• Implementing identity & access control for Azure-based applications
– for common scenarios
• Make use of the Microsoft tool & technology stack
– .NET Framework (ASP.NET & WCF)
– Windows Server & Windows Azure
– Active Directory & Active Directory Federation Services
– Access Control Service
– Windows Azure Active Directory
– Windows 8
Goals
– host applications in the cloud
– SSO from the internal network to the cloud application
[diagram: Authentication, User Management, Business Logic, Access Control, AD]
• Pros
– free
– "just works"
– central administration & authorization
– rules engine
• Cons
– applications need to use special APIs (WIF / .NET 4.5)
– availability of the on-premise ADFS server is crucial
– client identity information is limited to the transmitted claims
– no "back channel" to the on-premise AD
– setup for mobile users
• Pros
– existing ADFS infrastructure can be leveraged to federate with business partners (WS* or SAML2p)
– application programming model does not change
– robust trust management system
• Cons
– no support for other protocols like OpenID or OAuth
– availability of the ADFS federation gateway is crucial
• Azure IaaS
– persistent VMs
– currently beta
• Supported configurations, e.g.
– Active Directory
– Active Directory Federation Services / Federation Service Proxy
– SQL Server
• Together with Azure Virtual Network (VPN) an interesting alternative to depending on the on-premise ADFS
• Integration
– using the DotNetOpenAuth OSS project
– different programming model (no integration with claims)
– hard to mix with WS*
• Windows Azure Access Control Service
– pay-per-use federation gateway
– application programming model stays the same
– similar feature set to ADFS (less powerful rules)
– supports WS*, OpenID and parts of OAuth2, but not SAML2p
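What "application programming model stays the same" means in code, as an added example that is not from the original deck: with WIF the application only ever handles a `ClaimsPrincipal`, so the same claims transformation serves whether the token came from the on-premise ADFS or from ACS. It also shows the "no back channel" constraint: the only facts about the user are the claims in the token, and anything else (here, application roles) has to come from a store the application owns. The namespace, the e-mail claim as user key, the role table and the custom issuer claim type are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Claims;

namespace CloudApp.Identity
{
    // Registered in web.config under <system.identityModel><identityConfiguration> as
    //   <claimsAuthenticationManager type="CloudApp.Identity.AppClaimsAuthenticationManager, CloudApp" />
    // WIF calls Authenticate() once per incoming token, after it has validated the
    // signature, issuer and audience, and before the session cookie is written.
    public class AppClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        // Hypothetical application-owned role store (constructed sample data).
        // There is no back channel to the on-premise AD, so roles the token does
        // not carry must come from here (or from the app's own database).
        private static readonly Dictionary<string, string[]> AppRoles =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
            {
                { "alice@corp.example",  new[] { "Clerk", "Approver" } },
                { "bob@partner.example", new[] { "Clerk" } },
            };

        public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
        {
            if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
                return incomingPrincipal;   // anonymous request: nothing to transform

            var incoming = (ClaimsIdentity)incomingPrincipal.Identity;

            // Only what the STS put into the token is available; use the e-mail
            // claim as the key that identifies the user to this application.
            var email = incoming.FindFirst(ClaimTypes.Email);
            if (email == null || string.IsNullOrWhiteSpace(email.Value))
                throw new SecurityException("Token carries no e-mail claim; cannot map the user.");

            // Build a fresh identity rather than extending the incoming one, so that
            // a role claim asserted by the issuer (e.g. a partner STS sending
            // "Approver") never becomes an application role unchecked.
            var appIdentity = new ClaimsIdentity("Federation", ClaimTypes.Name, ClaimTypes.Role);
            appIdentity.AddClaim(new Claim(ClaimTypes.Name, email.Value));

            // Keep which STS vouched for the user (the issuer name from the trusted
            // issuer list), so authorization can tell corporate ADFS from a partner.
            appIdentity.AddClaim(new Claim("urn:cloudapp:claims:issuer", email.Issuer));

            string[] roles;
            if (AppRoles.TryGetValue(email.Value, out roles))
            {
                foreach (var role in roles)
                    appIdentity.AddClaim(new Claim(ClaimTypes.Role, role));
            }

            return new ClaimsPrincipal(appIdentity);
        }
    }

    // Business logic never sees tokens or protocols, only the transformed principal;
    // swapping ADFS for ACS as the issuer leaves this code untouched.
    public static class InvoiceService
    {
        public static void Approve(int invoiceId)
        {
            var user = ClaimsPrincipal.Current;
            if (!user.IsInRole("Approver"))
                throw new SecurityException("Approver role required.");

            // ... approve invoice ...
        }
    }
}
```

The DotNetOpenAuth route the slide contrasts this with lands the application in a different shape: the OpenID/OAuth response is handed to page code as protocol-specific objects rather than as a `ClaimsPrincipal`, so the transformation and authorization hooks above would have to be rebuilt per protocol.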
[diagram]
• Active Directory
– users, groups
– service principals
– directory service w/ REST API
• protocols: WS*, SAML2p, OAuth2, OpenID Connect
• AD sync (optional) with the on-premise AD (LDAP, Kerberos)
• ACS