Technofolies Brussels, Oct 29 & 30. Technofolies.
Transcript of Technofolies Brussels, Oct 29 & 30. Technofolies.
Page 1: Technofolies, Brussels, Oct 29 & 30
Page 2: Technofolies
• Azure single sign-on authentication.
The goal of this session is to build a very simple 3-tier business application and see what we need to do to deploy it in Azure as a cloud service; see how we configure AD FS to get a single sign-on authentication and authorization experience; see the infrastructure needed to build an application that is integrated in the company ecosystem but runs on servers unmanaged by the infrastructure team; and see what the role of the development team and of IT Ops is.
Page 3: Welcome
• The world changes and IT constraints are bigger than ever!
• Mobile. Cloud. Security. Complexity. Consumerization.
Page 4: Demo
• Show the context.
• Create a 3-tier application. Execute it on premise. Execute it from the internet.
• Install the app on an Azure cloud service. Execute it on premise. Execute it from the internet.
Page 5: Why Cloud Services
• Unmanaged servers.
• Scalability.
• Highly configurable. See Arc4u.CloudService.Configurator.
• Price.
• Remote desktop is possible.
Page 6: Kerberos token
• The Kerberos token is a closed system.
• It doesn't fit well for Software as a Service.
• Delegation is often unauthorized: developers inject weak security information between backend application services.
• => A federation service is the solution. AD FS is the Microsoft implementation.
Page 7: AD FS Definitions
• AD FS = Active Directory Federation Service! A service on top of AD.
• Replaces the Kerberos token by a trusted token.
• The token contains a collection of claims (key – value).
• Trust is based on certificates.
• Delegates the authorization from the application to an external authority.
• The Security Token Service (STS) is the application delivering the token. AD FS is an STS.
• A Relying Party (RP) is a backend application using tokens from the STS.
Page 8: AD FS Relying Parties
• 2 kinds of RP: web servers and backend servers.
• Passive (web): the user is redirected to the AD FS server and receives a token, which he/she can give to the web server.
• Active (services): the client MUST contact the AD FS server itself and provide the token!
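To make the definitions on the two slides above concrete, here is an added toy model of the claims-based flow; it is not code from the talk, from AD FS or from Arc4u. An STS issues a token made of key-value claims, and a relying party accepts it only if it comes from the STS it trusts, is addressed to that RP and has not expired. The two flows, active (the client calls the STS itself) and passive (the web RP redirects the browser to the STS), are modelled as functions. Assumptions: a shared HMAC key stands in for the certificate-based trust AD FS really uses, the `?rp=` redirect parameter is invented, and all names (`adfs.corp.example`, `orders-api`, `portal`) are constructed.

```python
"""Toy claims-based flow for the "AD FS Definitions" and "Relying Parties"
slides: an STS issues a token of key-value claims, and a relying party (RP)
accepts it only if it comes from the STS it trusts. Added example, not code
from the talk, from AD FS or from Arc4u. Assumption: a shared HMAC key stands
in for the certificate-based trust AD FS uses; all names are invented."""
import base64
import hashlib
import hmac
import json
import time


class SecurityTokenService:
    """The STS role (AD FS in the talk): authenticates a user and issues a signed token."""

    def __init__(self, name, signing_key):
        self.name = name
        self.signing_key = signing_key

    def issue(self, user, relying_party, claims, lifetime=300):
        # Token body: issuer, intended RP (audience), subject, expiry and the claims.
        body = {"iss": self.name, "aud": relying_party, "sub": user,
                "exp": int(time.time()) + lifetime, "claims": claims}
        payload = base64.urlsafe_b64encode(
            json.dumps(body, sort_keys=True).encode()).decode()
        # HMAC stands in for the certificate signature (assumption, see above).
        sig = hmac.new(self.signing_key, payload.encode(), hashlib.sha256).hexdigest()
        return payload + "." + sig


class RelyingParty:
    """A backend or web application that trusts exactly one STS."""

    def __init__(self, name, trusted_sts, trusted_key):
        self.name = name
        self.trusted_sts = trusted_sts
        self.trusted_key = trusted_key

    def validate(self, token, now=None):
        """Return the claims if the token is genuine, for this RP and not expired; else raise."""
        payload, _, sig = token.rpartition(".")
        expected = hmac.new(self.trusted_key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise ValueError("signature check failed: not issued by a trusted STS")
        body = json.loads(base64.urlsafe_b64decode(payload))
        if body["iss"] != self.trusted_sts:
            raise ValueError("untrusted issuer")
        if body["aud"] != self.name:
            raise ValueError("token was issued for another relying party")
        if body["exp"] < (now if now is not None else time.time()):
            raise ValueError("token expired")
        return body["claims"]


def active_flow(user, sts, service_rp, claims):
    """Active RP (service): the client contacts the STS itself, then presents the token."""
    token = sts.issue(user, service_rp.name, claims)
    return service_rp.validate(token)


def passive_flow(user, sts, web_rp, claims):
    """Passive RP (web): the RP redirects the browser to the STS; the browser returns with a token."""
    # 1. The browser asks for a page without a token; the web RP answers with a redirect
    #    (the ?rp= parameter is an invented stand-in for the real federation parameters).
    redirect = {"status": 302, "location": "https://%s/?rp=%s" % (sts.name, web_rp.name)}
    # 2. The browser follows the redirect and authenticates at the STS (on premise: Kerberos).
    token = sts.issue(user, web_rp.name, claims)
    # 3. The browser posts the token back to the web RP, which validates it.
    return redirect["status"], web_rp.validate(token)


if __name__ == "__main__":
    # Constructed sample: one trusted STS and one relying party sharing its key.
    adfs = SecurityTokenService("adfs.corp.example", b"demo-key-1")
    api = RelyingParty("orders-api", "adfs.corp.example", b"demo-key-1")
    print(active_flow("alice", adfs, api, {"role": "reader"}))
```

The point to take from the model is that the RP never talks to the domain controller: it only checks the signature against the issuer it trusts, the audience and the expiry, which is exactly why a token from an STS it does not trust, or one issued for another RP, is rejected even though its claims look plausible.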
Page 9: AD FS Tool
• Relying party definition. Rule engine to build claims.
• Endpoints: Kerberos, certificate.
• Extensibility: SQL, any others.
Page 10: AD FS Active Mode (diagram: Domain Controller, ADFS 3.0, trust; Kerberos service ticket, SAML token; steps 1 to 3)
Page 11: AD FS Passive Mode (diagram: Domain Controller, ADFS 3.0, WWW; 1: request a page, 2: redirect, Kerberos service ticket, 3, SAML token, 4, 5)
Page 12: AD FS Full Picture (diagram: the passive mode picture with steps 6, 7 and 8 added)
Page 13: AD FS Internet Authentication (diagram: the full picture with username/password, multi-factor auth., e-token, etc. in place of the Kerberos service ticket)
Page 14: AD FS Cloud Service (diagram: the internet authentication picture plus Kerberos service ticket and certificate delegation authentication)
Page 15: Distributed Architecture (diagram: on premise and Azure Cloud Service, each with WWW, linked by VPN; Kerberos service ticket; username/password, multi-factor auth., e-token, etc.; single sign-on; HTTPS)
Page 16: AD FS Cross Companies (diagram: WWW; trusted AD FS; client company AD FS; service company; steps 1 & 9, 2, 3, 4, 5, 6, 7, 8)
Page 17: AD FS Environment Splitting (diagram: Domain Controller; Dev, Test, Acc, Prod; AD FS servers)
Page 18: AD FS Limitations
• Trust delegation is only possible in passive mode.
• Azure AD and AD FS are two different STSs even if you do a DirSync. It is impossible to start an authentication from the Azure AD STS and continue with a backend service in AD FS.
• No transformation between a JWT token via OAuth 2.0 and a SAML token!
• => Delegation for OAuth 2.0 is ongoing.
• => Active delegation between 2 different AD FS is impossible.
Page 19: TechNet
Page 20: TechNet on Twitter
Page 21: Azure trial for free
Get your free Azure trial at Azure.com/trial
Page 22: Contacts
Gilles [email protected]
Arnaud [email protected]
Vincent [email protected]
See you next year, in 2015.
Page 23: Note
• Show the rule engine delegation!