Developing and deploying Identity-enabled applications for the cloud

Joint session by WInsec.be and Azug.be on ADFS, federation and claims based authentication in the cloud.

Published in: Technology

  1. Developing and deploying Identity-enabled applications for the cloud
  2. This session meets: Developing and deploying Identity-enabled applications for the cloud
  3. Winsec.be thanks his sponsors for their continued support
  4. Azug thanks his sponsors
  5. Thanks for being here and enjoy the show! Feedback to: winsec@winsec.be, board@azug.be
  6. Developing and deploying Identity-enabled applications for the cloud
  7. Your Presenters for Today
     - Maarten: @maartenballiauw / about.me/maarten.balliauw; Co-founder of AZUG; MVP: Windows Azure; Blogs at http://blog.maartenballiauw.be
     - Paul: @ploonen / paul@winsec.be; Co-founder of winsec.be; MVP: Microsoft Forefront Identity Manager; MCM Directory; Current hobby: Architect@Avanade; Blog @ http://be-id.blogspot.com
  8. Agenda
     - Presenting the problem (a.k.a. "The Scenario")
     - How federation saves the day
     - How ADFS solves federation
     - How to connect an app to ADFS
     - How Windows Azure adds extra sauce to federation
     - Q&A
  9. Introducing the Problem
  10. Introducing AD FS v2
  11. Some vocabulary
  12. Federation benefits
     - Benefits of SSO: reduce administrative overhead; reduce security vulnerabilities as a result of lost or stolen passwords; improve user productivity
     - Intra-Enterprise: provide SSO for all your web sites and applications
     - Inter-Enterprise: provide SSO experiences for your users to access apps in other organizations; provide SSO experience for users from external organizations to access your apps
     - Easily externalize authentication & authorization
     - Rich claims rules processing engine
     - Management & Configuration Tools
  13. What is AD FS 2.0?
     - AD FS 2.0 provides access and single sign-on for on-premises and cloud-based applications in the enterprise, across organizations, and on the Web
     - Diagram: Other Claims Providers (CA, IBM, SUN, Other STS)
     - AD FS 2.0 Major Components: Federation Server, Federation Server Proxy, WIF, Attribute Stores, Claims Engine, Website, Management Snap-in, Web Service
     - Platform: Active Directory, Windows Server 2008 SP2 / 2008 R2, MS SQL or Windows Internal DB, .NET 3.5 SP1, IIS 7
     - Relying Parties: Browser Apps (WIF), Smart Clients, Web Services
  14. Why consider AD FS 2.0?
     - Building a production-ready STS is hard.
     - The Visual Studio STS templates are just starters for trivial dev scenarios.
     - Lots of configuration to manage and UIs to present in a real-world STS!
  15. Typical Traffic Flow
     - Diagram: Identity Provider (account side: Active Directory, Federation Server, Internal Client) and Relying Party (resource side: Federation Server, Web Server), joined by a Federation Trust
  16. Scenario 1 – Intra Organization (Claims-aware app, ADFS STS, Active Directory, User; the app trusts the STS)
     - Browse app
     - Not authenticated: redirected to STS
     - Authenticate; the STS queries Active Directory for user attributes
     - Return Security Token (ST)
     - Send Token to the app
     - Return page and cookie
  17. Scenario 2 – Inter Organization (Active Directory, Your ADFS STS, Partner ADFS STS & IP, Your claims-aware app, Partner user)
     - Browse app
     - Not authenticated: redirect to your STS
     - Home realm discovery
     - Redirected to partner STS requesting ST for partner user
     - Authenticate; return ST for consumption by your STS
     - Redirected to your STS; process token; return new ST
     - Send Token to the app
     - Return page and cookie
  18. Installing AD FS v2
     - Requires Windows Server 2008 / 2008 R2
     - Requires IIS 7, .NET 3.5 SP1, WIF
     - See deployment guide for required hot fixes and updates
     - Issue and install server certificates for HTTPS
     - Think about implications for the partner organisation: cross certification when few partners, otherwise buy the required certs
     - Download and install ADFS 2.0: simple wizard (New / farm member / Proxy – SSL cert – Names)
  19. AuthN, Attribute Stores
     - AD FS v2 can only use Active Directory as an identity store for authentication (ADFS v1 could also use AD LDS / ADAM)
     - AD FS v2 can extract attributes from AD DS and from SQL Server; SQL and LDAP stores are directly supported
     - Additional stores can be added through custom extensions: IAttributeStore (see: http://msdn.microsoft.com/en-us/library/ee895358.aspx)
     - Register your custom store using Add-ADFSAttributeStore

       Custom claim rule that queries the store (a rule with no condition starts with "=>"):

         => issue(store = "FileAttributeStore",
                  types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/name",
                           "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
                  query = "Age=33;EmpName,Role");

       Registering the store:

         Add-ADFSAttributeStore -TypeQualifiedName "CustomAttributeStores.FileAttributeStore,CustomAttributeStores" `
             -Configuration @{"FileName"="c:\temp\data.txt"} -Name FileAttributeStore

  20. Setting up your STS (Demo)
  21. Installation Sequence
  22. AD FS 2.0 deployment options
     - Single server configuration
     - AD FS 2.0 server farm and load-balancer
     - AD FS 2.0 proxy server (offsite users)
     - Diagram: Active Directory and AD FS 2.0 Servers in the Enterprise, AD FS 2.0 Proxies in the DMZ, serving internal and external users
  23. Configuring your AD FS Server
     - Or: %ProgramFiles%\Active Directory Federation Services 2.0\FsConfigWizard.exe
     - Manually: FsConfig.exe { StandAlone | CreateSQLFarm | JoinFarm | JoinSQLFarm | GenerateSQLScripts } [deployment specific parameters]
  24. FSConfigWizard
  25. Implementing ADFS in your infra
  26. Configuring your federation server: Identity Provider, Relying Party, Claims (Demo)
  27. Configuring the RP Trust
  28. Claim Rules
     - Rule templates simplify the creation of rules
     - Examples of rules are: permit / deny user based on incoming claim value; transform the incoming claim value; pass through / filter an incoming claim
     - Multiple claim rules can be specified and are processed in top to bottom order
     - Results from previously processed claims can be used as the input for subsequent rules
  29. Creating Rules: On IdP / On RP / On RP
  30. Creating Rules: a claim rule consists of two parts, condition and issuance statement
  31. Custom Claims: capabilities of custom rules include
     - Sending claims from a SQL attribute store
     - Sending claims from an LDAP attribute store using a custom LDAP filter
     - Sending claims from a custom attribute store
     - Sending claims only when 2 or more incoming claims are met
     - Sending claims only when an incoming claim matches a complex value
     - Sending claims with complex changes to an incoming claim value
     - Creating claims for use in later rules
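An added worked example (not from the slides) of the rule kinds covered on slides 28 to 31, written on the RP side: permit/deny on an incoming claim value, a transform, a pass-through/filter, and a later rule consuming a claim that an earlier rule created. The RP trust name "Claims-aware app", the AD group names and the application role values are assumptions.

```powershell
# Added example, not from the slides: issuance rules for one relying party (RP)
# trust, written in the AD FS 2.0 claim rule language and applied with the AD FS
# snap-in. Assumed: an RP trust named "Claims-aware app" exists and the claims
# provider emits AD group names as role claims. Authorization rules run first,
# against the incoming claims; transform rules then run top to bottom.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$role   = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
$name   = "http://schemas.microsoft.com/ws/2008/06/identity/claims/name"
$permit = "http://schemas.microsoft.com/authorization/claims/permit"
$deny   = "http://schemas.microsoft.com/authorization/claims/deny"

# Issuance authorization rules: who gets a token at all. A deny claim wins over
# a permit claim, so the contractor rule holds even if a contractor is also an
# App-Users member.
$authzRules = @"
@RuleName = "Deny contractors regardless of other group memberships"
c:[Type == "$role", Value == "Contractors"]
 => issue(Type = "$deny", Value = "true");

@RuleName = "Permit members of the application's AD groups"
c:[Type == "$role", Value =~ "^App-(Admins|Users)$"]
 => issue(Type = "$permit", Value = "true");
"@

# Issuance transform rules: what the application receives. add() puts a claim
# in the input set only, so the mapped role becomes visible to the filter rule
# below without being issued twice; issue() copies a claim to the output set.
$transformRules = @"
@RuleName = "Pass through the user name"
c:[Type == "$name"]
 => issue(claim = c);

@RuleName = "Map AD group App-Admins to application role AppAdmin (input set only)"
c:[Type == "$role", Value == "App-Admins"]
 => add(Type = "$role", Value = "AppAdmin");

@RuleName = "Filter: forward only application roles, dropping raw AD group names"
c:[Type == "$role", Value =~ "^App(Admin|User)$"]
 => issue(claim = c);
"@

Set-ADFSRelyingPartyTrust -TargetName "Claims-aware app" `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Read back the stored rule text to confirm the order in which AD FS will run it.
(Get-ADFSRelyingPartyTrust -Name "Claims-aware app").IssuanceTransformRules
```

With these rules an App-Admins member receives a name claim and a single role claim AppAdmin, while the raw group name never reaches the application.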
  32. Further Customizations: Custom Style Sheet, Home realm discovery, Logon Page, Authentication, …
  33. What Else?
     - Hardening: SCW profiles are on the box
     - Sizing
     - PowerShell
     - In Win8 becomes a server role again (v2.1)
  34. Windows Identity Foundation
  35. Windows Identity Foundation
     - Your one and only partner for .NET identity development
     - Adds claims-based authentication to your application in no time
     - My advice: forget custom user stores; and if you need them, WIF-ify (?) them
  36. Connecting an app to an STS (Demo)
  37. Where things get cloudy... Windows Azure AppFabric Access Control Service (ACS)
  38. Windows Azure AppFabric ACS
     - An STS in the cloud
     - Pluggable with identity providers: Windows Live ID, Facebook, Google, Yahoo!, any ADFS (or better: any WS-Federation passive endpoint), any OAuth2 provider
  39. Why ACS?
  40. Let's step back...
     - No, we're not the US
     - Federation across organizations does not happen often today
     - So why would I use ACS anyway?
     - Dev, test, accept, prod are different RPs!
     - 2 apps with all these environments is 8 RPs!
     - Imagine 10 apps... Or a hundred...
  41. ACS advantages
     - A scalable STS with one or more identity providers, one or more relying parties, one or more rule groups
     - Integrates with WIF
     - Integrates with ADFS
     - Instant win!
  42. ACS
     - Diagram: Identity Providers, ACS, Your Application
     - Browser-based: WS-Federation (SAML, SWT); ADFS2 via WS-Federation
     - Rich Client: WS-Trust (SAML); ADFS2 via WS-Trust
     - Server 2 Server: OAuth WRAP/2.0 (SWT), Service Identities
  43. Connecting an app to ACS (Demo)
  44. Connecting ACS to ADFS (Demo)
  45. Using ACS at its full extent: ACS as an identity service bus (Demo)
  46. Conclusion
  47. Conclusion
     - It is possible to do SSO over security boundaries
     - It is possible to integrate multiple apps with multiple identity providers
     - ADFS and ACS form a nice couple
     - Standards based solution
  48. Some Resources
     - AD FS v2 on TechNet and MSDN
     - AD FS v2 content on TechNet Wiki
     - Claims-Based Identity Blog
     - Windows Azure AppFabric Access Control Service
     - WIF and ACS Content Map on TechNet Wiki
     - Vittorio's Blog
     - http://identityserver.codeplex.com
  49. Q&A
  50. Winsec.be thanks his sponsors for their continued support
  51. Azug thanks his sponsors
