Identity and Access Management: Windows Identity Foundation and Windows Azure

Presentation Transcript


  1. SESSION CODE: SIA303. Identity and Access Management: Windows Identity Foundation and Windows Azure. Vittorio Bertocci, Sr. Architect Evangelist, Microsoft Corporation

  2. Identity and Access Management
  Enable more secure, identity-based access to applications on-premises and in the cloud from virtually any location or device.
  PROTECT everywhere, ACCESS anywhere, INTEGRATE and EXTEND security, SIMPLIFY security, MANAGE compliance
  • Provide more secure, always-on access
  • Enable access from virtually any device
  • Control access across organizations
  • Provide standards-based interoperability
  • Extend powerful self-service capabilities to users
  • Automate and simplify management tasks

  3. Business Ready Security Solutions
  • Secure Messaging
  • Secure Collaboration
  • Secure Endpoint
  • Information Protection
  • Identity and Access Management

  4. Non-Goals
  • Not a comprehensive overview of WIF
  • Not a comprehensive overview of Windows Azure
  I assume you know at least a little bit of one or the other.

  5. Agenda
  • Claims Based Identity & WIF
  • Windows Azure
  • WIF & the canonical scenario in Windows Azure
  • Tricks for
    • Browser based SSO
    • WCF services
    • Custom STS

  6. Your Applications Are Prisoners
  (diagram labels: Login.aspx, Page1.aspx, Credential Types / APIs, Credential Stores, User Attributes Stores)

  7. Claims Can Set Your Application Free
  (diagram labels: Identity Provider, Active Directory Federation Services 2.0, STS, Claims, Relying Party, Security Token)

  8. Essential claims programming model
  • Claims OM integrated with the .NET identity API
  • Single programming model for ASP.NET & WCF
  • Config driven
  • Single programming model for on-premises & cloud
  • Tools for metadata-driven automatic app configuration
  • WS-Federation, WS-Trust
  • Framework for custom STS development
  • And more…

  9. DEMO: Claims Based Identity and Web Site Authentication. Vittorio Bertocci, Sr. Architect Evangelist, Microsoft Corporation

  10. Canonical Scenario & Infrastructure
  (diagram labels: STS, HTTPS://foo/fooapp/default.aspx, GAC, IIS / ASP.NET, File System, Certificate Store)

  11. Windows Azure (1/2)
  • Compute:
    • Standard .NET 3.5 environment
    • Web, WCF and worker roles
    • Can P/Invoke
    • Physical machine inaccessible, immutable
  • Storage
    • Table & blob storage
  • Management
    • Manage roles, scale, storage, certificates, etc.

  12. Windows Azure (2/2)
  • Visual Studio integration
    • Templates
    • DevFabric: on-premises simulation environment
  • Multi-staged deployment
    • Staging
    • Production

  13. Canonical Scenario & Infrastructure
  (diagram label: HTTPS://???/fooapp/default.aspx)

  14. Scenarios & Tricks

  15. Browser Based SSO
  (diagram label: STS)

  16. DEMO: SSO: On-Premises STS and Windows Azure Web App. Vittorio Bertocci, Sr. Architect Evangelist, Microsoft Corporation

  17. Hosted Service Packaging
  • Application Package
    • Yourapp.cspkg: contains all your app
  • Configuration Settings
    • ServiceConfiguration.cscfg: roles and such
  • If you need something not in the standard image, package it with the app
    • Set Copy Local=true for Microsoft.IdentityModel.dll
    • FullTrust is required
  • Want to change anything in your app? Redeploy
    • Make your app parametric, drive it from the outside

  18. Endpoints & Environments
  • WIF assumes URI == Application
  • In Windows Azure that doesn't work
    • URI changes per environment:
      • DevFabric: 127.0.0.1:xxx/
      • Staging: {GUID}.cloudapp.net/
      • Production: yourapp.cloudapp.net/
    • The load balancer influences the physical URI
      • yourapp.cloudapp.net:20000/

  19. Endpoints Strategies
  • On the RP
    • Use multiple named <identityModel/service> sections
    • If your STS handles it, use wreply
    • Get the application address from request.Headers["Host"]
  • On the STS
    • If you can, handle wreply
    • Otherwise, treat every deployment as a separate RP
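The Host-header trick from this slide, as an added example (not code from the deck or from WIF): a Global.asax handler that makes wtrealm and wreply follow the address the browser actually used, so the same package runs in DevFabric, staging and production without a redeploy. It assumes WIF 3.5 (Microsoft.IdentityModel) with WSFederationAuthenticationModule registered in web.config under the name WSFederationAuthenticationModule, which is what lets ASP.NET auto-wire the handler by method name; the "/fooapp" path is the deck's canonical application path and the helper name is mine.

```csharp
// Added example, not part of the deck: derive wtrealm/wreply from the public address of the request.
// Assumes WIF 3.5 (Microsoft.IdentityModel) and an ASP.NET web role whose web.config registers
// WSFederationAuthenticationModule under that exact name (the WIF tooling's default).
using System;
using System.Web;
using Microsoft.IdentityModel.Web;

public class Global : HttpApplication
{
    // Auto-wired by ASP.NET (module name + "_" + event name); fired by WIF just before it
    // redirects an unauthenticated user to the STS.
    void WSFederationAuthenticationModule_RedirectingToIdentityProvider(
        object sender, RedirectingToIdentityProviderEventArgs e)
    {
        HttpRequest request = HttpContext.Current.Request;
        string appRoot = ApplicationRoot(
            request.IsSecureConnection ? "https" : "http",
            request.Headers["Host"],      // what the browser addressed: the load-balanced name, not the node port
            request.ApplicationPath);     // "/" or "/fooapp"

        // wtrealm identifies this RP to the STS; wreply tells the STS where to post the token back.
        e.SignInRequestMessage.Realm = appRoot;
        e.SignInRequestMessage.Reply = appRoot;
    }

    // Builds "scheme://host[:port]/app/" from the pieces above. The Host header is client-supplied,
    // so this only stays safe when the STS checks wreply against its list of known RPs before
    // posting a token to it (the "known RPs" point the deck makes for custom STSes).
    public static string ApplicationRoot(string scheme, string hostHeader, string applicationPath)
    {
        if (string.IsNullOrEmpty(hostHeader))
            throw new ArgumentException("Missing Host header", "hostHeader");

        string path = (applicationPath ?? "/").TrimEnd('/') + "/";   // normalise to a trailing slash
        return scheme + "://" + hostHeader + path;
    }
}
```

With this in place a DevFabric request to 127.0.0.1 on a random port, a staging request to the GUID host and a production request to yourapp.cloudapp.net each produce a matching realm and reply address, which is exactly the per-environment variation the next slide warns about. The STS side still has to accept that wreply (or treat each deployment as its own RP, as the slide says).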

  20. Certificates in Windows Azure
  • Certificate + private key: needed for SSL, decryption, signature
  • Certificate alone: "needed" for STS signature checking
  • In Windows Azure you don't have direct access to the certificate store
    • Upload PFX in a common area
    • The cscfg decides which certificates are available to which roles
    • The fabric will deploy those "just in time" in the role
  • You can't add trusted roots

  21. Certificates Strategies
  • For SSL, decryption, signature
    • Upload the necessary PFX(es)
    • More about this in the Sessions slides
  • For STS signature checking
    • Often the certificate bits will arrive with the message
    • All you need is to record the thumbprint in the IssuerNameRegistry…
    • …and set certificateValidationMode="None"
    • If that's not the case, generate a key-less PFX and upload

  22. Session
  • WIF's typical session is implemented via cookies
  • The default protection method is DPAPI
    • Doesn't work if you can hit multiple instances
  • Easy solution in Windows Azure
    • Inject a SessionSecurityTokenHandler with your own transforms list
    • Encrypt & sign the cookie via RsaXXXTransform and service certificate
    • You could use the machine key as well
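The certificate strategy of slide 21 and the session strategy of slide 22 both land in the same WIF hook, so here is one added example (not code from the deck or from WIF) that applies both from Global.asax. It assumes WIF 3.5 (Microsoft.IdentityModel), a service certificate already deployed to the role through the cscfg, and a thumbprint and issuer name that are placeholders; the same two settings can equally be declared in the web.config identity section, which is what the slides describe.

```csharp
// Added example, not part of the deck: pin the STS signing certificate by thumbprint and
// protect the session cookie with the service certificate instead of DPAPI.
// Assumes WIF 3.5 (Microsoft.IdentityModel); thumbprint and issuer name are placeholders.
using System;
using System.Collections.Generic;
using System.ServiceModel.Security;
using System.Web;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

public class Global : HttpApplication
{
    // PLACEHOLDER: thumbprint of the STS signing certificate, copied from its FederationMetadata
    private const string StsSigningThumbprint = "0000000000000000000000000000000000000000";
    // PLACEHOLDER: the issuer name WIF will put in the claims' Issuer property
    private const string StsIssuerName = "https://sts.example.test/";

    protected void Application_Start(object sender, EventArgs e)
    {
        // Runs once, when WIF builds its configuration from web.config
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
    }

    static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        ServiceConfiguration config = e.ServiceConfiguration;

        // Slide 21: the signing certificate arrives with the token, so trust is pinned to an exact
        // thumbprint. That pin is what makes turning chain validation off acceptable here: the role
        // cannot add trusted roots anyway, and an unknown thumbprint is rejected by the registry.
        ConfigurationBasedIssuerNameRegistry registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(StsSigningThumbprint, StsIssuerName);
        config.IssuerNameRegistry = registry;
        config.CertificateValidationMode = X509CertificateValidationMode.None;

        // Slide 22: DPAPI keys are per machine, so a cookie written by one instance is unreadable
        // behind the load balancer on another. The service certificate is deployed to every
        // instance by the cscfg, so RSA transforms keyed on it work across all of them.
        List<CookieTransform> transforms = new List<CookieTransform>(new CookieTransform[]
        {
            new DeflateCookieTransform(),                                   // shrink before encrypting
            new RsaEncryptionCookieTransform(config.ServiceCertificate),    // confidentiality
            new RsaSignatureCookieTransform(config.ServiceCertificate)      // integrity
        });
        SessionSecurityTokenHandler handler = new SessionSecurityTokenHandler(transforms.AsReadOnly());
        config.SecurityTokenHandlers.AddOrReplace(handler);   // replaces the default DPAPI-based handler
    }
}
```

Rotating the STS signing certificate means updating the thumbprint (and redeploying, unless it is driven from a cscfg setting as slide 17 recommends); rotating the service certificate invalidates every outstanding session cookie, which is the expected behaviour.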

  23. WCF Service
  (diagram label: STS)

  24. DEMO: WIF and WCF Services on Windows Azure. Vittorio Bertocci, Sr. Architect Evangelist, Microsoft Corporation

  25. WCF and Sessions
  • Similar approach to what we've seen for the passive case
  • Trickier:
    • Craft the binding for allowing cookie mode
    • Write a custom SessionSecurityTokenHandler
      • Usual RsaXXXTransform
      • Validation must abstract away node port numbers in the URI
    • Inject the custom SessionSecurityTokenHandler
      • behaviorExtension -> IServiceBehavior -> SessionSecurityTokenHandler

  26. WCF Metadata in Windows Azure
  • The default mechanism puts URIs with node ports in the WSDL
    • Not addressable from outside, SvcUtil fails
  • KB971842 solves the issue, but needs to be explicitly activated
    • Add to the service behavior:
      <useRequestHeadersForMetadataAddress>
        <defaultPorts>
          <add scheme="http" port="8000" />
          <add scheme="https" port="8443" />
        </defaultPorts>
      </useRequestHeadersForMetadataAddress>
    • Manually update the ports when deploying to the cloud

  27. Tracing
  • WIF tracing works ~ like WCF tracing
    • Can use the Service Trace Viewer tool
  • Surprise! No direct access to the VM file system
  • One solution
    • Write a custom XmlWriterTraceListener which dumps the traces in Windows Azure storage
    • Use WebRole.OnStart for hooking the listener to the storage
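The custom listener from this slide, as an added example (not code from the deck or from WIF): an XmlWriterTraceListener that buffers WIF's trace events in memory and writes them to blob storage in chunks, since the role's file system cannot be read from outside. It assumes the Windows Azure SDK 1.x StorageClient API, a role configuration setting named DiagnosticsConnectionString (hypothetical) and a container name that is a placeholder. Rather than adding the listener from WebRole.OnStart, this version is declared in web.config so that WIF's own trace source picks it up when it initialises; that is my design choice, not the deck's.

```csharp
// Added example, not part of the deck: a trace listener that ships WIF traces to blob storage.
// Assumes Windows Azure SDK 1.x (Microsoft.WindowsAzure.StorageClient, Microsoft.WindowsAzure.ServiceRuntime)
// and a hypothetical role setting "DiagnosticsConnectionString"; the container name is a placeholder.
using System;
using System.Diagnostics;
using System.IO;
using Microsoft.WindowsAzure;
using Microsoft.WindowsAzure.ServiceRuntime;
using Microsoft.WindowsAzure.StorageClient;

public class BlobXmlWriterTraceListener : XmlWriterTraceListener
{
    private const int UploadThresholdBytes = 256 * 1024;   // upload once this much trace has accumulated
    private readonly MemoryStream _buffer;
    private readonly CloudBlobContainer _container;
    private readonly string _instanceId;
    private int _chunk;

    // Parameterless so <system.diagnostics> can instantiate it by type name
    public BlobXmlWriterTraceListener() : this(new MemoryStream()) { }

    private BlobXmlWriterTraceListener(MemoryStream buffer) : base(buffer)
    {
        _buffer = buffer;
        CloudStorageAccount account = CloudStorageAccount.Parse(
            RoleEnvironment.GetConfigurationSettingValue("DiagnosticsConnectionString"));
        _container = account.CreateCloudBlobClient().GetContainerReference("wif-traces");   // placeholder name
        _container.CreateIfNotExist();
        _instanceId = RoleEnvironment.CurrentRoleInstance.Id;   // keeps each node's traces apart
    }

    // TraceSource calls Flush after every event when <trace autoflush="true"/> is set;
    // only hit storage once a chunk is worth uploading.
    public override void Flush()
    {
        base.Flush();
        if (_buffer.Length >= UploadThresholdBytes)
            Upload();
    }

    // Role shutdown: push whatever is left
    public override void Close()
    {
        base.Flush();
        Upload();
        base.Close();
    }

    private void Upload()
    {
        if (_buffer.Length == 0)
            return;
        // Each chunk is a self-contained sequence of <E2ETraceEvent> elements, which is exactly the
        // .svclog shape the Service Trace Viewer opens.
        string name = string.Format("{0}/{1:yyyyMMdd-HHmmss}-{2}.svclog", _instanceId, DateTime.UtcNow, _chunk++);
        _container.GetBlobReference(name).UploadByteArray(_buffer.ToArray());
        _buffer.SetLength(0);   // start the next chunk
    }
}
```

To wire it up, add the listener under the Microsoft.IdentityModel trace source in web.config's system.diagnostics section (type set to this class and its assembly) and enable autoflush; the chunks then appear in the wif-traces container, one folder per role instance, ready to download into the Service Trace Viewer.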

  28. Custom Passive STS
  (diagram label: STS)

  29. WS-Federation Metadata Generation
  • RPs use STS metadata for
    • Discovering issuing endpoints
    • Signing certificate(s)
    • Offered claims
    • …
  • URIs need to
    • Reflect the environment
    • Handle the node port number issue
  • One solution: explicitly generate the metadata via an HTTP WCF service
    • UrlRewrite for hiding the .svc implementation detail

  30. More Endpoint Issues
  • Turn off address filtering via [ServiceBehavior(AddressFilterMode = AddressFilterMode.Any)]
  • On the client, override the endpoint reference

  31. RP Management
  • You need to maintain a list of RPs
    • A good STS serves tokens only to known RPs
    • Encrypting tokens for one RP requires knowing the RP certificate
  • You don't want to redeploy a cspkg every time you add or delete an RP
  • Solution: keep the RPs in a Windows Azure table
    • Use management APIs for maintaining the list
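The table-backed RP list from this slide, as an added example (not code from the deck or from WIF): a small registry over a Windows Azure table plus a custom STS whose GetScope refuses any realm that is not registered, posts only to the registered reply address, and encrypts for the RP's certificate when one is on file. It assumes WIF 3.5 (Microsoft.IdentityModel) and the Windows Azure SDK 1.x StorageClient; the table name, entity properties and the wreply-prefix rule are mine, not WIF's.

```csharp
// Added example, not part of the deck: relying parties live in a table, so adding or deleting one is
// a table write rather than a cspkg redeploy. Assumes WIF 3.5 and Windows Azure SDK 1.x StorageClient;
// table name and entity shape are hypothetical.
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;
using Microsoft.WindowsAzure;
using Microsoft.WindowsAzure.StorageClient;

// One row per RP; a fixed PartitionKey keeps the (small) list in a single partition.
public class RelyingPartyEntity : TableServiceEntity
{
    public const string Partition = "rp";
    public RelyingPartyEntity() { }   // required by the table client
    public RelyingPartyEntity(string realm, string replyUrl, X509Certificate2 encryptingCert)
        : base(Partition, Guid.NewGuid().ToString("N"))
    {
        Realm = realm;
        ReplyUrl = replyUrl;
        // Public certificate only (DER, base64); null when the RP does not want encrypted tokens
        EncryptingCertificate = encryptingCert == null ? null
            : Convert.ToBase64String(encryptingCert.Export(X509ContentType.Cert));
    }
    public string Realm { get; set; }                 // wtrealm / AppliesTo the RP presents
    public string ReplyUrl { get; set; }              // the only address tokens may be posted to
    public string EncryptingCertificate { get; set; }
}

// The management API an admin tool calls instead of redeploying
public class RelyingPartyRegistry
{
    private const string TableName = "RelyingParties";
    private readonly CloudTableClient _client;

    public RelyingPartyRegistry(CloudStorageAccount account)
    {
        _client = account.CreateCloudTableClient();
        _client.CreateTableIfNotExist(TableName);
    }

    public void Add(RelyingPartyEntity rp)
    {
        TableServiceContext ctx = _client.GetDataServiceContext();
        ctx.AddObject(TableName, rp);
        ctx.SaveChanges();
    }

    public void Remove(string realm)
    {
        TableServiceContext ctx = _client.GetDataServiceContext();
        RelyingPartyEntity rp = Find(ctx, realm);   // same context, so the entity is tracked for delete
        if (rp == null) return;
        ctx.DeleteObject(rp);
        ctx.SaveChanges();
    }

    public RelyingPartyEntity Find(string realm) { return Find(_client.GetDataServiceContext(), realm); }

    // Partition scan plus in-memory match: Realm contains '/' and so cannot serve as the RowKey
    private static RelyingPartyEntity Find(TableServiceContext ctx, string realm)
    {
        return ctx.CreateQuery<RelyingPartyEntity>(TableName)
                  .Where(e => e.PartitionKey == RelyingPartyEntity.Partition)
                  .AsTableServiceQuery().ToList()
                  .FirstOrDefault(e => string.Equals(e.Realm, realm, StringComparison.OrdinalIgnoreCase));
    }
}

public class TableBackedSecurityTokenService : SecurityTokenService
{
    private readonly RelyingPartyRegistry _registry;

    public TableBackedSecurityTokenService(SecurityTokenServiceConfiguration config, RelyingPartyRegistry registry)
        : base(config) { _registry = registry; }

    // The scope decides whether a token is issued at all, where it goes and how it is protected
    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        string realm = request.AppliesTo == null ? null : request.AppliesTo.Uri.OriginalString;
        RelyingPartyEntity rp = realm == null ? null : _registry.Find(realm);
        if (rp == null)
            throw new InvalidRequestException("Unknown relying party: " + realm);   // known RPs only

        Scope scope = new Scope(realm, SecurityTokenServiceConfiguration.SigningCredentials);
        // Honour wreply (the per-environment address trick) only when it sits under the registered
        // reply URL; anything else falls back to the registered address.
        string requested = request.ReplyTo;
        scope.ReplyToAddress = !string.IsNullOrEmpty(requested)
            && requested.StartsWith(rp.ReplyUrl, StringComparison.OrdinalIgnoreCase) ? requested : rp.ReplyUrl;
        if (string.IsNullOrEmpty(rp.EncryptingCertificate))
            scope.TokenEncryptionRequired = false;
        else
            scope.EncryptingCredentials = new X509EncryptingCredentials(
                new X509Certificate2(Convert.FromBase64String(rp.EncryptingCertificate)));
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        IClaimsIdentity output = new ClaimsIdentity();
        output.Claims.Add(new Claim(ClaimTypes.Name, principal.Identity.Name));   // minimal claim set
        return output;
    }
}
```

The registry lookup runs on every token request; for more than a handful of RPs, cache the partition in memory and refresh it on a timer, since the list changes only when an admin calls Add or Remove.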

  32. Summary
  • Claims Based Identity works both on-premises & in the cloud
    • The app code is isolated from the deployment environment
  • Resources are handled differently in Windows Azure and on-premises
  • WIF needs a few nudges for operating in the cloud
    • Endpoints
    • Certificates
    • Sessions
    • File system vs storage

  33. Resources
  • WIF Home page: http://msdn.microsoft.com/wif
  • Forum: http://social.msdn.microsoft.com/Forums/en-US/Geneva/threads/
  • Team Blog: http://blogs.msdn.com/card/
  • Downloadable Training Kit: http://go.microsoft.com/fwlink/?LinkId=148795
  • Online Training Course on Channel9: http://channel9.msdn.com/learn/courses/IdentityTrainingCourse
  • Channel9 Show on Identity: http://channel9.msdn.com/identity/
  • My blog: http://blogs.msdn.com/vbertocci/

  34. Resources
  • Sessions On-Demand & Community: www.microsoft.com/teched
  • Microsoft Certification & Training Resources: www.microsoft.com/learning
  • Resources for IT Professionals: http://microsoft.com/technet
  • Resources for Developers: http://microsoft.com/msdn

  35. Related Content
  • SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure
  • SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
  • SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
  • Demo Station: Identity and Access Management, SIA Stations 5 & 6

  36. Download WIF SDK & the Identity Training Kit!

  37. Complete an evaluation on CommNet and enter to win!

  38. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.