Identity management for cloud deployed applications can be a challenge. Often users will want to leverage an existing social network or corporate identity. Now we have to worry about dealing with multiple APIs, any updates to those APIs, or the addition of new identity providers. Windows Azure Access Control Services offers a better way! ACS allows for federated user authentication via popular social networks and Active Directory. In this session we’ll provide a crash course in claims as they relate to identity management. We’ll discuss why claims are important and how to add additional claims beyond what is provided by the identity providers. We'll also take a look at Windows Azure Active Directory and see how to manage corporate identities in the cloud.
Using Windows Azure for Solving Identity Management Challenges (Visual Studio Live, Las Vegas 2013)
1. Using Windows Azure for Solving Identity Management Challenges
Michael S. Collier
National Architect, Cloud
Level: Intermediate
2. About Me
Michael S. Collier
National Architect, Cloud
michael.collier@neudesic.com
@MichaelCollier
www.MichaelSCollier.com
http://www.slideshare.net/buckeye01
3. Agenda
• Identity Management Challenges
• Access Control Services
– Claims
– Setup tips
– Gotchas
• Windows Azure Mobile Services
– Quickly leverage social identities
• Windows Azure Active Directory
– What it is
– Quick setup
– Exploring the directory graph
4. Who Are You?
• Personalization
• Business Rules
• Functionality / Features
5. Traditional Identity Management
• Windows Integrated Authentication (Active Directory)
• Membership Provider
• Proven Approach
• Leverage WIF?
(Diagram: “My Enterprise”, containing SQL and AD)
6. Cloud? We Have a Problem
• Multiple islands of identity
• Environment not under our physical control
• Disconnected from the enterprise (potentially)
7. Options
• Social Networks
– They change . . . often
– The right one?
– Another?
– More work!
– Microsoft Account (new)
• Membership Provider
– SQL Database
– Table Storage
– Pros: mostly known entity; migrate existing data
– Cons: user management; security leak
8. Windows Azure Access Control Service
• No need to build your own identity management solution.
• Authenticate (WIF – OAuth and WS-Federation)
• Claims-based authorization
• Multiple Identity Providers (ADFSv2, Google, Live ID, etc.)
• Ability to bring your own via membership
• One to rule them all!
• Easy for your users
Windows Azure icons courtesy of David Pallmann.
9. Key ACS Concepts
• Relying Party (RP): Web application that outsources authentication to an authority it trusts. The RP is your app.
• Identity Provider (IP): Authenticates users and issues tokens.
• Token: Digitally signed security data issued after the user has authenticated. Used to gain access to the RP (your app).
• Claim: Attributes about the authenticated user (age, birthdate, email address, name, etc.)
• Federation Provider: Intermediary between the RP and IP. ACS is a Federation Provider.
• STS: Security Token Service – issues tokens containing claims. ACS is an STS.
10. Authentication Workflow
(Diagram: sequence between Browser, Identity Provider, Access Control and Application)
1. Request Resource
2. Redirect to Identity Provider
3. Login
4. Authenticate & Issue Token
5. Redirect to AC service
6. Send Token to ACS
7. Validate Token, Run Rules Engine, Issue Token
8. Redirect to RP with ACS Token
9. Send ACS Token to Relying Party
10. Validate Token
11. Return resource representation
Courtesy Windows Azure Boot Camp
11. Claims Enrichment
• Identity Providers only provide a few claims
– Microsoft Account / Live ID provides just one (Name Identifier)
– Facebook, Google and Yahoo! provide at least three (email, name, name identifier)
– ADFSv2: http://msdn.microsoft.com/en-us/library/windowsazure/gg185971.aspx
• Add more claims that are known to your application
– ClaimsAuthenticationManager
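The ClaimsAuthenticationManager mentioned above is the WIF extension point where the application adds its own claims to the principal that ACS hands it. The following is an added example written for this page, not code from the deck or from Microsoft; the class name AppClaimsAuthenticationManager, the issuer string "MyApp" and the KnownUsers table are constructed for illustration (a real application would query its own user store). The identity-provider claim type is the one ACS stamps on every token it issues; the lookup is keyed on provider plus name identifier because a name identifier is only unique within the provider that issued it.

```csharp
using System.Collections.Generic;
using System.Security.Claims;

// Register in web.config (assembly name is an assumption):
// <system.identityModel><identityConfiguration>
//   <claimsAuthenticationManager type="AppClaimsAuthenticationManager, MyWebApp" />
// </identityConfiguration></system.identityModel>
public class AppClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Claim type ACS adds to every token it issues; its value names the upstream identity provider.
    private const string IdentityProviderClaimType =
        "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

    // Constructed sample data: "<identity provider>|<name identifier>" -> application roles.
    private static readonly Dictionary<string, string[]> KnownUsers = new Dictionary<string, string[]>
    {
        { "Google|user-123",   new[] { "Admin", "Reader" } },
        { "Facebook|user-456", new[] { "Reader" } }
    };

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        // Anonymous requests pass through untouched; enrichment applies only to authenticated users.
        if (incomingPrincipal == null || incomingPrincipal.Identity == null
            || !incomingPrincipal.Identity.IsAuthenticated)
        {
            return incomingPrincipal;
        }

        var identity = (ClaimsIdentity)incomingPrincipal.Identity;
        Claim providerClaim = identity.FindFirst(IdentityProviderClaimType);
        Claim nameIdClaim = identity.FindFirst(ClaimTypes.NameIdentifier);
        if (providerClaim == null || nameIdClaim == null)
        {
            // Without both claims there is no reliable key into the user store, so add nothing.
            return incomingPrincipal;
        }

        // The same name-identifier value from two different providers is two different people,
        // so the provider has to be part of the key.
        string key = providerClaim.Value + "|" + nameIdClaim.Value;

        string[] roles;
        if (KnownUsers.TryGetValue(key, out roles))
        {
            foreach (string role in roles)
            {
                // Issuer "MyApp" marks these as claims the application added itself, so they stay
                // distinguishable from claims that came from ACS or the identity provider.
                identity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, "MyApp"));
            }
        }

        return incomingPrincipal;
    }
}
```

The manager runs once per request after WIF has validated the incoming token, so the role claims it adds are available to [Authorize(Roles = "Admin")] and to ClaimsPrincipal.IsInRole for the rest of the pipeline.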
13. Recap
1. Create a new ASP.NET 4.5 Web Site
a) Capture User.Identity.Name
2. Create an ACS namespace
a) Portal
b) Visual Studio tooling
3. Configure site using the ‘Identity and Access’ tool in Visual Studio
a) Provide ACS namespace and management password
b) Enable desired Identity Providers (e.g. Google)
c) Configure realm, reply-to address, etc.
4. Optional: Add ClaimsAuthenticationManager
5. Run it
14. Tips & Tricks
• WIF relies on the web.config file
• Problematic for staging deployments – don’t know the URL until deployed
• Add logic to WebRole’s OnStart() to update the WIF settings in web.config
– Read in configuration settings from .cscfg
– Update and save the web.config
– Changing .cscfg settings can cause a role recycle . . . causing web.config to update
15. Tips & Tricks
• Staging vs. Production
– WIF configuration in web.config
– Staging URL unknown until deployment
– Change WIF configuration in web.config during role startup
See Vittorio Bertocci’s blog post at http://blogs.msdn.com/b/vbertocci/archive/2011/05/31/edit-and-apply-new-wif-s-config-settings-in-your-windows-azure-webrole-without-redeploying.aspx
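The two preceding slides describe rewriting the WIF section of web.config from OnStart() so that the realm and reply URL match whichever slot (staging or production) the role was actually deployed to. The following is an added example for this page, not Vittorio Bertocci’s code or the deck’s; the class name WebRole, the .cscfg setting names WifRealm and WifReplyUrl, and the web.config path under %RoleRoot%\sitesroot\0 are assumptions. It edits the same two elements slide 37 lists: system.identityModel.services/federationConfiguration/wsFederation and identityConfiguration/audienceUris.

```csharp
using System;
using System.IO;
using System.Xml.Linq;
using Microsoft.WindowsAzure.ServiceRuntime;

// Assumption: the role runs elevated (<Runtime executionContext="elevated" /> in the .csdef),
// otherwise the role process cannot write to the site's web.config.
public class WebRole : RoleEntryPoint
{
    public override bool OnStart()
    {
        // Assumption: a full-IIS web role serves its site from <RoleRoot>\sitesroot\0.
        string roleRoot = Environment.GetEnvironmentVariable("RoleRoot") ?? ".";
        string webConfigPath = Path.Combine(roleRoot, @"sitesroot\0\web.config");

        // Both values live in the .cscfg, so they can differ per slot and be changed in the portal.
        string realm = RoleEnvironment.GetConfigurationSettingValue("WifRealm");
        string reply = RoleEnvironment.GetConfigurationSettingValue("WifReplyUrl");

        UpdateWifSettings(webConfigPath, realm, reply);

        // A later .cscfg change recycles the role, which runs OnStart() again and rewrites the file.
        return base.OnStart();
    }

    // Rewrites realm, reply and the audience list; kept separate so it can be run against a test file.
    public static void UpdateWifSettings(string webConfigPath, string realm, string reply)
    {
        XDocument doc = XDocument.Load(webConfigPath);

        // system.identityModel.services/federationConfiguration/wsFederation: where WIF sends the
        // browser and where ACS is told to post the token back to.
        XElement wsFederation = doc.Root
            .Element("system.identityModel.services")
            .Element("federationConfiguration")
            .Element("wsFederation");
        wsFederation.SetAttributeValue("realm", realm);
        wsFederation.SetAttributeValue("reply", reply);

        // system.identityModel/identityConfiguration/audienceUris: the realm must also be an accepted
        // audience, or WIF rejects the token ACS issues for the new realm.
        XElement audienceUris = doc.Root
            .Element("system.identityModel")
            .Element("identityConfiguration")
            .Element("audienceUris");
        audienceUris.RemoveNodes();
        audienceUris.Add(new XElement("add", new XAttribute("value", realm)));

        doc.Save(webConfigPath);
    }
}
```

The reply URL written here has to match the return URL registered for the relying party in the ACS namespace; if the two disagree, ACS refuses to post the token to the site, so the same .cscfg values should drive both sides of that configuration.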
16. Tips & Tricks
• Cookie Encryption
– DPAPI used to protect cookies sent to the client.
– DPAPI not supported in Windows Azure
– Use RsaEncryptionCookieTransform to encrypt with the same cert used for SSL.
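The replacement of DPAPI with RsaEncryptionCookieTransform is done by handing WIF a SessionSecurityTokenHandler with a different transform chain. This is an added example for this page (WIF 4.5, System.IdentityModel namespaces), not the deck’s own code; the class name SessionCookieProtection is an assumption, and it expects the SSL certificate to be the one configured as serviceCertificate in web.config and installed on every role instance.

```csharp
using System.Collections.Generic;
using System.IdentityModel;
using System.IdentityModel.Services;
using System.IdentityModel.Tokens;

// Call SessionCookieProtection.Register() once from Application_Start in Global.asax.
public static class SessionCookieProtection
{
    public static void Register()
    {
        // Fires once, when WIF first builds its configuration from web.config.
        FederatedAuthentication.FederationConfigurationCreated += (sender, e) =>
        {
            // The serviceCertificate from web.config: the same certificate that terminates SSL.
            // Every instance behind the load balancer holds it, so every instance can read the cookie,
            // which is exactly what a per-machine DPAPI key cannot provide.
            var cert = e.FederationConfiguration.ServiceCertificate;

            // Transforms are applied in this order when the cookie is written and reversed when read.
            var transforms = new List<CookieTransform>
            {
                new DeflateCookieTransform(),            // compress before encrypting
                new RsaEncryptionCookieTransform(cert),  // confidentiality, replaces the DPAPI transform
                new RsaSignatureCookieTransform(cert)    // integrity: sign the encrypted payload
            };

            var sessionHandler = new SessionSecurityTokenHandler(transforms.AsReadOnly());

            // Replace WIF's default session handler (the one that uses DPAPI) with ours.
            e.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
        };
    }
}
```

Rotating the SSL certificate invalidates existing session cookies, since the new certificate cannot decrypt or verify cookies produced with the old one; users simply sign in again, which is the safe failure mode.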
20. Gotchas
• Single sign-out not currently supported
– Provide a sign-out link for the specific Identity Provider
• Windows Azure co-admin cannot administer an ACS namespace
– Add Live ID, WAAD, Google, etc.
• WIF not installed on Windows Azure roles (.NET 3.5)
– Microsoft.IdentityModel CopyLocal = true
– Install WIF via a startup task (recommended)
21. The Impact for Mobile Apps
• Social Networks – Important
– Users likely already have at least one
– Quick and easy signup
– Potential for rapid user base expansion
• Multiple identity provider choices via Windows Azure Mobile Services
23. Recap
• Windows Azure Mobile Services app
• Developer accounts for social networks
– Microsoft Account
– Facebook
– Twitter
– Google
• Add key/secret to WAMS app
• Prompt for user authentication
await App.MobileService.LoginAsync(MobileServiceAuthenticationProvider.Twitter);
• Optional
– Live SDK to use SSO in Windows Store apps
24. Windows Azure Active Directory
• Extends AD into the cloud
• Started as directory for Office365
• Provides single sign-on for cloud applications
• Query-able social graph (native apps too)
• Connect from any device and platform
– RESTful access to the directory
– XML/JSON request/response
• Can sync or federate on-premises AD to cloud
WAAD is in a Developer Preview status. ☺
26. The Directory
(Diagram: Windows Azure Active Directory as a multi-tenant directory)
27. The Directory
(Diagram: on-premises Active Directory synchronized through DirSync into a WAAD tenant)
28. Getting Started
• Organization ID
– Office365
– Dev/Test Tenant: http://aka.ms/WAADSignup (<tenant>.onmicrosoft.com)
• Windows Azure Subscription
• Microsoft ASP.NET Tools for Windows Azure Active Directory – Visual Studio 2012
– http://go.microsoft.com/fwlink/?LinkID=282306
• Office365 / Windows Azure Active Directory Management Cmdlets
– http://aka.ms/aadposh
30. Recap
1. Pre-reqs
a) Windows Azure AD PowerShell cmdlets
b) Windows Azure AD tenant
c) Visual Studio tools
2. Create new ASP.NET 4.5 web site
3. ‘Enable Windows Azure Authentication’
a) Under ‘Project’ menu in Visual Studio
b) Authenticate with WAAD administrative account
4. Run
31. Graph API
• RESTful interface for Windows Azure AD
– Compatible with OData V3
– Use latest WCF 5.3 update (API v0.9)
– OAuth 2.0 for authentication
• Programmatic access to the directory
– DirectoryObject – User, Group, Role, Licenses, Tenant, etc.
– Links – memberOf, directReports
• Standard HTTP methods
– GET, POST, PATCH, DELETE for directory objects
– HTTP status codes
32. Directory Permissions
• The application has rights to the directory, not the authenticated user
• Your application == service principal
• Application Roles
– Partner Tier1 Support
– Partner Tier2 Support
– Company Administrator
– Helpdesk Administrator
– Directory Readers
– Directory Writers
– Billing Administrator
– Service Support Administrator
– User Account Administrator
36. Windows Azure Authentication Library (WAAL)
• Simplifies authentication
• Client-side only
– Used to obtain an authentication token only; no token validation
– Web apps/services or rich clients
• Server-side token authentication
– JSON Web Token Handler (JWT Handler)
– Samples: http://code.msdn.com – search “aal”, filter Technology = Windows Azure, Visual Studio Version = VS2012 (AAL > Windows Azure > Visual Studio 2012)
37. Registering Your App with WAAD
• AppPrincipalId (ServicePrincipal)
– identityConfiguration/audienceUris
– system.identityModel.services/federationConfiguration/wsFederation
• Read this blog post by Vittorio Bertocci
– http://www.cloudidentity.com/blog/2013/01/22/group-amp-role-claims-use-the-graph-api-to-get-back-isinrole-and-authorize-in-windows-azure-ad-apps/
38. Registering Your App with WAAD
Import-Module MSOnlineExtended -Force
# Connect to the WAAD tenant. Use tenant admin credentials (the same ones used in the MVC VS2012 tools):
# <user>@<tenant>.onmicrosoft.com
Connect-MsolService
# The AppPrincipalId from the web.config
$AppPrincipalId = '9a90ed83-acff-44d7-813f-d7e724fef1aa'
# Get the Service Principal object for the application
$servicePrincipal = Get-MsolServicePrincipal -AppPrincipalId $AppPrincipalId
# Add the service principal to the appropriate role in WAAD.
# Pick the least-privileged role from the list on slide 32 that covers what the app actually does
# (for a read-only app that is Directory Readers, not User Account Administrator).
Add-MsolRoleMember -RoleMemberType "ServicePrincipal" -RoleName "User Account Administrator" -RoleMemberObjectId $servicePrincipal.ObjectId
# Dates for which the credential is valid (1 year)
$timeNow = Get-Date
$expiryTime = $timeNow.AddYears(1)
# Generate the 256-bit symmetric key from a cryptographic RNG
$cryptoProvider = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$byteArr = New-Object byte[] 32
$cryptoProvider.GetBytes($byteArr)
$signingKey = [Convert]::ToBase64String($byteArr)
# signingKey.txt now holds the application's secret; keep it out of source control
Write-Output $signingKey | Out-File signingKey.txt
# Create a new service principal credential with the generated key and assign it to the service principal.
New-MsolServicePrincipalCredential -AppPrincipalId $AppPrincipalId -Type symmetric -StartDate $timeNow -EndDate $expiryTime -Usage Verify -Value $signingKey
40. Going Further
• Multitenant applications
– Leverage identity from other WAAD tenants
– http://www.windowsazure.com/en-us/develop/net/tutorials/multitenant-apps-for-active-directory/
• Phone 2FA
– Additional administrative users
– Username/pwd + text message code
– ONLY for WAAD users and applications now
• Configure as an Identity Provider in ACS
41. Windows Azure Virtual Network
(Diagram: site-to-site VPN tunnel between the on-premises network and Windows Azure; currently in Preview. Image courtesy of the Windows Azure Training Kit)
42. Summary
• Traditional identity management in the cloud is hard
– Many external islands of identity
– Current technology hard or not interoperable
• ACS provides standards-based approach
– Integrates with Windows Identity Foundation
– Claims-based authorization
– Built-in support for ADFSv2, Google, Live ID, Yahoo!, & Facebook
• Enrich functionality using WIF
• Leverage Windows Azure Mobile Services for mobile apps
• Windows Azure Active Directory shows the future direction
43. Resources
• Windows Azure ACS Guide
– http://www.windowsazure.com/en-us/develop/net/how-to-guides/access-control/#config-trust
• Programming Windows Identity Foundation, Vittorio Bertocci
• CloudIdentity.com, Vittorio Bertocci’s blog
• “Claims-Based Authorization with WIF”, Michele Bustamante
– http://msdn.microsoft.com/en-us/magazine/ee335707.aspx
• ACS Cheat Sheet – http://bit.ly/ACSCheatSheet
• ACS How To’s – http://bit.ly/ACSHowTo
• ACS Tips – http://bit.ly/HYhxjY
• Publishing an ACS v2 Federated Identity Web Role – http://bit.ly/HPT6rk
• MVC Sample App for Windows Azure Active Directory Graph
– http://code.msdn.microsoft.com/Write-Sample-App-for-79e55502
• Windows Azure Active Directory Graph Team
– http://blogs.msdn.com/b/aadgraphteam/
45. Thank You!!
Michael S. Collier
National Architect, Cloud
michael.collier@neudesic.com
@MichaelCollier
www.MichaelSCollier.com
http://www.slideshare.net/buckeye01
Please fill out your session evals!