
Page 1: Cloud Identity & Access Control Services Cloud Computing Soup to Nuts

Cloud Identity & Access Control Services

Cloud Computing Soup to Nuts

Mike Benkovich, Microsoft Corporation, www.benkoTips.com - @mbenko

btlod-74

Page 2: Cloud Identity & Access Control Services Cloud Computing Soup to Nuts

Agenda

What is ACS

How is it configured

Using in web applications

Mobile scenarios

Part of provider model

Page 3: Cloud Identity & Access Control Services Cloud Computing Soup to Nuts

MICROSOFT CONFIDENTIAL – INTERNAL ONLY

Core Services

Caching CDN

Service Bus Reporting

Data Sync Azure Connect

Identity HPC

Additional Services

Windows Azure

Compute Storage Database

Page 4: Cloud Identity & Access Control Services Cloud Computing Soup to Nuts


Who are you?

Page 5: Cloud Identity & Access Control Services Cloud Computing Soup to Nuts


Really?

Page 6: Cloud Identity & Access Control Services Cloud Computing Soup to Nuts


Can you prove it?

Page 7: Cloud Identity & Access Control Services Cloud Computing Soup to Nuts


Identity in the cloud

Page 8: Cloud Identity & Access Control Services Cloud Computing Soup to Nuts


Three geeks walk into a bar…

Page 9: Cloud Identity & Access Control Services Cloud Computing Soup to Nuts


Airport security: Do you have a valid ID?

• Driver's license
• Visa
• Other…

Other rules
• Current flight
• Exceptions

Page 10: Cloud Identity & Access Control Services Cloud Computing Soup to Nuts


Identity in the Cloud is Hard

• Outside of identity domains
• Too many islands of identity
• Current technology hard or not interoperable
• Managing 3rd party accounts in your system is risky

Page 11: Cloud Identity & Access Control Services Cloud Computing Soup to Nuts


Some definitions: Claims based identity

• Relying Party Application: depends on knowing user identity
• IP - Identity Provider: authenticates user credentials, resets/recovers password
• Identity Selector: the interface that is used to work with identity
• WIF – Windows Identity Foundation
• STS – Security Token Service
• HDR – Home Realm Discovery
• FP – Federation Provider

Page 12: Cloud Identity & Access Control Services Cloud Computing Soup to Nuts


Access Control Services (ACS)…

• Used to authenticate and authorize users
• Integrates single sign on and centralized authorization into your web applications
• Standards-based identity providers
  • Enterprise directories (e.g. Active Directory Federation Server v2.0)
  • Web identities (e.g. Windows Live ID, Google, Yahoo!, and Facebook)

Page 13: Cloud Identity & Access Control Services Cloud Computing Soup to Nuts


Access Control Website Sequence

Participants: Browser, Identity Provider, Access Control, Application

1. Request Resource
2. Redirect to Identity Provider
3. Login
4. Authenticate & Issue Token
5. Redirect to AC service
6. Send Token to ACS
7. Validate Token, Run Rules Engine, Issue Token
8. Redirect to RP with ACS Token
9. Send ACS Token to Relying Party
10. Validate Token
11. Return resource representation
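Step 10 is where the relying party decides whether the claims can be trusted. The block below is an added example, not code from this deck or from WIF/ACS: it builds and then validates a token in the Simple Web Token format that ACS can issue (form-encoded claims followed by an HMAC-SHA256 over the unsigned part, keyed with the relying party's token signing key), and shows the four checks the relying party must apply before acting on any claim. The namespace, realm, key and claim values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, unquote

# Constructed placeholders: not a real namespace, realm or ACS signing key.
ACS_ISSUER = "https://example-namespace.accesscontrol.windows.net/"
RP_REALM = "http://localhost/MyApp/"  # Realm registered for the relying party in ACS
SIGNING_KEY = b"constructed-demo-key-not-a-real-acs-key"  # ACS shows the real key base64-encoded
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

def issue_swt(claims, key, issuer, audience, lifetime_s=600, now=None):
    """Step 7 as ACS performs it: form-encode the output claims plus Issuer,
    Audience and ExpiresOn, then append HMACSHA256 computed over that string."""
    now = int(time.time()) if now is None else now
    pairs = list(claims.items()) + [("Issuer", issuer), ("Audience", audience),
                                    ("ExpiresOn", str(now + lifetime_s))]
    unsigned = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in pairs)
    sig = hmac.new(key, unsigned.encode("ascii"), hashlib.sha256).digest()
    return unsigned + "&HMACSHA256=" + quote(base64.b64encode(sig).decode(), safe="")

def validate_swt(token, key, issuer, audience, now=None):
    """Step 10 at the relying party: signature first, then issuer, audience and
    expiry. Only a token that passes all four yields claims the app may act on."""
    now = int(time.time()) if now is None else now
    unsigned, sep, sig_b64 = token.rpartition("&HMACSHA256=")
    if not sep or "&" in sig_b64:          # the signature must be the final pair
        raise ValueError("malformed token")
    expected = hmac.new(key, unsigned.encode("ascii"), hashlib.sha256).digest()
    presented = base64.b64decode(unquote(sig_b64))  # garbled base64 raises ValueError too
    if not hmac.compare_digest(expected, presented):
        raise ValueError("bad signature")   # claims altered, or not signed with our key
    claims = dict(parse_qsl(unsigned, keep_blank_values=True))
    if claims.get("Issuer") != issuer:
        raise ValueError("wrong issuer")    # minted by some other namespace
    if claims.get("Audience") != audience:
        raise ValueError("wrong audience")  # minted for a different relying party
    if int(claims.get("ExpiresOn", "0")) <= now:
        raise ValueError("expired")
    return claims

def swt_rejection(token, key, issuer, audience, now=None):
    """Rejection reason as a string, or None when the token is accepted."""
    try:
        validate_swt(token, key, issuer, audience, now)
    except ValueError as err:
        return str(err)
    return None
```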

Page 14: Cloud Identity & Access Control Services Cloud Computing Soup to Nuts


Access Control Features

• Integrates with Windows Identity Foundation (WIF) tooling
• Claims-based access control
• Support for OAuth WRAP, WS-Trust, and WS-Federation
• Support for the SAML 1.1, SAML 2.0, and Simple Web Token formats
• Integrated and customizable Home Realm Discovery
• OData-based Management Service to ACS configuration

Page 15: Cloud Identity & Access Control Services Cloud Computing Soup to Nuts


Configuring ACS

• Provision your namespace in management portal
  • Create from: http://windows.azure.com
  • Manage: https://<namespace>.accesscontrol.windows.net
• Select trusted identity providers
• Describe relying application
  • Realm
  • Token format
  • Return URI
• Define claims processing rules

Page 16: Cloud Identity & Access Control Services Cloud Computing Soup to Nuts

demo

Configuration

Page 17: Cloud Identity & Access Control Services Cloud Computing Soup to Nuts


Adding Identity to Web App

• After ACS has been configured you can integrate it in your app by adding an STS Reference to the project
• Download WIF SDK from http://bit.ly/bqtWIFsdk
• FederationMetadata.xml defines the conversation
• Customize the login experience by specifying the issuer to be your HTML page (download example from management portal)

Page 18: Cloud Identity & Access Control Services Cloud Computing Soup to Nuts

ACS + Web

demo

Page 19: Cloud Identity & Access Control Services Cloud Computing Soup to Nuts


Device integration

• ACS works with Mobile through the same mechanism
• Use sample control from http://acs.codeplex.com
  - or -
• Add NuGet package from Package Manager Console

PM> Install-Package Phone.Identity.AccessControl.BasePage

• Download toolkits for the control to work with Devices at
  • Windows Phone http://bit.ly/bqtWATWP
  • Android http://bit.ly/bqtWATAndroid
  • iOS http://bit.ly/bqtWATiOS
• Realm is a URI as opposed to a web URL

Page 20: Cloud Identity & Access Control Services Cloud Computing Soup to Nuts

ACS + Mobile

demo

Page 21: Cloud Identity & Access Control Services Cloud Computing Soup to Nuts


Integrate with other providers

• Profile, Role and other parts of the provider model require a data store for information
• Download scripts from http://bit.ly/bqtAzRegSQL
• Create SQL Azure database and run scripts
• In Web.config define sections for usage
  • Profile
  • RoleManager

Page 22: Cloud Identity & Access Control Services Cloud Computing Soup to Nuts

Providers

demo

Page 23: Cloud Identity & Access Control Services Cloud Computing Soup to Nuts


Summary

• Access Control Services simplify the way to enable applications to work with existing identity sources
• Configure who the identity providers are, the nature of your application, and the rules for processing claims
• Integrate with Web apps via STS reference
• Integrate with Phone via User Control
• Leverage the features of the Provider Model with ACS

Page 24: Cloud Identity & Access Control Services Cloud Computing Soup to Nuts


Where can I get more info?

• Visit my site http://www.benkotips.com
  • Resources from today's talk
  • Webcasts
  • Downloads
  • More!
• Check out the rest of this series! http://bit.ly/s2nCloud
• Ask questions on Windows Azure Office Hours http://aka.ms/WazOH-Live