Using Windows Azure for Solving Identity Management Challenges (Visual Studio Live, Las Vegas 2013)


Identity management for cloud deployed applications can be a challenge. Often users will want to leverage an existing social network or corporate identity. Now we have to worry about dealing with multiple APIs, any updates to those APIs, or the addition of new identity providers. Windows Azure Access Control Services offers a better way! ACS allows for federated user authentication via popular social networks and Active Directory. In this session we’ll provide a crash course in claims as they relate to identity management. We’ll discuss why claims are important and how to add additional claims beyond what is provided by the identity providers. We'll also take a look at Windows Azure Active Directory and see how to manage corporate identities in the cloud.


  1. 1. Using Windows Azure for Solving Identity Management Challenges. Michael S. Collier, National Architect, Cloud. Level: Intermediate
  2. 2. About Me: Michael S. Collier, National Architect
  3. 3. Agenda
     • Identity Management Challenges
     • Access Control Services
       – Claims
       – Setup tips
       – Gotchas
     • Windows Azure Mobile Services
       – Quickly leverage social identities
     • Windows Azure Active Directory
       – What it is
       – Quick setup
       – Exploring the directory graph
  4. 4. Who Are You?
     • Personalization
     • Business Rules
     • Functionality / Features
  5. 5. Traditional Identity Management
     • Windows Integrated Authentication (Active Directory)
     • Membership Provider
     • Proven Approach
     • Leverage WIF?
     (diagram: SQL, AD, My Enterprise)
  6. 6. Cloud? We Have a Problem
     • Multiple islands of identity
     • Environment not under our physical control
     • Disconnected from the enterprise (potentially)
  7. 7. Options • Social Networks • Membership Provider – They change . . . Often – SQL Database – The right one? – Table Storage – Another? – Pros – More work! Mostly known entity Migrate existing data – ConsMicrosoft Account User management Security leak New
  8. 8. Windows Azure Access Control Service
     • No need to build your own identity management solution.
     • Authenticate (WIF – OAuth and WS-Federation)
     • Claims-based authorization
     • Multiple Identity Providers (ADFSv2, Google, Live ID, etc.)
     • Ability to bring your own via membership
     • One to rule them all!
     • Easy for your users
     Windows Azure icons courtesy of David Pallmann.
  9. 9. Key ACS Concepts
     • Relying Party (RP): Web application that outsources authentication to an authority it trusts. The RP is your app.
     • Identity Provider (IP): Authenticates users and issues tokens.
     • Token: Digitally signed security data issued after the user has authenticated. Used to gain access to the RP (your app).
     • Claim: Attributes about the authenticated user (age, birthdate, email address, name, etc.)
     • Federation Provider: Intermediary between the RP and IP. ACS is a Federation Provider.
     • STS: Simple Token Service – issues tokens containing claims. ACS is an STS.
  10. 10. Authentication Workflow (participants: Browser, Application, Identity Provider, Access Control)
     1. Request Resource
     2. Redirect to Identity Provider
     3. Login
     4. Authenticate & Issue Token
     5. Redirect to AC service
     6. Send Token to ACS
     7. Validate Token, Run Rules Engine, Issue Token
     8. Redirect to RP with ACS Token
     9. Send ACS Token to Relying Party
     10. Validate Token
     11. Return resource representation
     Courtesy Windows Azure Boot Camp
  11. 11. Claims Enrichment
     • Identity Providers only provide a few claims
       – Microsoft Account / Live ID provides just one (Name Identifier)
       – Facebook, Google and Yahoo! provide at least three (email, name, name identifier)
       – ADFSv2 – us/library/windowsazure/gg185971.aspx
     • Add more claims that are known to your application
       – ClaimsAuthenticationManager
  12. 12. Getting Started with ACS (DEMO)
  13. 13. Recap
     1. Create a new ASP.NET 4.5 Web Site
        a) Capture User.Identity.Name
     2. Create an ACS namespace
        a) Portal
        b) Visual Studio tooling
     3. Configure the site using the ‘Identity and Access’ tool in Visual Studio
        a) Provide ACS namespace and management password
        b) Enable desired Identity Providers (e.g. Google)
        c) Configure realm, reply-to address, etc.
     4. Optional: Add ClaimsAuthenticationManager
     5. Run it
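Slides 11 and 13 name ClaimsAuthenticationManager as the place to add claims the identity provider does not supply. The following is an added example, not code from the deck, of what that hook looks like in .NET 4.5 WIF: it keys the lookup on the Name Identifier (the one claim every provider issues) combined with the ACS identityprovider claim, adds role claims with the application as issuer, and leaves anything else untouched. The role table, the issuer name "MyApp" and the assembly name in the web.config registration are hypothetical stand-ins for your own user store.

```csharp
// Added example, not code from the deck: a ClaimsAuthenticationManager that adds
// application-known claims to the principal ACS hands back (slides 11 and 13, step 4).
// Assumes .NET 4.5 WIF (System.Security.Claims). The role lookup table and the issuer
// name "MyApp" are hypothetical stand-ins for your own user store.
using System;
using System.Collections.Generic;
using System.Security.Claims;

namespace MyApp.Identity
{
    public class EnrichingClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        // ACS stamps every token it issues with the provider that authenticated the user.
        private const string IdentityProviderClaimType =
            "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

        // Hypothetical application-side mapping from "<provider>|<name identifier>" to roles.
        // Keyed on the Name Identifier because it is the one claim every provider issues
        // (slide 11); e-mail and display name are optional and user-editable.
        private static readonly Dictionary<string, string[]> KnownRoles =
            new Dictionary<string, string[]>(StringComparer.Ordinal)
            {
                { "Google|https://www.google.com/accounts/o8/id?id=CONSTRUCTED-EXAMPLE", new[] { "ExpenseApprover" } }
            };

        public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
        {
            // Only enrich principals that came out of a validated token.
            if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            {
                return incomingPrincipal;
            }

            var identity = (ClaimsIdentity)incomingPrincipal.Identity;
            Claim nameId = identity.FindFirst(ClaimTypes.NameIdentifier);
            Claim provider = identity.FindFirst(IdentityProviderClaimType);
            if (nameId == null || provider == null)
            {
                return incomingPrincipal;
            }

            // The same identifier value from two different providers is not the same user,
            // so the key combines both.
            string key = provider.Value + "|" + nameId.Value;

            string[] roles;
            if (KnownRoles.TryGetValue(key, out roles))
            {
                foreach (string role in roles)
                {
                    // The issuer marks these as application-added so authorization rules
                    // can tell them apart from provider-issued claims.
                    identity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, "MyApp"));
                }
            }

            return incomingPrincipal;
        }
    }
}

// web.config registration (assumes the type above lives in an assembly named MyApp):
// <system.identityModel>
//   <identityConfiguration>
//     <claimsAuthenticationManager type="MyApp.Identity.EnrichingClaimsAuthenticationManager, MyApp" />
//   </identityConfiguration>
// </system.identityModel>
```

Because the added roles end up in the session cookie, they are issued once at sign-in and live as long as the session; revoking a role therefore also means invalidating the session, not just editing the table.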
  14. 14. Tips & Tricks
     • WIF relies on the web.config file
     • Problematic for staging deployments – you don’t know the URL until deployed
     • Add logic to the WebRole’s OnStart() to update the WIF settings in web.config
       – Read in configuration settings from the .cscfg
       – Update and save the web.config
       – Changing .cscfg settings can cause a role recycle . . . causing web.config to update
  15. 15. Tips & Tricks
     • Staging vs. Production
       – WIF configuration in web.config
       – Staging URL unknown until deployment
       – Change WIF configuration in web.config during role startup
     See Vittorio Bertocci’s blog post at and-apply-new-wif-s-config-settings-in-your-windows-azure-webrole-without-redeploying.aspx
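Slides 14 and 15 describe the procedure (read the URL from the .cscfg in OnStart, rewrite the WIF settings in web.config, let a setting change recycle the role) without showing it. The following is an added example, not the deck's code and not Vittorio's, of one way to implement it with the .NET 4.5 WIF configuration sections. It assumes the Windows Azure SDK for .NET, a reference to Microsoft.Web.Administration, and an elevated role so web.config is writable; "IdentityRealm" is a hypothetical .cscfg setting name, and the "<instance id>_Web" site name is the convention full-IIS web roles use for the hosted site.

```csharp
// Added example, not code from the deck: rewrite the WIF realm, reply URL and audience
// in web.config when the web role starts, so a staging slot whose URL is only known
// after deployment (slides 14 and 15) gets working federation settings without a redeploy.
// Assumes .NET 4.5 WIF, Microsoft.WindowsAzure.ServiceRuntime, Microsoft.Web.Administration,
// and <Runtime executionContext="elevated" /> in the .csdef so the role may write web.config.
// "IdentityRealm" is a hypothetical .cscfg setting; "<instance id>_Web" is the site name
// convention full-IIS web roles use.
using System.IO;
using System.Linq;
using System.Xml.Linq;
using Microsoft.Web.Administration;
using Microsoft.WindowsAzure.ServiceRuntime;

public class WebRole : RoleEntryPoint
{
    private const string RealmSettingName = "IdentityRealm";

    public override bool OnStart()
    {
        // Cancelling the change forces a recycle, so a new realm in the .cscfg is applied
        // by re-running this OnStart instead of leaving a stale web.config behind.
        RoleEnvironment.Changing += (sender, e) =>
        {
            bool realmChanged = e.Changes
                .OfType<RoleEnvironmentConfigurationSettingChange>()
                .Any(c => c.ConfigurationSettingName == RealmSettingName);
            if (realmChanged)
            {
                e.Cancel = true;
            }
        };

        string realm = RoleEnvironment.GetConfigurationSettingValue(RealmSettingName);
        UpdateWifConfig(LocateWebConfig(), realm);
        return base.OnStart();
    }

    // Full IIS hosts the site in a separate process from the role entry point, so ask IIS
    // where the site's content (and therefore its web.config) lives.
    private static string LocateWebConfig()
    {
        using (var serverManager = new ServerManager())
        {
            Site site = serverManager.Sites[RoleEnvironment.CurrentRoleInstance.Id + "_Web"];
            string physicalPath = site.Applications["/"].VirtualDirectories["/"].PhysicalPath;
            return Path.Combine(physicalPath, "web.config");
        }
    }

    // Points the WS-Federation settings and the accepted audience at the deployed URL.
    // The same realm must be registered on the ACS relying party, or ACS rejects the request.
    private static void UpdateWifConfig(string webConfigPath, string realm)
    {
        XDocument config = XDocument.Load(webConfigPath);

        XElement wsFederation = config.Root
            .Element("system.identityModel.services")
            .Element("federationConfiguration")
            .Element("wsFederation");
        wsFederation.SetAttributeValue("realm", realm);
        wsFederation.SetAttributeValue("reply", realm);

        // audienceUris is the allow-list of realms this app accepts tokens for. Replace
        // the entry rather than appending, so the old URL does not remain a valid audience.
        XElement audienceUris = config.Root
            .Element("system.identityModel")
            .Element("identityConfiguration")
            .Element("audienceUris");
        audienceUris.RemoveNodes();
        audienceUris.Add(new XElement("add", new XAttribute("value", realm)));

        config.Save(webConfigPath);
    }
}
```

The audience rewrite is the part worth checking in a review: if the old realm were left in audienceUris, tokens minted for the previous URL would still be accepted by the new deployment.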
  16. 16. Tips & Tricks
     • Cookie Encryption
       – DPAPI is used to protect the session cookies sent to the client.
       – DPAPI not supported in Windows Azure
       – Use RsaEncryptionCookieTransform to encrypt with the same cert used for SSL.
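Slide 16 names RsaEncryptionCookieTransform but not where it is wired in. The following is an added example, not the deck's code, of the .NET 4.5 WIF pattern: swap the default session token handler for one whose cookie transforms encrypt and sign with the service certificate. DPAPI keys are bound to one machine, so a cookie protected on one role instance cannot be read by another behind the load balancer; the SSL certificate is already deployed to every instance with its private key, which is why the slide suggests reusing it. It assumes the certificate is configured as the serviceCertificate in web.config.

```csharp
// Added example, not code from the deck: protect the WIF session cookie with the role's
// SSL certificate instead of DPAPI, as slide 16 recommends. Assumes .NET 4.5 WIF
// (System.IdentityModel, System.IdentityModel.Services) and that the certificate is
// configured as <serviceCertificate> under <federationConfiguration> in web.config,
// so FederationConfiguration.ServiceCertificate resolves to it on every instance.
using System.Collections.Generic;
using System.IdentityModel;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_Start()
    {
        // Fired once when WIF builds its configuration; the right moment to replace handlers.
        FederatedAuthentication.FederationConfigurationCreated += OnFederationConfigurationCreated;
    }

    private static void OnFederationConfigurationCreated(object sender, FederationConfigurationCreatedEventArgs e)
    {
        var certificate = e.FederationConfiguration.ServiceCertificate;

        // Outbound order: compress, encrypt, then sign. Inbound the transforms run in
        // reverse, so the signature is verified before any decryption is attempted.
        var transforms = new List<CookieTransform>
        {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(certificate),
            new RsaSignatureCookieTransform(certificate)
        };

        var sessionHandler = new SessionSecurityTokenHandler(transforms.AsReadOnly());
        e.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
    }
}
```

The certificate must carry its private key on every instance, since decryption happens wherever the next request lands; rotating it invalidates all outstanding sessions, which is the expected behaviour rather than a bug.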
  17. 17. Tips & Tricks
  18. 18. Tips & Tricks
     • Change request validation
     • Use ASP.NET 2.0 request validation: <httpRuntime requestValidationMode="2.0" /> (this relaxes validation for the whole site, not only the token POST)
     • Custom validator
  19. 19. Tips & Tricks
     <httpRuntime requestValidationType="AccessControlRequestValidator" />
     // Source:
  20. 20. Gotchas
     • Single sign-out not currently supported
       – Provide a sign-out link for the specific Identity Provider
     • A Windows Azure co-admin cannot administer an ACS namespace
       – Add Live ID, WAAD, Google, etc.
     • WIF not installed on Windows Azure roles (.NET 3.5)
       – Microsoft.IdentityModel CopyLocal = true
       – Install WIF via a startup task (recommended)
  21. 21. The Impact for Mobile Apps
     • Social Networks
       – Important
       – Users likely already have at least one
       – Quick and easy signup
       – Potential for rapid user base expansion
     • Multiple identity provider choices via Windows Azure Mobile Services
  22. 22. Windows Azure Mobile Services (DEMO)
  23. 23. Recap
     • Windows Azure Mobile Services app
     • Developer accounts for social networks
       – Microsoft Account
       – Facebook
       – Twitter
       – Google
     • Add key/secret to the WAMS app
     • Prompt for user authentication:
       await App.MobileService.LoginAsync(MobileServiceAuthenticationProvider.Twitter);
     • Optional – Live SDK to use SSO in Windows Store apps
  24. 24. Windows Azure Active Directory
     • Extends AD into the cloud
     • Started as the directory for Office365
     • Provides single sign-on for cloud applications
     • Query-able social graph (native apps too)
     • Connect from any device and platform
       – RESTful access to the directory
       – XML/JSON request/response
     • Can sync or federate on-premises AD to the cloud
     WAAD is in a Developer Preview status. ☺
  25. 25. The Directory (diagram: DirectReports and MemberOf links)
  26. 26. The Directory (diagram: Windows Azure Active Directory, a multi-tenant directory)
  27. 27. The Directory (diagram: WAAD Tenant synchronized from On-Premises Active Directory via DirSync)
  28. 28. Getting Started
     • Organization ID
       – Office365
       – Dev/Test Tenant <tenant>
     • Windows Azure Subscription
     • Microsoft ASP.NET Tools for Windows Azure Active Directory – Visual Studio 2012 –
     • Office365 / Windows Azure Active Directory Management Cmdlets –
  29. 29. Windows Azure Active Directory – Setup and Connect to WAAD (DEMO)
  30. 30. Recap
     1. Pre-reqs
        a) Windows Azure AD PowerShell cmdlets
        b) Windows Azure AD tenant
        c) Visual Studio tools
     2. Create a new ASP.NET 4.5 web site
     3. ‘Enable Windows Azure Authentication’
        a) Under the ‘Project’ menu in Visual Studio
        b) Authenticate with a WAAD administrative account
     4. Run
  31. 31. Graph API
     • RESTful interface for Windows Azure AD
       – Compatible with OData V3
       – Use the latest WCF 5.3 update (API v0.9)
       – OAuth 2.0 for authentication
     • Programmatic access to the directory
       – DirectoryObject – User, Group, Role, Licenses, Tenant, etc.
       – Links – memberOf, directReports
     • Standard HTTP methods
       – GET, POST, PATCH, DELETE for directory objects
       – HTTP status codes
  32. 32. Directory Permissions
     • The application has rights to the directory, not the authenticated user
     • Your application == service principal
     • Application Roles
       – Partner Tier1 Support
       – Partner Tier2 Support
       – Company Administrator
       – Helpdesk Administrator
       – Directory Readers
       – Directory Writers
       – Billing Administrator
       – Service Support Administrator
       – User Account Administrator
  33. 33. Request
     GET $/Microsoft.WindowsAzure.ActiveDirectory.User()? HTTP/1.1
     User-Agent: Microsoft ADO.NET Data Services
     DataServiceVersion: 3.0;NetFx
     MaxDataServiceVersion: 3.0;NetFx
     Accept: application/atom+xml,application/xml
     Accept-Charset: UTF-8
     DataServiceUrlConventions: KeyAsSegment
     Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1THdqcHdBSk9NOW4tQSJ9.eyJhdWQiOiIwMDAwMDAwMi0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAvZ3JhcGgud2luZG93cy5uZXRAMTEyNzExNTktYWJjOC00ZTBlLWIzYzItYzJhMDg1OGEwMzZiIiwiaXNzIjoiMDAwMDAwMDEtMDAwMC0wMDAwLWMwMDAtMDAwMDAw……
     Host:
  34. 34. Response
     <?xml version="1.0" encoding="utf-8"?>
     <feed xml:base="" xmlns="" xmlns:d="" xmlns:m="" xmlns:georss="" xmlns:gml="">
       <id>$/Microsoft.WindowsAzure.ActiveDirectory.User</id>
       <title type="text">Microsoft.WindowsAzure.ActiveDirectory.User</title>
       <updated>2013-03-21T00:58:34Z</updated>
       <link rel="self" title="Microsoft.WindowsAzure.ActiveDirectory.User" href="Microsoft.WindowsAzure.ActiveDirectory.User" />
       <entry>
         <id></id>
         <category term="Microsoft.WindowsAzure.ActiveDirectory.User" scheme="" />
         <link rel="edit" title="User" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User" />
         <link rel="" type="application/atom+xml;type=entry" title="manager" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/manager" />
         <link rel="" type="application/atom+xml;type=feed" title="directReports" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/directReports" />
         <link rel="" type="application/atom+xml;type=feed" title="members" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/members" />
         <link rel="" type="application/atom+xml;type=feed" title="memberOf" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/memberOf" />
         <link rel="" type="application/atom+xml;type=feed" title="permissions" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/permissions" />
  35. 35. Response (continued)
         <link rel="" title="thumbnailPhoto" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/thumbnailPhoto" />
         <m:action metadata="$metadata#DirectoryDataService.assignLicense" title="assignLicense" target="" />
         <content type="application/xml">
           <m:properties>
             <d:objectType>User</d:objectType>
             <d:objectId>23dc9514-64ec-4c94-8f03-4edf9016b2a6</d:objectId>
             <d:accountEnabled m:type="Edm.Boolean">true</d:accountEnabled>
             <d:assignedLicenses m:type="Collection(Microsoft.WindowsAzure.ActiveDirectory.AssignedLicense)" />
             <d:assignedPlans m:type="Collection(Microsoft.WindowsAzure.ActiveDirectory.AssignedPlan)" />
             <d:city m:null="true" />
             <d:displayName>Michael Collier</d:displayName>
             <d:givenName>Michael</d:givenName>
             <d:mailNickname>michael</d:mailNickname>
             <d:mobile>+1 6142883146</d:mobile>
             <d:otherMails m:type="Collection(Edm.String)">
               <d:element></d:element>
             </d:otherMails>
             <d:userPrincipalName></d:userPrincipalName>
           </m:properties>
         </content>
       </entry>
     </feed>
     * Some elements removed for readability.
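Slides 31 to 35 show the Graph API request and its Atom/OData response but not how a client consumes it. The following is an added example, not the deck's code, of a namespace-aware parser for that feed: it pulls the user properties out of m:properties, honours the OData m:null="true" convention for absent values, and picks up the memberOf link that slide 31 lists among the navigable links. The namespace URIs are the standard Atom and OData v3 ones (the deck's copy lost them in extraction); the sample feed is constructed, modelled on slides 34 and 35, with a made-up objectId.

```csharp
// Added example, not code from the deck: parse the OData v3 Atom feed the Graph API
// returns for Microsoft.WindowsAzure.ActiveDirectory.User (slides 34-35).
// Assumes .NET 4.5 (System.Xml.Linq). The sample feed below is constructed.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

public sealed class DirectoryUser
{
    public string ObjectId { get; set; }
    public string DisplayName { get; set; }
    public bool AccountEnabled { get; set; }
    public string City { get; set; }          // null when the feed says m:null="true"
    public string MemberOfHref { get; set; }  // relative link to follow for group membership
}

public static class GraphFeedParser
{
    // Standard Atom and OData v3 namespaces; the deck's response declares them as xmlns:d and xmlns:m.
    static readonly XNamespace Atom = "http://www.w3.org/2005/Atom";
    static readonly XNamespace D = "http://schemas.microsoft.com/ado/2007/08/dataservices";
    static readonly XNamespace M = "http://schemas.microsoft.com/ado/2007/08/dataservices/metadata";

    public static List<DirectoryUser> Parse(string atomXml)
    {
        XDocument doc = XDocument.Parse(atomXml);
        var users = new List<DirectoryUser>();

        foreach (XElement entry in doc.Root.Elements(Atom + "entry"))
        {
            XElement props = entry.Element(Atom + "content").Element(M + "properties");
            users.Add(new DirectoryUser
            {
                ObjectId = (string)props.Element(D + "objectId"),
                DisplayName = (string)props.Element(D + "displayName"),
                // A missing or unparseable flag is treated as disabled, never as enabled.
                AccountEnabled = (bool?)props.Element(D + "accountEnabled") ?? false,
                City = ReadNullable(props.Element(D + "city")),
                MemberOfHref = entry.Elements(Atom + "link")
                    .Where(l => (string)l.Attribute("title") == "memberOf")
                    .Select(l => (string)l.Attribute("href"))
                    .FirstOrDefault()
            });
        }
        return users;
    }

    // OData marks absent values with m:null="true" rather than omitting the element.
    static string ReadNullable(XElement e)
    {
        if (e == null) return null;
        XAttribute isNull = e.Attribute(M + "null");
        return isNull != null && (bool)isNull ? null : e.Value;
    }
}

public static class Demo
{
    // Constructed sample modelled on slides 34-35 (one entry, reduced to the fields parsed above).
    public const string SampleFeed = @"<?xml version=""1.0"" encoding=""utf-8""?>
<feed xmlns=""http://www.w3.org/2005/Atom""
      xmlns:d=""http://schemas.microsoft.com/ado/2007/08/dataservices""
      xmlns:m=""http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"">
  <entry>
    <link rel=""http://schemas.microsoft.com/ado/2007/08/dataservices/related/memberOf"" type=""application/atom+xml;type=feed"" title=""memberOf"" href=""directoryObjects/00000000-0000-0000-0000-000000000001/Microsoft.WindowsAzure.ActiveDirectory.User/memberOf"" />
    <content type=""application/xml"">
      <m:properties>
        <d:objectType>User</d:objectType>
        <d:objectId>00000000-0000-0000-0000-000000000001</d:objectId>
        <d:accountEnabled m:type=""Edm.Boolean"">true</d:accountEnabled>
        <d:city m:null=""true"" />
        <d:displayName>Sample User</d:displayName>
      </m:properties>
    </content>
  </entry>
</feed>";

    public static void Main()
    {
        foreach (DirectoryUser u in GraphFeedParser.Parse(SampleFeed))
        {
            Console.WriteLine("{0} {1} enabled={2} city={3} memberOf={4}",
                u.ObjectId, u.DisplayName, u.AccountEnabled, u.City ?? "(null)", u.MemberOfHref);
        }
    }
}
```

Resolving the memberOf link against the request URL and issuing a second GET with the same bearer token is how slide 31's "Links" are walked; the parser deliberately does not treat the relative href as trusted for anything beyond building that next request.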
  36. 36. Windows Azure Authentication Library (WAAL)
     • Simplifies authentication
     • Client-side only
       – Used to obtain an authentication token only; no token validation
       – Web apps/services or rich clients
     • Server-side token authentication
       – JSON Web Token Handler (JWT Handler)
       – Samples: search “aal”, filter Technology = Windows Azure, Visual Studio Version = VS2012 (AAL > Windows Azure > Visual Studio 2012)
  37. 37. Registering Your App with WAAD
     • AppPrincipalId (ServicePrincipal)
       – identityConfiguration/audienceUris
       – /wsFederation
     • Read this blog post by Vittorio Bertocci – amp-role-claims-use-the-graph-api-to-get-back-isinrole-and-authorize-in-windows-azure-ad-apps/
  38. 38. Registering Your App with WAAD
     Import-Module MSOnlineExtended -Force
     # Connect to the WAAD tenant. Use tenant admin credentials (same used in the MVC VS2012 tools):
     # <user>@<tenant>.onmicrosoft.com
     Connect-MsolService
     # The AppPrincipalId from the web.config (a GUID, so it must be quoted)
     $AppPrincipalId = "9a90ed83-acff-44d7-813f-d7e724fef1aa"
     # Get the Service Principal object
     $servicePrincipal = Get-MsolServicePrincipal -AppPrincipalId $AppPrincipalId
     # Add the service principal to the appropriate role in WAAD.
     # The role grants the application, not the signed-in user, directory rights (slide 32); pick the narrowest role that covers what the app does.
     Add-MsolRoleMember -RoleMemberType "ServicePrincipal" -RoleName "User Account Administrator" -RoleMemberObjectId $servicePrincipal.ObjectId
     # Dates for which the credential is valid (1 year)
     $timeNow = Get-Date
     $expiryTime = $timeNow.AddYears(1)
     # Generate the symmetric key (32 random bytes)
     $cryptoProvider = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
     $byteArr = New-Object byte[] 32
     $cryptoProvider.GetBytes($byteArr)
     $signingKey = [Convert]::ToBase64String($byteArr)
     # The key is the application's secret; it is written to a file so it can be copied into web.config. Protect or delete the file afterwards.
     Write-Output $signingKey | Out-File signingKey.txt
     # Create a new service principal credential with the created key and assign it to the service principal.
     New-MsolServicePrincipalCredential -AppPrincipalId $AppPrincipalId -Type symmetric -StartDate $timeNow -EndDate $expiryTime -Usage Verify -Value $signingKey
  39. 39. WAAD and Expense Application (Code Walkthrough) (DEMO)
  40. 40. Going Further
     • Multitenant applications
       – Leverage identity from other WAAD tenants
       – us/develop/net/tutorials/multitenant-apps-for-active-directory/
     • Phone 2FA
       – Additional administrative users
       – Username/pwd + text message code
       – ONLY for WAAD users and applications now
     • Configure as an Identity Provider in ACS
  41. 41. Windows Azure Virtual Network: Windows Azure Site-to-Site VPN Tunnel (currently in Preview). Image courtesy of the Windows Azure Training Kit
  42. 42. Summary
     • Traditional identity management in the cloud is hard
       – Many external islands of identity
       – Current technology hard or not interoperable
     • ACS provides a standards-based approach
       – Integrates with Windows Identity Foundation
       – Claims-based authorization
       – Built-in support for ADFSv2, Google, Live ID, Yahoo!, & Facebook
     • Enrich functionality using WIF
     • Leverage Windows Azure Mobile Services for mobile apps
     • Windows Azure Active Directory shows the future direction
  43. 43. Resources
     • Windows Azure ACS Guide – control/#config-trust
     • Programming Windows Identity Foundation, Vittorio Bertocci
     • Vittorio Bertocci’s blog
     • “Claims-Based Authorization with WIF”, Michele Bustamante –
     • ACS Cheat Sheet –
     • ACS How To’s –
     • ACS Tips –
     • Publishing an ACS v2 Federated Identity Web Role –
     • MVC Sample App for Windows Azure Active Directory Graph –
     • Windows Azure Active Directory Graph Team –
  44. 44. Ask your questions
  45. 45. Thank You!! Michael S. Collier, National Architect. Fill out your session evals!