Using Windows Azure for Solving Identity Management Challenges, Seattle Cloud Intelligence Conference, Tuesday, April 17th

Page 1: Windows azure for identity management challenges

Using Windows Azure for Solving

Identity Management Challenges

Seattle Cloud Intelligence Conference

Tuesday, April 17th

Page 2: Windows azure for identity management challenges

About Me

Michael S. Collier

National Architect,

Windows Azure

[email protected]

@MichaelCollier

www.MichaelSCollier.com

Page 3: Windows azure for identity management challenges

Windows Azure Core Components

QUEUE SERVICE

BLOB SERVICE

TABLE SERVICE

DATABASE SERVICE

DATA SYNC SERVICE

IMPORT EXPORT SERVICE

REPORTING SERVICE

WORKER ROLE

WEB ROLE

VM

VM ROLE

DataMarket Service

Windows Azure Connect

Service Bus

Access Control Service

Cache Service

Windows Azure Traffic Manager

Windows Azure graphics courtesy of David Pallmann (http://azuredesignpatterns.com)

Page 4: Windows azure for identity management challenges

Traditional Identity Management

• Windows Integrated Authentication (Active Directory)

• Membership Provider

• Proven Approach

• Leverage Windows Identity Foundation (WIF)

Page 5: Windows azure for identity management challenges

Cloud Enabled Applications

Diagram: The User, via a Web Browser, presents Credentials to a Web Application backed by a Membership Provider and AD. Identity Providers shown: Windows Live ID, Google, Facebook, Yahoo!, OpenID.

Page 6: Windows azure for identity management challenges

We Have a Problem

• No Active Directory

• Environment not under our physical control

• Disconnected from the enterprise (potentially)

Page 7: Windows azure for identity management challenges

Options

• Social Networks

  – They change . . . Often

  – The right one?

  – Another?

  – More work!

• Membership Provider

  – SQL Azure

  – Table Storage

  – Pros

    • Mostly known entity

    • Migrate existing data

  – Cons

    • User management

    • Security leak

    • New

Windows Live ID

Page 8: Windows azure for identity management challenges

Windows Azure Connect

• Secure network connectivity between on-premises and cloud.

• Hybrid apps access to on-premises servers

  – App access to SQL Server

  – Role domain-joined to AD

• Setup & management

Diagram: Enterprise (Databases, Dev machines) connected through a Relay to Windows Azure roles (Role A, Role B, Role C with multiple VMs). Image courtesy Windows Azure Platform Training Kit.

Page 9: Windows azure for identity management challenges

Windows Azure Access Control Service

• No need to build your own identity management solution.

• Authenticate (WIF – OAuth and WS-Federation)

• Claims-based authorization

• Multiple Identity Providers (ADFSv2, Google, Live ID, etc.)

• Ability to bring your own via membership

• The one to rule them all!

• Easy for your users

Page 10: Windows azure for identity management challenges

Key ACS Concepts

• Relying Party (RP): Web application that outsources authentication. The RP trusts that authority. The RP is your app.

• Identity Provider (IP): Authenticates users and issues tokens

• Token: Digitally signed security data issued after user authenticated. Used to gain access to the RP (your app).

• Claim: Attributes about the authenticated user (age, birthdate, email address, name, etc.)

• Federation Provider: Intermediary between the RP and IP. ACS is a Federation Provider.

• STS: Simple Token Service – issues tokens containing claims. ACS is an STS

Page 11: Windows azure for identity management challenges

Authentication Workflow

Participants: Browser, Identity Provider, Access Control (ACS), Application (Relying Party)

1. Request Resource

2. Redirect to Identity Provider

3. Login

4. Authenticate & Issue Token

5. Redirect to AC service

6. Send Token to ACS

7. Validate Token, Run Rules Engine, Issue Token

8. Redirect to RP with ACS Token

9. Send ACS Token to Relying Party

10. Validate Token

11. Return resource representation

Courtesy Windows Azure Boot Camp
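Step 10 is where the relying party decides whether to trust the token at all. WIF does that by asking an IssuerNameRegistry whether it recognizes the certificate that signed the token; the example below is added here (it is not from the deck or the Windows Azure Boot Camp material) and pins the signing certificate of one ACS namespace by thumbprint. The thumbprint and namespace name are placeholders, and the class name AcsIssuerNameRegistry is an assumption.

```csharp
// Added example, not part of the original deck: the relying party's side of
// step 10 ("Validate Token"). WIF hands the token's signing certificate to an
// IssuerNameRegistry; returning a name accepts the issuer, throwing rejects it.
using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

public class AcsIssuerNameRegistry : IssuerNameRegistry
{
    // Placeholder values: use the signing certificate thumbprint shown under
    // "Certificates and Keys" for your own ACS namespace in the ACS portal.
    private const string AcsSigningThumbprint = "0000000000000000000000000000000000000000";
    private const string AcsIssuerName = "https://YOUR-NAMESPACE.accesscontrol.windows.net/";

    public override string GetIssuerName(SecurityToken securityToken)
    {
        var x509Token = securityToken as X509SecurityToken;
        if (x509Token == null)
        {
            // Tokens ACS issues to a WS-Federation relying party are signed with
            // an X.509 certificate; anything else is not something this RP trusts.
            throw new SecurityTokenException("Token was not signed with an X.509 certificate.");
        }

        // Thumbprint is the SHA-1 of the DER-encoded certificate, as hex.
        string thumbprint = x509Token.Certificate.Thumbprint;
        if (string.Equals(thumbprint, AcsSigningThumbprint, StringComparison.OrdinalIgnoreCase))
        {
            // This string becomes the Issuer of every claim in the token.
            return AcsIssuerName;
        }

        // Any other signer, including a different ACS namespace, is refused,
        // so a token minted elsewhere never becomes a logged-in principal.
        throw new SecurityTokenValidationException(
            "Token signed by an untrusted certificate: " + thumbprint);
    }
}
```

The class is wired in through web.config with an issuerNameRegistry element under microsoft.identityModel/service (type="YourApp.AcsIssuerNameRegistry, YourApp"). The other half of step 10, checking that the token was issued for this application, comes from the audienceUris list in the same section; WIF rejects a token whose audience is not listed there, which is why that value has to be correct for the staging URL as well as production.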

Page 12: Windows azure for identity management challenges

DEMO

Getting Started with ACS

Page 13: Windows azure for identity management challenges

Claims Enrichment

• Identity Providers only provide a few claims

– Windows Live provides just one (Named Identifier)

– Google and Yahoo! provide three (email, name, named identifier)

– Facebook

– ADFSv2

• Add more claims that are known to your application
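One place to add application-known claims is a WIF ClaimsAuthenticationManager, which runs once per incoming token after signature, issuer and audience validation have already passed. The example below is added here (it is not from the deck) and shows the pattern; the role lookup table, the issuer name urn:myapp and the class name are constructed for the example.

```csharp
// Added example, not part of the original deck: enriching the principal that
// ACS produced with claims only the application knows (here, a role).
using System;
using System.Collections.Generic;
using Microsoft.IdentityModel.Claims;

public class EnrichingClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // ACS adds this claim to every token it issues; it names the identity
    // provider the user actually signed in with.
    private const string IdentityProviderClaimType =
        "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

    // Claims the application adds carry its own issuer, so they can never be
    // mistaken for claims that arrived from ACS or an identity provider.
    private const string AppIssuer = "urn:myapp";   // placeholder issuer name

    // Constructed sample store keyed "identityprovider|nameidentifier"; a real
    // application would query its own database here.
    private static readonly Dictionary<string, string> RolesByUser =
        new Dictionary<string, string>
        {
            { "uri:WindowsLiveID|example-live-id-puid", "Subscriber" },
            { "Google|https://www.google.com/accounts/o8/id?id=example", "Admin" }
        };

    public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
        {
            return incomingPrincipal;   // anonymous request, nothing to enrich
        }

        var identity = (IClaimsIdentity)incomingPrincipal.Identity;
        string nameId = null;
        string provider = null;
        foreach (Claim c in identity.Claims)
        {
            if (c.ClaimType == ClaimTypes.NameIdentifier) nameId = c.Value;
            else if (c.ClaimType == IdentityProviderClaimType) provider = c.Value;
        }

        // Windows Live ID supplies only a name identifier, and the same opaque
        // id from two providers is two different users, so key on both.
        if (nameId == null || provider == null)
        {
            return incomingPrincipal;
        }

        string role;
        if (RolesByUser.TryGetValue(provider + "|" + nameId, out role))
        {
            identity.Claims.Add(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, AppIssuer));
        }
        return incomingPrincipal;
    }
}
```

Register it in web.config with a claimsAuthenticationManager element under microsoft.identityModel/service. Because the added claims are issued as urn:myapp rather than as the ACS namespace, authorization code can tell an application-granted role apart from a claim that a federated provider chose to send, which matters once ACS pass-through rules forward provider claims unchanged.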

Page 14: Windows azure for identity management challenges

DEMO

Claims Enrichment

Page 15: Windows azure for identity management challenges

The Impact for Mobile Applications

• Social Networks – Important

– Users likely already have at least one

– Quick and easy signup

– Potential for rapid user base expansion

• NuGet package available for easy add to WP application

Page 16: Windows azure for identity management challenges

DEMO

Enable ACS on Your Windows Phone Application

Page 17: Windows azure for identity management challenges

Tips & Tricks

• Staging vs. Production

– WIF configuration in web.config

– Staging URL unknown until deployment

– Change WIF configuration in web.config during role startup

Page 18: Windows azure for identity management challenges

Tips & Tricks

• Staging vs. Production

– WIF configuration in web.config

– Staging URL unknown until deployment

– Change WIF configuration in web.config during role startup

using System;
using System.Diagnostics;
using System.Xml.Linq;
using Microsoft.Web.Administration;
using Microsoft.WindowsAzure.ServiceRuntime;

private static void UpdateWIFConfiguration()
{
    try
    {
        // ServerManager reads the IIS configuration, so the role must run with
        // an elevated execution context (Runtime executionContext="elevated").
        using (var server = new ServerManager())
        {
            // This value is defined as part of the ServiceConfiguration/ServiceDefinition file.
            const string siteNameFromServiceModel = "Web";
            string siteName = string.Format("{0}_{1}", RoleEnvironment.CurrentRoleInstance.Id, siteNameFromServiceModel);
            string configFilePath = server.Sites[siteName].Applications[0].VirtualDirectories[0].PhysicalPath + "\\web.config";

            XElement element = XElement.Load(configFilePath);
            string setting;
            if (!String.IsNullOrEmpty(setting = RoleEnvironment.GetConfigurationSettingValue("ACS.AudienceUri")))
            {
                element.Element("microsoft.identityModel").Element("service").Element("audienceUris").Element("add").Attribute("value").Value = setting;
            }
            // . . . Do for each WIF configuration parameter (issuer, realm, thumbprint, etc.)
            element.Save(configFilePath);
        }
    }
    catch (Exception ex)
    {
        // Need a safe place to log this. Windows Event Log? Trace output is
        // collected by Windows Azure Diagnostics when it is configured.
        Trace.TraceError("UpdateWIFConfiguration failed: {0}", ex);
    }
}

See Vittorio Bertocci’s blog post at http://blogs.msdn.com/b/vbertocci/archive/2011/05/31/edit-and-apply-new-wif-s-config-settings-in-your-windows-azure-webrole-without-redeploying.aspx

Page 19: Windows azure for identity management challenges

Tips & Tricks

• Cookie Encryption

– DPAPI used to protect cookies sent to the client.

– DPAPI not supported in Windows Azure

– Use RsaEncryptionCookieTransform to encrypt with same cert used for SSL.

Page 20: Windows azure for identity management challenges

Tips & Tricks

Page 21: Windows azure for identity management challenges

Tips & Tricks

• Development Certificate

• Customize the login experience

• User registration

• Require authentication for only part of the site

Page 22: Windows azure for identity management challenges

Gotchas

• Single sign-out not currently supported

• Co-admin cannot administer an ACS namespace

• WIF not installed on Windows Azure roles

– Microsoft.IdentityModel CopyLocal = true

– Install WIF via a startup task

Page 23: Windows azure for identity management challenges

Summary

• Identity in the cloud is hard

  – Many external islands of identity

  – Current technology hard or not interoperable

• ACS provides standards-based approach

  – Integrates with Windows Identity Foundation

  – Claims-based authorization

  – Support for ADFSv2, Google, Live ID, Yahoo!, & Facebook

• Enrich functionality using WIF

• OData API and portal for management

Page 24: Windows azure for identity management challenges

Resources

• Windows Azure ACS Guide – http://www.windowsazure.com/en-us/develop/net/how-to-guides/access-control/#config-trust

• Programming Windows Identity Foundation, Vittorio Bertocci

• “Claims-Based Authorization with WIF”, Michele Bustamante – http://msdn.microsoft.com/en-us/magazine/ee335707.aspx

• ACS Cheat Sheet - http://bit.ly/ACSCheatSheet

• ACS How To’s - http://bit.ly/ACSHowTo

• ACS Tips - http://bit.ly/HYhxjY

• Publishing a ACS v2 Federated Identity Web Role - http://bit.ly/HPT6rk

Page 25: Windows azure for identity management challenges

Get the Bits!

http://bit.ly/AzureSDKMC

http://bit.ly/AzureTrialMC

Page 26: Windows azure for identity management challenges

Thank You

• Your feedback is important!

• Please fill out and return the survey – you’ll get a copy of today’s decks.

[email protected]

@MichaelCollier

www.MichaelSCollier.com

Page 27: Windows azure for identity management challenges