Technofolies Brussels, Oct 29 & 30

Slide 1: Technofolies Brussels, Oct 29 & 30

Slide 2: Technofolies

• Azure single sign-on authentication.

The goal of this session is to build a very simple 3-tier business application and see what is needed to deploy it in Azure as a Cloud Service: how AD FS is configured to give a single sign-on authentication and authorization experience, which infrastructure is needed to integrate an application into the company ecosystem while it runs on servers the company's infrastructure team does not manage, and what the respective roles of the development team and IT operations are.

Slide 3: Welcome

• The world changes and IT constraints are bigger than ever!

Mobile. Cloud. Security. Complexity. Consumerization.

Slide 4: Demo

• Show the context.

Create a 3-tier application. Execute it on premise. Execute it from the Internet.

Install the application in an Azure Cloud Service. Execute it on premise. Execute it from the Internet.

Slide 5: Why Cloud Services

• Unmanaged servers.
• Scalability.
• Highly configurable. See Arc4u.CloudService.Configurator.
• Price.
• Remote desktop is possible.

Slide 6: Kerberos < Token

• A Kerberos ticket is a closed system: it is only valid inside the domain (or forest trust) that issued it.
• It does not fit well with Software as a Service, where the servers live outside that boundary.
• Kerberos delegation is often not authorized by IT.

As a result, developers inject weak, home-made security information (for example a plain user name in a header) between back-end application services.

• => A federation service is the solution. AD FS is the Microsoft implementation.

Slide 7: AD FS Definitions

• AD FS = Active Directory Federation Services: a service on top of AD.
• Replaces the Kerberos ticket with a token the application trusts.
• The token contains a collection of claims (key/value pairs).
• Trust is based on certificates: the STS signs the token with its token-signing certificate, and the application verifies the signature against that certificate.
• Delegates authorization from the application to an external authority.
• A Security Token Service (STS) is the application delivering the token. AD FS is an STS.
• A Relying Party (RP) is a back-end application that uses tokens from the STS.

Slide 8: AD FS Relying Parties

• Two kinds of RP: web front ends and back-end servers.

• Passive (web): the browser is redirected to the AD FS server, authenticates there and receives a token, which it posts back to the web server.

• Active (services): the client itself MUST contact the AD FS server (WS-Trust endpoint) to obtain the token and attach it to the service call.

Slide 9: AD FS Tool

• Relying Party definition, with a rule engine to build the claims.

• Endpoints (authentication methods): Kerberos, certificate, ...

• Extensibility: attribute stores (SQL or any other source).
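The three preceding slides describe the relying-party definition, the claim rule engine and the attribute-store extensibility, but show no configuration. The script below is an added example (it is not from the talk, nor from Arc4u) of registering a passive web relying party in AD FS 3.0 with the AD FS PowerShell module. Everything application-specific is assumed: the RP name and URLs under contoso.example, the encryption certificate path, the group SID in the authorization rule and the SQL attribute store name "HRDatabase"; the cmdlets, parameters and claim rule language are those of AD FS on Windows Server 2012 R2.

```powershell
# Added example (not from the presentation): register a passive (WS-Federation)
# relying party in AD FS 3.0 and configure the rule engine for it.
# All names, URLs, paths and the group SID are placeholders to replace.
Import-Module ADFS

$rpName  = "Contoso Business App (Web)"
$rpId    = "https://app.contoso.example/"   # realm/audience the application checks in the token
$rpReply = "https://app.contoso.example/"   # URL the browser posts the token back to

# Issuance transform rules: which claims go into the token.
# Rule 1 reads attributes from Active Directory for the authenticated Windows account.
# Rule 2 is the extensibility point: a SQL attribute store (assumed to be registered in
# AD FS under the name "HRDatabase") supplies a department claim.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "AD: UPN, e-mail and group names as role claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
          query = ";userPrincipalName,mail,tokenGroups;{0}", param = c.Value);

@RuleName = "SQL store: department (hypothetical HRDatabase attribute store)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(store = "HRDatabase",
          types = ("http://schemas.contoso.example/claims/department"),
          query = "SELECT Department FROM Employees WHERE Upn = {0}", param = c.Value);
'@

# Issuance authorization rules: who may obtain a token at all. Only members of the
# application's AD group are permitted; when no permit claim is issued AD FS denies
# the request, so no explicit deny-all rule is required.
$authzRules = @'
@RuleTemplate = "Authorization"
@RuleName = "Permit members of the application group (placeholder SID)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value == "S-1-5-21-1111111111-2222222222-3333333333-4444"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Token encryption with the application's public key: the token is always signed by
# the AD FS token-signing certificate; encryption adds confidentiality of the claims.
$encCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
               -ArgumentList "C:\certs\app-contoso-encryption.cer"

Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $rpId `
    -WSFedEndpoint $rpReply `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -EncryptionCertificate $encCert `
    -EncryptClaims $true `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" `
    -TokenLifetime 60 `
    -Notes "Passive web RP of the 3-tier demo. One RP trust per environment (dev/test/acc/prod)."

# Review what was registered.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, WSFedEndpoint, TokenLifetime, EncryptClaims, SignatureAlgorithm
```

The relying party must in turn be configured with the AD FS token-signing certificate (or its thumbprint) and with the identifier used above as the expected audience; a token signed by any other certificate, or issued for another identifier, has to be rejected by the application.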

Slide 10: AD FS Active Mode

Diagram (recovered elements: Domain Controller, ADFS 3.0, a trust relationship, a Kerberos service ticket, a SAML token; numbered steps 1 to 3). Consistent with slide 8: (1) the client obtains a Kerberos service ticket from the Domain Controller, (2) presents it to ADFS 3.0 and receives a SAML token, (3) calls the back-end service, which trusts AD FS and validates the token.

Slide 11: AD FS Passive Mode

Diagram (recovered elements: Domain Controller, ADFS 3.0, WWW, a Kerberos service ticket, a SAML token; numbered steps 1 to 5). Labels recovered: (1) request a page, (2) redirect. Consistent with slide 8, steps 3 to 5 are: the browser authenticates to AD FS with its Kerberos service ticket, receives a SAML token and gives it to the web server.

Slide 12: AD FS Full Picture

Diagram (same elements as slide 11: Domain Controller, ADFS 3.0, WWW, Kerberos service ticket, SAML token; steps 1 to 8). Labels recovered: (1) request a page, (2) redirect; steps 3 to 5 are the passive flow of slide 11; steps 6, 7 and 8 extend the flow from the web server to the back-end service (their labels are not recoverable from the page).

Slide 13: AD FS Internet Authentication

Diagram (same flow as slide 12, steps 1 to 8, with ADFS 3.0, WWW and the Domain Controller). Difference: for a user coming from the Internet, the Kerberos service ticket is replaced at AD FS by another authentication method: user name / password, multi-factor authentication, e-token, etc.

Slide 14: AD FS Cloud Service

Diagram (same flow as slide 13, steps 1 to 8: request a page, redirect, user name / password, multi-factor authentication, e-token, etc., SAML token, ADFS 3.0, WWW, Domain Controller). Additional elements: a Kerberos service ticket and "Certificate Delegation Authentication" for the hop from the Cloud Service to the back end.

Slide 15: Distributed Architecture

Diagram: on premise on one side, Azure Cloud Service on the other, each with a WWW front end, connected by a VPN. On premise the user authenticates with a Kerberos service ticket; from the Internet with user name / password, multi-factor authentication, e-token, etc. Single sign-on across both. All traffic over HTTPS.

Slide 16: AD FS Cross Companies

Diagram: WWW; the AD FS of the client company and the AD FS of the service company, with a trust between them; numbered steps 1 & 9, 2, 3, 4, 5, 6, 7, 8 (step labels not recoverable from the page).

Slide 17: AD FS Environment Splitting

Diagram: one Domain Controller; separate AD FS servers for Dev, Test, Acc and Prod.

Slide 18: AD FS Limitations

• Trust delegation is only possible in passive mode.

• Azure AD and AD FS are two different STSs, even with DirSync in place. It is impossible to start an authentication at the Azure AD STS and continue with a back-end service federated with AD FS.

• No transformation between a JWT token obtained via OAuth 2.0 and a SAML token!

• => Delegation for OAuth 2.0 is ongoing.
• => Active delegation between two different AD FS instances is impossible.

Slide 19: TechNet

Slide 20: TechNet on Twitter

Slide 21: Azure trial for free

Get your free Azure trial at Azure.com/trial

Slide 22: Contacts

Gilles [email protected]

Arnaud [email protected]

Vincent [email protected]

See you next year 2015

Slide 23: Note (speaker note)

• Show the rule engine delegation!
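The note above refers to the delegation part of the rule engine, which is also what the hops from the web server to the back-end service in the full-picture and Cloud Service diagrams rely on: the web front end, holding the user's token, asks AD FS for a token for the back-end service on behalf of that user (WS-Trust ActAs), and the back-end relying party's delegation authorization rules decide which identities may do so. The following is an added example, not code from the talk or from Arc4u, of configuring such a back-end (active mode) relying party with PowerShell. The RP name and identifier, the service account UPN of the web front end and the lifetimes are assumptions; so is the assumption, noted in the code, that the delegation rules are evaluated against the claims of the party presenting the ActAs request.

```powershell
# Added example (not from the presentation): register the back-end (active, WS-Trust)
# relying party and restrict who may request tokens for it on behalf of users.
# Names, identifiers and the service account UPN are placeholders.
Import-Module ADFS

$backendName = "Contoso Business App (Back-end service)"
$backendId   = "https://svc.contoso.example/orders"   # identifier the service checks as audience

# 1. Issuance transform rules: pass the end user's UPN and roles through, so the
#    back end authorizes on the *user*, not on the web tier's service account.
$passThrough = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through role"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"]
 => issue(claim = c);
'@

# 2. Issuance authorization: any authenticated user may receive a token for the
#    back end (fine-grained authorization is done on the role claims in the service).
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# 3. Delegation authorization rules: consulted when a caller uses ActAs.
#    Assumption: they are evaluated against the claims of the caller that presents
#    the ActAs request, here the web front end running as svc-webfront@corp.contoso.example.
#    Only that identity is permitted; any other delegate gets no permit claim and is refused.
$delegationRules = @'
@RuleName = "Only the web front end may act on behalf of users (placeholder UPN)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
   Value == "svc-webfront@corp.contoso.example"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name $backendName `
    -Identifier $backendId `
    -IssuanceTransformRules $passThrough `
    -IssuanceAuthorizationRules $permitAll `
    -DelegationAuthorizationRules $delegationRules `
    -TokenLifetime 10 `
    -Notes "Active-mode RP; tokens are requested by the web tier through WS-Trust ActAs."

# Verify the delegation rule set and that a WS-Trust 1.3 endpoint the web tier can
# call is enabled (and whether it is published through the proxy).
(Get-AdfsRelyingPartyTrust -Name $backendName).DelegationAuthorizationRules
Get-AdfsEndpoint | Where-Object { $_.Protocol -eq "WS-Trust 1.3" } |
    Select-Object AddressPath, Enabled, Proxy
```

A short token lifetime for the back-end RP limits how long a token obtained by the web tier stays usable if it leaks, and keeping the delegation rule to a single, named service identity is what prevents any other authenticated account from minting back-end tokens for arbitrary users.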