1. Using Windows Azure for Solving Identity Management Challenges
Michael S. Collier

2. Michael S. Collier
• Principal Cloud Architect, Aditi
• michaelc@aditi.com
• @MichaelCollier
• www.MichaelSCollier.com

3. Platinum Sponsors / Gold Sponsors

4. What We’re Talking About
• Identity - Current State and in The Cloud
• Windows Azure solutions
• Mobile Services
• Access Control Service (ACS)
• Windows Azure Active Directory

5. Who Are You?
• Personalization
• Business Rules
• Functionality / Features

6. Traditional Identity Management
• IT Pro – controls the known world
• Developers – blissfully ignorant?
(Diagram: My Enterprise, containing AD, SQL, and a LOB App)

7. Cloud . . . A New Challenge
• Move the application & data
• Islands of identity
• Outside of “traditional” IT world
• External users / partners
• BYOD
• Developers ignorant no more
• Developers + IT Pros

8. Windows Azure Options
• Mobile Services
• Active Directory
• Access Control Service (ACS)
• Server Active Directory
• AD w/ DirSync
9. Mobile Services
• Goal – easily build cloud-powered mobile apps
• Built-in support for multiple social identity providers (Facebook, Google, MicrosoftAccount, Twitter)

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.WindowsAzure.MobileServices;
using Windows.UI.Popups;

// Holds the signed-in user; stays null until LoginAsync succeeds.
private MobileServiceUser user;

// Keeps prompting until the user completes a login with the chosen provider (Twitter here).
private async Task Authenticate()
{
    while (user == null)
    {
        string message;
        try
        {
            // Opens the provider's OAuth login UI and returns the Mobile Services user.
            user = await App.MobileService.LoginAsync(MobileServiceAuthenticationProvider.Twitter);
            message = string.Format("You are now logged in - {0}", user.UserId);
            CurrentUser.Text = "Welcome, " + App.MobileService.CurrentUser.UserId;
        }
        catch (InvalidOperationException)
        {
            // Thrown when the login is cancelled or fails; the loop prompts again.
            message = "You must log in. Login Required";
        }
        var dialog = new MessageDialog(message);
        dialog.Commands.Add(new UICommand("OK"));
        await dialog.ShowAsync();
    }
}
```
10. Mobile Services
(Diagram)

11. Authentication
• Microsoft Account, Facebook, Twitter, and Google
• OAuth
• Does not use Windows Azure ACS

12. Authentication
• Microsoft Account – Use the Live SDK
• Tight integration with Windows Live services

13. More Mobile Services?
• Programming Windows Azure Mobile Services
• Jason Farrell
• Wednesday at 10:30am
• Portia

14. Access Control Service (ACS)
• Federated identity/authentication service
• Google, Microsoft Account, Yahoo!, ADFS v2
• Bring your own membership
• Claims-based authorization
• Browser based (302 redirect)
• Focus on your app

15. DEMO TIME!!! Access Control Service (ACS)

16. ACS Tips
• Enrich claims w/ a ClaimsAuthenticationManager
• Update WIF settings in web.config in OnStart()
• Web Farm Ready Cookies
  • Web Sites and Cloud Services
  • DPAPI not supported in Windows Azure
• Provide sign-out link for identity providers
• Azure co-admin can’t admin ACS namespace
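The first ACS tip, enriching claims with a ClaimsAuthenticationManager, as an added example that is not code from the deck or its demo: a hypothetical WIF 4.5 manager that discards any role claims the identity provider sent and adds the application's own roles from a local store. The ACS identity-provider claim type is the real one; the role store contents and the class name are constructed for illustration.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Hypothetical ClaimsAuthenticationManager (not from the deck). WIF invokes it after the ACS
// token has been validated, so this is where the application decides its own role claims
// instead of trusting whatever roles an external identity provider happened to send.
public class AppRoleClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Claim ACS adds to say which identity provider actually authenticated the user.
    const string IdentityProviderClaim =
        "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

    // Constructed sample role store; a real application would query its membership database.
    // The key combines provider and subject: a NameIdentifier is only unique per provider,
    // so the same value from two providers must not map to the same user.
    static readonly Dictionary<string, string[]> RoleStore = new Dictionary<string, string[]>
    {
        { "Google|110169484474386276334", new[] { "Reader" } },
        { "Windows Live ID|000000004C0A1B2C", new[] { "Reader", "Editor" } },
    };

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        // Anonymous requests reach this method too; leave them untouched.
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal;

        var identity = (ClaimsIdentity)incomingPrincipal.Identity;
        Claim subject = identity.FindFirst(ClaimTypes.NameIdentifier);
        Claim provider = identity.FindFirst(IdentityProviderClaim);
        if (subject == null || provider == null)
            return incomingPrincipal;   // cannot map the user, so no roles are granted

        // Role claims are the application's decision: drop any that arrived in the token.
        foreach (Claim role in identity.FindAll(ClaimTypes.Role).ToList())
            identity.RemoveClaim(role);

        string[] roles;
        if (RoleStore.TryGetValue(provider.Value + "|" + subject.Value, out roles))
        {
            foreach (string role in roles)
                identity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, "LocalRoleStore"));
        }
        return incomingPrincipal;
    }
}
```

The class is registered in web.config under `<system.identityModel><identityConfiguration><claimsAuthenticationManager type="..."/>`, after which `[Authorize(Roles = "Editor")]` and `IsInRole` see only the roles this store granted.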
17. Windows Azure Active Directory
• Internet scale, multi-tenant directory service
• Directory store for Office 365
• Extend Windows Server AD to the cloud
• Directory & identity services w/o need for Windows Server AD
(Diagram: Active Directory behind the O365 Account Portal, Intune Account Portal, Windows Azure Mgmt Portal, and Azure AD PowerShell cmdlets)

18. Windows Azure Active Directory
• Multi-tenant “directory-as-a-service”
• NOT a cloud version of Windows Server AD
Image Source: http://technet.microsoft.com/en-us/library/jj573650.aspx

19. Windows Azure Active Directory
(Diagram: Integration / Management Endpoints around Windows Azure Active Directory: Windows Azure Management Portal, REST API, SAML-P, OAuth, WS-Federation)

20. Windows Azure Active Directory
(Diagram: Integration / Management Endpoints)

21. Windows Azure Active Directory
• What’s in the directory?
• Everything is an object
• Types: User, Group, Role, Application, Device, etc.
22.–23. WAAD Graph Response

```xml
<?xml version="1.0" encoding="utf-8"?>
<feed xml:base="https://graph.windows.net/collierdemo.onmicrosoft.com/"
      xmlns="http://www.w3.org/2005/Atom"
      xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices"
      xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
      xmlns:georss="http://www.georss.org/georss"
      xmlns:gml="http://www.opengis.net/gml">
  <id>https://graph.windows.net/11271159-abc8-4e0e-b3c2-c2a0858a036b/directoryObjects/$/Microsoft.WindowsAzure.ActiveDirectory.User</id>
  <title type="text">Microsoft.WindowsAzure.ActiveDirectory.User</title>
  <updated>2013-03-21T00:58:34Z</updated>
  <link rel="self" title="Microsoft.WindowsAzure.ActiveDirectory.User" href="Microsoft.WindowsAzure.ActiveDirectory.User" />
  <entry>
    <id>https://graph.windows.net/11271159-abc8-4e0e-b3c2-c2a0858a036b/directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6</id>
    <category term="Microsoft.WindowsAzure.ActiveDirectory.User" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
    <link rel="edit" title="User" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User" />
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/manager" type="application/atom+xml;type=entry" title="manager"
          href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/manager" />
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/directReports" type="application/atom+xml;type=feed" title="directReports"
          href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/directReports" />
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/members" type="application/atom+xml;type=feed" title="members"
          href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/members" />
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/memberOf" type="application/atom+xml;type=feed" title="memberOf"
          href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/memberOf" />
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/permissions" type="application/atom+xml;type=feed" title="permissions"
          href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/permissions" />
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/edit-media/thumbnailPhoto" title="thumbnailPhoto"
          href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/thumbnailPhoto" />
    <m:action metadata="https://graph.windows.net/michaelcollier.onmicrosoft.com/$metadata#DirectoryDataService.assignLicense" title="assignLicense"
              target="https://graph.windows.net/collierdemo.onmicrosoft.com/directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/assignLicense" />
    <content type="application/xml">
      <m:properties>
        <d:objectType>User</d:objectType>
        <d:objectId>23dc9514-64ec-4c94-8f03-4edf9016b2a6</d:objectId>
        <d:accountEnabled m:type="Edm.Boolean">true</d:accountEnabled>
        <d:assignedLicenses m:type="Collection(Microsoft.WindowsAzure.ActiveDirectory.AssignedLicense)" />
        <d:assignedPlans m:type="Collection(Microsoft.WindowsAzure.ActiveDirectory.AssignedPlan)" />
        <d:city m:null="true" />
        <d:displayName>Michael Collier</d:displayName>
        <d:givenName>Michael</d:givenName>
        <d:mailNickname>michael</d:mailNickname>
        <d:mobile>+1 6142883146</d:mobile>
        <d:otherMails m:type="Collection(Edm.String)">
          <d:element>michaelscollier@gmail.com</d:element>
        </d:otherMails>
        <d:userPrincipalName>michael@collierdemo.onmicrosoft.com</d:userPrincipalName>
      </m:properties>
    </content>
  </entry>
</feed>
```

* Some elements removed for readability.
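Reading the feed above in code, as an added example that is not part of the deck: a hypothetical LINQ-to-XML parser that walks the Atom entries using the `d:` and `m:` namespaces declared in the response, honours `m:null="true"` properties such as `d:city`, and keeps only User objects. The `GraphUser` type, the parser class and the one-entry sample feed are constructed for illustration.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

// Hypothetical parser (not from the deck) for the Atom/OData feed the WAAD Graph API returns,
// using the namespaces declared in the response above.
public class GraphUser
{
    public string ObjectId, UserPrincipalName;
    public bool AccountEnabled;
}

public static class GraphFeedParser
{
    static readonly XNamespace Atom = "http://www.w3.org/2005/Atom";
    static readonly XNamespace D = "http://schemas.microsoft.com/ado/2007/08/dataservices";
    static readonly XNamespace M = "http://schemas.microsoft.com/ado/2007/08/dataservices/metadata";

    // Null when the element is missing or marked m:null="true" (as <d:city> is above).
    static string Prop(XElement props, string name)
    {
        XElement e = props.Element(D + name);
        if (e == null) return null;
        XAttribute isNull = e.Attribute(M + "null");
        return (isNull != null && isNull.Value == "true") ? null : e.Value;
    }

    public static List<GraphUser> Parse(string atomFeed)
    {
        return XDocument.Parse(atomFeed).Root.Elements(Atom + "entry")
            .Select(entry => entry.Descendants(M + "properties").FirstOrDefault())
            // A directoryObjects feed can mix types; keep only User entries.
            .Where(props => props != null && Prop(props, "objectType") == "User")
            .Select(props => new GraphUser
            {
                ObjectId = Prop(props, "objectId"),
                UserPrincipalName = Prop(props, "userPrincipalName"),
                // Edm.Boolean; a missing or null value is treated as disabled.
                AccountEnabled = Prop(props, "accountEnabled") == "true"
            }).ToList();
    }

    // Constructed one-entry sample in the same shape as the feed above (not real tenant data).
    public const string Sample =
        "<feed xmlns='http://www.w3.org/2005/Atom' xmlns:d='http://schemas.microsoft.com/ado/2007/08/dataservices'" +
        " xmlns:m='http://schemas.microsoft.com/ado/2007/08/dataservices/metadata'><entry><content type='application/xml'>" +
        "<m:properties><d:objectType>User</d:objectType><d:objectId>00000000-0000-0000-0000-000000000001</d:objectId>" +
        "<d:accountEnabled m:type='Edm.Boolean'>false</d:accountEnabled><d:city m:null='true'/>" +
        "<d:userPrincipalName>sample@contoso.onmicrosoft.com</d:userPrincipalName></m:properties></content></entry></feed>";
}
```

`GraphFeedParser.Parse(GraphFeedParser.Sample)` exercises the parser offline; against a live tenant the feed comes from a GET to graph.windows.net with a bearer token obtained through ADAL (slide 24).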
24. Graph API Helpers
• REST interface for WAAD
• Graph Explorer: https://graphexplorer.cloudapp.net/
• AAD Helper: http://code.msdn.microsoft.com/Windows-Azure-AD-Graph-API-a8c72e18
• Active Directory Authentication Library (ADAL)
  • https://www.nuget.org/packages/System.IdentityModel.Clients.ActiveDirectory/
  • http://www.cloudidentity.com/blog/2013/08/02/aal-becomes-adal-active-directory-authentication-library/
  • Formerly Azure Authentication Library (AAL)

25. WAAD Authentication
• Authentication for cloud-based & native apps
• Permissions
  • SSO, Read Data, Read & Write Data
  • Applies to the APPLICATION, not the user

26. DEMO TIME!!! Windows Azure AD – Single Sign-On, Web API, and Windows Store

27. WAAD and the Enterprise
(Diagram: My Enterprise, containing AD, SQL, and a LOB App)

28. WAAD and the Enterprise
• Passwords sync every 2 minutes
• Users sync every 3 hours
(Diagram: My Enterprise with DirSync, a LOB App, and SQL)
29. Where Does the Authentication Happen?

| | Portal | PowerShell / Directory Graph | DirSync w/ Cloud identities | DirSync w/ Password Sync | DirSync w/ SSO |
|---|---|---|---|---|---|
| Target customer segment | Small | Small to Medium | Small/Medium | Small/Medium | Medium/Large |
| Scenarios supported | Least | Least | Some limitations | Some limitations | Most |
| Directory source of authority | Cloud | Cloud | On-premises | On-premises | On-premises |
| Hardware requirements | No additional hardware required | No additional hardware required | Windows Server OS for DirSync appliance | Windows Server OS for DirSync appliance | DirSync appliance; ADFS (or other STS) deployment |
| IDP | Cloud | Cloud | Cloud | Cloud | On-premises |
| User login experience | Disjoint username and password; enter credentials twice | Disjoint username and password; enter credentials twice | Same username, disjoint password; enter credentials twice | Same username and password for on-prem and cloud; enter credentials twice | Same username and password for on-prem and cloud; login once if on-premises |
| Complexity | Low | Medium | Low | Low | High |

Table Source: Microsoft Office 365 Directory and Access Management with Windows Azure Active Directory, Ross Adams & Jono Luk – TechEd NA 2013
30. DEMO TIME!!! Windows Azure Active Directory w/ DirSync

31. Going Further with Windows Azure AD
• Multitenant applications
  • Leverage identity from other WAAD tenants
  • http://www.windowsazure.com/en-us/develop/net/tutorials/multitenant-apps-for-active-directory/
• Phone 2FA (Multi-Factor Authentication)
  • Additional administrative users
  • Username/pwd + text message code

32. Summary
• Developers, Architects, & IT Pros work together
• Mobile Services
  • Quickly add Identity Providers via portal config and code
• ACS
  • Federated identity authentication
  • Claims-based authorization
• Windows Azure AD
  • “Extends” Windows Server AD to the cloud
  • Query via REST graph API

33. Helpful Resources
• Mobile Services
  • Handling Expired Tokens - http://www.thejoyofcode.com/Handling_expired_tokens_in_your_application_Day_11_.aspx
  • Carlos Figueira’s Blog - http://blogs.msdn.com/b/carlosfigueira/
• ACS
  • Cheat Sheet – http://bit.ly/ACSCheatSheet
  • How To’s – http://bit.ly/ACSHowTo
  • Tips – http://bit.ly/HYhxjY
• Azure Active Directory
  • “Microsoft Office 365 Directory and Access Management with Windows Azure Active Directory”, Ross Adams & Jono Luk – TechEd NA 2013
  • “Deep Dive into the Windows Azure Active Directory Graph API: Data Model, Schema, Query, and More”, Edward Wu – TechEd NA 2013
  • Securing a Windows Store App and REST API using Windows Azure AD - http://msdn.microsoft.com/en-us/library/windowsazure/dn169448.aspx
  • Vittorio Bertocci’s Blog - http://www.cloudidentity.com/blog/

34. Ask your questions

35. Thank You!
• Michael S. Collier
• Principal Cloud Architect, Aditi
• michaelc@aditi.com
• @MichaelCollier
• www.MichaelSCollier.com

36. August 11th – 13th 2014
Same Place, Same Time