
Enabling Single Sign-On To Windows Azure Applications

PDC 2009 session SVC17, presented by Hervey Wilson, Architect, Microsoft Corporation.


Presentation Transcript


  1. SVC17: Enabling Single Sign-On To Windows Azure Applications
  Hervey Wilson, Architect, Microsoft Corporation

  2. Agenda
  • Externalizing Authentication
  • Windows Identity Foundation
  • Active Directory Federation Services 2.0
  • Single Sign-On to Windows Azure
  • Demo, Code, Details

  3. Demo: federatedidentity.cloudapp.net (Windows Azure, WIF and ADFS 2.0)

  4. Externalizing Authentication (flow diagram)
  Parties: the Client; the Identity Provider, running Active Directory Federation Services 2.0; the Relying Party, running Windows Identity Foundation.
  1. The client logs on to the Identity Provider
  2. The Identity Provider looks up the user's claims and transforms them for the application (relying party) trust
  3. The Identity Provider returns the claims as a security token and establishes its own session with the client
  4. The client presents the claims to the Relying Party
  5. The Relying Party (WIF) establishes an application session
  6. The client makes service requests against that session

  5. Windows Identity Foundation (WIF)
  • Enables rich claims-based identity in .NET applications
    • ASP.NET web sites
    • WCF services
  • Builds on familiar concepts
    • IPrincipal and IIdentity
    • PrincipalPermission
    • Role and Membership providers
  • Handles federation protocols
    • Extensible set of security token formats (username/password, X.509, SAML, ...)
    • WS-Federation and WS-Trust
    • Federation Metadata
  • Provides additional support for building
    • Identity Providers
    • Federation Providers
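The "program with claims" part of that model is easiest to see at the one hook every WIF relying party gets after the incoming token has been validated: ClaimsAuthenticationManager. The following is an added example written for this page, not code from the session or from the WIF SDK samples; the group claim type URI, the group names, the MyApp namespace and the web.config registration are assumptions.

```csharp
// Added example: a WIF 1.0 ClaimsAuthenticationManager for a relying party.
// WIF calls Authenticate once per sign-in, after the WS-Federation token has
// been validated and before the session is written, so this is where claims
// from the identity provider become the claims the application authorises on.
// Group claim type, group names and namespace are assumptions for illustration.
using System;
using System.Security.Authentication;
using Microsoft.IdentityModel.Claims;

namespace MyApp.Identity
{
    public class AppClaimsAuthenticationManager : ClaimsAuthenticationManager
    {
        // Hypothetical claim type the identity provider issues for AD group membership.
        private const string GroupClaimType = "http://schemas.xmlsoap.org/claims/Group";
        // Hypothetical group names permitted to use the application.
        private const string EmployeesGroup = "Employees";
        private const string AdminsGroup = "PortalAdmins";

        public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
        {
            // Anonymous requests (no session yet) pass through unchanged.
            if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            {
                return incomingPrincipal;
            }

            IClaimsIdentity identity = (IClaimsIdentity)incomingPrincipal.Identity;

            // Fail closed: without a stable subject identifier there is nothing to audit or authorise on.
            if (FindFirst(identity, ClaimTypes.NameIdentifier) == null)
            {
                throw new AuthenticationException("Incoming token carries no NameIdentifier claim.");
            }

            // Roles are decided here, not upstream: drop any role claims the STS sent so a
            // misconfigured claim rule at the identity provider cannot grant application roles.
            RemoveAll(identity, ClaimTypes.Role);

            bool isEmployee = HasClaim(identity, GroupClaimType, EmployeesGroup);
            bool isAdmin = HasClaim(identity, GroupClaimType, AdminsGroup);
            if (!isEmployee && !isAdmin)
            {
                throw new AuthenticationException("Subject is not in a group permitted to use this application.");
            }

            // Application-local claims. Their Issuer defaults to "LOCAL AUTHORITY", which
            // tells downstream code and the audit log they were minted here, not by the STS.
            identity.Claims.Add(new Claim(ClaimTypes.Role, "User"));
            if (isAdmin)
            {
                identity.Claims.Add(new Claim(ClaimTypes.Role, "Admin"));
            }

            // The session module persists the returned principal, so the mapping
            // runs once per sign-in rather than on every request.
            return incomingPrincipal;
        }

        private static Claim FindFirst(IClaimsIdentity identity, string claimType)
        {
            foreach (Claim c in identity.Claims)
            {
                if (string.Equals(c.ClaimType, claimType, StringComparison.Ordinal)) return c;
            }
            return null;
        }

        private static bool HasClaim(IClaimsIdentity identity, string claimType, string value)
        {
            foreach (Claim c in identity.Claims)
            {
                if (string.Equals(c.ClaimType, claimType, StringComparison.Ordinal)
                    && string.Equals(c.Value, value, StringComparison.Ordinal)) return true;
            }
            return false;
        }

        private static void RemoveAll(IClaimsIdentity identity, string claimType)
        {
            for (int i = identity.Claims.Count - 1; i >= 0; i--)
            {
                if (string.Equals(identity.Claims[i].ClaimType, claimType, StringComparison.Ordinal))
                {
                    identity.Claims.RemoveAt(i);
                }
            }
        }
    }
}
```

The class is registered under `<microsoft.identityModel><service><claimsAuthenticationManager type="MyApp.Identity.AppClaimsAuthenticationManager, MyApp" /></service></microsoft.identityModel>` in web.config; after that, `User.IsInRole("Admin")`, `PrincipalPermission` and the role provider all see the locally issued role claims. Stripping upstream role claims is a policy choice: keep them if the STS is the authoritative source of application roles, but then the claim rules on the STS are part of the application's trust boundary.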

  6. Active Directory Federation Services 2.0
  • Next-generation Active Directory Security Token Service
  • Built on the Windows Identity Foundation
  • Multiple protocols
    • WS-Federation, WS-Trust, SAML 2.0 protocols
    • Federation Metadata for trust setup and management
  • Authenticate using
    • Kerberos, X.509, username/password, SAML 1.1/2.0
  • SAML 2.0 protocol
    • IdP Lite, SP Lite and eGov profiles
  • Rule-based claims transformation engine
    • Inbound and outbound transformation, request authorization
    • AD LDS and SQL attribute stores, custom store extensibility
  • Identity delegation with ActAs
  • Intranet and extranet capable with a smart proxy service

  7. Demo: federatedidentity.cloudapp.net, basic build-out

  8. Working with WIF in Windows Azure
  • Basics
    • The role must run in Full Trust
    • Xcopy-deploy Windows Identity Foundation: ship Microsoft.IdentityModel.dll in the service package rather than relying on it being installed on the role
  • Web farm session management
    • Caching
    • Transforms
  • Dev, Staging and Production
    • Build it into your development model

  9. Session Management
  • WIF provides a consistent model for ASP.NET and WCF
    • Everything is managed as a SessionSecurityToken
    • ASP.NET uses HTTP cookies, WCF uses Secure Conversation
  • The logical session contains:
    • Principal, identities and claims
    • Optionally, the bootstrap token (the original token from the identity provider)
  • Cookie mode and session mode
    • "cache to wire" or "cache to storage"
  • Cookie mode
    • Everything goes to the wire, the service is stateless
    • Always works in a web farm (provided the session transforms use a key every instance shares; see Session Transforms), usually the best performance
    • Recommended approach; must use this for WCF
  • Session mode
    • A small artifact goes to the wire, the service needs state
    • Works in a web farm with a shared database
    • Recommended for ASP.NET if your cookies get too big

  10. Implementing a Session Cache
  • SecurityTokenCache is the abstract base for caches
    • MruSecurityTokenCache is the default for sessions
    • In-memory, single-machine cache
    • To enable session mode you'll need to write a new implementation
  • The cache key is always a SecurityTokenCacheKey
    • Cookie mode or session mode
    • Endpoint, context and key generation
  • The token is always a SessionSecurityToken
    • Its Owner property always points to a SecurityTokenHandler
    • You'll need this to serialize tokens for a database
  • Samples for Azure Storage and SQL Server
    • In-memory with database backing
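An "in-memory with database backing" cache of the kind the slide describes, as an added example written for this page rather than the session's sample code. It keeps tokens in memory on the instance that created them and writes a serialised copy through to a shared store so any other instance in the farm can rebuild the session from the small cookie artifact. The shared store is a static Dictionary standing in for SQL Azure or Azure Table storage; the `Caches.SessionSecurityTokenCache` registration, the typed handler indexer and the `SecurityTokenCacheKey` property names are the WIF 1.0 API as recalled, not taken from the deck, and the MyApp namespace is an assumption.

```csharp
// Added example (not the deck's demo code): a session-mode SecurityTokenCache
// for a web farm. Each instance keeps SessionSecurityTokens in memory and
// writes them through, serialised by the session token handler, to a shared
// store; an instance that first sees a session's small cookie artifact
// rebuilds the token from that store. The static Dictionary stands in for
// SQL Azure or Table storage. Caches.SessionSecurityTokenCache and the
// SecurityTokenCacheKey properties are WIF 1.0 API as recalled, not from the deck.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.IO;
using System.Text;
using System.Xml;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;

namespace MyApp.Identity
{
    public class SharedStoreSessionTokenCache : SecurityTokenCache
    {
        private static readonly object sync = new object();
        private readonly Dictionary<string, SessionSecurityToken> local = new Dictionary<string, SessionSecurityToken>();
        private static readonly Dictionary<string, string> sharedStore = new Dictionary<string, string>(); // key -> token XML
        private readonly SessionSecurityTokenHandler handler; // its cookie transforms also protect the stored form

        public SharedStoreSessionTokenCache(SessionSecurityTokenHandler handler)
        {
            if (handler == null) throw new ArgumentNullException("handler");
            this.handler = handler;
        }

        // Endpoint + context name a session; KeyGeneration changes when WIF renews a sliding
        // session. A key flagged IgnoreKeyGeneration addresses every generation of the context.
        private static string Prefix(SecurityTokenCacheKey k) { return k.EndpointId + "|" + k.ContextId + "|"; }
        private static string Full(SecurityTokenCacheKey k) { return Prefix(k) + k.KeyGeneration; }

        public override bool TryAddEntry(object key, SecurityToken value)
        {
            SecurityTokenCacheKey ck = key as SecurityTokenCacheKey;
            SessionSecurityToken token = value as SessionSecurityToken;
            if (ck == null || token == null) return false;
            string id = Full(ck);
            lock (sync) { local[id] = token; sharedStore[id] = Serialize(token); }
            return true;
        }

        public override bool TryGetEntry(object key, out SecurityToken value)
        {
            value = null;
            SecurityTokenCacheKey ck = key as SecurityTokenCacheKey;
            if (ck == null) return false;
            string id = Full(ck);
            SessionSecurityToken token;
            lock (sync)
            {
                if (!local.TryGetValue(id, out token))
                {
                    string xml;
                    if (!sharedStore.TryGetValue(id, out xml)) return false; // unknown or signed-out session
                    token = Deserialize(xml);
                    local[id] = token; // warm this instance
                }
            }
            if (token.ValidTo <= DateTime.UtcNow) { TryRemoveEntry(ck); return false; } // expired: evict, never return
            value = token;
            return true;
        }

        public override bool TryRemoveEntry(object key)
        {
            SecurityTokenCacheKey ck = key as SecurityTokenCacheKey;
            if (ck == null) return false;
            string id = Full(ck);
            lock (sync) { bool inLocal = local.Remove(id); return sharedStore.Remove(id) | inLocal; }
        }

        public override bool TryGetAllEntries(object key, out IList<SecurityToken> tokens)
        {
            tokens = new List<SecurityToken>();
            SecurityTokenCacheKey ck = key as SecurityTokenCacheKey;
            if (ck == null) return false;
            lock (sync)
            {
                foreach (KeyValuePair<string, string> e in sharedStore)
                    if (e.Key.StartsWith(Prefix(ck), StringComparison.Ordinal)) tokens.Add(Deserialize(e.Value));
            }
            return tokens.Count > 0;
        }

        public override bool TryRemoveAllEntries(object key)
        {
            SecurityTokenCacheKey ck = key as SecurityTokenCacheKey;
            if (ck == null) return false;
            lock (sync)
            {
                List<string> doomed = new List<string>();
                foreach (string k in sharedStore.Keys) if (k.StartsWith(Prefix(ck), StringComparison.Ordinal)) doomed.Add(k);
                foreach (string k in doomed) { sharedStore.Remove(k); local.Remove(k); }
                return doomed.Count > 0;
            }
        }

        public override void ClearEntries() { lock (sync) { local.Clear(); sharedStore.Clear(); } }

        private string Serialize(SessionSecurityToken token)
        {
            StringBuilder sb = new StringBuilder();
            using (XmlWriter w = XmlWriter.Create(sb)) handler.WriteToken(w, token);
            return sb.ToString();
        }

        private SessionSecurityToken Deserialize(string xml)
        {
            using (XmlReader r = XmlReader.Create(new StringReader(xml))) return (SessionSecurityToken)handler.ReadToken(r);
        }
    }

    public class Global : System.Web.HttpApplication
    {
        protected void Application_Start(object sender, EventArgs e)
        {
            FederatedAuthentication.ServiceConfigurationCreated += delegate(object s, ServiceConfigurationCreatedEventArgs args)
            {
                // Assumed WIF 1.0 registration points: the typed handler indexer and Caches.SessionSecurityTokenCache.
                SessionSecurityTokenHandler h = (SessionSecurityTokenHandler)args.ServiceConfiguration.SecurityTokenHandlers[typeof(SessionSecurityToken)];
                args.ServiceConfiguration.Caches.SessionSecurityTokenCache = new SharedStoreSessionTokenCache(h);
            };
        }
    }
}
```

Two things the example deliberately does that a first attempt often misses: it checks `ValidTo` on the way out, so a token that lingered in the shared store after expiry is evicted rather than resurrected on another instance, and it honours the prefix semantics of `IgnoreKeyGeneration` keys, which is what WIF uses to remove every generation of a session at sign-out. Session mode itself is switched on through the session module (in WIF 1.0, `FederatedAuthentication.SessionAuthenticationModule.IsSessionMode = true`, as recalled) once the module has loaded; the cache alone does not change what goes to the wire.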

  11. Session Transforms
  • Session transforms protect data going to the client
    • WIF defaults are compression plus DPAPI protection
    • Fine for a single machine, not in a farm: DPAPI keys are per machine, so a cookie written by one instance cannot be read by another
  • Alternatives
    • RSA protection
      • SSL certificate or token encryption certificate
    • ASP.NET <machineKey>
      • AES encryption with a key from web.config
  • Set up either with web.config or programmatically
    • web.config using a custom SessionSecurityTokenHandler
    • Programmatically for tweaking an existing handler
  • Works for on-premise as well
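The programmatic route, replacing the default DPAPI transforms with RSA ones keyed by a certificate every instance holds, as an added example written for this page (the transform and event classes are WIF 1.0 API; the cscfg setting name and the MyApp namespace are assumptions, and this is not the session's demo code):

```csharp
// Added example: replace WIF's default cookie protection (Deflate + DPAPI,
// which only the issuing machine can undo) with RSA transforms keyed by a
// certificate every role instance holds, so cookie-mode sessions survive
// load balancing across the farm. Event and transform classes are WIF 1.0
// (Microsoft.IdentityModel) API; the cscfg setting name is an assumption.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.WindowsAzure.ServiceRuntime;

namespace MyApp
{
    public class Global : System.Web.HttpApplication
    {
        // Hypothetical cscfg setting holding the thumbprint of the session protection certificate.
        private const string ThumbprintSetting = "SessionCertificateThumbprint";

        protected void Application_Start(object sender, EventArgs e)
        {
            // Raised once, when WIF builds ServiceConfiguration from <microsoft.identityModel>.
            FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
        }

        private static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
        {
            // Prefer the <serviceCertificate> from web.config; fall back to a thumbprint from the cscfg.
            X509Certificate2 cert = e.ServiceConfiguration.ServiceCertificate;
            if (cert == null && RoleEnvironment.IsAvailable)
            {
                cert = FindByThumbprint(RoleEnvironment.GetConfigurationSettingValue(ThumbprintSetting));
            }
            if (cert == null || !cert.HasPrivateKey)
            {
                // Without the private key this instance could write cookies nobody can read back.
                throw new InvalidOperationException("Session protection certificate with private key not found on this instance.");
            }

            // Applied in this order when writing the cookie and reversed when reading it:
            // compress, encrypt, then sign. Signing last means the signature covers the
            // ciphertext, so a tampered cookie is rejected before any decryption is attempted.
            List<CookieTransform> transforms = new List<CookieTransform>
            {
                new DeflateCookieTransform(),
                new RsaEncryptionCookieTransform(cert),
                new RsaSignatureCookieTransform(cert)
            };

            SessionSecurityTokenHandler handler = new SessionSecurityTokenHandler(transforms.AsReadOnly());
            e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(handler);
        }

        private static X509Certificate2 FindByThumbprint(string thumbprint)
        {
            X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
            store.Open(OpenFlags.ReadOnly);
            try
            {
                // validOnly:false so a self-signed certificate (common for token encryption) still resolves.
                X509Certificate2Collection found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
                return found.Count == 1 ? found[0] : null;
            }
            finally
            {
                store.Close();
            }
        }
    }
}
```

For this to work in Windows Azure the certificate (with its private key) has to be uploaded to the hosted service and listed under `<Certificates>` in the service definition, which installs it into LocalMachine\My on every instance; the web.config side is `<serviceCertificate><certificateReference x509FindType="FindByThumbprint" findValue="..." storeLocation="LocalMachine" storeName="My" /></serviceCertificate>`. Anyone holding that private key can forge session cookies for the application, so treat it with the same care as the SSL key.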

  12. Demo: federatedidentity.cloudapp.net, session management additions

  13. Lifecycle – Dev, Staging, Production
  • Lots to think about – plan ahead!
  • Moving between environments may change:
    • Hostnames and ports
    • Certificates
      • SSL and token encryption
    • Realm (optional)
    • Federation Metadata
    • Identity Providers
      • Signing certificates, issuer names
  • Changes impact the federation protocols
    • Realm names, wtrealm, AppliesTo
    • Redirection addresses

  14. Lifecycle Strategies
  • No "one size fits all" answer
    • Depends on your environment and development processes
  • Three main options:
    • Protocol tweaks
    • Multiple configuration files
    • Dynamic configuration selection
  • Key questions:
    • Is each deployment a different Relying Party?
    • Does each deployment use a different STS?

  15. Lifecycle – Protocol Tweaks

                                Development                 Staging                     Production
  Realm (relying party id)      myapp.cloudapp.net          myapp.cloudapp.net          myapp.cloudapp.net
  Hosting address               127.0.0.1:444               nnn.cloudapp.net            myapp.cloudapp.net
  Identity provider (STS)       identity.sts.com            identity.sts.com            identity.sts.com
  Federation metadata           metadata.xml                metadata.xml                metadata.xml
  Web configuration             web.config                  web.config                  web.config
  Service definition            myapp.csdef                 myapp.csdef                 myapp.csdef
  Service configuration         myapp.cscfg                 myapp.cscfg                 myapp.cscfg

  • Everything except the hosting address is constant
  • Modify wreply and AppliesTo for the Identity Provider at runtime
  • Fine for a custom STS or for testing, but ADFS 2.0 doesn't support this: the relying party's identifier and endpoints are fixed in its trust configuration

  16. Lifecycle – Multiple Configuration Files

                                Development                 Staging                     Production
  Realm (relying party id)      dev.myapp.cloudapp.net      staging.myapp.cloudapp.net  myapp.cloudapp.net
  Hosting address               127.0.0.1:444               nnn.cloudapp.net            myapp.cloudapp.net
  Identity provider (STS)       dev.identity.sts.com        staging.identity.sts.com    prod.identity.sts.com
  Federation metadata           dev.metadata.xml            staging.metadata.xml        prod.metadata.xml
  Web configuration             dev.web.config              staging.web.config          prod.web.config
  Service definition            dev.myapp.csdef             staging.myapp.csdef         prod.myapp.csdef
  Service configuration         dev.myapp.cscfg             staging.myapp.cscfg         prod.myapp.cscfg

  • All of the configuration can change
  • Cannot fast-switch between Staging and Production; must rebuild and redeploy

  17. Lifecycle – Dynamic Configuration

                                Development                 Staging                     Production
  Realm (relying party id)      dev.myapp.cloudapp.net      staging.myapp.cloudapp.net  myapp.cloudapp.net
  Hosting address               127.0.0.1:444               nnn.cloudapp.net            myapp.cloudapp.net
  Identity provider (STS)       dev.identity.sts.com        staging.identity.sts.com    prod.identity.sts.com
  Federation metadata           dynamic metadata            dynamic metadata            dynamic metadata
  Web configuration             web.config [dev]            web.config [staging]        web.config [prod]
  Service definition            myapp.csdef                 myapp.csdef                 myapp.csdef
  Service configuration         dev.myapp.cscfg             staging.myapp.cscfg         prod.myapp.cscfg

  • All of the configuration can change
  • Can fast-switch between Staging and Production
  • Must deploy all certificates, even those for Development
  • Can lead to complex configuration files
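What "dynamic configuration selection" looks like in code, covering the three options above: one web.config and one service definition are deployed everywhere and a single cscfg setting selects the realm, STS and signing certificate for the environment. This is an added example written for this page, not the session's demo; the hostnames follow the tables, the thumbprints are obvious placeholders, the cscfg setting name and the MyApp namespace are assumptions, and the ServiceConfiguration property names are the WIF 1.0 API as recalled. Each environment is its own relying party on its own STS, which is the configuration that avoids the protocol tweaks ADFS 2.0 does not accept.

```csharp
// Added example: per-environment relying party settings chosen at runtime
// from one cscfg value. Hostnames come from the slide tables; thumbprints
// are placeholders; the setting name and namespace are assumptions.
using System;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.WindowsAzure.ServiceRuntime;

namespace MyApp
{
    public sealed class DeploymentEnvironment
    {
        public readonly string Name;
        public readonly string Realm;             // wtrealm / AppliesTo: the relying party identifier
        public readonly string Issuer;            // the STS WS-Federation passive endpoint
        public readonly string IssuerName;        // logical name stamped on claims from that STS
        public readonly string SigningThumbprint; // the STS token-signing certificate

        private DeploymentEnvironment(string name, string realm, string issuer, string issuerName, string thumbprint)
        {
            Name = name; Realm = realm; Issuer = issuer; IssuerName = issuerName; SigningThumbprint = thumbprint;
        }

        private static readonly DeploymentEnvironment[] All =
        {
            new DeploymentEnvironment("dev",     "https://dev.myapp.cloudapp.net/",     "https://dev.identity.sts.com/adfs/ls/",     "dev-sts",     "0000000000000000000000000000000000000001"),
            new DeploymentEnvironment("staging", "https://staging.myapp.cloudapp.net/", "https://staging.identity.sts.com/adfs/ls/", "staging-sts", "0000000000000000000000000000000000000002"),
            new DeploymentEnvironment("prod",    "https://myapp.cloudapp.net/",         "https://prod.identity.sts.com/adfs/ls/",    "prod-sts",    "0000000000000000000000000000000000000003"),
        };

        // Hypothetical cscfg setting; dev.myapp.cscfg, staging.myapp.cscfg and prod.myapp.cscfg each carry a different value.
        private const string Setting = "Deployment.Environment";

        public static DeploymentEnvironment Current
        {
            get
            {
                string name = RoleEnvironment.IsAvailable ? RoleEnvironment.GetConfigurationSettingValue(Setting) : "dev";
                foreach (DeploymentEnvironment env in All)
                {
                    if (string.Equals(env.Name, name, StringComparison.OrdinalIgnoreCase)) return env;
                }
                // Fail closed: an unknown name must not silently fall back to the dev trust settings.
                throw new InvalidOperationException("Unknown deployment environment: " + name);
            }
        }
    }

    public class Global : System.Web.HttpApplication
    {
        protected void Application_Start(object sender, EventArgs e)
        {
            FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
        }

        private static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
        {
            DeploymentEnvironment env = DeploymentEnvironment.Current;

            // Accept only tokens addressed to this environment's realm...
            e.ServiceConfiguration.AudienceRestriction.AllowedAudienceUris.Clear();
            e.ServiceConfiguration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(env.Realm));

            // ...and only if signed by this environment's STS. Replacing the registry rather
            // than adding to it means the dev STS certificate can never validate a prod token.
            ConfigurationBasedIssuerNameRegistry registry = new ConfigurationBasedIssuerNameRegistry();
            registry.AddTrustedIssuer(env.SigningThumbprint, env.IssuerName);
            e.ServiceConfiguration.IssuerNameRegistry = registry;
        }

        // ASP.NET wires this by name to the WSFederationAuthenticationModule event.
        protected void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
        {
            DeploymentEnvironment env = DeploymentEnvironment.Current;
            // Send the sign-in request to this environment's STS with this environment's
            // realm; wreply stays inside the realm so it matches the endpoint registered
            // on the corresponding ADFS relying party trust.
            e.SignInRequestMessage.BaseUri = new Uri(env.Issuer);
            e.SignInRequestMessage.Realm = env.Realm;
            e.SignInRequestMessage.Reply = env.Realm;
        }
    }
}
```

The price the slide mentions follows directly: because the code must be able to select any environment, the token-encryption and SSL certificates for all three have to be deployed with the role, and the web.config grows a section per environment. The compensating control is the fail-closed `Current` lookup and the replaced issuer registry, so a mis-set cscfg value produces an error page rather than a production instance trusting the development STS.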

  18. Demo: federatedidentity.cloudapp.net, adding a dynamic configuration

  19. Beyond Web Single Sign-On
  • WIF and ADFS 2.0 do WCF as well
    • We've tried many bindings in Windows Azure
    • You'll need KB971842 to enable WCF WSDL generation in a web farm
  • Custom Security Token Services
    • Identity and Federation Providers all work
    • Store trust data in Azure Storage or SQL Azure
    • Certificates without private keys (the public certificates of trusted issuers) are fine to keep in a database

  20. Summary
  • WIF lets you externalize authentication
    • Federate with Identity Providers
    • Program with claims
  • ADFS opens up AD for federation
    • Multiple protocols, active and passive
    • Intranet and extranet authentication
    • Smart claims generation
  • WIF on-premise or in Windows Azure
    • Same conceptual model
    • Same application code
    • Same configuration model

  21. Identity @ PDC 2009
  • Come visit us at the booth in the pavilion!
  • Try a hands-on lab
    • Introduction to Windows Identity Foundation
    • Using WIF to Secure Windows Azure Applications
  • Attend identity sessions
    • SVC28: System.IdentityModel Accessing Directory Services
    • PR11: Leveraging & Extending SharePoint Identity Features
    • SVC26: How Microsoft SharePoint 2010 was Built with WIF
    • SVC17: Enabling SSO to Windows Azure Applications
    • SVC02: Windows Identity Foundation Overview
    • SVC19: REST Security Services in Windows Azure using the Access Control Service

  22. Your feedback is important to us! Please fill out session evaluation forms online at MicrosoftPDC.com

  23. Learn More On Channel 9
  • Expand your PDC experience through Channel 9
  • Explore videos, hands-on labs, sample code and demos through the new Channel 9 training courses: channel9.msdn.com/learn
  Built by Developers for Developers...

  24. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
