Demystifying the Modern Identity Stack Mike Benkovich- @mbenko Local Computer Guy www.Benkotips.com mdc2013

Uploaded by justus, posted 14-Jan-2016



TRANSCRIPT

Page 1: Demystifying the Modern Identity Stack

Demystifying the Modern Identity Stack

Mike Benkovich - @mbenko, Local Computer Guy, www.Benkotips.com

mdc2013

Page 2

Send me Feedback! http://bit.ly/bqtMDC13

Mike Benkovich, [email protected]
- Former Microsoft developer evangelist
- Twin Cities based
- Technology Services
- Windows 8, phone, and Cloud consulting
- www.benkoTIPS.com
- @mbenko on Twitter

Page 3

Identity Story

Page 4

Checklist

- What is the Microsoft Identity Stack?
- How to use Application Identity
- How to use Public Identity
- How to use Corporate Identity

Tackle those, and you’ve got the Identity Stack!

Page 5

Application Identity

- User accounts created for sole use by the app
- Storage and management of accounts?
- How do you securely store passwords?
- How do users reset or retrieve their passwords?
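The two questions the slide asks about application identity (how passwords are stored, how users reset them) are the ones an app-owned account store gets wrong most often. The following is an added example, not code from the deck or from any Microsoft provider: it stores passwords as salted, iterated PBKDF2 hashes in a self-describing record, verifies them in constant time, and issues reset tokens that are random, single-use, time-limited and stored only as a SHA-256 digest, so a leaked table cannot be used to reset anyone's password. The iteration count and token lifetime are assumed policy values.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Added example (not from the deck): salted, iterated password hashing plus
# hashed, single-use, time-limited reset tokens for an application identity store.

PBKDF2_ITERATIONS = 600_000   # assumption: tune so one hash takes ~100 ms on your hardware
RESET_TOKEN_TTL = 15 * 60     # assumption: seconds a reset link stays valid


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (salt and hash in hex)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False                      # malformed record: treat as a failed login, never as success
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


class ResetTokenStore:
    """Keeps only SHA-256(token) -> (user, expiry); the clear-text token goes to the user once."""

    def __init__(self) -> None:
        self._tokens: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username: str, now: float) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, unguessable
        self._tokens[self._key(token)] = (username, now + RESET_TOKEN_TTL)
        return token

    def consume(self, token: str, now: float) -> Optional[str]:
        """Return the username if the token is valid. A presented token is removed either way."""
        entry = self._tokens.pop(self._key(token), None)
        if entry is None:
            return None
        username, expires_at = entry
        if now > expires_at:
            return None
        return username
```

Storing the iteration count in the record lets you raise it later and re-hash each account at its next successful login; `consume` removing the token before checking expiry is what makes a reset link single-use even when it has already expired.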

Page 6

Some History…

2005 - Forms Based Authentication (provider model)

Page 7

Web Request

Page 8

IIS Process Flow

(Diagram, shown twice as a build: the IIS request pipeline. Recoverable stages, in order:)

HTTP Request
-> IIS Authentication (Anonymous, Basic, NTLM)
-> Determine Handler / Map Handler
-> Execute Handler: Static File, CGI, ISAPI, or aspnet_isapi.dll
   (inside aspnet_isapi.dll: Authentication (Windows, Forms) -> Authorization -> ResolveCache -> Map Handler -> Execute Handler (ASPX, Trace…) -> UpdateCache)
-> Compression
-> Log
-> Send Response
-> HTTP Response

Page 9

IIS Configuration

- Found in ApplicationHost.config
- Customized per app in web.config
- Changes in config affect pipeline processing
- This is how to configure IIS to run PHP

Page 10

.NET Provider Model

- Membership provider abstracts authentication pattern
- Role provider handles authorization
- Plug and play… custom providers
- Implemented thru IIS pipeline

    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
      <authentication mode="Forms">
        <forms loginUrl="myLogin.aspx"/>
      </authentication>
    </system.web>
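The `<deny users="?" />` rule on the slide only does its job because of how ASP.NET URL authorization evaluates the `<authorization>` section: rules are read in document order, the first one whose `users`/`roles` attribute matches the caller decides, `?` matches only anonymous callers, `*` matches everyone, and when nothing matches the machine-level `<allow users="*" />` applies. The following is an added model of that evaluation, not code from the deck or from ASP.NET itself; the web.config fragment is constructed (the slide's snippet plus one `roles` rule) and the `verbs` attribute is deliberately not modelled.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Added example, not the deck's code: a model of ASP.NET URL authorization
# rule evaluation, used to check what <deny users="?" /> actually does.

# Constructed web.config fragment: the deck's snippet plus one role-based rule.
WEB_CONFIG = """<configuration>
  <system.web>
    <authorization>
      <allow roles="admin" />
      <deny users="?" />
    </authorization>
    <authentication mode="Forms">
      <forms loginUrl="myLogin.aspx" />
    </authentication>
  </system.web>
</configuration>"""

# A rule is (verb, users, roles) where verb is "allow" or "deny".
Rule = Tuple[str, Set[str], Set[str]]


@dataclass(frozen=True)
class Principal:
    name: Optional[str]                  # None means anonymous (not authenticated)
    roles: frozenset = frozenset()


def _split(attr: Optional[str]) -> Set[str]:
    """users/roles attributes are comma-separated; names compare case-insensitively."""
    return {item.strip().lower() for item in (attr or "").split(",") if item.strip()}


def load_rules(config_xml: str) -> List[Rule]:
    """Read <allow>/<deny> elements in document order; that order decides the outcome."""
    section = ET.fromstring(config_xml).find("system.web/authorization")
    rules: List[Rule] = []
    if section is None:
        return rules
    for element in section:
        if element.tag in ("allow", "deny"):
            rules.append((element.tag, _split(element.get("users")), _split(element.get("roles"))))
    return rules


def login_url(config_xml: str) -> Optional[str]:
    """Where a denied anonymous request is redirected under Forms authentication."""
    forms = ET.fromstring(config_xml).find("system.web/authentication/forms")
    return forms.get("loginUrl") if forms is not None else None


def _matches(users: Set[str], roles: Set[str], principal: Principal) -> bool:
    if "*" in users:                                      # everyone, anonymous included
        return True
    if "?" in users and principal.name is None:           # anonymous callers only
        return True
    if principal.name is not None and principal.name.lower() in users:
        return True
    return bool(roles & {r.lower() for r in principal.roles})


def is_authorized(rules: List[Rule], principal: Principal) -> bool:
    """First matching rule wins; with no match the machine-level <allow users="*"/> applies."""
    for verb, users, roles in rules:
        if _matches(users, roles, principal):
            return verb == "allow"
    return True
```

The check worth running against your own web.config is the ordering one: an `<allow users="*" />` placed above the `<deny users="?" />` makes the deny unreachable, and anonymous requests sail through even though the deny is present in the file.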

Page 11

Provider Model DEMO

Page 12

Public Identity

- OAuth and standards based
- Token servers that provide information about users
- Don’t have to manage passwords
- Think Google, Facebook, Twitter, Live ID, LinkedIn…

…but…
- Limited claim set
- How much should you trust it?

Page 13

REST, OAuth2

(Diagram: an App calling a Resource over REST, authorized with OAuth2)

Page 14

2010 ACS – Access Control Services

- Acts as a “bouncer” to check id before granting access
- Handles OAuth conversation with simple redirection
- Claims based authentication
- Part of Windows Azure services
- Requires namespace
- Handles creation of access token

    <system.webServer>
      <modules>
        <remove name="FormsAuthentication" />
        <add name="WSFederationAuthenticationModule" …
        <add name="SessionAuthenticationModule" …
      </modules>
    </system.webServer>
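Swapping FormsAuthentication for the federation modules moves the app from checking passwords to checking a token that the “bouncer” issued, and the Public Identity slide's two caveats (a limited claim set, and how much to trust it) are decided at exactly that check. The following is an added example, not the deck's code and not ACS or the WIF modules themselves: it issues and validates an HMAC-signed, form-encoded token in the style of the Simple Web Tokens ACS handed out, verifying the signature before anything else, then issuer, audience and expiry, and finally reporting which claims the app needs that the provider did not supply. The issuer, audience, key and claim names are constructed assumptions.

```python
import base64
import hashlib
import hmac
from typing import Dict, Iterable, Set
from urllib.parse import parse_qsl, urlencode

# Added example, not the deck's code: an HMAC-signed, form-encoded token
# (SWT style, as ACS issued) with relying-party validation.

TRUSTED_ISSUER = "https://example-namespace.accesscontrol.invalid/"   # assumed ACS namespace
EXPECTED_AUDIENCE = "https://relyingparty.invalid/"                   # assumed application realm
SIGNING_KEY = hashlib.sha256(b"constructed demo key, not a real secret").digest()


class TokenError(ValueError):
    """Raised when a token must not be trusted; the message says why."""


def _signature(unsigned: str, key: bytes) -> str:
    mac = hmac.new(key, unsigned.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def issue_token(claims: Dict[str, str], key: bytes, issuer: str, audience: str, expires_on: int) -> str:
    """Token-server side: claims plus the envelope fields, then HMACSHA256 over the whole string."""
    fields = dict(claims)
    fields.update({"Issuer": issuer, "Audience": audience, "ExpiresOn": str(expires_on)})
    unsigned = urlencode(fields)          # '&' and '=' inside values are escaped, so parsing is unambiguous
    return unsigned + "&" + urlencode({"HMACSHA256": _signature(unsigned, key)})


def validate_token(token: str, key: bytes, expected_issuer: str, expected_audience: str, now: int) -> Dict[str, str]:
    """Relying-party side: signature first, then issuer, audience and expiry, before any claim is used."""
    unsigned, separator, _ = token.rpartition("&HMACSHA256=")
    if not separator:
        raise TokenError("token is not signed")
    presented = dict(parse_qsl(token, keep_blank_values=True)).get("HMACSHA256", "")
    if not hmac.compare_digest(presented, _signature(unsigned, key)):
        raise TokenError("bad signature")
    claims = dict(parse_qsl(unsigned, keep_blank_values=True))
    if claims.get("Issuer") != expected_issuer:
        raise TokenError("untrusted issuer")
    if claims.get("Audience") != expected_audience:
        raise TokenError("token was issued for a different application")
    if int(claims.get("ExpiresOn", "0")) <= now:
        raise TokenError("token expired")
    return claims


def missing_claims(claims: Dict[str, str], required: Iterable[str]) -> Set[str]:
    """Public providers expose a limited claim set; list what the app still has to collect itself."""
    return {name for name in required if not claims.get(name)}
```

The audience check is the one most often skipped: a token that is genuinely signed by the trusted issuer but was minted for another relying party must still be refused, otherwise any app in the same namespace can replay its users' tokens against yours.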

Page 15

Access Control Services DEMO

Page 16

Some History…

2005 - Forms Based Authentication (provider model)

2010 - Access Control Services (Windows Azure)

2012 - Simple Membership Provider

Page 17

Simple Membership Provider DEMO

Page 18

Some History…

2005 - Forms Based Authentication (provider model)

2010 - Access Control Services (Windows Azure)

2012 - Simple Membership Provider

2012 - Azure Mobile Services

Page 19

Windows Azure Mobile Services

- Cross device REST based interface
- Provides Data, Notification, Scheduling and Identity features
- Configurable for identity providers
- Simple coding model

Page 20

Mobile Services DEMO

Page 21

Some History…

2005 - Forms Based Authentication (provider model)

2010 - Access Control Services (Windows Azure)

2012 - Simple Membership Provider

2012 - Azure Mobile Services

2013 - Azure Active Directory

Page 22

Corporate Identity

- Managed by security team
- Provision user accounts
- Deactivate accounts as needed
- Typically directory based… Active Directory
- Includes more information than just credentials

Page 23

Windows Azure Active Directory

- Manage Users
- Applications and access
- Claims API
- OAuth

Page 24

Windows Azure Active Directory

(Diagram: Contoso’s On-Premises Directory is synchronised by Dir Sync into Contoso’s tenant in Windows Azure Active Directory. The tenant exposes SAML-P, WS-Federation, federation Metadata, OAuth2, the Management Portal and the Graph API.)

Page 25

Windows Azure Active Directory

(Diagram: build step of the Page 24 diagram, showing Contoso’s On-Premises Directory)

Page 26

Windows Azure Active Directory DEMO

Page 27

Where’s your Identity?

                      Thick Client    Web                               Devices
Application Identity  Custom          FBA                               Custom
Corporate Identity    NTLM            ACS, ADFS, AzAD                   ADFS
Public Identity       WebAuthBroker   ACS, Simple Provider, Mobile Svc  Mobile Svcs

Page 28

More information

Download slides and demo code at www.benkoTIPS.com

Follow Vittorio Bertocci – Identity Architect at Microsoft @vibronet and www.cloudidentity.com

Contact me at [email protected]

Page 29

REST, OAuth2

(Diagram, repeated from Page 13: an App calling a Resource over REST, authorized with OAuth2)

Page 30

Windows Azure Active Directory

(Diagram, repeated from Page 25: Contoso’s On-Premises Directory)

Page 31

Registration
• Today - via Graph Explorer
• Soon - via Windows Azure Portal

Clients and Resources in Windows Azure AD

(Diagram: two App / Resource pairs registered in Windows Azure AD)

Page 32

Demo