Identity management for cloud deployed applications can be a challenge. Often users will want to leverage an existing social network or corporate identity. Now we have to worry about dealing with multiple APIs, any updates to those APIs, or the addition of new identity providers. Windows Azure Access Control Services offers a better way! ACS allows for federated user authentication via popular social networks and Active Directory. In this session we’ll provide a crash course in claims as they relate to identity management. We’ll discuss why claims are important and how to add additional claims beyond what is provided by the identity providers. We’ll also demonstrate how to configure ACS for development, as well as production environments. We’ll wrap up by showing you how to bring your newfound love of claims and ACS to your mobile applications as well.
2. About Me
Michael S. Collier
National Architect,
Windows Azure
michael.collier@neudesic.com
@MichaelCollier
www.MichaelSCollier.com
http://www.slideshare.net/buckeye01
3. Traditional Identity Management
• Windows Integrated Authentication (Active Directory)
• Membership Provider
• Proven Approach
• Leverage Windows Identity Foundation (WIF)
4. We Have a Problem
• No Active Directory
• Environment not under our physical control
• Disconnected from the enterprise (potentially)
5. Windows Azure Connect
• Secure network connectivity between on-premises and cloud
• Hybrid apps access to on-premises servers
– App access to SQL Server
– Role domain-joined to AD
• Setup & management
[Diagram: Windows Azure roles (Role A, Role B, Role C with multiple VM’s) connected through a Relay to the enterprise’s dev machines and databases. Image courtesy Windows Azure Platform Training Kit]
6. Windows Azure Virtual Network
[Diagram: Site-to-Site VPN Tunnel between Windows Azure and the on-premises network. Currently in Preview. Image courtesy of the Windows Azure Training Kit]
7. Options
• Social Networks
– They change . . . Often
– The right one?
– Another?
– More work!
• Membership Provider
– SQL Azure
– Table Storage
– Pros
• Mostly known entity
• Migrate existing data
– Cons
• User management
• Security leak
• Windows Live ID
– New
8. Windows Azure Access Control Service
• No need to build your own identity management solution.
• Authenticate (WIF – OAuth and WS-Federation)
• Claims-based authorization
• Multiple Identity Providers (ADFSv2, Google, Live ID, etc.)
• Ability to bring your own via membership
• One to rule them all!
• Easy for your users
9. Key ACS Concepts
• Relying Party (RP): Web application that outsources authentication. The RP trusts that authority. The RP is your app.
• Identity Provider (IP): Authenticates users and issues tokens
• Token: Digitally signed security data issued after user authenticated. Used to gain access to the RP (your app).
• Claim: Attributes about the authenticated user (age, birthdate, email address, name, etc.)
• Federation Provider: Intermediary between the RP and IP. ACS is a Federation Provider.
• STS: Simple Token Service – issues tokens containing claims. ACS is an STS
10. Authentication Workflow
Actors: Browser, Application (Relying Party), Identity Provider, Access Control service. Steps in order:
1. Request Resource (browser to application)
2. Redirect to Identity Provider
3. Login
4. Authenticate & Issue Token
5. Redirect to AC service
6. Send Token to ACS
7. Validate Token, Run Rules Engine, Issue Token
8. Redirect to RP with ACS Token
9. Send ACS Token to Relying Party
10. Validate Token (at the Relying Party)
11. Return resource representation
Courtesy Windows Azure Boot Camp
12. Claims Enrichment
• Identity Providers only provide a few claims
– Windows Live provides just one (Named Identifier)
– Google and Yahoo! provide three (email, name, named identifier)
– Facebook
– ADFSv2
• Add more claims that are known to your application
– ClaimsAuthenticationManager
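As an added illustration (not code from the deck), this is how a ClaimsAuthenticationManager override adds application-known claims on top of the few that ACS forwards from the identity provider. The class name, the LookupRole helper, the "LocalAuthority" issuer string and the web.config registration path are assumptions; the WIF 1.0 (Microsoft.IdentityModel) types are real.

```csharp
using System;
using System.Linq;
using Microsoft.IdentityModel.Claims;

// Invoked by WIF once the ACS token has been validated; the principal returned
// here is what the application sees (HttpContext.Current.User).
public class EnrichingClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
        {
            return incomingPrincipal; // anonymous request: nothing to enrich
        }

        var identity = (IClaimsIdentity)incomingPrincipal.Identity;

        // Live ID sends only the name identifier; Google and Yahoo! add email and name.
        Claim nameId = identity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.NameIdentifier);
        if (nameId == null)
        {
            throw new InvalidOperationException("Token carries no name identifier claim.");
        }

        // Role claims are owned by the application. Any role claim that arrived from
        // outside is dropped so an identity provider cannot grant itself rights here.
        foreach (Claim external in identity.Claims.Where(c => c.ClaimType == ClaimTypes.Role).ToList())
        {
            identity.Claims.Remove(external);
        }

        // Look the user up by (issuer, name identifier): the same identifier value
        // issued by two different providers belongs to two different people.
        string role = LookupRole(nameId.Issuer, nameId.Value);
        identity.Claims.Add(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, "LocalAuthority"));

        return incomingPrincipal;
    }

    // Hypothetical lookup in the application's own user store (SQL Azure,
    // table storage, ...); the fixed return value stands in for real data access.
    private static string LookupRole(string issuer, string nameIdentifier)
    {
        return "User";
    }
}

// Registration in web.config, inside <microsoft.identityModel><service>:
//   <claimsAuthenticationManager type="MyApp.EnrichingClaimsAuthenticationManager, MyApp" />
```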
14. Tips & Tricks
• WIF relies on the web.config file
• URLs related to the site are set in the web.config . . . can’t change
• Problematic for staging deployments – don’t know the URL until deployed
• Add logic to WebRole’s OnStart() to update the WIF settings in web.config
– Read in configuration settings from .cscfg
– Update and save the web.config
– Changing .cscfg settings can cause a role recycle . . . causing web.config to update
15. Tips & Tricks
• Staging vs. Production
– WIF configuration in web.config
– Staging URL unknown until deployment
– Change WIF configuration in web.config during role startup
See Vittorio Bertocci’s blog post at http://blogs.msdn.com/b/vbertocci/archive/2011/05/31/edit-and-apply-new-wif-s-config-settings-in-your-windows-azure-webrole-without-redeploying.aspx
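The OnStart() approach from the two Tips & Tricks slides above, written out as an added example (it is not the code from the deck or from the blog post). The .cscfg setting names, the sitesroot\0 path layout and the recycle-on-change policy are assumptions; RoleEnvironment, RoleEntryPoint and the WIF web.config element names are real.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Xml.Linq;
using Microsoft.WindowsAzure.ServiceRuntime;

// Needs <Runtime executionContext="elevated" /> in ServiceDefinition.csdef,
// since the role process must write under the IIS site root.
public class WebRole : RoleEntryPoint
{
    // Setting names in ServiceConfiguration.cscfg (assumed names).
    private const string RealmSetting = "WifRealm";
    private const string ReplySetting = "WifReply";

    public override bool OnStart()
    {
        // When either setting changes, cancel the in-place change so the role
        // recycles; OnStart then runs again and rewrites web.config.
        RoleEnvironment.Changing += (sender, e) =>
        {
            if (e.Changes.OfType<RoleEnvironmentConfigurationSettingChange>()
                 .Any(c => c.ConfigurationSettingName == RealmSetting || c.ConfigurationSettingName == ReplySetting))
            {
                e.Cancel = true;
            }
        };

        UpdateWifConfiguration();
        return base.OnStart();
    }

    private static void UpdateWifConfiguration()
    {
        string realm = RoleEnvironment.GetConfigurationSettingValue(RealmSetting);
        string reply = RoleEnvironment.GetConfigurationSettingValue(ReplySetting);

        // Full-IIS web roles host the site under %RoleRoot%\sitesroot\0 (assumed layout).
        string webConfig = Path.Combine(Environment.GetEnvironmentVariable("RoleRoot") + @"\", @"sitesroot\0\web.config");

        XDocument doc = XDocument.Load(webConfig);
        XElement service = doc.Root.Element("microsoft.identityModel").Element("service");

        // <audienceUris><add value="..." /></audienceUris>: tokens issued for any other realm are rejected.
        service.Element("audienceUris").Element("add").SetAttributeValue("value", realm);

        // <federatedAuthentication><wsFederation realm="..." reply="..." /></federatedAuthentication>
        XElement wsFederation = service.Element("federatedAuthentication").Element("wsFederation");
        wsFederation.SetAttributeValue("realm", realm);
        wsFederation.SetAttributeValue("reply", reply);
        doc.Save(webConfig);
    }
}
```

The realm and return URL written here must match what the relying party is registered with in the ACS namespace, otherwise ACS will refuse to redirect back.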
16. Tips & Tricks
• Cookie Encryption
– DPAPI used to protect cookies sent to the client.
– DPAPI not supported in Windows Azure
– Use RsaEncryptionCookieTransform to encrypt with same cert used for SSL.
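Added example of the cookie transform swap described above (not code from the deck): the DPAPI-based session token handler is replaced in Global.asax with one that encrypts and signs the session cookie using the service certificate, which is assumed to be the same certificate bound to SSL. The WIF 1.0 types and the ServiceConfigurationCreated event are real; the class and method names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

// Because the cookie is protected with a certificate rather than a per-machine
// DPAPI key, every instance behind the load balancer can read a cookie that
// any other instance issued.
public class Global : System.Web.HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
    }

    private static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        // ServiceCertificate is the certificate referenced by <serviceCertificate>
        // in web.config; here that is assumed to be the SSL certificate.
        var cert = e.ServiceConfiguration.ServiceCertificate;
        if (cert == null || !cert.HasPrivateKey)
        {
            throw new InvalidOperationException(
                "A service certificate with a private key is required to protect the session cookie.");
        }

        var transforms = new List<CookieTransform>
        {
            new DeflateCookieTransform(),             // shrink the token before encrypting
            new RsaEncryptionCookieTransform(cert),   // confidentiality of the claims in the cookie
            new RsaSignatureCookieTransform(cert)     // integrity: a tampered cookie is rejected
        };

        var handler = new SessionSecurityTokenHandler(transforms.AsReadOnly());
        e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(handler);
    }
}
```

The role’s worker process account must be able to read the certificate’s private key, which is the same access the development certificate note later in the deck calls for.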
20. Tips & Tricks
• Development Certificate
• Customize the login experience
• User registration
• Require authentication for only part of the site
21. Gotchas
• Single sign-out not currently supported
– Provide a sign-out link for the specific Identity Provider
• Windows Azure co-admin cannot administer an ACS namespace
– Add Live ID, WAAD, Google, etc.
• WIF not installed on Windows Azure roles
– Microsoft.IdentityModel CopyLocal = true
– Install WIF via a startup task (recommended)
22. The Impact for Mobile Applications
• Social Networks – Important
– Users likely already have at least one
– Quick and easy signup
– Potential for rapid user base expansion
• NuGet package available for easy add to WP application
– Install-Package Phone.Identity.AccessControl.BasePage
24. Windows Azure Active Directory
• Extends AD into the cloud
• Primarily for cloud applications
• Connect from any device and platform
– RESTful access to the directory
– XML or JSON
• Social providers or organizations
• Can sync or federate on-premises AD to cloud
• Currently need Office 365
WAAD is in a Developer Preview mode – tread lightly.
25. Summary
• Traditional identity management in the cloud is hard
– Many external islands of identity
– Current technology hard or not interoperable
• ACS provides standards-based approach
– Integrates with Windows Identity Foundation
– Claims-based authorization
– Built-in support for ADFSv2, Google, Live ID, Yahoo!, & Facebook
• Enrich functionality using WIF
• OData API and portal for management
26. Resources
• Windows Azure ACS Guide
– http://www.windowsazure.com/en-us/develop/net/how-to-guides/access-control/#config-trust
• Programming Windows Identity Foundation, Vittorio Bertocci
• “Claims-Based Authorization with WIF”, Michele Bustamante
– http://msdn.microsoft.com/en-us/magazine/ee335707.aspx
• ACS Cheat Sheet - http://bit.ly/ACSCheatSheet
• ACS How To’s - http://bit.ly/ACSHowTo
• ACS Tips - http://bit.ly/HYhxjY
• Publishing an ACS v2 Federated Identity Web Role - http://bit.ly/HPT6rk
27. How to Get Started
WindowsAzure.com – 90 days free!
http://bit.ly/MikeAzureTrial
Activate MSDN benefits
Install SDK via Web PI
Windows Azure Training Kit
Windows Azure Developer Center
Editor’s Notes
Windows Azure National Architect. Windows Azure MVP. Help customers nationwide with their Windows Azure projects. This can include architectural design sessions, training, development, evangelism, etc. Reach me via email, Twitter, or my blog.
Windows integrated authentication (Active Directory): Kerberos tickets; user doesn't have to do a separate login; option for credentials passed to SQL Server. Membership Provider: SQL Server or any data store. Windows authentication & membership providers are a proven approach: done this for years, code readily available, tooling to help, possibly even used WIF.
Let’s take a look at this scenario. Challenges: Which provider to choose? How to redirect to the right provider? How to validate and parse the tokens returned by each provider? How to add, remove, or change the claims returned? How much code do we have to write? http://msdn.microsoft.com/en-us/library/gg185928.aspx
Image: http://www.sxc.hu/photo/1083976/?forcedownload=1. No AD – sort of (more on that coming up). Lack of physical control – a different way of administering and configuring the environment. Running in someone else’s data center – potentially hundreds of miles away. Connectivity options may incur additional latency.
Options: AD on-premises; AD in the cloud (replicated); AD in the cloud only.
Tap into Facebook, Google, LinkedIn, etc. They have problems too: they change, you change – a vicious cycle. Pick the right one? Add another? More code/logic. Membership Provider: SQL Azure or Windows Azure Table Storage. Pros: you know this and may do it already; migrate existing user data. Cons: management, user support, passwords (security), password resets, potential for a security leak – how secure are you? New providers: the Windows Azure one is new and not well established, provided as a sample – ready for prime time? SQL Azure uses the same provider as SQL Server. We need cloud-ready identity solutions . . . We need identity management built for the cloud! <click>
The one to rule them all: your app integrates with ACS, and ACS deals with the Identity Providers. No more changing code as APIs change; configuration to add new IdPs.
STS: ACS is an STS in that it issues tokens to relying parties that use ACS to perform authentication. The STS must trust the identity provider(s) it uses.
WIF relies on settings in the web.config – which we typically can’t change easily w/ Azure apps
Request validation for all requests in ASP.NET 4; a security feature against cross-site scripting attacks.
Development certificate – use IIS or makecert. Allow NETWORK_SERVICE access to cert (use certmgr).
Social is important: mobile users likely already have it, and Windows Phone users already have a Windows Live ID. Quick and easy signup; potential for rapid user base expansion; tap into a large and growing, global market. NuGet package to quickly add ACS to the app. <DEMO - USING NUGET IN WP7>