Using Windows Azure for Solving Identity Management Challenges

Michael S. Collier
National Architect, Cloud

Level: Intermediate
About Me
Michael S. Collier
National Architect, Cloud



michael.collier@neudesic.com
@MichaelCollier
www.MichaelSCollier.com

http://www.slideshare.net/buckeye01
Agenda
•   Identity Management Challenges
•   Access Control Services
    – Claims
    – Setup tips
    – Gotchas
•   Windows Azure Mobile Services
    – Quickly leverage social identities
•   Windows Azure Active Directory
    – What it is
    – Quick setup
    – Exploring the directory graph
Who Are You?
•   Personalization
•   Business Rules
•   Functionality / Features
Traditional Identity Management
•   Windows Integrated Authentication
    (Active Directory)
•   Membership Provider


•   Proven Approach
•   Leverage WIF?
    [Diagram: Active Directory and SQL inside My Enterprise]
Cloud? We Have a Problem
•   Multiple islands of identity
•   Environment not under our physical control
•   Disconnected from the enterprise (potentially)
Options
•   Social Networks
    – They change . . . often
    – The right one?
    – Another?
    – More work!
    – Microsoft Account
•   Membership Provider
    – SQL Database
    – Table Storage
    – Pros
        Mostly known entity
        Migrate existing data
    – Cons
        User management
        Security leak
        New
Windows Azure Access Control
Service
•   No need to build your own identity management
    solution.
•   Authenticate (WIF – OAuth and WS-Federation)
•   Claims-based authorization
•   Multiple Identity Providers (ADFSv2, Google, Live
    ID, etc.)
•   Ability to bring your own via membership
•   One to rule them all!
•   Easy for your users


                  Windows Azure icons courtesy of David Pallmann.
Key ACS Concepts
•   Relying Party (RP): Web application that outsources
    authentication. The RP trusts that authority. The RP is
    your app.
•   Identity Provider (IP): Authenticates users and
    issues tokens
•   Token: Digitally signed security data issued after user
    authenticated. Used to gain access to the RP (your
    app).
•   Claim: Attributes about the authenticated user (age,
    birthdate, email address, name, etc.)
•   Federation Provider: Intermediary between the RP
    and IP. ACS is a Federation Provider.
•   STS: Simple Token Service – issues tokens
    containing claims. ACS is an STS
Authentication Workflow
Participants: Browser, Identity Provider, Access Control, Application
 1. Request resource (Browser to Application)
 2. Redirect to Identity Provider
 3. Login (Browser to Identity Provider)
 4. Authenticate & issue token (Identity Provider)
 5. Redirect to AC service
 6. Send token to ACS
 7. Validate token, run rules engine, issue token (Access Control)
 8. Redirect to RP with ACS token
 9. Send ACS token to Relying Party
10. Validate token (Application)
11. Return resource representation

                                                                 Courtesy Windows Azure Boot Camp
Claims Enrichment
•   Identity Providers only provide a few claims
    – Microsoft Account / Live ID provides just one (Name
      Identifier)
    – Facebook, Google and Yahoo! provide at least three (email,
      name, name identifier)
    – ADFSv2
    – http://msdn.microsoft.com/en-us/library/windowsazure/gg185971.aspx


•   Add more claims that are known to your
    application
    – ClaimsAuthenticationManager
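As an added example (not code from the deck), a ClaimsAuthenticationManager for WIF 4.5 that enriches the ACS-issued principal with application-owned role claims; the IdentityDemo namespace, the role table and its claim values are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

namespace IdentityDemo
{
    // Runs once per request after WIF has validated the ACS token and before the
    // principal reaches application code. Registered in web.config under
    // system.identityModel/identityConfiguration:
    //   <claimsAuthenticationManager type="IdentityDemo.AppClaimsAuthenticationManager, IdentityDemo" />
    public class AppClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        // ACS adds this claim to every token it issues; it names the identity
        // provider that actually authenticated the user.
        const string IdentityProviderClaimType =
            "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

        // Issuer recorded on every claim this class adds, so application code can
        // tell an app-assigned role apart from anything an identity provider sent.
        const string AppIssuer = "IdentityDemo.ApplicationStore";

        // Constructed stand-in for the application's own user store. The key is
        // identityprovider + nameidentifier: a NameIdentifier is only unique within
        // the provider that issued it (and Microsoft Account sends nothing else),
        // so keying on the NameIdentifier alone would let a user of one provider
        // collide with a user of another.
        static readonly Dictionary<string, string[]> RolesByUser =
            new Dictionary<string, string[]>(StringComparer.Ordinal)
            {
                { "uri:WindowsLiveID|CONSTRUCTED-NAMEID-1", new[] { "Approver", "Submitter" } },
                { "Google|CONSTRUCTED-NAMEID-2", new[] { "Submitter" } },
            };

        public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
        {
            if (incomingPrincipal == null || incomingPrincipal.Identity == null ||
                !incomingPrincipal.Identity.IsAuthenticated)
            {
                return incomingPrincipal;   // anonymous request: nothing to enrich
            }

            var identity = incomingPrincipal.Identity as ClaimsIdentity;
            if (identity == null)
            {
                return incomingPrincipal;
            }

            foreach (string role in LookupRoles(identity))
            {
                identity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, AppIssuer));
            }
            return incomingPrincipal;
        }

        // Kept separate so the lookup can be unit-tested without an HTTP pipeline.
        public static string[] LookupRoles(ClaimsIdentity identity)
        {
            Claim nameId = identity.FindFirst(ClaimTypes.NameIdentifier);
            Claim provider = identity.FindFirst(IdentityProviderClaimType);
            if (nameId == null || provider == null)
            {
                return new string[0];   // cannot identify the user unambiguously
            }

            string[] roles;
            return RolesByUser.TryGetValue(provider.Value + "|" + nameId.Value, out roles)
                ? roles
                : new string[0];
        }
    }
}
```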
Getting Started with ACS

DEMO
Recap
1.    Create a new ASP.NET 4.5 Web Site
     a)   Capture User.Identity.Name
2.    Create an ACS namespace
     a)   Portal
     b)   Visual Studio tooling
3.    Configure site using ‘Identity and Access’
      tool in Visual Studio
     a)   Provide ACS namespace and management password
     b)   Enable desired Identity Providers (e.g. Google)
     c)   Configure realm, reply to address, etc.
4.    Optional: Add ClaimsAuthenticationManager
5.    Run it
Tips & Tricks
•   WIF relies on the web.config file
•   Problematic for staging deployments – don’t know the
    URL until deployed
•   Add logic to WebRole’s OnStart() to update the WIF
    settings in web.config
    – Read in configuration settings from .cscfg
    – Update and save the web.config
    – Changing .cscfg settings can cause a role recycle . . . causing
      web.config to update
Tips & Tricks

•   Staging vs. Production
    – WIF configuration in web.config
    – Staging URL unknown until deployment
    – Change WIF configuration in web.config during role startup

    See Vittorio Bertocci’s blog post at http://blogs.msdn.com/b/vbertocci/archive/2011/05/31/edit-and-apply-new-wif-s-config-settings-in-your-windows-azure-webrole-without-redeploying.aspx
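As an added example of the startup rewrite described on the two slides above (not code from the deck or from the linked blog post), a WebRole that copies the realm and reply address from .cscfg into the WIF sections of web.config; the setting names Wif.Realm and Wif.Reply, the IdentityDemo namespace and the %RoleRoot%\approot layout are assumptions.

```csharp
using System;
using System.IO;
using System.Xml.Linq;
using Microsoft.WindowsAzure.ServiceRuntime;

namespace IdentityDemo
{
    public class WebRole : RoleEntryPoint
    {
        // .cscfg setting names are assumed for this example.
        const string RealmSetting = "Wif.Realm";
        const string ReplySetting = "Wif.Reply";

        public override bool OnStart()
        {
            // A .cscfg change raises Changed; recycling the role makes OnStart run
            // again and re-apply the new values (the behaviour the slide describes).
            RoleEnvironment.Changed += (sender, e) => RoleEnvironment.RequestRecycle();

            string realm = RoleEnvironment.GetConfigurationSettingValue(RealmSetting);
            string reply = RoleEnvironment.GetConfigurationSettingValue(ReplySetting);
            UpdateWifConfiguration(WebConfigPath(), realm, reply);

            return base.OnStart();
        }

        // Assumed standard web role layout: the deployed site lives under %RoleRoot%\approot.
        // Writing there needs the role to run elevated:
        //   <Runtime executionContext="elevated" /> in the service definition.
        static string WebConfigPath()
        {
            string roleRoot = Environment.GetEnvironmentVariable("RoleRoot");
            return Path.Combine(roleRoot + @"\", "approot", "web.config");
        }

        // Rewrites the two places WIF keeps the relying party's own address, the same
        // two paths the "Registering Your App with WAAD" slide lists:
        //   system.identityModel/identityConfiguration/audienceUris
        //   system.identityModel.services/federationConfiguration/wsFederation
        public static void UpdateWifConfiguration(string webConfigPath, string realm, string reply)
        {
            // The audience URI is what WIF compares each token's audience against, so a
            // malformed value is a configuration error worth failing on, not applying.
            if (!Uri.IsWellFormedUriString(realm, UriKind.Absolute) ||
                !Uri.IsWellFormedUriString(reply, UriKind.Absolute))
            {
                throw new InvalidOperationException("Wif.Realm and Wif.Reply must be absolute URLs.");
            }

            XDocument config = XDocument.Load(webConfigPath);

            XElement audienceUris = config.Root
                .Element("system.identityModel")
                .Element("identityConfiguration")
                .Element("audienceUris");
            audienceUris.Elements().Remove();            // drop the build-time audience
            audienceUris.Add(new XElement("add", new XAttribute("value", realm)));

            XElement wsFederation = config.Root
                .Element("system.identityModel.services")
                .Element("federationConfiguration")
                .Element("wsFederation");
            wsFederation.SetAttributeValue("realm", realm);
            wsFederation.SetAttributeValue("reply", reply);

            config.Save(webConfigPath);
        }
    }
}
```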
Tips & Tricks
•   Cookie Encryption
    – DPAPI used to protect cookies sent to the client.
    – DPAPI not supported in Windows Azure
    – Use RsaEncryptionCookieTransform to encrypt with
      same cert used for SSL.
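As an added example (not code from the deck), the Global.asax wiring that swaps the DPAPI cookie transform for RsaEncryptionCookieTransform and RsaSignatureCookieTransform keyed to the role's SSL certificate; the .cscfg setting name Wif.CookieCertThumbprint and the IdentityDemo namespace are assumptions, and the certificate is assumed to be listed in the role's <Certificates> so it is installed with its private key.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using Microsoft.WindowsAzure.ServiceRuntime;

namespace IdentityDemo
{
    public class Global : HttpApplication
    {
        // Assumed .cscfg setting holding the thumbprint of the SSL certificate.
        const string ThumbprintSetting = "Wif.CookieCertThumbprint";

        protected void Application_Start()
        {
            // WIF raises this once, the first time it builds its configuration,
            // before any session cookie is written or read.
            FederatedAuthentication.FederationConfigurationCreated += OnFederationConfigurationCreated;
        }

        static void OnFederationConfigurationCreated(object sender, FederationConfigurationCreatedEventArgs e)
        {
            X509Certificate2 cert = FindCertificateWithPrivateKey(
                RoleEnvironment.GetConfigurationSettingValue(ThumbprintSetting));

            // Replaces the default Deflate + DPAPI (ProtectedData) transforms. Order
            // matters: the handler applies them left to right on write and in reverse
            // on read, so the cookie is compressed, encrypted, then signed. Every
            // instance holding the same certificate can now read every other
            // instance's cookies; whoever holds its private key can also mint them,
            // so the certificate deserves the same handling as the SSL key it is.
            var transforms = new ReadOnlyCollection<CookieTransform>(new CookieTransform[]
            {
                new DeflateCookieTransform(),
                new RsaEncryptionCookieTransform(cert),
                new RsaSignatureCookieTransform(cert)
            });

            e.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers
                .AddOrReplace(new SessionSecurityTokenHandler(transforms));
        }

        // Windows Azure installs role certificates, private key included, into
        // LocalMachine\My on every instance.
        static X509Certificate2 FindCertificateWithPrivateKey(string thumbprint)
        {
            var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
            store.Open(OpenFlags.ReadOnly);
            try
            {
                // validOnly: false so a self-signed development certificate is found too.
                X509Certificate2Collection found =
                    store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
                if (found.Count == 0 || !found[0].HasPrivateKey)
                {
                    throw new InvalidOperationException(
                        "Cookie protection certificate " + thumbprint + " is not installed with its private key.");
                }
                return found[0];
            }
            finally
            {
                store.Close();
            }
        }
    }
}
```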
Tips & Tricks
•   Change request validation
    – WIF receives the signed token as a POSTed form field (wresult); ASP.NET 4
      request validation rejects that post as a potentially dangerous form value.
•   Use ASP.NET 2.0 validation: <httpRuntime requestValidationMode="2.0" />
•   Custom validator: <httpRuntime requestValidationType="AccessControlRequestValidator" />
    Source: http://social.technet.microsoft.com/wiki/contents/articles/1725.windows-identity-foundation-wif-a-potentially-dangerous-request-form-value-was-detected-from-the-client-wresult-t-requestsecurityto.aspx
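As an added example (not the deck's or the TechNet wiki's code), a custom validator that leaves ASP.NET 4 request validation on everywhere except the single wresult form field, which is the narrower alternative to switching the whole site to 2.0 mode; the IdentityDemo namespace is assumed, and the requestValidationType attribute needs the assembly-qualified name (e.g. "IdentityDemo.AccessControlRequestValidator, IdentityDemo").

```csharp
using System;
using System.IdentityModel.Services;
using System.Web;
using System.Web.Util;

namespace IdentityDemo
{
    public class AccessControlRequestValidator : RequestValidator
    {
        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            validationFailureIndex = 0;

            // Only a POSTed form field named "wresult" is considered; the query string,
            // cookies, headers and every other form field keep the default validation.
            if (requestValidationSource == RequestValidationSource.Form &&
                string.Equals(collectionKey, WSFederationConstants.Parameters.Result, StringComparison.Ordinal))
            {
                // Let WIF parse the post. Only a well-formed WS-Federation sign-in
                // response is exempted; anything else carried in a field that merely
                // happens to be called wresult falls through to normal validation.
                // The token's signature, issuer and audience are still checked by WIF
                // afterwards; this only stops ASP.NET from rejecting the XML up front.
                try
                {
                    var message = WSFederationMessage.CreateFromFormPost(
                        new HttpRequestWrapper(context.Request)) as SignInResponseMessage;
                    if (message != null)
                    {
                        return true;
                    }
                }
                catch (WSFederationMessageException)
                {
                    // not a sign-in response: validate like any other field
                }
            }

            return base.IsValidRequestString(
                context, value, requestValidationSource, collectionKey, out validationFailureIndex);
        }
    }
}
```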
Gotchas
•   Single sign-out not currently supported
    – Provide a sign-out link for the specific Identity Provider


•   Windows Azure co-admin cannot administer
    an ACS namespace
    – Add Live ID, WAAD, Google, etc.


•   WIF not installed on Windows Azure roles
    (.NET 3.5)
    – Microsoft.IdentityModel: set Copy Local = true
    – Install WIF via a startup task (recommended)
The Impact for Mobile Apps
•   Social Networks – Important
    – Users likely already have at least one
    – Quick and easy signup
    – Potential for rapid user base expansion



•   Multiple identity provider choices via Windows
    Azure Mobile Services
Windows Azure Mobile Services

DEMO
Recap
•   Windows Azure Mobile Services app
•   Developer accounts for social networks
    – Microsoft Account
    – Facebook
    – Twitter
    – Google
•   Add key/secret to WAMS app
•   Prompt for user authentication
    await App.MobileService.LoginAsync(MobileServiceAuthenticationProvider.Twitter);

•   Optional
    – Live SDK to use SSO in Windows Store apps
Windows Azure Active Directory
•   Extends AD into the cloud
•   Started as directory for Office365
•   Provides single sign-on for cloud applications
•   Query-able social graph (native apps too)


•   Connect from any device and platform
    – RESTful access to the directory
    – XML/JSON request/response


•   Can sync or federate on-premises AD to cloud


                         WAAD is in a Developer Preview status. ☺
The Directory
[Diagram: directory objects linked by DirectReports and MemberOf]
The Directory
[Diagram: Windows Azure Active Directory, a multi-tenant directory]
The Directory
[Diagram: WAAD tenant synchronized from on-premises Active Directory via DirSync]
Getting Started
•   Organization ID
    – Office365
    – Dev/Test Tenant
      http://aka.ms/WAADSignup
      <tenant>.onmicrosoft.com
•   Windows Azure Subscription
•   Microsoft ASP.NET Tools for Windows Azure
    Active Directory – Visual Studio 2012
    – http://go.microsoft.com/fwlink/?LinkID=282306
•   Office365 / Windows Azure Active Directory
    Management Cmdlets
    – http://aka.ms/aadposh
Windows Azure Active Directory – Setup and Connect to WAAD

DEMO
Recap
1.    Pre-reqs
     a)   Windows Azure AD Powershell cmdlets
     b)   Windows Azure AD tenant
     c)   Visual Studio tools
2.    Create new ASP.NET 4.5 web site
3.    ‘Enable Windows Azure Authentication’
     a)   Under ‘Project’ menu in Visual Studio
     b)   Authenticate with WAAD administrative account
4.    Run
Graph API
•   RESTful interface for Windows Azure AD
    – Compatible with OData V3
    – Use latest WCF 5.3 update (API v0.9)
    – OAuth 2.0 for authentication
•   Programmatic access to the directory
    – DirectoryObject – User, Group, Role, Licenses,
      Tenant, etc.
    – Links – memberOf, directReports
•   Standard HTTP methods
    – GET, POST, PATCH, DELETE for directory objects
    – HTTP status codes
Directory Permissions
•   The application has rights to the directory,
    not the authenticated user
•   Your application == service principal
•   Application Roles
    –   Partner Tier1 Support
    –   Partner Tier2 Support
    –   Company Administrator
    –   Helpdesk Administrator
    –   Directory Readers
    –   Directory Writers
    –   Billing Administrator
    –   Service Support Administrator
    –   User Account Administrator
Request
GET https://graph.windows.net/michaelcollier.onmicrosoft.com/directoryObjects/$/Microsoft.WindowsAzure.ActiveDirectory.User()?%24filter=userPrincipalName+eq+%27michael%40michaelcollier.onmicrosoft.com%27&%24top=2&api-version=0.9 HTTP/1.1
User-Agent: Microsoft ADO.NET Data Services
DataServiceVersion: 3.0;NetFx
MaxDataServiceVersion: 3.0;NetFx
Accept: application/atom+xml,application/xml
Accept-Charset: UTF-8
DataServiceUrlConventions: KeyAsSegment
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1THdqcHdBSk9NOW4tQSJ9.eyJhdWQiOiIwMDAwMDAwMi0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAvZ3JhcGgud2luZG93cy5uZXRAMTEyNzExNTktYWJjOC00ZTBlLWIzYzItYzJhMDg1OGEwMzZiIiwiaXNzIjoiMDAwMDAwMDEtMDAwMC0wMDAwLWMwMDAtMDAwMDAw……
Host: graph.windows.net
Response
<?xml version="1.0" encoding="utf-8"?>
<feed xml:base="https://graph.windows.net/michaelcollier.onmicrosoft.com/" xmlns="http://www.w3.org/2005/Atom"
xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
xmlns:georss="http://www.georss.org/georss" xmlns:gml="http://www.opengis.net/gml">
<id>https://graph.windows.net/michaelcollier.onmicrosoft.com/directoryObjects/$/Microsoft.WindowsAzure.ActiveDirectory.User</id>
  <title type="text">Microsoft.WindowsAzure.ActiveDirectory.User</title>
  <updated>2013-03-21T00:58:34Z</updated>
  <link rel="self" title="Microsoft.WindowsAzure.ActiveDirectory.User" href="Microsoft.WindowsAzure.ActiveDirectory.User" />
  <entry>
    <id>https://graph.windows.net/michaelcollier.onmicrosoft.com/directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6</id>
    <category term="Microsoft.WindowsAzure.ActiveDirectory.User" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
    <link rel="edit" title="User" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User" />
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/manager" type="application/atom+xml;type=entry" title="manager" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/manager" />
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/directReports" type="application/atom+xml;type=feed" title="directReports" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/directReports" />
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/members" type="application/atom+xml;type=feed" title="members" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/members" />
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/memberOf" type="application/atom+xml;type=feed" title="memberOf" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/memberOf" />
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/permissions" type="application/atom+xml;type=feed" title="permissions" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/permissions" />
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/edit-media/thumbnailPhoto" title="thumbnailPhoto" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/thumbnailPhoto" />
    <m:action metadata="https://graph.windows.net/michaelcollier.onmicrosoft.com/$metadata#DirectoryDataService.assignLicense" title="assignLicense" target="https://graph.windows.net/michaelcollier.onmicrosoft.com/directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/assignLicense" />
    <content type="application/xml">
     <m:properties>
      <d:objectType>User</d:objectType>
    <d:objectId>23dc9514-64ec-4c94-8f03-4edf9016b2a6</d:objectId>
    <d:accountEnabled m:type="Edm.Boolean">true</d:accountEnabled>
    <d:assignedLicenses m:type="Collection(Microsoft.WindowsAzure.ActiveDirectory.AssignedLicense)" />
    <d:assignedPlans m:type="Collection(Microsoft.WindowsAzure.ActiveDirectory.AssignedPlan)" />
    <d:city m:null="true" />
    <d:displayName>Michael Collier</d:displayName>
    <d:givenName>Michael</d:givenName>
    <d:mailNickname>michael</d:mailNickname>
    <d:mobile>+1 6142883146</d:mobile>
    <d:otherMails m:type="Collection(Edm.String)">
     <d:element>michaelscollier@gmail.com</d:element>
    </d:otherMails>
    <d:userPrincipalName>michael@michaelcollier.onmicrosoft.com</d:userPrincipalName>
   </m:properties>
  </content>
 </entry>
</feed>
* Some elements removed for readability.
Windows Azure Authentication
Library (WAAL)
•   Simplifies authentication
•   Client-side only
    – Used to obtain an authentication token only; no token
      validation
    – Web apps/services or rich clients
•   Server-side token authentication
    – JSON Web Token Handler (JWT Handler)
    – Samples
      http://code.msdn.com
           Search “aal”
           Filter – Technology = Windows Azure
                    Visual Studio Version = VS2012
                  (AAL > Windows Azure > Visual Studio 2012)
Registering Your App with WAAD
•   AppPrincipalId (ServicePrincipal)
    – identityConfiguration/audienceUris
    – system.identityModel.services/federationConfiguration
      /wsFederation




•   Read this blog post by Vittorio Bertocci
    – http://www.cloudidentity.com/blog/2013/01/22/group-amp-role-claims-use-the-graph-api-to-get-back-isinrole-and-authorize-in-windows-azure-ad-apps/
Registering Your App with WAAD
Import-Module MSOnlineExtended -Force

# Connect to the WAAD tenant. Use tenant admin credentials (same used in the MVC VS2012 tools),
# i.e. <user>@<tenant>.onmicrosoft.com
Connect-MsolService

# The AppPrincipalId from the web.config
$AppPrincipalId = '9a90ed83-acff-44d7-813f-d7e724fef1aa'

# Get the Service Principal object
$servicePrincipal = Get-MsolServicePrincipal -AppPrincipalId $AppPrincipalId

# Add the service principal to the appropriate role in WAAD. The application, not the
# signed-in user, holds this right (see Directory Permissions), so pick the least-privileged
# role that covers the directory operations the application actually performs.
Add-MsolRoleMember -RoleMemberType "ServicePrincipal" -RoleName "User Account Administrator" `
    -RoleMemberObjectId $servicePrincipal.ObjectId

# Dates for which the credential is valid (1 year)
$timeNow = Get-Date
$expiryTime = $timeNow.AddYears(1)

# Generate the symmetric key (256 random bits from the OS CSPRNG)
$cryptoProvider = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$byteArr = New-Object byte[] 32
$cryptoProvider.GetBytes($byteArr)
$signingKey = [Convert]::ToBase64String($byteArr)
# The key is the application's credential: treat signingKey.txt like a password and
# delete it once the value has been moved into the application's configuration.
$signingKey | Out-File signingKey.txt

# Create a new service principal credential with the created key and assign it to the service principal.
New-MsolServicePrincipalCredential -AppPrincipalId $AppPrincipalId -Type symmetric -StartDate $timeNow `
    -EndDate $expiryTime -Usage Verify -Value $signingKey
WAAD and Expense Application (Code Walkthrough)

DEMO
Going Further
•   Multitenant applications
    – Leverage identity from other WAAD tenants
    – http://www.windowsazure.com/en-us/develop/net/tutorials/multitenant-apps-for-active-directory/
•   Phone 2FA
    – Additional administrative users
    – Username/pwd + text message code
    – ONLY for WAAD users and applications now
•   Configure as an Identity Provider in ACS
Windows Azure Virtual Network
[Diagram: site-to-site VPN tunnel between the on-premises network and Windows Azure]
Currently in Preview                    Image courtesy of the Windows Azure Training Kit
Summary
•   Traditional identity management in the cloud is hard
    – Many external islands of identity
    – Current technology hard or not interoperable
•   ACS provides standards-based approach
    – Integrates with Windows Identity Foundation
    – Claims-based authorization
    – Built-in support for ADFSv2, Google, Live ID, Yahoo!, & Facebook
•   Enrich functionality using WIF
•   Leverage Windows Azure Mobile Services for mobile apps
•   Windows Azure Active Directory shows the future direction
Resources
•   Windows Azure ACS Guide
    – http://www.windowsazure.com/en-us/develop/net/how-to-guides/access-control/#config-trust
•   Programming Windows Identity Foundation, Vittorio Bertocci
•   CloudIdentity.com, Vittorio Bertocci’s blog
•   “Claims-Based Authorization with WIF”, Michele Bustamante
    – http://msdn.microsoft.com/en-us/magazine/ee335707.aspx
•   ACS Cheat Sheet - http://bit.ly/ACSCheatSheet
•   ACS How To’s - http://bit.ly/ACSHowTo
•   ACS Tips - http://bit.ly/HYhxjY
•   Publishing a ACS v2 Federated Identity Web Role -
    http://bit.ly/HPT6rk
•   MVC Sample App for Windows Azure Active Directory Graph
    – http://code.msdn.microsoft.com/Write-Sample-App-for-79e55502
•   Windows Azure Active Directory Graph Team
    – http://blogs.msdn.com/b/aadgraphteam/
Ask your questions
Thank You!!
Michael S. Collier
National Architect, Cloud



michael.collier@neudesic.com
@MichaelCollier
www.MichaelSCollier.com

http://www.slideshare.net/buckeye01



Please fill out your session evals!

 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 

Using Windows Azure for Solving Identity Management Challenges (Visual Studio Live, Las Vegas 2013)

  • 8. Windows Azure Access Control Service
    • No need to build your own identity management solution.
    • Authenticate (WIF – OAuth and WS-Federation)
    • Claims-based authorization
    • Multiple Identity Providers (ADFSv2, Google, Live ID, etc.)
    • Ability to bring your own via membership
    • One to rule them all!
    • Easy for your users
    Windows Azure icons courtesy of David Pallmann.
  • 9. Key ACS Concepts
    • Relying Party (RP): Web application that outsources authentication to an authority it trusts. The RP is your app.
    • Identity Provider (IP): Authenticates users and issues tokens.
    • Token: Digitally signed security data issued after the user has authenticated. Used to gain access to the RP (your app).
    • Claim: Attributes about the authenticated user (age, birthdate, email address, name, etc.)
    • Federation Provider: Intermediary between the RP and IP. ACS is a Federation Provider.
    • STS: Simple Token Service – issues tokens containing claims. ACS is an STS.
  • 10. Authentication Workflow (diagram: Browser, Application, Identity Provider, Access Control)
    1. Request Resource
    2. Redirect to Identity Provider
    3. Login
    4. Authenticate & Issue Token
    5. Redirect to AC service
    6. Send Token to ACS
    7. Validate Token, Run Rules Engine, Issue Token
    8. Redirect to RP with ACS Token
    9. Send ACS Token to Relying Party
    10. Validate Token
    11. Return resource representation
    Courtesy Windows Azure Boot Camp
  • 11. Claims Enrichment
    • Identity Providers only provide a few claims
      – Microsoft Account / Live ID provides just one (Name Identifier)
      – Facebook, Google and Yahoo! provide at least three (email, name, name identifier)
      – ADFSv2 – http://msdn.microsoft.com/en-us/library/windowsazure/gg185971.aspx
    • Add more claims that are known to your application
      – ClaimsAuthenticationManager
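Added example (not from the deck): a ClaimsAuthenticationManager for .NET 4.5 that keys the application's own role lookup on the ACS identity-provider claim plus the name identifier, since a name identifier is only unique within the provider that issued it. The in-memory role table and its sample keys, the MyApp issuer string and the class name are constructed assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Added example (not from the deck). Registered in web.config under
// <system.identityModel><identityConfiguration>
//   <claimsAuthenticationManager type="MyApp.EnrichingClaimsAuthenticationManager, MyApp" />
// WIF calls Authenticate once per sign-in, after the ACS token has been validated,
// so this is the place to attach claims the application knows about.
public class EnrichingClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Claim ACS adds to name the identity provider that authenticated the user.
    private const string IdentityProviderClaim =
        "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

    // Stand-in for the application's own user/role store (constructed sample data).
    // Keyed on "<identity provider>|<name identifier>": a name identifier is only
    // unique within the provider that issued it, so the pair is the stable key.
    private static readonly Dictionary<string, string[]> RolesByUser =
        new Dictionary<string, string[]>(StringComparer.Ordinal)
        {
            { "Google|sample-google-name-identifier", new[] { "Manager", "Approver" } },
            { "uri:WindowsLiveID|sample-liveid-name-identifier", new[] { "Employee" } }
        };

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
        {
            return incomingPrincipal;   // nothing to enrich for anonymous requests
        }

        var identity = (ClaimsIdentity)incomingPrincipal.Identity;
        Claim provider = identity.FindFirst(IdentityProviderClaim);
        Claim nameId = identity.FindFirst(ClaimTypes.NameIdentifier);
        if (provider == null || nameId == null)
        {
            // Without both claims the user cannot be matched to a record; leave the
            // principal as-is (no application roles) rather than guessing.
            return incomingPrincipal;
        }

        string[] roles;
        if (RolesByUser.TryGetValue(provider.Value + "|" + nameId.Value, out roles))
        {
            foreach (string role in roles)
            {
                // The issuer names the application, so these role claims stay
                // distinguishable from any that arrived inside the ACS token.
                identity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, "MyApp"));
            }
        }
        return incomingPrincipal;
    }
}
```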
  • 13. Recap
    1. Create a new ASP.NET 4.5 Web Site
       a) Capture User.Identity.Name
    2. Create an ACS namespace
       a) Portal
       b) Visual Studio tooling
    3. Configure site using ‘Identity and Access’ tool in Visual Studio
       a) Provide ACS namespace and management password
       b) Enable desired Identity Providers (e.g. Google)
       c) Configure realm, reply-to address, etc.
    4. Optional: Add ClaimsAuthenticationManager
    5. Run it
  • 14. Tips & Tricks
    • WIF relies on the web.config file
    • Problematic for staging deployments – don’t know the URL until deployed
    • Add logic to WebRole’s OnStart() to update the WIF settings in web.config
      – Read in configuration settings from .cscfg
      – Update and save the web.config
      – Changing .cscfg settings can cause a role recycle . . . causing web.config to update
  • 15. Tips & Tricks
    • Staging vs. Production
      – WIF configuration in web.config
      – Staging URL unknown until deployment
      – Change WIF configuration in web.config during role startup
    See Vittorio Bertocci’s blog post at http://blogs.msdn.com/b/vbertocci/archive/2011/05/31/edit-and-apply-new-wif-s-config-settings-in-your-windows-azure-webrole-without-redeploying.aspx
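Added example (not from the deck or the linked post): a WebRole.OnStart() that rewrites the .NET 4.5 WIF settings in the deployed site's web.config from .cscfg values, covering slides 14 and 15. The setting names WifRealm and WifReplyUrl, the "Wif" prefix used to detect relevant .cscfg changes, and the assumption that the role runs elevated are mine; the "<instance id>_Web" site name is the full-IIS web role convention.

```csharp
using System.IO;
using System.Linq;
using System.Xml.Linq;
using Microsoft.Web.Administration;            // %windir%\system32\inetsrv\Microsoft.Web.Administration.dll
using Microsoft.WindowsAzure.ServiceRuntime;

// Added example (not from the deck): rewrite the .NET 4.5 WIF settings in the
// deployed site's web.config from .cscfg values when the role starts, so one
// package serves staging (URL unknown until deployed) and production.
// Needs <Runtime executionContext="elevated" /> in the .csdef: the site's
// web.config is not writable by the default role identity.
// Setting names WifRealm and WifReplyUrl are assumptions.
public class WebRole : RoleEntryPoint
{
    public override bool OnStart()
    {
        UpdateWifConfiguration(
            RoleEnvironment.GetConfigurationSettingValue("WifRealm"),
            RoleEnvironment.GetConfigurationSettingValue("WifReplyUrl"));

        // A .cscfg change does not recycle the role by itself; cancelling the
        // change forces a recycle so OnStart rewrites web.config with the new values.
        RoleEnvironment.Changing += (sender, e) =>
        {
            if (e.Changes.OfType<RoleEnvironmentConfigurationSettingChange>()
                         .Any(c => c.ConfigurationSettingName.StartsWith("Wif")))
            {
                e.Cancel = true;
            }
        };
        return base.OnStart();
    }

    // Full-IIS web roles host the site as "<instance id>_Web"; resolve its physical
    // path through IIS rather than guessing the sitesroot folder.
    private static string SiteWebConfigPath()
    {
        using (var iis = new ServerManager())
        {
            Site site = iis.Sites[RoleEnvironment.CurrentRoleInstance.Id + "_Web"];
            string root = site.Applications["/"].VirtualDirectories["/"].PhysicalPath;
            return Path.Combine(root, "web.config");
        }
    }

    private static void UpdateWifConfiguration(string realm, string replyUrl)
    {
        string path = SiteWebConfigPath();
        XDocument config = XDocument.Load(path);

        // <system.identityModel><identityConfiguration><audienceUris><add value="..." />
        // The audience URI is what makes a token issued for the staging realm
        // unacceptable to the production deployment, so it must follow the realm.
        XElement audience = config.Root.Element("system.identityModel")
            .Element("identityConfiguration").Element("audienceUris").Element("add");
        audience.SetAttributeValue("value", realm);

        // <system.identityModel.services><federationConfiguration><wsFederation realm="..." reply="..." />
        // Both values must match the relying party registered in ACS, or ACS will
        // not issue a token for this deployment.
        XElement wsFederation = config.Root.Element("system.identityModel.services")
            .Element("federationConfiguration").Element("wsFederation");
        wsFederation.SetAttributeValue("realm", realm);
        wsFederation.SetAttributeValue("reply", replyUrl);

        config.Save(path);   // touching web.config restarts the application domain
    }
}
```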
  • 16. Tips & Tricks
    • Cookie Encryption
      – DPAPI used to protect cookies sent to the client.
      – DPAPI not supported in Windows Azure
      – Use RsaEncryptionCookieTransform to encrypt with the same cert used for SSL.
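Added example (not the deck's code): Global.asax wiring for .NET 4.5 that swaps the DPAPI-based session cookie protection for RSA transforms keyed to the role's service certificate. It assumes the SSL certificate, private key included, is uploaded to the hosted service, declared in the .csdef and named in the serviceCertificate element of web.config.

```csharp
using System.Collections.Generic;
using System.IdentityModel;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;

// Added example (not from the deck): protect the WIF session cookie with RSA
// transforms bound to the service certificate instead of DPAPI. Every instance
// of the role holds the same certificate, so a cookie written by one instance
// is readable on any other, which DPAPI (machine-local keys) cannot provide.
public class Global : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        FederatedAuthentication.FederationConfigurationCreated += OnFederationConfigurationCreated;
    }

    private static void OnFederationConfigurationCreated(object sender, FederationConfigurationCreatedEventArgs e)
    {
        // ServiceCertificate is the certificate named under
        // <system.identityModel.services><federationConfiguration><serviceCertificate>;
        // it must be in the role's certificate store with its private key.
        var certificate = e.FederationConfiguration.ServiceCertificate;

        // Order matters: compress, then encrypt, then sign the encrypted bytes,
        // so tampering is detected before any decryption is attempted.
        var transforms = new List<CookieTransform>
        {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(certificate),
            new RsaSignatureCookieTransform(certificate)
        };

        var sessionHandler = new SessionSecurityTokenHandler(transforms.AsReadOnly());
        e.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
    }
}
```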
  • 18. Tips & Tricks
    • Change request validation
    • Use ASP.NET 2 validation (<httpRuntime requestValidationMode="2.0" />)
    • Custom validator
  • 19. Tips & Tricks
    <httpRuntime requestValidationType="AccessControlRequestValidator" />
    // Source: http://social.technet.microsoft.com/wiki/contents/articles/1725.windows-identity-foundation-wif-a-potentially-dangerous-request-form-value-was-detected-from-the-client-wresult-t-requestsecurityto.aspx
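Added example (not from the deck or the linked wiki page): the custom validator that slide 19 registers, written for .NET 4.5 / System.IdentityModel.Services. The class and namespace names are assumptions.

```csharp
using System;
using System.IdentityModel.Services;
using System.Web;
using System.Web.Util;

// Added example (not from the deck). Registered with
//   <httpRuntime requestValidationType="MyApp.AccessControlRequestValidator" />
// Only the wresult form field is exempted, and only when WIF can parse the POST as a
// WS-Federation sign-in response; every other field keeps ASP.NET 4 validation, which
// is what makes this preferable to switching the whole site to requestValidationMode="2.0".
public class AccessControlRequestValidator : RequestValidator
{
    protected override bool IsValidRequestString(
        HttpContext context,
        string value,
        RequestValidationSource requestValidationSource,
        string collectionKey,
        out int validationFailureIndex)
    {
        validationFailureIndex = 0;

        // WSFederationConstants.Parameters.Result is "wresult": the field that carries
        // the signed token as XML and trips the "potentially dangerous request" check.
        if (requestValidationSource == RequestValidationSource.Form
            && string.Equals(collectionKey, WSFederationConstants.Parameters.Result, StringComparison.Ordinal))
        {
            var message = WSFederationMessage.CreateFromFormPost(new HttpRequestWrapper(context.Request))
                as SignInResponseMessage;
            if (message != null)
            {
                // Parsing is not validation: the token's signature, audience and
                // expiry are still checked by WSFederationAuthenticationModule.
                return true;
            }
        }

        return base.IsValidRequestString(
            context, value, requestValidationSource, collectionKey, out validationFailureIndex);
    }
}
```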
  • 20. Gotchas
    • Single sign-out not currently supported
      – Provide a sign-out link for the specific Identity Provider
    • Windows Azure co-admin cannot administer an ACS namespace
      – Add Live ID, WAAD, Google, etc.
    • WIF not installed on Windows Azure roles (.NET 3.5)
      – Microsoft.IdentityModel CopyLocal = true
      – Install WIF via a startup task (recommended)
  • 21. The Impact for Mobile Apps
    • Social Networks
      – Important
      – Users likely already have at least one
      – Quick and easy signup
      – Potential for rapid user base expansion
    • Multiple identity provider choices via Windows Azure Mobile Services
  • 22. Windows Azure Mobile Services DEMO
  • 23. Recap
    • Windows Azure Mobile Services app
    • Developer accounts for social networks
      – Microsoft Account
      – Facebook
      – Twitter
      – Google
    • Add key/secret to WAMS app
    • Prompt for user authentication
        await App.MobileService.LoginAsync(MobileServiceAuthenticationProvider.Twitter);
    • Optional – Live SDK to use SSO in Windows Store apps
  • 24. Windows Azure Active Directory
    • Extends AD into the cloud
    • Started as directory for Office365
    • Provides single sign-on for cloud applications
    • Query-able social graph (native apps too)
    • Connect from any device and platform
      – RESTful access to the directory
      – XML/JSON request/response
    • Can sync or federate on-premises AD to cloud
    WAAD is in a Developer Preview status. ☺
  • 25. The Directory (diagram: directory objects linked by DirectReports and MemberOf)
  • 26. The Directory (diagram: Windows Azure Active Directory as a multi-tenant directory)
  • 27. The Directory (diagram: WAAD tenant synchronized from on-premises Active Directory via DirSync)
  • 28. Getting Started
    • Organization ID
      – Office365
      – Dev/Test Tenant: http://aka.ms/WAADSignup (<tenant>.onmicrosoft.com)
    • Windows Azure Subscription
    • Microsoft ASP.NET Tools for Windows Azure Active Directory
      – Visual Studio 2012
      – http://go.microsoft.com/fwlink/?LinkID=282306
    • Office365 / Windows Azure Active Directory Management Cmdlets
      – http://aka.ms/aadposh
  • 29. Windows Azure Active Directory – Setup and Connect to WAAD DEMO
  • 30. Recap
    1. Pre-reqs
       a) Windows Azure AD PowerShell cmdlets
       b) Windows Azure AD tenant
       c) Visual Studio tools
    2. Create new ASP.NET 4.5 web site
    3. ‘Enable Windows Azure Authentication’
       a) Under ‘Project’ menu in Visual Studio
       b) Authenticate with WAAD administrative account
    4. Run
  • 31. Graph API
    • RESTful interface for Windows Azure AD
      – Compatible with OData V3
      – Use latest WCF 5.3 update (API v0.9)
      – OAuth 2.0 for authentication
    • Programmatic access to the directory
      – DirectoryObject – User, Group, Role, Licenses, Tenant, etc.
      – Links – memberOf, directReports
    • Standard HTTP methods
      – GET, POST, PATCH, DELETE for directory objects
      – HTTP status codes
  • 32. Directory Permissions
    • The application has rights to the directory, not the authenticated user
    • Your application == service principal
    • Application Roles
      – Partner Tier1 Support
      – Partner Tier2 Support
      – Company Administrator
      – Helpdesk Administrator
      – Directory Readers
      – Directory Writers
      – Billing Administrator
      – Service Support Administrator
      – User Account Administrator
  • 33. Request
    GET https://graph.windows.net/michaelcollier.onmicrosoft.com/directoryObjects/$/Microsoft.WindowsAzure.ActiveDirectory.User()?%24filter=userPrincipalName+eq+%27michael%40michaelcollier.onmicrosoft.com%27&%24top=2&api-version=0.9 HTTP/1.1
    User-Agent: Microsoft ADO.NET Data Services
    DataServiceVersion: 3.0;NetFx
    MaxDataServiceVersion: 3.0;NetFx
    Accept: application/atom+xml,application/xml
    Accept-Charset: UTF-8
    DataServiceUrlConventions: KeyAsSegment
    Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1THdqcHdBSk9NOW4tQSJ9.eyJhdWQiOiIwMDAwMDAwMi0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAvZ3JhcGgud2luZG93cy5uZXRAMTEyNzExNTktYWJjOC00ZTBlLWIzYzItYzJhMDg1OGEwMzZiIiwiaXNzIjoiMDAwMDAwMDEtMDAwMC0wMDAwLWMwMDAtMDAwMDAw……
    Host: graph.windows.net
  • 34. Response
    <?xml version="1.0" encoding="utf-8"?>
    <feed xml:base="https://graph.windows.net/michaelcollier.onmicrosoft.com/"
          xmlns="http://www.w3.org/2005/Atom"
          xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices"
          xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
          xmlns:georss="http://www.georss.org/georss"
          xmlns:gml="http://www.opengis.net/gml">
      <id>https://graph.windows.net/michaelcollier.onmicrosoft.com/directoryObjects/$/Microsoft.WindowsAzure.ActiveDirectory.User</id>
      <title type="text">Microsoft.WindowsAzure.ActiveDirectory.User</title>
      <updated>2013-03-21T00:58:34Z</updated>
      <link rel="self" title="Microsoft.WindowsAzure.ActiveDirectory.User" href="Microsoft.WindowsAzure.ActiveDirectory.User" />
      <entry>
        <id>https://graph.windows.net/michaelcollier.onmicrosoft.com/directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6</id>
        <category term="Microsoft.WindowsAzure.ActiveDirectory.User" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
        <link rel="edit" title="User" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User" />
        <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/manager" type="application/atom+xml;type=entry" title="manager" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/manager" />
        <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/directReports" type="application/atom+xml;type=feed" title="directReports" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/directReports" />
        <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/members" type="application/atom+xml;type=feed" title="members" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/members" />
        <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/memberOf" type="application/atom+xml;type=feed" title="memberOf" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/memberOf" />
        <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/permissions" type="application/atom+xml;type=feed" title="permissions" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/permissions" />
  • 35. Response (continued)
        <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/edit-media/thumbnailPhoto" title="thumbnailPhoto" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/thumbnailPhoto" />
        <m:action metadata="https://graph.windows.net/michaelcollier.onmicrosoft.com/$metadata#DirectoryDataService.assignLicense" title="assignLicense" target="https://graph.windows.net/michaelcollier.onmicrosoft.com/directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/assignLicense" />
        <content type="application/xml">
          <m:properties>
            <d:objectType>User</d:objectType>
            <d:objectId>23dc9514-64ec-4c94-8f03-4edf9016b2a6</d:objectId>
            <d:accountEnabled m:type="Edm.Boolean">true</d:accountEnabled>
            <d:assignedLicenses m:type="Collection(Microsoft.WindowsAzure.ActiveDirectory.AssignedLicense)" />
            <d:assignedPlans m:type="Collection(Microsoft.WindowsAzure.ActiveDirectory.AssignedPlan)" />
            <d:city m:null="true" />
            <d:displayName>Michael Collier</d:displayName>
            <d:givenName>Michael</d:givenName>
            <d:mailNickname>michael</d:mailNickname>
            <d:mobile>+1 6142883146</d:mobile>
            <d:otherMails m:type="Collection(Edm.String)">
              <d:element>michaelscollier@gmail.com</d:element>
            </d:otherMails>
            <d:userPrincipalName>michael@michaelcollier.onmicrosoft.com</d:userPrincipalName>
          </m:properties>
        </content>
      </entry>
    </feed>
    * Some elements removed for readability.
  • 36. Windows Azure Authentication Library (WAAL)
    • Simplifies authentication
    • Client-side only
      – Used to obtain an authentication token only; no token validation
      – Web apps/services or rich clients
    • Server-side token authentication
      – JSON Web Token Handler (JWT Handler)
      – Samples: http://code.msdn.com – search “aal”, filter Technology = Windows Azure, Visual Studio Version = VS2012 (AAL > Windows Azure > Visual Studio 2012)
  • 37. Registering Your App with WAAD
    • AppPrincipalId (ServicePrincipal)
      – identityConfiguration/audienceUris
      – system.identityModel.services/federationConfiguration/wsFederation
    • Read this blog post by Vittorio Bertocci
      – http://www.cloudidentity.com/blog/2013/01/22/group-amp-role-claims-use-the-graph-api-to-get-back-isinrole-and-authorize-in-windows-azure-ad-apps/
  • 38. Registering Your App with WAAD
    Import-Module MSOnlineExtended -Force

    # Connect to the WAAD tenant. Use tenant admin credentials (the same ones used
    # in the MVC VS2012 tools): <user>@<tenant>.onmicrosoft.com
    Connect-MsolService

    # The AppPrincipalId from the web.config
    $AppPrincipalId = '9a90ed83-acff-44d7-813f-d7e724fef1aa'

    # Get the Service Principal object
    $servicePrincipal = Get-MsolServicePrincipal -AppPrincipalId $AppPrincipalId

    # Add the service principal to the appropriate role in WAAD. The role grants the
    # application (not the signed-in user) its directory rights, so pick the narrowest
    # role that covers what the application actually does.
    Add-MsolRoleMember -RoleMemberType "ServicePrincipal" -RoleName "User Account Administrator" -RoleMemberObjectId $servicePrincipal.ObjectId

    # Dates for which the credential is valid (1 year)
    $timeNow = Get-Date
    $expiryTime = $timeNow.AddYears(1)

    # Generate the symmetric key (256 bits from the OS CSPRNG)
    $cryptoProvider = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $byteArr = New-Object byte[] 32
    $cryptoProvider.GetBytes($byteArr)
    $signingKey = [Convert]::ToBase64String($byteArr)

    # The key is the application's shared secret with WAAD: signingKey.txt holds it in
    # plaintext, so move it into the application's configuration and delete the file.
    Write-Output $signingKey | Out-File signingKey.txt

    # Create a new service principal credential with the created key, and assign it to the service principal.
    New-MsolServicePrincipalCredential -AppPrincipalId $AppPrincipalId -Type symmetric -StartDate $timeNow -EndDate $expiryTime -Usage Verify -Value $signingKey
  • 39. WAAD and Expense Application (Code Walkthrough) DEMO
  • 40. Going Further
    • Multitenant applications
      – Leverage identity from other WAAD tenants
      – http://www.windowsazure.com/en-us/develop/net/tutorials/multitenant-apps-for-active-directory/
    • Phone 2FA
      – Additional administrative users
      – Username/pwd + text message code
      – ONLY for WAAD users and applications now
    • Configure as an Identity Provider in ACS
  • 41. Windows Azure Virtual Network (diagram: Site-to-Site VPN Tunnel between Windows Azure and the on-premises network; currently in Preview. Image courtesy of the Windows Azure Training Kit)
  • 42. Summary
    • Traditional identity management in the cloud is hard
      – Many external islands of identity
      – Current technology hard or not interoperable
    • ACS provides standards-based approach
      – Integrates with Windows Identity Foundation
      – Claims-based authorization
      – Built-in support for ADFSv2, Google, Live ID, Yahoo!, & Facebook
    • Enrich functionality using WIF
    • Leverage Windows Azure Mobile Services for mobile apps
    • Windows Azure Active Directory shows the future direction
  • 43. Resources
    • Windows Azure ACS Guide – http://www.windowsazure.com/en-us/develop/net/how-to-guides/access-control/#config-trust
    • Programming Windows Identity Foundation, Vittorio Bertocci
    • CloudIdentity.com, Vittorio Bertocci’s blog
    • “Claims-Based Authorization with WIF”, Michele Bustamante – http://msdn.microsoft.com/en-us/magazine/ee335707.aspx
    • ACS Cheat Sheet – http://bit.ly/ACSCheatSheet
    • ACS How To’s – http://bit.ly/ACSHowTo
    • ACS Tips – http://bit.ly/HYhxjY
    • Publishing an ACS v2 Federated Identity Web Role – http://bit.ly/HPT6rk
    • MVC Sample App for Windows Azure Active Directory Graph – http://code.msdn.microsoft.com/Write-Sample-App-for-79e55502
    • Windows Azure Active Directory Graph Team – http://blogs.msdn.com/b/aadgraphteam/
  • 45. Thank You!! Michael S. Collier National Architect, Cloud michael.collier@neudesic.com @MichaelCollier www.MichaelSCollier.com http://www.slideshare.net/buckeye01 Please fill out your session evals!