Windows Azure Active Directory (Identity) Overview

Page 1: Windows Azure Active Directory (Identity) Overview

Windows Azure Active Directory

90 Day Free Trial: http://aka.ms/vs4rdw

Page 2: Windows Azure Active Directory (Identity) Overview

Microsoft approach: hybrid cloud

Public | Common technologies: Identity ▪ Virtualization ▪ Management ▪ Development | Private

Broad & deep array of solutions enables customers to use the cloud in their own way, at their own pace

Page 3: Windows Azure Active Directory (Identity) Overview

What if we could?

RESPONDING to the needs for interoperability, social networking, flexibility, and simplicity

REINVENTED for the cloud with modern protocols

PROVIDE the enterprise capabilities of Active Directory

Page 4: Windows Azure Active Directory (Identity) Overview

Windows Azure Active Directory is a modern cloud service providing identity management and access control capabilities to cloud applications.

Page 5: Windows Azure Active Directory (Identity) Overview

Identity Solution: Cloud Single Sign-on with Access Control

Diagram labels: Windows Live ID · On-Premises Active Directory · ADFS 2.0 · Third Party Apps · Windows Azure Active Directory · Microsoft Apps · Your Apps

Page 6: Windows Azure Active Directory (Identity) Overview

Active Directory in IaaS

• Through Virtual Networking connectivity, on-premises Active Directory allows domain join and single sign-on for applications in Azure

• Windows Server Active Directory can now be hosted in a Virtual Machine in Windows Azure to support SharePoint or SQL Server and for performance and redundancy

Diagram labels: On-premises subnets (DC, DNS, Active Directory) · Persistent VM Roles in Windows Azure (DC, DNS, Active Directory · SQL · SharePoint)

Page 7: Windows Azure Active Directory (Identity) Overview

Windows Azure Active Directory

Windows Azure Authentication Library: developer library to make authentication in Azure apps easy

Windows Azure AD Graph: developer RESTful API for the cloud directory

Windows Azure AD Access Control: centralized authentication and authorization hub

Windows Azure AD Directory: cloud-based identity store / provider

Page 8: Windows Azure Active Directory (Identity) Overview

Access Control

WHAT IT IS: Claims-based, federated authorization management service

WHAT IT DOES: Simplify user access authorization across organizations and ID providers; perform claims transformation to map identities with access levels

USE IT TO: Secure Service Bus communications; secure web services; secure web applications

Page 9: Windows Azure Active Directory (Identity) Overview

Identity Challenges

User: doesn’t want to use a different identity for every app

Developer: doesn’t want to write code to support multiple identity providers

Administrator: wants to easily grant access to apps to Active Directory identities

Diagram labels: Active Directory · Cloud App

Page 10: Windows Azure Active Directory (Identity) Overview

Identity Solution: Cloud Single Sign-on with Access Control

User: can use his preferred Identity Provider

Developer: writes one set of code to accommodate multiple Identity Providers

Administrator: grants access to all AD users by establishing trust between AD and ACS

Diagram labels: Access Control · Active Directory · ADFS 2.0

Page 11: Windows Azure Active Directory (Identity) Overview

Directory

WHAT IT IS: A multi-tenant cloud directory

WHAT IT DOES: Stores identities, group and role information that can be used for authentication and authorization

USE IT TO: Control access to Microsoft online services such as Office 365, Dynamics CRM Online and Windows Intune, as well as Windows Azure applications, for a true single sign-on experience

Page 12: Windows Azure Active Directory (Identity) Overview

Directory

• Cloud authentication, authorization multi-tenant directory for Microsoft and 3rd party cloud services

• “Organization-owned” identity provider

• Easily federates and synchronizes with on-premises AD

• Central “hub” to provision/de-provision/manage users and their computers/devices

• Support for multi-factor authentication

PREVIEW IN JULY: User accounts in Windows Azure AD can access Azure and 3rd party applications with a simple configuration through Windows Azure AD Access Control

Currently requires Office 365, Dynamics online, or InTune. Will open up later to general Azure usage.

Diagram label: SAML

Page 13: Windows Azure Active Directory (Identity) Overview

Graph

WHAT IT IS: An enterprise social graph service

WHAT IT DOES: Provides a way for applications to query the Directory and other sources for identity information and relationships, to provide a richer experience for users

USE IT TO: Build social enterprise apps

Page 14: Windows Azure Active Directory (Identity) Overview

Windows Azure AD Graph (PREVIEW IN JULY)

New enterprise social graph for Active Directory: REST interfaces and explorer to read and modify – secure and easy

Enterprise people picker for applications

Extensible AD graph – links to external resources enabling discovery – enables an “enterprise social graph”

Applications publish information in Windows Azure AD

RESTful interface supporting OAuth, JSON and OData

Page 15: Windows Azure Active Directory (Identity) Overview

Windows Azure Authentication Library

WHAT IT IS: A developer library

WHAT IT DOES: Provides a way for developers to easily take advantage of Windows Azure AD from their rich client applications and services

USE IT TO: Add authentication capabilities to your rich client applications; authenticate incoming calls to your services

Page 16: Windows Azure Active Directory (Identity) Overview

Windows Azure Authentication Library (PREVIEW IN JULY)

New library for helping developers to authenticate against Windows Azure AD

First release supports rich clients and services; web pages will follow in the near future

First release on .NET: Node.JS, Java, PHP will follow

Rich clients:

• Add authentication experiences for users from AAD, ADFS2 and any other IdP type supported by AAD with as little as two lines of code

Services:

• Easily add validation logic in just a few lines of code

Page 17: Windows Azure Active Directory (Identity) Overview

Scenarios

Windows Azure Active Directory enables:

• Single sign-on across all your cloud applications

• Build social enterprise apps in the cloud

• Build secure applications that integrate with multiple web identity providers

Page 18: Windows Azure Active Directory (Identity) Overview

For ISVs and organizations of all sizes

Enterprises

• Centralized policy and access control

• Single sign-on for users to Microsoft and 3rd party applications running in the cloud

• Easy administration – sync and federate to on-prem AD

ISVs

• Deliver SaaS solutions in Azure with single sign-on from users in Windows Azure AD (Office 365)

• Write applications using a new enterprise social graph

Small Business

• Provide access control with no on-prem identity infrastructure required

• Easy to use with little IT skills required

Page 19: Windows Azure Active Directory (Identity) Overview

How it works

Parties: Access Control, your service, and the customer

0. Establish trust via key exchange

1. Define access control rules

2. Request token (pass input claims)

3. Map input claims to output claims based on access control rules

4. Return token (receive output claims)

5. Send message with token

6. Process token
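The seven steps above, played through as an added simulation in Python. This is not Microsoft's Access Control Service code or any Windows Azure SDK; the shared key, the rule set, the claim names and the token format (base64url JSON body plus an HMAC-SHA256 signature) are all constructed for the example. It shows the part a relying party actually has to get right: rules map input claims to output claims (step 3), the token is issued under the key agreed in step 0 (step 4), and your service accepts the claims only after checking signature, audience and expiry (step 6).

```python
import base64
import hashlib
import hmac
import json
import time

# Step 0 (constructed): the shared key your service and the access control
# service agree on out of band. A real deployment exchanges a signing key or
# certificate; this fixed byte string exists only for the example.
SHARED_KEY = b"example-shared-key-do-not-reuse"
AUDIENCE = "urn:example:your-service"  # constructed relying-party identifier

# Step 1 (constructed): access control rules. in_value None matches any value
# of in_type; out_value None copies the input value through unchanged.
RULES = [
    {"in_type": "email", "in_value": None, "out_type": "email", "out_value": None},
    {"in_type": "groups", "in_value": "Admins", "out_type": "role", "out_value": "approver"},
    {"in_type": "groups", "in_value": None, "out_type": "role", "out_value": "reader"},
]


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def map_claims(input_claims, rules):
    """Step 3: turn the identity provider's input claims into output claims."""
    output = []
    for claim_type, value in input_claims:
        for rule in rules:
            if rule["in_type"] != claim_type:
                continue
            if rule["in_value"] is not None and rule["in_value"] != value:
                continue
            out_value = value if rule["out_value"] is None else rule["out_value"]
            pair = (rule["out_type"], out_value)
            if pair not in output:  # each output claim is issued once
                output.append(pair)
    return output


def issue_token(output_claims, key, audience, ttl=300, now=None):
    """Step 4: return a signed token carrying the output claims."""
    now = time.time() if now is None else now
    payload = {"aud": audience, "exp": int(now + ttl), "claims": output_claims}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64url(body) + "." + _b64url(sig)


def verify_token(token, key, audience, now=None):
    """Step 6: check signature, audience and expiry before trusting any claim."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    body = _unb64url(body_b64)
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")  # not issued under the trusted key
    payload = json.loads(body)
    if payload.get("aud") != audience:
        raise ValueError("token issued for another audience")
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return [tuple(c) for c in payload["claims"]]


def run_flow(now=1_000_000):
    """Steps 2 to 6 end to end for one constructed customer sign-in."""
    input_claims = [("email", "alice@example.test"), ("groups", "Admins"), ("groups", "Staff")]
    output_claims = map_claims(input_claims, RULES)            # step 3
    token = issue_token(output_claims, SHARED_KEY, AUDIENCE, now=now)  # step 4
    return verify_token(token, SHARED_KEY, AUDIENCE, now=now + 60)    # steps 5-6


if __name__ == "__main__":
    print(run_flow())
```

The order of checks in `verify_token` is deliberate: the signature is verified before the body is parsed, so an unsigned or re-signed token never reaches the audience and expiry logic, and `hmac.compare_digest` keeps the comparison constant-time. Audience checking is what stops a token minted for one relying party from being replayed at another, which is the reason the customer's "send message with token" in step 5 can be trusted by your service in step 6.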

Page 20: Windows Azure Active Directory (Identity) Overview

Roadmap and Timeline

Now: Access Control GA

July 2012: Preview – SSO against Directory, Graph API, WAAL

Q4 CY12: GA – SSO against Directory, Graph API, WAAL; Windows Azure Portal uses WA AD for authentication and authorization

Page 21: Windows Azure Active Directory (Identity) Overview

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

90 Day Free Trial: http://aka.ms/vs4rdw