Using Windows Azure for Solving Identity Management Challenges

DESCRIPTION

Identity management for cloud-deployed applications can be a challenge. Often users will want to leverage an existing social network or corporate identity. Now we have to worry about dealing with multiple APIs, any updates to those APIs, or the addition of new identity providers. Windows Azure Access Control Service (ACS) offers a better way! ACS allows for federated user authentication via popular social networks and Active Directory. In this session we’ll provide a crash course in claims as they relate to identity management. We’ll discuss why claims are important and how to add additional claims beyond what is provided by the identity providers. We’ll also demonstrate how to configure ACS for development as well as production environments. We’ll wrap up by showing you how to bring your new-found love of claims and ACS to your mobile applications as well.

Page 1: Using Windows Azure for Solving Identity Management Challenges

Using Windows Azure for Solving Identity Management Challenges

Page 2

About Me

Michael S. Collier

National Architect,

Windows Azure

[email protected]

@MichaelCollier

www.MichaelSCollier.com

http://www.slideshare.net/buckeye01

Page 3

Traditional Identity Management

• Windows Integrated Authentication (Active Directory)
• Membership Provider
• Proven approach
• Leverage Windows Identity Foundation (WIF)

Page 4

We Have a Problem

• No Active Directory
• Environment not under our physical control
• Disconnected from the enterprise (potentially)

Page 5

Windows Azure Connect

• Secure network connectivity between on-premises and cloud.
• Hybrid apps access to on-premises servers
  – App access to SQL Server
  – Role domain-joined to AD
• Setup & management

[Diagram: Enterprise (databases, dev machines) connected through a relay to Windows Azure roles (Role A, Role B, Role C with multiple VMs). Image courtesy Windows Azure Platform Training Kit]

Page 6

Windows Azure Virtual Network

[Diagram: Corp Network (IIS Servers, AD / DNS, SQL Servers, S2S VPN Device) connected over a Site-to-Site VPN Tunnel to Windows Azure (IIS Servers, SQL Servers). Image courtesy of the Windows Azure Training Kit]

Currently in Preview

Page 7

Options

• Social Networks
  – They change . . . often
  – The right one?
  – Another?
  – More work!
• Membership Provider
  – SQL Azure
  – Table Storage
  – Pros
    • Mostly known entity
    • Migrate existing data
  – Cons
    • User management
    • Security leak
    • New

[Logos: Windows Live ID, Google, Facebook, Yahoo!, Twitter, LinkedIn]

Page 8

Windows Azure Access Control Service

• No need to build your own identity management solution.
• Authenticate (WIF – OAuth and WS-Federation)
• Claims-based authorization
• Multiple Identity Providers (ADFSv2, Google, Live ID, etc.)
• Ability to bring your own via membership
• One to rule them all!
• Easy for your users

Page 9

Key ACS Concepts

• Relying Party (RP): Web application that outsources authentication. The RP trusts that authority. The RP is your app.
• Identity Provider (IP): Authenticates users and issues tokens.
• Token: Digitally signed security data issued after the user is authenticated. Used to gain access to the RP (your app).
• Claim: Attributes about the authenticated user (age, birthdate, email address, name, etc.)
• Federation Provider: Intermediary between the RP and IP. ACS is a Federation Provider.
• STS: Simple Token Service – issues tokens containing claims. ACS is an STS.

Page 10

Authentication Workflow

Participants: Browser, Identity Provider, Access Control, Application

1. Request Resource
2. Redirect to Identity Provider
3. Login
4. Authenticate & Issue Token
5. Redirect to AC service
6. Send Token to ACS
7. Validate Token, Run Rules Engine, Issue Token
8. Redirect to RP with ACS Token
9. Send ACS Token to Relying Party
10. Validate Token
11. Return resource representation

Courtesy Windows Azure Boot Camp
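The concepts on the previous slide and steps 4, 7 and 10 of this workflow, as an added toy model that is not code from the deck or from ACS: real ACS issues SAML or SWT tokens over WS-Federation, whereas here a token is an "issuer|audience|claims.signature" string with an HMAC-SHA256 signature. The keys, realm, claim names and the mapping rule are constructed for the illustration. What it shows is the trust chain: the IdP token is addressed to ACS, ACS validates it and issues its own token for the relying party, and the relying party accepts only tokens signed by ACS for its realm.

```csharp
// Added illustration (not from the deck): a toy model of the ACS token flow.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

sealed class Token
{
    public string Issuer;                                   // who signed it
    public string Audience;                                 // who it was issued for
    public Dictionary<string, string> Claims = new Dictionary<string, string>();
}

static class TokenCodec
{
    public static string Sign(Token t, byte[] key)
    {
        string body = t.Issuer + "|" + t.Audience + "|" +
                      string.Join(";", t.Claims.Select(c => c.Key + "=" + c.Value));
        return body + "." + Mac(body, key);
    }

    // Returns null unless the signature verifies under `key` AND the audience is the one
    // this verifier expects; a perfectly valid token meant for someone else is rejected.
    public static Token Validate(string raw, byte[] key, string expectedAudience)
    {
        int dot = raw.LastIndexOf('.');
        if (dot < 0) return null;
        string body = raw.Substring(0, dot);
        if (!FixedTimeEquals(Mac(body, key), raw.Substring(dot + 1))) return null;

        string[] parts = body.Split('|');
        if (parts.Length != 3 || parts[1] != expectedAudience) return null;

        var t = new Token { Issuer = parts[0], Audience = parts[1] };
        foreach (string kv in parts[2].Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = kv.IndexOf('=');
            t.Claims[kv.Substring(0, eq)] = kv.Substring(eq + 1);
        }
        return t;
    }

    static string Mac(string s, byte[] key)
    {
        using (var h = new HMACSHA256(key))
            return Convert.ToBase64String(h.ComputeHash(Encoding.UTF8.GetBytes(s)));
    }

    static bool FixedTimeEquals(string a, string b)   // do not leak where the MAC differs
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

static class Demo
{
    static readonly byte[] IdpKey = Encoding.UTF8.GetBytes("constructed-idp-signing-key");
    static readonly byte[] AcsKey = Encoding.UTF8.GetBytes("constructed-acs-signing-key");
    const string RpRealm = "https://rp.example/";            // placeholder relying-party realm

    // Step 7: ACS validates the IdP token, runs its rules, and issues its own token for the RP.
    static string AcsIssue(string idpToken)
    {
        Token incoming = TokenCodec.Validate(idpToken, IdpKey, "urn:acs");
        if (incoming == null) throw new InvalidOperationException("IdP token rejected");

        var outgoing = new Token { Issuer = "acs", Audience = RpRealm };
        foreach (var c in incoming.Claims) outgoing.Claims[c.Key] = c.Value;   // pass-through rules
        outgoing.Claims["identityprovider"] = incoming.Issuer;                 // ACS records the IdP
        if (incoming.Claims.TryGetValue("emailaddress", out string email)
            && email.EndsWith("@contoso.example", StringComparison.OrdinalIgnoreCase))
            outgoing.Claims["role"] = "Employee";                              // constructed mapping rule
        return TokenCodec.Sign(outgoing, AcsKey);
    }

    static void Main()
    {
        // Step 4: the IdP authenticates the user and issues a token addressed to ACS.
        string idpToken = TokenCodec.Sign(new Token
        {
            Issuer = "google", Audience = "urn:acs",
            Claims = { ["emailaddress"] = "alice@contoso.example", ["name"] = "Alice" }
        }, IdpKey);

        string acsToken = AcsIssue(idpToken);                                   // step 7

        // Step 10: the RP trusts only ACS, so it validates with the ACS key and its own realm.
        Token accepted = TokenCodec.Validate(acsToken, AcsKey, RpRealm);
        Console.WriteLine(accepted.Claims["role"] + " via " + accepted.Claims["identityprovider"]);

        // A token straight from the IdP is not an ACS token: the RP rejects it.
        Console.WriteLine(TokenCodec.Validate(idpToken, AcsKey, RpRealm) == null ? "rejected" : "accepted");
    }
}
```

The audience check in `Validate` is the part most often skipped in home-grown token handling; without it a token issued for one relying party would be accepted by another that trusts the same issuer. WIF enforces the same idea through the `audienceUris` element in web.config.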

Page 11

DEMO: Getting Started with ACS

Page 12

Claims Enrichment

• Identity Providers only provide a few claims
  – Windows Live provides just one (Name Identifier)
  – Google and Yahoo! provide three (email, name, name identifier)
  – Facebook
  – ADFSv2
• Add more claims that are known to your application
  – ClaimsAuthenticationManager
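An added example of the ClaimsAuthenticationManager approach named above (WIF 3.5, Microsoft.IdentityModel); it is not code from the deck. The MyApp namespace, the class name and the in-memory user store are hypothetical; it would be registered in web.config under microsoft.identityModel/service as a claimsAuthenticationManager element with type="MyApp.EnrichingClaimsAuthenticationManager, MyApp". The point it adds to the slide: because Live ID gives only a name identifier and each provider has its own identifier space, the lookup is keyed on the identity provider claim ACS adds plus the name identifier, never the name identifier alone.

```csharp
// Added example (not from the deck): enrich the ACS-issued principal with application roles.
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;

namespace MyApp   // hypothetical namespace
{
    public class EnrichingClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        // Claim type ACS adds to say which identity provider authenticated the user.
        const string IdentityProviderClaim =
            "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

        // Constructed stand-in for the application's user store, keyed on
        // "<identity provider>|<name identifier>" because identifiers are only unique per provider.
        static readonly Dictionary<string, string[]> RolesByUser = new Dictionary<string, string[]>
        {
            { "Google|constructed-google-nameid-1", new[] { "Member", "Moderator" } },
            { "uri:WindowsLiveID|constructed-liveid-nameid-2", new[] { "Member" } },
        };

        public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
        {
            // Anonymous requests also pass through here (pages that don't require authentication).
            if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
                return incomingPrincipal;

            var identity = (IClaimsIdentity)incomingPrincipal.Identity;
            string nameId = ClaimValue(identity, ClaimTypes.NameIdentifier);
            string idp = ClaimValue(identity, IdentityProviderClaim);
            if (nameId == null || idp == null)
                return incomingPrincipal;   // not the shape ACS issues; add nothing

            string[] roles;
            if (RolesByUser.TryGetValue(idp + "|" + nameId, out roles))
            {
                foreach (string role in roles)
                    // The issuer marks these as the application's own claims, so code can tell
                    // them apart from claims that came from ACS or the identity provider.
                    identity.Claims.Add(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, "MyApp"));
            }
            return incomingPrincipal;
        }

        static string ClaimValue(IClaimsIdentity identity, string type)
        {
            Claim c = identity.Claims.FirstOrDefault(x => x.ClaimType == type);
            return c == null ? null : c.Value;
        }
    }
}
```

WIF runs this once at sign-in and writes the resulting principal into the session token, so the added role claims ride in the session cookie until it expires; a role change in the user store takes effect only at the next sign-in unless the session is invalidated.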

Page 13

DEMO: Claims Enrichment

Page 14

Tips & Tricks

• WIF relies on the web.config file
• URLs related to the site are set in the web.config . . . can’t change
• Problematic for staging deployments – don’t know the URL until deployed
• Add logic to WebRole’s OnStart() to update the WIF settings in web.config
  – Read in configuration settings from .cscfg
  – Update and save the web.config
  – Changing .cscfg settings can cause a role recycle . . . causing web.config to update

Page 15

Tips & Tricks

• Staging vs. Production
  – WIF configuration in web.config
  – Staging URL unknown until deployment
  – Change WIF configuration in web.config during role startup

See Vittorio Bertocci’s blog post at http://blogs.msdn.com/b/vbertocci/archive/2011/05/31/edit-and-apply-new-wif-s-config-settings-in-your-windows-azure-webrole-without-redeploying.aspx
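The OnStart technique from this slide and the previous one, as an added example that is not code from the deck (the approach follows the Bertocci post linked above). The .cscfg setting names with the "Wif." prefix and the web.config path under the role root are assumptions; writing to web.config there requires the role to run with Runtime executionContext="elevated" in the service definition.

```csharp
// Added example (not from the deck): rewrite WIF realm/reply/audience from .cscfg at role start.
using System;
using System.IO;
using System.Linq;
using System.Xml.Linq;
using Microsoft.WindowsAzure.ServiceRuntime;

public class WebRole : RoleEntryPoint
{
    public override bool OnStart()
    {
        // A changed WIF setting in .cscfg requests a recycle so OnStart re-applies it.
        RoleEnvironment.Changing += (sender, e) =>
        {
            bool wifChanged = e.Changes
                .OfType<RoleEnvironmentConfigurationSettingChange>()
                .Any(c => c.ConfigurationSettingName.StartsWith("Wif."));   // assumed setting prefix
            if (wifChanged) e.Cancel = true;   // Cancel = true means "recycle this instance"
        };

        ApplyWifSettings();
        return base.OnStart();
    }

    static void ApplyWifSettings()
    {
        string realm = RoleEnvironment.GetConfigurationSettingValue("Wif.Realm");   // assumed names
        string reply = RoleEnvironment.GetConfigurationSettingValue("Wif.Reply");

        // Assumed location of the site's web.config for a web role hosted in full IIS.
        string path = Path.Combine(Environment.GetEnvironmentVariable("RoleRoot") + @"\",
                                   @"sitesroot\0\web.config");
        XDocument config = XDocument.Load(path);
        XElement service = config.Root.Element("microsoft.identityModel").Element("service");

        XElement wsFederation = service.Element("federatedAuthentication").Element("wsFederation");
        wsFederation.SetAttributeValue("realm", realm);
        wsFederation.SetAttributeValue("reply", reply);

        // The realm must also be an accepted audience, or WIF rejects the token
        // (AudienceUriValidationFailedException) even though ACS issued it for this realm.
        XElement audiences = service.Element("audienceUris");
        audiences.RemoveNodes();
        audiences.Add(new XElement("add", new XAttribute("value", realm)));

        config.Save(path);
    }
}
```

The other half of the change lives in ACS: the relying party registered there must list the same realm and return URL, otherwise ACS refuses to issue or redirect. That can be done in the portal or, as the summary slide notes, through the ACS management API, which is what makes a fresh staging URL workable without a redeploy.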

Page 16

Tips & Tricks

• Cookie Encryption
  – DPAPI used to protect cookies sent to the client.
  – DPAPI not supported in Windows Azure
  – Use RsaEncryptionCookieTransform to encrypt with the same cert used for SSL.
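The RsaEncryptionCookieTransform swap from this slide, as an added example that is not code from the deck. It wires into Global.asax.cs for WIF 3.5 and uses the certificate configured under microsoft.identityModel/service/serviceCertificate, assumed here to be the same certificate bound for SSL on the role and present with its private key.

```csharp
// Added example (not from the deck): protect WIF session cookies with RSA transforms
// keyed to the service certificate instead of the per-machine DPAPI key.
using System;
using System.Collections.Generic;
using System.Web;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

public class Global : HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
    }

    static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        var cert = e.ServiceConfiguration.ServiceCertificate;   // from <serviceCertificate> in web.config
        if (cert == null || !cert.HasPrivateKey)
            throw new InvalidOperationException("WIF service certificate with private key is required");

        // Deflate, then encrypt, then sign. Every instance that holds this certificate can
        // decrypt and verify the cookie, so a session started on one instance survives
        // being load-balanced to another.
        var transforms = new List<CookieTransform>
        {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(cert),
            new RsaSignatureCookieTransform(cert),
        };
        var sessionHandler = new SessionSecurityTokenHandler(transforms.AsReadOnly());
        e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
    }
}
```

The certificate's private key must be readable by the IIS application pool identity on each instance; the usual symptom of a missing key is a cryptographic exception the first time a session cookie is written, not at startup.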

Page 17

Tips & Tricks

Page 18

Tips & Tricks

• Change request validation
  – Use ASP.NET 2 request validation
  – Custom validator

Page 20

Tips & Tricks

• Development Certificate

• Customize the login experience

• User registration

• Require authentication for only part of the site

Page 21

Gotchas

• Single sign-out not currently supported
  – Provide a sign-out link for the specific Identity Provider
• Windows Azure co-admin cannot administer an ACS namespace
  – Add Live ID, WAAD, Google, etc.
• WIF not installed on Windows Azure roles
  – Microsoft.IdentityModel CopyLocal = true
  – Install WIF via a startup task (recommended)

Page 22

The Impact for Mobile Applications

• Social Networks – Important
  – Users likely already have at least one
  – Quick and easy signup
  – Potential for rapid user base expansion
• NuGet package available for easy add to WP application
  – Install-Package Phone.Identity.AccessControl.BasePage

Page 23

DEMO: Enable ACS on Your Windows Phone Application

Page 24

Windows Azure Active Directory

• Extends AD into the cloud
• Primarily for cloud applications
• Connect from any device and platform
  – RESTful access to the directory
  – XML or JSON
• Social providers or organizations
• Can sync or federate on-premises AD to cloud
• Currently need Office 365. WAAD is in Developer Preview mode – tread lightly.

Page 25

Summary

• Traditional identity management in the cloud is hard
  – Many external islands of identity
  – Current technology hard or not interoperable
• ACS provides a standards-based approach
  – Integrates with Windows Identity Foundation
  – Claims-based authorization
  – Built-in support for ADFSv2, Google, Live ID, Yahoo!, & Facebook

• Enrich functionality using WIF

• OData API and portal for management

Page 26

Resources

• Windows Azure ACS Guide– http://www.windowsazure.com/en-us/develop/net/how-to-guides/access-control/#config-trust

• Programming Windows Identity Foundation, Vittorio Bertocci

• “Claims-Based Authorization with WIF”, Michele Bustamante– http://msdn.microsoft.com/en-us/magazine/ee335707.aspx

• ACS Cheat Sheet - http://bit.ly/ACSCheatSheet

• ACS How To’s - http://bit.ly/ACSHowTo

• ACS Tips - http://bit.ly/HYhxjY

• Publishing an ACS v2 Federated Identity Web Role - http://bit.ly/HPT6rk

Page 27

How to Get Started

WindowsAzure.com – 90 days free!

http://bit.ly/MikeAzureTrial

Activate MSDN benefits

Install SDK via Web PI

Windows Azure Training Kit

Windows Azure Developer Center

Page 28

Q & A

Ask your questions