Using Windows Azure for Solving Identity Management Challenges
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

Using Windows Azure for Solving Identity Management Challenges

on

  • 3,940 views

 

Statistics

Views

Total Views
3,940
Views on SlideShare
2,376
Embed Views
1,564

Actions

Likes
2
Downloads
27
Comments
0

10 Embeds 1,564

http://michaelcollier.wordpress.com 1458
http://architects.dzone.com 69
http://cloud.feedly.com 14
https://michaelcollier.wordpress.com 12
http://www.365dailyjournal.com 3
http://www.g-singh.com 3
http://www.dzone.com 2
http://www.rx2.eu 1
http://prlog.ru 1
http://ixquick-proxy.com 1
More...

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • Title slide for anyone looking to use this years logo.
  • Principal Cloud ArchitectWindows Azure MVPHelp customers nationwide with their Windows Azure projects. This can include architectural design sessions, training, development, evangelism, etc.Reach me via email, Twitter, or my blog.
  • Please take a brief opportunity and thank our platinum and gold sponsors. They have invested a lot of time and money into making That Conference the success it is.
  • Nearly every application asks at least one simple question – who are you?PersonalizationBusiness rules (access to specific areas / functionality)
  • MSFT Account – OAuth and integrated Windows Store app (SSO)
  • OAuthRenders the OAuth web interface for the selected provider.
  • Provide SSO for Windows 8 users
  • Mobile Services helps w/ mobile apps, but what about web apps. We can leverage ACS.Authorization – your responsibility; use provided claims and map to your business rules
  • With the somewhat more consumer offerings out of the way, let’s spend the rest of the time talking about enterprises.
  • Accessibility options
  • DirectoryObject is the base type for the following entity types: Application, Device,DirectoryLinkChange, Contact, Group, Role, ServicePrincipal, TenantDetail, and User.http://msdn.microsoft.com/en-us/library/windowsazure/jj134105.aspx
  • Simple SSO for web appWeb API and Windows Store App - AAL
  • Integration Options
  • Show AD server and VM in cloudShow WAAD dir integrationChange user password . . . Wait for syncShow demo app
  • Phone 2FA – formerly known as ‘Active Authentication’
  • Windows Azure National ArchitectWindows Azure MVPHelp customers nationwide with their Windows Azure projects. This can include architectural design sessions, training, development, evangelism, etc.Reach me via email, Twitter, or my blog.
  • At the end of your presentation we would be grateful if you could help us announce next years date.

Using Windows Azure for Solving Identity Management Challenges Presentation Transcript

  • 1. Using Windows Azure for Solving Identity Management Challenges Michael S. Collier
  • 2. Michael S. Collier • Principal Cloud Architect, Aditi • michaelc@aditi.com • @MichaelCollier • www.MichaelSCollier.com
  • 3. Platinum Sponsors Gold Sponsors
  • 4. What We’re Talking About • Identity - Current State and in The Cloud • Windows Azure solutions • Mobile Services • Access Control Service (ACS) • Windows Azure Active Directory 6
  • 5. Who Are You? • Personalization • Business Rules • Functionality / Features 7
  • 6. Traditional Identity Management • IT Pro – controls the known world • Developers – blissfully ignorant? 8 AD SQL My Enterprise LOB App
  • 7. Cloud . . . A New Challenge • Move the application & data • Islands of identity • Outside of “traditional” IT world • External users / partners • BYOD • Developers ignorant no more • Developers + IT Pros 9
  • 8. 10 Windows Azure Options Mobile Services Active Directory Access Control Service (ACS) Server Active Directory AD w/ DirSync
  • 9. Mobile Services • Goal – easily build cloud-powered mobile apps • Built-in support for multiple social identity providers 11 private async System.Threading.Tasks.Task Authenticate() { while (user == null) { string message; try { user = await App.MobileService.LoginAsync(MobileServiceAuthenticationProvider.Twitter); message = string.Format("You are now logged in - {0}", user.UserId); CurrentUser.Text = "Welcome, " + App.MobileService.CurrentUser.UserId; } catch (InvalidOperationException) { message = "You must log in. Login Required"; } var dialog = new MessageDialog(message); dialog.Commands.Add(new UICommand("OK")); await dialog.ShowAsync(); } } Facebook Google MicrosoftAccount Twitter
  • 10. Mobile Services 12
  • 11. Authentication • Microsoft Account, Facebook, Twitter, and Google • OAuth • Does not use Windows Azure ACS
  • 12. Authentication • Microsoft Account – Use the Live SDK • Tight integration with Windows Live services
  • 13. More Mobile Services? • Programming Windows Azure Mobile Services • Jason Farrell • Wednesday at 10:30am • Portia 15
  • 14. Access Control Service (ACS) • Federated identity/authentication service • Google, Microsoft Account, Yahoo!, ADFS v2 • Bring your own membership • Claims-based authorization • Browser based (302 redirect) • Focus on your app 16
  • 15. DEMO TIME!!! Access Control Service (ACS)
  • 16. ACS Tips • Enrich claims w/ a ClaimsAuthenticationManager • Update WIF settings in web.config in OnStart() • Web Farm Ready Cookies • Web Sites and Cloud Services • DPAPI not supported in Windows Azure • Provide sign-out link for identity providers • Azure co-admin can’t admin ACS namespace 31
  • 17. Windows Azure Active Directory • Internet scale, multi-tenant directory service • Directory store for Office 365 • Extend Windows Server AD to the cloud • Directory & identity services w/o need for Windows Server AD 32 Active Directory O365 Account Portal Intune Account Portal Windows Azure Mgmt Portal Azure AD PowerShell cmdlets
  • 18. Windows Azure Active Directory • Multi-tenant “directory-as-a-service” • NOT a cloud version of Windows Server AD 33 Image Source: http://technet.microsoft.com/en-us/library/jj573650.aspx
  • 19. Windows Azure Active Directory 34 Windows Azure Management Portal REST API SAML-P O-Auth WS-Federation Integration / Management Endpoints Windows Azure Active Directory
  • 20. Windows Azure Active Directory 35 Integration / Management Endpoints
  • 21. Windows Azure Active Directory • What’s in the directory? • Everything is an object • Types: User, Group, Role, Application, Device, etc. 36
  • 22. WAAD Graph Response <?xml version="1.0" encoding="utf-8"?> <feed xml:base="https://graph.windows.net/collierdemo.onmicrosoft.com/" xmlns="http://www.w3.org/2005/Atom" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:georss="http://www.georss.org/georss" xmlns:gml="http://www.opengis.net/gml"> <id>https://graph.windows.net/11271159-abc8-4e0e-b3c2-c2a0858a036b/directoryObjects/$/Microsoft.WindowsAzure.ActiveDirectory.User</id> <title type="text">Microsoft.WindowsAzure.ActiveDirectory.User</title> <updated>2013-03-21T00:58:34Z</updated> <link rel="self" title="Microsoft.WindowsAzure.ActiveDirectory.User" href="Microsoft.WindowsAzure.ActiveDirectory.User" /> <entry> <id>https://graph.windows.net/11271159-abc8-4e0e-b3c2-c2a0858a036b/directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6</id> <category term="Microsoft.WindowsAzure.ActiveDirectory.User" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" /> <link rel="edit" title="User" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User" /> <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/manager" type="application/atom+xml;type=entry" title="manager" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/manager" /> <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/directReports" type="application/atom+xml;type=feed" title="directReports" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/directReports" /> <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/members" type="application/atom+xml;type=feed" title="members" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/members" /> <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/memberOf" type="application/atom+xml;type=feed" title="memberOf" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/memberOf" /> <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/permissions" type="application/atom+xml;type=feed" title="permissions" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/permissions" /> 37
  • 23. WAAD Graph Response 38 <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/edit-media/thumbnailPhoto" title="thumbnailPhoto" href="directoryObjects/23dc9514-64ec- 4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/thumbnailPhoto" /> <m:action metadata="https://graph.windows.net/michaelcollier.onmicrosoft.com/$metadata#DirectoryDataService.assignLicense" title="assignLicense" target="https://graph.windows.net/collierdemo.onmicrosoft.com/directoryObjects/23dc9514-64ec-4c94-8f03- 4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/assignLicense" /> <content type="application/xml"> <m:properties> <d:objectType>User</d:objectType> <d:objectId>23dc9514-64ec-4c94-8f03-4edf9016b2a6</d:objectId> <d:accountEnabled m:type="Edm.Boolean">true</d:accountEnabled> <d:assignedLicenses m:type="Collection(Microsoft.WindowsAzure.ActiveDirectory.AssignedLicense)" /> <d:assignedPlans m:type="Collection(Microsoft.WindowsAzure.ActiveDirectory.AssignedPlan)" /> <d:city m:null="true" /> <d:displayName>Michael Collier</d:displayName> <d:givenName>Michael</d:givenName> <d:mailNickname>michael</d:mailNickname> <d:mobile>+1 6142883146</d:mobile> <d:otherMails m:type="Collection(Edm.String)"> <d:element>michaelscollier@gmail.com</d:element> </d:otherMails> <d:userPrincipalName>michael@collierdemo.onmicrosoft.com</d:userPrincipalName> </m:properties> </content> </entry> </feed> * Some elements removed for readability.
  • 24. Graph API Helpers • REST interface for WAAD • Graph Explorer: https://graphexplorer.cloudapp.net/ • AAD Helper: http://code.msdn.microsoft.com/Windows- Azure-AD-Graph-API-a8c72e18 • Active Directory Authentication Library (ADAL) • https://www.nuget.org/packages/System.IdentityModel.Client s.ActiveDirectory/ • http://www.cloudidentity.com/blog/2013/08/02/aal-becomes- adal-active-directory-authentication-library/ • Formerly Azure Authentication Library (AAL) 39
  • 25. WAAD Authentication • Authentication for cloud-based & native apps • Permissions • SSO, Read Data, Read & Write Data • Applies to the APPLICATION, not the user 40
  • 26. DEMO TIME!!! Windows Azure AD – Single Sign-On, Web API, and Windows Store
  • 27. WAAD and the Enterprise 59 AD SQL My Enterprise LOB App
  • 28. WAAD and the Enterprise 60 • Passwords sync every 2 minutes • Users sync every 3 hours My Enterprise DirSync LOB App SQL
  • 29. Where Does the Authentication Happen? 61 Portal PowerShell/ Directory GRAPH DirSync w/Cloud identities DirSync w/Password Sync DirSync w/SSO Target customer segment • Small • Small to Medium • Small/Medium • Small/Medium • Medium/Large Scenario supported • Least • Least • Some limitation • Some limitations • Most Directory Source of Authority • Cloud • Cloud • On-premises • On-premises • On-premises Hardware requirements • No additional hardware required • No additional hardware required • Windows Server OS for DirSync appliance • Windows Server OS for DirSync appliance • DirSync appliance • ADFS (or other STS) deployment IDP • Cloud • Cloud • Cloud • Cloud • On-premises User login experience • Disjoint username and password • Enter credentials twice • Disjoint username and password • Enter credentials twice • Same username, disjoint password • Enter credentials twice • Same username and password for on-prem and cloud • Enter credentials twice • Same username and password for on-prem and cloud • Login once if on- premises Complexity • Low • Medium • Low • Low • High Table Source: Microsoft Office 365 Directory and Access Management with Windows Azure Active Directory, Ross Adams & Jono Luk – TechEd NA 2013
  • 30. DEMO TIME!!! Windows Azure Active Directory w/ DirSync
  • 31. Going Further with Windows Azure AD • Multitenant applications • Leverage identity from other WAAD tenants • http://www.windowsazure.com/en- us/develop/net/tutorials/multitenant-apps-for-active- directory/ • Phone 2FA (Multi-Factor Authentication) • Additional administrative users • Username/pwd + text message code 63
  • 32. Summary • Developers, Architects, & IT Pros work together • Mobile Services • Quickly add Identity Providers via portal config and code • ACS • Federated identity authentication • Claims-based authorization • Windows Azure AD • “Extends” Windows Server AD to the cloud • Query via REST graph API 64
  • 33. Helpful Resources • Mobile Services • Handling Expired Tokens - http://www.thejoyofcode.com/Handling_expired_tokens_in_your_application_Day_11_.aspx • Carlos Figueira’s Blog - http://blogs.msdn.com/b/carlosfigueira/ • ACS • Cheat Sheet – http://bit.ly/ACSCheatSheet • How To’s – http://bit.ly/ACSHowTo • Tips – http://bit.ly/HYhxjY • Azure Active Directory • “Microsoft Office 365 Directory and Access Management with Windows Azure Active Directory”, Ross Adams & Jono Luk – TechEd NA 2013 • “Deep Dive into the Windows Azure Active Directory Graph API: Data Model, Schema, Query, and More”, Edward Wu – TechEd NA 2013 • Securing a Windows Store App and REST API using Windows Azure AD - http://msdn.microsoft.com/en-us/library/windowsazure/dn169448.aspx • Vittorio Bertocci’s Blog - http://www.cloudidentity.com/blog/ 65
  • 34. Ask your questions
  • 35. Thank You! • Michael S. Collier • Principal Cloud Architect, Aditi • michaelc@aditi.com • @MichaelCollier • www.MichaelSCollier.com
  • 36. August 11th – 13th 2014 Same Place, Same Time