Identity & Cloud Services
Vittorio Bertocci, Sr. Architect Evangelist, Microsoft Corporation
http://www.cloudidentity.net/
Session Code: ARC302
Agenda
• The Cloud
• Cloud & Identity
• Claims based Identity
• Identity.Biztalk.Net
What is the Cloud?
Once Upon a Time…
…if you needed electricity, you had to produce it yourself.
Then a New Idea Came Out…
…generate A LOT of electricity centrally, and have everybody tap from it
What is Cloud Computing?
Evolution of hosting
Source: Forrester Research, “Is Cloud Computing Ready For The Enterprise?”, March 2008
Why Cloud Computing
• S+S: Outsource functions to external services
• The Cloud is “Platform as a Service”
• Host your own resources “in the cloud”: Storage, Workflows, Services…
• Expose your on-premise services “in the cloud” for others to consume
Advantages
• No more IT headache
• Scale
• Reach
• Pay as you use
Everything in the Cloud from now on?
“…larger companies…can be expected to pursue a hybrid approach for many years, supplying some hardware and software requirements themselves and purchasing others over the grid. One of the key challenges for corporate IT departments, in fact, lies in making the right decisions about what to hold on to and what to let go.”
Nicholas Carr, “The Big Switch”
Microsoft Data Center in Chicago
Cost: $500 million
Size: 500,000 square foot facility (10 football fields)
Container-based
FYI: Microsoft averages the deployment of 10000 new servers each month
Cloud & Identity
OnPremise Identity Management
Moving Assets to the Cloud
Identity & Cloud: Challenges & Opportunities
Opportunities
• Outsource aspects of identity management
• Manage relationships
• Offload credential management
• Automatic support for multiple technologies
Challenges
• Resources decentralization
• Investments in directory harder to ROI
• Forces true service orientation
Claims Based Identity
Claims Based Identity Management: Introduction
Traditionally
• Web authentication uses “pure credentials”
• “Intranet” authentication relies on info from well known authorities
• Different authentication technologies are isolated silos
When working with cloud resources we cannot afford any of these
Claims based identity changes all this by
• Merging credentials & subject information in a single artifact
• Negotiating authentication details on the fly via policies, open standards and trust relationships
Authentication in the Offline World
[Diagram: Browser / Web Server, and Web Service / Authority; the Authority vouches for a claim such as AGE: 36]
Tools of the Trade
• Claims: Statements about an entity (subject) made by an entity (issuer)
• Tokens: Signed XML fragments which transport credentials and claims about a subject
• Security Token Service (STS): Web service that issues security tokens
A Token
[Diagram: a token is a claims collection (ClaimName1: Value1 … ClaimNamen: Valuen), followed by the issuer’s signature and optional key material; the whole is encrypted for the intended audience]
The Canonical S-IP-RP Pattern
[Diagram: Subject, Identity Provider (IP) and Relying Party (RP); the Subject sends an RST to the IP, receives a SAML token in the RSTR, and presents it to the RP as required by the RP’s Policy]
The R-STS Pattern
[Diagram: the Subject obtains a SAML token from the IP and sends it in an RST to a Claims Transformer (R-STS); the R-STS trusts the IP and is trusted by the RP, and returns a new SAML token that the Subject presents to the RP]
The R-STS as Point of Trust & Access Management
[Diagram: several IPs are trusted by the R-STS, and several Resources trust the R-STS in turn; the R-STS is the single point of trust and access management]
The R-STS Pattern is Ideal for Cloud Providers
• Natural point of trust brokering with customers & partners
• Natural point of authorization evaluation & enforcement
• Resources are decoupled from the original credentials
• Use of standards
• Policy based dynamic negotiations
Example: Exposing a Service via an R-STS in the Cloud
Identity.Biztalk.Net
Biztalk Services: What is it
“BizTalk Labs provides early access to experimental connectivity and business process technologies”
• Connectivity: Naming, firewall traversal, Eventing
• Workflow: Hosted workflows
• Identity
Identity.Biztalk.Net
The IBN is a rules-driven, federated, claims based access control system
In practice
• Every BTS.Net account gets a dedicated R-STS instance
• The claim transformation logic is driven by user defined rules
• Certain claims are evaluated directly into authorization decisions
• Claims, rules, recognized issuers & crypto can be managed both via web portal and via API
Rules, Trust & Credentials
[Diagram: a client authenticates with Federated Credentials (U/P, LiveID, Personal Card, X509), obtains a SAML token, and reaches an ISV Resource through http://connect.biztalk.net/relay; Claims Transformation Rules and a Policy govern the exchange, with Trust relationships between the parties]
Rule Model
[Diagram: a rule maps an input claim (Source Issuer: Identity.biztalk.net as IBN/{username}, Live, or a custom issuer; Claim Type: Username; Value) to an output claim (Claim Type: Resource#Operation; Value) through the R-STS rules]
Management & Delegated Access
[Diagram: under Identity.biztalk.net, each IBN/{username} scope manages Issuers, Rules and Scopes/Admins]
Example: voting application
Source issuer: FederatedIdentity.net; resources: Vote For Phones, Vote For Laptops
Rules
• If from FederatedIdentity.net && “Group” is “domain users”: Can call VoteForPhones
• If from FederatedIdentity.net && “Group” is “domain users”: Can call VoteForLaptops
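The voting rules above, together with the token structure (claims collection plus issuer signature) and the R-STS claim transformation described earlier, as an added example that is not part of the original deck or of Identity.Biztalk.Net. It assumes a shared HMAC key in place of the issuer’s X.509 signature so it runs offline, and the “#Call” operation name in the output claims is a constructed convention.

```python
import hashlib
import hmac
import json

# Constructed trust store: issuer name -> shared HMAC key (stand-in for X.509 keys).
TRUSTED_ISSUERS = {"FederatedIdentity.net": b"constructed-demo-key"}

# Rules in the IBN shape: (source issuer, input claim type, value) -> output Resource#Operation.
# Mirrors the two voting-application rules on the slide; "#Call" is an assumed operation name.
RULES = [
    ("FederatedIdentity.net", "Group", "domain users", "VoteForPhones#Call"),
    ("FederatedIdentity.net", "Group", "domain users", "VoteForLaptops#Call"),
]


def issue_token(issuer, claims, key):
    """Token = claims collection + issuer's signature over it (the 'A Token' slide)."""
    body = json.dumps({"issuer": issuer, "claims": claims}, sort_keys=True)
    signature = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


def verify_token(token):
    """Return (issuer, claims) only if a trusted issuer signed the token, else None."""
    body = json.loads(token["body"])
    key = TRUSTED_ISSUERS.get(body.get("issuer"))
    if key is None:  # no trust relationship with this issuer
        return None
    expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["signature"]):
        return None  # claims altered after issuance, or forged signature
    return body["issuer"], body["claims"]


def transform(token):
    """R-STS step: map trusted input claims to output Resource#Operation claims via the rules."""
    verified = verify_token(token)
    if verified is None:
        return set()
    issuer, claims = verified
    return {
        output
        for rule_issuer, claim_type, value, output in RULES
        if rule_issuer == issuer and claims.get(claim_type) == value
    }


def can_call(token, resource, operation="Call"):
    """Authorization decision evaluated directly from the transformed claims."""
    return f"{resource}#{operation}" in transform(token)
```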
Identity.Biztalk.Net
demo
Summary
• The shift toward the Cloud drives to a utility model
• The Cloud can simplify identity & access management
• The claims based approach supports on-premise, cloud and hybrid scenarios
• Identity.Biztalk.Net provides a nice testbed for those ideas
Q & A
Call to Action
…
• Familiarize with claims based identity
• Experiment with Lab.Biztalk.Net
• Stay tuned for PDC!
Resources
www.microsoft.com/teched: Tech·Talks, Tech·Ed Bloggers, Live Simulcasts, Virtual Labs
http://microsoft.com/technet: Evaluation licenses, pre-released products, and MORE!
http://microsoft.com/msdn: Developer’s Kit, Licenses, and MORE!
Related Content
Breakout Sessions
• SOA308 “Zermatt” Developer Framework: Putting Authentication Code in its Place
• SOA205 Extending the Application Platform with Cloud Services
• ARC203 Understanding Software-Plus-Services: A Perspective
Biztalk.NET: http://labs.biztalk.net, http://blogs.msdn.com/justinjsmith/, http://blogs.msdn.com/clemensv
Identity: www.identityblog.com, http://blogs.msdn.com/vbertocci
Issue #16 of the Architecture Journal: http://msdn.microsoft.com/en-us/arcjournal/
Please complete an evaluation
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.