Windows azure for identity management challenges
  • 1. Using Windows Azure for Solving Identity Management Challenges, Seattle Cloud Intelligence Conference, Tuesday, April 17th
  • 2. About Me: Michael S. Collier, National Architect, Windows
  • 3. Windows Azure Core Components (diagram: Web Role, Worker Role, VM Role; Service Bus, Access Control Service, Cache Service, DataMarket; Database, Data Sync Service, Import/Export Service, Reporting Service; Blob Service, Queue Service, Table Service; Windows Azure Connect, Windows Azure Traffic Manager; Windows Azure graphics courtesy of David Pallmann)
  • 4. Traditional Identity Management
    • Windows Integrated Authentication (Active Directory)
    • Membership Provider
    • Proven approach
    • Leverage Windows Identity Foundation (WIF)
  • 5. Cloud Enabled Applications (diagram: the user's web browser presents credentials to the web application, which in turn relies on identity providers: Windows Live ID, Yahoo!, Facebook, Google, OpenID, Membership Provider, AD)
  • 6. We Have a Problem
    • No Active Directory
    • Environment not under our physical control
    • Disconnected from the enterprise (potentially)
  • 7. Options
    • Social Networks
      – They change . . . often
      – The right one?
      – Another?
    • Membership Provider
      – SQL Azure
      – Table Storage
      – More work!
      – Migrate existing data
    • Windows Live ID
      – Pros: mostly known entity
      – Cons: user management, security leak, new
  • 8. Windows Azure Connect
    • Secure network connectivity between Windows Azure and on-premises
    • Hybrid apps: access to on-premises servers
      – App access to SQL Server
      – Role domain-joined to AD
    • Setup & management
    (diagram: Role A, Role B and Role C (multiple VMs) in the cloud reach enterprise dev machines and databases through a relay; image courtesy Windows Azure Platform Training Kit)
  • 9. Windows Azure Access Control Service
    • No need to build your own identity management solution
    • Authenticate (WIF, OAuth and WS-Federation)
    • Claims-based authorization
    • Multiple identity providers (ADFSv2, Google, Live ID, etc.)
    • Ability to bring your own via membership
    • The one to rule them all!
    • Easy for your users
  • 10. Key ACS Concepts
    • Relying Party (RP): web application that outsources authentication to an authority it trusts. The RP is your app.
    • Identity Provider (IP): authenticates users and issues tokens
    • Token: digitally signed security data issued after the user has authenticated; used to gain access to the RP (your app)
    • Claim: attributes about the authenticated user (age, birthdate, email address, name, etc.)
    • Federation Provider: intermediary between the RP and IP. ACS is a Federation Provider.
    • STS: Simple Token Service, issues tokens containing claims. ACS is an STS.
  • 11. Authentication Workflow (participants: Browser, Application, Identity Provider, Access Control; courtesy Windows Azure Boot Camp)
    1. Request resource
    2. Redirect to Identity Provider
    3. Login
    4. Authenticate & issue token
    5. Redirect to AC service
    6. Send token to ACS
    7. Validate token, run rules engine, issue token
    8. Redirect to RP with ACS token
    9. Send ACS token to Relying Party
    10. Validate token
    11. Return resource representation
  • 12. Getting Started with ACS: DEMO
  • 13. Claims Enrichment
    • Identity providers only provide a few claims
      – Windows Live provides just one (Named Identifier)
      – Google and Yahoo! provide three (email, name, named identifier)
      – Facebook
      – ADFSv2
    • Add more claims that are known to your application
  • 14. Claims Enrichment: DEMO
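Slide 13 says to add the claims your application knows once the provider's few claims arrive; one place WIF gives you to do that is a ClaimsAuthenticationManager. The following is an added example written for this page, not code from the deck or from the demo, using the Microsoft.IdentityModel (WIF 1.0) API; the role table and the sample identifiers in it are constructed, and the issuer name "LocalApp" is an arbitrary label.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Claims;

// Runs after WIF has validated the ACS token and before the request reaches the page.
public class AppClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Claim ACS adds to every token, naming the provider that authenticated the user.
    private const string IdentityProviderClaim =
        "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

    // Constructed sample of application-owned data: (identity provider, name identifier) -> roles.
    // Name identifiers are only unique within one provider, so the pair is the key, never the id alone.
    private static readonly Dictionary<string, string[]> RolesByUser = new Dictionary<string, string[]>
    {
        { "Google|sample-google-id-123", new[] { "Reader", "Editor" } },
        { "uri:WindowsLiveID|sample-live-id-456", new[] { "Reader" } }
    };

    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
    {
        var identity = incomingPrincipal.Identity as IClaimsIdentity;
        // Anonymous requests arrive with an unauthenticated principal: enrich nothing.
        if (identity == null || !identity.IsAuthenticated) return incomingPrincipal;

        string provider = FindClaim(identity, IdentityProviderClaim);
        string nameId = FindClaim(identity, ClaimTypes.NameIdentifier);
        if (provider == null || nameId == null) return incomingPrincipal;

        // Roles are this application's decision: drop any role claim that came in with the token.
        for (int i = identity.Claims.Count - 1; i >= 0; i--)
            if (identity.Claims[i].ClaimType == ClaimTypes.Role) identity.Claims.RemoveAt(i);

        string[] roles;
        if (RolesByUser.TryGetValue(provider + "|" + nameId, out roles))
            foreach (string role in roles)
                identity.Claims.Add(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, "LocalApp"));
        return incomingPrincipal;
    }

    private static string FindClaim(IClaimsIdentity identity, string type)
    {
        foreach (Claim c in identity.Claims)
            if (c.ClaimType == type) return c.Value;
        return null;
    }
}
```

WIF only invokes the class once it is registered under `<microsoft.identityModel><service>` in web.config as `<claimsAuthenticationManager type="AppClaimsAuthenticationManager, YourAssembly" />` (assembly name assumed).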
  • 15. The Impact for Mobile Applications
    • Social Networks
      – Important
      – Users likely already have at least one
      – Quick and easy signup
      – Potential for rapid user base expansion
    • NuGet package available for easy add to a WP application
  • 16. Enable ACS on Your Windows Phone Application: DEMO
  • 17. Tips & Tricks
    • Staging vs. Production
      – WIF configuration in web.config
      – Staging URL unknown until deployment
      – Change WIF configuration in web.config during role startup
  • 18. Tips & Tricks
    • Staging vs. Production
      – WIF configuration in web.config
      – Staging URL unknown until deployment
      – Change WIF configuration in web.config during role startup
    • See Vittorio Bertocci's blog post at
  • 19. Tips & Tricks
    • Cookie Encryption
      – DPAPI used to protect cookies sent to the client
      – DPAPI not supported in Windows Azure
      – Use RsaEncryptionCookieTransform to encrypt with the same cert used for SSL
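Slides 17 to 19 describe two runtime adjustments to WIF: taking the deployment URL from the running role instead of web.config, and swapping the DPAPI cookie protection for the RSA transforms. This added example, written for this page and not taken from the deck or Bertocci's post, does both from Global.asax.cs with the Microsoft.IdentityModel (WIF 1.0) API; it assumes web.config already points WIF at your ACS namespace and declares the SSL certificate in `<serviceCertificate>`.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

public class Global : HttpApplication
{
    private static readonly object AudienceLock = new object();

    protected void Application_Start(object sender, EventArgs e)
    {
        // Raised once, when WIF builds its configuration from <microsoft.identityModel> in web.config.
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
        // Raised on every request that WIF is about to redirect to ACS for sign-in.
        FederatedAuthentication.WSFederationAuthenticationModule.RedirectingToIdentityProvider +=
            OnRedirectingToIdentityProvider;
    }

    // Slide 19: DPAPI is unavailable in Windows Azure, so protect the session cookie with the
    // role's service certificate (the SSL certificate) using the RSA cookie transforms instead.
    private static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        ServiceConfiguration config = e.ServiceConfiguration;
        var transforms = new List<CookieTransform>
        {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(config.ServiceCertificate),
            new RsaSignatureCookieTransform(config.ServiceCertificate)
        };
        config.SecurityTokenHandlers.AddOrReplace(new SessionSecurityTokenHandler(transforms.AsReadOnly()));
    }

    // Slides 17/18: the staging URL is only known at runtime, so derive realm, reply address and the
    // accepted token audience from the request instead of hard-coding them in web.config.
    private static void OnRedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
    {
        Uri requestUrl = HttpContext.Current.Request.Url;
        Uri baseUrl = new UriBuilder(requestUrl.Scheme, requestUrl.Host, requestUrl.Port, "/").Uri;
        // Both the staging and the production realm must be registered as relying parties in ACS.
        e.SignInRequestMessage.Realm = baseUrl.AbsoluteUri;
        e.SignInRequestMessage.Reply = baseUrl.AbsoluteUri;
        // Only accept tokens issued for this deployment's own URL; the audience check stays enabled.
        var allowed = FederatedAuthentication.ServiceConfiguration.AudienceRestriction.AllowedAudienceUris;
        lock (AudienceLock) { if (!allowed.Contains(baseUrl)) allowed.Add(baseUrl); }
    }
}
```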
  • 20. Tips & Tricks
  • 21. Tips & Tricks
    • Development certificate
    • Customize the login experience
    • User registration
    • Require authentication for only part of the site
  • 22. Gotchas
    • Single sign-out not currently supported
    • Co-admin cannot administer an ACS namespace
    • WIF not installed on Windows Azure roles
      – Microsoft.IdentityModel: set Copy Local = true
      – Install WIF via a startup task
  • 23. Summary
    • Identity in the cloud is hard
      – Many external islands of identity
      – Current technology hard or not interoperable
    • ACS provides a standards-based approach
      – Integrates with Windows Identity Foundation
      – Claims-based authorization
      – Support for ADFSv2, Google, Live ID, Yahoo!, & Facebook
    • Enrich functionality using WIF
    • OData API and portal for management
  • 24. Resources
    • Windows Azure ACS Guide – control/#config-trust
    • Programming Windows Identity Foundation, Vittorio Bertocci
    • "Claims-Based Authorization with WIF", Michele Bustamante –
    • ACS Cheat Sheet –
    • ACS How To's –
    • ACS Tips –
    • Publishing an ACS v2 Federated Identity Web Role –
  • 25. Get the Bits!
  • 26. Thank You
    • Your feedback is important!
    • Please fill out and return the survey: you'll get a copy of today's decks. @MichaelCollier