditi • [email protected] • @MichaelCollier • www.MichaelSCollier.com
- 38. August 11th – 13th 2014 Same Place, Same Time
Editor's Notes
- #3: Title slide for anyone looking to use this years logo.
- #4: Principal Cloud ArchitectWindows Azure MVPHelp customers nationwide with their Windows Azure projects. This can include architectural design sessions, training, development, evangelism, etc.Reach me via email, Twitter, or my blog.
- #5: Please take a brief opportunity and thank our platinum and gold sponsors. They have invested a lot of time and money into making That Conference the success it is.
- #8: Nearly every application asks at least one simple question – who are you?PersonalizationBusiness rules (access to specific areas / functionality)
- #12: MSFT Account – OAuth and integrated Windows Store app (SSO)
- #14: OAuthRenders the OAuth web interface for the selected provider.
- #15: Provide SSO for Windows 8 users
- #17: Mobile Services helps w/ mobile apps, but what about web apps. We can leverage ACS.Authorization – your responsibility; use provided claims and map to your business rules
- #33: With the somewhat more consumer offerings out of the way, let’s spend the rest of the time talking about enterprises.
- #35: Accessibility options
- #37: DirectoryObject is the base type for the following entity types: Application, Device,DirectoryLinkChange, Contact, Group, Role, ServicePrincipal, TenantDetail, and User.http://msdn.microsoft.com/en-us/library/windowsazure/jj134105.aspx
- #42: Simple SSO for web appWeb API and Windows Store App - AAL
- #62: Integration Options
- #63: Show AD server and VM in cloudShow WAAD dir integrationChange user password . . . Wait for syncShow demo app
- #64: Phone 2FA – formerly known as ‘Active Authentication’
- #68: Windows Azure National ArchitectWindows Azure MVPHelp customers nationwide with their Windows Azure projects. This can include architectural design sessions, training, development, evangelism, etc.Reach me via email, Twitter, or my blog.
- #70: At the end of your presentation we would be grateful if you could help us announce next years date.