How AD has been re-engineered to extend to the cloud

Transcript

  • 1. How AD has been reengineered to extend to the Cloud Philippe Beraud, @philberd Architect | Office of CTO | Microsoft France
  • 2. A Brief History. Over the years, three main models have emerged and coexist:
    1. Identity model of the "firewall age"
      • Concept of security and administrative domains/realms
      • Collection of resources tightly integrated under a single and closed administration
      • Age of the organization's directory services and NOS, but also the beginning of metadirectories and other virtual directories to manage multiple identity silos
    2. Identity model against the age of the Internet
      • Consideration of suppliers, customers, and partners as a different category of objects, BUT still in the same "administrative domain"
      • Declaration of these objects in various repositories while having the need for a unified management
  • 3. A Brief History (cont'd). Over the years, three main models have emerged and coexist:
    3. First generation of the identity ecosystem model
      • Concept of the so-called extended enterprise for collaboration with suppliers and partners as well as the interaction with customers
      • Age of Web SSO and of identity federation, with a HUGE step crossed BUT ALSO a lot of complexities, burdens, etc.
  • 4. About Windows Server Active Directory (AD). Windows Server Active Directory (AD) represents an illustration of products and technologies that sustain these three models:
    • AD is an on-premises LDAP v3 (RFC 4510 compliant) Directory Service
      • Active Directory Domain Services (AD DS)
      • Active Directory Lightweight Domain Services (AD LDS)
    • With complementary services
      • Active Directory Federation Services (AD FS)
      • Active Directory Certificate Services (AD CS)
      • Active Directory Rights Management Services (AD RMS)
      • Forefront Identity Management (FIM)
  • 5. Towards a New Identity Model. Identity (and Access) Management as a Service (IdMaaS):
    • Commodities accessible to EVERYONE
    • "Organization-owned" identity provider for applications wherever they run, whatever they are, on any platform, on any device
    • Central "hub" to provision/de-provision/manage users and their common devices
    • Consolidation with the on-premises environment, the SaaS/multi-tenant applications, etc.
    • Seamless federation and synchronization with on-premises directory services
    • Multi-factor authentication
    • Replace today's complexity at the application level by an IdMaaS feature
    • Combine the most advanced capabilities with operations externalization to achieve a reduction in risk, effort and cost
    • Control or even reduce costs by taking full advantage of the efficiency of the Cloud and automation
  • 6. Projecting Identities in the Cloud with Windows Azure Active Directory
  • 7. Windows Azure Active Directory (AAD)
    • AAD is NOT on-premises Windows Server AD in the Cloud
    • AAD is an enterprise-class IdMaaS cloud-based solution
      • AAD offers a large set of features at NO cost
    • AAD is the Directory Service for Microsoft's Online services
      • Office 365, Dynamics CRM Online, Windows Intune, and now the Windows Azure Portal
    • Microsoft Account (Live ID) is yet ANOTHER identity infrastructure
  • 8. AAD Design Principles. Such a Cloud-based service requires specific capabilities:
    • Optimization of availability, consistent performance, scalability, geo-redundancy, etc., but NOT only
    • AAD is a multi-tenant environment
      • "Organization-owned" tenant: the customer organization owns the data of their directory, NOT Microsoft
    • AAD relies on a schema
      • For the semi-structured information on entities and their relationships
      • AAD does not allow for a custom schema; AAD will however provide the ability for attribute extensions, links to (external) resources, etc., as per Windows Azure Graph Store capabilities (Preview)
  • 9. AAD Design Principles (cont'd). AAD aims at maximizing the reach in terms of platforms and devices:
    • AAD uses http/web/REST-based modern protocols for identity and access management
    • AAD provides a RESTful interface for CRUD operations
      • The Directory Graph API provides programmatic access to directory typed objects and their relationships
      • GET, POST, PATCH, DELETE are used to create, read, update, and delete
      • Responses support JSON, XML, and standard HTTP status codes; compatible with OASIS OData
    • The Directory Graph API supports OAuth 2.0 for authentication, role-based assignment for apps, and user authorization
      • Operations are scoped to an individual tenant context
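The three checks slide 9 combines (a bearer token from OAuth 2.0, role-based assignment per verb, and tenant scoping of every operation) are easiest to see in a small request handler. The following is an added example written for this page, not code from the deck or from the Windows Azure AD Graph API: the in-memory directory, the token-to-claims table, the role names `Directory.Read`/`Directory.Write` and the `/<tenant>/users` route are all constructed for illustration, and token signature validation is assumed to have already happened before the claims are consulted.

```python
import uuid
from typing import Any, Dict, Optional, Tuple

# Constructed in-memory directory: tenant id -> objectId -> user object.
# Sample data only; not real AAD content.
DIRECTORY: Dict[str, Dict[str, Dict[str, Any]]] = {
    "tenant-a": {"u-1": {"objectId": "u-1", "displayName": "Alice", "accountEnabled": True}},
    "tenant-b": {"u-2": {"objectId": "u-2", "displayName": "Bob", "accountEnabled": True}},
}

# Constructed bearer tokens mapped to their claims. A real service validates the
# OAuth 2.0 access token's signature, issuer, audience and expiry before trusting
# any claim; that step is assumed to have happened here. Role names are made up.
TOKENS: Dict[str, Dict[str, Any]] = {
    "tok-reader-a": {"tid": "tenant-a", "roles": ["Directory.Read"]},
    "tok-writer-a": {"tid": "tenant-a", "roles": ["Directory.Read", "Directory.Write"]},
    "tok-writer-b": {"tid": "tenant-b", "roles": ["Directory.Read", "Directory.Write"]},
}

# Least privilege: reads need the read role, every mutating verb needs the write role.
REQUIRED_ROLE = {
    "GET": "Directory.Read",
    "POST": "Directory.Write",
    "PATCH": "Directory.Write",
    "DELETE": "Directory.Write",
}

Response = Tuple[int, Optional[Dict[str, Any]]]


def handle(method: str, path: str, authorization: Optional[str] = None,
           body: Optional[Dict[str, Any]] = None) -> Response:
    """Serve one request against the users collection of a tenant.

    path looks like /<tenant>/users or /<tenant>/users/<objectId>.
    Returns (HTTP status code, JSON-serialisable body or None).
    """
    # 1. Authentication: a known bearer token is mandatory.
    if not authorization or not authorization.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    claims = TOKENS.get(authorization[len("Bearer "):])
    if claims is None:
        return 401, {"error": "invalid token"}

    # 2. Route parsing.
    parts = [p for p in path.split("/") if p]
    if len(parts) not in (2, 3) or parts[1] != "users":
        return 404, {"error": "unknown resource"}
    tenant = parts[0]
    object_id = parts[2] if len(parts) == 3 else None

    # 3. Tenant scoping: a token issued for tenant X must never touch tenant Y,
    #    whatever roles it carries.
    if claims["tid"] != tenant:
        return 403, {"error": "token not issued for this tenant"}

    # 4. Role-based authorization for the verb.
    required = REQUIRED_ROLE.get(method)
    if required is None:
        return 405, {"error": "method not allowed"}
    if required not in claims["roles"]:
        return 403, {"error": f"role {required} required"}

    users = DIRECTORY.setdefault(tenant, {})

    # 5. CRUD dispatch with standard HTTP status codes.
    if method == "GET":
        if object_id is None:
            return 200, {"value": [dict(u) for u in users.values()]}
        user = users.get(object_id)
        return (200, dict(user)) if user else (404, {"error": "user not found"})

    if method == "POST":
        if object_id is not None or not body or "displayName" not in body:
            return 400, {"error": "POST /users needs a body with displayName"}
        user = {"accountEnabled": True, **body}
        user["objectId"] = str(uuid.uuid4())  # server-assigned; a client-supplied value is ignored
        users[user["objectId"]] = user
        return 201, dict(user)

    if object_id is None:
        return 405, {"error": "PATCH and DELETE require an objectId"}
    user = users.get(object_id)
    if user is None:
        return 404, {"error": "user not found"}

    if method == "PATCH":
        if not body:
            return 400, {"error": "PATCH needs a body"}
        user.update({k: v for k, v in body.items() if k != "objectId"})  # objectId is immutable
        return 200, dict(user)

    # DELETE
    del users[object_id]
    return 204, None


if __name__ == "__main__":
    print(handle("GET", "/tenant-a/users", "Bearer tok-reader-a"))
    print(handle("GET", "/tenant-b/users", "Bearer tok-reader-a"))    # 403: token is for tenant-a
    print(handle("POST", "/tenant-a/users", "Bearer tok-reader-a",
                 {"displayName": "Eve"}))                               # 403: no write role
```

The order of the checks matters: the tenant comparison runs before the role check, so a highly privileged token for one tenant still gets a 403 on another tenant's resources, and the server, not the client, assigns `objectId`.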
  • 10. Demo 1 Graph Explorer browser based query tool http://graphexplorer.cloudapp.net
  • 11. AAD Design Principles (cont'd). AAD is not AD or LDAP in the cloud, BUT there are four aspects to LDAP:
    • LDAP: network communications protocol (389/636)
      • AAD supports a RESTful-based Directory Graph API over HTTP/S (and PowerShell) (w/ OAuth2) instead of LDAP or Kerberos: http://msdn.microsoft.com/en-us/library/windowsazure/hh974476.aspx
    • LDAP: object data model with inheritance
      • AAD supports the Graph Entity Data model with inheritance: http://msdn.microsoft.com/en-us/library/ee382825.aspx
    • LDAP: layout (namespace) is hierarchical (i.e. ou=)
      • AAD is a flat namespace that includes groups and abstract containers, in a multi-tenant environment: http://msdn.microsoft.com/en-us/library/ee382835(v=vs.110).aspx
    • LDAP: distribution model aka replication
      • AAD is a managed service with geo-redundancy
  • 12. AAD Key Scenarios
    • Many applications, one identity repository.
    • Manage access to cloud applications (SaaS apps).
    • Monitor and protect access to enterprise applications.
    • Personalized access to my applications.
  • 13. Many applications, one identity repository
    • Connect and sync Windows Server Active Directory (or other (LDAP) identity infrastructure) with an AAD tenant.
    • Preintegrated popular SaaS apps.
    • Easily add custom cloud-based apps.
    • Facilitate developers with identity management.
    • Diagram: Windows Server Active Directory (or other (LDAP) identity infrastructure), SaaS apps, LOB & custom apps and consumer identity providers, with identities and applications in one place.
  • 14. Demo 2 One identity repository for the best UX
  • 15. Deliver a seamless user authentication experience. Two options, both starting from Windows Server Active Directory (or other (LDAP) identity infrastructure):
    • Cloud Authentication: directory synchronization with password hash sync. User attributes are synchronized, including the password hash; authentication is completed against AAD. Multi-Factor Authentication can be configured through Windows Azure.
    • Federated Authentication: directory synchronization plus an on-premises identity provider. User attributes are synchronized; authentication is passed back through federation and completed against the on-premises identity federation infrastructure. Multi-Factor Authentication can be configured through the integration with Windows Azure or thanks to other capability.
  • 16. Synchronize the identities with LDAP-based directories. The FIM 2010 R2 synchronization engine can be leveraged:
    • AAD Connector available on Microsoft Connect: https://connect.microsoft.com/site433/FIM%20Sync%20Connectors
    • Generic LDAP v3 (RFC 4510 compliant) Connector Beta available on Microsoft Connect: https://connect.microsoft.com/site433/FIM%20Sync%20Connectors
      • Certain operations, such as delta import, are not specified in the IETF RFCs. Supported directories for delta import and password: OpenLDAP, Novell NDS
      • LDAP referrals between servers (RFC 4511 section 4.1.10) are not supported
    • OpenLDAP Extensible Management Agent (XMA) available on SourceForge: http://openldap-xma.sourceforge.net/
  • 17. Manage access to many cloud applications (SaaS apps)
    • Comprehensive identity and access management console.
    • Centralized access administration for preintegrated SaaS apps and other Cloud-based apps.
    • Secure business processes with advanced access management IT capabilities.
    • Your cloud apps ready when you are.
  • 18. Demo 3 Windows Azure Management Portal
  • 19. Demo 4 Application Access Enhancements for Windows Azure Active Directory
  • 20. Demo 5 Granting Access for SaaS multi-tenant apps
  • 21. Monitor and protect access to enterprise apps
    • Built-in security features.
    • Security reporting that tracks inconsistent access patterns.
    • Step up to Multi-Factor Authentication.
    • Ensure secure access and visibility on usage patterns for SaaS and cloud-hosted LOB applications.
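Slide 21 mentions security reporting that tracks inconsistent access patterns without saying what such a pattern looks like. The block below is an added example for this page, not code or logic from the deck or from the Windows Azure security reports: it runs two constructed heuristics over constructed sign-in records (successful sign-ins from two countries closer together than a travel window, and a run of failures followed by a success within a short window). The record layout, the thresholds and the rule names are all assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    country: str
    ip: str
    success: bool


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    detail: str


def _t(hhmm: str) -> datetime:
    # All constructed events fall on one day; only the time of day varies.
    return datetime(2013, 6, 1, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample sign-in records (not real logs; addresses are documentation ranges).
SAMPLE_SIGNINS: List[SignIn] = [
    SignIn("alice", _t("09:00"), "FR", "203.0.113.10", True),
    SignIn("alice", _t("09:20"), "US", "198.51.100.7", True),
    SignIn("bob",   _t("10:00"), "FR", "203.0.113.20", False),
    SignIn("bob",   _t("10:01"), "FR", "203.0.113.20", False),
    SignIn("bob",   _t("10:02"), "FR", "203.0.113.20", False),
    SignIn("bob",   _t("10:03"), "FR", "203.0.113.20", True),
    SignIn("carol", _t("11:00"), "FR", "203.0.113.30", True),
    SignIn("carol", _t("15:00"), "DE", "192.0.2.44",   True),
]


def detect(signins: List[SignIn],
           travel_window: timedelta = timedelta(hours=1),
           failure_window: timedelta = timedelta(minutes=10),
           failure_threshold: int = 3) -> List[Finding]:
    """Return findings for two inconsistent-access patterns. Thresholds are assumptions."""
    by_user: Dict[str, List[SignIn]] = defaultdict(list)
    for s in sorted(signins, key=lambda s: s.when):
        by_user[s.user].append(s)

    findings: List[Finding] = []
    for user, events in by_user.items():
        # Rule 1: two successful sign-ins from different countries closer together
        # than travel_window (the same account cannot plausibly be in both places).
        successes = [e for e in events if e.success]
        for prev, cur in zip(successes, successes[1:]):
            gap = cur.when - prev.when
            if prev.country != cur.country and gap <= travel_window:
                findings.append(Finding("impossible_travel", user,
                                        f"{prev.country} then {cur.country} {gap} apart"))

        # Rule 2: at least failure_threshold failures inside failure_window,
        # immediately followed by a success (guessing that eventually worked).
        failures: List[SignIn] = []
        for e in events:
            if not e.success:
                failures.append(e)
                continue
            recent = [f for f in failures if e.when - f.when <= failure_window]
            if len(recent) >= failure_threshold:
                findings.append(Finding("failures_then_success", user,
                                        f"{len(recent)} failures before success from {e.ip}"))
            failures = []
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_SIGNINS):
        print(f"{finding.rule:24} {finding.user:8} {finding.detail}")
```

Carol's two sign-ins are four hours apart and so fall outside the one-hour travel window; both findings point at accounts for which stepping up to Multi-Factor Authentication, as the slide suggests, would be the natural response.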
  • 22. Demo 6 Windows Azure Multi-Factor Authentication
  • 23. Personalized access to my applications
    • All assigned SaaS apps in one web page: the Access Panel.
    • Single Sign-On experience for all SaaS applications.
    • Use the Access Panel from all devices with your existing credentials.
    • Users can easily access the SaaS apps they need, using their existing credentials.
  • 24. Demo 7 User Access Panel
  • 25. Identities everywhere, accessing everything. Diagram elements: Windows Server Active Directory (or other (LDAP) identity infrastructure); Microsoft apps; custom LOB apps; ISV/CSV apps; 3rd party clouds/hosting; PCs and devices; consumer identity providers.
  • 26. Summary of the key scenarios
    • Many applications, one identity repository: IdMaaS directory on Windows Azure; connect/synchronize on-premises directories with Windows Azure; provide IdM to new apps (ACS, Graph API, SDKs).
    • Manage access to cloud applications (SaaS apps): manage users; add Cloud-based applications for SSO.
    • Monitor and protect access to enterprise applications: built-in security; secure tools for synchronization (DirSync, AAD connector); block user access.
    • Personalized access to my applications.
  • 27. Summary of the key scenarios, including Preview features
    • Many applications, one identity repository: IdMaaS directory on Windows Azure; connect/synchronize on-premises directories with Windows Azure; provide IdM to new apps (ACS, Graph API, SDKs); preintegrated popular SaaS applications (Preview).
    • Manage access to cloud applications (SaaS apps): manage users; add Cloud-based applications for SSO; add preintegrated SaaS apps from the gallery for SSO (Preview); add/remove users to top preintegrated SaaS apps (Preview).
    • Monitor and protect access to enterprise applications: built-in security; secure tools for synchronization (DirSync, AAD connector, etc.); block user access; security reports (Preview); multi-factor authentication.
    • Personalized access to my applications: single screen with assigned SaaS apps for every user, the Access Panel (Preview); Single Sign-On for SaaS apps from the Access Panel (Preview).
  • 28. In GA since April 2013. Sign up for your free AAD tenant and trial Windows Azure account: https://account.windowsazure.com/organization
  • 29. To Go Beyond
    • Places to start: http://www.windowsazure.com/en-us/solutions/identity/ and http://channel9.msdn.com/search?term=directory
    • Microsoft TechNet Documentation: http://go.microsoft.com/fwlink/p/?linkid=290967
    • Microsoft MSDN Documentation: http://go.microsoft.com/fwlink/p/?linkid=290966
    • Microsoft Active Directory Team Blog: http://blogs.msdn.com/b/active_directory_team_blog
    • Windows Azure Active Directory Graph Team Blog: http://blogs.msdn.com/aadgraphteam
  • 30. Whitepapers and Step-by-step Guides, available on the Microsoft Download Center
    • Active Directory from the on-premises to the Cloud
    • Office 365 Single Sign-On with AD FS 2.0
    • Office 365 Single Sign-On with Shibboleth 2.0
    • Office 365 Adapter: Deploying Office 365 Single Sign-On using Windows Azure
  • 31. Additional Resources. Windows Azure Trust Center, a single location where information on security, privacy, and compliance is aggregated: http://www.windowsazure.com/en-us/support/trustcenter/
  • 32. Additional Resources (cont'd): http://www.microsoft.com/openness and http://msopentech.com
  • 33. Thank you!