Using Windows Azure for Solving Identity Management Challenges


Identity management for cloud-deployed applications can be a challenge. Often users want to sign in with an existing social network or corporate identity, which leaves the application dealing with multiple identity-provider APIs, updates to those APIs, and the addition of new providers. Windows Azure Access Control Service (ACS) offers a better way: it federates user authentication across popular social networks and Active Directory, so the application trusts a single token issuer instead of every provider. In this session we'll provide a crash course in claims as they relate to identity management, discuss why claims are important and how to add claims beyond those supplied by the identity providers, and demonstrate how to configure ACS for development as well as production environments. We'll wrap up by showing how to bring your new-found love of claims and ACS to your mobile applications as well.

  • About me: Windows Azure National Architect and Windows Azure MVP. I help customers nationwide with their Windows Azure projects, including architectural design sessions, training, development and evangelism. Reach me via email, Twitter, or my blog.
  • Traditional identity management: Windows Integrated Authentication (Active Directory) – Kerberos tickets, the user doesn't have to do a separate login, and credentials can optionally be passed through to SQL Server. Membership Provider – SQL Server or any other data store. Windows authentication and membership providers are a proven approach: we've done this for years, code is readily available, there is tooling to help, and you may even have used WIF already.
  • Let's take a look at this scenario. Challenges: Which provider to choose? How to redirect to the right provider? How to validate and parse the tokens returned by each provider? How to add, remove, or change the claims returned? How much code do we have to write?
  • AD – sort of (more on that coming up). Lack of physical control – a different way of administering and configuring the environment. Running in someone else's data center, potentially hundreds of miles away. Connectivity options may incur additional latency.
  • Options: AD on-premises; AD in the cloud (replicated); AD in the cloud only.
  • Social networks: tap into Facebook, Google, LinkedIn, etc. They have problems too – they change, so you change: a vicious cycle. Pick the right one? Add another? More code and logic. Membership Provider (SQL Azure or Windows Azure Table Storage): pros – you know this and may do it already, and you can migrate existing user data; cons – management, user support, passwords (security), password resets, potential for a security leak (how secure are you?). New providers: the Windows Azure Table Storage provider is new, not well established and shipped as a sample – ready for prime time?; the SQL Azure provider is the same one used with SQL Server. We need cloud-ready identity solutions . . . we need identity management built for the cloud!
  • ACS: the one to rule them all. Your app integrates with ACS and ACS deals with the identity providers. No more changing code as their APIs change; adding a new IdP is configuration.
  • STS: ACS is an STS in that it issues tokens to relying parties that use ACS to perform authentication. The STS must trust the identity provider(s) it uses.
  • WIF relies on settings in web.config, which we typically can't change easily in a Windows Azure deployment.
  • ASP.NET 4 applies request validation to all requests. It is a security feature aimed at cross-site scripting, but the WS-Federation sign-in response that ACS posts back to the application carries the token as XML in the wresult form field, which request validation rejects as dangerous markup.
  • Development certificate – use IIS or makecert. Allow NETWORK_SERVICE access to the certificate's private key (use certmgr).
  • Social is important: mobile users likely already have a social identity, Windows Phone users already have a Windows Live ID, and signup is quick and easy. Potential for rapid user base expansion; tap into a large, growing and global market. A NuGet package quickly adds ACS to the app. (Demo: using NuGet in WP7)
  • OData for rich control; the portal for simpler things.

    1. Using Windows Azure for Solving Identity Management Challenges
    2. About Me
       • Michael S. Collier
       • National Architect, Windows Azure
    3. Traditional Identity Management
       • Windows Integrated Authentication (Active Directory)
       • Membership Provider
       • Proven approach
       • Leverage Windows Identity Foundation (WIF)
    4. We Have a Problem
       • No Active Directory
       • Environment not under our physical control
       • Disconnected from the enterprise (potentially)
    5. Windows Azure Connect
       • Secure network connectivity between Windows Azure and on-premises
       • Hybrid apps: access to on-premises servers
         – App access to SQL Server
         – Role domain-joined to AD
       • Setup & management
       [Diagram: Role A, Role B and Role C (multiple VMs) in the cloud connected through a relay to the enterprise's dev machines, databases and AD. Image courtesy Windows Azure Platform Training Kit]
    6. Windows Azure Virtual Network
       • Site-to-site VPN tunnel between Windows Azure and on-premises
       • Currently in Preview
       [Image courtesy of the Windows Azure Training Kit]
    7. Options
       • Social Networks (e.g. Windows Live ID)
         – They change . . . often
         – The right one?
         – Another?
         – More work!
       • Membership Provider
         – SQL Azure
         – Table Storage
         – Pros: mostly a known entity; migrate existing data
         – Cons: user management; security leak; new
    8. Windows Azure Access Control Service
       • No need to build your own identity management solution
       • Authenticate (WIF – OAuth and WS-Federation)
       • Claims-based authorization
       • Multiple Identity Providers (ADFSv2, Google, Live ID, etc.)
       • Ability to bring your own via membership
       • One to rule them all!
       • Easy for your users
    9. Key ACS Concepts
       • Relying Party (RP): web application that outsources authentication to an authority it trusts. The RP is your app.
       • Identity Provider (IP): authenticates users and issues tokens
       • Token: digitally signed security data issued after the user has authenticated; used to gain access to the RP (your app)
       • Claim: an attribute of the authenticated user (age, birthdate, email address, name, etc.)
       • Federation Provider: intermediary between the RP and IP. ACS is a Federation Provider.
       • STS: Security Token Service – issues tokens containing claims. ACS is an STS.
    10. Authentication Workflow (participants: Browser, Application/RP, Identity Provider, Access Control)
       1. Browser requests a resource from the application
       2. Application redirects the browser to the Identity Provider
       3. User logs in
       4. Identity Provider authenticates the user & issues a token
       5. Redirect to the Access Control service
       6. Browser sends the token to ACS
       7. ACS validates the token, runs its rules engine and issues its own token
       8. Redirect to the RP with the ACS token
       9. Browser sends the ACS token to the Relying Party
       10. RP validates the token
       11. RP returns the resource representation
       (Diagram courtesy Windows Azure Boot Camp)
    11. Getting Started with ACS – DEMO
    12. Claims Enrichment
       • Identity Providers only provide a few claims
         – Windows Live provides just one (name identifier)
         – Google and Yahoo! provide three (email, name, name identifier)
         – Facebook and ADFSv2: the set depends on how the provider is configured
       • Add more claims that are known to your application
         – ClaimsAuthenticationManager
    13. Claims Enrichment – DEMO
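A worked example of the ClaimsAuthenticationManager approach from slide 12, added here as an illustration; it is not the deck's demo code. It assumes WIF 3.5 (the Microsoft.IdentityModel assembly). The namespace, class name, issuer URN and the role table are made up for the example; the identityprovider claim type URI is the one ACS emits.

```csharp
// Added example (not from the deck): enriching the ACS-issued principal with
// application-owned claims via a WIF 3.5 ClaimsAuthenticationManager.
// Assumes the Microsoft.IdentityModel (WIF 3.5) assembly. The user store below is
// constructed sample data standing in for SQL Azure / Table Storage.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;

namespace AcsDemo.Identity
{
    public class EnrichingClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        // Claim type ACS adds to every token naming which IdP authenticated the user.
        private const string IdentityProviderClaimType =
            "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

        // Issuer recorded on the claims this app adds, so they can be told apart from ACS claims.
        private const string AppIssuer = "urn:acsdemo:application";   // hypothetical name

        // Constructed sample store keyed by "<identityprovider>|<nameidentifier>". That pair is the
        // stable key ACS gives you; e-mail is optional (Live ID sends none) and not a safe key.
        private static readonly IDictionary<string, string[]> RolesByUser =
            new Dictionary<string, string[]>(StringComparer.Ordinal)
            {
                { "Google|urn:sample:alice", new[] { "Admin", "User" } },
                { "uri:WindowsLiveID|urn:sample:bob", new[] { "User" } },
            };

        // Called by WIF once per authenticated request; WIF then caches the enriched
        // principal in the session cookie, so the store is hit once per session.
        public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
        {
            // Anonymous requests flow through here too; never fabricate claims for them.
            if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            {
                return incomingPrincipal;
            }

            IClaimsIdentity identity = (IClaimsIdentity)incomingPrincipal.Identity;
            string idp = FirstValue(identity, IdentityProviderClaimType);
            string nameId = FirstValue(identity, ClaimTypes.NameIdentifier);
            if (idp == null || nameId == null)
            {
                // Token lacks the claims we key on: leave the user with no roles rather than guessing.
                return incomingPrincipal;
            }

            // Roles are this application's decision. Strip any role claims that arrived in the
            // token so a misconfigured ACS rule or a chatty IdP can't grant itself access.
            foreach (Claim stale in identity.Claims.Where(c => c.ClaimType == ClaimTypes.Role).ToList())
            {
                identity.Claims.Remove(stale);
            }

            string[] roles;
            if (RolesByUser.TryGetValue(idp + "|" + nameId, out roles))
            {
                foreach (string role in roles)
                {
                    identity.Claims.Add(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, AppIssuer));
                }
            }
            return incomingPrincipal;
        }

        private static string FirstValue(IClaimsIdentity identity, string claimType)
        {
            return identity.Claims
                .Where(c => c.ClaimType == claimType)
                .Select(c => c.Value)
                .FirstOrDefault();
        }
    }
}

// Register it in web.config so WIF invokes it after the ACS token has been validated:
// <microsoft.identityModel>
//   <service>
//     <claimsAuthenticationManager type="AcsDemo.Identity.EnrichingClaimsAuthenticationManager, AcsDemo" />
//   </service>
// </microsoft.identityModel>
```

Two design points worth noting: the lookup key is the (identity provider, name identifier) pair rather than the e-mail claim, because Live ID sends no e-mail and the other providers' e-mail claims are not something the application has verified; and incoming role claims are discarded before the application's own are added, so authorization decisions never depend on what an identity provider chose to assert.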
    14. Tips & Tricks
       • WIF relies on the web.config file
       • URLs related to the site (realm, reply address, audience URI) are set in web.config . . . and can't be changed once the package is deployed
       • Problematic for staging deployments – the URL isn't known until deployed
       • Add logic to the WebRole's OnStart() to update the WIF settings in web.config
         – Read the configuration settings from the .cscfg
         – Update and save the web.config
         – Changing .cscfg settings can cause a role recycle . . . which re-runs OnStart() and updates web.config again
    15. Tips & Tricks
       • Staging vs. Production
         – WIF configuration lives in web.config
         – Staging URL unknown until deployment
         – Change the WIF configuration in web.config during role startup
       • See Vittorio Bertocci's blog post on the topic
    16. Tips & Tricks
       • Cookie Encryption
         – By default WIF uses DPAPI to protect the session cookie sent to the client
         – DPAPI doesn't work across Windows Azure role instances: its keys are per-machine, so a cookie protected by one instance can't be read by another behind the load balancer
         – Use RsaEncryptionCookieTransform to encrypt with the same certificate used for SSL
    17. Tips & Tricks
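The following Global.asax.cs is an added example that covers the two tips above (slides 14 to 16); it is not the deck's code nor the code from the blog post it cites, and it takes a different route for the staging problem: instead of rewriting web.config in OnStart(), it sets the realm, reply address and audience URI at runtime from a .cscfg setting. It assumes WIF 3.5 (Microsoft.IdentityModel), the Windows Azure SDK ServiceRuntime assembly, a ServiceConfiguration setting named "SiteUrl" (a hypothetical name), a `<serviceCertificate>` element in web.config pointing at the SSL certificate, and the WS-Federation module registered under the name WSFederationAuthenticationModule, as the WIF tooling does.

```csharp
// Added example (not from the deck or the blog post it cites): a Global.asax.cs covering
//  (a) staging vs. production: realm/reply URL and audience URI come from a .cscfg setting
//      (hypothetical name "SiteUrl"), so one package deploys to either slot unchanged;
//  (b) cookie protection: DPAPI is swapped for RSA transforms keyed by the role's SSL certificate.
// Assumes WIF 3.5 (Microsoft.IdentityModel), Microsoft.WindowsAzure.ServiceRuntime, and a
// <serviceCertificate> element in web.config. The worker process needs read access to that
// certificate's private key (see the development-certificate tip).
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.WindowsAzure.ServiceRuntime;

namespace AcsDemo.Web
{
    public class Global : System.Web.HttpApplication
    {
        // The externally visible URL of this deployment slot, with a trailing slash.
        private static Uri SiteUrl
        {
            get
            {
                // Staging and production each carry their own .cscfg, so the value differs per
                // slot; outside the fabric (plain IIS) fall back to the development URL.
                string url = RoleEnvironment.IsAvailable
                    ? RoleEnvironment.GetConfigurationSettingValue("SiteUrl")
                    : "https://localhost:44300/";
                return new Uri(url.EndsWith("/", StringComparison.Ordinal) ? url : url + "/");
            }
        }

        protected void Application_Start(object sender, EventArgs e)
        {
            // Raised once, when WIF materialises its configuration from web.config.
            FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
        }

        private static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
        {
            ServiceConfiguration config = e.ServiceConfiguration;

            // (a) Accept tokens whose audience is this slot's URL, whatever <audienceUris> says.
            config.AudienceRestriction.AllowedAudienceUris.Add(SiteUrl);

            // (b) Replace the default DPAPI session-cookie protection. DPAPI keys are per-machine,
            // so a cookie sealed by one role instance is unreadable by the next instance the load
            // balancer picks; RSA with the shared SSL certificate works on every instance.
            if (config.ServiceCertificate == null)
            {
                throw new InvalidOperationException(
                    "web.config must declare <serviceCertificate> so the session cookie can be protected.");
            }
            var transforms = new List<CookieTransform>
            {
                new DeflateCookieTransform(),
                new RsaEncryptionCookieTransform(config.ServiceCertificate),
                new RsaSignatureCookieTransform(config.ServiceCertificate),
            };
            config.SecurityTokenHandlers.AddOrReplace(
                new SessionSecurityTokenHandler(transforms.AsReadOnly()));
        }

        // Auto-wired by ASP.NET (module name + event name, the module being registered in
        // web.config as "WSFederationAuthenticationModule") before each redirect to ACS:
        // stamp the realm and reply address so ACS issues the token for this slot rather than
        // the URL hard-coded in <wsFederation>.
        protected void WSFederationAuthenticationModule_RedirectingToIdentityProvider(
            object sender, RedirectingToIdentityProviderEventArgs e)
        {
            e.SignInRequestMessage.Realm = SiteUrl.AbsoluteUri;
            e.SignInRequestMessage.Reply = SiteUrl.AbsoluteUri;
        }
    }
}
```

Whichever route is taken, the realm sent to ACS must match a relying party configured in the ACS portal, so the staging URL still has to be registered there (or the staging and production sites registered as separate relying parties) before a staging deployment can sign in.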
    18. Tips & Tricks
       • Change request validation: the token ACS posts back in the wresult form field trips ASP.NET 4's request validation
         – Use ASP.NET 2.0 request validation mode, or
         – Custom validator (narrower: exempts only the WS-Federation sign-in response)
    19. Tips & Tricks
       // Source:
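The custom-validator option from slide 18, written out as an added example (the code on slide 19 and its source link did not survive the export, so this is not that code). It exempts only the WS-Federation sign-in response and leaves ASP.NET 4 request validation on for everything else. It assumes WIF 3.5 (Microsoft.IdentityModel) and ASP.NET 4; the namespace and class name are the example's own.

```csharp
// Added example (not from the deck): a request validator that exempts only the WS-Federation
// sign-in response, so ASP.NET 4 request validation stays on for every other input.
// Assumes WIF 3.5 (Microsoft.IdentityModel) and ASP.NET 4.
using System;
using System.Web;
using System.Web.Util;
using Microsoft.IdentityModel.Protocols.WSFederation;

namespace AcsDemo.Web
{
    public class WSFederationRequestValidator : RequestValidator
    {
        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            validationFailureIndex = 0;

            // ACS posts the token back as the "wresult" form field: an XML
            // <RequestSecurityTokenResponse> that the stock validator flags as markup.
            if (requestValidationSource == RequestValidationSource.Form &&
                string.Equals(collectionKey, WSFederationConstants.Parameters.Result, StringComparison.Ordinal))
            {
                // Only accept it if WIF can parse the whole POST as a sign-in response; any other
                // payload that happens to be named wresult still goes through normal validation.
                var message = WSFederationMessage.CreateFromFormPost(context.Request) as SignInResponseMessage;
                if (message != null)
                {
                    return true;
                }
            }

            // Query string, cookies, headers and all other form fields keep the ASP.NET 4 checks.
            return base.IsValidRequestString(
                context, value, requestValidationSource, collectionKey, out validationFailureIndex);
        }
    }
}

// web.config: point ASP.NET at the validator. This is preferable to requestValidationMode="2.0",
// which reverts the whole site to the ASP.NET 2.0 behaviour where only pages are validated and
// handlers, services and MVC actions lose the check entirely.
// <system.web>
//   <httpRuntime requestValidationType="AcsDemo.Web.WSFederationRequestValidator, AcsDemo" />
// </system.web>
```

Returning true here only tells ASP.NET that the form field is not an XSS attempt; the token inside it is still signature-checked, audience-checked and issuer-checked by WIF's WS-Federation module afterwards, so the exemption does not weaken authentication.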
    20. Tips & Tricks
       • Development certificate
       • Customize the login experience
       • User registration
       • Require authentication for only part of the site
    21. Gotchas
       • Single sign-out not currently supported
         – Provide a sign-out link for the specific Identity Provider
       • A Windows Azure co-admin cannot administer an ACS namespace
         – Add administrators to the namespace explicitly (Live ID, WAAD, Google, etc.)
       • WIF is not installed on Windows Azure roles
         – Set Copy Local = true on the Microsoft.IdentityModel reference, or
         – Install WIF via a startup task (recommended)
    22. The Impact for Mobile Applications
       • Social Networks
         – Important
         – Users likely already have at least one
         – Quick and easy signup
         – Potential for rapid user base expansion
       • NuGet package available for easily adding ACS to a Windows Phone application
         – Install-Package Phone.Identity.AccessControl.BasePage
    23. Enable ACS on Your Windows Phone Application – DEMO
    24. Windows Azure Active Directory
       • Extends AD into the cloud
       • Primarily for cloud applications
       • Connect from any device and platform
         – RESTful access to the directory
         – XML or JSON
       • Social providers or organizations
       • Can sync or federate on-premises AD to the cloud
       • Currently requires Office 365
       • WAAD is in Developer Preview – tread lightly
    25. Summary
       • Traditional identity management in the cloud is hard
         – Many external islands of identity
         – Current technology hard or not interoperable
       • ACS provides a standards-based approach
         – Integrates with Windows Identity Foundation
         – Claims-based authorization
         – Built-in support for ADFSv2, Google, Live ID, Yahoo!, & Facebook
       • Enrich functionality using WIF
       • OData API and portal for management
    26. Resources
       • Windows Azure ACS Guide (control/#config-trust)
       • Programming Windows Identity Foundation, Vittorio Bertocci
       • "Claims-Based Authorization with WIF", Michele Bustamante
       • ACS Cheat Sheet
       • ACS How-To's
       • ACS Tips
       • Publishing an ACS v2 Federated Identity Web Role
    27. How to Get Started
       • 90 days free!
       • MSDN benefits
       • Install the SDK via Web PI
       • Windows Azure Training Kit
       • Windows Azure Developer Center