Developing and deploying Identity-enabled applications for the cloud
Download as PPTX, PDF0 likes1,350 views
The document outlines a session focused on developing and deploying identity-enabled applications for the cloud, highlighting the role of Active Directory Federation Services (ADFS) in facilitating single sign-on (SSO) for both on-premises and cloud-based applications. It discusses the benefits of federation, deployment configurations, and the integration of ADFS with various identity providers, including Windows Azure AppFabric Access Control Service (ACS). The session also covers practical implementation details and resources for further learning about identity management in cloud environments.
![Configuring your AD FS ServerOr: %ProgramFiles%\Active Directory Federation Services 2.0\FsConfigWizard.exeManually: FsConfig.exe { StandAlone | CreateSQLFarm | JoinFarm | JoinSQLFarm | GenerateSQLScripts} [deployment specific parameters]](https://image.slidesharecdn.com/identityappsforthecloud-110930012945-phpapp01/85/Developing-and-deploying-Identity-enabled-applications-for-the-cloud-23-320.jpg)
Developing and deploying Identity-enabled applications for the cloud
- 1. Developing and deploying Identity-enabled applications for the cloud
- 2. This sessionmeetsDeveloping and deploying Identity-enabled applications for the cloud
- 3. Winsec.bethanks his sponsors for their continued support
- 5. Thanksforbeinghereandenjoy the show!Feedback to winsec@winsec.be
- 6. board@azug.beDeveloping and deploying Identity-enabled applications for the cloud
- 7. Your Presenters for TodayMaarten@maartenballiauw / about.me/maarten.balliauwCo-founder of AZUGMVP: Windows AzureBlogs at http://blog.maartenballiauw.bePaul@ploonen / paul@winsec.beCo-founder of winsec.beMVP: Microsoft Forefront Identity ManagerMCM DirectoryCurrent hobby: Architect@AvanadeBlog @ http://be-id.blogspot.com
- 8. AgendaPresenting the problem (a.k.a. “The Scenario”)How federation saves the dayHow ADFS solves federationHow to connect an app to ADFSHow Windows Azure adds extra sauce to federationQ&A
- 10. Introducing AD FS v2
- 11. Some vocabulary
- 12. Federation benefitsBenefits of SSOreduce administrative overheadreduce security vulnerabilities as a result of lost or stolen passwordsimprove user productivityIntra-Enterprise: provide SSO for all your web sites and applicationsInter-Enterprise:provide SSO experiences for your users to access apps in other organizationsprovide SSO experience for users from external organizations to access your appsEasily externalize authentication & authorizationRich claims rules processing engineManagement & Configuration Tools
- 13. What is AD FS 2.0?Other Claims ProvidersAD FS 2.0 provides access and single sign-on for on-premises and cloud-based applications in the enterprise, across organizations, and on the WebCAIBMSUNAD FS 2.0 Major ComponentsFederation ServerFederation Server ProxyWIFAttribute StoresClaims EngineWebsiteManagement Snap-inOther STSWeb ServiceActive DirectoryWindows Server 2008 SP2, 2008 R2MS SQLRelying PartiesBrowser AppsWIFWindows Internal DB.NET 3.5 SP1IIS 7Smart ClientsWeb Services
- 14. Why consider AD FS 2.0?Building a production-ready STS is hard.The Visual Studio STS templates are just starters for trivial dev scenarios.Lots of configuration to manage, UI's to present in real world STS!
- 15. Typical Traffic FlowIdentity ProviderRelying PartyFederationTrustActive DirectoryAccountResourceFederation ServerFederation ServerWeb ServerInternal Client
- 16. Scenario 1 – Intra OrganizationClaims-aware appADFS STSActive DirectoryUserApp trusts STSBrowse appNot authenticatedRedirected to STS AuthenticateReturn Security TokenQuery for user attributesSend TokenSTSTReturn pageand cookie
- 17. Scenario 2 – Inter OrganizationActiveDirectoryYourADFS STSPartnerADFS STS & IPYourClaims-aware appPartner userBrowse appNot authenticatedRedirect to your STSHome realm discoveryRedirected to partner STS requesting ST for partner userAuthenticateReturn ST for consumption by your STS Redirected to your STS STSTSTSTProcess tokenReturn new ST Send TokenReturn pageand cookie
- 18. Installing AD FS v2Requires Windows Server 2008 / 2008 R2Requires IIS 7, .NET 3.5 SP1, WIFSee deployment guide for required hot fixes and updatesIssue and install server certificates for HTTPSThink about implications for partner organisationCross certification when few partners, otherwise, buy required certsDownload and install ADFS 2.0Simple WizardNew / farm member / Proxy – SSL cert – Names
- 19. AuthN, Attribute StoresAD FS v2 can only use Active Directory as an identity store for authenticationADFSv1 could also use AD LDS / ADAMAD FS v2 can extract attributes from AD DS and from SQL ServerSQL and LDAP stores are directly supportedAdditional stores can be added through custom extensionsIAttributeStore(see: http://msdn.microsoft.com/en-us/library/ee895358.aspx) Register your custom store using Add-ADFSAttributeStoreissue(store = "FileAttributeStore", types = ( "http://schemas.microsoft.com/ws/2008/06/identity/claims/name", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "Age=33;EmpName,Role");Add-ADFSAttributeStore -TypeQualifiedName "CustomAttributeStores.FileAttributeStore,CustomAttributeStores" -Configuration @{"FileName"="c:\temp\data.txt"} -Name FileAttributeStore
- 20. Setting up your STSDemo
- 22. AD FS 2.0 deployment optionsSingle server configurationAD FS 2.0 server farm and load-balancerAD FS 2.0 proxy server (offsite users)ActiveDirectoryAD FS 2.0 ServerProxyAD FS 2.0 ServerAD FS 2.0 ServerAD FS 2.0 ServerProxyExternal userInternaluserDMZEnterprise
- 23. Configuring your AD FS ServerOr: %ProgramFiles%\Active Directory Federation Services 2.0\FsConfigWizard.exeManually: FsConfig.exe { StandAlone | CreateSQLFarm | JoinFarm | JoinSQLFarm | GenerateSQLScripts} [deployment specific parameters]
- 24. FSConfigWizard
- 25. Implementing ADFS in your infra
- 26. Configuring your federation serverIdentity ProviderRelying PartyClaimsDemo
- 27. Configuring the RP Trust
- 28. Claim RulesRule templates simplify the creation of rulesExamples of rules are:Permit / deny user based on incoming claim valueTransform the incoming claim valuePass through / filter an incoming claimMultiple claim rules can be specified and are processed in top to bottom orderResults from previously processed claims can be used as the input for subsequent rules
- 29. Creating RulesOn IdPOn RPOn RP
- 30. Creating RulesConditionIssuance StatementA claim rule consists of two parts, condition and issuance statement
- 31. Custom ClaimsCapabilities of custom rules includeSending claims from a SQL attribute storeSending claims from an LDAP attribute store using a custom LDAP filterSending claims from a custom attribute storeSending claims only when 2 or more incoming claims are metSending claims only when an incoming claim matches a complex valueSending claims with complex changes to an incoming claim valueCreating claims for use in later rules
- 32. Further CustomizationsCustom Style SheetHome realm discoveryLogon PageAuthentication…
- 33. What Else?HardeningSCW profiles are on the boxSizingPowerShellIn Win8 becomes a server role again (v2.1)
- 35. Windows Identity FoundationYour one and only partner for .NET identity developmentAdds claims-based authentication to your application in no timeMy advise: forget custom user storesAnd if you need them: WIF-ify (?) them
- 36. Connecting an app to an STSDemo
- 37. Where things get cloudy...Windows Azure AppFabricAccess Control ServiceACS
- 38. Windows Azure AppFabric ACSAn STS in the cloudPluggable with identity providersWindows Live IDFacebookGoogleYahoo!Any ADFS or better: any WS-federation passive endpointAny OAuth2 provider
- 39. Why ACS?
- 40. Let’s step back...No, we’re not the USFederation across organizations does not happen often todaySo why would I use ACS anyway?Dev, test, accept, prod are different RP’s!2 apps with all these environments is 8 RP’s!Imagine 10 apps... Or a hundred...
- 41. ACS advantagesA scalable STSWith one or more identity providersWith one or more relying partiesWith one or more rule groupsIntegrates with WIFIntegrates with ADFSInstant win!
- 42. ACSIdentityProvidersYour ApplicationACSSAMLSWTBrowser-basedWS-FederationADFS2 . WS-FederationRichClientSAMLWS-TrustADFS2 . WS-TrustServer 2 ServerSWTOAuth WRAP/2.0Service Identities
- 43. Connecting an app to ACSDemo
- 44. Connecting ACS to ADFSDemo
- 45. Using ACS at its full extentACS as an identity service busDemo
- 46. Conclusion
- 47. ConclusionIt is possible to do SSO over security boundariesIt is possible to integrate multiple apps with multiple identity providersADFS and ACS form a nice coupleStandards based solution
- 48. Some ResourcesAD FS v2 on TechNet and MSDNAD FS v2 content on TechNet WikiClaims-Based Identity BlogWindows Azure AppFabric Access Control ServiceWIF and ACS Content Map on Technet WikiVittorio’s Bloghttp://identityserver.codeplex.com
- 49. Q&A
- 50. Winsec.bethanks his sponsors for their continued support
Editor's Notes
- #15: Real world STS's need to manage multiple relying parties, each with multiple claim issuance and authorization rules. Delegation authorization for users of the RP require even further configuration. Federated scenarios add requirement for trusting other STS's.Access to Identity Providers and Attribute Stores, rules for querying
- #23: Capacity planning: http://www.microsoft.com/download/en/details.aspx?id=2278
- #24: FSConfig.exe CreateSQLFarm /ServiceAccount <username> [/ServiceAccountPassword <password>] /SQLConnectionString <connection string> [/CertThumbprint <Cert Thumbprint>] [/Port <Port Number>] [/FederationServiceName <Federation Service Name>] [/CleanConfig] /AutoCertRolloverEnabled [/SigningCertThumbprint <Cert thumbprint>] [/DecryptCertThumbprint <Cert thumbprint>]
- #25: Here there’s a list of cloud scenarios we consider of interest in term of how identity is handled.<click> our baseline is the classic on premises scenario.<click> you have a data center, <click> a population of internal users and <click> some authentication infrastructure, such as Active Directory, maintaining their accounts.<click> applications targeting such environment will follow the current intranet practices.<click> We will then introduce Windows Azure in the picture and observe how things change when the application moves to the cloud; we'll consider this both from the architecture and products usage perspectives.<click> Then we'll move to consider what happens when the application is exposed to multiple business partners, and the implications on authentication and relationships management.<click> However business partners represent an important but tiny fraction of all the possible population <click> you an cater to if you target the internet users.<click> live id, Google, Facebook and yahoo! have hundreds of millions of users; the authentication requirements in those conditions are completely different than the business case, although as we will see the solutions may end up being surprisingly similar.<click> Finally, the mobile scenario is of great importance and again apparently a completely different problem space. Using claims-based identity makes it very easy to progressively accommodate all those different scenarios.
- #43: The ACS would deserve multiple sessions on its own right to be properly covered, here I'm just giving you a quick sampler.What we have seen so far is just a small part of its surface. The schema here shows the ws-federation subsystem, what is normally used for browser-based, session-oriented application types. We've been playing only with ADFS IP types, but in fact <click> there are many out of the box popular IPs you can use right away with your application sticking to the same protocol <click> and a browser<click>.ACS can also do WS-Trust, a high-security protocol for SOAP web services, accepting identities from ADFS2 ws-trust endpoints or bare credentials registered in ACS for management purposes.<click> the same sources can be used within OAuth2.0 calls. OAuth is the current state of the art for securing REST calls: it is still in draft state, hence expect changes, but you can already experiment with it.<click> Both protocols can be used for rich client application types and in general <click> server 2 server interactions.Not shown here there are the management endpoints, the other portion of ACS' development surface, which can be used instead or alongside the portal for managing the namespace.