Developing and deploying Identity-enabled applications for the cloud

This session
meets

Winsec.bethanks his sponsors for their continued support

Azugthanks his sponsors

Thanksforbeinghereandenjoy the show!
Feedback to
winsec@winsec.be
board@azug.be

Your Presenters for Today
Maarten
@maartenballiauw / about.me/maarten.balliauw
Co-founder of AZUG
MVP: Windows Azure
Blogs at http://blog.maartenballiauw.be
Paul
@ploonen / paul@winsec.be
Co-founder of winsec.be
MVP: Microsoft Forefront Identity Manager
MCM Directory
Current hobby: Architect@Avanade
Blog @ http://be-id.blogspot.com

Agenda
Presenting the problem (a.k.a. “The Scenario”)
How federation saves the day
How ADFS solves federation
How to connect an app to ADFS
How Windows Azure adds extra sauce to federation
Q&A

Introducing the Problem

Introducing AD FS v2

Some vocabulary

Federation benefits
Benefits of SSO
reduce administrative overhead
reduce security vulnerabilities as a result of lost or stolen passwords
improve user productivity
Intra-Enterprise:
provide SSO for all your web sites and applications
Inter-Enterprise:
provide SSO experiences for your users to access apps in other organizations
provide SSO experience for users from external organizations to access your apps
Easily externalize authentication & authorization
Rich claims rules processing engine
Management & Configuration Tools

What is AD FS 2.0?
Other Claims Providers
AD FS 2.0 provides access and single sign-on for on-premises and cloud-based applications in the enterprise, across organizations, and on the Web
CA
IBM
SUN
AD FS 2.0 Major Components
Federation Server
Federation Server Proxy
WIF
Attribute Stores
Claims Engine
Website
Management Snap-in
Other STS
Web Service
Active Directory
Windows Server 2008 SP2, 2008 R2
MS SQL
Relying Parties
Browser Apps
WIF
Windows Internal DB
.NET 3.5 SP1
IIS 7
Smart Clients
Web Services

Why consider AD FS 2.0?
Building a production-ready STS is hard.
The Visual Studio STS templates are just starters for trivial dev scenarios.
Lots of configuration to manage, UI's to present in real world STS!

Typical Traffic Flow
Identity Provider
Relying Party
Federation
Trust
Active Directory
Account
Resource
Federation Server
Federation Server
Web Server
Internal Client

Scenario 1 – Intra Organization
Claims-aware app
ADFS STS
Active Directory
User
App trusts STS
Browse app
Not authenticated
Redirected to STS
Authenticate
Return Security Token
Query for user attributes
Send Token
ST
ST
Return pageand cookie

Scenario 2 – Inter Organization
ActiveDirectory
Your
ADFS STS
Partner
ADFS STS & IP
YourClaims-aware app
Partner user
Browse app
Not authenticated
Redirect to your STS
Home realm discovery
Redirected to partner STS requesting ST for partner user
Authenticate
Return ST for consumption by your STS
Redirected to your STS
ST
ST
ST
ST
Process token
Return new ST
Send Token
Return pageand cookie

Installing AD FS v2
Requires Windows Server 2008 / 2008 R2
Requires IIS 7, .NET 3.5 SP1, WIF
See deployment guide for required hot fixes and updates
Issue and install server certificates for HTTPS
Think about implications for partner organisation
Cross certification when few partners, otherwise, buy required certs
Download and install ADFS 2.0
Simple Wizard
New / farm member / Proxy – SSL cert – Names

AuthN, Attribute Stores
AD FS v2 can only use Active Directory as an identity store for authentication
ADFSv1 could also use AD LDS / ADAM
AD FS v2 can extract attributes from AD DS and from SQL Server
SQL and LDAP stores are directly supported
Additional stores can be added through custom extensions
IAttributeStore(see: http://msdn.microsoft.com/en-us/library/ee895358.aspx)
Register your custom store using Add-ADFSAttributeStore
issue(store = "FileAttributeStore",
types =
( "http://schemas.microsoft.com/ws/2008/06/identity/claims/name", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
query = "Age=33;EmpName,Role");
Add-ADFSAttributeStore -TypeQualifiedName "CustomAttributeStores.FileAttributeStore,CustomAttributeStores" -Configuration @{"FileName"="c:tempdata.txt"} -Name FileAttributeStore

Setting up your STS
Demo

Installation Sequence

AD FS 2.0 deployment options
Single server configuration
AD FS 2.0 server farm and load-balancer
AD FS 2.0 proxy server (offsite users)
Active
Directory
AD FS 2.0 Server
Proxy
AD FS 2.0 Server
AD FS 2.0 Server
AD FS 2.0 Server
Proxy
External
user
Internal
user
DMZ
Enterprise

Configuring your AD FS Server
Or: %ProgramFiles%Active Directory Federation Services 2.0FsConfigWizard.exe
Manually: FsConfig.exe { StandAlone | CreateSQLFarm | JoinFarm | JoinSQLFarm | GenerateSQLScripts} [deployment specific parameters]

FSConfigWizard

Implementing ADFS in your infra

Configuring your federation server
Identity Provider
Relying Party
Claims
Demo

Configuring the RP Trust

Claim Rules
Rule templates simplify the creation of rules
Examples of rules are:
Permit / deny user based on incoming claim value
Transform the incoming claim value
Pass through / filter an incoming claim
Multiple claim rules can be specified and are processed in top to bottom order
Results from previously processed claims can be used as the input for subsequent rules

Creating Rules
On IdP
On RP
On RP

Creating Rules
Condition
Issuance Statement
A claim rule consists of two parts, condition and issuance statement

Custom Claims
Capabilities of custom rules include
Sending claims from a SQL attribute store
Sending claims from an LDAP attribute store using a custom LDAP filter
Sending claims from a custom attribute store
Sending claims only when 2 or more incoming claims are met
Sending claims only when an incoming claim matches a complex value
Sending claims with complex changes to an incoming claim value
Creating claims for use in later rules

Further Customizations
Custom Style Sheet
Home realm discovery
Logon Page
Authentication
…

What Else?
Hardening
SCW profiles are on the box
Sizing
PowerShell
In Win8 becomes a server role again (v2.1)

Windows Identity Foundation

Windows Identity Foundation
Your one and only partner for .NET identity development
Adds claims-based authentication to your application in no time
My advise: forget custom user stores
And if you need them: WIF-ify (?) them

Connecting an app to an STS
Demo

Where things get cloudy...
Windows Azure AppFabricAccess Control Service
ACS

Windows Azure AppFabric ACS
An STS in the cloud
Pluggable with identity providers
Windows Live ID
Facebook
Google
Yahoo!
Any ADFS
or better: any WS-federation passive endpoint
Any OAuth2 provider

Why ACS?

Let’s step back...
No, we’re not the US
Federation across organizations does not happen often today
So why would I use ACS anyway?
Dev, test, accept, prod are different RP’s!
2 apps with all these environments is 8 RP’s!
Imagine 10 apps... Or a hundred...

ACS advantages
A scalable STS
With one or more identity providers
With one or more relying parties
With one or more rule groups
Integrates with WIF
Integrates with ADFS
Instant win!

ACS
Identity
Providers
Your Application
ACS
SAML
SWT
Browser-based
WS-Federation
ADFS2 . WS-Federation
Rich
Client
SAML
WS-Trust
ADFS2 . WS-Trust
Server 2 Server
SWT
OAuth WRAP/2.0
Service Identities

Connecting an app to ACS
Demo

Connecting ACS to ADFS
Demo

Using ACS at its full extent
ACS as an identity service bus
Demo

Conclusion

Conclusion
It is possible to do SSO over security boundaries
It is possible to integrate multiple apps with multiple identity providers
ADFS and ACS form a nice couple
Standards based solution

Some Resources
AD FS v2 on TechNet and MSDN
AD FS v2 content on TechNet Wiki
Claims-Based Identity Blog
Windows Azure AppFabric Access Control Service
WIF and ACS Content Map on Technet Wiki
Vittorio’s Blog
http://identityserver.codeplex.com

Winsec.bethanks his sponsors for their continued support

Azugthanks his sponsors

Developing and deploying Identity-enabled applications for the cloud

by Maarten Balliauw on Sep 30, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

Statistics

Developing and deploying Identity-enabled applications for the cloud — Presentation Transcript