Identity & Cloud Services. Vittorio Bertocci, Sr. Architect Evangelist, Microsoft Corporation. Session Code: ARC302
Agenda: The Cloud; Cloud & Identity; Claims Based Identity; Identity.Biztalk.Net
What is the Cloud?
5 Once Upon a Time…
6 Then a New Idea Came Out…
What is Cloud Computing: the evolution of hosting. Source: Forrester Research, “Is Cloud Computing Ready For The Enterprise?”, March 2008
Why Cloud Computing. S+S: outsource functions to external services. The Cloud is “Platform as a Service”: host your own resources “in the cloud” (storage, workflows, services…) and expose your on-premise services “in the cloud” for others to consume. Advantages: no more IT headache; scale; reach; pay as you use.
Everything in the Cloud from now on? “…larger companies…can be expected to pursue a hybrid approach for many years, supplying some hardware and software requirements themselves and purchasing others over the grid. One of the key challenges for corporate IT departments, in fact, lies in making the right decisions about what to hold on to and what to let go.” Nicholas Carr, “The Big Switch”
Microsoft Data Center in Chicago. Cost: $500 million. Size: 500,000 square foot facility (10 football fields). Container-based. FYI: Microsoft averages the deployment of new servers each month
Cloud & Identity
On-Premise Identity Management
Moving Assets to the Cloud
Identity & Cloud: Challenges & Opportunities. Opportunities: outsource aspects of identity management; manage relationships; offload credential management; automatic support for multiple technologies. Challenges: resource decentralization; investments in directory harder to turn into ROI; forces true service orientation.
Claims Based Identity
Claims Based Identity Management: Introduction. Traditionally, Web authentication uses “pure credentials”; “intranet” authentication relies on information from well-known authorities; different authentication technologies are isolated silos. When working with cloud resources we cannot afford any of these. Claims based identity changes all this by merging credentials and subject information in a single artifact, and by negotiating authentication details on the fly via policies, open standards and trust relationships.
Authentication in the Offline World (diagram: a browser talking to a web server and a web service, with an authority vouching for a claim such as AGE: 36)
Tools of the Trade. Claims: statements about an entity (subject) made by an entity (issuer). Tokens: signed XML fragments which transport credentials and claims about a subject. Security Token Service (STS): a web service that issues security tokens.
A Token (diagram): a claims collection (ClaimName 1: Value 1 … ClaimName n: Value n); the issuer’s signature (S) over it; [optional] key material; encryption (E) for the intended audience.
The Canonical S-IP-RP Pattern (diagram): Subject, Identity Provider (IP), Relying Party (RP). The subject reads the RP’s policy, sends an RST (RequestSecurityToken) to the IP, receives a SAML token in the RSTR (RequestSecurityTokenResponse) and presents that SAML token to the RP.
The R-STS Pattern (diagram): Subject, IP, RP and a Claims Transformer (R-STS) that the RP trusts. The subject sends the SAML token obtained from the IP in an RST to the R-STS, which issues a new SAML token for the RP.
The R-STS as Point of Trust & Access Management (diagram: trust between IP and R-STS; the R-STS fronting the resources)
The R-STS Pattern is Ideal for Cloud Providers: a natural point of trust brokering with customers and partners; a natural point of authorization evaluation and enforcement; resources are decoupled from the original credentials; use of standards; policy-based dynamic negotiations.
Example: Exposing a Service via an R-STS in the Cloud
Identity.Biztalk.Net
BizTalk Services. What is it: “BizTalk Labs provides early access to experimental connectivity and business process technologies”. Connectivity: naming, firewall traversal, eventing. Workflow: hosted workflows. Identity.
Identity.Biztalk.Net. The IBN is a rules-driven, federated, claims based access control system. In practice: every BTS.Net account gets a dedicated R-STS instance; the claim transformation logic is driven by user-defined rules; certain claims are evaluated directly into authorization decisions; claims, rules, recognized issuers and crypto can be managed both via the web portal and via API.
Rules, Trust & Credentials (diagram): federated credentials (U/P, LiveID, Personal Card, X509) presented to the IBN; trust relationships; claims transformation rules; policy; a SAML token issued to the ISV resource.
Rule Model
Management & Delegated Access: Identity.biztalk.net; IBN/{username}
Rules Example: voting application (FederatedIdentity.net; Vote For Phones; Vote For Laptops). If from FederatedIdentity.net && “Group” is “domain users”: can call VoteForPhones. If from FederatedIdentity.net && “Group” is “domain users”: can call VoteForLaptops.
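Worked example of the R-STS pattern and the IBN rule model shown above, added here (not code from the deck or from BizTalk Services): the IP issues a signed token, the R-STS accepts it only from a trusted issuer, applies rules of the form “if from issuer && claim is value, can call action” to turn claims into authorization decisions, and issues its own token that the RP verifies. Assumptions: HMAC signatures over JSON stand in for SAML XML signatures, and the keys and rule tuples are constructed for the example.

```python
import hmac, hashlib, json

# Constructed signing keys (assumption: HMAC over JSON stands in for the
# XML signature a real SAML token carries).
KEYS = {"FederatedIdentity.net": b"ip-signing-key", "R-STS": b"rsts-signing-key"}

def issue_token(issuer, claims, key):
    """Issuer signs a claims collection: the token is body + issuer's signature."""
    body = json.dumps({"issuer": issuer, "claims": claims}, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def verify_token(token, trusted):
    """Return the parsed token only if the issuer is trusted and the signature checks."""
    parsed = json.loads(token["body"])
    key = trusted.get(parsed["issuer"])
    if key is None:
        return None                       # unknown issuer: no trust relationship
    expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None                       # tampered or forged token
    return parsed

# User-defined rules in the IBN style: (issuer, claim name, claim value, action).
RULES = [("FederatedIdentity.net", "Group", "domain users", "VoteForPhones"),
         ("FederatedIdentity.net", "Group", "domain users", "VoteForLaptops")]

def transform(verified, rules):
    """Claims transformer: input claims become authorization decisions (Action claims)."""
    actions = {act for iss, name, val, act in rules
               if verified["issuer"] == iss and verified["claims"].get(name) == val}
    return sorted(actions)

def rsts_issue(token, trusted_issuers, rules):
    """R-STS: verify the incoming token, apply the rules, issue a new token."""
    verified = verify_token(token, trusted_issuers)
    if verified is None:
        return None
    return issue_token("R-STS", {"Action": transform(verified, rules)}, KEYS["R-STS"])

def rp_allows(rsts_token, action):
    """RP trusts only the R-STS (not the original IP) and checks the Action claim."""
    verified = verify_token(rsts_token, {"R-STS": KEYS["R-STS"]})
    return verified is not None and action in verified["claims"]["Action"]
```

A production token would also carry an audience and a lifetime (the deck's “encryption for the intended audience” serves the audience side); those checks are omitted here to keep the rule evaluation in focus.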
Identity.Biztalk.Net
Summary. The shift toward the Cloud drives toward a utility model. The Cloud can simplify identity and access management. The claims based approach supports on-premise, cloud and hybrid scenarios. Identity.Biztalk.Net provides a nice testbed for those ideas.
Call to Action
Resources: Tech·Talks; Tech·Ed Bloggers; Live Simulcasts; Virtual Labs; evaluation licenses, pre-released products, and more; Developer’s Kit, licenses, and more.
Related Content, Breakout Sessions: SOA308 “Zermatt” Developer Framework: Putting Authentication Code in its Place; SOA205 Extending the Application Platform with Cloud Services; ARC203 Understanding Software-Plus-Services: A Perspective
Related Content: Biztalk.NET: Identity; Issue #16 of the Architecture Journal
Please complete an evaluation
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.