Windows Azure for Identity Management Challenges
Using Windows Azure for Solving Identity Management Challenges
Seattle Cloud Intelligence Conference
Tuesday, April 17th
About Me
Michael S. Collier
National Architect,
Windows Azure
@MichaelCollier
www.MichaelSCollier.com
Windows Azure Core Components
• Storage: Queue Service, Blob Service, Table Service
• Data (SQL Azure): Database Service, Data Sync Service, Import/Export Service, Reporting Service
• Compute: Web Role, Worker Role, VM Role
• Platform services: DataMarket Service, Windows Azure Connect, Service Bus, Access Control Service, Cache Service, Windows Azure Traffic Manager
Windows Azure graphics courtesy of David Pallmann (http://azuredesignpatterns.com)
Traditional Identity Management
• Windows Integrated Authentication (Active Directory)
• Membership Provider
• Proven approach
• Leverage Windows Identity Foundation (WIF)
Cloud Enabled Applications
Diagram: the user's web browser presents credentials to the web application; the application can check them against its own Membership Provider or AD, or hand authentication to external identity providers (Windows Live ID, Yahoo!, OpenID).
We Have a Problem
• No Active Directory
• Environment not under our physical control
• Disconnected from the enterprise (potentially)
Options
• Social Networks
  – They change . . . often
  – Which is the right one? Another one? More work!
• Membership Provider (backed by SQL Azure or Table Storage)
  – Pros
    • Mostly a known entity
    • Migrate existing user data
  – Cons
    • User management is on you
    • Security liability: you now store and protect the credential database
    • New (the Table Storage provider is not yet proven)
• Windows Live ID
Windows Azure Connect
• Secure network connectivity between on-premises and cloud.
• Hybrid apps get access to on-premises servers
  – App access to on-premises SQL Server
  – Role domain-joined to AD (the role instance then becomes a member of the enterprise domain, so treat it as part of that trust boundary)
• Setup & management
Diagram (image courtesy Windows Azure Platform Training Kit): enterprise databases and dev machines connect through the Connect relay to Role A, Role B and Role C (multiple VMs) in Windows Azure.
Windows Azure Access Control Service
• No need to build your own identity management solution.
• Authentication via WIF, using WS-Federation or OAuth
• Claims-based authorization
• Multiple identity providers (ADFS v2, Google, Live ID, etc.)
• Ability to bring your own users via a membership provider
• The one to rule them all!
• Easy for your users
Key ACS Concepts
• Relying Party (RP): a web application that outsources authentication to a trusted token issuer. The RP is your app.
• Identity Provider (IP): authenticates users and issues tokens.
• Token: digitally signed security data issued after the user has authenticated; presented to the RP (your app) to gain access.
• Claim: an attribute about the authenticated user (age, birthdate, email address, name, etc.), asserted by the token issuer.
• Federation Provider: an intermediary between the RP and the IP. ACS is a Federation Provider.
• STS: Security Token Service (not "Simple Token Service"); issues tokens containing claims. ACS is an STS.
Authentication Workflow
Participants: Browser, Identity Provider, Access Control (ACS), Application (the RP).
1. Browser requests a resource from the application.
2. Application redirects the browser to the identity provider.
3. User logs in at the identity provider.
4. Identity provider authenticates the user and issues a token.
5. Browser is redirected to the Access Control service.
6. Browser sends the identity provider's token to ACS.
7. ACS validates that token, runs the rules engine, and issues its own token.
8. Browser is redirected to the RP with the ACS token.
9. Browser sends the ACS token to the relying party.
10. Relying party validates the ACS token.
11. Relying party returns the resource representation.
Courtesy Windows Azure Boot Camp
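Step 10 is where the relying party's security actually lives: a token that is not checked for signature, issuer, audience and expiry is just a form field the browser chose to send. The following is an added example, not code from the deck or from the ACS SDK, showing that check for a relying party configured to receive SWT tokens from ACS. The SWT format itself (query-string fields Issuer, Audience, ExpiresOn, a trailing HMACSHA256 parameter computed with the namespace's base64-encoded token signing key) is ACS's; the namespace and realm values in the usage line are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Security;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Validates a Simple Web Token issued by ACS before any of its claims are trusted.
public static class AcsSwtValidator
{
    private const string SignatureParameter = "&HMACSHA256=";
    private static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // token:       the raw SWT posted to the RP
    // signingKey:  Convert.FromBase64String(<token signing key from the ACS portal>)
    // Returns the claims; throws SecurityException on any failure.
    public static IDictionary<string, string> Validate(string token, string expectedIssuer,
                                                       string expectedAudience, byte[] signingKey)
    {
        if (string.IsNullOrEmpty(token)) throw new SecurityException("empty token");

        // ACS appends the signature last; everything before it is the signed portion.
        int sigIndex = token.LastIndexOf(SignatureParameter, StringComparison.Ordinal);
        if (sigIndex < 0) throw new SecurityException("token carries no HMACSHA256 signature");
        string signedPortion = token.Substring(0, sigIndex);
        string presentedSignature = HttpUtility.UrlDecode(token.Substring(sigIndex + SignatureParameter.Length));

        byte[] expected;
        using (var hmac = new HMACSHA256(signingKey))
            expected = hmac.ComputeHash(Encoding.ASCII.GetBytes(signedPortion));

        byte[] presented;
        try { presented = Convert.FromBase64String(presentedSignature); }
        catch (FormatException) { throw new SecurityException("signature is not base64"); }
        if (!ConstantTimeEquals(expected, presented)) throw new SecurityException("signature mismatch");

        // Only now read the fields: every one of them is covered by the signature just checked.
        NameValueCollection fields = HttpUtility.ParseQueryString(signedPortion);
        if (!string.Equals(fields["Issuer"], expectedIssuer, StringComparison.Ordinal))
            throw new SecurityException("unexpected issuer");
        if (!string.Equals(fields["Audience"], expectedAudience, StringComparison.Ordinal))
            throw new SecurityException("token was issued for a different relying party");

        long expiresOn;
        if (!long.TryParse(fields["ExpiresOn"], out expiresOn)) throw new SecurityException("missing ExpiresOn");
        long now = (long)(DateTime.UtcNow - Epoch).TotalSeconds;
        if (now >= expiresOn) throw new SecurityException("token expired");

        var claims = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (string key in fields.AllKeys)
        {
            if (key == null || key == "Issuer" || key == "Audience" || key == "ExpiresOn") continue;
            claims[key] = fields[key]; // multi-valued claims arrive comma-separated
        }
        return claims;
    }

    private static bool ConstantTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Usage (namespace, realm and key are assumptions):
    //   var claims = AcsSwtValidator.Validate(token,
    //       "https://contoso.accesscontrol.windows.net/", "https://myapp.cloudapp.net/",
    //       Convert.FromBase64String(tokenSigningKeyFromPortal));
}
```

The audience check is the one most often skipped: without it, a token ACS issued for a different relying party in the same namespace (signed with the same key) would be accepted here. When WIF handles the token for you, the same checks are driven by the audienceUris and issuerNameRegistry elements in web.config, which is why those values have to be right for every deployment.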
DEMO: Getting Started with ACS
Claims Enrichment
• Identity providers only provide a few claims
  – Windows Live ID provides just one (name identifier)
  – Google and Yahoo! provide three (email, name, name identifier)
  – ADFS v2 provides whatever claims its issuance rules emit
• Add more claims that are known to your application
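In WIF the application-side place to add claims is a ClaimsAuthenticationManager, which runs after the ACS token has been validated and before the request reaches a page. The following is an added example, not code from the deck, written against the WIF 3.5 API (Microsoft.IdentityModel) the deck uses; the user store, the role names and the MyApp namespace are constructed for illustration. It looks the user up by identity provider plus name identifier rather than by name identifier alone, because ACS passes the identityprovider claim precisely so that identifiers from different providers are not confused.

```csharp
using System.Collections.Generic;
using Microsoft.IdentityModel.Claims;

// Registered in web.config:
//   <microsoft.identityModel><service>
//     <claimsAuthenticationManager type="MyApp.Identity.EnrichingClaimsAuthenticationManager, MyApp" />
//   </service></microsoft.identityModel>
namespace MyApp.Identity
{
    public class EnrichingClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        // ACS adds this claim to tell the RP which identity provider authenticated the user.
        private const string IdentityProviderClaimType =
            "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

        // Issuer recorded on the claims this app adds, so they are never mistaken for IdP-asserted ones.
        private const string AppIssuer = "MyApp";

        // Constructed sample of the application's own user store (in practice SQL Azure or Table Storage).
        // Keyed on identity provider + name identifier: a name identifier is only unique within one IdP.
        private static readonly Dictionary<string, UserRecord> Users = new Dictionary<string, UserRecord>
        {
            { "uri:WindowsLiveID|abc123", new UserRecord("alice@example.com", new[] { "Admin", "Reader" }) },
            { "Google|https://www.google.com/accounts/o8/id?id=xyz", new UserRecord("bob@example.com", new[] { "Reader" }) },
        };

        public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
        {
            if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
                return incomingPrincipal; // anonymous request: nothing to enrich

            var identity = (IClaimsIdentity)incomingPrincipal.Identity;
            string idp = FirstClaimValue(identity, IdentityProviderClaimType);
            string nameId = FirstClaimValue(identity, ClaimTypes.NameIdentifier);
            if (idp == null || nameId == null)
                return incomingPrincipal; // not an ACS-issued identity; leave it untouched

            UserRecord record;
            if (!Users.TryGetValue(idp + "|" + nameId, out record))
                return incomingPrincipal; // unknown user: no roles added, authorization will deny

            // Windows Live ID supplies only the name identifier; fill in the email from our own store.
            if (FirstClaimValue(identity, ClaimTypes.Email) == null)
                identity.Claims.Add(new Claim(ClaimTypes.Email, record.Email, ClaimValueTypes.String, AppIssuer));

            foreach (string role in record.Roles)
                identity.Claims.Add(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, AppIssuer));

            return incomingPrincipal;
        }

        private static string FirstClaimValue(IClaimsIdentity identity, string claimType)
        {
            foreach (Claim c in identity.Claims)
                if (c.ClaimType == claimType) return c.Value;
            return null;
        }

        private class UserRecord
        {
            public readonly string Email;
            public readonly string[] Roles;
            public UserRecord(string email, string[] roles) { Email = email; Roles = roles; }
        }
    }
}
```

Because the added claims use ClaimTypes.Role, the principal's IsInRole("Admin") and the usual PrincipalPermission checks work unchanged; the distinct issuer value lets authorization code tell an app-granted role from a claim the identity provider asserted.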
DEMO: Claims Enrichment
The Impact for Mobile Applications
• Social networks matter
  – Users likely already have at least one account
  – Quick and easy signup
  – Potential for rapid user base expansion
• NuGet package available to add ACS to a Windows Phone application easily
DEMO: Enable ACS on Your Windows Phone Application
Tips & Tricks
• Staging vs. Production
– WIF configuration in web.config
– Staging URL unknown until deployment
– Change WIF configuration in web.config during role startup
```csharp
using System;
using System.Xml.Linq;
using Microsoft.Web.Administration;            // ServerManager: the IIS configuration API
using Microsoft.WindowsAzure.ServiceRuntime;   // RoleEnvironment

// Rewrites the WIF section of web.config at role start so the audience URI (and the other
// WIF values) match whatever URL this deployment was given. ServerManager reads the IIS
// configuration, so the role must run elevated: <Runtime executionContext="elevated" /> in ServiceDefinition.csdef.
private static void UpdateWIFConfiguration()
{
    try
    {
        using (var server = new ServerManager())
        {
            // This value is defined as part of the ServiceConfiguration/ServiceDefinition file.
            const string siteNameFromServiceModel = "Web";
            string siteName = string.Format("{0}_{1}",
                RoleEnvironment.CurrentRoleInstance.Id, siteNameFromServiceModel);
            string configFilePath =
                server.Sites[siteName].Applications[0].VirtualDirectories[0].PhysicalPath + "\\web.config";

            XElement element = XElement.Load(configFilePath);
            string setting;
            if (!String.IsNullOrEmpty(setting = RoleEnvironment.GetConfigurationSettingValue("ACS.AudienceUri")))
            {
                element.Element("microsoft.identityModel")
                       .Element("service")
                       .Element("audienceUris")
                       .Element("add")
                       .Attribute("value").Value = setting;
            }
            // ... Do the same for each WIF configuration parameter (issuer, realm, thumbprint, etc.)
            element.Save(configFilePath);
        }
    }
    catch (Exception ex)
    {
        // Need a safe place to log this. Windows Event Log?
    }
}
```
See Vittorio Bertocci’s blog post at http://blogs.msdn.com/b/vbertocci/archive/2011/05/31/edit-and-apply-new-wif-s-config-settings-in-your-windows-azure-webrole-without-redeploying.aspx
Tips & Tricks
• Cookie Encryption
  – By default WIF protects the session cookie it sends to the client with DPAPI.
  – DPAPI is not usable for this in Windows Azure: its keys are per machine, so a cookie protected on one role instance cannot be read by another instance behind the load balancer.
  – Use RsaEncryptionCookieTransform (together with RsaSignatureCookieTransform) to protect the cookie with the same certificate used for SSL, deployed to every instance.
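The handler swap is done once at application start, in Global.asax.cs, by replacing WIF's default session token handler. The following is an added example, not code from the deck, written against the WIF 3.5 API (Microsoft.IdentityModel); it assumes the SSL certificate is the one referenced by the serviceCertificate element in web.config.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

// Global.asax.cs of the web role. Replaces the DPAPI-based session token handler with one that
// deflates, RSA-encrypts and RSA-signs the cookie using the service certificate.
public class Global : System.Web.HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
    }

    private static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        // The certificate referenced by <serviceCertificate> in web.config. Its private key must be
        // present on every instance: upload it to the hosted service and list it under <Certificates>
        // in ServiceDefinition.csdef so the fabric installs it into LocalMachine\My on each VM.
        var certificate = e.ServiceConfiguration.ServiceCertificate;
        if (certificate == null)
            throw new InvalidOperationException("serviceCertificate is not configured; the session cookie would fall back to DPAPI");

        var transforms = new List<CookieTransform>(new CookieTransform[]
        {
            new DeflateCookieTransform(),                   // shrink before encrypting
            new RsaEncryptionCookieTransform(certificate),  // confidentiality
            new RsaSignatureCookieTransform(certificate),   // integrity: a tampered cookie is rejected
        });

        var sessionHandler = new SessionSecurityTokenHandler(transforms.AsReadOnly());
        e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
    }
}
```

Keep both RSA transforms: encryption alone gives no integrity, and a cookie that can be altered without detection is a session fixation and tampering vector. Because every instance holds the same certificate, any instance can decrypt and verify a cookie issued by any other, which is exactly what the load balancer requires.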
Tips & Tricks
• Development Certificate
• Customize the login experience
• User registration
• Require authentication for only part of the site
Gotchas
• Single sign-out not currently supported
• A co-administrator cannot administer an ACS namespace
• WIF is not installed on Windows Azure roles
  – Reference Microsoft.IdentityModel with Copy Local = true
  – Or install the WIF runtime (the .msu package) from an elevated startup task
Summary
• Identity in the cloud is hard
  – Many external islands of identity
  – Current technology is hard to use or not interoperable
• ACS provides a standards-based approach
  – Integrates with Windows Identity Foundation
  – Claims-based authorization
  – Support for ADFS v2, Google, Live ID, Yahoo!, & Facebook
• Enrich functionality using WIF
• OData API and portal for management
Resources
• Windows Azure ACS Guide – http://www.windowsazure.com/en-us/develop/net/how-to-guides/access-control/#config-trust
• Programming Windows Identity Foundation, Vittorio Bertocci
• "Claims-Based Authorization with WIF", Michele Bustamante – http://msdn.microsoft.com/en-us/magazine/ee335707.aspx
• ACS Cheat Sheet – http://bit.ly/ACSCheatSheet
• ACS How To's – http://bit.ly/ACSHowTo
• ACS Tips – http://bit.ly/HYhxjY
• Publishing an ACS v2 Federated Identity Web Role – http://bit.ly/HPT6rk
Get the Bits!
http://bit.ly/AzureSDKMC
http://bit.ly/AzureTrialMC
Thank You
• Your feedback is important!
• Please fill out and return the survey – you'll get a copy of today's decks.
@MichaelCollier
www.MichaelSCollier.com