
Azure Active Directory and Web Single Signon


Alex Thissen

March 13, 2013

Transcript

  1. Agenda
     1. Web Single Sign-on: claims, trust, federation
     2. On-premise SSO: Active Directory
     3. Azure AD
     4. Migration scenarios: synchronization, federation
     5. Questions and answers
     Diagram labels: Azure apps, Internet apps, ADFS 2.0, Firewall, Windows Azure Active Directory, LoB apps, Windows Server Active Directory, On-premise, Internet, Other apps
  2. Web Single Sign-on, aka identity federation
     1. Prove who you are to an authority once
     2. Get authenticated by every trusting application
     It’s all about claims and trust.
     The problem of YAUP: Yet Another Username & Password.
  3. Security Token Service (STS): how it all works
     Diagram labels: App 1, App 2, Identity store (authoritative source of identities), Trust, Security token holding claims, Relying Party (RP) application, RP: application trusting the same issuer
  4. The old thinking: different stores for different apps
     Diagram labels: LoB apps, Windows Server Active Directory, On-premise, Resources (Printers, Network shares, Intranet sites), Azure sites, SQL Azure, LDAP store, aspnet.mdf, Internet
  5. Towards a single Active Directory (section 2: On-premise SSO, Active Directory)
     • Move all identities to Active Directory
     • Leverage on-premise SSO protocols
       – Windows Integrated
       – NTLM
       – Kerberos
     Diagram labels: LoB apps, Windows Server Active Directory, On-premise, Other resources, Printers, Network shares
  6. Adding claims to the picture (section 2: On-premise SSO, Active Directory)
     • Create an on-premise STS
       – Active Directory Federation Server (ADFS) 2.0
     • Trust between apps and STS
     • Add an ADFS proxy when apps are not on-premise
     Diagram labels: ADFS 2.0, STS, ADFS Proxy, LoB apps, Windows Server Active Directory, On-premise, Other resources, Printers, Network shares, Internet apps, Trust, Trust
  7. Moving AD into the cloud
     Windows Server AD:
     • Directory Services (ADDS)
     • Lightweight Directory Services (ADLDS)
     • Federation Server (ADFS)
     • Certificate Services (ADCS)
     • Rights Management Server (ADRMS)
     Windows Azure AD:
     • Directory (WAAD)
     • Access Control Service (ACS)
  8. Introducing Azure AD: “One cloud directory for every organization”
     • AD identity store in the cloud
       – Authentication, STS
       – Management capabilities
     • Single or multi-tenant
     Diagram labels: Azure apps, Internet apps, Windows Azure Active Directory (during Preview and after General Availability)
  9. Azure AD design principles
     • Maximize device & platform reach
       – http/web/REST based protocols
     • Multi-tenancy
       – Customer owns the directory, not Microsoft
     • Optimize for availability, consistent performance, and scale
       – Keep it simple
  10. Azure AD protocols and tenants
     Diagram labels: Windows Azure Active Directory, Your AD tenant, Other AD tenants, yourdomain.onmicrosoft.com, yourdomain.com, Authentication (OAuth 2, SAML-P, WS-Federation, Metadata), Management (Graph API, Management portal)
  11. Directory graphs and Graph API
     • Programmatic access
       – AD objects inside the graph
       – Differential queries
     • REST interface to Azure AD
       – Read/write objects using HTTP verbs
       – OData 3 compliant
       – OAuth 2 authentication for the RP application
       – Libraries available (.NET, PHP, …)
     Diagram labels (graphs inside the directory): The Boss, Manager of, One, Group
  12. Azure Active Directory: single-tenant apps
     1. Unauthenticated user visits the website
     2. Redirected to the Azure AD STS
     3. Authenticates and receives a security token
     4. Client authenticates with the token
     5. Application authenticates for the Graph API
     6. App retrieves additional directory information (if necessary)
     Diagram labels: Web app, WS-Federation, WIF, OAuth 2, AAL, Graph API; security token holds identity claims only; service principal represents the app identity
  13. Multi-tenant app support
     The tenant customer gives consent to access their directory.
     Diagram labels: Windows Azure Active Directory, Your multi-tenant Web app, Tenant customer (×3), Customer directories (×3), Consent (×3)
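The relying-party side of the flow in slides 12 and 13, as an added example that is not part of the deck or of any Microsoft library: one function plays the STS (step 3, a signed token holding identity claims only) and one plays the web app (step 4, validating that token before trusting its claims). The point the two slides share is issuer trust: a single-tenant app accepts tokens from exactly one tenant, while a multi-tenant app accepts tokens from every tenant whose administrator consented, and a token from any other tenant must be refused even though the same Azure AD signed it. Assumptions: a compact JWT-style token signed with HMAC stands in for the SAML token over WS-Federation, a shared demo key stands in for the STS signing certificate, the issuer URI pattern https://sts.windows.net/<tenant-id>/ is Azure AD's, and every tenant id, user name and application URI is constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key standing in for the STS signing certificate (not a real secret).
STS_SIGNING_KEY = b"constructed-demo-signing-key-not-a-real-secret"


def issuer_for_tenant(tenant_id: str) -> str:
    # Azure AD issuer URIs carry the tenant id; the tenant ids used here are constructed.
    return f"https://sts.windows.net/{tenant_id}/"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sts_issue_token(tenant_id, audience, identity_claims, now=None, lifetime=3600):
    """STS side (step 3): sign a token that carries identity claims only."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer_for_tenant(tenant_id), "aud": audience, "tid": tenant_id,
               "nbf": now, "exp": now + lifetime, **identity_claims}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(payload).encode())
    signature = hmac.new(STS_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


class TokenRejected(Exception):
    """Raised when the relying party refuses a token."""


def rp_validate_token(token, expected_audience, trusted_issuers, now=None):
    """Relying-party side (step 4): signature, audience, validity window, then issuer trust."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    expected_sig = hmac.new(STS_SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(signature_b64)):
        raise TokenRejected("signature does not verify")  # not issued by the STS we trust
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("aud") != expected_audience:
        raise TokenRejected("token was not issued for this application")
    now = int(time.time()) if now is None else now
    nbf, exp = claims.get("nbf", 0), claims.get("exp")
    if exp is None or not (nbf <= now < exp):
        raise TokenRejected("token outside its validity window")
    if claims.get("iss") not in trusted_issuers:
        raise TokenRejected("issuer is not a trusted tenant")  # the multi-tenant check
    return claims


def single_tenant_trust(my_tenant_id):
    """Slide 12: a single-tenant app trusts exactly one issuer, its own tenant."""
    return frozenset({issuer_for_tenant(my_tenant_id)})


def multi_tenant_trust(consented_tenant_ids):
    """Slide 13: a multi-tenant app trusts the issuers of the tenants that gave consent."""
    return frozenset(issuer_for_tenant(t) for t in consented_tenant_ids)


def demo(now=1_700_000_000):
    """Runs the scenarios and returns each outcome: the accepted UPN or the rejection reason."""
    contoso = "11111111-1111-1111-1111-111111111111"   # constructed tenant id
    fabrikam = "22222222-2222-2222-2222-222222222222"  # constructed tenant id
    app = "https://app.example.test/"                   # constructed RP identifier
    alice = sts_issue_token(contoso, app, {"upn": "alice@contoso.example"}, now=now)
    bob = sts_issue_token(fabrikam, app, {"upn": "bob@fabrikam.example"}, now=now)
    outcomes = {}

    def attempt(name, token, trust, at=now, audience=app):
        try:
            outcomes[name] = rp_validate_token(token, audience, trust, now=at)["upn"]
        except TokenRejected as err:
            outcomes[name] = f"rejected: {err}"

    attempt("single_tenant_own_user", alice, single_tenant_trust(contoso))
    attempt("single_tenant_foreign_user", bob, single_tenant_trust(contoso))
    attempt("multi_tenant_consented", bob, multi_tenant_trust([contoso, fabrikam]))
    attempt("multi_tenant_not_consented", bob, multi_tenant_trust([contoso]))
    attempt("expired", alice, single_tenant_trust(contoso), at=now + 4000)
    attempt("wrong_audience", alice, single_tenant_trust(contoso), audience="https://other.example.test/")
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The order of checks matters: the signature is verified before any claim is read, so nothing in an unverified payload influences a decision, and the audience check stops a token minted for another relying party from being replayed here. The issuer check is the one a multi-tenant app most often gets wrong; with a shared identity provider, "the signature verifies" says only that some tenant authenticated the user, not that this app has a relationship with that tenant.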
  14. Azure Active Directory: take the existing directory to the cloud
     • Synchronize users and groups to Azure AD
     • Using the DirSync tool
       – One way only
       – No passwords
     Diagram labels: Windows Server Active Directory, On-premise, Internet, DirSync, Azure apps, Internet apps, LoB apps, Trust
  15. Azure Active Directory: merging on-premise and cloud
     • Federate from Azure AD to on-premise
     • It’s all your directory
       – Only technical federation, not from a business perspective
     Diagram labels: Windows Server Active Directory, On-premise, Internet, DirSync, ADFS 2.0, Azure apps, Internet apps, LoB apps, Trust, Trust
  16. Azure Access Control Service: what about Access Control Service?
     Diagram labels (example configuration): Web app, Trust, HRD, Configured identity providers: Yahoo, Microsoft Account (Windows Live ID), Facebook, Google, Windows Azure AD, ADFS 2.0, Shibboleth, Trust
  17. Summary
     Diagram labels: Azure apps, Internet apps, ADFS 2.0, Firewall, Windows Azure Active Directory, LoB apps, Windows Server Active Directory, On-premise, Internet, Other apps
  18. Pop quiz
     How many “Laws of Identity” did Kim Cameron describe?
     Who is the WIF program manager with the black ponytail?
     #Achmea
     Prize for the 1st tweet with the correct answers: