Using Windows Azure for Solving Identity Management Challenges
Michael S. Collier, National Architect, Cloud
Level: Intermediate
Jan 14, 2015
About Me
Michael S. Collier
National Architect, Cloud
@MichaelCollier
www.MichaelSCollier.com
http://www.slideshare.net/buckeye01
Agenda
• Identity Management Challenges
• Access Control Services
– Claims
– Setup tips
– Gotchas
• Windows Azure Mobile Services
– Quickly leverage social identities
• Windows Azure Active Directory
– What it is
– Quick setup
– Exploring the directory graph
Who Are You?
• Personalization
• Business Rules
• Functionality / Features
Traditional Identity Management
• Windows Integrated Authentication (Active Directory)
• Membership Provider
• Proven Approach
• Leverage WIF?
[Diagram: AD and SQL inside "My Enterprise"]
Cloud? We Have a Problem
• Multiple islands of identity
• Environment not under our physical control
• Disconnected from the enterprise (potentially)
Options
• Social Networks
– They change . . . often
– The right one?
– Another?
– More work!
• Membership Provider
– SQL Database
– Table Storage
– Pros: mostly known entity; migrate existing data
– Cons: user management; security leak
• New: Microsoft Account
Windows Azure Access Control Service
• No need to build your own identity management solution.
• Authenticate (WIF – OAuth and WS-Federation)
• Claims-based authorization
• Multiple Identity Providers (ADFSv2, Google, Live ID, etc.)
• Ability to bring your own via membership
• One to rule them all!
• Easy for your users
Windows Azure icons courtesy of David Pallmann.
Key ACS Concepts
• Relying Party (RP): Web application that outsources authentication to an authority it trusts (the IP or Federation Provider). The RP is your app.
• Identity Provider (IP): Authenticates users and issues tokens
• Token: Digitally signed security data issued after user authenticated. Used to gain access to the RP (your app).
• Claim: Attributes about the authenticated user (age, birthdate, email address, name, etc.)
• Federation Provider: Intermediary between the RP and IP. ACS is a Federation Provider.
• STS: Security Token Service – issues tokens containing claims. ACS is an STS.
Authentication Workflow
[Diagram: Browser, Identity Provider, Access Control, Application]
1. Request Resource
2. Redirect to Identity Provider
3. Login
4. Authenticate & Issue Token
5. Redirect to AC service
6. Send Token to ACS
7. Validate Token, Run Rules Engine, Issue Token
8. Redirect to RP with ACS Token
9. Send ACS Token to Relying Party
10. Validate Token
11. Return resource representation
Courtesy Windows Azure Boot Camp
Claims Enrichment
• Identity Providers only provide a few claims
– Microsoft Account / Live ID provides just one (Name Identifier)
– Facebook, Google and Yahoo! provide at least three (email, name, name identifier)
– ADFSv2: see http://msdn.microsoft.com/en-us/library/windowsazure/gg185971.aspx
• Add more claims that are known to your application
– ClaimsAuthenticationManager
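The enrichment step above, as an added example in C# (not code from the deck): a ClaimsAuthenticationManager that adds application-known role and display-name claims to the principal ACS hands back. The profile store, its sample data, the claim type "http://schemas.example.org/claims/displayname" and the issuer name "urn:example:myapp" are assumptions made for this example; ClaimsAuthenticationManager, the ACS identityprovider claim type and the claimsAuthenticationManager config element are real WIF 4.5 names.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Register in web.config (WIF 4.5):
// <system.identityModel><identityConfiguration>
//   <claimsAuthenticationManager type="AppClaimsAuthenticationManager, MyApp" />
// </identityConfiguration></system.identityModel>
public sealed class UserProfile
{
    public string DisplayName { get; set; }
    public IList<string> Roles { get; set; }
}

public interface IUserProfileStore
{
    // Returns null when the federated identity is not known to the application.
    UserProfile Find(string identityProvider, string nameIdentifier);
}

// Constructed sample store (assumption for the example); a real app would query its database.
public sealed class InMemoryProfileStore : IUserProfileStore
{
    private readonly Dictionary<string, UserProfile> _profiles = new Dictionary<string, UserProfile>
    {
        { "Google|108271893273", new UserProfile { DisplayName = "Sample Admin", Roles = new[] { "Admin", "User" } } },
        { "Facebook|5551212",   new UserProfile { DisplayName = "Sample User",  Roles = new[] { "User" } } }
    };

    public UserProfile Find(string identityProvider, string nameIdentifier)
    {
        UserProfile profile;
        return _profiles.TryGetValue(identityProvider + "|" + nameIdentifier, out profile) ? profile : null;
    }
}

public sealed class AppClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // ACS adds this claim to tell the RP which identity provider authenticated the user.
    private const string IdentityProviderClaim = "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";
    private const string AppIssuer = "urn:example:myapp";   // placeholder issuer for app-added claims
    private readonly IUserProfileStore _profiles;

    public AppClaimsAuthenticationManager() : this(new InMemoryProfileStore()) { }   // WIF needs a parameterless ctor
    public AppClaimsAuthenticationManager(IUserProfileStore profiles) { _profiles = profiles; }

    // Called once per sign-in, after WIF has validated the incoming token.
    // The principal returned here is what gets written to the session cookie.
    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal;   // anonymous request: nothing to enrich

        var identity = (ClaimsIdentity)incomingPrincipal.Identity;
        Claim nameId = identity.FindFirst(ClaimTypes.NameIdentifier);
        if (nameId == null)
            return incomingPrincipal;   // no stable key, so no safe way to look the user up

        // Key on provider + name identifier: the same identifier string from two
        // different identity providers is two different users.
        Claim provider = identity.FindFirst(IdentityProviderClaim);
        string providerName = provider != null ? provider.Value : nameId.Issuer;

        UserProfile profile = _profiles.Find(providerName, nameId.Value);
        if (profile == null)
            return incomingPrincipal;   // authenticated but unknown to the app: no roles added

        // Mark app-added claims with the app as issuer so they are distinguishable
        // from claims the identity provider (or ACS) asserted.
        foreach (string role in profile.Roles)
            identity.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, AppIssuer));
        identity.AddClaim(new Claim("http://schemas.example.org/claims/displayname", profile.DisplayName, ClaimValueTypes.String, AppIssuer));

        return incomingPrincipal;
    }
}
```

Because the enriched principal is serialised into the WIF session cookie, the lookup runs once per sign-in rather than per request; a role change in the store therefore takes effect only at the next sign-in.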
DEMO
Getting Started with ACS
Recap
1. Create a new ASP.NET 4.5 Web Site
a) Capture User.Identity.Name
2. Create an ACS namespace
a) Portal
b) Visual Studio tooling
3. Configure site using the ‘Identity and Access’ tool in Visual Studio
a) Provide ACS namespace and management password
b) Enable desired Identity Providers (e.g. Google)
c) Configure realm, reply-to address, etc.
4. Optional: Add ClaimsAuthenticationManager
5. Run it
Tips & Tricks
• WIF relies on the web.config file
• Problematic for staging deployments – you don’t know the URL until deployed
• Add logic to the WebRole’s OnStart() to update the WIF settings in web.config
– Read in configuration settings from the .cscfg
– Update and save the web.config
– Changing .cscfg settings can cause a role recycle . . . causing web.config to update
Tips & Tricks
• Staging vs. Production
– WIF configuration in web.config
– Staging URL unknown until deployment
– Change WIF configuration in web.config during role startup
See Vittorio Bertocci’s blog post at http://blogs.msdn.com/b/vbertocci/archive/2011/05/31/edit-and-apply-new-wif-s-config-settings-in-your-windows-azure-webrole-without-redeploying.aspx
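The OnStart() approach from the two Tips & Tricks slides above, as an added C# example (neither the deck's nor Vittorio Bertocci's code). Assumptions: a .cscfg setting named "WifSiteUrl" (placeholder name), the full-IIS site root at %RoleRoot%\sitesroot\0, and <Runtime executionContext="elevated" /> in the .csdef so that web.config is writable. The web.config elements it rewrites are the audienceUris and wsFederation settings named later in the deck.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Xml.Linq;
using Microsoft.WindowsAzure.ServiceRuntime;

public class WebRole : RoleEntryPoint
{
    public override bool OnStart()
    {
        string siteUrl = RoleEnvironment.GetConfigurationSettingValue("WifSiteUrl");   // assumed .cscfg setting
        string siteRoot = Path.Combine(Environment.GetEnvironmentVariable("RoleRoot") ?? ".", "sitesroot", "0");
        WifConfigUpdater.Apply(Path.Combine(siteRoot, "web.config"), siteUrl);

        // A .cscfg change raises Changing; cancelling it recycles the instance,
        // which re-runs OnStart and applies the new URL to web.config.
        RoleEnvironment.Changing += (sender, e) =>
        {
            if (e.Changes.OfType<RoleEnvironmentConfigurationSettingChange>()
                         .Any(c => c.ConfigurationSettingName == "WifSiteUrl"))
                e.Cancel = true;
        };
        return base.OnStart();
    }
}

public static class WifConfigUpdater
{
    // Rewrites the WIF realm/reply/audience to siteUrl. Returns true if web.config changed.
    public static bool Apply(string webConfigPath, string siteUrl)
    {
        Uri uri;
        if (!Uri.TryCreate(siteUrl, UriKind.Absolute, out uri) || uri.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("WifSiteUrl must be an absolute https URL");
        // Trailing slash matters: WIF compares audience URIs exactly.
        string realm = uri.GetLeftPart(UriPartial.Authority) + "/";

        XDocument doc = XDocument.Load(webConfigPath, LoadOptions.PreserveWhitespace);
        bool changed = false;

        // <system.identityModel><identityConfiguration><audienceUris><add value="..."/>
        XElement audience = doc.Root.Element("system.identityModel")
            ?.Element("identityConfiguration")?.Element("audienceUris")?.Element("add");
        changed |= SetAttribute(audience, "value", realm);

        // <system.identityModel.services><federationConfiguration><wsFederation realm="..." reply="..."/>
        XElement wsFed = doc.Root.Element("system.identityModel.services")
            ?.Element("federationConfiguration")?.Element("wsFederation");
        changed |= SetAttribute(wsFed, "realm", realm);
        changed |= SetAttribute(wsFed, "reply", realm);

        // Only save when something differs: every write to web.config recycles the app domain.
        if (changed) doc.Save(webConfigPath);
        return changed;
    }

    private static bool SetAttribute(XElement element, string name, string value)
    {
        if (element == null)
            throw new InvalidOperationException("WIF element for '" + name + "' missing from web.config");
        if ((string)element.Attribute(name) == value) return false;
        element.SetAttributeValue(name, value);
        return true;
    }
}
```

The realm written here must also be registered on the relying party in ACS (the realm and reply-to address from the recap), otherwise ACS will refuse to issue a token for the staging URL.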
Tips & Tricks
• Cookie Encryption
– DPAPI is used to protect cookies sent to the client.
– DPAPI is not supported in Windows Azure.
– Use RsaEncryptionCookieTransform to encrypt with the same cert used for SSL.
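The RsaEncryptionCookieTransform swap above, as an added C# example (not code from the deck), targeting WIF 4.5 (System.IdentityModel / System.IdentityModel.Services). The appSetting name "SessionCookieCertThumbprint" is an assumption; the cert is expected to be uploaded to the hosted service and present in the LocalMachine\My store of every instance, which is what makes a session cookie readable by all instances behind the load balancer.

```csharp
using System;
using System.Collections.ObjectModel;
using System.Configuration;
using System.IdentityModel;                        // CookieTransform and the Deflate/Rsa transforms
using System.IdentityModel.Services;               // FederatedAuthentication
using System.IdentityModel.Services.Configuration; // FederationConfiguration
using System.IdentityModel.Tokens;                 // SessionSecurityTokenHandler
using System.Security.Cryptography.X509Certificates;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_Start()
    {
        // Raised once when WIF builds its configuration: the place to replace the session handler.
        FederatedAuthentication.FederationConfigurationCreated += (sender, e) =>
        {
            X509Certificate2 cert = SessionCookieProtection.LoadCertificate(
                ConfigurationManager.AppSettings["SessionCookieCertThumbprint"]);   // assumed setting name
            SessionCookieProtection.Install(e.FederationConfiguration, cert);
        };
    }
}

public static class SessionCookieProtection
{
    public static void Install(FederationConfiguration config, X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Certificate needs its private key to decrypt session cookies");

        // Order matters: compress, then encrypt, then sign, so the signature covers the ciphertext
        // and a tampered cookie is rejected before any decryption is attempted.
        var transforms = new ReadOnlyCollection<CookieTransform>(new CookieTransform[]
        {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(cert),
            new RsaSignatureCookieTransform(cert)
        });
        var handler = new SessionSecurityTokenHandler(transforms);
        config.IdentityConfiguration.SecurityTokenHandlers.AddOrReplace(handler);   // replaces the DPAPI-based default
    }

    public static X509Certificate2 LoadCertificate(string thumbprint)
    {
        if (string.IsNullOrWhiteSpace(thumbprint))
            throw new ArgumentException("Certificate thumbprint is not configured");

        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly: false so a self-signed development certificate is not filtered out.
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count != 1)
                throw new InvalidOperationException("Expected exactly one certificate with thumbprint " + thumbprint);
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }
}
```

Rotating the SSL certificate invalidates every outstanding session cookie, so users are simply sent back through the sign-in flow; that is the expected behaviour, not an error.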
Tips & Tricks
• Change request validation
• Use ASP.NET 2 validation: <httpRuntime requestValidationMode="2.0" />
• Custom validator: <httpRuntime requestValidationType="AccessControlRequestValidator" />
Source: http://social.technet.microsoft.com/wiki/contents/articles/1725.windows-identity-foundation-wif-a-potentially-dangerous-request-form-value-was-detected-from-the-client-wresult-t-requestsecurityto.aspx
Gotchas
• Single sign-out not currently supported
– Provide a sign-out link for the specific Identity Provider
• Windows Azure co-admin cannot administer an ACS namespace
– Add Live ID, WAAD, Google, etc.
• WIF not installed on Windows Azure roles (.NET 3.5)
– Microsoft.IdentityModel → Copy Local = true
– Install WIF via a startup task (recommended)
The Impact for Mobile Apps
• Social Networks – Important
– Users likely already have at least one
– Quick and easy signup
– Potential for rapid user base expansion
• Multiple identity provider choices via Windows Azure Mobile Services
DEMO
Windows Azure Mobile Services
Recap
• Windows Azure Mobile Services app
• Developer accounts for social networks
– Microsoft Account
• Add key/secret to WAMS app
• Prompt for user authentication: await App.MobileService.LoginAsync(MobileServiceAuthenticationProvider.Twitter);
• Optional
– Live SDK to use SSO in Windows Store apps
Windows Azure Active Directory
• Extends AD into the cloud
• Started as directory for Office365
• Provides single sign-on for cloud applications
• Query-able social graph (native apps too)
• Connect from any device and platform
– RESTful access to the directory
– XML/JSON request/response
• Can sync or federate on-premises AD to cloud
WAAD is in a Developer Preview status. ☺
The Directory
[Diagram: Windows Azure Active Directory as a multi-tenant directory; objects linked by MemberOf and DirectReports; a WAAD tenant synchronised from on-premises Active Directory via DirSync]
Getting Started
• Organization ID
– Office365
– Dev/Test Tenant: http://aka.ms/WAADSignup (<tenant>.onmicrosoft.com)
• Windows Azure Subscription
• Microsoft ASP.NET Tools for Windows Azure Active Directory – Visual Studio 2012
– http://go.microsoft.com/fwlink/?LinkID=282306
• Office365 / Windows Azure Active Directory Management Cmdlets
– http://aka.ms/aadposh
DEMO
Windows Azure Active Directory – Setup and Connect to WAAD
Recap
1. Pre-reqs
a) Windows Azure AD PowerShell cmdlets
b) Windows Azure AD tenant
c) Visual Studio tools
2. Create new ASP.NET 4.5 web site
3. ‘Enable Windows Azure Authentication’
a) Under the ‘Project’ menu in Visual Studio
b) Authenticate with a WAAD administrative account
4. Run
Graph API
• RESTful interface for Windows Azure AD
– Compatible with OData V3
– Use latest WCF 5.3 update (API v0.9)
– OAuth 2.0 for authentication
• Programmatic access to the directory
– DirectoryObject – User, Group, Role, Licenses, Tenant, etc.
– Links – memberOf, directReports
• Standard HTTP methods
– GET, POST, PATCH, DELETE for directory objects
– HTTP status codes
Directory Permissions
• The application has rights to the directory, not the authenticated user
• Your application == service principal
• Application Roles
– Partner Tier1 Support
– Partner Tier2 Support
– Company Administrator
– Helpdesk Administrator
– Directory Readers
– Directory Writers
– Billing Administrator
– Service Support Administrator
– User Account Administrator
Request
GET https://graph.windows.net/michaelcollier.onmicrosoft.com/directoryObjects/$/Microsoft.WindowsAzure.ActiveDirectory.User()?%24filter=userPrincipalName+eq+%27michael%40michaelcollier.onmicrosoft.com%27&%24top=2&api-version=0.9 HTTP/1.1
User-Agent: Microsoft ADO.NET Data Services
DataServiceVersion: 3.0;NetFx
MaxDataServiceVersion: 3.0;NetFx
Accept: application/atom+xml,application/xml
Accept-Charset: UTF-8
DataServiceUrlConventions: KeyAsSegment
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1THdqcHdBSk9NOW4tQSJ9.eyJhdWQiOiIwMDAwMDAwMi0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAvZ3JhcGgud2luZG93cy5uZXRAMTEyNzExNTktYWJjOC00ZTBlLWIzYzItYzJhMDg1OGEwMzZiIiwiaXNzIjoiMDAwMDAwMDEtMDAwMC0wMDAwLWMwMDAtMDAwMDAw……
Host: graph.windows.net
Response
<?xml version="1.0" encoding="utf-8"?>
<feed xml:base="https://graph.windows.net/michaelcollier.onmicrosoft.com/" xmlns="http://www.w3.org/2005/Atom" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:georss="http://www.georss.org/georss" xmlns:gml="http://www.opengis.net/gml">
<id>https://graph.windows.net/michaelcollier.onmicrosoft.com/directoryObjects/$/Microsoft.WindowsAzure.ActiveDirectory.User</id>
<title type="text">Microsoft.WindowsAzure.ActiveDirectory.User</title>
<updated>2013-03-21T00:58:34Z</updated>
<link rel="self" title="Microsoft.WindowsAzure.ActiveDirectory.User" href="Microsoft.WindowsAzure.ActiveDirectory.User" />
<entry>
<id>https://graph.windows.net/michaelcollier.onmicrosoft.com/directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6</id>
<category term="Microsoft.WindowsAzure.ActiveDirectory.User" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
<link rel="edit" title="User" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User" />
<link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/manager" type="application/atom+xml;type=entry" title="manager" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/manager" />
<link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/directReports" type="application/atom+xml;type=feed" title="directReports" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/directReports" />
<link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/members" type="application/atom+xml;type=feed" title="members" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/members" />
<link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/memberOf" type="application/atom+xml;type=feed" title="memberOf" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/memberOf" />
<link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/permissions" type="application/atom+xml;type=feed" title="permissions" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/permissions" />
<link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/edit-media/thumbnailPhoto" title="thumbnailPhoto" href="directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/thumbnailPhoto" />
<m:action metadata="https://graph.windows.net/michaelcollier.onmicrosoft.com/$metadata#DirectoryDataService.assignLicense" title="assignLicense" target="https://graph.windows.net/michaelcollier.onmicrosoft.com/directoryObjects/23dc9514-64ec-4c94-8f03-4edf9016b2a6/Microsoft.WindowsAzure.ActiveDirectory.User/assignLicense" />
<content type="application/xml">
<m:properties>
<d:objectType>User</d:objectType>
<d:objectId>23dc9514-64ec-4c94-8f03-4edf9016b2a6</d:objectId>
<d:accountEnabled m:type="Edm.Boolean">true</d:accountEnabled>
<d:assignedLicenses m:type="Collection(Microsoft.WindowsAzure.ActiveDirectory.AssignedLicense)" />
<d:assignedPlans m:type="Collection(Microsoft.WindowsAzure.ActiveDirectory.AssignedPlan)" />
<d:city m:null="true" />
<d:displayName>Michael Collier</d:displayName>
<d:givenName>Michael</d:givenName>
<d:mailNickname>michael</d:mailNickname>
<d:mobile>+1 6142883146</d:mobile>
<d:otherMails m:type="Collection(Edm.String)">
<d:element>[email protected]</d:element>
</d:otherMails>
<d:userPrincipalName>[email protected]</d:userPrincipalName>
</m:properties>
</content>
</entry>
</feed>
* Some elements removed for readability.
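The request captured above, issued from C# with HttpClient as an added example (not the deck's code, which used the ADO.NET Data Services client). It builds the same $filter on userPrincipalName for API version 0.9, but treats the UPN as untrusted input: an OData string literal escapes a single quote by doubling it, and without that a value such as x' or 1 eq 1 or ' would rewrite the filter and return users other than the one asked for. The bearer token is assumed to have been obtained separately (for example with WAAL); the tenant and UPN are caller-supplied, and JSON is requested instead of the Atom feed the deck shows.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;

public static class GraphUserLookup
{
    private const string ApiVersion = "0.9";   // the version used in the request above

    // OData V3 string literal: wrap in single quotes, escape embedded quotes by doubling them.
    public static string ODataStringLiteral(string value)
    {
        if (value == null) throw new ArgumentNullException("value");
        return "'" + value.Replace("'", "''") + "'";
    }

    public static Uri BuildUserByUpnUri(string tenant, string userPrincipalName)
    {
        string filter = "userPrincipalName eq " + ODataStringLiteral(userPrincipalName);
        // $top=2 as in the captured request: a second entry would reveal a non-unique match.
        return new Uri("https://graph.windows.net/" + Uri.EscapeDataString(tenant)
            + "/directoryObjects/$/Microsoft.WindowsAzure.ActiveDirectory.User()"
            + "?$filter=" + Uri.EscapeDataString(filter)
            + "&$top=2&api-version=" + ApiVersion);
    }

    public static async Task<string> GetUserAsync(string tenant, string userPrincipalName, string accessToken)
    {
        using (var client = new HttpClient())
        {
            // Bearer token in the Authorization header, exactly as in the captured request.
            client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
            client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

            HttpResponseMessage response = await client.GetAsync(BuildUserByUpnUri(tenant, userPrincipalName));

            // 401/403 here means the service principal lacks a directory role (see Directory
            // Permissions), not that the user does not exist; an unknown user yields an empty result.
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        }
    }
}
```

For the constructed input tenant "contoso.onmicrosoft.com" and UPN "o'brien@contoso.onmicrosoft.com", BuildUserByUpnUri produces a filter of userPrincipalName eq 'o''brien@contoso.onmicrosoft.com' before percent-encoding, which the service reads as a single literal.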
Windows Azure Authentication Library (WAAL)
• Simplifies authentication
• Client-side only
– Used to obtain an authentication token only; no token validation
– Web apps/services or rich clients
• Server-side token authentication
– JSON Web Token Handler (JWT Handler)
– Samples: http://code.msdn.com – search “aal”, filter Technology = Windows Azure, Visual Studio Version = VS2012 (AAL > Windows Azure > Visual Studio 2012)
Registering Your App with WAAD
• AppPrincipalId (ServicePrincipal)
– identityConfiguration/audienceUris
– system.identityModel.services/federationConfiguration/wsFederation
• Read this blog post by Vittorio Bertocci
– http://www.cloudidentity.com/blog/2013/01/22/group-amp-role-claims-use-the-graph-api-to-get-back-isinrole-and-authorize-in-windows-azure-ad-apps/
Registering Your App with WAAD
Import-Module MSOnlineExtended -Force
# Connect to the WAAD tenant. Use tenant admin credentials (the same used in the MVC VS2012 tools),
# i.e. <user>@<tenant>.onmicrosoft.com
Connect-MsolService
# The AppPrincipalId from the web.config
$AppPrincipalId = '9a90ed83-acff-44d7-813f-d7e724fef1aa'
# Get the Service Principal object
$servicePrincipalId = (Get-MsolServicePrincipal -AppPrincipalId $AppPrincipalId)
# Add the service principal to the appropriate role in WAAD.
# Pick the narrowest role the app needs (e.g. Directory Readers if it only reads the graph); see Directory Permissions.
Add-MsolRoleMember -RoleMemberType "ServicePrincipal" -RoleName "User Account Administrator" -RoleMemberObjectId $servicePrincipalId.ObjectId
# Dates for which the credential is valid (1 year)
$timeNow = Get-Date
$expiryTime = $timeNow.AddYears(1)
# Generate the symmetric key: 32 random bytes, base64-encoded
$cryptoProvider = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$byteArr = New-Object byte[] 32
$cryptoProvider.GetBytes($byteArr)
$signingKey = [Convert]::ToBase64String($byteArr)
# The key is the application's credential and is written to disk in plaintext; copy it into web.config, then remove the file.
$signingKey | Out-File signingKey.txt
# Create a new service principal credential with the created key, and assign it to the service principal.
New-MsolServicePrincipalCredential -AppPrincipalId $AppPrincipalId -Type symmetric -StartDate $timeNow -EndDate $expiryTime -Usage Verify -Value $signingKey
DEMO
WAAD and Expense Application (Code Walkthrough)
Going Further
• Multitenant applications
– Leverage identity from other WAAD tenants
– http://www.windowsazure.com/en-us/develop/net/tutorials/multitenant-apps-for-active-directory/
• Phone 2FA
– Additional administrative users
– Username/pwd + text message code
– ONLY for WAAD users and applications now
• Configure as an Identity Provider in ACS
Windows Azure Virtual Network
[Diagram: site-to-site VPN tunnel between the enterprise and Windows Azure; currently in Preview]
Image courtesy of the Windows Azure Training Kit
Summary
• Traditional identity management in the cloud is hard
– Many external islands of identity
– Current technology hard or not interoperable
• ACS provides a standards-based approach
– Integrates with Windows Identity Foundation
– Claims-based authorization
– Built-in support for ADFSv2, Google, Live ID, Yahoo!, & Facebook
• Enrich functionality using WIF
• Leverage Windows Azure Mobile Services for mobile apps
• Windows Azure Active Directory shows the future direction
Resources
• Windows Azure ACS Guide – http://www.windowsazure.com/en-us/develop/net/how-to-guides/access-control/#config-trust
• Programming Windows Identity Foundation, Vittorio Bertocci
• CloudIdentity.com, Vittorio Bertocci’s blog
• “Claims-Based Authorization with WIF”, Michele Bustamante – http://msdn.microsoft.com/en-us/magazine/ee335707.aspx
• ACS Cheat Sheet – http://bit.ly/ACSCheatSheet
• ACS How To’s – http://bit.ly/ACSHowTo
• ACS Tips – http://bit.ly/HYhxjY
• Publishing an ACS v2 Federated Identity Web Role – http://bit.ly/HPT6rk
• MVC Sample App for Windows Azure Active Directory Graph – http://code.msdn.microsoft.com/Write-Sample-App-for-79e55502
• Windows Azure Active Directory Graph Team – http://blogs.msdn.com/b/aadgraphteam/
Ask your questions
Thank You!!
Michael S. Collier, National Architect, Cloud – @MichaelCollier – www.MichaelSCollier.com – http://www.slideshare.net/buckeye01
Please fill out your session evals!