
Windows Azure, Identity & Access Control - and You

Presented originally at Cloudburst 2012, Stockholm.

Date: 2012-09-27

Dominick Baier



Transcript

  1. Dominick Baier
     • Solution architect and security consultant at thinktecture
     • Focus on
       – security in distributed applications
       – identity management
       – Windows/.NET security
       – cloud computing
     • Microsoft MVP for Developer Security
     • http://www.leastprivilege.com
     • [email protected]
     • @leastprivilege
  2. Objectives
     • Have a look at different approaches for implementing identity & access control for Azure-based applications
       – for common scenarios
     • Make use of the Microsoft tool & technology stack
       – .NET Framework (ASP.NET & WCF)
       – Windows Server & Windows Azure
       – Active Directory & Active Directory Federation Services
       – Access Control Service
       – Windows Azure Active Directory
       – Windows 8
  3. The „real men“ solution
     (diagram: PC, phone, tablet and browser clients all talk to one monolithic application that contains the database, business logic, authentication, access control, user management, ...)
     (slide 4 is an image without text; slide 5 repeats this diagram)
  6. Separation of concerns
     (diagram: authentication and user management move to the domain controller / Active Directory; business logic and access control stay in the application; the client talks to both)
  7. Scenario 1: „Outsourcing“ internal applications to Windows Azure
     • Goals
       – host applications in the cloud
       – SSO from internal network to cloud application
     (diagram: authentication and user management stay with the on-premise AD; business logic and access control move to the cloud application)
  8. Scenario 1: Active Directory Federation Services
     (diagram: the on-premise domain controller / AD with ADFS in front provides authentication and user management, ADFS adds its own access-control step; the Azure application keeps business logic and access control; numbered arrows 1–3 mark the sign-in flow between client, ADFS and application)
  9. Scenario 1: ADFS Pros & Cons
     • Pros
       – free
       – „just works“
       – central administration & authorization
       – rules engine
     • Cons
       – applications need to use special APIs (WIF / .NET 4.5)
       – availability of the on-premise ADFS server is crucial
       – client identity information is limited to the transmitted claims
       – no „back channel“ to the on-premise AD
       – setup for mobile users
  10. Scenario 2: Federation with Business Partners
      (diagram: the partner's AD and ADFS provide authentication and user management; your own ADFS performs access control and federates with the partner ADFS, arrows 1–2; the application keeps business logic and access control)
  11. Scenario 2: Federation with ADFS Pros & Cons
      • Pros
        – existing ADFS infrastructure can be leveraged to federate with business partners (WS-* or SAML2p)
        – application programming model does not change
        – robust trust management system
      • Cons
        – no support for other protocols like OpenID or OAuth
        – availability of the ADFS federation gateway is crucial
  12. Scenario 3: Identity Infrastructure as a Service
      • Windows Azure IaaS
        – persistent VMs
        – currently beta (as of September 2012)
      • Supported configurations, e.g.
        – Active Directory
        – Active Directory Federation Services / Federation Service Proxy
        – SQL Server
      • Together with Azure Virtual Network (VPN) an interesting alternative
  13. Scenario 4: Integrating Web Identities
      • ASP.NET 4.5 OpenID/OAuth integration
        – using the DotNetOpenAuth OSS project
        – different programming model (no integration with claims)
        – hard to mix with WS-*
      • Windows Azure Access Control Service
        – pay-per-use federation gateway
        – application programming model stays the same
        – similar feature set to ADFS (less powerful rules)
        – supports WS-*, OpenID and some of OAuth2
          • but no SAML2p
  14. Scenario 4: Access Control Service
      (diagram of an ACS namespace at https://[yourname].accesscontrol.windows.net/)
      • Rules engine
      • Endpoints for various protocols (e.g. WS-Trust, WS-Federation, WRAP, OAuth2)
      • Management API, web frontend
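What "applications need to use special APIs (WIF / .NET 4.5)" on slide 9 and "application programming model does not change / stays the same" on slides 11 and 13 mean in code is the following added example. It is not code from the deck or from Dominick Baier; it shows the two WIF 4.5 extensibility points an ADFS- or ACS-federated ASP.NET application implements, and why the business logic does not care which STS issued the token. The issuer URI, the AD group names, the application role names and the resource/action strings are constructed for the example.

```csharp
// Added example, not code from the deck: the two WIF 4.5 extensibility points
// of a federated application. Issuer URI, group and role names are assumptions.
// Requires .NET Framework 4.5 and a reference to System.IdentityModel.dll.
using System;
using System.Linq;
using System.Security;
using System.Security.Claims;

// Step 1: claims transformation. WIF calls this once, after the token from
// ADFS/ACS has been validated, and caches the result in the session cookie.
public class AppClaimsTransformer : ClaimsAuthenticationManager
{
    // The only issuer this application accepts (assumed ADFS issuer name).
    public const string TrustedIssuer = "http://adfs.corp.example/adfs/services/trust";

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incoming)
    {
        if (incoming == null || !incoming.Identity.IsAuthenticated)
            return incoming; // anonymous request: nothing to transform

        var identity = (ClaimsIdentity)incoming.Identity;

        // Every claim must come from the trusted STS; a second identity provider
        // added later (e.g. in ACS) must not gain access by accident.
        if (identity.Claims.Any(c => c.Issuer != TrustedIssuer))
            throw new SecurityException("token contains claims from an untrusted issuer");

        var name = identity.FindFirst(ClaimTypes.Name);
        if (name == null)
            throw new SecurityException("token carries no name claim");

        // Only the transmitted claims are available here: there is no back
        // channel to the on-premise AD, so every group the application needs
        // must already be in the token (ADFS issuance rules decide that).
        var app = new ClaimsIdentity(identity.AuthenticationType);
        app.AddClaim(new Claim(ClaimTypes.Name, name.Value, ClaimValueTypes.String, "application"));

        foreach (var group in identity.FindAll(ClaimTypes.Role).Select(c => c.Value))
        {
            // Constructed mapping from transmitted AD groups to application roles.
            switch (group)
            {
                case @"CORP\Employees":
                    app.AddClaim(new Claim(ClaimTypes.Role, "orders:read", ClaimValueTypes.String, "application"));
                    break;
                case @"CORP\OrderManagers":
                    app.AddClaim(new Claim(ClaimTypes.Role, "orders:approve", ClaimValueTypes.String, "application"));
                    break;
            }
        }
        return new ClaimsPrincipal(app);
    }
}

// Step 2: access control. Business code asks for resource/action pairs and
// never inspects raw token claims, so replacing ADFS with ACS or WAAD only
// changes the transformer and the trusted issuer, not this class.
public class AppAuthorizationManager : ClaimsAuthorizationManager
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        var resource = context.Resource.First().Value;
        var action = context.Action.First().Value;
        return context.Principal.HasClaim(ClaimTypes.Role, resource + ":" + action);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed stand-in for the claims a validated ADFS token would carry.
        var fromToken = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "alice", ClaimValueTypes.String, AppClaimsTransformer.TrustedIssuer),
            new Claim(ClaimTypes.Role, @"CORP\Employees", ClaimValueTypes.String, AppClaimsTransformer.TrustedIssuer),
        }, "Federation");

        var principal = new AppClaimsTransformer().Authenticate("/orders", new ClaimsPrincipal(fromToken));
        var authz = new AppAuthorizationManager();

        Console.WriteLine("read:    " + authz.CheckAccess(new AuthorizationContext(principal, "orders", "read")));
        Console.WriteLine("approve: " + authz.CheckAccess(new AuthorizationContext(principal, "orders", "approve")));
    }
}
```

In a real ASP.NET application the two classes are registered in web.config under `<system.identityModel><identityConfiguration>` via the `claimsAuthenticationManager` and `claimsAuthorizationManager` elements, and business code triggers `CheckAccess` through `ClaimsPrincipalPermission` rather than calling the manager directly. The issuer check is the part that matters when the trusted STS later becomes ACS: ACS re-issues the claims under its own issuer name, so the constant changes and the transformer must be reviewed for the (different) claim types each web identity provider actually delivers.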
  15. Scenario 5: Identity Management as a Service
      (diagram: Windows Azure Active Directory)
      • users, groups
      • service principals
      • directory service w/ REST API
      • protocols: WS-*, SAML2p, OAuth2, OpenID Connect
      • AD sync (optional) from the on-premise AD (LDAP, Kerberos)
      • ACS alongside
  16. Outlook: Authentication experience for “modern” apps
      (diagram: a Windows Store app uses the Web Authentication Broker; 1. request token from the IdP, 2. store token, 3. use token against the service)
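The three numbered steps of the last slide with the Windows 8 WinRT APIs, as an added example that is not part of the deck. The IdP authorize URL, client id, callback URI and service endpoint are assumptions, and the response handling assumes an OAuth2 provider using the implicit flow (token returned in the fragment of the callback URI); the slide itself does not name a protocol.

```csharp
// Added example, not code from the deck: request, store and use a token from
// a Windows Store app. IdP/service URLs and the OAuth2 implicit-flow response
// format are assumptions. Requires a Windows 8 Store app project (WinRT).
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Windows.Security.Authentication.Web;
using Windows.Security.Credentials;

public static class TokenFlow
{
    const string Resource = "example-service"; // credential locker key (assumed)
    static readonly Uri CallbackUri = new Uri("https://app.example/oauth-callback"); // assumed

    // 1. Request token: the broker shows the IdP's login page in an isolated
    //    web view and returns as soon as the IdP redirects to CallbackUri.
    //    The app never sees the user's password, only the issued token.
    public static async Task<string> RequestTokenAsync(string userName)
    {
        var startUri = new Uri(
            "https://idp.example/oauth2/authorize?response_type=token" +
            "&client_id=my-store-app&redirect_uri=" + Uri.EscapeDataString(CallbackUri.ToString()));

        WebAuthenticationResult result = await WebAuthenticationBroker.AuthenticateAsync(
            WebAuthenticationOptions.None, startUri, CallbackUri);

        if (result.ResponseStatus != WebAuthenticationStatus.Success)
            throw new InvalidOperationException(
                "sign-in failed: " + result.ResponseStatus + " (" + result.ResponseErrorDetail + ")");

        string token = ExtractAccessToken(result.ResponseData);

        // 2. Store token: in the credential locker, not in app settings or a file.
        new PasswordVault().Add(new PasswordCredential(Resource, userName, token));
        return token;
    }

    // 3. Use token: send it as a bearer token on every call to the service.
    public static async Task<string> CallServiceAsync(string userName)
    {
        var cred = new PasswordVault().Retrieve(Resource, userName); // throws if nothing is stored
        cred.RetrievePassword();

        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", cred.Password);
            var response = await http.GetAsync("https://service.example/api/orders"); // assumed endpoint
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        }
    }

    // Pull access_token out of
    // "https://app.example/oauth-callback#access_token=...&token_type=bearer&...".
    static string ExtractAccessToken(string responseData)
    {
        int hash = responseData.IndexOf('#');
        if (hash < 0)
            throw new InvalidOperationException("callback URI carries no fragment");

        foreach (var pair in responseData.Substring(hash + 1).Split('&'))
        {
            var kv = pair.Split(new[] { '=' }, 2);
            if (kv.Length == 2 && kv[0] == "access_token")
                return Uri.UnescapeDataString(kv[1]);
        }
        throw new InvalidOperationException("callback URI carries no access_token");
    }
}
```

The broker's web view runs in its own app container with a separate cookie store, so the IdP session is not shared with the app's own HTTP traffic; only what the IdP puts into the callback URI reaches the app, which is why the example parses that URI rather than reading cookies. Check `ResponseStatus` before touching `ResponseData`: a `UserCancel` or `ErrorHttp` result has no token.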