Identity and Securing Azure Services for SharePoint

Upload: estella-carson

Post on 29-Jan-2016


TRANSCRIPT

Page 1: Browser Identity Provider Access Control Application

Identity and Securing Azure Services for SharePoint

Speaker Name

Page 2:

Essential claims programming model
Claims OM integrated with the .NET identity API
Single programming model for ASP.NET & WCF
Config driven
Single programming model for on-premises & cloud
Tools for metadata-driven automatic app configuration
WS-Federation, WS-Trust
Framework for custom STS development
And more…

Page 3:

What Can You Do with WIF?

Handle Application Authentication
Outsource it via standard protocols
Cross-platform!

Federate with partners
Accept identities from multiple sources
Reuse existing accounts everywhere…

Handle Application Authorization
Traditional RBAC
Claims based

Handle User Attributes
“the end of provisioning”
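The difference between the two authorization styles named above, as an added Python example that is not WIF code and not part of the original deck: has_role asks only whether a trusted issuer asserted the role (traditional RBAC), while can_approve combines the role with an attribute claim the issuer asserted about the user. The principal, the approval-limit claim type and the issuer URLs are constructed placeholders; the role claim-type URI is the standard one WIF uses.

```python
from dataclasses import dataclass

# The role claim type is WIF's standard URI; APPROVAL_LIMIT and the issuers are placeholders.
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
APPROVAL_LIMIT = "http://example/claims/approval-limit"
TRUSTED_ISSUERS = {
    "https://adfs.contoso.example/",                     # partner federation server (placeholder)
    "https://example-namespace.accesscontrol.example/",  # ACS service namespace (placeholder)
}


@dataclass(frozen=True)
class Claim:
    type: str
    value: str
    issuer: str


def trusted(claims):
    """Only claims from issuers the application federates with count; anything else is ignored."""
    return [c for c in claims if c.issuer in TRUSTED_ISSUERS]


def has_role(claims, role):
    """Traditional RBAC: the only question is whether the user holds the role."""
    return any(c.type == ROLE and c.value == role for c in trusted(claims))


def can_approve(claims, amount):
    """Claims-based: role membership combined with an attribute the issuer asserted (the approval limit)."""
    limits = [int(c.value) for c in trusted(claims) if c.type == APPROVAL_LIMIT]
    return has_role(claims, "Approver") and bool(limits) and amount <= max(limits)


# Constructed principal: the role came from the partner's federation server, the limit from ACS,
# and one claim from an issuer the application does not trust (it must not influence the decision).
ALICE = [
    Claim(ROLE, "Approver", "https://adfs.contoso.example/"),
    Claim(APPROVAL_LIMIT, "5000", "https://example-namespace.accesscontrol.example/"),
    Claim(APPROVAL_LIMIT, "1000000", "https://unknown-sts.example/"),
]
```

The issuer filter is the part RBAC alone does not give you: a claim is only as good as the party that asserted it, so the check keys on issuer as well as claim type and value.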

Page 4:

What is Windows Azure AppFabric Access Control?

ACS is used to authenticate and authorize users
Think of it as WIF in the cloud for you
Integrate Single Sign On and centralized authorization into your web applications

Standards-based identity providers
Enterprise directories (e.g. Active Directory Federation Server v2.0)
Web identities (e.g. Windows Live ID, Google, Yahoo!, and Facebook)

V2 now available

Page 5:

Access Control Website Sequence

Participants: Browser, Identity Provider, Access Control, Application

1. Request Resource
2. Redirect to Identity Provider
3. Login
4. Authenticate & Issue Token
5. Redirect to AC service
6. Send Token to ACS
7. Validate Token, Run Rules Engine, Issue Token
8. Redirect to RP with ACS Token
9. Send ACS Token to Relying Party
10. Validate Token
11. Return resource representation

Page 6:

Access Control Features

Integrates with Windows Identity Foundation and tooling
Claims-based access control
Support for OAuth WRAP, WS-Trust, and WS-Federation protocols
Support for the SAML 1.1, SAML 2.0, and Simple Web Token token formats
Integrated and customizable Home Realm Discovery
OData-based Management Service to ACS configuration

Page 7:

Calling External Code

Diagram components: Server (ACS 2.0); Silverlight (or) InfoPath; JQuery; SharePoint 2010; Windows Azure; WCF Service

Page 8:

Integration Pattern

Participants: Service Namespace, Web Service, Service Consumer (SharePoint)

Step 0. Secret Exchange (Periodic Refresh)
1. Access Control rules
2. Send Claims
3. Map Input claims to output claims
4. Send Token (Output claims from 3)
5. Send Message with Token
6. Claims checked in Apps
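The token exchange in steps 1 to 6 above, together with the relying-party validation in step 10 of the website sequence on Page 5, as an added Python example that is not part of the original deck and not ACS's own code. It uses the Simple Web Token format listed on Page 6: form-encoded claims plus Issuer, Audience and ExpiresOn, signed with HMAC-SHA256 under the key exchanged in Step 0. The rule table, claim values, signing key, service namespace, consumer identity and relying-party URL are constructed placeholders; the two standard claim-type URIs are WIF's, and the group claim type is made up.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Placeholders standing in for the real service namespace, relying party and consumer identity.
ACS_ISSUER = "https://example-namespace.accesscontrol.example/"
WEB_SERVICE = "https://invoices.example/"
CONSUMER_ISSUER = "sharepoint-farm"
# Step 0: the key ACS and the web service share (constructed value; refreshed periodically in practice).
SIGNING_KEY = hashlib.sha256(b"constructed demo key, rotate periodically").digest()

# Standard WIF claim type URIs; GROUP is a constructed input claim type.
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
GROUP = "http://example/claims/group"

# Step 1: access control rules, each
# (issuer, input type, input value or None for any, output type, output value or None to pass the input through).
RULES = [
    (CONSUMER_ISSUER, NAME, None, NAME, None),
    (CONSUMER_ISSUER, GROUP, "Approvers", ROLE, "InvoiceApprover"),
    (CONSUMER_ISSUER, GROUP, "Readers", ROLE, "InvoiceReader"),
]


def run_rules(issuer, input_claims):
    """Step 3: map input claims to output claims; input claims with no matching rule are dropped."""
    output = []
    for rule_issuer, in_type, in_value, out_type, out_value in RULES:
        if rule_issuer != issuer:
            continue
        for claim_type, claim_value in input_claims:
            if claim_type == in_type and in_value in (None, claim_value):
                output.append((out_type, claim_value if out_value is None else out_value))
    return output


def issue_swt(output_claims, audience, now, ttl_seconds=600):
    """Step 4: build a Simple Web Token: form-encoded claims plus Issuer, Audience, ExpiresOn, then HMAC-SHA256."""
    pairs = list(output_claims) + [
        ("Issuer", ACS_ISSUER),
        ("Audience", audience),
        ("ExpiresOn", str(now + ttl_seconds)),
    ]
    body = urlencode(pairs)
    sig = hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest()
    return body + "&HMACSHA256=" + quote(base64.b64encode(sig).decode("ascii"), safe="")


def validate_swt(token, expected_audience, now):
    """Step 6 / step 10: verify signature, issuer, audience and expiry before trusting any claim."""
    marker = "&HMACSHA256="
    idx = token.rfind(marker)
    if idx < 0:
        raise ValueError("token carries no signature")
    body = token[:idx]
    given_sig = base64.b64decode(unquote(token[idx + len(marker):]))
    expected_sig = hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, given_sig):  # constant-time comparison
        raise ValueError("signature mismatch")
    claims = {}
    for claim_type, claim_value in parse_qsl(body, keep_blank_values=True):
        claims.setdefault(claim_type, []).append(claim_value)
    if claims.get("Issuer") != [ACS_ISSUER]:
        raise ValueError("untrusted issuer")
    if claims.get("Audience") != [expected_audience]:
        raise ValueError("token was issued for a different relying party")
    if int(claims.get("ExpiresOn", ["0"])[0]) <= now:
        raise ValueError("token expired")
    return claims


def is_rejected(token, audience, now):
    """True when validate_swt refuses the token (used to exercise the failure cases)."""
    try:
        validate_swt(token, audience, now)
        return False
    except ValueError:
        return True


def roundtrip(now=1_700_000_000):
    """Steps 2 to 6 end to end with constructed input claims from the service consumer."""
    input_claims = [(NAME, "alice@contoso.example"), (GROUP, "Approvers"), (GROUP, "Auditors")]
    token = issue_swt(run_rules(CONSUMER_ISSUER, input_claims), WEB_SERVICE, now)  # steps 2 to 4
    return token, validate_swt(token, WEB_SERVICE, now)                             # step 6
```

The web service only ever sees the claim types the rules produce, since run_rules drops everything without a matching rule. validate_swt checks the signature before parsing anything, and the audience check means a token minted for one relying party is refused by another; the clock is passed in explicitly so the expiry check can be exercised deterministically.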

Page 9:

Cert Based Auth - Architecture

Page 10:

Certificate based Authentication

demo

Page 11:

Summary

Claims Based identity works both on-premises & in the cloud
Access Control Services simplifies the access control for Azure hosted resources
Azure uses certificates (Management & Service Certificates) to identify a trust relationship

Page 13:

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Microsoft Confidential - NDA Only