Windows Azure, Identity & Access Control - and You

Transcript

1. Windows Azure, Identity & Access – and You. Dominick Baier

2. 2 Dominick Baier •  Solution architect and security consultant at

   thinktecture •  Focus on –  security in distributed applications –  identity management –  Windows/.NET security –  cloud computing •  Microsoft MVP for Developer Security •  http://www.leastprivilege.com •  [email protected] •  @leastprivilege

3. 3 Objectives •  Have a look at different approaches for

   implementing identity & access control for Azure-based applications –  for common scenarios •  Make use of the Microsoft tool & technology stack –  .NET Framework (ASP.NET & WCF) –  Windows Server & Windows Azure –  Active Directory & Active Directory Federation Services –  Access Control Service –  Windows Azure Active Directory –  Windows 8

4. 4 The „real men“ solution PC Phone Tablet Browser Database

   Business Logic Authentication Access Control User Management ...

5. 5 How hard can it be?

6. 6

7. 7 The „real men“ solution PC Phone Tablet Browser Database

   Business Logic Authentication Access Control User Management ...

8. 8 Separation of concerns Authentication User Management Business Logic Access

   Control Domain Controller Application Active Directory Client

9. 9 Scenario 1: „Outsourcing“ internal applications to Windows Azure • 

   Goals –  host applications in the cloud –  SSO from internal network to cloud application Authentication User Management Business Logic Access Control AD

10. 10 Scenario 1: Active Directory Federation Services Authentication User Management

    Business Logic Access Control AD ADFS DC Access Control 1 2 3

11. 11 Scenario 1: ADFS Pros & Cons •  Pros – 

    free –  „just works“ –  central administration & authorization –  rules engine •  Cons –  applications need to use special APIs (WIF / .NET 4.5) –  availability of on-premise ADFS server crucial –  client identity information is limited to transmitted claims –  no „back channel“ to on-premise AD –  setup for mobile users

12. 12 Scenario 2: Federation with Business Partners Authentication User Management

    Access Control 1 2 AD Business Logic Access Control Partner ADFS

13. 13 Scenario 2: Federation with ADFS Pro/Cons •  Pros – 

    existing ADFS infrastructure can be leveraged to federate with business partners (WS* or SAML 2p) –  application programming model does not change –  robust trust management system •  Cons –  no support for other protocols like OpenID or Oauth –  availability of ADFS federation gateway crucial

14. 14 Scenario 3: Identity Infrastructure as a Service •  Windows

    Azure IaaS –  persistent VMs –  currently beta •  Supported configurations e.g. –  Active Directory –  Active Directory Federations Services/Proxy –  SQL Server •  Together with Azure Virtual Network (VPN) interesting alternative

15. 15 Scenario 3: Virtualized Identity Infrastructure 2 Partner AD ReadOnly

    Domain Controller ADFS VPN 1 one-way sync

16. 16 Scenario 4: Integrating Web Identities

17. 17 Scenario 4: Integrating Web Identities •  ASP.NET 4.5 OpenID/OAuth

    Integration –  using the DotNetOpenAuth OSS project –  different programing model (no integration with claims) –  hard to mix with WS* •  Windows Azure Access Control Service –  pay-per-use federation gateway –  application programming model stays the same –  similar feature set to ADFS (less powerful rules) –  supports WS*, OpenID and some of OAuth2 •  but no SAML 2p

18. 18 Scenario 4: Access Control Service https://[yourname].accesscontrol.windows.net/* Rules engine *

    Endpoints for various protocols (e.g. WS-Trust, WS-Federation, WRAP, OAuth2) Management API, Web frontend

19. 19 Scenario 5: Identity Management as a Service Windows Azure

    Active Directory - users, groups - service principals - directory service w/ REST API - WS* - SAML2p - OAuth2 - OpenID Connect AD sync (optional) (LDAP, Kerberos) ACS

20. 20 Outlook: Authentication experience for “modern” Apps Windows Store App

    Web Authentication Broker 1. Request token 3. Use token 2. Store token IdP Service

21. 21 Summary •  Cool stuff! •  Get going!