Using Windows Azure for Solving
Identity Management Challenges
About Me

Michael S. Collier
National Architect,
Windows Azure


michael.collier@neudesic.com
@MichaelCollier
www.MichaelSCollier.com

http://www.slideshare.net/buckeye01
Traditional Identity Management

• Windows Integrated
  Authentication (Active
  Directory)
• Membership Provider

• Proven Approach
• Leverage Windows
  Identity Foundation
  (WIF)
We Have a Problem

• No Active Directory
• Environment not
  under our physical
  control
• Disconnected from
  the enterprise
  (potentially)
Windows Azure Connect

• Secure network connectivity between on-premises and cloud.
• Hybrid apps access to on-premises servers
   – App access to SQL Server
   – Role domain-joined to AD
• Setup & management

[Figure: Windows Azure roles (Role A, Role B, Role C with multiple VMs) connected through a Relay to the Enterprise network (dev machines, databases). Image courtesy Windows Azure Platform Training Kit]
Windows Azure Virtual Network

Currently in Preview

[Figure: Site-to-Site VPN Tunnel into Windows Azure. Image courtesy of the Windows Azure Training Kit]
Options

• Social Networks
   – They change . . . Often
   – The right one?
   – Another?
   – More work!
• Windows Live ID
• Membership Provider
   – SQL Azure
   – Table Storage
   – Pros
      • Mostly known entity
      • Migrate existing data
   – Cons
      • User management
      • Security leak
      • New
Windows Azure Access Control Service

• No need to build your own identity management solution.
• Authenticate (WIF – OAuth and WS-Federation)
• Claims-based authorization
• Multiple Identity Providers (ADFSv2, Google, Live ID,
  etc.)
• Ability to bring your own via membership
• One to rule them all!
• Easy for your users
Key ACS Concepts

• Relying Party (RP): Web application that outsources
  authentication to a trusted authority. The RP is your app.
• Identity Provider (IP): Authenticates users and issues tokens
• Token: Digitally signed security data issued after the user is
  authenticated. Used to gain access to the RP (your app).
• Claim: Attributes about the authenticated user (age, birthdate,
  email address, name, etc.)
• Federation Provider: Intermediary between the RP and IP.
  ACS is a Federation Provider.
• STS: Security Token Service – issues tokens containing claims.
  ACS is an STS
Authentication Workflow

Participants: Browser, Identity Provider, Access Control (ACS), Application (the Relying Party).

 1. Request Resource
 2. Redirect to Identity Provider
 3. Login
 4. Authenticate & Issue Token
 5. Redirect to AC service
 6. Send Token to ACS
 7. Validate Token, Run Rules Engine, Issue Token
 8. Redirect to RP with ACS Token
 9. Send ACS Token to Relying Party
10. Validate Token
11. Return resource representation

Courtesy Windows Azure Boot Camp
Getting Started with ACS

DEMO
Claims Enrichment

• Identity Providers only provide a few claims
   –   Windows Live provides just one (Named Identifier)
   –   Google and Yahoo! provide three (email, name, named identifier)
   –   Facebook
   –   ADFSv2


• Add more claims that are known to your application
   – ClaimsAuthenticationManager
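An added example of the ClaimsAuthenticationManager approach named above (this is not code from the slides or from Microsoft; the role table, the assembly name "MyWebRole" and the sample identifiers are constructed for illustration). It targets WIF 3.5 (Microsoft.IdentityModel). The security-relevant detail is the lookup key: a name identifier is only unique within one identity provider, so the store is keyed by the ACS identityprovider claim plus the name identifier.

```csharp
// Added example (not code from the slides): a WIF 3.5 ClaimsAuthenticationManager
// that adds application-known role claims to the few claims the identity
// provider sends. Registered in web.config under <microsoft.identityModel><service>:
//   <claimsAuthenticationManager type="AppClaimsAuthenticationManager, MyWebRole" />
// The assembly name and the role table below are assumptions.
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Claims;

public class AppClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // ACS adds this claim to every token it issues, naming the original IdP.
    public const string IdentityProviderClaimType =
        "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

    // Constructed sample user store, keyed by identity provider AND name
    // identifier. A name identifier is only unique within one provider, so
    // keying on it alone would let a Google user inherit a Live ID user's roles.
    private static readonly Dictionary<string, string[]> UserRoles =
        new Dictionary<string, string[]>(StringComparer.Ordinal)
        {
            { "Google|user-1001",            new[] { "Admin", "Reader" } },
            { "uri:WindowsLiveID|user-1001", new[] { "Reader" } },
        };

    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
    {
        // Runs after WIF has validated the token signature and audience;
        // never enrich an unauthenticated principal.
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
        {
            return incomingPrincipal;
        }

        IClaimsIdentity identity = (IClaimsIdentity)incomingPrincipal.Identity;
        string provider = FindClaimValue(identity, IdentityProviderClaimType);
        string nameId = FindClaimValue(identity, ClaimTypes.NameIdentifier);

        foreach (string role in LookupRoles(provider, nameId))
        {
            // Issuer "LOCAL AUTHORITY" marks these claims as asserted by this
            // application, not by the external provider, so authorization
            // code can tell the two apart.
            identity.Claims.Add(new Claim(ClaimTypes.Role, role,
                ClaimValueTypes.String, ClaimsIdentity.DefaultIssuer));
        }
        return incomingPrincipal;
    }

    public static IEnumerable<string> LookupRoles(string identityProvider, string nameIdentifier)
    {
        string[] roles;
        if (identityProvider == null || nameIdentifier == null ||
            !UserRoles.TryGetValue(identityProvider + "|" + nameIdentifier, out roles))
        {
            return new string[0];
        }
        return roles;
    }

    private static string FindClaimValue(IClaimsIdentity identity, string claimType)
    {
        foreach (Claim claim in identity.Claims)
        {
            if (string.Equals(claim.ClaimType, claimType, StringComparison.Ordinal))
            {
                return claim.Value;
            }
        }
        return null;
    }
}
```

Anything the manager adds is trusted by the rest of the application exactly like a claim from the token, so the lookup must not be driven by claims the user can influence (an email claim, for instance) but by the provider-scoped identifier.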
Claims Enrichment

DEMO
Tips & Tricks

• WIF relies on the web.config file
• URLs related to the site are set in the web.config . . .
  can’t change
• Problematic for staging deployments – don’t know the
  URL until deployed
• Add logic to WebRole’s OnStart() to update the WIF
  settings in web.config
   – Read in configuration settings from .cscfg
   – Update and save the web.config
   – Changing .cscfg settings can cause a role recycle . . . causing
     web.config to update
Tips & Tricks

• Staging vs. Production
     – WIF configuration in web.config
     – Staging URL unknown until deployment
     – Change WIF configuration in web.config during role startup




See Vittorio Bertocci’s blog post at http://blogs.msdn.com/b/vbertocci/archive/2011/05/31/edit-and-apply-new-wif-s-config-settings-in-your-windows-azure-webrole-without-redeploying.aspx
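An added example of the procedure described on the two preceding slides (read a setting from .cscfg in OnStart, rewrite the WIF section of web.config, let a setting change recycle the role). This is not code from the slides or from Vittorio Bertocci's post; the setting name "WifRealm", the IIS site name pattern, and the use of Microsoft.Web.Administration to find the site's physical path are assumptions.

```csharp
// Added example (not code from the slides): rewrite the WIF realm, reply and
// audience URIs in web.config at role start-up from a .cscfg setting, so one
// package works for both staging and production addresses.
// Assumptions: a .cscfg setting "WifRealm", the "<instanceId>_Web" IIS site
// name, and <Runtime executionContext="elevated" /> in the .csdef (ServerManager
// reads the IIS configuration).
using System;
using System.IO;
using System.Linq;
using System.Xml.Linq;
using Microsoft.Web.Administration;
using Microsoft.WindowsAzure.ServiceRuntime;

public class WebRole : RoleEntryPoint
{
    private const string RealmSetting = "WifRealm";

    public override bool OnStart()
    {
        // A change to the realm setting must re-run OnStart: cancelling the
        // change makes the fabric recycle the instance, which rewrites web.config.
        RoleEnvironment.Changing += (sender, e) =>
        {
            if (e.Changes.OfType<RoleEnvironmentConfigurationSettingChange>()
                 .Any(c => c.ConfigurationSettingName == RealmSetting))
            {
                e.Cancel = true;
            }
        };

        string realm = RoleEnvironment.GetConfigurationSettingValue(RealmSetting);
        using (ServerManager iis = new ServerManager())
        {
            string siteName = RoleEnvironment.CurrentRoleInstance.Id + "_Web";
            string physicalPath =
                iis.Sites[siteName].Applications[0].VirtualDirectories[0].PhysicalPath;
            WifConfigUpdater.UpdateRealm(Path.Combine(physicalPath, "web.config"), realm);
        }
        return base.OnStart();
    }
}

public static class WifConfigUpdater
{
    // Sets realm, reply and the single audience URI to the same value. The
    // three must agree: WIF rejects a token whose audience is not listed in
    // audienceUris (AudienceUriValidationFailedException), and an http realm
    // would send the token over the wire in clear.
    public static void UpdateRealm(string webConfigPath, string realm)
    {
        if (!realm.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
        {
            throw new ArgumentException("WIF realm must be an https URL.", "realm");
        }
        if (!realm.EndsWith("/", StringComparison.Ordinal))
        {
            realm += "/";
        }

        XDocument doc = XDocument.Load(webConfigPath);
        XElement service = doc.Root.Element("microsoft.identityModel").Element("service");

        XElement wsFed = service.Element("federatedAuthentication").Element("wsFederation");
        wsFed.SetAttributeValue("realm", realm);
        wsFed.SetAttributeValue("reply", realm);

        XElement audiences = service.Element("audienceUris");
        audiences.RemoveAll();
        audiences.Add(new XElement("add", new XAttribute("value", realm)));

        doc.Save(webConfigPath);
    }
}
```

The realm the role sends as wtrealm still has to correspond to a relying party application registered in the ACS namespace, so the staging address needs to be known to ACS as well; rewriting web.config only fixes the role's side of the trust.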
Tips & Tricks

• Cookie Encryption
   – DPAPI used to protect cookies sent to the client.
   – DPAPI not supported in Windows Azure
   – Use RsaEncryptionCookieTransform to encrypt with same cert
     used for SSL.
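An added example of the RsaEncryptionCookieTransform tip (not code from the slides): Global.asax code that swaps WIF 3.5's default DPAPI cookie protection for RSA encryption and signing with the role's service certificate, which is the certificate referenced by the `<serviceCertificate>` element of web.config and uploaded to the hosted service. The class and member names are assumptions.

```csharp
// Added example (not code from the slides): replace WIF's DPAPI-based session
// cookie protection, which does not work across Windows Azure role instances,
// with RSA encryption + signature using the role's service certificate (the
// same certificate used for SSL). The certificate is configured in web.config:
//   <serviceCertificate>
//     <certificateReference x509FindType="FindByThumbprint" findValue="<thumbprint>"
//                           storeLocation="LocalMachine" storeName="My" />
//   </serviceCertificate>
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

public class Global : System.Web.HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        // Raised once, when WIF builds its configuration on first use.
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
    }

    private static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        var certificate = e.ServiceConfiguration.ServiceCertificate;
        if (certificate == null || !certificate.HasPrivateKey)
        {
            // Without a private key the role could neither decrypt nor sign
            // session cookies; fail at start-up rather than at first login.
            throw new InvalidOperationException(
                "A WIF service certificate with a private key is required for RSA cookie protection.");
        }

        // Order matters: compress, then encrypt, then sign. Every instance of
        // the role holds the same certificate, so a cookie written by one
        // instance is readable by all of them, which DPAPI (machine-bound key)
        // cannot offer.
        var transforms = new List<CookieTransform>(new CookieTransform[]
        {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(certificate),
            new RsaSignatureCookieTransform(certificate)
        });

        var sessionHandler = new SessionSecurityTokenHandler(transforms.AsReadOnly());
        e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler);
    }
}
```

The certificate must also be declared in the role's `<Certificates>` section of the .csdef so it is installed into the LocalMachine\My store on each instance; rotating it invalidates every outstanding session cookie, which is the intended effect of a key rotation.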
Tips & Tricks

• Change request validation
   – Use ASP.NET 2 request validation
   – Custom validator
Tips & Tricks

// Source: http://social.technet.microsoft.com/wiki/contents/articles/1725.windows-identity-foundation-wif-a-potentially-dangerous-request-form-value-was-detected-from-the-client-wresult-t-requestsecurityto.aspx
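An added example of the "custom validator" option from the two preceding slides (this is not the code screenshot from the slide, nor the TechNet article's code verbatim; the class and assembly names are assumptions). It narrows the exemption to the single `wresult` form field of a WS-Federation sign-in response, so the rest of the site keeps ASP.NET 4 request validation instead of being dropped back to `requestValidationMode="2.0"` globally.

```csharp
// Added example (not code from the slides): an ASP.NET 4 RequestValidator
// that lets the WS-Federation "wresult" POST through validation only when it
// parses as a sign-in response. Registered in web.config:
//   <httpRuntime requestValidationType="WsFedRequestValidator, MyWebRole" />
// The assembly name "MyWebRole" is an assumption.
using System;
using System.Web;
using System.Web.Util;
using Microsoft.IdentityModel.Protocols.WSFederation;

public class WsFedRequestValidator : RequestValidator
{
    protected override bool IsValidRequestString(
        HttpContext context,
        string value,
        RequestValidationSource requestValidationSource,
        string collectionKey,
        out int validationFailureIndex)
    {
        validationFailureIndex = 0;

        // Only the "wresult" form field is considered, and only if the whole
        // POST parses as a WS-Federation sign-in response. Query string,
        // cookies, headers and every other form field keep the default rules,
        // which is the least-privilege alternative to disabling validation.
        if (requestValidationSource == RequestValidationSource.Form &&
            string.Equals(collectionKey, WSFederationConstants.Parameters.Result, StringComparison.Ordinal))
        {
            SignInResponseMessage message =
                WSFederationMessage.CreateFromFormPost(context.Request) as SignInResponseMessage;
            if (message != null)
            {
                return true;
            }
        }

        return base.IsValidRequestString(context, value, requestValidationSource,
            collectionKey, out validationFailureIndex);
    }
}
```

Letting the token XML through request validation is safe only because WIF then verifies the token's signature, issuer and audience before any claim is trusted; the validator must never be widened to other fields on the strength of that check.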
Tips & Tricks

• Development Certificate

• Customize the login experience

• User registration

• Require authentication for only part of the site
Gotchas

• Single sign-out not currently supported
   – Provide a sign-out link for the specific Identity Provider


• Windows Azure co-admin cannot administer an ACS
  namespace
   – Add Live ID, WAAD, Google, etc.


• WIF not installed on Windows Azure roles
   – Microsoft.IdentityModel: set CopyLocal = true
   – Install WIF via a startup task (recommended)
The Impact for Mobile Applications

• Social Networks – Important
   – Users likely already have at least one
   – Quick and easy signup
   – Potential for rapid user base expansion



• NuGet package available for easy add to WP application
   – Install-Package Phone.Identity.AccessControl.BasePage
Enable ACS on Your Windows Phone Application

DEMO
Windows Azure Active Directory

• Extends AD into the cloud
• Primarily for cloud applications

• Connect from any device and platform
   – RESTful access to the directory
   – XML or JSON


• Social providers or organizations

• Can sync or federate on-premises AD to the cloud

• Currently need Office 365
WAAD is in a Developer Preview mode – tread lightly.
Summary

• Traditional identity management in the cloud is hard
   – Many external islands of identity
   – Current technology hard or not interoperable


• ACS provides standards-based approach
   – Integrates with Windows Identity Foundation
   – Claims-based authorization
   – Built-in support for ADFSv2, Google, Live ID, Yahoo!, & Facebook


• Enrich functionality using WIF

• OData API and portal for management
Resources

•   Windows Azure ACS Guide
     – http://www.windowsazure.com/en-us/develop/net/how-to-guides/access-control/#config-trust

•   Programming Windows Identity Foundation, Vittorio Bertocci

•   “Claims-Based Authorization with WIF”, Michele Bustamante
     – http://msdn.microsoft.com/en-us/magazine/ee335707.aspx

•   ACS Cheat Sheet - http://bit.ly/ACSCheatSheet

•   ACS How To’s - http://bit.ly/ACSHowTo

•   ACS Tips - http://bit.ly/HYhxjY

•   Publishing an ACS v2 Federated Identity Web Role - http://bit.ly/HPT6rk
How to Get Started

• WindowsAzure.com – 90 days free! http://bit.ly/MikeAzureTrial
• Activate MSDN benefits
• Install SDK via Web PI
• Windows Azure Training Kit
• Windows Azure Developer Center

Editor's Notes

  1. Windows Azure National Architect, Windows Azure MVP. Help customers nationwide with their Windows Azure projects. This can include architectural design sessions, training, development, evangelism, etc. Reach me via email, Twitter, or my blog.
  2. Windows integrated authentication (Active Directory): Kerberos tickets; the user doesn't have to do a separate login; option for credentials to be passed to SQL Server. Membership Provider: SQL Server or any data store. Windows authentication and membership providers are a proven approach: done this for years, code readily available, tooling to help, possibly even used WIF.
  3. Let's take a look at this scenario. Challenges: Which provider to choose? How to redirect to the right provider? How to validate and parse the tokens returned by each provider? How to add, remove, or change the claims returned? How much code do we have to write? http://msdn.microsoft.com/en-us/library/gg185928.aspx
  4. http://www.sxc.hu/photo/1083976/?forcedownload=1 No AD – sort of (more on that coming up). Lack of physical control – a different way of administering and configuring the environment. Running in someone else's data center – potentially hundreds of miles away. Connectivity options may incur additional latency.
  5. Options: AD on-premises; AD in the cloud (replicated); AD in the cloud only.
  6. Tap into Facebook, Google, LinkedIn, etc. They have problems too: they change, you change – a vicious cycle. Pick the right one? Add another? More code/logic. Membership Provider: SQL Azure, Windows Azure Table Storage. Pros: you know this – may do it already; migrate existing user data. Cons: management, user support, passwords (security), password resets, potential for a security leak – how secure are you? New providers: Windows Azure – new, not well established, provided as a sample – ready for prime time? SQL Azure uses the same provider as SQL Server. We need cloud-ready identity solutions . . . We need identity management built for the cloud! <click>
  7. The one to rule them all. Your app integrates with ACS; ACS deals with the Identity Providers. No more changing code as APIs change – configuration to add new IdPs.
  8. STS: ACS is an STS in that it issues tokens to relying parties that use ACS to perform authentication. The STS must trust the identity provider(s) it uses.
  9. WIF relies on settings in the web.config, which we typically can't change easily with Azure apps.
  10. http://blogs.msdn.com/b/vbertocci/archive/2011/05/31/edit-and-apply-new-wif-s-config-settings-in-your-windows-azure-webrole-without-redeploying.aspx
  11. ASP.NET 4 applies request validation to all requests; it is a security feature against cross-site scripting attacks.
  12. Development certificate: use IIS or makecert. Allow NETWORK_SERVICE access to the cert (use certmgr).
  13. Social is important: mobile users likely already have one; Windows Phone users already have a Windows Live ID; quick and easy signup; potential for rapid user base expansion; tap into a large and growing market; global market. NuGet package to quickly add ACS to the app. <DEMO - USING NUGET IN WP7>
  14. OData for rich control; portal for simpler things.
  15. http://bit.ly/ACSCheatSheet - http://social.technet.microsoft.com/wiki/contents/articles/1546.aspx#T-shooting_cheat_sheets ; http://bit.ly/ACSHowTo - http://msdn.microsoft.com/en-us/library/windowsazure/gg185939.aspx ; http://bit.ly/HPT6rk - http://blogs.msdn.com/b/davidmcg/archive/2011/04/05/publishing-a-acs-v2-federated-identity-web-role.aspx ; http://bit.ly/HYhxjY - http://fabriccontroller.net/blog/a-few-tips-to-get-up-and-running-with-theazure-appfabric-access-control-service