Extending identity to the cloud
Presentation Transcript



Extending Identity to the Cloud

Paul Loonen

Architect, Avanade Belgium



About me …

  • Paul Loonen

    • Architect at Avanade

    • Co-founder of the winsec.be community

    • Microsoft Certified Master – Win2k8 Directory

    • Forefront Identity Management MVP

    • More than 20 years in IT, of which more than 10 years in IAM

  • [email protected]



Agenda

  • Identity Challenges in the Cloud

  • What is Windows Azure?

  • Identity and the Cloud

  • Active Directory Federation Services

  • Azure Appfabric Access Control Service

  • Forefront Identity Manager 2010

  • Cloud IAM Roadmap



Dealing with Identity today

  • We are very good at building secure castles

    • On-premise directories, systems and applications

    • Complex and secure infrastructure

    • User identities locked and controlled within the “walls”

  • Users have learned to live with the unavoidable:

    • Multiple credentials

    • Additional authentication and access control measures

      • Tokens, cards, certificates …



What does our Infrastructure look like today?

  • Our systems right now

    • Secured, locked and sealed in on-premise infrastructure

    • Multiple identity sources

    • Multiple access information sources and control systems

  • We know who builds, deploys and manages them



Identity challenges in the Cloud

  • End User Password Fatigue

  • Failure-Prone Manual Provisioning and De-Provisioning Process

  • Compliance Visibility: Who Has Access to What?

  • Siloed User Directories for Each Application

  • Managing Access across an Explosion of Browsers and Devices

  • Keeping Application Integrations Up to Date

  • Different Administration Models for Different Applications

  • Sub-Optimal Utilization, and Lack of Insight into Best Practices

Source: Okta


The Problem - Trust boundaries have moved

  • With identities on premise only:

    • John from sales is terminated.

    • He has multiple identities in the enterprise

    • Some identities are not de-provisioned correctly

    • Moderate Risk

  • With some identities off premise:

    • John from sales is terminated.

    • He has multiple identities in the enterprise and some of them are off premise.

    • Some identities are not de-provisioned correctly

    • High Risk



So what is Windows Azure?



Cloud computing

  • Characteristics

    • On-demand self-service

    • Broad network access

    • Resource pooling

    • Rapid elasticity

    • Measured service

  • Service models

    • Software as a service

    • Platform as a service

    • Infrastructure as a service

  • Deployment models

    • Private cloud

    • Community cloud

    • Public cloud

    • Hybrid cloud

“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”

Source: The NIST Definition of Cloud Computing, Version 15, 2009.10.07, Peter Mell and Tim Grance

http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc


[Diagram: Your Own Data Center versus Someone Else’s Data Center, across what you Use (services, information, etc.), Build (applications, data, etc.) and Host (software, database, etc.).]


[Diagram: Service Delivery Models (Software, Platform and Infrastructure, each as-a-service) against Cloud Deployment Models (Private Cloud: Community, Dedicated; Public Cloud; Hybrid Cloud).]


Service delivery models

Layer           On-Premise    Infrastructure (as a Service)   Platform (as a Service)   Software (as a Service)
Applications    You manage    You manage                      You manage                Managed by vendor
Data            You manage    You manage                      You manage                Managed by vendor
Runtime         You manage    You manage                      Managed by vendor         Managed by vendor
Middleware      You manage    You manage                      Managed by vendor         Managed by vendor
O/S             You manage    You manage                      Managed by vendor         Managed by vendor
Virtualization  You manage    Managed by vendor               Managed by vendor         Managed by vendor
Servers         You manage    Managed by vendor               Managed by vendor         Managed by vendor
Storage         You manage    Managed by vendor               Managed by vendor         Managed by vendor
Networking      You manage    Managed by vendor               Managed by vendor         Managed by vendor



What is Windows Azure?

  • A cloud computing platform (as-a-service)

    • on-demand application platform capabilities

    • geo-distributed Microsoft data centers

    • automated, model-driven services provisioning and management

  • You manage code, data, content, policies, service models, etc.

    • not servers (unless you want to)

  • Microsoft manages the platform

    • application containers and services, distributed storage systems

    • service lifecycle, data replication and synchronization

    • server operating system, patching, monitoring, management

    • physical infrastructure, virtualization networking

    • security

    • “fabric controller” (automated, distributed service management system)



How this may be interesting to you

  • Not managing and interacting with server OS

    • less work for you

    • don’t have to care it is “Windows Server” (you can if you want to)

    • but have to live with some limits and constraints

  • Some level of control

    • process isolation (runs inside your own VM/guest OS)

    • service and data geo-location

    • allocated capacity, scale on-demand

    • full spectrum of application architectures and programming models

  • You can run anything that runs on Windows



Anatomy of a Windows Azure instance

Storage – distributed storage systems that are highly consistent, reliable, and scalable.

Compute – instance types: Web Role & Worker Role. Windows Azure applications are built with web role instances, worker role instances, or a combination of both.

[Diagram: guest VMs, reached over HTTP/HTTPS, run on a host VM with a maintenance OS and a hardware-optimized hypervisor.]

Each instance runs on its own VM (virtual machine) with local transient storage; replicated as needed.

The Fabric Controller communicates with every server within the Fabric. It manages Windows Azure, monitors every application, decides where new applications should run – optimizing hardware utilization.


Where does Identity fit?

[Diagram: a user reaches the application through a web browser, mobile browser, Silverlight application or WPF application. In the public cloud, ASP.NET web roles, web service web roles and job worker roles sit in front of the Table Storage, Blob Storage, Queue, Workflow and Identity services, the Service Bus and the Access Control Service; application data and reference data live in the Data Service. The private cloud holds the Enterprise Application, Enterprise Web Svc, Enterprise Data storage service and Enterprise Identity, alongside user data.]



Identity and the Cloud


Scenarios



Introducing Claims-based Identity

  • Abstraction layer over identity and access control mechanisms

  • Unified access control model based on claims

  • Simplified and standardized way to access identity and access control information

  • New infrastructure to enable these scenarios


How It Works - Basics

[Diagram: Susana, the user, faces the Service (RP) hosted by the service provider in the cloud. Messages shown: “Let me in” (user to service), “Prove your identity!” (service to user), “Who am I?” (user to ADFSv2, the STS of the on-premise identity provider, backed by Active Directory), which answers with the claims “Susana, PM”; the cloud-side RP-STS turns those into “Susana, PM, FABRIKAM”; the user presents them with “It’s me”, and the service resolves “Who’s that?” / “Who?” against the RP-STS.]



Microsoft’s Identity Solutions


Meet The Actors – Microsoft’s Identity Components

[Diagram: in the public cloud, AppFabric Access Control Services (OAuth; WS-Trust, SAML). In the private cloud / on-premise, AD Federation Services (SAML), claims based applications, AD Certificate Services and AD Rights Management Services. Users and partners connect to both.]



Active Directory Federation Services (ADFS) v2


AD FS 2.0 Components

  • AD FS 2.0 Configuration Database:

    • Windows Internal Database, or

    • SQL Server

  • AD FS 2.0 Proxy:

    • Perimeter Network Client Proxy for Token Requests

    • Supports Transport Layer Mutual Auth SSL

    • Exposes Separate WSDL

  • AD FS 2.0 Attribute Stores:

    • Active Directory (AD DS)

    • Active Directory Lightweight Directory Services (AD LDS)

    • SQL Database

  • AD FS 2.0 Clients:

    • Web Browsers

    • WS-* Aware Clients (WCF, CardSpace 2.0 RC, etc.)

  • AD FS 2.0:

    • Security Token Service for SOAP & Browser Clients

    • Policy and Service Management

[Diagram: internet clients reach the AD FS 2.0 Proxy (metadata proxy, token issuance proxy); intranet clients reach AD FS 2.0 directly (metadata, token issuance, management APIs and UX); AD FS 2.0 is backed by the attribute stores and the configuration database.]


Typical Cross-Org Deployment

[Diagram: two AD FS 2.0 servers, the enterprise’s own and the one for the online services in the cloud, with a trust in each direction; a smart client or browser talks to a WIF-based application (WCF, ASP.Net). Steps: 1. Authenticate; 2. Get Claims; 3. Send claims / Get claims; 4. Send claims.]



Claims

  • Identity providers need to know what claims to send

  • Relying parties need to know what claims to expect to receive

  • Agreement must largely take place out of band, though metadata allows us to simplify

  • In AD FS 2.0:

    • The expected claims are codified into acceptance rules

    • The claims to send are codified into issuance rules

  • Pipeline: Input claims → Acceptance Rules → Issuance Rules → Output Claims → Authz



Rules Processing with a Transform Rule Set

  • Rules determine what goes into output claim set

    • Not all claims are output

  • Use rule chaining to construct complex claims

    • Output of Rule 1 can be used as the input to Rule 2

    • Temporary claims can be used for complex constructs

  • Rules can pull data from attribute stores

    • Complex mapping should be left to a SQL database



Attribute Stores

  • SQL

    • Select queries may be specified in rules (no UI)

    • Connection string stored in the clear

  • LDAP

    • Filters may be specified in rules (no UI)

    • Connection string stored in the clear



Custom Attribute Stores

  • Allow custom code to be plugged in for retrieving attributes

  • Process

    • .NET assembly is created by developer

    • Developer gives admin assembly, class reference, and connection string format

    • IT Pro copies assembly to each machine and places in the GAC

    • IT Pro adds custom attribute store using UI/PowerShell and inputting the class reference provided

    • IT Pro authors rules by passing claims to the attribute store in the expected connection string format
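The claims pipeline, rule chaining with temporary claims, and SQL / custom attribute stores from the Claims, Rules Processing and Attribute Stores slides above, as an added PowerShell example that is not the presenter’s code. The AD FS 2.0 cmdlets and claim rule language are real; the server names, the contoso.example claim type URIs, the HR table schema, the custom store type name and the group SID placeholder are assumed.

```powershell
# Added example, not code from the presentation. Names (fabrikam.local, HRDB,
# the relying party's metadata URL, the contoso.example claim URIs) are assumed.
Add-PSSnapin Microsoft.Adfs.PowerShell   # AD FS 2.0 ships its cmdlets as a snap-in

# Establish trust with the cloud relying party from its federation metadata
# (certificates and endpoints come from the metadata instead of a manual exchange).
Add-ADFSRelyingPartyTrust -Name "Contoso CRM (cloud)" `
    -MetadataUrl "https://crm.contoso.example/FederationMetadata/2007-06/FederationMetadata.xml"

# Register a SQL attribute store. The connection string is stored in the clear in
# the configuration database, so use integrated security, not an embedded password.
Add-ADFSAttributeStore -Name "HRDB" -StoreType SQL `
    -Configuration @{ "Connection" = "Server=sql01.fabrikam.local;Database=HR;Integrated Security=True" }

# A custom store is registered the same way; the assembly must already be in the
# GAC on every federation server (type name assumed).
Add-ADFSAttributeStore -Name "HRLookup" -StoreType Custom `
    -TypeQualifiedName "Fabrikam.Adfs.HrStore, Fabrikam.Adfs"

# Acceptance rules on the claims provider trust decide what enters the pipeline:
# only the account name and group SIDs from the local AD pass through.
$acceptance = @'
@RuleName = "Accept account name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(claim = c);
@RuleName = "Accept group SIDs"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"] => issue(claim = c);
'@
Set-ADFSClaimsProviderTrust -TargetName "Active Directory" -AcceptanceTransformRules $acceptance

# Issuance transform rules for the relying party. Rules chain: the age rule consumes
# the temporary claim that the employee-id rule add()s; add() never reaches the output.
$issuance = @'
@RuleName = "Identity claim: e-mail address from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";mail;{0}", param = c.Value);
@RuleName = "Temporary claim: employee id from the SQL store"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => add(store = "HRDB", types = ("http://schemas.contoso.example/temp/employeeid"),
        query = "SELECT EmployeeId FROM Employees WHERE Mail = {0}", param = c.Value);
@RuleName = "Custom claim: age, keyed on the temporary claim"
c:[Type == "http://schemas.contoso.example/temp/employeeid"]
 => issue(store = "HRDB", types = ("http://schemas.contoso.example/claims/age"),
          query = "SELECT Age FROM Employees WHERE EmployeeId = {0}", param = c.Value);
@RuleName = "Group claim: full-time employees"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-<FTE-GROUP-SID-PLACEHOLDER>"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "Fabrikam FTE");
'@
Set-ADFSRelyingPartyTrust -TargetName "Contoso CRM (cloud)" -IssuanceTransformRules $issuance

# Issuance authorization rules run on the accepted input claims, before the transform
# rules, so key them on the group SID rather than on the "Fabrikam FTE" claim above.
$authz = @'
@RuleName = "Permit full-time employees only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-<FTE-GROUP-SID-PLACEHOLDER>"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-ADFSRelyingPartyTrust -TargetName "Contoso CRM (cloud)" -IssuanceAuthorizationRules $authz
```

The resulting output claim set for an FTE contains the e-mail, Group and age claims; the temporary employee-id claim is consumed by rule chaining and never issued to the relying party.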


Windows Azure AppFabric Access Control Services (ACS)


Access Control

[Diagram: Contoso’s datacenter hosts a website or web service with CRM and database back ends; a mobile workforce, an enterprise partner and a small vendor all need access.]

  • How will I control access to the service?

  • How will I onboard partners or customers to this solution? Can they use existing method of authentication?


Access Control Service

[Diagram: a web or rich application talks to the Access Control Service over standard protocols (OAuth, WS-*); the “big players” Open ID (Google, Yahoo) and Facebook are supported identity providers.]

Provides claims-based access control for web services

  • Usable from any platform (for real)

  • Integrates with AD FS v2

  • Many identity providers, one code base


Windows Azure AppFabric Access Control Service

  • Provides an easy way to add identity and access control to web applications and services

  • Hosts an STS in the cloud for you

  • Integrates with standards-based identity providers

    • Active Directory

    • Windows Live ID, Google, Yahoo! and Facebook

  • Supports all relevant “standards”

    • WS-Federation, WS-Trust, OpenID, OAuth, …

  • Enables authorization decisions to be pulled out of the application and into a set of declarative rules that transform incoming security claims into claims that applications understand.


How it works

[Diagram: the actors are the Identity Provider, Contoso’s ACS Service Namespace, the Contoso Web Service and Contoso’s partner.]

  0. Establish trust (certificate or key exchange)

  1. Define access control rules for a customer

  2. Establish trust (certificate or key exchange)

  3. Request a token

  4. Return the token

  5. Request Access Token (Claims)

  6. Map input claims to output claims based on access control rules

  7. Return Access Token (output claims from 6)

  8. Send Message w/ Access Token

  9. Token Validated



Forefront Identity Manager



Managing our Enterprise Identities to the Cloud

  • Enterprise AD is easily extended to the cloud

    • ADFSv2

  • Access is managed through claims

  • Need a method to (automatically) populate claims:

    • Identity Claims – e.g. [email protected]

    • Group Claims – e.g. “Avanade FTE”

    • Custom Claims – e.g. age:18



Identity Management

  • Policy-based identity lifecycle management system

  • Built-in workflow for identity management

  • Automatically synchronize all user information to different directories across the enterprise

  • Automates the process of on-boarding users

[Diagram: FIM synchronizes identities with Active Directory, Lotus Domino, LDAP, SQL Server, Oracle DB and the HR system. Workflow: User Enrollment → Approval (Manager) → User provisioned; FIM CM.]



Group Management

  • Self-service group and distribution list management with the FIM 2010 Web portal

  • Office integration allows users to manage group membership from within Microsoft Office Outlook for maximum productivity

  • Automatically add users to either group based on their employee type at the time they are provisioned to Active Directory

  • Group and distribution list management, including dynamic membership calculation in these groups and distribution lists based on user’s attributes



Group Management

  • Integrates with Exchange and Outlook

  • Manages distribution and security groups

Self-service group management

Criteria-based group membership

Integrated approval



Example: Contoso and Melissa the sales person

  • Contoso is interested in adopting a new cloud app as their CRM for their sales department.

  • Melissa is a new hire for the sales department.

  • The IT department has decided to adopt Identity and Access management and leverage their Microsoft investment.


Example: From AD Group to Cloud Authentication

[Diagram: the FIM Platform (FIM Sync, action workflow, AuthN workflow, AuthZ workflow, delegation & permissions) feeds AD FS 2.0, which issues WS-* and SAML claims.]



Roadmap to the cloud


Getting your Identities to the cloud

[Diagram: AD Federation Services bridges the on-premise directory and the cloud.]



1. Understand your organization’s IAM needs

  • Business Processes: Onboarding, SSO, Promotions, Changes, Termination

  • Governance (Security Policy)

  • User Groups: Full-Time Employees, Contractors, Partners, Vendors, Customers

  • LOB Apps: Active Directory, Exchange, SQL, Oracle, PeopleSoft, SAP, Financials



2. Leverage your AD Investment

  • Make Active Directory the center of your Identity Roadmap.

  • Line of Business Apps should be aligning with LDAP, Kerberos or Claims-Based Authentication

  • Supplement your platforms with SSO solutions that leverage AD.

  • App Architecture should integrate WIF



3. Optimize your AD Metadata

  • How good is it?

  • How much information do you have today?

  • How much information do you need to make it work well on premises / in the cloud (*)?

  • How can I leverage AD Groups for claims-based authentication?

(*) Keep in mind that Federated Services need information about the user in order to make decisions



4. Use FIM 2010 Capabilities to Implement Policy and Business Logic

  • FIM Portal: The central place to manage your enterprise identities

  • Policies: To define your business logic

  • Workflows: To automate and make the policies repeatable and auditable.

  • Group Management: Security group lifecycle management.



5. On Premise is Stable – To the Cloud!

  • Start gathering information about your cloud provider and their supported authentication methods. Claims-based or SAML-compatible.

  • Find out what attributes are required by your cloud app. Beware of privacy concerns.

  • Configure AD FS to use the claims rules based on attributes identified and establish trust.

  • Design and implement the infrastructure to support the service.


Concluding

[Diagram: AD DS, the identity directory, is fed by the HR system, SAP and other apps, identity directories and SQL Server, and holds phone, title, department, manager, group, role and client list. FIM 2010 workflow and self service maintain it. From there AD FS 2.0 issues WS-* and SAML claims to partners and claims-aware applications; Windows Integrated/Kerberos serves SharePoint profiles and access and Exchange GAL & DL; MS Online Directory Synchronization carries identities to the cloud.]



Session Summary

  • Cloud adoption starts by having proper on-premises Identity and Access Management in place to mitigate data breach risks. IAM is a capability that needs its own enterprise roadmap

  • AD DS is in your enterprise today; make it the catalyst for your IAM strategy

  • Use FIM2010 to centrally manage and enforce corporate policy around identity

  • Leverage AD FS v2 to provide authentication to your users with cloud providers



Additional Information

  • About FIM 2010

    http://www.microsoft.com/forefront/identitymanager/en/us/default.aspx

    http://technet.microsoft.com/en-us/forefront/ff793470.aspx

  • About AD FS 2.0

    http://technet.microsoft.com/en-us/library/cc772128%28WS.10%29.aspx

  • About Windows Azure AppFabric

    http://www.microsoft.com/windowsazure/appfabric/overview/

  • Suggested Reading:

    “Claims Based Identity and Access Controls” - MS Press

    “2010 Verizon Business Security Report” – Verizon Business

