Post on 14-Dec-2015
transcript
Cloud Identity & Access Control Services
Cloud Computing Soup to Nuts
Mike Benkovich, Microsoft Corporation, www.benkoTips.com - @mbenko
btlod-74
Agenda
What is ACS
How is it configured
Using in web applications
Mobile scenarios
Part of provider model
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
Core Services
Windows Azure: Compute, Storage, Database
Additional Services
Caching, CDN, Service Bus, Reporting, Data Sync, Azure Connect, Identity, HPC
Airport security
Do you have a valid ID?
• Drivers license
• Visa
• Other…
Other rules
• Current flight
• Exceptions
Identity in the Cloud is Hard
• Outside of identity domains
• Too many islands of identity
• Current technology hard or not interoperable
• Managing 3rd party accounts in your system is risky
Some definitions
Claims based identity
• Relying Party Application: depends on knowing user identity
• IP - Identity Provider: authenticates user credentials, resets/recovers password
• Identity Selector: the interface that is used to work with identity
• WIF – Windows Identity Foundation
• STS – Security Token Service
• HDR – Home Realm Discovery
• FP – Federation Provider
Access Control Services (ACS)…
• Used to authenticate and authorize users
• Integrates single sign-on and centralized authorization into your web applications
• Standards-based identity providers
  • Enterprise directories (e.g. Active Directory Federation Server v2.0)
  • Web identities (e.g. Windows Live ID, Google, Yahoo!, and Facebook)
Access Control Website Sequence
Participants: Browser, Identity Provider, Access Control, Application
1. Request Resource
2. Redirect to Identity Provider
3. Login
4. Authenticate & Issue Token
5. Redirect to AC service
6. Send Token to ACS
7. Validate Token, Run Rules Engine, Issue Token
8. Redirect to RP with ACS Token
9. Send ACS Token to Relying Party
10. Validate Token
11. Return resource representation
Access Control Features
• Integrates with Windows Identity Foundation (WIF) tooling
• Claims-based access control
• Support for OAuth WRAP, WS-Trust, and WS-Federation
• Support for the SAML 1.1, SAML 2.0, and Simple Web Token formats
• Integrated and customizable Home Realm Discovery
• OData-based Management Service for ACS configuration
Configuring ACS
• Provision your namespace in management portal
  • Create from: http://windows.azure.com
  • Manage: https://<namespace>.accesscontrol.windows.net
• Select trusted identity providers
• Describe relying application
  • Realm
  • Token format
  • Return URI
• Define claims processing rules
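Steps 7 and 10 of the website sequence and the "Define claims processing rules" step, as an added Python example that is not from the deck or from ACS itself: a toy rules engine maps identity-provider claims to output claims, the ACS side mints a token in Simple Web Token layout (form-encoded claims with a trailing HMACSHA256 over a shared symmetric key, as assumed from the SWT format), and the relying party checks signature, issuer, audience and expiry before trusting any claim. The namespace, key, rules and claims are constructed.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed values: a demo ACS namespace and the symmetric key it shares with the relying party.
ACS_ISSUER = "https://demo-namespace.accesscontrol.windows.net/"
ACS_KEY = b"constructed-demo-key-32-bytes!!!"

# Constructed rules: (issuer, input type, input value or None for any, output type, output value or None = pass through)
RULES = [
    ("Google", "emailaddress", None, "name", None),
    ("Google", "emailaddress", "alice@example.com", "role", "admin"),
    ("ADFS", "group", "Sales", "role", "sales"),
]

def run_rules(issuer, input_claims):
    """Step 7: apply the rules engine to the claims received from one identity provider."""
    output = []
    for r_issuer, in_type, in_value, out_type, out_value in RULES:
        for claim_type, claim_value in input_claims:
            if r_issuer == issuer and in_type == claim_type and in_value in (None, claim_value):
                output.append((out_type, claim_value if out_value is None else out_value))
    return output

def _sign(unsigned, key):
    return base64.b64encode(hmac.new(key, unsigned.encode(), hashlib.sha256).digest()).decode()

def issue_swt(claims, audience, key, now=None, ttl=600):
    """Step 7: mint the ACS token for the relying party named by `audience`."""
    now = int(time.time()) if now is None else now
    params = list(claims) + [("Issuer", ACS_ISSUER), ("Audience", audience), ("ExpiresOn", str(now + ttl))]
    unsigned = urlencode(params)          # '&' and '=' inside values are percent-encoded
    return unsigned + "&HMACSHA256=" + quote(_sign(unsigned, key))

def validate_swt(token, audience, key, now=None):
    """Step 10: the relying party verifies the token; returns the claims, or None if it must be rejected."""
    now = int(time.time()) if now is None else now
    body, sep, sig = token.rpartition("&HMACSHA256=")
    if not sep or not hmac.compare_digest(unquote(sig).encode(), _sign(body, key).encode()):
        return None                       # missing or forged signature: reject before reading claims
    claims = parse_qs(body, strict_parsing=True)
    if claims.get("Issuer") != [ACS_ISSUER] or claims.get("Audience") != [audience]:
        return None                       # token from another issuer, or minted for another relying party
    if int(claims.get("ExpiresOn", ["0"])[0]) <= now:
        return None                       # expired
    return {k: v for k, v in claims.items() if k not in ("Issuer", "Audience", "ExpiresOn")}
```

The audience check is what stops a token issued for one relying party from being replayed against another that trusts the same namespace.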
Adding Identity to Web App
• After ACS has been configured you can integrate it in your app by adding an STS Reference to the project
• Download WIF SDK from http://bit.ly/bqtWIFsdk
• FederationMetadata.xml defines the conversation
• Customize login experience by specifying the issuer to be your HTML page (download example from management portal)
Device integration
• ACS works with Mobile through the same mechanism
• Use sample control from http://acs.codeplex.com
  - or -
• Add NuGet package from Package Manager Console
  PM> Install-Package Phone.Identity.AccessControl.BasePage
• Download toolkits for control to work with Devices at
  • Windows Phone http://bit.ly/bqtWATWP
  • Android http://bit.ly/bqtWATAndroid
  • iOS http://bit.ly/bqtWATiOS
• Realm is URI as opposed to web URL
Integrate with other providers
• Profile, Role and other parts of provider model require a data store for information
• Download scripts from http://bit.ly/bqtAzRegSQL
• Create SQL Azure database and run scripts
• In Web.config define sections for usage
  • Profile
  • RoleManager
Summary
• Access Control Services simplify the way to enable applications to work with existing identity sources
• Configure who the identity providers are, the nature of your application, and the rules for processing claims
• Integrate with Web apps via STS reference
• Integrate with Phone via User Control
• Leverage the features of the Provider Model with ACS
Where can I get more info?
• Visit my site http://www.benkotips.com
  • Resources from today’s talk
  • Webcasts
  • Downloads
  • More!
• Check out the rest of this series! http://bit.ly/s2nCloud
• Ask questions on Windows Azure Office Hours http://aka.ms/WazOH-Live