How AD has been re-engineered to extend to the cloud
1. How AD has been re-engineered to extend to the Cloud
Philippe Beraud, @philberd
Architect | Office of CTO | Microsoft France
2. A Brief History
Over the years, three main models have emerged and coexist
1. Identity model of the "firewall age"
• Concept of security and administrative domains/realms
• Collection of resources tightly integrated under a single and closed administration
• Age of organization’s directory services and NOS but also the beginning of metadirectories and other virtual directories to manage multiple identities silos
2. Identity model for the age of the Internet
• Consideration of suppliers, customers, and partners as a different category of objects BUT still in the same "administrative domain"
• Declaration of these objects in various repositories while having the need for a unified management
3. A Brief History (cont’d)
Over the years, three main models have emerged and coexist
3. First generation of the identity ecosystem model
• Concept of the so-called extended enterprise for collaboration with suppliers and partners as well as the interaction with customers
• Age of Web SSO and of identity federation, with a HUGE step crossed BUT ALSO a lot of complexity, burdens, etc.
4. About Windows Server Active Directory (AD)
Windows Server Active Directory (AD) represents an illustration of products and technologies that sustain these three models
• AD is an on-premises LDAP v3 (RFC 4510 compliant) Directory Service
  • Active Directory Domain Services (AD DS)
  • Active Directory Lightweight Directory Services (AD LDS)
• With complementary services
  • Active Directory Federation Services (AD FS)
  • Active Directory Certificate Services (AD CS)
  • Active Directory Rights Management Services (AD RMS)
  • Forefront Identity Manager (FIM)
5. Towards a New Identity Model
Identity (and Access) Management as a Service (IdMaaS)
• Commodities accessible to EVERYONE
  • "Organization-owned" identity provider for applications wherever they run, whatever they are, on any platform, on any device
  • Central "hub" to provision/de-provision/manage users and their common devices
• Consolidation with the on-premises environment, the SaaS/multi-tenant applications, etc.
  • Seamless federation and synchronization with on-premises directory services
  • Multi-factor authentication
• Replace today's complexity at the application level with an IdMaaS feature
• Combine the most advanced capabilities with the externalization of operations to achieve a reduction in risk, effort and cost
• Control or even reduce costs by taking full advantage of the efficiency of the Cloud and automation
7. Windows Azure Active Directory (AAD)
AAD is NOT on-premises Windows Server AD in the Cloud
AAD is an enterprise-class IdMaaS cloud-based solution
• AAD offers a large set of features at NO cost
AAD is the Directory Service for Microsoft’s Online services
• Office 365, Dynamics CRM Online, Windows Intune, and now the Windows Azure Portal
Microsoft Account (Live ID) is yet ANOTHER identity infrastructure
8. AAD Design Principles (cont’d)
Such a Cloud-based service requires specific capabilities
• Optimization of availability, consistent performance, scalability, geo-redundancy, etc., but NOT only
AAD is a multi-tenant environment
• "Organization-owned" tenant - the customer organization owns the data of its directory, NOT Microsoft
AAD relies on a schema
• For the semi-structured information on entities and their relationships
AAD does not allow for a custom schema
AAD will however provide the ability for attribute extensions, links to (external) resources, etc.
• As per Windows Azure Graph Store capabilities (Preview)
9. AAD Design Principles (cont’d)
AAD aims at maximizing the reach in terms of platforms and devices
• AAD uses HTTP/web/REST-based modern protocols for identity and access management
AAD provides a RESTful interface for CRUD operations
• The Directory Graph API provides programmatic access to typed directory objects and their relationships
  • POST, GET, PATCH and DELETE are used to create, read, update and delete
  • Responses support JSON and XML, with standard HTTP status codes
  • Compatible with OASIS OData
• The Directory Graph API supports OAuth 2.0 for authentication, role-based assignment for apps, and user authorization
• Operations are scoped to an individual tenant context
11. AAD Design Principles (cont’d)
AAD is not AD or LDAP in the cloud, BUT there are four aspects to LDAP:
• LDAP – network communications protocol (389/636)
  • AAD supports a RESTful Directory Graph API over HTTP/S (and PowerShell) (with OAuth 2.0) instead of LDAP or Kerberos
  http://msdn.microsoft.com/en-us/library/windowsazure/hh974476.aspx
• LDAP – object data model with inheritance
  • AAD supports the Graph Entity Data Model with inheritance
  http://msdn.microsoft.com/en-us/library/ee382825.aspx
• LDAP – layout (namespace) is hierarchical (e.g. ou=)
  • AAD is a flat namespace, that includes groups and abstract containers, in a multi-tenant environment
  http://msdn.microsoft.com/en-us/library/ee382835(v=vs.110).aspx
• LDAP – distribution model, aka replication
  • AAD is a managed service with geo-redundancy
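The REST/OAuth 2.0 access path described on slides 9 and 11 (tenant-scoped Graph URL, bearer token from the client-credentials grant, CRUD verbs, OData paging), as an added worked example that is not code from the deck or from Microsoft. It assumes a placeholder tenant contoso.onmicrosoft.com, a placeholder client id and secret, the 2013-04-05 api-version, and the login.windows.net / graph.windows.net endpoints of that period; FAKE_SERVER is a constructed two-page response standing in for the network so the script runs offline.

```python
"""Talking to the Windows Azure AD Directory Graph API over HTTPS with an OAuth 2.0
bearer token. Added example, not code from the deck; tenant, client id and secret are
placeholders, and FAKE_SERVER stands in for graph.windows.net so it runs offline."""
import json
import urllib.parse
import urllib.request

LOGIN_BASE = "https://login.windows.net"   # OAuth 2.0 token endpoint host (assumed, era of the deck)
GRAPH_BASE = "https://graph.windows.net"   # Directory Graph API host
API_VERSION = "2013-04-05"                 # Graph API version assumed for this example


def build_token_request(tenant, client_id, client_secret):
    """Client-credentials grant: the app authenticates with its own secret, no user involved.
    The tenant sits in the URL path, so the token is issued for that tenant only."""
    url = f"{LOGIN_BASE}/{tenant}/oauth2/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,   # placeholder; never keep a real secret in source
        "resource": GRAPH_BASE,           # audience the token must be valid for
    }
    return url, urllib.parse.urlencode(form).encode(), {"Content-Type": "application/x-www-form-urlencoded"}


def parse_token_response(raw):
    """Return (access_token, expires_in_seconds); refuse errors and anything but a bearer token."""
    data = json.loads(raw)
    if "error" in data:
        raise PermissionError(f"{data['error']}: {data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token_type {data.get('token_type')!r}")
    return data["access_token"], int(data["expires_in"])


def graph_url(tenant, path_and_query):
    """Tenant-scoped Graph URL with api-version appended (calls without it are rejected)."""
    sep = "&" if "?" in path_and_query else "?"
    return f"{GRAPH_BASE}/{tenant}/{path_and_query}{sep}api-version={API_VERSION}"


def auth_headers(token):
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def list_users(tenant, token, fetch):
    """GET .../users and follow OData paging. odata.nextLink is relative to the tenant root
    and carries $skiptoken but not api-version, so it is routed through graph_url() again."""
    users, url = [], graph_url(tenant, "users")
    while url:
        page = json.loads(fetch(url, auth_headers(token)))
        users.extend(u["userPrincipalName"] for u in page["value"])
        next_link = page.get("odata.nextLink")
        url = graph_url(tenant, next_link) if next_link else None
    return users


def disable_user_request(tenant, token, upn):
    """PATCH .../users/{upn} with accountEnabled=false: 'block user access' expressed as an
    update of one attribute on the user entity. Returns the request to send."""
    url = graph_url(tenant, f"users/{urllib.parse.quote(upn)}")
    headers = {**auth_headers(token), "Content-Type": "application/json"}
    return "PATCH", url, headers, json.dumps({"accountEnabled": False})


def http_get(url, headers):
    """Real transport (needs network); the demo below injects fake_fetch instead."""
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        return resp.read().decode()


TENANT = "contoso.onmicrosoft.com"   # placeholder tenant
FAKE_SERVER = {   # constructed two-page listing shaped like Graph API OData JSON
    graph_url(TENANT, "users"): json.dumps({
        "value": [{"userPrincipalName": "alice@" + TENANT}],
        "odata.nextLink": "directoryObjects/$/Microsoft.WindowsAzure.ActiveDirectory.User?$skiptoken=X'4453'",
    }),
    graph_url(TENANT, "directoryObjects/$/Microsoft.WindowsAzure.ActiveDirectory.User?$skiptoken=X'4453'"):
        json.dumps({"value": [{"userPrincipalName": "bob@" + TENANT}]}),
}


def fake_fetch(url, headers):
    assert headers["Authorization"].startswith("Bearer "), "every Graph call must carry the bearer token"
    return FAKE_SERVER[url]


if __name__ == "__main__":
    token, ttl = parse_token_response('{"token_type":"Bearer","expires_in":"3599","access_token":"placeholder-token"}')
    print(list_users(TENANT, token, fake_fetch))   # ['alice@contoso.onmicrosoft.com', 'bob@contoso.onmicrosoft.com']
    print(disable_user_request(TENANT, token, "bob@" + TENANT))
```

Swap fake_fetch for http_get (and the placeholders for a real tenant and application registration) to run it against a live tenant; the tenant in the URL path is what keeps every call inside one tenant context, and a token obtained for one tenant is not valid against another.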
12. AAD Key Scenarios
• Many applications, one identity repository.
• Manage access to cloud applications (SaaS apps).
• Monitor and protect access to enterprise applications.
• Personalized access to my applications.
13. Many applications, one identity repository
• Connect and sync Windows Server Active Directory (or other (LDAP) identity infrastructure) with an AAD tenant.
• Preintegrated popular SaaS apps.
• Easily add custom cloud-based apps.
• Facilitate developers with identity management.
[Diagram: Windows Server Active Directory (or other (LDAP) identity infrastructure), SaaS apps, LOB & custom apps and consumer identity providers connected to one AAD tenant]
Identities and applications in one place.
15. Deliver a seamless user authentication experience
Cloud Authentication
• Directory synchronization with password hash sync from Windows Server Active Directory (or other (LDAP) identity infrastructure)
• User attributes are synchronized, including the password hash; authentication is completed against AAD
• Multi-Factor Authentication can be configured through Windows Azure
Federated Authentication
• Directory synchronization from Windows Server Active Directory (or other (LDAP) identity infrastructure), with an on-premises identity provider
• User attributes are synchronized; authentication is passed back through federation and completed against the on-premises identity federation infrastructure
• Multi-Factor Authentication can be configured through the integration with Windows Azure or through another capability
16. Synchronize the identities with LDAP-based directories
The FIM 2010 R2 synchronization engine can be leveraged
• AAD Connector available on Microsoft Connect
  https://connect.microsoft.com/site433/FIM%20Sync%20Connectors
• Generic LDAP v3 (RFC 4510 compliant) Connector Beta available on Microsoft Connect
  • Certain operations, such as delta import, are not specified in the IETF RFCs. Supported directories for delta import and password: OpenLDAP, Novell NDS
  • LDAP referrals between servers (RFC 4511, section 4.1.10) are not supported
  https://connect.microsoft.com/site433/FIM%20Sync%20Connectors
• OpenLDAP Extensible Management Agent (XMA) available on SourceForge
  http://openldap-xma.sourceforge.net/
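The slide notes that delta import is not defined by the LDAP RFCs, so a generic connector has to approximate it. The following is an added illustration of the usual approximation (a watermark on the modifyTimestamp operational attribute), not the FIM connector's own implementation; the entries are constructed search results, the object class and anchor attribute (entryUUID) are assumptions, and the example deliberately shows the two places this approach bites: the boundary second and deletions.

```python
"""Emulating an LDAP 'delta import' against a generic RFC 4510 directory.
Added example, not the FIM connector's implementation: when a directory offers no
changelog, a sync engine can only approximate deltas with a watermark on the
modifyTimestamp operational attribute (RFC 4512). The entries below are constructed
search results, not a live LDAP read."""
from datetime import datetime, timezone


def parse_generalized_time(value):
    """RFC 4517 GeneralizedTime as directories emit it: YYYYMMDDHHMMSS[.fraction]Z.
    Only the UTC 'Z' form is accepted; anything else is refused rather than mis-ordered."""
    if not value.endswith("Z"):
        raise ValueError(f"only UTC GeneralizedTime is handled: {value!r}")
    body, _, fraction = value[:-1].partition(".")
    micro = int((fraction + "000000")[:6]) if fraction else 0
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc, microsecond=micro)


def format_generalized_time(dt):
    """Second granularity, which is what the server compares in the filter."""
    return dt.strftime("%Y%m%d%H%M%SZ")


def delta_filter(watermark, object_class="inetOrgPerson"):
    """Search filter for the delta run. '>=' (not '>') is deliberate: modifyTimestamp has
    one-second granularity, so an entry written in the same second as the watermark but
    after the previous run read it would be lost with a strict comparison."""
    return f"(&(objectClass={object_class})(modifyTimestamp>={format_generalized_time(watermark)}))"


def delta_import(entries, watermark, known_anchors):
    """Classify entries returned by delta_filter() as add/modify, keyed on the immutable
    anchor (entryUUID), and return the next watermark. Re-reading the boundary second is
    harmless because the anchor makes the import idempotent."""
    changes, newest = [], watermark
    for entry in entries:
        stamp = parse_generalized_time(entry["modifyTimestamp"])
        if stamp < watermark:          # what the server would have filtered out
            continue
        kind = "modify" if entry["entryUUID"] in known_anchors else "add"
        changes.append((kind, entry["dn"]))
        newest = max(newest, stamp)
    return changes, newest


def deletions(full_import_anchors, known_anchors):
    """A deleted entry has no modifyTimestamp left to match, so timestamp deltas never see
    deletes; they must be derived by comparing a full import with the known anchors (or
    taken from a server-specific changelog, which the RFCs do not define)."""
    return sorted(known_anchors - full_import_anchors)


# Constructed sample search results (two already known, one new since the last run).
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "entryUUID": "uuid-alice", "modifyTimestamp": "20130401120000Z"},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "entryUUID": "uuid-bob", "modifyTimestamp": "20130415103000Z"},
    {"dn": "uid=carol,ou=people,dc=example,dc=com", "entryUUID": "uuid-carol", "modifyTimestamp": "20130415103000.5Z"},
]
KNOWN_ANCHORS = {"uuid-alice", "uuid-bob"}

if __name__ == "__main__":
    last_run = parse_generalized_time("20130415000000Z")
    print(delta_filter(last_run))
    changes, next_wm = delta_import(SAMPLE_ENTRIES, last_run, KNOWN_ANCHORS)
    print(changes, format_generalized_time(next_wm))
    # A later full import that no longer returns alice is the only way to learn she was deleted.
    print(deletions({"uuid-bob", "uuid-carol"}, KNOWN_ANCHORS | {"uuid-carol"}))
```

This is why a connector that claims delta import for a given server does so only where that server exposes change tracking beyond the RFCs (the slide names OpenLDAP and Novell NDS), and why a periodic full import remains part of any timestamp-based scheme.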
17. Manage access to many cloud applications (SaaS apps)
• Comprehensive identity and access management console.
• Centralized access administration for preintegrated SaaS apps and other Cloud-based apps.
• Secure business processes with advanced access management capabilities.
[Diagram: IT professional managing SaaS apps]
Your cloud apps ready when you are.
21. Monitor and protect access to enterprise apps
• Built-in security features.
• Security reporting that tracks inconsistent access patterns.
• Step up to Multi-Factor Authentication.
Ensure secure access and visibility on usage patterns for SaaS and cloud-hosted LOB applications.
23. Personalized access to my applications
• All assigned SaaS apps in one web page: the Access Panel.
• Single Sign-On experience for all SaaS applications.
• Use the Access Panel from all devices with your existing credentials.
Users can easily access the SaaS apps they need, using their existing credentials.
25. Identities everywhere, accessing everything
[Diagram: Windows Server Active Directory (or other (LDAP) identity infrastructure) at the center, connected to Microsoft apps, custom ISV/CSV apps, LOB apps, 3rd party clouds/hosting, PCs and devices, and consumer identity providers]
26. AAD Key Scenarios
Many applications, one identity repository.
• IdMaaS directory on Windows Azure.
• Connect/synchronize on-premises directories with Windows Azure.
• Provide IdM to new apps (ACS, Graph API, SDKs).
Manage access to cloud applications (SaaS apps).
• Manage users.
• Add Cloud-based applications for SSO.
Monitor and protect access to enterprise applications.
• Built-in security.
• Secure tools for synchronization (DirSync, AAD connector).
• Block user access.
Personalized access to my applications.
27. AAD Key Scenarios (cont’d)
Many applications, one identity repository.
• IdMaaS directory on Windows Azure.
• Connect/synchronize on-premises directories with Windows Azure.
• Provide IdM to new apps (ACS, Graph API, SDKs).
Manage access to cloud applications (SaaS apps).
• Manage users.
• Add Cloud-based applications for SSO.
• Preintegrated popular SaaS applications (Preview).
• Add preintegrated SaaS apps from the gallery for SSO (Preview).
• Add/remove users to top preintegrated SaaS apps (Preview).
Monitor and protect access to enterprise applications.
• Built-in security.
• Secure tools for synchronization (DirSync, AAD connector, etc.).
• Block user access.
• Security reports (Preview).
• Multi-factor authentication.
Personalized access to my applications.
• Single screen with assigned SaaS apps for every user: Access Panel (Preview).
• Single Sign-On for SaaS apps from the Access Panel (Preview).
28. In GA since April 2013
Sign-up for your free AAD tenant and trial Windows Azure account
• https://account.windowsazure.com/organization
29. To Go Beyond
Places to start
• http://www.windowsazure.com/en-us/solutions/identity/
• http://channel9.msdn.com/search?term=directory
Microsoft TechNet Documentation
• http://go.microsoft.com/fwlink/p/?linkid=290967
Microsoft MSDN Documentation
• http://go.microsoft.com/fwlink/p/?linkid=290966
Microsoft Active Directory Team Blog
• http://blogs.msdn.com/b/active_directory_team_blog
Windows Azure Active Directory Graph Team Blog
• http://blogs.msdn.com/aadgraphteam
30. Whitepapers and Step-by-step Guides
• Active Directory from the on-premises to the Cloud
• Office 365 Single Sign-On with AD FS 2.0
• Office 365 Single Sign-On with Shibboleth 2.0
• Office 365 Adapter: Deploying Office 365 Single Sign-On using Windows Azure
Available on the Microsoft Download Center
31. Additional Resources
Windows Azure Trust Center
• A single location where information on security, privacy, and compliance is aggregated
http://www.windowsazure.com/en-us/support/trustcenter/