
Developing and deploying Identity-enabled applications for the cloud




  1. Developing and deploying Identity-enabled applications for the cloud
  2. This session
     meets
     Developing and deploying Identity-enabled applications for the cloud
  3. Winsec.be thanks its sponsors for their continued support
  4. Azug thanks its sponsors
  5. Thanks for being here and enjoy the show!
     Feedback to
  6. Developing and deploying Identity-enabled applications for the cloud
  7. Your Presenters for Today
     Maarten
     @maartenballiauw
     Co-founder of AZUG
     MVP: Windows Azure
     Blogs at
     Paul
     @ploonen
     Co-founder of
     MVP: Microsoft Forefront Identity Manager
     MCM Directory
     Current hobby: Architect @ Avanade
     Blog @
  8. Agenda
     Presenting the problem (a.k.a. “The Scenario”)
     How federation saves the day
     How ADFS solves federation
     How to connect an app to ADFS
     How Windows Azure adds extra sauce to federation
     Q&A
  9. Introducing the Problem
 10. Introducing AD FS v2
 11. Some vocabulary
 12. Federation benefits
     Benefits of SSO:
       reduce administrative overhead
       reduce security vulnerabilities as a result of lost or stolen passwords
       improve user productivity
     Intra-Enterprise: provide SSO for all your web sites and applications
     Inter-Enterprise:
       provide SSO experiences for your users to access apps in other organizations
       provide SSO experiences for users from external organizations to access your apps
     Easily externalize authentication & authorization
     Rich claims rules processing engine
     Management & Configuration Tools
 13. What is AD FS 2.0?
     AD FS 2.0 provides access and single sign-on for on-premises and cloud-based applications in the enterprise, across organizations, and on the Web
     AD FS 2.0 Major Components: Federation Server, Federation Server Proxy, Attribute Stores, Claims Engine, Management Snap-in
     Diagram labels: Other Claims Providers (CA, IBM, SUN, Other STS); Relying Parties (Browser Apps, Smart Clients, Web Services, Website, Web Service, WIF); Active Directory, MS SQL, Windows Internal DB; Windows Server 2008 SP2 / 2008 R2, .NET 3.5 SP1, IIS 7
 14. Why consider AD FS 2.0?
     Building a production-ready STS is hard.
     The Visual Studio STS templates are just starters for trivial dev scenarios.
     Lots of configuration to manage, UIs to present in a real-world STS!
 15. Typical Traffic Flow
     Diagram: Identity Provider (Account side: Active Directory, Federation Server, Internal Client) connected by a Federation Trust to the Relying Party (Resource side: Federation Server, Web Server)
 16. Scenario 1 – Intra Organization
     Actors: Claims-aware app, ADFS STS, Active Directory, User
     Precondition: App trusts STS
     Flow: Browse app; Not authenticated; Redirected to STS; Authenticate; Return Security Token; Query for user attributes; Send Token; Return page and cookie
 17. Scenario 2 – Inter Organization
     Actors: Active Directory, Your ADFS STS, Partner ADFS STS & IP, Your Claims-aware app, Partner user
     Flow: Browse app; Not authenticated; Redirect to your STS; Home realm discovery; Redirected to partner STS requesting ST for partner user; Authenticate; Return ST for consumption by your STS; Redirected to your STS; Process token; Return new ST; Send Token; Return page and cookie
 18. Installing AD FS v2
     Requires Windows Server 2008 / 2008 R2
     Requires IIS 7, .NET 3.5 SP1, WIF
     See deployment guide for required hot fixes and updates
     Issue and install server certificates for HTTPS
       Think about implications for partner organisations
       Cross certification when few partners; otherwise, buy the required certs
     Download and install ADFS 2.0
       Simple wizard
       New / farm member / Proxy – SSL cert – Names
 19. AuthN, Attribute Stores
     AD FS v2 can only use Active Directory as an identity store for authentication
       ADFS v1 could also use AD LDS / ADAM
     AD FS v2 can extract attributes from AD DS and from SQL Server
       SQL and LDAP stores are directly supported
       Additional stores can be added through custom extensions: implement IAttributeStore (see: )
     Register your custom store using Add-ADFSAttributeStore, then reference it from a custom claim rule:
       => issue(store = "FileAttributeStore", types = ("", ""), query = "Age=33;EmpName,Role");
       Add-ADFSAttributeStore -TypeQualifiedName "CustomAttributeStores.FileAttributeStore,CustomAttributeStores" -Configuration @{"FileName"="c:\temp\data.txt"} -Name FileAttributeStore
 20. Setting up your STS
     Demo
 21. Installation Sequence
 22. AD FS 2.0 deployment options
     Single server configuration
     AD FS 2.0 server farm and load-balancer
     AD FS 2.0 proxy server (offsite users)
     Diagram: Enterprise (Active Directory, AD FS 2.0 Servers, Internal user), DMZ (AD FS 2.0 Proxy servers), External user
 23. Configuring your AD FS Server
     Or: %ProgramFiles%\Active Directory Federation Services 2.0\FsConfigWizard.exe
     Manually: FsConfig.exe { StandAlone | CreateSQLFarm | JoinFarm | JoinSQLFarm | GenerateSQLScripts } [deployment specific parameters]
 24. FSConfigWizard
 25. Implementing ADFS in your infra
 26. Configuring your federation server
     Identity Provider, Relying Party, Claims
     Demo
 27. Configuring the RP Trust
 28. Claim Rules
     Rule templates simplify the creation of rules
     Examples of rules are:
       Permit / deny user based on incoming claim value
       Transform the incoming claim value
       Pass through / filter an incoming claim
     Multiple claim rules can be specified and are processed in top to bottom order
     Results from previously processed claims can be used as the input for subsequent rules
 29. Creating Rules
     On IdP
     On RP
     On RP
 30. Creating Rules
     A claim rule consists of two parts: a condition and an issuance statement
 31. Custom Claims
     Capabilities of custom rules include:
       Sending claims from a SQL attribute store
       Sending claims from an LDAP attribute store using a custom LDAP filter
       Sending claims from a custom attribute store
       Sending claims only when 2 or more incoming claims are met
       Sending claims only when an incoming claim matches a complex value
       Sending claims with complex changes to an incoming claim value
       Creating claims for use in later rules
 32. Further Customizations
     Custom Style Sheet
     Home realm discovery
     Logon Page
     Authentication
     …
 33. What Else?
     Hardening: SCW profiles are on the box
     Sizing
     PowerShell
     In Win8 becomes a server role again (v2.1)
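A worked rule set covering the capabilities listed in slides 28 to 31 (condition plus issuance statement, top-to-bottom processing, intermediate claims for later rules, a rule that fires only when two claims match, a regex match), as an added example rather than code from the deck. It assumes the AD FS 2.0 PowerShell snap-in and a relying party trust named ClaimsApp; the group SID and the example.test claim type are placeholders.

```powershell
# Added example, not from the deck: a rule set for a hypothetical RP trust named
# "ClaimsApp", applied with the AD FS 2.0 PowerShell snap-in. The group SID is a
# placeholder; replace it with the SID of the real group.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName = "ClaimsApp"   # hypothetical relying party trust display name

# Issuance authorization rules run BEFORE issuance transform rules, so they only
# see claims coming out of the claims provider's acceptance rules (here the AD
# group SIDs). A role issued further down in the transform rules cannot be used here.
$authzRules = @'
@RuleName = "Permit only members of the Finance group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-DOMAIN-SID-1105"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Issuance transform rules: processed top to bottom; each rule's output becomes
# input for the rules below it.
$transformRules = @'
@RuleName = "1. Pull name and e-mail from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";sAMAccountName,mail;{0}", param = c.Value);

@RuleName = "2. Intermediate claim: add() keeps it in the pipeline but never sends it to the RP"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-DOMAIN-SID-1105"]
 => add(Type = "http://example.test/claims/finance", Value = "true");

@RuleName = "3. Issue the role only when two claims match, one of them against a regex"
c1:[Type == "http://example.test/claims/finance", Value == "true"]
 && c2:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value =~ "^(?i).+@example[.]test$"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "FinanceUser");
'@

Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Read back what is now configured on the trust
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

Because rule 2 uses add() rather than issue(), the finance marker claim is visible to rule 3 but never leaves AD FS; only name, e-mail and (when both conditions hold) the role reach the application.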
 34. Windows Identity Foundation
 35. Windows Identity Foundation
     Your one and only partner for .NET identity development
     Adds claims-based authentication to your application in no time
     My advice: forget custom user stores
       And if you need them: WIF-ify (?) them
 36. Connecting an app to an STS
     Demo
 37. Where things get cloudy...
     Windows Azure AppFabric Access Control Service (ACS)
 38. Windows Azure AppFabric ACS
     An STS in the cloud
     Pluggable with identity providers:
       Windows Live ID
       Facebook
       Google
       Yahoo!
       Any ADFS (or better: any WS-Federation passive endpoint)
       Any OAuth2 provider
 39. Why ACS?
 40. Let’s step back...
     No, we’re not the US
     Federation across organizations does not happen often today
     So why would I use ACS anyway?
     Dev, test, accept, prod are different RPs!
     2 apps with all these environments is 8 RPs!
     Imagine 10 apps... Or a hundred...
 41. ACS advantages
     A scalable STS
       With one or more identity providers
       With one or more relying parties
       With one or more rule groups
     Integrates with WIF
     Integrates with ADFS
     Instant win!
 42. ACS
     Diagram: Identity Providers -> ACS -> Your Application
     Browser-based: WS-Federation (ADFS2 WS-Federation), tokens SAML / SWT
     Rich Client: WS-Trust (ADFS2 WS-Trust), token SAML
     Server 2 Server: OAuth WRAP/2.0 with Service Identities, token SWT
 43. Connecting an app to ACS
     Demo
 44. Connecting ACS to ADFS
     Demo
 45. Using ACS at its full extent
     ACS as an identity service bus
     Demo
 46. Conclusion
 47. Conclusion
     It is possible to do SSO over security boundaries
     It is possible to integrate multiple apps with multiple identity providers
     ADFS and ACS form a nice couple
     Standards-based solution
 48. Some Resources
     AD FS v2 on TechNet and MSDN
     AD FS v2 content on TechNet Wiki
     Claims-Based Identity Blog
     Windows Azure AppFabric Access Control Service
     WIF and ACS Content Map on TechNet Wiki
     Vittorio’s Blog
 49. Q&A
 50. Winsec.be thanks its sponsors for their continued support
 51. Azug thanks its sponsors

Editor's Notes

  • Real-world STSs need to manage multiple relying parties, each with multiple claim issuance and authorization rules. Delegation authorization for users of the RP requires even further configuration. Federated scenarios add the requirement of trusting other STSs. Access to Identity Providers and Attribute Stores, rules for querying
  • Capacity planning:
  • FSConfig.exe CreateSQLFarm /ServiceAccount <username> [/ServiceAccountPassword <password>] /SQLConnectionString <connection string> [/CertThumbprint <Cert Thumbprint>] [/Port <Port Number>] [/FederationServiceName <Federation Service Name>] [/CleanConfig] /AutoCertRolloverEnabled [/SigningCertThumbprint <Cert thumbprint>] [/DecryptCertThumbprint <Cert thumbprint>]
  • Here there’s a list of cloud scenarios we consider of interest in terms of how identity is handled. <click> Our baseline is the classic on-premises scenario. <click> You have a data center, <click> a population of internal users and <click> some authentication infrastructure, such as Active Directory, maintaining their accounts. <click> Applications targeting such an environment will follow the current intranet practices. <click> We will then introduce Windows Azure in the picture and observe how things change when the application moves to the cloud; we'll consider this both from the architecture and products usage perspectives. <click> Then we'll move to consider what happens when the application is exposed to multiple business partners, and the implications on authentication and relationships management. <click> However, business partners represent an important but tiny fraction of all the possible population <click> you can cater to if you target the internet users. <click> Live ID, Google, Facebook and Yahoo! have hundreds of millions of users; the authentication requirements in those conditions are completely different than the business case, although as we will see the solutions may end up being surprisingly similar. <click> Finally, the mobile scenario is of great importance and again apparently a completely different problem space. Using claims-based identity makes it very easy to progressively accommodate all those different scenarios.
  • The ACS would deserve multiple sessions in its own right to be properly covered; here I'm just giving you a quick sampler. What we have seen so far is just a small part of its surface. The schema here shows the WS-Federation subsystem, what is normally used for browser-based, session-oriented application types. We've been playing only with ADFS IP types, but in fact <click> there are many out-of-the-box popular IPs you can use right away with your application sticking to the same protocol <click> and a browser <click>. ACS can also do WS-Trust, a high-security protocol for SOAP web services, accepting identities from ADFS2 WS-Trust endpoints or bare credentials registered in ACS for management purposes. <click> The same sources can be used within OAuth 2.0 calls. OAuth is the current state of the art for securing REST calls: it is still in draft state, hence expect changes, but you can already experiment with it. <click> Both protocols can be used for rich client application types and in general <click> server 2 server interactions. Not shown here are the management endpoints, the other portion of ACS' development surface, which can be used instead of or alongside the portal for managing the namespace.