5. What We’re Talking About
• Identity - Current State and in The Cloud
• Windows Azure solutions
• Mobile Services
• Access Control Service (ACS)
• Windows Azure Active Directory
6. Who Are You?
• Personalization
• Business Rules
• Functionality / Features
7. Traditional Identity Management
• IT Pro – controls the known world
• Developers – blissfully ignorant?
(Diagram labels: My Enterprise, AD, SQL, LOB App)
8. Cloud . . . A New Challenge
• Move the application & data
• Islands of identity
• Outside of “traditional” IT world
• External users / partners
• BYOD
• Developers ignorant no more
• Developers + IT Pros
14. More Mobile Services?
• Programming Windows Azure Mobile Services
• Jason Farrell
• Wednesday at 10:30am
• Portia
15. Access Control Service (ACS)
• Federated identity/authentication service
• Google, Microsoft Account, Yahoo!, ADFS v2
• Bring your own membership
• Claims-based authorization
• Browser based (302 redirect)
• Focus on your app
17. ACS Tips
• Enrich claims w/ a ClaimsAuthenticationManager
• Update WIF settings in web.config in OnStart()
• Web Farm Ready Cookies
• Web Sites and Cloud Services
• DPAPI not supported in Windows Azure
• Provide sign-out link for identity providers
• Azure co-admin can’t admin ACS namespace
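An added example (not code from the deck) that puts two of these tips into C# with WIF 4.5: a ClaimsAuthenticationManager that turns the ACS identity-provider claim into an application role claim, and Global.asax code that swaps the DPAPI-based session cookie handler for MachineKeySessionSecurityTokenHandler so the FedAuth cookie can be read by every web-role instance. The ADFS issuer value and the Employee/Guest rule are hypothetical.

```csharp
using System.IdentityModel.Services;
using System.IdentityModel.Services.Tokens;
using System.Security.Claims;

// Maps the identity provider ACS reports into an application role. The
// Employee/Guest rule and the ADFS issuer value are hypothetical business rules.
public class EnrichingClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Claim type ACS stamps on every token to name the upstream identity provider.
    const string IdentityProviderClaim =
        "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";
    const string CorporateAdfs = "http://adfs.contoso.example/adfs/services/trust"; // hypothetical

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incoming)
    {
        // WIF calls this for anonymous requests too; pass them through untouched.
        if (incoming == null || !incoming.Identity.IsAuthenticated)
            return incoming;

        var identity = (ClaimsIdentity)incoming.Identity;
        Claim idp = identity.FindFirst(IdentityProviderClaim);
        string role = idp != null && idp.Value == CorporateAdfs ? "Employee" : "Guest";

        // Issuer "LocalAuthority" marks the claim as added by this app, so downstream
        // authorization code can tell app-derived roles from claims ACS actually issued.
        identity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, "LocalAuthority"));
        return incoming;
    }
}

// Global.asax: wire the manager and the web-farm-safe cookie handler in code.
public class Global : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        FederatedAuthentication.FederationConfigurationCreated += (sender, e) =>
        {
            var config = e.FederationConfiguration.IdentityConfiguration;

            // The default handler protects the FedAuth session cookie with DPAPI, which
            // is per-machine and unsupported in Windows Azure. This handler uses the
            // shared <machineKey> instead, so any role instance can read the cookie.
            config.SecurityTokenHandlers.AddOrReplace(new MachineKeySessionSecurityTokenHandler());

            // Runs once per sign-in; the enriched principal is then cached in the
            // session cookie, so a changed role mapping applies at the next sign-in.
            config.ClaimsAuthenticationManager = new EnrichingClaimsAuthenticationManager();
        };
    }
}
```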
18. Windows Azure Active Directory
• Internet scale, multi-tenant directory service
• Directory store for Office 365
• Extend Windows Server AD to the cloud
• Directory & identity services w/o need for Windows Server AD
(Diagram labels: Active Directory; O365 Account Portal; Intune Account Portal; Windows Azure Mgmt Portal; Azure AD PowerShell cmdlets)
19. Windows Azure Active Directory
• Multi-tenant “directory-as-a-service”
• NOT a cloud version of Windows Server AD
Image Source: http://technet.microsoft.com/en-us/library/jj573650.aspx
20. Windows Azure Active Directory
(Diagram: Windows Azure Active Directory integration / management endpoints: Windows Azure Management Portal, REST API, SAML-P, OAuth, WS-Federation)
26. WAAD Authentication
• Authentication for cloud-based & native apps
• Permissions
  • SSO, Read Data, Read & Write Data
  • Applies to the APPLICATION, not the user
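An added illustration (not code from the deck) of the point that Graph permissions are granted to the application rather than a user: a client that obtains an application token with the OAuth 2.0 client-credentials grant and reads users from the Graph API. The tenant, client id and key are placeholders, and the login.windows.net and graph.windows.net endpoints with their api-version values are those of the 2013 Graph API, assumed here and to be checked against current documentation.

```csharp
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Script.Serialization;

// Reads user principal names from a WAAD tenant under an application identity.
// Tenant, client id and key are placeholders; the permission granted to the
// application in the portal (Read Data here) is what Graph enforces.
public class GraphReader
{
    const string Tenant = "contoso.onmicrosoft.com";    // placeholder tenant
    const string ClientId = "<application-client-id>";  // placeholder
    const string ClientKey = "<application-key>";       // placeholder; load from config, not source
    const string GraphResource = "https://graph.windows.net";

    // OAuth 2.0 client-credentials grant: the token identifies the APPLICATION, not a user.
    static string GetAppToken(HttpClient http)
    {
        var body = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            { "grant_type", "client_credentials" },
            { "client_id", ClientId },
            { "client_secret", ClientKey },
            { "resource", GraphResource },
        });
        var resp = http.PostAsync(
            "https://login.windows.net/" + Tenant + "/oauth2/token?api-version=1.0", body).Result;
        resp.EnsureSuccessStatusCode();
        var token = (Dictionary<string, object>)new JavaScriptSerializer()
            .DeserializeObject(resp.Content.ReadAsStringAsync().Result);
        return (string)token["access_token"];
    }

    public static List<string> ListUserPrincipalNames()
    {
        var names = new List<string>();
        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", GetAppToken(http));
            var resp = http.GetAsync(GraphResource + "/" + Tenant + "/users?api-version=2013-04-05").Result;
            // 403 Forbidden here means the application was not granted Read Data.
            resp.EnsureSuccessStatusCode();
            var page = (Dictionary<string, object>)new JavaScriptSerializer()
                .DeserializeObject(resp.Content.ReadAsStringAsync().Result);
            foreach (Dictionary<string, object> user in (object[])page["value"])
                names.Add((string)user["userPrincipalName"]);
        }
        return names;
    }
}
```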
28. WAAD and the Enterprise
(Diagram labels: My Enterprise, AD, SQL, LOB App)
29. WAAD and the Enterprise
• Passwords sync every 2 minutes
• Users sync every 3 hours
(Diagram labels: My Enterprise, DirSync, LOB App, SQL)
30. Where Does the Authentication Happen?
| | Portal | PowerShell / Directory Graph | DirSync w/ Cloud identities | DirSync w/ Password Sync | DirSync w/ SSO |
| Target customer segment | Small | Small to Medium | Small/Medium | Small/Medium | Medium/Large |
| Scenario supported | Least | Least | Some limitations | Some limitations | Most |
| Directory Source of Authority | Cloud | Cloud | On-premises | On-premises | On-premises |
| Hardware requirements | No additional hardware required | No additional hardware required | Windows Server OS for DirSync appliance | Windows Server OS for DirSync appliance | DirSync appliance; ADFS (or other STS) deployment |
| IDP | Cloud | Cloud | Cloud | Cloud | On-premises |
| User login experience | Disjoint username and password; enter credentials twice | Disjoint username and password; enter credentials twice | Same username, disjoint password; enter credentials twice | Same username and password for on-prem and cloud; enter credentials twice | Same username and password for on-prem and cloud; login once if on-premises |
| Complexity | Low | Medium | Low | Low | High |
Table Source: Microsoft Office 365 Directory and Access Management with Windows Azure Active Directory, Ross Adams & Jono Luk – TechEd NA 2013
32. Going Further with Windows Azure AD
• Multitenant applications
  • Leverage identity from other WAAD tenants
  • http://www.windowsazure.com/en-us/develop/net/tutorials/multitenant-apps-for-active-directory/
• Phone 2FA (Multi-Factor Authentication)
  • Additional administrative users
  • Username/pwd + text message code
33. Summary
• Developers, Architects, & IT Pros work together
• Mobile Services
  • Quickly add Identity Providers via portal config and code
• ACS
  • Federated identity authentication
  • Claims-based authorization
• Windows Azure AD
  • “Extends” Windows Server AD to the cloud
  • Query via REST graph API
34. Helpful Resources
• Mobile Services
  • Handling Expired Tokens - http://www.thejoyofcode.com/Handling_expired_tokens_in_your_application_Day_11_.aspx
  • Carlos Figueira’s Blog - http://blogs.msdn.com/b/carlosfigueira/
• ACS
  • Cheat Sheet – http://bit.ly/ACSCheatSheet
  • How To’s – http://bit.ly/ACSHowTo
  • Tips – http://bit.ly/HYhxjY
• Azure Active Directory
  • “Microsoft Office 365 Directory and Access Management with Windows Azure Active Directory”, Ross Adams & Jono Luk – TechEd NA 2013
  • “Deep Dive into the Windows Azure Active Directory Graph API: Data Model, Schema, Query, and More”, Edward Wu – TechEd NA 2013
  • Securing a Windows Store App and REST API using Windows Azure AD - http://msdn.microsoft.com/en-us/library/windowsazure/dn169448.aspx
  • Vittorio Bertocci’s Blog - http://www.cloudidentity.com/blog/
Principal Cloud Architect, Windows Azure MVP. Help customers nationwide with their Windows Azure projects. This can include architectural design sessions, training, development, evangelism, etc. Reach me via email, Twitter, or my blog.
Nearly every application asks at least one simple question – who are you? Personalization. Business rules (access to specific areas / functionality).
MSFT Account – OAuth and integrated Windows Store app (SSO)
OAuth: renders the OAuth web interface for the selected provider.
Provide SSO for Windows 8 users
Mobile Services helps w/ mobile apps, but what about web apps? We can leverage ACS. Authorization – your responsibility; use provided claims and map to your business rules.
With the somewhat more consumer offerings out of the way, let’s spend the rest of the time talking about enterprises.
Accessibility options
DirectoryObject is the base type for the following entity types: Application, Device, DirectoryLinkChange, Contact, Group, Role, ServicePrincipal, TenantDetail, and User. http://msdn.microsoft.com/en-us/library/windowsazure/jj134105.aspx
Simple SSO for web app. Web API and Windows Store App - AAL.
Integration Options
Show AD server and VM in cloud. Show WAAD dir integration. Change user password . . . wait for sync. Show demo app.
Phone 2FA – formerly known as ‘Active Authentication’
Windows Azure National Architect, Windows Azure MVP. Help customers nationwide with their Windows Azure projects. This can include architectural design sessions, training, development, evangelism, etc. Reach me via email, Twitter, or my blog.