Developing and deploying Identity-enabled applications for the cloud
This session meets Developing and deploying Identity-enabled applications for the cloud
Winsec.be thanks its sponsors for their continued support
AZUG thanks its sponsors
Thanks for being here and enjoy the show! Feedback to board@azug.be
Your Presenters for Today
- Maarten (@maartenballiauw / about.me/maarten.balliauw): co-founder of AZUG, MVP: Windows Azure, blogs at http://blog.maartenballiauw.be
- Paul (@ploonen / paul@winsec.be): co-founder of winsec.be, MVP: Microsoft Forefront Identity Manager, MCM Directory, current hobby: Architect@Avanade, blog at http://be-id.blogspot.com
Agenda
- Presenting the problem (a.k.a. “The Scenario”)
- How federation saves the day
- How ADFS solves federation
- How to connect an app to ADFS
- How Windows Azure adds extra sauce to federation
- Q&A
Introducing the Problem
Introducing AD FS v2
Some vocabulary
Federation benefits
- Benefits of SSO: reduce administrative overhead; reduce security vulnerabilities resulting from lost or stolen passwords; improve user productivity
- Intra-Enterprise: provide SSO for all your web sites and applications
- Inter-Enterprise: provide an SSO experience for your users to access apps in other organizations, and for users from external organizations to access your apps
- Easily externalize authentication & authorization
- Rich claims rules processing engine
- Management & configuration tools
What is AD FS 2.0?
AD FS 2.0 provides access and single sign-on for on-premises and cloud-based applications in the enterprise, across organizations, and on the Web.
Diagram labels from the slide:
- Other claims providers: CA, IBM, SUN, other STS
- AD FS 2.0 major components: Federation Server, Federation Server Proxy, WIF, Attribute Stores, Claims Engine, Web Service, Website, Management Snap-in
- Attribute stores shown: Active Directory, MS SQL
- Platform: Windows Server 2008 SP2 / 2008 R2, Windows Internal DB, .NET 3.5 SP1, IIS 7
- Relying parties (using WIF): Browser Apps, Smart Clients, Web Services
Why consider AD FS 2.0? Building a production-ready STS is hard. The Visual Studio STS templates are just starters for trivial dev scenarios. A real-world STS has lots of configuration to manage and UIs to present!
Typical Traffic Flow (diagram): an Identity Provider (account side: Active Directory, Federation Server, Internal Client) and a Relying Party (resource side: Federation Server, Web Server), linked by a Federation Trust between the two federation servers.
Scenario 1 – Intra Organization
Actors: User, claims-aware app, ADFS STS, Active Directory. The app trusts the STS.
1. Browse app
2. Not authenticated: redirected to STS
3. Authenticate
4. Return security token (ST); the STS queries Active Directory for user attributes
5. Send token (ST) to the app
6. Return page and cookie
Scenario 2 – Inter Organization
Actors: Active Directory, your ADFS STS, partner ADFS STS & IP, your claims-aware app, partner user.
1. Browse app
2. Not authenticated: redirect to your STS
3. Home realm discovery: redirected to partner STS, requesting an ST for the partner user
4. Authenticate; the partner STS returns an ST for consumption by your STS
5. Redirected to your STS, which processes the token and returns a new ST
6. Send token to the app
7. Return page and cookie
Installing AD FS v2
- Requires Windows Server 2008 / 2008 R2
- Requires IIS 7, .NET 3.5 SP1, WIF
- See the deployment guide for required hotfixes and updates
- Issue and install server certificates for HTTPS; think about the implications for the partner organisation: cross certification when there are few partners, otherwise buy the required certs
- Download and install ADFS 2.0: simple wizard (new / farm member / proxy – SSL cert – names)
AuthN, Attribute Stores
- AD FS v2 can only use Active Directory as an identity store for authentication (ADFS v1 could also use AD LDS / ADAM)
- AD FS v2 can extract attributes from AD DS and from SQL Server; SQL and LDAP stores are directly supported
- Additional stores can be added through custom extensions implementing IAttributeStore (see: http://msdn.microsoft.com/en-us/library/ee895358.aspx)
- Register your custom store using Add-ADFSAttributeStore

Issuance statement fragment from the slide, querying the custom store (the start of the rule was lost in extraction):
types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/name", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "Age=33;EmpName,Role");

Registering the store:
Add-ADFSAttributeStore -TypeQualifiedName "CustomAttributeStores.FileAttributeStore,CustomAttributeStores" -Configuration @{"FileName"="c:\temp\data.txt"} -Name FileAttributeStore
Setting up your STS Demo
Installation Sequence
AD FS 2.0 deployment options
- Single server configuration
- AD FS 2.0 server farm and load-balancer
- AD FS 2.0 proxy server (offsite users)
Diagram: internal users reach the AD FS 2.0 servers (and Active Directory) inside the Enterprise network; external users reach AD FS 2.0 server proxies in the DMZ, which forward to the AD FS 2.0 servers.
Configuring your AD FS Server
Or: %ProgramFiles%\Active Directory Federation Services 2.0\FsConfigWizard.exe
Manually: FsConfig.exe { StandAlone | CreateSQLFarm | JoinFarm | JoinSQLFarm | GenerateSQLScripts } [deployment specific parameters]
FSConfigWizard
Implementing ADFS in your infra
Configuring your federation server: Identity Provider, Relying Party, Claims. Demo
Configuring the RP Trust
Claim Rules
- Rule templates simplify the creation of rules
- Examples of rules are: permit / deny a user based on an incoming claim value; transform the incoming claim value; pass through / filter an incoming claim
- Multiple claim rules can be specified; they are processed in top-to-bottom order
- Claims produced by previously processed rules can be used as input for subsequent rules
Creating Rules (diagram): rules exist on the IdP and on the RP.
Creating Rules: a claim rule consists of two parts, a condition and an issuance statement.
Custom Claims
Capabilities of custom rules include:
- Sending claims from a SQL attribute store
- Sending claims from an LDAP attribute store using a custom LDAP filter
- Sending claims from a custom attribute store
- Sending claims only when 2 or more incoming claims are matched
- Sending claims only when an incoming claim matches a complex value
- Sending claims with complex changes to an incoming claim value
- Creating claims for use in later rules
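To make the rule semantics of the last slides concrete, here is an added Python model (not AD FS code and not from the deck) of a claims pipeline: rules run top to bottom, each with a condition and an issuance statement; `add` keeps a claim for later rules only, `issue` also sends it to the relying party, and a deny claim always wins over a permit. The claim types and the rule set are constructed for the example.

```python
"""Toy model of AD FS claim-rule processing (added example, not AD FS code)."""
from dataclasses import dataclass
from typing import Callable, List

# Claim type URIs used by the constructed rule set.
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
GROUP = "http://schemas.xmlsoap.org/claims/Group"
PERMIT = "http://schemas.microsoft.com/authorization/claims/permit"
DENY = "http://schemas.microsoft.com/authorization/claims/deny"


@dataclass(frozen=True)
class Claim:
    type: str
    value: str


@dataclass
class Rule:
    name: str
    condition: Callable[[Claim], bool]    # the c:[...] part: which pipeline claims match
    statement: Callable[[Claim], Claim]   # the issue(...)/add(...) part: claim emitted per match
    mode: str = "issue"                   # "issue": output + pipeline; "add": pipeline only


def run_rules(rules: List[Rule], incoming: List[Claim]) -> List[Claim]:
    """Process rules top to bottom. Claims a rule emits are appended to the
    pipeline so later rules can consume them; only 'issue' claims reach the output."""
    pipeline = list(incoming)
    output: List[Claim] = []
    for rule in rules:
        if rule.mode not in ("issue", "add"):
            raise ValueError(f"rule {rule.name!r}: unknown mode {rule.mode!r}")
        # Evaluate against a snapshot so a rule never consumes its own output.
        emitted = [rule.statement(c) for c in pipeline if rule.condition(c)]
        for claim in emitted:
            if claim not in pipeline:
                pipeline.append(claim)
            if rule.mode == "issue" and claim not in output:
                output.append(claim)
    return output


def authorize(issued: List[Claim]) -> bool:
    """Authorization decision: any deny claim wins; otherwise a permit claim is required."""
    if any(c.type == DENY for c in issued):
        return False
    return any(c.type == PERMIT for c in issued)


# Constructed rule set mirroring the rule kinds named on the slides.
RULES = [
    Rule("pass through / filter: only App-* groups reach the RP",
         lambda c: c.type == GROUP and c.value.startswith("App-"),
         lambda c: c),
    Rule("transform: App-Admins group -> Admin role, kept for later rules only",
         lambda c: c.type == GROUP and c.value == "App-Admins",
         lambda c: Claim(ROLE, "Admin"), mode="add"),
    Rule("issue role claims created by earlier rules",
         lambda c: c.type == ROLE,
         lambda c: c),
    Rule("permit when a role was established",
         lambda c: c.type == ROLE,
         lambda c: Claim(PERMIT, "true")),
    Rule("deny contractors regardless of role (unfiltered input is still visible)",
         lambda c: c.type == GROUP and c.value == "Contractors",
         lambda c: Claim(DENY, "true")),
]


def evaluate(incoming: List[Claim]):
    """Run the constructed rule set and return (issued claims, authorized?)."""
    issued = run_rules(RULES, incoming)
    return issued, authorize(issued)


if __name__ == "__main__":
    for c in [Claim(GROUP, "App-Admins"), Claim(GROUP, "Domain Users")]:
        print("in :", c)
    issued, ok = evaluate([Claim(GROUP, "App-Admins"), Claim(GROUP, "Domain Users")])
    for c in issued:
        print("out:", c)
    print("authorized:", ok)
```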
Further Customizations: custom style sheet, home realm discovery, logon page, authentication, …
What Else? Hardening: SCW profiles are on the box. Sizing. PowerShell. In Win8 it becomes a server role again (v2.1).
Windows Identity Foundation
Windows Identity Foundation: your one and only partner for .NET identity development. Adds claims-based authentication to your application in no time. My advice: forget custom user stores, and if you need them: WIF-ify (?) them.
Connecting an app to an STS Demo
Where things get cloudy... Windows Azure AppFabric Access Control Service (ACS)
Windows Azure AppFabric ACS
- An STS in the cloud
- Pluggable with identity providers: Windows Live ID, Facebook, Google, Yahoo!, any ADFS (or better: any WS-Federation passive endpoint), any OAuth2 provider
Why ACS?
Let’s step back... No, we’re not the US
- Federation across organizations does not happen often today
- So why would I use ACS anyway?
- Dev, test, accept, prod are different RPs! 2 apps with all these environments is 8 RPs! Imagine 10 apps... or a hundred...
ACS advantages
- A scalable STS with one or more identity providers, one or more relying parties and one or more rule groups
- Integrates with WIF
- Integrates with ADFS
- Instant win!
ACS Identity Providers (diagram): identity providers → ACS → your application; token formats SAML and SWT.
- Browser-based: WS-Federation; ADFS2 via WS-Federation
- Rich client: SAML over WS-Trust; ADFS2 via WS-Trust
- Server 2 Server: SWT over OAuth WRAP / OAuth 2.0; Service Identities
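As an added example (not code from the deck or from ACS), the server-to-server leg above can be shown with SWT, the HMAC-signed form-encoded token ACS handed out over OAuth WRAP: the relying party must verify the signature, expiry, issuer and audience before it trusts a single claim. The key, ACS namespace and realm values below are constructed.

```python
"""Issue and validate a Simple Web Token (SWT); added example, not ACS code."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlencode

NAME_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/name"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
SIG_MARKER = "&HMACSHA256="   # per the SWT format the signature is the last pair


class SwtError(ValueError):
    """Raised for any reason the relying party must reject the token."""


def issue_swt(claims, key_b64, issuer, audience, expires_on):
    """Serialise claims plus Issuer/Audience/ExpiresOn, then append the HMAC-SHA256
    (base64, URL-encoded) computed over the exact serialised string."""
    pairs = list(claims.items()) + [
        ("Issuer", issuer),
        ("Audience", audience),
        ("ExpiresOn", str(expires_on)),   # seconds since the Unix epoch
    ]
    unsigned = urlencode(pairs)
    key = base64.b64decode(key_b64)
    mac = hmac.new(key, unsigned.encode("utf-8"), hashlib.sha256).digest()
    return unsigned + SIG_MARKER + quote(base64.b64encode(mac).decode("ascii"), safe="")


def validate_swt(token, key_b64, expected_issuer, expected_audience, now):
    """Verify signature first, then expiry, issuer and audience; return the claims."""
    idx = token.rfind(SIG_MARKER)
    if idx < 0:
        raise SwtError("token carries no HMACSHA256 signature")
    unsigned, presented_b64 = token[:idx], token[idx + len(SIG_MARKER):]
    try:
        presented = base64.b64decode(unquote(presented_b64), validate=True)
    except ValueError:
        raise SwtError("signature is not valid base64")
    key = base64.b64decode(key_b64)
    expected = hmac.new(key, unsigned.encode("utf-8"), hashlib.sha256).digest()
    # Constant-time comparison so a byte-by-byte mismatch does not leak timing.
    if not hmac.compare_digest(presented, expected):
        raise SwtError("signature mismatch: token was altered or signed with another key")
    claims = dict(parse_qsl(unsigned, keep_blank_values=True))
    try:
        expires_on = int(claims.get("ExpiresOn", ""))
    except ValueError:
        raise SwtError("ExpiresOn missing or not an integer")
    if expires_on <= now:
        raise SwtError("token expired")
    if claims.get("Issuer") != expected_issuer:
        raise SwtError("unexpected issuer")
    if claims.get("Audience") != expected_audience:
        raise SwtError("audience mismatch: token was issued for another relying party")
    return claims


def rejection_reason(token, key_b64, issuer, audience, now):
    """Return the SwtError message for a bad token, or None when it validates."""
    try:
        validate_swt(token, key_b64, issuer, audience, now)
    except SwtError as exc:
        return str(exc)
    return None


# Constructed demo values: a 256-bit shared key, an ACS-style issuer and an app realm.
DEMO_KEY_B64 = base64.b64encode(bytes(range(32))).decode("ascii")
DEMO_ISSUER = "https://example-namespace.accesscontrol.windows.net/"
DEMO_AUDIENCE = "http://localhost/ClaimsAwareApp/"


def demo():
    """Issue a token for 'alice' with the Admin role and validate it at a fixed time."""
    token = issue_swt({NAME_CLAIM: "alice", ROLE_CLAIM: "Admin"}, DEMO_KEY_B64,
                      DEMO_ISSUER, DEMO_AUDIENCE, expires_on=2_000_000_000)
    claims = validate_swt(token, DEMO_KEY_B64, DEMO_ISSUER, DEMO_AUDIENCE, now=1_700_000_000)
    return claims[ROLE_CLAIM]


if __name__ == "__main__":
    print("role from validated token:", demo())
```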
Connecting an app to ACS Demo
Connecting ACS to ADFS Demo
Using ACS at its full extent ACS as an identity service bus Demo
Conclusion
Conclusion
- It is possible to do SSO over security boundaries
- It is possible to integrate multiple apps with multiple identity providers
- ADFS and ACS form a nice couple
- Standards-based solution
Some Resources
- AD FS v2 on TechNet and MSDN
- AD FS v2 content on TechNet Wiki
- Claims-Based Identity Blog
- Windows Azure AppFabric Access Control Service
- WIF and ACS Content Map on TechNet Wiki
- Vittorio’s Blog
- http://identityserver.codeplex.com
Q&A
Winsec.be thanks its sponsors for their continued support

More Related Content

What's hot

Windows Azure Active Directory
Windows Azure Active DirectoryWindows Azure Active Directory
Windows Azure Active Directory
Pavel Revenkov
 
Adfs Shib Interop Um Oxford
Adfs Shib Interop Um OxfordAdfs Shib Interop Um Oxford
Adfs Shib Interop Um Oxford
guestd9aa5
 

What's hot (20)

Azure: PaaS or IaaS
Azure: PaaS or IaaSAzure: PaaS or IaaS
Azure: PaaS or IaaS
 
Azure Active Directory - An Introduction
Azure Active Directory  - An IntroductionAzure Active Directory  - An Introduction
Azure Active Directory - An Introduction
 
Azure hands on lab
Azure hands on labAzure hands on lab
Azure hands on lab
 
70-534: ARCHITECTING MICROSOFT AZURE SOLUTIONS
70-534: ARCHITECTING MICROSOFT AZURE SOLUTIONS70-534: ARCHITECTING MICROSOFT AZURE SOLUTIONS
70-534: ARCHITECTING MICROSOFT AZURE SOLUTIONS
 
Azure Active Directory
Azure Active DirectoryAzure Active Directory
Azure Active Directory
 
Zero credential development with managed identities
Zero credential development with managed identitiesZero credential development with managed identities
Zero credential development with managed identities
 
Windows Azure Active Directory
Windows Azure Active DirectoryWindows Azure Active Directory
Windows Azure Active Directory
 
Microsoft Azure Identity and O365
Microsoft Azure Identity and O365Microsoft Azure Identity and O365
Microsoft Azure Identity and O365
 
Develop enterprise-ready applications for Microsoft Teams
Develop enterprise-ready applications for Microsoft TeamsDevelop enterprise-ready applications for Microsoft Teams
Develop enterprise-ready applications for Microsoft Teams
 
Design and Configure Azure App Service Web Apps
Design and Configure Azure App Service Web AppsDesign and Configure Azure App Service Web Apps
Design and Configure Azure App Service Web Apps
 
Everything you always wanted to know about API Management (but were afraid to...
Everything you always wanted to know about API Management (but were afraid to...Everything you always wanted to know about API Management (but were afraid to...
Everything you always wanted to know about API Management (but were afraid to...
 
Adfs Shib Interop Um Oxford
Adfs Shib Interop Um OxfordAdfs Shib Interop Um Oxford
Adfs Shib Interop Um Oxford
 
Identity and o365 on Azure
Identity and o365 on AzureIdentity and o365 on Azure
Identity and o365 on Azure
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
 
Windows azure active directory
Windows azure active directoryWindows azure active directory
Windows azure active directory
 
DEVNET-1120 Intercloud Fabric - AWS and Azure Account Setup and Utilization
DEVNET-1120	Intercloud Fabric - AWS and Azure Account Setup and UtilizationDEVNET-1120	Intercloud Fabric - AWS and Azure Account Setup and Utilization
DEVNET-1120 Intercloud Fabric - AWS and Azure Account Setup and Utilization
 
O365Con18 - Connect SharePoint Framework Solutions to API's secured with Azur...
O365Con18 - Connect SharePoint Framework Solutions to API's secured with Azur...O365Con18 - Connect SharePoint Framework Solutions to API's secured with Azur...
O365Con18 - Connect SharePoint Framework Solutions to API's secured with Azur...
 
Azure Web Apps Advanced Security
Azure Web Apps Advanced SecurityAzure Web Apps Advanced Security
Azure Web Apps Advanced Security
 
Como construir suas aplicações escaláveis sem servidores
Como construir suas aplicações escaláveis sem servidoresComo construir suas aplicações escaláveis sem servidores
Como construir suas aplicações escaláveis sem servidores
 
Azure web apps
Azure web appsAzure web apps
Azure web apps
 

Similar to Developing and deploying Identity-enabled applications for the cloud

CTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App FabricCTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App Fabric
Spiffy
 

Similar to Developing and deploying Identity-enabled applications for the cloud (20)

CTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App FabricCTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App Fabric
 
Azure Active Directory - An Introduction for Developers
Azure Active Directory - An Introduction for DevelopersAzure Active Directory - An Introduction for Developers
Azure Active Directory - An Introduction for Developers
 
Análisis de riesgos en Azure y protección de la información
Análisis de riesgos en Azure y protección de la informaciónAnálisis de riesgos en Azure y protección de la información
Análisis de riesgos en Azure y protección de la información
 
Put Your Existing Application On Windows Azure
Put Your Existing Application On Windows AzurePut Your Existing Application On Windows Azure
Put Your Existing Application On Windows Azure
 
Azure Global Bootcamp 2017 Azure AD Deployment
Azure Global Bootcamp 2017 Azure AD DeploymentAzure Global Bootcamp 2017 Azure AD Deployment
Azure Global Bootcamp 2017 Azure AD Deployment
 
Single Sign On using ADFS.pptx
Single Sign On using ADFS.pptxSingle Sign On using ADFS.pptx
Single Sign On using ADFS.pptx
 
The Windows Azure Platform (MSDN Events Series)
The Windows Azure Platform (MSDN Events Series)The Windows Azure Platform (MSDN Events Series)
The Windows Azure Platform (MSDN Events Series)
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
 
Windows Server 2008 Active Directory ADFS Claims-base Idm for Windows Part 2
Windows Server 2008 Active Directory ADFS Claims-base Idm for Windows Part 2Windows Server 2008 Active Directory ADFS Claims-base Idm for Windows Part 2
Windows Server 2008 Active Directory ADFS Claims-base Idm for Windows Part 2
 
Managing Software from Development to Deployment in the Cloud
Managing Software from Development to Deployment in the CloudManaging Software from Development to Deployment in the Cloud
Managing Software from Development to Deployment in the Cloud
 
Ad fs
Ad fsAd fs
Ad fs
 
Ad cs-step-by-step-guide
Ad cs-step-by-step-guideAd cs-step-by-step-guide
Ad cs-step-by-step-guide
 
MCSA 70-412 Chapter 08
MCSA 70-412 Chapter 08MCSA 70-412 Chapter 08
MCSA 70-412 Chapter 08
 
Vdi in-a-box
Vdi in-a-boxVdi in-a-box
Vdi in-a-box
 
Azure Virtual Desktop Overview.pptx
Azure Virtual Desktop Overview.pptxAzure Virtual Desktop Overview.pptx
Azure Virtual Desktop Overview.pptx
 
Build Message-Based Web Services for SOA
Build Message-Based Web Services for SOABuild Message-Based Web Services for SOA
Build Message-Based Web Services for SOA
 
Security as a Service - Tian Wang
Security as a Service - Tian WangSecurity as a Service - Tian Wang
Security as a Service - Tian Wang
 
O365con14 - moving from on-premises to online, the road to follow
O365con14 - moving from on-premises to online, the road to followO365con14 - moving from on-premises to online, the road to follow
O365con14 - moving from on-premises to online, the road to follow
 
Transform into an Azure Managed Service Provider - WVD.pptx
Transform into an Azure Managed Service Provider - WVD.pptxTransform into an Azure Managed Service Provider - WVD.pptx
Transform into an Azure Managed Service Provider - WVD.pptx
 
VMworld 2013: Developer Services on vCloud Hybrid Services
VMworld 2013: Developer Services on vCloud Hybrid Services VMworld 2013: Developer Services on vCloud Hybrid Services
VMworld 2013: Developer Services on vCloud Hybrid Services
 

More from Maarten Balliauw

More from Maarten Balliauw (20)

Bringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxBringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptx
 
Nerd sniping myself into a rabbit hole... Streaming online audio to a Sonos s...
Nerd sniping myself into a rabbit hole... Streaming online audio to a Sonos s...Nerd sniping myself into a rabbit hole... Streaming online audio to a Sonos s...
Nerd sniping myself into a rabbit hole... Streaming online audio to a Sonos s...
 
Building a friendly .NET SDK to connect to Space
Building a friendly .NET SDK to connect to SpaceBuilding a friendly .NET SDK to connect to Space
Building a friendly .NET SDK to connect to Space
 
Microservices for building an IDE - The innards of JetBrains Rider - NDC Oslo...
Microservices for building an IDE - The innards of JetBrains Rider - NDC Oslo...Microservices for building an IDE - The innards of JetBrains Rider - NDC Oslo...
Microservices for building an IDE - The innards of JetBrains Rider - NDC Oslo...
 
Indexing and searching NuGet.org with Azure Functions and Search - .NET fwday...
Indexing and searching NuGet.org with Azure Functions and Search - .NET fwday...Indexing and searching NuGet.org with Azure Functions and Search - .NET fwday...
Indexing and searching NuGet.org with Azure Functions and Search - .NET fwday...
 
NDC Sydney 2019 - Microservices for building an IDE – The innards of JetBrain...
NDC Sydney 2019 - Microservices for building an IDE – The innards of JetBrain...NDC Sydney 2019 - Microservices for building an IDE – The innards of JetBrain...
NDC Sydney 2019 - Microservices for building an IDE – The innards of JetBrain...
 
JetBrains Australia 2019 - Exploring .NET’s memory management – a trip down m...
JetBrains Australia 2019 - Exploring .NET’s memory management – a trip down m...JetBrains Australia 2019 - Exploring .NET’s memory management – a trip down m...
JetBrains Australia 2019 - Exploring .NET’s memory management – a trip down m...
 
.NET Conf 2019 - Indexing and searching NuGet.org with Azure Functions and Se...
.NET Conf 2019 - Indexing and searching NuGet.org with Azure Functions and Se....NET Conf 2019 - Indexing and searching NuGet.org with Azure Functions and Se...
.NET Conf 2019 - Indexing and searching NuGet.org with Azure Functions and Se...
 
CloudBurst 2019 - Indexing and searching NuGet.org with Azure Functions and S...
CloudBurst 2019 - Indexing and searching NuGet.org with Azure Functions and S...CloudBurst 2019 - Indexing and searching NuGet.org with Azure Functions and S...
CloudBurst 2019 - Indexing and searching NuGet.org with Azure Functions and S...
 
NDC Oslo 2019 - Indexing and searching NuGet.org with Azure Functions and Search
NDC Oslo 2019 - Indexing and searching NuGet.org with Azure Functions and SearchNDC Oslo 2019 - Indexing and searching NuGet.org with Azure Functions and Search
NDC Oslo 2019 - Indexing and searching NuGet.org with Azure Functions and Search
 
Approaches for application request throttling - Cloud Developer Days Poland
Approaches for application request throttling - Cloud Developer Days PolandApproaches for application request throttling - Cloud Developer Days Poland
Approaches for application request throttling - Cloud Developer Days Poland
 
Indexing and searching NuGet.org with Azure Functions and Search - Cloud Deve...
Indexing and searching NuGet.org with Azure Functions and Search - Cloud Deve...Indexing and searching NuGet.org with Azure Functions and Search - Cloud Deve...
Indexing and searching NuGet.org with Azure Functions and Search - Cloud Deve...
 
Approaches for application request throttling - dotNetCologne
Approaches for application request throttling - dotNetCologneApproaches for application request throttling - dotNetCologne
Approaches for application request throttling - dotNetCologne
 
CodeStock - Exploring .NET memory management - a trip down memory lane
CodeStock - Exploring .NET memory management - a trip down memory laneCodeStock - Exploring .NET memory management - a trip down memory lane
CodeStock - Exploring .NET memory management - a trip down memory lane
 
ConFoo Montreal - Microservices for building an IDE - The innards of JetBrain...
ConFoo Montreal - Microservices for building an IDE - The innards of JetBrain...ConFoo Montreal - Microservices for building an IDE - The innards of JetBrain...
ConFoo Montreal - Microservices for building an IDE - The innards of JetBrain...
 
ConFoo Montreal - Approaches for application request throttling
ConFoo Montreal - Approaches for application request throttlingConFoo Montreal - Approaches for application request throttling
ConFoo Montreal - Approaches for application request throttling
 
Microservices for building an IDE – The innards of JetBrains Rider - TechDays...
Microservices for building an IDE – The innards of JetBrains Rider - TechDays...Microservices for building an IDE – The innards of JetBrains Rider - TechDays...
Microservices for building an IDE – The innards of JetBrains Rider - TechDays...
 
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
JetBrains Day Seoul - Exploring .NET’s memory management – a trip down memory...
 
DotNetFest - Let’s refresh our memory! Memory management in .NET
DotNetFest - Let’s refresh our memory! Memory management in .NETDotNetFest - Let’s refresh our memory! Memory management in .NET
DotNetFest - Let’s refresh our memory! Memory management in .NET
 
VISUG - Approaches for application request throttling
VISUG - Approaches for application request throttlingVISUG - Approaches for application request throttling
VISUG - Approaches for application request throttling
 

Recently uploaded

Recently uploaded (20)

Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 

Developing and deploying Identity-enabled applications for the cloud

  • 1. Developing and deploying Identity-enabled applications for the cloud
  • 2. This session meets Developing and deploying Identity-enabled applications for the cloud
  • 3. Winsec.bethanks his sponsors for their continued support
  • 5.
  • 6.
  • 7. Your Presenters for Today Maarten @maartenballiauw / about.me/maarten.balliauw Co-founder of AZUG MVP: Windows Azure Blogs at http://blog.maartenballiauw.be Paul @ploonen / paul@winsec.be Co-founder of winsec.be MVP: Microsoft Forefront Identity Manager MCM Directory Current hobby: Architect@Avanade Blog @ http://be-id.blogspot.com
  • 8. Agenda Presenting the problem (a.k.a. “The Scenario”) How federation saves the day How ADFS solves federation How to connect an app to ADFS How Windows Azure adds extra sauce to federation Q&A
  • 12. Federation benefits Benefits of SSO reduce administrative overhead reduce security vulnerabilities as a result of lost or stolen passwords improve user productivity Intra-Enterprise: provide SSO for all your web sites and applications Inter-Enterprise: provide SSO experiences for your users to access apps in other organizations provide SSO experience for users from external organizations to access your apps Easily externalize authentication & authorization Rich claims rules processing engine Management & Configuration Tools
  • 13. What is AD FS 2.0? Other Claims Providers AD FS 2.0 provides access and single sign-on for on-premises and cloud-based applications in the enterprise, across organizations, and on the Web CA IBM SUN AD FS 2.0 Major Components Federation Server Federation Server Proxy WIF Attribute Stores Claims Engine Website Management Snap-in Other STS Web Service Active Directory Windows Server 2008 SP2, 2008 R2 MS SQL Relying Parties Browser Apps WIF Windows Internal DB .NET 3.5 SP1 IIS 7 Smart Clients Web Services
  • 14. Why consider AD FS 2.0? Building a production-ready STS is hard. The Visual Studio STS templates are just starters for trivial dev scenarios. Lots of configuration to manage, UI's to present in real world STS!
  • 15. Typical Traffic Flow Identity Provider Relying Party Federation Trust Active Directory Account Resource Federation Server Federation Server Web Server Internal Client
  • 16. Scenario 1 – Intra Organization Claims-aware app ADFS STS Active Directory User App trusts STS Browse app Not authenticated Redirected to STS Authenticate Return Security Token Query for user attributes Send Token ST ST Return pageand cookie
  • 17. Scenario 2 – Inter Organization ActiveDirectory Your ADFS STS Partner ADFS STS & IP YourClaims-aware app Partner user Browse app Not authenticated Redirect to your STS Home realm discovery Redirected to partner STS requesting ST for partner user Authenticate Return ST for consumption by your STS Redirected to your STS ST ST ST ST Process token Return new ST Send Token Return pageand cookie
  • 18. Installing AD FS v2 Requires Windows Server 2008 / 2008 R2 Requires IIS 7, .NET 3.5 SP1, WIF See deployment guide for required hot fixes and updates Issue and install server certificates for HTTPS Think about implications for partner organisation Cross certification when few partners, otherwise, buy required certs Download and install ADFS 2.0 Simple Wizard New / farm member / Proxy – SSL cert – Names
  • 19.
  • 20. Setting up your STS Demo
  • 22. AD FS 2.0 deployment options Single server configuration AD FS 2.0 server farm and load-balancer AD FS 2.0 proxy server (offsite users) Active Directory AD FS 2.0 Server Proxy AD FS 2.0 Server AD FS 2.0 Server AD FS 2.0 Server Proxy External user Internal user DMZ Enterprise
  • 23. Configuring your AD FS Server Or: %ProgramFiles%ctive Directory Federation Services 2.0sConfigWizard.exe Manually: FsConfig.exe { StandAlone | CreateSQLFarm | JoinFarm | JoinSQLFarm | GenerateSQLScripts} [deployment specific parameters]
  • 25. Implementing ADFS in your infra
  • 26. Configuring your federation server Identity Provider Relying Party Claims Demo
  • 28. Claim Rules Rule templates simplify the creation of rules Examples of rules are: Permit / deny user based on incoming claim value Transform the incoming claim value Pass through / filter an incoming claim Multiple claim rules can be specified and are processed in top to bottom order Results from previously processed claims can be used as the input for subsequent rules
  • 29. Creating Rules On IdP On RP On RP
  • 30. Creating Rules Condition Issuance Statement A claim rule consists of two parts, condition and issuance statement
  • 31. Custom Claims Capabilities of custom rules include Sending claims from a SQL attribute store Sending claims from an LDAP attribute store using a custom LDAP filter Sending claims from a custom attribute store Sending claims only when 2 or more incoming claims are met Sending claims only when an incoming claim matches a complex value Sending claims with complex changes to an incoming claim value Creating claims for use in later rules
  • 32. Further Customizations Custom Style Sheet Home realm discovery Logon Page Authentication …
  • 33. What Else? Hardening SCW profiles are on the box Sizing PowerShell In Win8 becomes a server role again (v2.1)
  • 35. Windows Identity Foundation Your one and only partner for .NET identity development Adds claims-based authentication to your application in no time My advise: forget custom user stores And if you need them: WIF-ify (?) them
  • 36. Connecting an app to an STS Demo
  • 37. Where things get cloudy... Windows Azure AppFabric Access Control Service (ACS)
  • 38. Windows Azure AppFabric ACS An STS in the cloud Pluggable with identity providers Windows Live ID Facebook Google Yahoo! Any ADFS or better: any WS-federation passive endpoint Any OAuth2 provider
  • 40. Let’s step back... No, we’re not the US. Federation across organizations does not happen often today. So why would I use ACS anyway? Dev, test, accept, prod are different RPs! 2 apps with all these environments is 8 RPs! Imagine 10 apps... Or a hundred...
  • 41. ACS advantages A scalable STS With one or more identity providers With one or more relying parties With one or more rule groups Integrates with WIF Integrates with ADFS Instant win!
  • 42. ACS Identity Providers (diagram of your application, ACS and the identity providers): browser-based clients use WS-Federation, with ADFS2 as a WS-Federation identity provider and SAML or SWT tokens handed to the application; rich clients use WS-Trust with SAML tokens, with ADFS2 as a WS-Trust identity provider; server-to-server calls use SWT tokens over OAuth WRAP/2.0 with ACS service identities.
  • 43. Connecting an app to ACS Demo
  • 44. Connecting ACS to ADFS Demo
  • 45. Using ACS at its full extent ACS as an identity service bus Demo
  • 47. Conclusion It is possible to do SSO over security boundaries It is possible to integrate multiple apps with multiple identity providers ADFS and ACS form a nice couple Standards based solution
  • 48. Some Resources AD FS v2 on TechNet and MSDN AD FS v2 content on TechNet Wiki Claims-Based Identity Blog Windows Azure AppFabric Access Control Service WIF and ACS Content Map on Technet Wiki Vittorio’s Blog http://identityserver.codeplex.com
  • 49. Q&A
  • 50. Winsec.be thanks its sponsors for their continued support

Editor's Notes

  1. Real-world STSs need to manage multiple relying parties, each with multiple claim issuance and authorization rules. Delegation authorization for users of the RP requires even further configuration. Federated scenarios add the requirement of trusting other STSs, plus access to identity providers and attribute stores, and rules for querying them.
  2. Capacity planning: http://www.microsoft.com/download/en/details.aspx?id=2278
  3. FSConfig.exe CreateSQLFarm /ServiceAccount <username> [/ServiceAccountPassword <password>] /SQLConnectionString <connection string> [/CertThumbprint <Cert Thumbprint>] [/Port <Port Number>] [/FederationServiceName <Federation Service Name>] [/CleanConfig] /AutoCertRolloverEnabled [/SigningCertThumbprint <Cert thumbprint>] [/DecryptCertThumbprint <Cert thumbprint>]
  4. Here is a list of cloud scenarios we consider of interest in terms of how identity is handled. <click> Our baseline is the classic on-premises scenario. <click> You have a data center, <click> a population of internal users and <click> some authentication infrastructure, such as Active Directory, maintaining their accounts. <click> Applications targeting such an environment will follow the current intranet practices. <click> We will then introduce Windows Azure into the picture and observe how things change when the application moves to the cloud; we'll consider this both from the architecture and product usage perspectives. <click> Then we'll move on to consider what happens when the application is exposed to multiple business partners, and the implications for authentication and relationship management. <click> However, business partners represent an important but tiny fraction of all the possible population <click> you can cater to if you target internet users. <click> Live ID, Google, Facebook and Yahoo! have hundreds of millions of users; the authentication requirements in those conditions are completely different from the business case, although as we will see the solutions may end up being surprisingly similar. <click> Finally, the mobile scenario is of great importance and again apparently a completely different problem space. Using claims-based identity makes it very easy to progressively accommodate all those different scenarios.
  5. The ACS would deserve multiple sessions in its own right to be properly covered; here I'm just giving you a quick sampler. What we have seen so far is just a small part of its surface. The schema here shows the WS-Federation subsystem, which is normally used for browser-based, session-oriented application types. We've been playing only with ADFS IP types, but in fact <click> there are many popular IPs out of the box that you can use right away with your application, sticking to the same protocol <click> and a browser <click>. ACS can also do WS-Trust, a high-security protocol for SOAP web services, accepting identities from ADFS2 WS-Trust endpoints or bare credentials registered in ACS for management purposes. <click> The same sources can be used within OAuth 2.0 calls. OAuth is the current state of the art for securing REST calls: it is still in draft state, hence expect changes, but you can already experiment with it. <click> Both protocols can be used for rich client application types and in general <click> server-to-server interactions. Not shown here are the management endpoints, the other portion of ACS' development surface, which can be used instead of or alongside the portal for managing the namespace.