Windows azure for identity management challenges
Using Windows Azure for Solving
Identity Management Challenges
Seattle Cloud Intelligence Conference
Tuesday, April 17th
About Me
Michael S. Collier
National Architect,
Windows Azure
@MichaelCollier
www.MichaelSCollier.com
Windows Azure Core Components
(Component diagram; labels only: Queue Service, Blob Service, Table Service, Database Service, Data Sync Service, Import Export Service, Reporting Service, Worker Role, Web Role, VM Role, DataMarket Service, Windows Azure Connect, Service Bus, Access Control Service, Cache Service, Windows Azure Traffic Manager)
Windows Azure graphics courtesy of David Pallmann (http://azuredesignpatterns.com)
Traditional Identity Management
• Windows Integrated Authentication (Active Directory)
• Membership Provider
• Proven Approach
• Leverage Windows Identity Foundation (WIF)
Cloud Enabled Applications
(Diagram; labels only: Web Application, Membership Provider, AD, The User, Web Browser, Credentials; Identity Providers: Windows Live ID, Yahoo!, OpenID)
We Have a Problem
• No Active Directory
• Environment not under our physical control
• Disconnected from the enterprise (potentially)
Options
• Social Networks
– They change . . . Often
– The right one?
– Another?
– More work!
• Membership Provider
– SQL Azure
– Table Storage
– Pros
• Mostly known entity
• Migrate existing data
– Cons
• User management
• Security leak
• New
Windows Live ID
Windows Azure Connect
• Secure network connectivity between on-premises and cloud.
• Hybrid apps access to on-premises servers
– App access to SQL Server
– Role domain-joined to AD
• Setup & management
(Diagram; labels only: Enterprise, Windows Azure, Databases, Dev machines, Relay, Role A, Role B, Role C (multiple VMs))
Image courtesy Windows Azure Platform Training Kit
Windows Azure Access Control Service
• No need to build your own identity management solution.
• Authenticate (WIF – OAuth and WS-Federation)
• Claims-based authorization
• Multiple Identity Providers (ADFSv2, Google, Live ID, etc.)
• Ability to bring your own via membership
• The one to rule them all!
• Easy for your users
Key ACS Concepts
• Relying Party (RP): Web application that outsources authentication. The RP trusts that authority. The RP is your app.
• Identity Provider (IP): Authenticates users and issues tokens.
• Token: Digitally signed security data issued after the user is authenticated. Used to gain access to the RP (your app).
• Claim: Attributes about the authenticated user (age, birthdate, email address, name, etc.)
• Federation Provider: Intermediary between the RP and IP. ACS is a Federation Provider.
• STS: Simple Token Service – issues tokens containing claims. ACS is an STS.
Authentication Workflow
(Diagram participants: Browser, Identity Provider, Access Control, Application)
1. Request Resource
2. Redirect to Identity Provider
3. Login
4. Authenticate & Issue Token
5. Redirect to AC service
6. Send Token to ACS
7. Validate Token, Run Rules Engine, Issue Token
8. Redirect to RP with ACS Token
9. Send ACS Token to Relying Party
10. Validate Token
11. Return resource representation
Courtesy Windows Azure Boot Camp
DEMO
Getting Started with ACS
Claims Enrichment
• Identity Providers only provide a few claims
– Windows Live provides just one (Named Identifier)
– Google and Yahoo! provide three (email, name, named identifier)
– ADFSv2
• Add more claims that are known to your application
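Steps 7 and 10 of the workflow and the claims-enrichment idea above, as an added C# example that is not code from the deck: ACS could issue SWT (Simple Web Token) tokens to relying parties, so this model signs a form-encoded token with HMAC-SHA256, runs a pass-through-plus-enrichment rule set, and validates the result the way the RP must. The claim type URIs are the standard WIF ones; the symmetric key, issuer, audience and the role lookup are constructed values.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
static class AcsSwtDemo
{
    const string NameId = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier";
    const string Role = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role";
    // Step 7, rules engine: pass the identity provider's claims through, then add a role claim
    // known only to the application (constructed lookup keyed by the Live ID name identifier).
    public static Dictionary<string, string> RunRules(Dictionary<string, string> inputClaims)
    {
        var output = new Dictionary<string, string>(inputClaims);
        var appRoles = new Dictionary<string, string> { { "liveid-user-0001", "Reader,Editor" } };
        if (inputClaims.TryGetValue(NameId, out var id) && appRoles.TryGetValue(id, out var roles)) output[Role] = roles;
        return output;
    }
    // Step 7, issue: an SWT is form-encoded claims + Issuer/Audience/ExpiresOn, then HMAC-SHA256 over that string.
    public static string IssueSwt(Dictionary<string, string> claims, string issuer, string audience,
                                  byte[] key, DateTimeOffset expires)
    {
        var parts = claims.Select(c => Uri.EscapeDataString(c.Key) + "=" + Uri.EscapeDataString(c.Value)).ToList();
        parts.Add("Issuer=" + Uri.EscapeDataString(issuer));
        parts.Add("Audience=" + Uri.EscapeDataString(audience));
        parts.Add("ExpiresOn=" + expires.ToUnixTimeSeconds());
        string unsigned = string.Join("&", parts);
        byte[] mac = new HMACSHA256(key).ComputeHash(Encoding.UTF8.GetBytes(unsigned));
        return unsigned + "&HMACSHA256=" + Uri.EscapeDataString(Convert.ToBase64String(mac));
    }
    // Step 10, relying party: check the signature first (fixed-time compare), then issuer, audience and expiry.
    public static bool ValidateSwt(string token, string issuer, string audience, byte[] key, DateTimeOffset now)
    {
        int sep = token.LastIndexOf("&HMACSHA256=", StringComparison.Ordinal);
        if (sep < 0) return false;
        string unsigned = token.Substring(0, sep);
        byte[] given = Convert.FromBase64String(Uri.UnescapeDataString(token.Substring(sep + 12)));
        byte[] expected = new HMACSHA256(key).ComputeHash(Encoding.UTF8.GetBytes(unsigned));
        int diff = given.Length ^ expected.Length;
        for (int i = 0; i < given.Length && i < expected.Length; i++) diff |= given[i] ^ expected[i];
        if (diff != 0) return false;   // wrong key, wrong audience key, or tampered claims
        var fields = unsigned.Split('&').Select(p => p.Split(new[] { '=' }, 2))
            .ToDictionary(kv => Uri.UnescapeDataString(kv[0]), kv => Uri.UnescapeDataString(kv[1]));
        return fields.TryGetValue("Issuer", out var iss) && iss == issuer
            && fields.TryGetValue("Audience", out var aud) && aud == audience
            && fields.TryGetValue("ExpiresOn", out var exp) && long.TryParse(exp, out var expSec)
            && now < DateTimeOffset.FromUnixTimeSeconds(expSec);
    }
}
```

Chain the three calls with the identity provider's claims as input (e.g. a dictionary holding only the NameId claim, which is all Windows Live returns): RunRules, then IssueSwt for the RP's audience URI, then ValidateSwt on the RP side; a token replayed against a different audience or past ExpiresOn is rejected even though its signature is intact.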
DEMO
Claims Enrichment
The Impact for Mobile Applications
• Social Networks – Important
– Users likely already have at least one
– Quick and easy signup
– Potential for rapid user base expansion
• NuGet package available for easily adding ACS to a Windows Phone (WP) application
DEMO
Enable ACS on Your Windows Phone Application
Tips & Tricks
• Staging vs. Production
– WIF configuration in web.config
– Staging URL unknown until deployment
– Change WIF configuration in web.config during role startup
    using System;
    using System.Xml.Linq;
    using Microsoft.Web.Administration;
    using Microsoft.WindowsAzure.ServiceRuntime;

    // Called during role startup: rewrites the WIF settings in web.config from the
    // role's ServiceConfiguration values, because the staging URL is not known until deployment.
    private static void UpdateWIFConfiguration()
    {
        try
        {
            using (var server = new ServerManager())
            {
                // This value is defined as part of the ServiceConfiguration/ServiceDefinition file.
                const string siteNameFromServiceModel = "Web";
                string siteName = string.Format("{0}_{1}", RoleEnvironment.CurrentRoleInstance.Id, siteNameFromServiceModel);
                string configFilePath = server.Sites[siteName].Applications[0].VirtualDirectories[0].PhysicalPath + "\\web.config";
                XElement element = XElement.Load(configFilePath);
                string setting;
                if (!(String.IsNullOrEmpty(setting = RoleEnvironment.GetConfigurationSettingValue("ACS.AudienceUri"))))
                    element.Element("microsoft.identityModel").Element("service").Element("audienceUris").Element("add").Attribute("value").Value = setting;
                // . . . Do for each WIF configuration parameter (issuer, realm, thumbprint, etc.)
                element.Save(configFilePath);
            }
        }
        catch (Exception ex)
        {
            // Need a safe place to log this. Windows Event Log?
        }
    }
See Vittorio Bertocci’s blog post at http://blogs.msdn.com/b/vbertocci/archive/2011/05/31/edit-and-apply-new-wif-s-config-settings-in-your-windows-azure-webrole-without-redeploying.aspx
Tips & Tricks
• Cookie Encryption
– DPAPI used to protect cookies sent to the client.
– DPAPI not supported in Windows Azure
– Use RsaEncryptionCookieTransform to encrypt with the same cert used for SSL.
Tips & Tricks
• Development Certificate
• Customize the login experience
• User registration
• Require authentication for only part of the site
Gotchas
• Single sign-out not currently supported
• Co-admin cannot administer an ACS namespace
• WIF not installed on Windows Azure roles
– Microsoft.IdentityModel CopyLocal = true
– Install WIF via a startup task
Summary
• Identity in the cloud is hard
– Many external islands of identity
– Current technology hard or not interoperable
• ACS provides standards-based approach
– Integrates with Windows Identity Foundation
– Claims-based authorization
– Support for ADFSv2, Google, Live ID, Yahoo!, & Facebook
• Enrich functionality using WIF
• OData API and portal for management
Resources
• Windows Azure ACS Guide – http://www.windowsazure.com/en-us/develop/net/how-to-guides/access-control/#config-trust
• Programming Windows Identity Foundation, Vittorio Bertocci
• “Claims-Based Authorization with WIF”, Michele Bustamante – http://msdn.microsoft.com/en-us/magazine/ee335707.aspx
• ACS Cheat Sheet - http://bit.ly/ACSCheatSheet
• ACS How To’s - http://bit.ly/ACSHowTo
• ACS Tips - http://bit.ly/HYhxjY
• Publishing an ACS v2 Federated Identity Web Role - http://bit.ly/HPT6rk
Get the Bits!
http://bit.ly/AzureSDKMC
http://bit.ly/AzureTrialMC
Thank You
• Your feedback is important!
• Please fill out and return the survey – you’ll get a copy of today’s decks.
@MichaelCollier
www.MichaelSCollier.com