Windows azure for identity management challenges
Presentation Transcript

  • Using Windows Azure for Solving Identity Management Challenges
    Seattle Cloud Intelligence Conference, Tuesday, April 17th
  • About Me
    Michael S. Collier, National Architect, Windows Azure
    michael.collier@neudesic.com
    @MichaelCollier
    www.MichaelSCollier.com
  • Windows Azure Core Components (diagram): Web Role, Worker Role, VM Role; DataMarket, Service Bus, Cache Service, Access Control Service; Database, Data Sync, Import/Export and Reporting services; Blob, Queue and Table storage services; Windows Azure Connect; Windows Azure Traffic Manager. Windows Azure graphics courtesy of David Pallmann (http://azuredesignpatterns.com).
  • Traditional Identity Management
    • Windows Integrated Authentication (Active Directory)
    • Membership Provider
    • Proven approach
    • Leverage Windows Identity Foundation (WIF)
  • Cloud Enabled Applications (diagram): The User, Credentials, Web Browser, Web Application; Identity Providers: Windows Live ID, Yahoo!, Facebook, Google, OpenID, Membership Provider, AD.
  • We Have a Problem
    • No Active Directory
    • Environment not under our physical control
    • Disconnected from the enterprise (potentially)
  • Options (two-column slide)
    • Social Networks
      – They change . . . Often
      – The right one? Another?
      – Pros: mostly known entity (Windows Live ID)
    • Membership Provider
      – SQL Azure or Table Storage
      – More work! Migrate existing data
      – Cons: user management, security leak, new
  • Windows Azure Connect
    • Secure network connectivity between Windows Azure and on-premises
    • Hybrid apps: access to on-premises servers
      – App access to SQL Server
      – Role domain-joined to AD
    • Setup & management
    (Diagram: Role A, Role B, Role C (multiple VMs) in the cloud; Relay; Dev machines and Databases in the Enterprise. Image courtesy Windows Azure Platform Training Kit.)
  • Windows Azure Access Control Service
    • No need to build your own identity management solution
    • Authenticate (WIF – OAuth and WS-Federation)
    • Claims-based authorization
    • Multiple Identity Providers (ADFSv2, Google, Live ID, etc.)
    • Ability to bring your own via membership
    • The one to rule them all!
    • Easy for your users
  • Key ACS Concepts
    • Relying Party (RP): Web application that outsources authentication to an authority it trusts. The RP is your app.
    • Identity Provider (IP): Authenticates users and issues tokens.
    • Token: Digitally signed security data issued after the user authenticates; used to gain access to the RP (your app).
    • Claim: Attributes about the authenticated user (age, birthdate, email address, name, etc.).
    • Federation Provider: Intermediary between the RP and IP. ACS is a Federation Provider.
    • STS: Security Token Service – issues tokens containing claims. ACS is an STS.
  • Authentication Workflow (participants: Browser, Application / Relying Party, Identity Provider, Access Control)
    1. Browser requests resource from the application
    2. Application redirects to Identity Provider
    3. User logs in
    4. Identity Provider authenticates and issues token
    5. Redirect to AC service
    6. Browser sends token to ACS
    7. ACS validates token, runs rules engine, issues token
    8. Redirect to RP with ACS token
    9. Browser sends ACS token to Relying Party
    10. RP validates token
    11. RP returns resource representation
    Courtesy Windows Azure Boot Camp
  • Getting Started with ACS (DEMO)
  • Claims Enrichment
    • Identity Providers only provide a few claims
      – Windows Live provides just one (Name Identifier)
      – Google and Yahoo! provide three (email, name, name identifier)
      – Facebook
      – ADFSv2
    • Add more claims that are known to your application
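The application-side half of claims enrichment, as an added example that is not part of the deck or its demo: a WIF ClaimsAuthenticationManager that runs once after the ACS token has been validated and adds claims the application knows about to the incoming principal. The UserStore and UserProfile types, the sample Google user and the customerid claim type are hypothetical placeholders; the Microsoft.IdentityModel types and the ACS identity-provider claim type are the real WIF 3.5 / ACS names.

```csharp
// Added example (not from the deck): enrich the ACS-issued principal with
// application-known claims through WIF's ClaimsAuthenticationManager hook.
// Register it in web.config under <microsoft.identityModel><service>:
//   <claimsAuthenticationManager type="AcsDemo.Web.EnrichingClaimsAuthenticationManager, AcsDemo.Web" />
using System;
using System.Linq;
using Microsoft.IdentityModel.Claims;

namespace AcsDemo.Web
{
    public class EnrichingClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        // ACS adds this claim to every token it issues; it names the IP that authenticated the user.
        private const string IdentityProviderClaimType =
            "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

        // Hypothetical application-specific claim type.
        private const string CustomerIdClaimType = "http://schemas.example.com/claims/customerid";

        // Issuer recorded on the claims added here, so authorization code can tell
        // locally asserted claims from those asserted by ACS or the identity provider.
        private const string LocalIssuer = "LocalUserStore";

        public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
        {
            if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            {
                return incomingPrincipal; // anonymous request: nothing to enrich
            }

            IClaimsIdentity identity = (IClaimsIdentity)incomingPrincipal.Identity;

            // Key the lookup on identity provider + name identifier. A name identifier
            // alone is not unique across providers, so both are required.
            string provider = FirstValue(identity, IdentityProviderClaimType);
            string nameId = FirstValue(identity, ClaimTypes.NameIdentifier);
            if (provider == null || nameId == null)
            {
                return incomingPrincipal;
            }

            UserProfile profile = UserStore.Find(provider, nameId); // hypothetical lookup
            if (profile == null)
            {
                return incomingPrincipal; // not registered yet: the app can route to sign-up
            }

            identity.Claims.Add(new Claim(ClaimTypes.Role, profile.Role, ClaimValueTypes.String, LocalIssuer));
            identity.Claims.Add(new Claim(CustomerIdClaimType, profile.CustomerId, ClaimValueTypes.String, LocalIssuer));
            return incomingPrincipal;
        }

        private static string FirstValue(IClaimsIdentity identity, string claimType)
        {
            Claim claim = identity.Claims.FirstOrDefault(c => c.ClaimType == claimType);
            return claim == null ? null : claim.Value;
        }
    }

    // Hypothetical user store standing in for a SQL Azure or Table Storage lookup.
    public class UserProfile
    {
        public string Role { get; set; }
        public string CustomerId { get; set; }
    }

    public static class UserStore
    {
        public static UserProfile Find(string identityProvider, string nameIdentifier)
        {
            // Constructed sample data: one known Google user.
            if (identityProvider == "Google" &&
                nameIdentifier == "https://www.google.com/accounts/o8/id?id=EXAMPLE")
            {
                return new UserProfile { Role = "Customer", CustomerId = "C-1001" };
            }
            return null;
        }
    }
}
```

WIF invokes this manager once per sign-in and then serializes the resulting principal into the session cookie, so the store lookup does not repeat on every request; the flip side is that every claim added here grows the cookie, which is worth keeping in mind alongside the cookie-protection tip later in the deck.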
  • Claims Enrichment (DEMO)
  • The Impact for Mobile Applications
    • Social Networks
      – Important
      – Users likely already have at least one
      – Quick and easy signup
      – Potential for rapid user base expansion
    • NuGet package available for easy addition to a WP (Windows Phone) application
  • Enable ACS on Your Windows Phone Application (DEMO)
  • Tips & Tricks: Staging vs. Production
    – WIF configuration in web.config
    – Staging URL unknown until deployment
    – Change WIF configuration in web.config during role startup
    See Vittorio Bertocci’s blog post at http://blogs.msdn.com/b/vbertocci/archive/2011/05/31/edit-and-apply-new-wif-s-config-settings-in-your-windows-azure-webrole-without-redeploying.aspx
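One way to carry out the "change WIF configuration during role startup" tip, as an added example that is neither the deck's demo code nor the code from the linked blog post: the web role's OnStart reads the realm from a service-configuration setting and rewrites the realm and audience URI in web.config before IIS serves the site. Assumptions, all labelled in the code: the role runs elevated, Microsoft.Web.Administration is referenced, the setting is named "WifRealm" (a hypothetical name), and the IIS site follows the "<instance id>_Web" naming used for Windows Azure web roles.

```csharp
// Added example (not from the deck or the linked blog post): at role start, rewrite the
// WIF realm and audience URI in web.config from a .cscfg setting, so the value can be
// changed per deployment (staging vs. production) without redeploying the package.
// Assumptions: the role runs elevated (<Runtime executionContext="elevated" /> in the
// .csdef), Microsoft.Web.Administration is referenced, and a setting named "WifRealm"
// (hypothetical name) is declared in the .csdef and given a value in the .cscfg.
using System;
using System.IO;
using System.Xml.Linq;
using Microsoft.Web.Administration;
using Microsoft.WindowsAzure.ServiceRuntime;

namespace AcsDemo.Web
{
    public class WebRole : RoleEntryPoint
    {
        public override bool OnStart()
        {
            string realm = RoleEnvironment.GetConfigurationSettingValue("WifRealm");
            string webConfigPath = Path.Combine(GetSitePhysicalPath(), "web.config");
            WifConfigRewriter.SetRealm(webConfigPath, realm);
            return base.OnStart();
        }

        private static string GetSitePhysicalPath()
        {
            // Windows Azure creates the IIS site for a web role as "<instance id>_Web".
            string siteName = RoleEnvironment.CurrentRoleInstance.Id + "_Web";
            using (var serverManager = new ServerManager())
            {
                return serverManager.Sites[siteName].Applications["/"].VirtualDirectories["/"].PhysicalPath;
            }
        }
    }

    public static class WifConfigRewriter
    {
        // Rewrites <microsoft.identityModel><service> so that the realm sent to ACS and the
        // audience WIF accepts both equal the supplied URL. A token whose audience is not
        // listed in <audienceUris> is rejected, which is the symptom when staging comes up
        // under a URL the packaged web.config never knew about.
        public static void SetRealm(string webConfigPath, string realm)
        {
            if (!Uri.IsWellFormedUriString(realm, UriKind.Absolute))
            {
                throw new ArgumentException("Realm must be an absolute URI", "realm");
            }

            XDocument doc = XDocument.Load(webConfigPath);
            XElement service = doc.Root.Element("microsoft.identityModel").Element("service");

            // <federatedAuthentication><wsFederation realm="..." />
            XElement wsFederation = service.Element("federatedAuthentication").Element("wsFederation");
            wsFederation.SetAttributeValue("realm", realm);

            // <audienceUris><add value="..." /></audienceUris>
            XElement audienceUris = service.Element("audienceUris");
            audienceUris.RemoveNodes();
            audienceUris.Add(new XElement("add", new XAttribute("value", realm)));

            doc.Save(webConfigPath);
        }
    }
}
```

Editing the setting in the portal raises a configuration change; with the default handling the instance recycles and OnStart runs again with the new realm. The same realm still has to be registered for the relying party in the ACS portal, otherwise ACS refuses to issue a token for it.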
  • Tips & Tricks: Cookie Encryption
    – DPAPI used to protect cookies sent to the client
    – DPAPI not supported in Windows Azure
    – Use RsaEncryptionCookieTransform to encrypt with the same cert used for SSL
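The cookie-protection tip in code, as an added example that is not part of the deck's demos: Global.asax swaps WIF's default DPAPI-based session token handler for one that compresses, RSA-encrypts and RSA-signs the cookie with the service certificate. It assumes the SSL certificate has been uploaded to the hosted service with its private key and is referenced as the <serviceCertificate> in the microsoft.identityModel section of web.config; the namespace and class names are hypothetical.

```csharp
// Added example (not from the deck): replace WIF's default DPAPI session cookie
// protection with RSA encryption and signing using the WIF service certificate, which
// in Windows Azure is the SSL certificate uploaded with its private key.
// Assumes <serviceCertificate> under <microsoft.identityModel><service> in web.config
// points at that certificate.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

namespace AcsDemo.Web
{
    public class Global : System.Web.HttpApplication
    {
        protected void Application_Start(object sender, EventArgs e)
        {
            // Raised once, when WIF reads its configuration: the moment to swap handlers.
            FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
        }

        private static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
        {
            X509Certificate2 cert = e.ServiceConfiguration.ServiceCertificate;
            if (cert == null || !cert.HasPrivateKey)
            {
                // Without the private key the role could write cookies it can never read back.
                throw new InvalidOperationException(
                    "A WIF service certificate with a private key is required for RSA cookie protection.");
            }

            // Order matters: compress, then encrypt, then sign. When reading a cookie WIF
            // applies the transforms in reverse, so the signature is checked before decryption.
            var transforms = new List<CookieTransform>
            {
                new DeflateCookieTransform(),
                new RsaEncryptionCookieTransform(cert),
                new RsaSignatureCookieTransform(cert)
            };

            var sessionHandler = new SessionSecurityTokenHandler(transforms.AsReadOnly());
            e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
        }
    }
}
```

DPAPI keys are specific to the machine that created them, so a session cookie written by one role instance cannot be read by another behind the load balancer; using one certificate that every instance carries is what makes the cookie portable across the deployment.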
  • Tips & Tricks
    • Development certificate
    • Customize the login experience
    • User registration
    • Require authentication for only part of the site
  • Gotchas
    • Single sign-out not currently supported
    • Co-admin cannot administer an ACS namespace
    • WIF not installed on Windows Azure roles
      – Microsoft.IdentityModel: Copy Local = true
      – Install WIF via a startup task
  • Summary
    • Identity in the cloud is hard
      – Many external islands of identity
      – Current technology hard or not interoperable
    • ACS provides a standards-based approach
      – Integrates with Windows Identity Foundation
      – Claims-based authorization
      – Support for ADFSv2, Google, Live ID, Yahoo!, & Facebook
    • Enrich functionality using WIF
    • OData API and portal for management
  • Resources
    • Windows Azure ACS Guide – http://www.windowsazure.com/en-us/develop/net/how-to-guides/access-control/#config-trust
    • Programming Windows Identity Foundation, Vittorio Bertocci
    • “Claims-Based Authorization with WIF”, Michele Bustamante – http://msdn.microsoft.com/en-us/magazine/ee335707.aspx
    • ACS Cheat Sheet – http://bit.ly/ACSCheatSheet
    • ACS How To’s – http://bit.ly/ACSHowTo
    • ACS Tips – http://bit.ly/HYhxjY
    • Publishing an ACS v2 Federated Identity Web Role – http://bit.ly/HPT6rk
  • Get the Bits!
    http://bit.ly/AzureTrialMC
    http://bit.ly/AzureSDKMC
  • Thank You
    • Your feedback is important!
    • Please fill out and return the survey – you’ll get a copy of today’s decks.
    michael.collier@neudesic.com
    @MichaelCollier
    www.MichaelSCollier.com