9. Agenda Windows Azure Platform In One Slide What is Windows Azure AppFabric? Identity and Access Control Service Bus Caching
10. Motivating Challenges How do you expose your software to users outside of your organization? Can they use their existing identities? Social identities? How do you integrate with components outside your corporate network? What about smaller, non-enterprise customers? How do you reduce latency and increase performance? Access Control Service Bus Caching
11. What is Windows Azure AppFabric? Comprehensive building block services / middleware for developing, deploying, and managing app Goals Extend .NET technologies to the cloud Increase developer productivity Bridge existing applications to the cloud Open and accessible service API REST, SOAP, RSS, AtomPub, … Class libraries for .NET, Java, PHP, Ruby,
12. Agenda Windows Azure Platform In One Slide What is Windows Azure AppFabric? Identity and Access Control Service Bus Caching
13. Identity – Stuff to think about Login / Federated Login Authentication Authorization Username & Password Membership Database Identity Providers Single Sign On Tokens & Its Format Security & Certificate And the list goes on…
14. Single Identity Approach The site is the Identity Provider I have 100s of these identities “island of identity” It’s annoying
15. Using a 3rd party Pick a 3rd party, rely on it Somewhat limiting, but a step in the right direction Typically “claim-based”
16. Claim-based Identity Term Definitions. Relying Party: your application, which relies on the IdP for authentication and authorization. Identity Provider (IdP): a third-party service that authenticates your users, e.g. GoogleID, WindowsLiveID, Yahoo!, or even your app. Claims: a statement that one subject makes about itself or another subject, e.g. name, email, groups, privilege, etc. Security Token: a representation of claims that is cryptographically signed by the issuer. Security Token Service (STS): a service that issues claims and packages them in encrypted security tokens.
17. Typical Claims-based App Sequence. Participants: Browser, Identity Provider / STS, Application (Relying Party). 1. Request Resource 2. Redirect to Identity Provider 3. Login 4. Authenticate & Issue Token 5. Redirect to Relying Party 6. Send Token to Relying Party 7. Validate Token 8. Return resource representation
18. But… I want more IdP… I want my user, can log-in with Challenges: Deal directly with different IdP Deal directly with different Security Token Format? Deal directly with different Protocol Deal directly with different … Enterprise Active Directory
19. Access Control Service. Integrates SSO and centralized auth into your web. Hides one layer of abstraction. You only deal with ACS, not with many IdPs. Access Control Service Your App …. ADFS 2.0
20. Access Control Website Sequence. Participants: Browser, Identity Provider / STS, Access Control, Application (Relying Party). 1. Request Resource 2. Redirect to Identity Provider 3. Login 4. Authenticate & Issue Token 5. Redirect to AC service 6. Send Token to ACS 7. Validate Token, Run Rules Engine, Issue Token 8. Redirect to RP with ACS Token 9. Send ACS Token to Relying Party 10. Validate Token 11. Return resource representation
21. Access Control Features Integrates with Windows Identity Foundation and tooling Claims-based access control Support for OAuth WRAP, WS-Trust, and WS-Federation protocols Support for the SAML 1.1, SAML 2.0, and Simple Web Token token formats Integrated and customizable Home Realm Discovery OData-based Management Service to ACS configuration
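Step 10 of the sequence above ("Validate Token") for the Simple Web Token format, as an added Python example that is not from the deck or from ACS itself. The key, issuer and audience values are constructed, and `issue_swt` exists only to build sample tokens for the relying-party check in `validate_swt`.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qsl, quote, unquote, urlencode

SIG_MARKER = "&HMACSHA256="  # SWT: the signature is always the final parameter

def _mac(unsigned: str, key: bytes) -> bytes:
    return hmac.new(key, unsigned.encode("utf-8"), hashlib.sha256).digest()

def issue_swt(claims: dict, key: bytes) -> str:
    """Issuer side, included only to build the constructed sample tokens."""
    unsigned = urlencode(claims)
    return unsigned + SIG_MARKER + quote(base64.b64encode(_mac(unsigned, key)), safe="")

def validate_swt(token, key, issuer, audience, now=None):
    """Return the claims if every check passes; raise ValueError otherwise."""
    unsigned, marker, sig = token.rpartition(SIG_MARKER)
    if not marker or "&" in sig:
        raise ValueError("HMACSHA256 must be present and last")
    try:
        presented = base64.b64decode(unquote(sig), validate=True)
    except ValueError:
        raise ValueError("malformed signature") from None
    # Verify the signature over the raw string BEFORE trusting any claim.
    if not hmac.compare_digest(_mac(unsigned, key), presented):
        raise ValueError("signature mismatch")
    pairs = parse_qsl(unsigned, keep_blank_values=True, strict_parsing=True)
    claims = dict(pairs)
    if len(claims) != len(pairs):
        raise ValueError("duplicate claim name")
    if claims.get("Issuer") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("Audience") != audience:
        raise ValueError("token was issued for a different relying party")
    expires = claims.get("ExpiresOn", "")
    if not expires.isdigit() or int(expires) <= (time.time() if now is None else now):
        raise ValueError("token expired or ExpiresOn missing")
    return claims

# Constructed sample values (not from the slides).
KEY = b"constructed-demo-key-not-a-real-secret"
ISSUER = "https://example-namespace.accesscontrol.windows.net/"
AUDIENCE = "http://localhost/myapp/"
SAMPLE = issue_swt({"role": "Reader", "Issuer": ISSUER, "Audience": AUDIENCE,
                    "ExpiresOn": "2000000000"}, KEY)

if __name__ == "__main__":
    print(validate_swt(SAMPLE, KEY, ISSUER, AUDIENCE, now=1900000000))
```

The audience check is what stops a token issued for one relying party from being replayed against another that shares the same issuer.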
22. Demo: Access Control Service - Preparing simple app - Setting up ACS account - Add STS Ref - Security Token Visualizer - Simple Authorization
23. Agenda Windows Azure Platform In One Slide What is Windows Azure AppFabric? Identity and Access Control Service Bus Caching
24. Service Bus Provides secure messaging and connectivity across different network topologies Enables hybrid applications that span on-premises and the cloud Enables various communication protocols and patterns for developers to engage in reliable messaging
25. … and here’s why this is interesting … Existing code, not designed for the cloud Things you can’t run in the cloud Things you might not want to run in the cloud
30. Relay Relay Connections http://{account}.servicebus.windows.net/a/b Outbound SSL TCP connection to relay rendezvous endpoint Receiver can also listen over HTTP to overcome port restrictions on the receiving side (“Web sockets”) One-Way Messages through TCP Tunnel Sender Receiver
31. Relay Direct Connections http://{account}.servicebus.windows.net/a/b - Outbound SSL TCP connection to relay - Out-of-band protocol to negotiate Direct Connection Sender Receiver Upgrade to direct connection when possible
33. Have a Service Listen on the SB Listen on SB address Enable ACS Auth behavior Use a ‘relay’ binding
34. Connect to a Service as a Client Again, just use a SB address and binding Use a behavior to handle ACS authorization
35. Demo: Service Bus - Local Svc Hosted on IIS - Exposing WCF to Service Bus - Establishing Direct Connection - Eventing
36. Agenda Windows Azure Platform In One Slide What is Windows Azure AppFabric? Identity and Access Control Service Bus Caching
37. Latency Pyramid Memory Windows Azure AppFabric Caching (local cache) Lowest latency Network Windows Azure AppFabric Caching (distributed cache) Lower latency Disk Highest latency Storage
38. What is the Caching service? A distributed, in-memory cache for applications running in Windows Azure: In-memory cache located near your Windows Azure applications Simple administration Based on Windows Server AppFabric Caching Benefits: Highly scalable 64-bit caching solution with low latency and high throughput Can dynamically increase and decrease as needed, without redeploying or modifying your application You don’t have to bother with configuration, deployment, or management of your cache infrastructure
39. Windows Azure AppFabric Caching Differentiators Built-in ASP.NET providers for session state & page output Extreme low latency with the local cache Caches any managed object (CLR objects, rows, XML, Binary Data…) Only requirement is that the object should be serializable Easily integrates into existing applications Secured by the Access Control Service
40. Anatomy of A Distributed Cache Cache footprint or bandwidth requirement may grow beyond a single VM Distributed caches scale out Multiple role instances may be cache clients Clients access the cache as if it was a single large namespace Unified Cache View Cache layer distributes data across the various cache instances
41. Caching Features ASP.NET providers for session state and page output caching Cache any managed object No object size limits No serialization costs for local caching Easily integrates into existing applications Secured by Access Control
42. Windows Azure Session State Windows Azure Load Balancer uses round-robin allocation. Session state must persist to client or storage on every request session["foo"] = 1; session["foo"] = 2; LB What is the value of session["foo"]?
43. AppFabric Caching Session State Session state stored using Windows Azure AppFabric Caching and an out-of-the-box session state provider session["foo"] = 1; session["foo"] = 2; LB What is the value of session["foo"]? AppFabric Caching
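The scenario on slides 42 and 43, as an added simulation that is not part of the original deck: three web role instances behind a round-robin load balancer, first with per-instance session state and then with one shared store. The class and function names are hypothetical, and a plain dict stands in for the AppFabric cache.

```python
from itertools import cycle

class WebRoleInstance:
    """One web role instance; keeps sessions locally unless given a shared store."""
    def __init__(self, name, shared_store=None):
        self.name = name
        self.sessions = shared_store if shared_store is not None else {}

    def handle(self, session_id, write=None):
        # Look up (or create) this session in whatever store the instance uses.
        session = self.sessions.setdefault(session_id, {})
        if write is not None:
            session["foo"] = write
        return session.get("foo")

def replay_requests(shared):
    """Replay the slide's requests and return what three later reads observe."""
    store = {} if shared else None          # stand-in for the distributed cache
    instances = [WebRoleInstance(f"web_{i}", store) for i in range(3)]
    lb = cycle(instances)                   # round-robin allocation
    next(lb).handle("sid-1", write=1)       # session["foo"] = 1 lands on web_0
    next(lb).handle("sid-1", write=2)       # session["foo"] = 2 lands on web_1
    return [next(lb).handle("sid-1") for _ in range(3)]  # web_2, web_0, web_1

if __name__ == "__main__":
    print("per-instance state:", replay_requests(shared=False))
    print("shared cache state:", replay_requests(shared=True))
```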
44. Demo: Caching - Standard data cache API - Measuring data throughput - “built-in” Session Cache Provider
Editor's Notes
There’s a number of things that I’d like to point out to you before we break into a demo. First, the caching service comes with out-of-the-box ASP.NET providers for both session state and page output caching. This makes it extremely easy to quickly speed up your existing applications by leveraging these providers and updating your web.config files. You can also leverage the local cache, which stores data on the client to speed up access to data retrieved from the Caching service. You can cache any managed object, with no object size limits. Also, when you leverage the local caching option, you won’t pay any serialization costs, as the data will stay on the client. This can make for some extremely fast solutions. You will leverage the exact same APIs you have used with Windows Server AppFabric Caching, which are .NET assemblies. This makes it very easy to get going. The Caching service is secured by the Access Control Service. Through config or at runtime, you simply specify an ACS token that is used for authentication. Finally, as we move towards commercial launch, we’ll add many of the features that make Windows Server AppFabric Caching extremely popular, such as High Availability, which minimizes data loss by persisting the cache, regions for partitioning and co-locating data, the ability to emit notifications to clients when they need to refresh their local cache, and more.
Slide Objective: Explains the operation of session state in Windows Azure multi-instance roles. Speaking Notes: Must move session state off the Web Role instances. In this animation: First request hits one instance. Subsequent request hits another instance. At the end of the animation the value of Foo is hard to determine. Is it 1, 2 or null? Will depend on which server the LB routes our request to.