Developing and deploying Identity-enabled applications for the cloud

Joint session by WInsec.be and Azug.be on ADFS, federation and claims based authentication in the cloud.

  • Real-world STSs need to manage multiple relying parties, each with multiple claim issuance and authorization rules. Delegation authorization for users of the RP requires even further configuration. Federated scenarios add the requirement of trusting other STSs. Access to identity providers and attribute stores, rules for querying.
  • Capacity planning: http://www.microsoft.com/download/en/details.aspx?id=2278
  • FSConfig.exe CreateSQLFarm /ServiceAccount [/ServiceAccountPassword ] /SQLConnectionString [/CertThumbprint ] [/Port ] [/FederationServiceName ] [/CleanConfig] /AutoCertRolloverEnabled [/SigningCertThumbprint ] [/DecryptCertThumbprint ]
  • Here is a list of cloud scenarios we consider of interest in terms of how identity is handled. Our baseline is the classic on-premises scenario: you have a data center, a population of internal users and some authentication infrastructure, such as Active Directory, maintaining their accounts. Applications targeting such an environment will follow the current intranet practices. We will then introduce Windows Azure into the picture and observe how things change when the application moves to the cloud; we'll consider this from both the architecture and the product usage perspectives. Then we'll move on to consider what happens when the application is exposed to multiple business partners, and the implications for authentication and relationship management. However, business partners represent an important but tiny fraction of all the possible population you can cater to if you target internet users. Live ID, Google, Facebook and Yahoo! have hundreds of millions of users; the authentication requirements in those conditions are completely different from the business case, although as we will see the solutions may end up being surprisingly similar. Finally, the mobile scenario is of great importance and again apparently a completely different problem space. Using claims-based identity makes it very easy to progressively accommodate all those different scenarios.
  • The ACS would deserve multiple sessions in its own right to be properly covered; here I'm just giving you a quick sampler. What we have seen so far is just a small part of its surface. The schema here shows the WS-Federation subsystem, which is what is normally used for browser-based, session-oriented application types. We've been playing only with ADFS IP types, but in fact there are many popular IPs available out of the box that you can use right away with your application, sticking to the same protocol and a browser. ACS can also do WS-Trust, a high-security protocol for SOAP web services, accepting identities from ADFS2 WS-Trust endpoints or bare credentials registered in ACS for management purposes. The same sources can be used within OAuth 2.0 calls. OAuth is the current state of the art for securing REST calls: it is still in draft state, hence expect changes, but you can already experiment with it. Both protocols can be used for rich client application types and in general for server-to-server interactions. Not shown here are the management endpoints, the other portion of ACS's development surface, which can be used instead of or alongside the portal for managing the namespace.

Presentation Transcript

  • Developing and deploying Identity-enabled applications for the cloud
  • This session
    meets
    Developing and deploying Identity-enabled applications for the cloud
  • Winsec.be thanks its sponsors for their continued support
  • Azug thanks its sponsors
  • Thanks for being here and enjoy the show!
    Feedback to
    • winsec@winsec.be
    • board@azug.be
  • Developing and deploying Identity-enabled applications for the cloud
  • Your Presenters for Today
    Maarten
    @maartenballiauw / about.me/maarten.balliauw
    Co-founder of AZUG
    MVP: Windows Azure
    Blogs at http://blog.maartenballiauw.be
    Paul
    @ploonen / paul@winsec.be
    Co-founder of winsec.be
    MVP: Microsoft Forefront Identity Manager
    MCM Directory
    Current hobby: Architect@Avanade
    Blog @ http://be-id.blogspot.com
  • Agenda
    Presenting the problem (a.k.a. “The Scenario”)
    How federation saves the day
    How ADFS solves federation
    How to connect an app to ADFS
    How Windows Azure adds extra sauce to federation
    Q&A
  • Introducing the Problem
  • Introducing AD FS v2
  • Some vocabulary
  • Federation benefits
    Benefits of SSO
    reduce administrative overhead
    reduce security vulnerabilities as a result of lost or stolen passwords
    improve user productivity
    Intra-Enterprise:
    provide SSO for all your web sites and applications
    Inter-Enterprise:
    provide SSO experiences for your users to access apps in other organizations
    provide SSO experience for users from external organizations to access your apps
    Easily externalize authentication & authorization
    Rich claims rules processing engine
    Management & Configuration Tools
  • What is AD FS 2.0?
    Other Claims Providers
    AD FS 2.0 provides access and single sign-on for on-premises and cloud-based applications in the enterprise, across organizations, and on the Web
    CA
    IBM
    SUN
    AD FS 2.0 Major Components
    Federation Server
    Federation Server Proxy
    WIF
    Attribute Stores
    Claims Engine
    Website
    Management Snap-in
    Other STS
    Web Service
    Active Directory
    Windows Server 2008 SP2, 2008 R2
    MS SQL
    Relying Parties
    Browser Apps
    WIF
    Windows Internal DB
    .NET 3.5 SP1
    IIS 7
    Smart Clients
    Web Services
  • Why consider AD FS 2.0?
    Building a production-ready STS is hard.
    The Visual Studio STS templates are just starters for trivial dev scenarios.
    Lots of configuration to manage, UI's to present in real world STS!
  • Typical Traffic Flow
    Identity Provider
    Relying Party
    Federation
    Trust
    Active Directory
    Account
    Resource
    Federation Server
    Federation Server
    Web Server
    Internal Client
  • Scenario 1 – Intra Organization
    Claims-aware app
    ADFS STS
    Active Directory
    User
    App trusts STS
    Browse app
    Not authenticated
    Redirected to STS
    Authenticate
    Return Security Token
    Query for user attributes
    Send Token
    ST
    ST
    Return page and cookie
  • Scenario 2 – Inter Organization
    Active Directory
    Your
    ADFS STS
    Partner
    ADFS STS & IP
    Your claims-aware app
    Partner user
    Browse app
    Not authenticated
    Redirect to your STS
    Home realm discovery
    Redirected to partner STS requesting ST for partner user
    Authenticate
    Return ST for consumption by your STS
    Redirected to your STS
    ST
    ST
    ST
    ST
    Process token
    Return new ST
    Send Token
    Return page and cookie
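The Scenario 2 chain above, as an added Python model that is not part of the original deck and not AD FS code: the partner STS issues a security token addressed to your STS, your STS consumes it under the claims provider trust and issues a fresh token for your app, and the app accepts tokens from your STS only. The tokens are simplified HMAC-signed JSON stand-ins for SAML, and every URL, key and claim name is constructed for the example; this keeps the three checks each hop performs visible: trusted issuer and signature, intended audience, and lifetime.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed, simplified stand-in for the signed security tokens (ST) exchanged
# in Scenario 2. Real AD FS issues SAML tokens signed with X.509 certificates;
# here a per-issuer HMAC secret stands in for each STS's signing key.
# All URLs and keys below are constructed for the example.
PARTNER_STS = "https://sts.partner.example/"   # partner's ADFS STS & IP
YOUR_STS = "https://sts.yourorg.example/"      # your ADFS STS
YOUR_APP = "https://app.yourorg.example/"      # your claims-aware app (the RP)

SIGNING_KEYS = {
    PARTNER_STS: b"partner-signing-key-constructed",
    YOUR_STS: b"yourorg-signing-key-constructed",
}


def issue_token(issuer, audience, claims, lifetime=300, now=None):
    """Issuer signs a token addressed to one audience with a bounded lifetime."""
    now = time.time() if now is None else now
    body = {"iss": issuer, "aud": audience, "exp": now + lifetime, "claims": claims}
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    sig = hmac.new(SIGNING_KEYS[issuer], payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def validate_token(token, trusted_issuers, expected_audience, now=None):
    """The checks every token consumer in the chain performs: trusted issuer,
    valid signature, intended audience, not expired. Raises ValueError on any
    failure, otherwise returns the claims carried by the token."""
    now = time.time() if now is None else now
    payload, _, sig = token.partition(".")
    body = json.loads(base64.urlsafe_b64decode(payload))
    if body["iss"] not in trusted_issuers:
        raise ValueError("untrusted issuer: " + str(body["iss"]))
    expected = hmac.new(SIGNING_KEYS[body["iss"]], payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("signature does not verify")
    if body["aud"] != expected_audience:
        raise ValueError("token addressed to " + str(body["aud"]) + ", not " + expected_audience)
    if body["exp"] < now:
        raise ValueError("token expired")
    return body["claims"]


def your_sts_process(partner_token, now=None):
    """Your STS: claims provider trust with the partner STS. Consume the partner
    ST, then issue a new ST for your app (the 'Process token / Return new ST' steps)."""
    incoming = validate_token(partner_token, {PARTNER_STS}, YOUR_STS, now=now)
    # Pass the name through and record where it came from, so the app can apply
    # partner-specific authorization instead of trusting any claim blindly.
    outgoing = {"name": incoming["name"], "homeRealm": PARTNER_STS, "role": "PartnerUser"}
    return issue_token(YOUR_STS, YOUR_APP, outgoing, now=now)


def app_consume(token, now=None):
    """Your app: relying party trust with your STS only. A partner token
    presented directly (skipping your STS) is rejected as an untrusted issuer."""
    return validate_token(token, {YOUR_STS}, YOUR_APP, now=now)


def federated_signin(partner_user="alice@partner.example", now=None):
    """Whole Scenario 2 chain: partner STS -> your STS -> your app."""
    partner_token = issue_token(PARTNER_STS, YOUR_STS, {"name": partner_user}, now=now)
    your_token = your_sts_process(partner_token, now=now)
    return app_consume(your_token, now=now)


if __name__ == "__main__":
    print(federated_signin())
```

Presenting the partner's token straight to the app, or replaying a token after its lifetime, fails validation. That is the benefit of the two-trust layout: the app only ever has to know and trust one issuer, and partner on-boarding is configuration on your STS rather than a code change in every application.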
  • Installing AD FS v2
    Requires Windows Server 2008 / 2008 R2
    Requires IIS 7, .NET 3.5 SP1, WIF
    See deployment guide for required hot fixes and updates
    Issue and install server certificates for HTTPS
    Think about implications for partner organisation
    Cross certification when few partners, otherwise, buy required certs
    Download and install ADFS 2.0
    Simple Wizard
    New / farm member / Proxy – SSL cert – Names
  • AuthN, Attribute Stores
    AD FS v2 can only use Active Directory as an identity store for authentication
    ADFSv1 could also use AD LDS / ADAM
    AD FS v2 can extract attributes from AD DS and from SQL Server
    SQL and LDAP stores are directly supported
    Additional stores can be added through custom extensions
    IAttributeStore (see: http://msdn.microsoft.com/en-us/library/ee895358.aspx)
    Register your custom store using Add-ADFSAttributeStore
    • => issue(store = "FileAttributeStore",
      types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/name", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
      query = "Age=33;EmpName,Role");
    Add-ADFSAttributeStore -TypeQualifiedName "CustomAttributeStores.FileAttributeStore,CustomAttributeStores" -Configuration @{"FileName"="c:\temp\data.txt"} -Name FileAttributeStore
  • Setting up your STS
    Demo
  • Installation Sequence
  • AD FS 2.0 deployment options
    Single server configuration
    AD FS 2.0 server farm and load-balancer
    AD FS 2.0 proxy server (offsite users)
    Active
    Directory
    AD FS 2.0 Server
    Proxy
    AD FS 2.0 Server
    AD FS 2.0 Server
    AD FS 2.0 Server
    Proxy
    External
    user
    Internal
    user
    DMZ
    Enterprise
  • Configuring your AD FS Server
    Or: %ProgramFiles%\Active Directory Federation Services 2.0\FsConfigWizard.exe
    Manually: FsConfig.exe { StandAlone | CreateSQLFarm | JoinFarm | JoinSQLFarm | GenerateSQLScripts } [deployment specific parameters]
  • FSConfigWizard
  • Implementing ADFS in your infra
  • Configuring your federation server
    Identity Provider
    Relying Party
    Claims
    Demo
  • Configuring the RP Trust
  • Claim Rules
    Rule templates simplify the creation of rules
    Examples of rules are:
    Permit / deny user based on incoming claim value
    Transform the incoming claim value
    Pass through / filter an incoming claim
    Multiple claim rules can be specified and are processed in top to bottom order
    Results from previously processed claims can be used as the input for subsequent rules
  • Creating Rules
    On IdP
    On RP
    On RP
  • Creating Rules
    Condition
    Issuance Statement
    A claim rule consists of two parts, condition and issuance statement
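A constructed Python model of the rule pipeline described in the Claim Rules and Creating Rules slides, added here and not part of the deck or of AD FS (the AD FS claim rule language is its own syntax): every rule is a condition plus an issuance statement, rules run top to bottom, and later rules see the claims that earlier ones issued. Claim types are shortened names rather than the full schema URIs, the sample claims are constructed, and permit and deny are modelled as special claims the way issuance authorization rules produce them. Moving the permit rule above the transform that produces the role claim shows why ordering matters.

```python
from collections import namedtuple

# Constructed model of the AD FS claim rule pipeline, not AD FS code.
# A rule is (name, condition, issuance): the condition selects claims currently
# in the pipeline, the issuance statement says which claims to issue for each
# match. Claim types are shortened (e.g. "role") instead of full URIs.
Claim = namedtuple("Claim", ["type", "value"])

# Stand-ins for the permit/deny results of issuance authorization rules
PERMIT = "permit"
DENY = "deny"


def pass_through(claim_type):
    return ("pass through " + claim_type,
            lambda c: c.type == claim_type,
            lambda c: [c])


def filter_by_suffix(claim_type, suffix):
    """Pass-through restricted to values ending in suffix (a filter rule)."""
    return ("filter " + claim_type,
            lambda c: c.type == claim_type and c.value.endswith(suffix),
            lambda c: [c])


def transform(claim_type, value, out_type, out_value):
    """Issue a different claim when an incoming claim has a given value."""
    return ("transform " + claim_type,
            lambda c: c.type == claim_type and c.value == value,
            lambda c: [Claim(out_type, out_value)])


def permit_if(claim_type, value):
    return ("permit on " + claim_type,
            lambda c: c.type == claim_type and c.value == value,
            lambda c: [Claim(PERMIT, "true")])


def deny_if(claim_type, value):
    return ("deny on " + claim_type,
            lambda c: c.type == claim_type and c.value == value,
            lambda c: [Claim(DENY, "true")])


def run_rules(incoming, rules):
    """Evaluate rules top to bottom. Returns (claims for the token, authorized)."""
    pipeline = list(incoming)   # incoming claims plus whatever earlier rules issued
    issued = []
    for _name, condition, issuance in rules:
        # snapshot so claims issued by this rule do not feed back into it
        for claim in [c for c in pipeline if condition(c)]:
            for out in issuance(claim):
                if out not in pipeline:
                    pipeline.append(out)
                if out not in issued:
                    issued.append(out)
    # A single deny wins over any permit; no permit at all means no access.
    authorized = (not any(c.type == DENY for c in issued)
                  and any(c.type == PERMIT for c in issued))
    token_claims = [c for c in issued if c.type not in (PERMIT, DENY)]
    return token_claims, authorized


# Constructed incoming claims for one user, as an attribute store might supply them
SAMPLE_CLAIMS = [
    Claim("name", "alice"),
    Claim("group", "CN=Finance,OU=Groups,DC=corp,DC=example"),
    Claim("email", "alice@corp.example"),
    Claim("email", "alice@mail.example"),   # filtered out by the suffix rule
    Claim("accountStatus", "enabled"),
]

RULES = [
    pass_through("name"),
    transform("group", "CN=Finance,OU=Groups,DC=corp,DC=example", "role", "FinanceUser"),
    filter_by_suffix("email", "@corp.example"),
    permit_if("role", "FinanceUser"),          # relies on the role issued by the rule above
    deny_if("accountStatus", "disabled"),
]

if __name__ == "__main__":
    print(run_rules(SAMPLE_CLAIMS, RULES))
```

With the rules in the order shown the token carries name, role and the corporate e-mail and the user is permitted. Put the permit rule first and it never sees a role claim, so the same user is denied: a quiet failure mode worth checking whenever rules are reordered in the console.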
  • Custom Claims
    Capabilities of custom rules include
    Sending claims from a SQL attribute store
    Sending claims from an LDAP attribute store using a custom LDAP filter
    Sending claims from a custom attribute store
    Sending claims only when 2 or more incoming claims are met
    Sending claims only when an incoming claim matches a complex value
    Sending claims with complex changes to an incoming claim value
    Creating claims for use in later rules
  • Further Customizations
    Custom Style Sheet
    Home realm discovery
    Logon Page
    Authentication

  • What Else?
    Hardening
    SCW profiles are on the box
    Sizing
    PowerShell
    In Win8 it becomes a server role again (v2.1)
  • Windows Identity Foundation
  • Windows Identity Foundation
    Your one and only partner for .NET identity development
    Adds claims-based authentication to your application in no time
    My advice: forget custom user stores
    And if you need them: WIF-ify (?) them
  • Connecting an app to an STS
    Demo
  • Where things get cloudy...
    Windows Azure AppFabric Access Control Service
    ACS
  • Windows Azure AppFabric ACS
    An STS in the cloud
    Pluggable with identity providers
    Windows Live ID
    Facebook
    Google
    Yahoo!
    Any ADFS
    or better: any WS-federation passive endpoint
    Any OAuth2 provider
  • Why ACS?
  • Let’s step back...
    No, we’re not the US
    Federation across organizations does not happen often today
    So why would I use ACS anyway?
    Dev, test, accept, prod are different RPs!
    2 apps with all these environments means 8 RPs!
    Imagine 10 apps... or a hundred...
  • ACS advantages
    A scalable STS
    With one or more identity providers
    With one or more relying parties
    With one or more rule groups
    Integrates with WIF
    Integrates with ADFS
    Instant win!
  • ACS
    Identity
    Providers
    Your Application
    ACS
    SAML
    SWT
    Browser-based
    WS-Federation
    ADFS2 . WS-Federation
    Rich
    Client
    SAML
    WS-Trust
    ADFS2 . WS-Trust
    Server 2 Server
    SWT
    OAuth WRAP/2.0
    Service Identities
  • Connecting an app to ACS
    Demo
  • Connecting ACS to ADFS
    Demo
  • Using ACS at its full extent
    ACS as an identity service bus
    Demo
  • Conclusion
  • Conclusion
    It is possible to do SSO over security boundaries
    It is possible to integrate multiple apps with multiple identity providers
    ADFS and ACS form a nice couple
    Standards based solution
  • Some Resources
    AD FS v2 on TechNet and MSDN
    AD FS v2 content on TechNet Wiki
    Claims-Based Identity Blog
    Windows Azure AppFabric Access Control Service
    WIF and ACS Content Map on Technet Wiki
    Vittorio’s Blog
    http://identityserver.codeplex.com
  • Q&A
  • Winsec.be thanks its sponsors for their continued support
  • Azug thanks its sponsors