Using Windows Azure for Solving
Identity Management Challenges
Michael S. Collier
Michael S. Collier
• Principal Cloud Architect, Aditi
• michaelc@aditi.com
• @MichaelCollier
• www.MichaelSCollier.com
Platinum Sponsors
Gold Sponsors
What We’re Talking About
• Identity - Current State and in The Cloud
• Windows Azure solutions
• Mobile Services
• Access ...
Who Are You?
• Personalization
• Business Rules
• Functionality / Features
7
Traditional Identity Management
• IT Pro – controls the known world
• Developers – blissfully ignorant?
8
AD
SQL
My Enterp...
Cloud . . . A New Challenge
• Move the application & data
• Islands of identity
• Outside of “traditional” IT world
• Exte...
10
Windows Azure Options
Mobile Services
Active Directory
Access Control Service
(ACS)
Server Active Directory
AD w/ DirSy...
Mobile Services
• Goal – easily build cloud-powered mobile apps
• Built-in support for multiple social identity providers
...
Mobile Services
12
Authentication
• Microsoft Account, Facebook, Twitter, and Google
• OAuth
• Does not use Windows Azure ACS
Authentication
• Microsoft Account – Use the Live SDK
• Tight integration with Windows Live services
More Mobile Services?
• Programming Windows Azure Mobile Services
• Jason Farrell
• Wednesday at 10:30am
• Portia
15
Access Control Service (ACS)
• Federated identity/authentication service
• Google, Microsoft Account, Yahoo!, ADFS v2
• Br...
DEMO TIME!!!
Access Control Service (ACS)
ACS Tips
• Enrich claims w/ a ClaimsAuthenticationManager
• Update WIF settings in web.config in OnStart()
• Web Farm Read...
Windows Azure Active Directory
• Internet scale, multi-tenant
directory service
• Directory store for Office 365
• Extend ...
Windows Azure Active Directory
• Multi-tenant “directory-as-a-service”
• NOT a cloud version of Windows Server AD
33
Image...
Windows Azure Active Directory
34
Windows Azure
Management Portal
REST API
SAML-P
O-Auth
WS-Federation
Integration / Manag...
Windows Azure Active Directory
35
Integration / Management Endpoints
Windows Azure Active Directory
• What’s in the directory?
• Everything is an object
• Types: User, Group, Role, Applicatio...
WAAD Graph Response
<?xml version="1.0" encoding="utf-8"?>
<feed xml:base="https://graph.windows.net/collierdemo.onmicroso...
WAAD Graph Response
38
<link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/edit-media/thumbnailPhoto" title="...
Graph API Helpers
• REST interface for WAAD
• Graph Explorer: https://graphexplorer.cloudapp.net/
• AAD Helper: http://cod...
WAAD Authentication
• Authentication for cloud-based & native apps
• Permissions
• SSO, Read Data, Read & Write Data
• App...
DEMO TIME!!!
Windows Azure AD – Single Sign-On, Web API, and Windows Store
WAAD and the Enterprise
59
AD
SQL
My Enterprise
LOB App
WAAD and the Enterprise
60
• Passwords sync every 2 minutes
• Users sync every 3 hours
My Enterprise
DirSync
LOB App
SQL
Where Does the Authentication Happen?
61
Portal PowerShell/
Directory GRAPH
DirSync w/Cloud
identities
DirSync
w/Password ...
DEMO TIME!!!
Windows Azure Active Directory w/ DirSync
Going Further with Windows Azure AD
• Multitenant applications
• Leverage identity from other WAAD tenants
• http://www.wi...
Summary
• Developers, Architects, & IT Pros work together
• Mobile Services
• Quickly add Identity Providers via portal co...
Helpful Resources
• Mobile Services
• Handling Expired Tokens -
http://www.thejoyofcode.com/Handling_expired_tokens_in_you...
Ask your questions
Thank You!
• Michael S. Collier
• Principal Cloud Architect, Aditi
• michaelc@aditi.com
• @MichaelCollier
• www.MichaelSCo...
August 11th – 13th 2014
Same Place, Same Time
Using Windows Azure for Solving Identity Management Challenges
Using Windows Azure for Solving Identity Management Challenges
Upcoming SlideShare
Loading in...5
×

Using Windows Azure for Solving Identity Management Challenges

3,824

Published on

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
3,824
On Slideshare
0
From Embeds
0
Number of Embeds
11
Actions
Shares
0
Downloads
34
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide
  • Title slide for anyone looking to use this years logo.
  • Principal Cloud ArchitectWindows Azure MVPHelp customers nationwide with their Windows Azure projects. This can include architectural design sessions, training, development, evangelism, etc.Reach me via email, Twitter, or my blog.
  • Please take a brief opportunity and thank our platinum and gold sponsors. They have invested a lot of time and money into making That Conference the success it is.
  • Nearly every application asks at least one simple question – who are you?PersonalizationBusiness rules (access to specific areas / functionality)
  • MSFT Account – OAuth and integrated Windows Store app (SSO)
  • OAuthRenders the OAuth web interface for the selected provider.
  • Provide SSO for Windows 8 users
  • Mobile Services helps w/ mobile apps, but what about web apps. We can leverage ACS.Authorization – your responsibility; use provided claims and map to your business rules
  • With the somewhat more consumer offerings out of the way, let’s spend the rest of the time talking about enterprises.
  • Accessibility options
  • DirectoryObject is the base type for the following entity types: Application, Device,DirectoryLinkChange, Contact, Group, Role, ServicePrincipal, TenantDetail, and User.http://msdn.microsoft.com/en-us/library/windowsazure/jj134105.aspx
  • Simple SSO for web appWeb API and Windows Store App - AAL
  • Integration Options
  • Show AD server and VM in cloudShow WAAD dir integrationChange user password . . . Wait for syncShow demo app
  • Phone 2FA – formerly known as ‘Active Authentication’
  • Windows Azure National ArchitectWindows Azure MVPHelp customers nationwide with their Windows Azure projects. This can include architectural design sessions, training, development, evangelism, etc.Reach me via email, Twitter, or my blog.
  • At the end of your presentation we would be grateful if you could help us announce next years date.
  • Using Windows Azure for Solving Identity Management Challenges

    1. 1. Using Windows Azure for Solving Identity Management Challenges Michael S. Collier
    2. 2. Michael S. Collier • Principal Cloud Architect, Aditi • michaelc@aditi.com • @MichaelCollier • www.MichaelSCollier.com
    3. 3. Platinum Sponsors Gold Sponsors
    4. 4. What We’re Talking About • Identity - Current State and in The Cloud • Windows Azure solutions • Mobile Services • Access Control Service (ACS) • Windows Azure Active Directory 6
    5. 5. Who Are You? • Personalization • Business Rules • Functionality / Features 7
    6. 6. Traditional Identity Management • IT Pro – controls the known world • Developers – blissfully ignorant? 8 AD SQL My Enterprise LOB App
    7. 7. Cloud . . . A New Challenge • Move the application & data • Islands of identity • Outside of “traditional” IT world • External users / partners • BYOD • Developers ignorant no more • Developers + IT Pros 9
    8. 8. 10 Windows Azure Options Mobile Services Active Directory Access Control Service (ACS) Server Active Directory AD w/ DirSync
    9. 9. Mobile Services • Goal – easily build cloud-powered mobile apps • Built-in support for multiple social identity providers 11 private async System.Threading.Tasks.Task Authenticate() { while (user == null) { string message; try { user = await App.MobileService.LoginAsync(MobileServiceAuthenticationProvider.Twitter); message = string.Format("You are now logged in - {0}", user.UserId); CurrentUser.Text = "Welcome, " + App.MobileService.CurrentUser.UserId; } catch (InvalidOperationException) { message = "You must log in. Login Required"; } var dialog = new MessageDialog(message); dialog.Commands.Add(new UICommand("OK")); await dialog.ShowAsync(); } } Facebook Google MicrosoftAccount Twitter
    10. 10. Mobile Services 12
    11. 11. Authentication • Microsoft Account, Facebook, Twitter, and Google • OAuth • Does not use Windows Azure ACS
    12. 12. Authentication • Microsoft Account – Use the Live SDK • Tight integration with Windows Live services
    13. 13. More Mobile Services? • Programming Windows Azure Mobile Services • Jason Farrell • Wednesday at 10:30am • Portia 15
    14. 14. Access Control Service (ACS) • Federated identity/authentication service • Google, Microsoft Account, Yahoo!, ADFS v2 • Bring your own membership • Claims-based authorization • Browser based (302 redirect) • Focus on your app 16
    15. 15. DEMO TIME!!! Access Control Service (ACS)
    16. 16. ACS Tips • Enrich claims w/ a ClaimsAuthenticationManager • Update WIF settings in web.config in OnStart() • Web Farm Ready Cookies • Web Sites and Cloud Services • DPAPI not supported in Windows Azure • Provide sign-out link for identity providers • Azure co-admin can’t admin ACS namespace 31
    17. 17. Windows Azure Active Directory • Internet scale, multi-tenant directory service • Directory store for Office 365 • Extend Windows Server AD to the cloud • Directory & identity services w/o need for Windows Server AD 32 Active Directory O365 Account Portal Intune Account Portal Windows Azure Mgmt Portal Azure AD PowerShell cmdlets
    18. 18. Windows Azure Active Directory • Multi-tenant “directory-as-a-service” • NOT a cloud version of Windows Server AD 33 Image Source: http://technet.microsoft.com/en-us/library/jj573650.aspx
    19. 19. Windows Azure Active Directory 34 Windows Azure Management Portal REST API SAML-P O-Auth WS-Federation Integration / Management Endpoints Windows Azure Active Directory
    20. 20. Windows Azure Active Directory 35 Integration / Management Endpoints
    21. 21. Windows Azure Active Directory • What’s in the directory? • Everything is an object • Types: User, Group, Role, Application, Device, etc. 36
    22. 22. WAAD Graph Response <?xml version="1.0" encoding="utf-8"?> <feed xml:base="https://graph.windows.net/collierdemo.onmicrosoft.com/" xmlns="http://www.w3.org/2005/Atom" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:georss="http://www.georss.org/georss" xmlns:gml="http://www.opengis.net/gml"> <id>https://graph.windows.net/11271159-abc8-4e0e-b3c2-c2a0858a036b/directoryObjects/$/Microsoft.WindowsAzure.ActiveDirectory.User</id> <title type="text">Microsoft.WindowsAzure.ActiveDirectory.User</title> <updated>2013-03-21T00:58:34Z</updated> <link rel="self" title="Microsoft.WindowsAzure.ActiveDirectory.User" href="Microsoft.WindowsAzure.ActiveDirectory.User" /> <entry> <id>https://graph.windows.net/11271159-abc8-4e0e-b3c2-c2a0858a036b/directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6</id> <category term="Microsoft.WindowsAzure.ActiveDirectory.User" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" /> <link rel="edit" title="User" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User" /> <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/manager" type="application/atom+xml;type=entry" title="manager" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/manager" /> <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/directReports" type="application/atom+xml;type=feed" title="directReports" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/directReports" /> <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/members" type="application/atom+xml;type=feed" title="members" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/members" /> <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/memberOf" type="application/atom+xml;type=feed" title="memberOf" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/memberOf" /> <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/permissions" type="application/atom+xml;type=feed" title="permissions" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/permissions" /> 37
    23. 23. WAAD Graph Response 38 <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/edit-media/thumbnailPhoto" title="thumbnailPhoto" href="directoryObjects/23dc9514-64ec- 4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/thumbnailPhoto" /> <m:action metadata="https://graph.windows.net/michaelcollier.onmicrosoft.com/$metadata#DirectoryDataService.assignLicense" title="assignLicense" target="https://graph.windows.net/collierdemo.onmicrosoft.com/directoryObjects/23dc9514-64ec-4c94-8f03- 4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/assignLicense" /> <content type="application/xml"> <m:properties> <d:objectType>User</d:objectType> <d:objectId>23dc9514-64ec-4c94-8f03-4edf9016b2a6</d:objectId> <d:accountEnabled m:type="Edm.Boolean">true</d:accountEnabled> <d:assignedLicenses m:type="Collection(Microsoft.WindowsAzure.ActiveDirectory.AssignedLicense)" /> <d:assignedPlans m:type="Collection(Microsoft.WindowsAzure.ActiveDirectory.AssignedPlan)" /> <d:city m:null="true" /> <d:displayName>Michael Collier</d:displayName> <d:givenName>Michael</d:givenName> <d:mailNickname>michael</d:mailNickname> <d:mobile>+1 6142883146</d:mobile> <d:otherMails m:type="Collection(Edm.String)"> <d:element>michaelscollier@gmail.com</d:element> </d:otherMails> <d:userPrincipalName>michael@collierdemo.onmicrosoft.com</d:userPrincipalName> </m:properties> </content> </entry> </feed> * Some elements removed for readability.
    24. 24. Graph API Helpers • REST interface for WAAD • Graph Explorer: https://graphexplorer.cloudapp.net/ • AAD Helper: http://code.msdn.microsoft.com/Windows- Azure-AD-Graph-API-a8c72e18 • Active Directory Authentication Library (ADAL) • https://www.nuget.org/packages/System.IdentityModel.Client s.ActiveDirectory/ • http://www.cloudidentity.com/blog/2013/08/02/aal-becomes- adal-active-directory-authentication-library/ • Formerly Azure Authentication Library (AAL) 39
    25. 25. WAAD Authentication • Authentication for cloud-based & native apps • Permissions • SSO, Read Data, Read & Write Data • Applies to the APPLICATION, not the user 40
    26. 26. DEMO TIME!!! Windows Azure AD – Single Sign-On, Web API, and Windows Store
    27. 27. WAAD and the Enterprise 59 AD SQL My Enterprise LOB App
    28. 28. WAAD and the Enterprise 60 • Passwords sync every 2 minutes • Users sync every 3 hours My Enterprise DirSync LOB App SQL
    29. 29. Where Does the Authentication Happen? 61 Portal PowerShell/ Directory GRAPH DirSync w/Cloud identities DirSync w/Password Sync DirSync w/SSO Target customer segment • Small • Small to Medium • Small/Medium • Small/Medium • Medium/Large Scenario supported • Least • Least • Some limitation • Some limitations • Most Directory Source of Authority • Cloud • Cloud • On-premises • On-premises • On-premises Hardware requirements • No additional hardware required • No additional hardware required • Windows Server OS for DirSync appliance • Windows Server OS for DirSync appliance • DirSync appliance • ADFS (or other STS) deployment IDP • Cloud • Cloud • Cloud • Cloud • On-premises User login experience • Disjoint username and password • Enter credentials twice • Disjoint username and password • Enter credentials twice • Same username, disjoint password • Enter credentials twice • Same username and password for on-prem and cloud • Enter credentials twice • Same username and password for on-prem and cloud • Login once if on- premises Complexity • Low • Medium • Low • Low • High Table Source: Microsoft Office 365 Directory and Access Management with Windows Azure Active Directory, Ross Adams & Jono Luk – TechEd NA 2013
    30. 30. DEMO TIME!!! Windows Azure Active Directory w/ DirSync
    31. 31. Going Further with Windows Azure AD • Multitenant applications • Leverage identity from other WAAD tenants • http://www.windowsazure.com/en- us/develop/net/tutorials/multitenant-apps-for-active- directory/ • Phone 2FA (Multi-Factor Authentication) • Additional administrative users • Username/pwd + text message code 63
    32. 32. Summary • Developers, Architects, & IT Pros work together • Mobile Services • Quickly add Identity Providers via portal config and code • ACS • Federated identity authentication • Claims-based authorization • Windows Azure AD • “Extends” Windows Server AD to the cloud • Query via REST graph API 64
    33. 33. Helpful Resources • Mobile Services • Handling Expired Tokens - http://www.thejoyofcode.com/Handling_expired_tokens_in_your_application_Day_11_.aspx • Carlos Figueira’s Blog - http://blogs.msdn.com/b/carlosfigueira/ • ACS • Cheat Sheet – http://bit.ly/ACSCheatSheet • How To’s – http://bit.ly/ACSHowTo • Tips – http://bit.ly/HYhxjY • Azure Active Directory • “Microsoft Office 365 Directory and Access Management with Windows Azure Active Directory”, Ross Adams & Jono Luk – TechEd NA 2013 • “Deep Dive into the Windows Azure Active Directory Graph API: Data Model, Schema, Query, and More”, Edward Wu – TechEd NA 2013 • Securing a Windows Store App and REST API using Windows Azure AD - http://msdn.microsoft.com/en-us/library/windowsazure/dn169448.aspx • Vittorio Bertocci’s Blog - http://www.cloudidentity.com/blog/ 65
    34. 34. Ask your questions
    35. 35. Thank You! • Michael S. Collier • Principal Cloud Architect, Aditi • michaelc@aditi.com • @MichaelCollier • www.MichaelSCollier.com
    36. 36. August 11th – 13th 2014 Same Place, Same Time
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.

    ×