
1 Tech Ed North America 2010 1/16/2019 5:46 PM Required Slide
SESSION CODE: SIA303
Identity and Access Management: Windows Identity Foundation and Windows Azure
Vittorio Bertocci, Sr. Architect Evangelist, Microsoft Corporation
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Identity and Access Management
Enable more secure, identity-based access to applications on-premises and in the cloud from virtually any location or device
PROTECT everywhere, ACCESS anywhere: provide more secure, always-on access; enable access from virtually any device
INTEGRATE and EXTEND security: control access across organizations; provide standards-based interoperability
SIMPLIFY security, MANAGE compliance: extend powerful self-service capabilities to users; automate and simplify management tasks

3 Business Ready Security Solutions
Secure Messaging, Secure Collaboration, Secure Endpoint, Information Protection, Identity and Access Management

4 Non-Goals
Not a comprehensive overview of WIF
Not a comprehensive overview of Windows Azure
I assume you know at least a little bit of one or the other

5 Agenda
Claims Based Identity & WIF
Windows Azure
WIF & the canonical scenario in Windows Azure
Tricks for: browser based SSO, WCF services, custom STS

6 Your Applications Are Prisoners
Diagram: an application (Login.aspx, Page1.aspx) bound directly to its credential types / APIs, credential stores and user attribute stores.

7 Claims Can Set Your Application Free
Diagram: an Identity Provider (Active Directory Federation Services 2.0 STS) issues a security token carrying claims; the Relying Party consumes the token instead of handling credentials itself.

8 Essential claims programming model
Claims OM integrated with the .NET identity API
Single programming model for ASP.NET & WCF
Config driven
Single programming model for on-premises & cloud
Tools for metadata-driven automatic app configuration
WS-Federation, WS-Trust
Framework for custom STS development
And more…

9 DEMO: Claims Based Identity and Web Site Authentication
Vittorio Bertocci, Sr. Architect Evangelist, Microsoft Corporation

10 Canonical Scenario & Infrastructure
Diagram: STS; IIS / ASP.NET; GAC; File System; Certificate Store (the on-premises resources a WIF application relies on).

11 Windows Azure (1/2)
Compute: standard .NET 3.5 environment; web, WCF and worker roles; can P/Invoke; physical machine inaccessible, immutable
Storage: table & blob storage
Management: manage roles, scale, storage, certificates, etc.

12 Windows Azure (2/2)
Visual Studio integration: templates; DevFabric, an on-premises simulation environment
Multi-staged deployment: staging, production

13 Canonical Scenario & Infrastructure

14 Scenarios & Tricks

15 Browser Based SSO

16 DEMO: SSO: On-Premises STS and Windows Azure Web App
Vittorio Bertocci, Sr. Architect Evangelist, Microsoft Corporation

17 Hosted Service Packaging
Application package (Yourapp.cspkg): contains all of your app
Configuration settings (ServiceConfiguration.cscfg): roles and such
If you need something not in the standard image, package it with the app
  Set Copy Local=true for Microsoft.IdentityModel.dll (the WIF runtime is not part of the Windows Azure image)
  FullTrust is required (WIF does not run under partial trust)
Want to change anything in your app? Redeploy
  Make your app parametric, drive it from the outside

18 Endpoints & Environments
WIF assumes URI == Application
In Windows Azure that doesn't work: the URI changes per environment
  DevFabric: 127.0.0.1:xxx/ (local loopback, port varies)
  Staging: {GUID}.cloudapp.net/
  Production: yourapp.cloudapp.net/
The load balancer also influences the physical URI: an instance listens on a node port such as yourapp.cloudapp.net:20000/, not on the public port the browser uses

19 Endpoints Strategies
On the RP
  Use multiple named <microsoft.identityModel>/<service name="..."> sections, one per environment
  If your STS handles it, use wreply: get the application address from request.Headers["Host"]
  Caveat: the Host header is supplied by the client, so check it against the hosts you expect before putting it into wreply
On the STS
  If you can, handle wreply, but only for reply addresses that belong to a known RP; an STS that posts tokens to any wreply it is given leaks tokens to whoever controls that address
  Otherwise, treat every deployment as a separate RP
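An added example (not code from the deck) of the wreply approach on the RP side. It is a Global.asax.cs for the Windows Azure web role: the handler ASP.NET auto-wires to WSFederationAuthenticationModule's RedirectingToIdentityProvider event rebuilds the reply address from the incoming Host header, so one cspkg works in DevFabric, staging and production without a per-environment <service> section. The cscfg setting name AllowedReplyHosts, its fallback value and the staging host name are assumptions; the allow-list is what keeps a forged Host header from turning the sign-in into a redirect to somebody else's site.

```csharp
// Global.asax.cs of the Windows Azure web role (the relying party).
// Added example, not from the presentation. Assumed: a cscfg setting named
// "AllowedReplyHosts" holding a semicolon-separated list of host names.
using System;
using System.Web;
using Microsoft.IdentityModel.Web;
using Microsoft.WindowsAzure.ServiceRuntime;

public class Global : HttpApplication
{
    // Hosts we are willing to have the STS post tokens back to. Driven from
    // the cscfg ("make your app parametric") so staging can carry its own
    // {GUID}.cloudapp.net name without a redeploy. Values are assumptions.
    private static string[] AllowedReplyHosts()
    {
        string setting = RoleEnvironment.IsAvailable
            ? RoleEnvironment.GetConfigurationSettingValue("AllowedReplyHosts")
            : "127.0.0.1";                       // plain IIS / DevFabric fallback
        return setting.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);
    }

    // ASP.NET wires this up by naming convention: <module name>_<event name>,
    // with the module registered in web.config as WSFederationAuthenticationModule.
    void WSFederationAuthenticationModule_RedirectingToIdentityProvider(
        object sender, RedirectingToIdentityProviderEventArgs e)
    {
        HttpRequest request = HttpContext.Current.Request;
        string reply = BuildReplyUrl(request.Url.Scheme,
                                     request.Headers["Host"],
                                     request.ApplicationPath,
                                     AllowedReplyHosts());
        if (reply == null)
        {
            // Host header is client-controlled: fail closed instead of asking
            // the STS to send our token to an address we do not recognise.
            throw new HttpException(400, "Unexpected Host header");
        }
        e.SignInRequestMessage.Reply = reply;   // becomes the wreply parameter
    }

    /// <summary>
    /// Absolute application root URL as the client sees it (scheme, Host
    /// header including any port, application path), or null when the host
    /// part of the header is not in the allow-list.
    /// </summary>
    public static string BuildReplyUrl(string scheme, string hostHeader,
                                      string applicationPath, string[] allowedHosts)
    {
        if (string.IsNullOrEmpty(hostHeader)) return null;

        // Host header is "host" or "host:port"; the allow-list holds hosts only,
        // because the port differs between DevFabric, staging and production.
        string host = hostHeader;
        int colon = hostHeader.LastIndexOf(':');
        if (colon > 0) host = hostHeader.Substring(0, colon);

        bool allowed = Array.Exists(allowedHosts,
            h => string.Equals(h, host, StringComparison.OrdinalIgnoreCase));
        if (!allowed) return null;

        // UriBuilder validates host and port and drops a default port (80/443).
        UriBuilder builder = new UriBuilder(scheme + "://" + hostHeader);
        builder.Path = (applicationPath ?? "/").TrimEnd('/') + "/";
        return builder.Uri.AbsoluteUri;     // e.g. "https://127.0.0.1:81/" or "https://yourapp.cloudapp.net/"
    }
}
```

The STS side is the other half of the trick: when it honours wreply it must still compare the address against its RP list (slide 31) before posting the token, because wreply arrives in a browser-controlled query string.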

20 Certificates in Windows Azure
Certificate + private key: needed for SSL, decryption, signature
Certificate alone: "needed" for STS signature checking
In Windows Azure you don't have direct access to the certificate store
  Upload the PFX in a common area
  The cscfg decides which certificates are available to which roles
  The fabric deploys those "just in time" in the role
  You can't add trusted roots

21 Certificates Strategies
For SSL, decryption, signature: upload the necessary PFX(es); more about this in the Session slides
For STS signature checking: often the certificate bits arrive with the message (the signing certificate is embedded in the token)
  All you need is to record the thumbprint in the IssuerNameRegistry...
  ...and set certificateValidationMode="None", since chain validation cannot succeed when you cannot add trusted roots
  Caveat: with chain validation off, the thumbprint recorded in the IssuerNameRegistry is the only trust decision; WIF still verifies the token signature against the embedded certificate, and the registry must return null (reject) for any thumbprint it does not know
If that's not the case, generate a key-less PFX and upload

22 Session
WIF's typical session is implemented via cookies
The default protection method is DPAPI
  Doesn't work if you can hit multiple instances: DPAPI keys are per machine, so a cookie protected on one instance cannot be read by another instance behind the load balancer
Easy solution in Windows Azure
  Inject a SessionSecurityTokenHandler with your own transforms list
  Encrypt & sign the cookie via RsaEncryptionCookieTransform / RsaSignatureCookieTransform and the service certificate, which the fabric deploys to every instance of the role
  You could use the machine key as well
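An added example (not the deck's own code) that wires both the thumbprint-pinned issuer check from slide 21 and the RSA-protected session cookie from slide 22 into one ServiceConfigurationCreated handler in the web role's Global.asax.cs. The thumbprint, issuer name and certificate are assumptions: the service certificate is whatever <serviceCertificate> in web.config points at, deployed to each instance by the fabric, and the thumbprint is the SHA-1 thumbprint of your STS's signing certificate.

```csharp
// Global.asax.cs of the Windows Azure web role. Added example, not from the
// presentation. Assumed: web.config has <certificateValidation
// certificateValidationMode="None"/> and a <serviceCertificate> entry, and
// the thumbprint/issuer constants below are replaced with real values.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Web;
using Microsoft.IdentityModel.Web.Configuration;

/// <summary>
/// The trust decision for incoming tokens once chain validation is off.
/// WIF has already verified the token signature against the certificate
/// carried in the token; this registry decides whether that certificate is
/// the STS we expect. Returning null makes WIF reject the token.
/// </summary>
public class ThumbprintIssuerNameRegistry : IssuerNameRegistry
{
    private readonly Dictionary<string, string> trusted;

    public ThumbprintIssuerNameRegistry(IDictionary<string, string> thumbprintToIssuer)
    {
        // X509Certificate2.Thumbprint is upper-case SHA-1 hex without spaces;
        // compare case-insensitively so a pasted lower-case value still matches.
        trusted = new Dictionary<string, string>(thumbprintToIssuer, StringComparer.OrdinalIgnoreCase);
    }

    public override string GetIssuerName(SecurityToken securityToken)
    {
        X509SecurityToken x509 = securityToken as X509SecurityToken;
        if (x509 == null) return null;                 // not signed with an X.509 key: reject
        string issuer;
        return trusted.TryGetValue(x509.Certificate.Thumbprint, out issuer) ? issuer : null;
    }
}

public class Global : HttpApplication
{
    // Assumed values: the STS signing certificate thumbprint and issuer name.
    private const string StsSigningThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567";
    private const string StsIssuerName = "https://sts.example.com/";

    protected void Application_Start(object sender, EventArgs e)
    {
        FederatedAuthentication.ServiceConfigurationCreated += OnServiceConfigurationCreated;
    }

    static void OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e)
    {
        ServiceConfiguration config = e.ServiceConfiguration;

        // 1. Pin the issuer by thumbprint (slide 21). This replaces whatever
        //    <issuerNameRegistry> web.config declared.
        var pins = new Dictionary<string, string> { { StsSigningThumbprint, StsIssuerName } };
        config.IssuerNameRegistry = new ThumbprintIssuerNameRegistry(pins);

        // 2. Protect the session cookie with the service certificate instead of
        //    DPAPI (slide 22): every instance holds the same certificate, so a
        //    cookie written by one instance can be read by any other.
        X509Certificate2 serviceCert = config.ServiceCertificate;
        if (serviceCert == null || !serviceCert.HasPrivateKey)
            throw new InvalidOperationException("A service certificate with a private key is required");

        var transforms = new List<CookieTransform>
        {
            new DeflateCookieTransform(),                    // shrink the token first
            new RsaEncryptionCookieTransform(serviceCert),   // then encrypt to the service key
            new RsaSignatureCookieTransform(serviceCert)     // then sign, so tampering is detected before decryption
        };
        var sessionHandler = new SessionSecurityTokenHandler(transforms.AsReadOnly());
        config.SecurityTokenHandlers.AddOrReplace(sessionHandler);
    }
}
```

Setting IssuerNameRegistry in code means the web.config <issuerNameRegistry> element no longer matters; keep the thumbprint in one place only. The same transform list is what the WCF variant on slide 25 plugs into its own SessionSecurityTokenHandler.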

23 WCF Service

24 DEMO: WIF and WCF Services on Windows Azure
Vittorio Bertocci, Sr. Architect Evangelist, Microsoft Corporation

25 WCF and Sessions
Similar approach to what we've seen for the passive case
Trickier:
  Craft the binding for allowing cookie mode
  Write a custom SessionSecurityTokenHandler (the usual RsaXXXTransform); validation must abstract away node port numbers in the URI
  Inject the custom SessionSecurityTokenHandler: behaviorExtension -> IServiceBehavior -> SessionSecurityTokenHandler

26 WCF Metadata in Windows Azure
The default mechanism puts URIs with node ports in the WSDL
  Not addressable from outside, SvcUtil fails
A KB hotfix solves the issue, but it needs to be explicitly activated: add to the service behavior
  <useRequestHeadersForMetadataAddress>
    <defaultPorts>
      <add scheme="http" port="8000" />
      <add scheme="https" port="8443" />
    </defaultPorts>
  </useRequestHeadersForMetadataAddress>
Manually update the ports when deploying to the cloud

27 Tracing
WIF tracing works ~ like WCF tracing; you can use the Service Trace Viewer tool
Surprise! No direct access to the VM file system
One solution
  Write a custom XmlWriterTraceListener which dumps the traces in Windows Azure storage
  Use WebRole.OnStart for hooking the listener to the storage

28 Custom Passive STS

29 WSFederation Metadata Generation
RPs use STS metadata for discovering issuing endpoints, signing certificate(s) and offered claims
URIs need to reflect the environment and handle the node port number issue
One solution: explicitly generate the metadata via an HTTP WCF service; UrlRewrite for hiding the .svc implementation detail

30 More Endpoint Issues
Turn off address filtering via [ServiceBehavior(AddressFilterMode = AddressFilterMode.Any)]
On the client, override the endpoint reference

31 RP Management
You need to maintain a list of RPs
  A good STS serves tokens only to known RPs (and only to reply addresses registered for them)
  Encrypting tokens for one RP requires knowing the RP certificate
  You don't want to redeploy a cspkg every time you add or delete an RP
Solution: keep the RPs in a Windows Azure table; use management APIs for maintaining the list

32 Summary
Claims Based identity works both on-premises & in the cloud
The app code is isolated from the deployment environment
Resources are handled differently in Windows Azure and on-premises
WIF needs a few nudges for operating in the cloud: endpoints, certificates, sessions, file system vs storage

33 Resources
WIF Home page
Forum
Team Blog
Downloadable Training Kit
Online Training Course on Channel9
Channel9 Show on Identity
My blog

34 Resources
www.microsoft.com/teched
Learning: Sessions On-Demand & Community; Microsoft Certification & Training Resources
Resources for IT Professionals; Resources for Developers

35 Related Content
SIA303 | Identity and Access Management: Windows Identity Foundation and Windows Azure
SIA201 | Understanding Claims-Based Applications: An Overview of Active Directory Federation Services (AD FS) 2.0 and Windows Identity Foundation
SIA326 | Identity and Access Management: Single Sign-on Across Organizations and the Cloud - Active Directory Federation Services 2.0 Architecture Drilldown
Demo Station: Identity and Access Management – SIA Stations 5 & 6

36 Download WIF SDK & the Identity Training Kit!
