Using Windows Azure for Solving Identity Management Challenges Michael S. Collier


Post on 12-Nov-2014


Page 1: Using Windows Azure for Solving Identity Management Challenges

Using Windows Azure for Solving Identity Management Challenges

Michael S. Collier

Page 2: Using Windows Azure for Solving Identity Management Challenges

Michael S. Collier

• Principal Cloud Architect, Aditi

• [email protected]
• @MichaelCollier
• www.MichaelSCollier.com

Page 3: Using Windows Azure for Solving Identity Management Challenges

Platinum Sponsors

Gold Sponsors

Page 4: Using Windows Azure for Solving Identity Management Challenges
Page 5: Using Windows Azure for Solving Identity Management Challenges

What We’re Talking About

• Identity - Current State and in The Cloud
• Windows Azure solutions
• Mobile Services
• Access Control Service (ACS)
• Windows Azure Active Directory

Page 6: Using Windows Azure for Solving Identity Management Challenges

Who Are You?

• Personalization
• Business Rules
• Functionality / Features

Page 7: Using Windows Azure for Solving Identity Management Challenges

Traditional Identity Management

• IT Pro – controls the known world
• Developers – blissfully ignorant?

[Diagram: "My Enterprise" – AD, SQL, and a LOB App inside the corporate boundary]

Page 8: Using Windows Azure for Solving Identity Management Challenges

Cloud . . . A New Challenge

• Move the application & data
• Islands of identity
• Outside of “traditional” IT world
• External users / partners
• BYOD

• Developers ignorant no more
• Developers + IT Pros

Page 9: Using Windows Azure for Solving Identity Management Challenges

Windows Azure Options

[Diagram of the options covered in this talk]
• Mobile Services
• Access Control Service (ACS)
• Active Directory
• Server Active Directory
• AD w/ DirSync

Page 10: Using Windows Azure for Solving Identity Management Challenges


Mobile Services

• Goal – easily build cloud-powered mobile apps

• Built-in support for multiple social identity providers

private async System.Threading.Tasks.Task Authenticate()
{
    // Keep prompting until the user completes a login with the chosen provider.
    while (user == null)
    {
        string message;
        try
        {
            // Mobile Services runs the OAuth flow with Twitter in a web view and returns
            // an authenticated MobileServiceUser (UserId plus a Mobile Services auth token).
            user = await App.MobileService.LoginAsync(MobileServiceAuthenticationProvider.Twitter);
            message = string.Format("You are now logged in - {0}", user.UserId);
            CurrentUser.Text = "Welcome, " + App.MobileService.CurrentUser.UserId;
        }
        catch (InvalidOperationException)
        {
            // Raised when the user cancels or the provider rejects the login; loop and ask again.
            message = "You must log in. Login Required";
        }

        var dialog = new MessageDialog(message);
        dialog.Commands.Add(new UICommand("OK"));
        await dialog.ShowAsync();
    }
}

Supported identity providers: Facebook, Google, Microsoft Account, Twitter

Page 11: Using Windows Azure for Solving Identity Management Challenges

Mobile Services


Page 12: Using Windows Azure for Solving Identity Management Challenges

Authentication

• Microsoft Account, Facebook, Twitter, and Google
• OAuth
• Does not use Windows Azure ACS

Page 13: Using Windows Azure for Solving Identity Management Challenges

Authentication

• Microsoft Account – Use the Live SDK
• Tight integration with Windows Live services

Page 14: Using Windows Azure for Solving Identity Management Challenges

More Mobile Services?

• Programming Windows Azure Mobile Services
• Jason Farrell
• Wednesday at 10:30am
• Portia

Page 15: Using Windows Azure for Solving Identity Management Challenges

Access Control Service (ACS)

• Federated identity/authentication service
• Google, Microsoft Account, Yahoo!, ADFS v2
• Bring your own membership
• Claims-based authorization
• Browser based (302 redirect)
• Focus on your app

Page 16: Using Windows Azure for Solving Identity Management Challenges

DEMO TIME!!! – Access Control Service (ACS)

Page 17: Using Windows Azure for Solving Identity Management Challenges

ACS Tips

• Enrich claims w/ a ClaimsAuthenticationManager
• Update WIF settings in web.config in OnStart()
• Web Farm Ready Cookies
  • Web Sites and Cloud Services
  • DPAPI not supported in Windows Azure
• Provide sign-out link for identity providers
• Azure co-admin can’t admin ACS namespace
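An added example (not from the slides) for the first and third tips: a ClaimsAuthenticationManager that adds role claims from the app's own membership store (the "bring your own membership" case), and the Application_Start hook that replaces the DPAPI-protected WIF session cookie with the machineKey-based handler so the cookie can be read by every instance in the farm. The class names, the in-memory role table and the placeholder user keys are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Services;
using System.IdentityModel.Services.Tokens;
using System.Linq;
using System.Security.Claims;

// Registered in web.config under <identityConfiguration><claimsAuthenticationManager type="..."/>.
// WIF runs it once per sign-in, after validating the ACS token and before writing the session cookie.
public class AcsClaimsEnricher : ClaimsAuthenticationManager
{
    // Claim ACS adds to every token naming the identity provider that authenticated the user.
    const string IdpClaim = "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";
    // Constructed stand-in for the app's own membership store, keyed on "identityprovider|nameidentifier".
    static readonly Dictionary<string, string[]> RolesByUser = new Dictionary<string, string[]>
    {
        { "Google|placeholder-google-subject-id", new[] { "Reader" } },
        { "https://adfs.contoso.example/|alice@contoso.example", new[] { "Reader", "Approver" } },
    };

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        // Anonymous requests pass through untouched; WIF then redirects them to ACS.
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated) return incomingPrincipal;
        var identity = (ClaimsIdentity)incomingPrincipal.Identity;
        string key = ValueOf(identity, IdpClaim) + "|" + ValueOf(identity, ClaimTypes.NameIdentifier);
        // Roles come only from the local store, never from the token, so an inbound role claim
        // (forwarded by a misconfigured ACS rule group) is dropped rather than trusted.
        foreach (Claim inbound in identity.FindAll(ClaimTypes.Role).ToList()) identity.RemoveClaim(inbound);
        string[] roles;
        if (RolesByUser.TryGetValue(key, out roles))
            foreach (string role in roles)
                identity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, "LocalMembership"));
        return incomingPrincipal;
    }

    static string ValueOf(ClaimsIdentity id, string type) { Claim c = id.FindFirst(type); return c == null ? "" : c.Value; }
}

// Call from Application_Start: DPAPI keys are per machine, so a session cookie protected by one
// web role instance cannot be read by another; the machineKey handler works across the farm.
public static class WifWebFarmSetup
{
    public static void Register()
    {
        FederatedAuthentication.FederationConfigurationCreated += (sender, e) =>
            e.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers
                .AddOrReplace(new MachineKeySessionSecurityTokenHandler());
    }
}
```

The machineKey handler needs the same <machineKey> element in web.config on every instance; with auto-generated keys each instance would again be unable to read the others' cookies.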

Page 18: Using Windows Azure for Solving Identity Management Challenges

Windows Azure Active Directory

• Internet scale, multi-tenant directory service

• Directory store for Office 365

• Extend Windows Server AD to the cloud

• Directory & identity services w/o need for Windows Server AD

[Diagram: surfaces that read and write the directory – O365 Account Portal, Intune Account Portal, Windows Azure Mgmt Portal, Azure AD PowerShell cmdlets]

Page 19: Using Windows Azure for Solving Identity Management Challenges

Windows Azure Active Directory

• Multi-tenant “directory-as-a-service”
• NOT a cloud version of Windows Server AD

Image Source: http://technet.microsoft.com/en-us/library/jj573650.aspx

Page 20: Using Windows Azure for Solving Identity Management Challenges

Windows Azure Active Directory

[Diagram: Integration / Management Endpoints of Windows Azure Active Directory – Windows Azure Management Portal, REST API, SAML-P, OAuth, WS-Federation]

Page 21: Using Windows Azure for Solving Identity Management Challenges

Windows Azure Active Directory


Integration / Management Endpoints

Page 22: Using Windows Azure for Solving Identity Management Challenges

Windows Azure Active Directory

• What’s in the directory?
• Everything is an object
• Types: User, Group, Role, Application, Device, etc.

Page 23: Using Windows Azure for Solving Identity Management Challenges

WAAD Graph Response

<?xml version="1.0" encoding="utf-8"?>
<feed xml:base="https://graph.windows.net/collierdemo.onmicrosoft.com/" xmlns="http://www.w3.org/2005/Atom" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:georss="http://www.georss.org/georss" xmlns:gml="http://www.opengis.net/gml">
  <id>https://graph.windows.net/11271159-abc8-4e0e-b3c2-c2a0858a036b/directoryObjects/$/Microsoft.WindowsAzure.ActiveDirectory.User</id>
  <title type="text">Microsoft.WindowsAzure.ActiveDirectory.User</title>
  <updated>2013-03-21T00:58:34Z</updated>
  <link rel="self" title="Microsoft.WindowsAzure.ActiveDirectory.User" href="Microsoft.WindowsAzure.ActiveDirectory.User" />
  <entry>
    <id>https://graph.windows.net/11271159-abc8-4e0e-b3c2-c2a0858a036b/directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6</id>
    <category term="Microsoft.WindowsAzure.ActiveDirectory.User" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
    <link rel="edit" title="User" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User" />
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/manager" type="application/atom+xml;type=entry" title="manager" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/manager" />
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/directReports" type="application/atom+xml;type=feed" title="directReports" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/directReports" />
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/members" type="application/atom+xml;type=feed" title="members" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/members" />
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/memberOf" type="application/atom+xml;type=feed" title="memberOf" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/memberOf" />
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/permissions" type="application/atom+xml;type=feed" title="permissions" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/permissions" />

Page 24: Using Windows Azure for Solving Identity Management Challenges

WAAD Graph Response

(continued from the previous slide)

    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/edit-media/thumbnailPhoto" title="thumbnailPhoto" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/thumbnailPhoto" />
    <m:action metadata="https://graph.windows.net/michaelcollier.onmicrosoft.com/$metadata#DirectoryDataService.assignLicense" title="assignLicense" target="https://graph.windows.net/collierdemo.onmicrosoft.com/directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/assignLicense" />
    <content type="application/xml">
      <m:properties>
        <d:objectType>User</d:objectType>
        <d:objectId>23dc9514-64ec-4c94-8f03-4edf9016b2a6</d:objectId>
        <d:accountEnabled m:type="Edm.Boolean">true</d:accountEnabled>
        <d:assignedLicenses m:type="Collection(Microsoft.WindowsAzure.ActiveDirectory.AssignedLicense)" />
        <d:assignedPlans m:type="Collection(Microsoft.WindowsAzure.ActiveDirectory.AssignedPlan)" />
        <d:city m:null="true" />
        <d:displayName>Michael Collier</d:displayName>
        <d:givenName>Michael</d:givenName>
        <d:mailNickname>michael</d:mailNickname>
        <d:mobile>+1 6142883146</d:mobile>
        <d:otherMails m:type="Collection(Edm.String)">
          <d:element>[email protected]</d:element>
        </d:otherMails>
        <d:userPrincipalName>[email protected]</d:userPrincipalName>
      </m:properties>
    </content>
  </entry>
</feed>

* Some elements removed for readability.
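An added example (not from the slides) that reads a feed of this shape with LINQ to XML: it keeps only User entries and treats the OData m:null="true" marker on an empty element as "not enabled" instead of letting a bool cast throw. The two-entry feed, the GraphUser and GraphFeed names and the placeholder object ids are constructed here.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;
public class GraphUser { public string ObjectId, UserPrincipalName; public bool AccountEnabled; }
public static class GraphFeed
{
    // Namespaces declared on the <feed> element of the Graph response.
    static readonly XNamespace Atom = "http://www.w3.org/2005/Atom";
    static readonly XNamespace D = "http://schemas.microsoft.com/ado/2007/08/dataservices";
    static readonly XNamespace M = "http://schemas.microsoft.com/ado/2007/08/dataservices/metadata";
    // OData writes absent values as an empty element with m:null="true" (see <d:city> above),
    // so a plain (bool) cast would throw; only the literal "true" counts as enabled.
    static bool ReadBool(XElement e)
    {
        if (e == null || (string)e.Attribute(M + "null") == "true") return false;
        return string.Equals(e.Value, "true", StringComparison.OrdinalIgnoreCase);
    }
    public static List<GraphUser> Parse(string atomXml)
    {
        return XDocument.Parse(atomXml).Descendants(Atom + "entry")
            .Select(e => e.Element(Atom + "content").Element(M + "properties"))
            .Where(p => p != null && (string)p.Element(D + "objectType") == "User") // directoryObjects can mix types
            .Select(p => new GraphUser
            {
                ObjectId = (string)p.Element(D + "objectId"),
                UserPrincipalName = (string)p.Element(D + "userPrincipalName"),
                AccountEnabled = ReadBool(p.Element(D + "accountEnabled"))
            })
            .ToList();
    }
    // Constructed two-entry feed in the shape of the slides' sample (ids and UPNs are placeholders).
    const string Sample = @"<feed xmlns=""http://www.w3.org/2005/Atom"" xmlns:d=""http://schemas.microsoft.com/ado/2007/08/dataservices"" xmlns:m=""http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"">
 <entry><content type=""application/xml""><m:properties>
  <d:objectType>User</d:objectType><d:objectId>00000000-0000-0000-0000-000000000001</d:objectId>
  <d:accountEnabled m:type=""Edm.Boolean"">true</d:accountEnabled>
  <d:userPrincipalName>alice@example.onmicrosoft.com</d:userPrincipalName>
 </m:properties></content></entry>
 <entry><content type=""application/xml""><m:properties>
  <d:objectType>User</d:objectType><d:objectId>00000000-0000-0000-0000-000000000002</d:objectId>
  <d:accountEnabled m:null=""true"" />
  <d:userPrincipalName>bob@example.onmicrosoft.com</d:userPrincipalName>
 </m:properties></content></entry>
</feed>";
    public static void Main()
    {
        // Prints alice as enabled=True and bob as enabled=False.
        foreach (GraphUser u in Parse(Sample))
            Console.WriteLine("{0} {1} enabled={2}", u.ObjectId, u.UserPrincipalName, u.AccountEnabled);
    }
}
```

Against the live service the same Parse method runs over the body of an HTTPS GET to the tenant's users feed sent with an ADAL-issued bearer token.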

Page 25: Using Windows Azure for Solving Identity Management Challenges


Graph API Helpers

• REST interface for WAAD
• Graph Explorer: https://graphexplorer.cloudapp.net/
• AAD Helper: http://code.msdn.microsoft.com/Windows-Azure-AD-Graph-API-a8c72e18
• Active Directory Authentication Library (ADAL)
  • https://www.nuget.org/packages/System.IdentityModel.Clients.ActiveDirectory/
  • http://www.cloudidentity.com/blog/2013/08/02/aal-becomes-adal-active-directory-authentication-library/
  • Formerly Azure Authentication Library (AAL)

Page 26: Using Windows Azure for Solving Identity Management Challenges

WAAD Authentication

• Authentication for cloud-based & native apps
• Permissions
  • SSO, Read Data, Read & Write Data
  • Applies to the APPLICATION, not the user

Page 27: Using Windows Azure for Solving Identity Management Challenges

DEMO TIME!!! – Windows Azure AD – Single Sign-On, Web API, and Windows Store

Page 28: Using Windows Azure for Solving Identity Management Challenges

WAAD and the Enterprise

[Diagram: "My Enterprise" – AD, SQL, and a LOB App]

Page 29: Using Windows Azure for Solving Identity Management Challenges

WAAD and the Enterprise

• Passwords sync every 2 minutes
• Users sync every 3 hours

[Diagram: "My Enterprise" – AD, SQL, and a LOB App, with DirSync feeding the on-premises directory to Windows Azure AD]

Page 30: Using Windows Azure for Solving Identity Management Challenges

Where Does the Authentication Happen?

| | Portal | PowerShell / Directory Graph | DirSync w/ Cloud identities | DirSync w/ Password Sync | DirSync w/ SSO |
|---|---|---|---|---|---|
| Target customer segment | Small | Small to Medium | Small/Medium | Small/Medium | Medium/Large |
| Scenario supported | Least | Least | Some limitations | Some limitations | Most |
| Directory Source of Authority | Cloud | Cloud | On-premises | On-premises | On-premises |
| Hardware requirements | No additional hardware required | No additional hardware required | Windows Server OS for DirSync appliance | Windows Server OS for DirSync appliance | DirSync appliance; ADFS (or other STS) deployment |
| IDP | Cloud | Cloud | Cloud | Cloud | On-premises |
| User login experience | Disjoint username and password; enter credentials twice | Disjoint username and password; enter credentials twice | Same username, disjoint password; enter credentials twice | Same username and password for on-prem and cloud; enter credentials twice | Same username and password for on-prem and cloud; login once if on-premises |
| Complexity | Low | Medium | Low | Low | High |

Table Source: Microsoft Office 365 Directory and Access Management with Windows Azure Active Directory, Ross Adams & Jono Luk – TechEd NA 2013

Page 31: Using Windows Azure for Solving Identity Management Challenges

DEMO TIME!!! – Windows Azure Active Directory w/ DirSync

Page 32: Using Windows Azure for Solving Identity Management Challenges

Going Further with Windows Azure AD

• Multitenant applications
  • Leverage identity from other WAAD tenants
  • http://www.windowsazure.com/en-us/develop/net/tutorials/multitenant-apps-for-active-directory/
• Phone 2FA (Multi-Factor Authentication)
  • Additional administrative users
  • Username/pwd + text message code

Page 33: Using Windows Azure for Solving Identity Management Challenges

Summary

• Developers, Architects, & IT Pros work together
• Mobile Services
  • Quickly add Identity Providers via portal config and code
• ACS
  • Federated identity authentication
  • Claims-based authorization
• Windows Azure AD
  • “Extends” Windows Server AD to the cloud
  • Query via REST graph API

Page 34: Using Windows Azure for Solving Identity Management Challenges


Helpful Resources

• Mobile Services
  • Handling Expired Tokens - http://www.thejoyofcode.com/Handling_expired_tokens_in_your_application_Day_11_.aspx
  • Carlos Figueira’s Blog - http://blogs.msdn.com/b/carlosfigueira/
• ACS
  • Cheat Sheet – http://bit.ly/ACSCheatSheet
  • How To’s – http://bit.ly/ACSHowTo
  • Tips – http://bit.ly/HYhxjY
• Azure Active Directory
  • “Microsoft Office 365 Directory and Access Management with Windows Azure Active Directory”, Ross Adams & Jono Luk – TechEd NA 2013
  • “Deep Dive into the Windows Azure Active Directory Graph API: Data Model, Schema, Query, and More”, Edward Wu – TechEd NA 2013
  • Securing a Windows Store App and REST API using Windows Azure AD - http://msdn.microsoft.com/en-us/library/windowsazure/dn169448.aspx
  • Vittorio Bertocci’s Blog - http://www.cloudidentity.com/blog/

Page 35: Using Windows Azure for Solving Identity Management Challenges

Q & A

Ask your questions

Page 36: Using Windows Azure for Solving Identity Management Challenges

Thank You!

• Michael S. Collier
• Principal Cloud Architect, Aditi
• [email protected]
• @MichaelCollier
• www.MichaelSCollier.com

Page 37: Using Windows Azure for Solving Identity Management Challenges
Page 38: Using Windows Azure for Solving Identity Management Challenges

August 11th – 13th 2014 – Same Place, Same Time