developing and deploying identity-enabled applications for the cloud


Upload: maarten-balliauw

Post on 19-May-2015


DESCRIPTION

Joint session by WInsec.be and Azug.be on ADFS, federation and claims based authentication in the cloud.

TRANSCRIPT

Page 1: Developing and deploying Identity-enabled applications for the cloud

1

Developing and deploying Identity-enabled applications for the cloud

Page 2: Developing and deploying Identity-enabled applications for the cloud

2

This session

meets

Developing and deploying Identity-enabled applications for the cloud

Page 3: Developing and deploying Identity-enabled applications for the cloud

3

Winsec.be thanks its sponsors for their continued support

Page 4: Developing and deploying Identity-enabled applications for the cloud

4

Azug thanks its sponsors

Page 5: Developing and deploying Identity-enabled applications for the cloud

5

Thanks for being here and enjoy the show!

Feedback to [email protected] / [email protected]

Page 6: Developing and deploying Identity-enabled applications for the cloud

6

Developing and deploying Identity-enabled applications for the cloud

Page 7: Developing and deploying Identity-enabled applications for the cloud

7

Your Presenters for Today

Maarten
• @maartenballiauw / about.me/maarten.balliauw
• Co-founder of AZUG
• MVP: Windows Azure
• Blogs at http://blog.maartenballiauw.be

Paul
• @ploonen / [email protected] of winsec.be
• MVP: Microsoft Forefront Identity Manager
• MCM Directory
• Current hobby: Architect @ Avanade
• Blog @ http://be-id.blogspot.com

Page 8: Developing and deploying Identity-enabled applications for the cloud

8

Agenda

• Presenting the problem (a.k.a. “The Scenario”)
• How federation saves the day
• How ADFS solves federation
• How to connect an app to ADFS
• How Windows Azure adds extra sauce to federation
• Q&A

Page 9: Developing and deploying Identity-enabled applications for the cloud

9

Introducing the Problem

Page 10: Developing and deploying Identity-enabled applications for the cloud

10

Introducing AD FS v2

Page 11: Developing and deploying Identity-enabled applications for the cloud

11

Some vocabulary

• STS: Security Token Service
• IP: Identity Provider
• RP: Relying Party
• Claim: Assertion
• WIF: Windows Identity Foundation
• SAML: Security Assertion Markup Language
• AD FS: Active Directory Federation Services

Page 12: Developing and deploying Identity-enabled applications for the cloud

12

Federation benefits

Benefits of SSO:
• reduce administrative overhead
• reduce security vulnerabilities as a result of lost or stolen passwords
• improve user productivity

Intra-Enterprise: provide SSO for all your web sites and applications

Inter-Enterprise:
• provide SSO experiences for your users to access apps in other organizations
• provide SSO experience for users from external organizations to access your apps

• Easily externalize authentication & authorization
• Rich claims rules processing engine
• Management & Configuration Tools

Page 13: Developing and deploying Identity-enabled applications for the cloud

13

AD FS 2.0 Major Components

What is AD FS 2.0? (component diagram)

• Attribute Stores: Active Directory, MS SQL, Windows Internal DB
• Federation Server, Federation Server Proxy
• Claims Engine
• Management Snap-in
• WIF
• Platform: Windows Server 2008 SP2, 2008 R2; .NET 3.5 SP1; IIS 7; Website, Web Service
• Other Claims Providers: CA, IBM, SUN, WIF, Other STS
• Relying Parties: Browser Apps, Smart Clients, Web Services

AD FS 2.0 provides access and single sign-on for on-premises and cloud-based applications in the enterprise, across organizations, and on the Web

Page 14: Developing and deploying Identity-enabled applications for the cloud

14

Why consider AD FS 2.0?

• Building a production-ready STS is hard.
• The Visual Studio STS templates are just starters for trivial dev scenarios.
• Lots of configuration to manage, UI's to present in a real world STS!

Page 15: Developing and deploying Identity-enabled applications for the cloud

15

Typical Traffic Flow (diagram)

• Identity Provider side: Internal Client, Account Federation Server, Active Directory
• Relying Party side: Resource Federation Server, Web Server
• Federation Trust between the Account Federation Server and the Resource Federation Server

Page 16: Developing and deploying Identity-enabled applications for the cloud

16

Scenario 1 – Intra Organization (diagram: ADFS STS, Claims-aware app, Active Directory, User; the app trusts the STS)

1. User browses the app
2. Not authenticated: redirected to the STS
3. User authenticates at the STS
4. STS queries Active Directory for user attributes
5. STS returns a security token (ST)
6. Browser sends the token to the app
7. App returns the page and a cookie

Page 17: Developing and deploying Identity-enabled applications for the cloud

17

Scenario 2 – Inter Organization (diagram: Your ADFS STS, Your Claims-aware app, Your Active Directory, Partner user, Partner ADFS STS & IP)

1. Partner user browses the app
2. Not authenticated: redirected to your STS
3. Home realm discovery at your STS
4. Redirected to the partner STS, requesting an ST for the partner user
5. Partner user authenticates at the partner STS
6. Partner STS returns an ST for consumption by your STS
7. Your STS processes the token and returns a new ST
8. Browser sends the token to the app
9. App returns the page and a cookie

Page 18: Developing and deploying Identity-enabled applications for the cloud

18

Installing AD FS v2

• Requires Windows Server 2008 / 2008 R2
• Requires IIS 7, .NET 3.5 SP1, WIF
• See deployment guide for required hot fixes and updates

• Issue and install server certificates for HTTPS
• Think about implications for partner organisation
• Cross certification when few partners, otherwise buy required certs

• Download and install ADFS 2.0
• Simple Wizard: New / farm member / Proxy – SSL cert – Names

Page 19: Developing and deploying Identity-enabled applications for the cloud

19

AuthN, Attribute Stores

• AD FS v2 can only use Active Directory as an identity store for authentication
• ADFSv1 could also use AD LDS / ADAM
• AD FS v2 can extract attributes from AD DS and from SQL Server
• SQL and LDAP stores are directly supported
• Additional stores can be added through custom extensions: implement IAttributeStore (see: http://msdn.microsoft.com/en-us/library/ee895358.aspx)
• Register your custom store using Add-ADFSAttributeStore:

Add-ADFSAttributeStore -TypeQualifiedName "CustomAttributeStores.FileAttributeStore,CustomAttributeStores" -Configuration @{"FileName"="c:\temp\data.txt"} -Name FileAttributeStore

• Query the registered store from a claim rule (the "=>" is the claim rule language issuance operator):

=> issue(store = "FileAttributeStore", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/name", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = "Age=33;EmpName,Role");

Page 20: Developing and deploying Identity-enabled applications for the cloud

20

Setting up your STS

Demo

Page 21: Developing and deploying Identity-enabled applications for the cloud

21

Installation Sequence

Page 22: Developing and deploying Identity-enabled applications for the cloud

22

AD FS 2.0 deployment options
1. Single server configuration
2. AD FS 2.0 server farm and load-balancer
3. AD FS 2.0 proxy server (offsite users)

(diagram: Enterprise network with Active Directory and AD FS 2.0 Servers serving the internal user; DMZ with AD FS 2.0 Server Proxies serving the external user)

Page 23: Developing and deploying Identity-enabled applications for the cloud

23

Configuring your AD FS Server

Wizard (or: %ProgramFiles%\Active Directory Federation Services 2.0\FsConfigWizard.exe)

Manually: FsConfig.exe { StandAlone | CreateSQLFarm | JoinFarm | JoinSQLFarm | GenerateSQLScripts } [deployment specific parameters]

Page 24: Developing and deploying Identity-enabled applications for the cloud

24

FSConfigWizard

Page 25: Developing and deploying Identity-enabled applications for the cloud

25

Implementing ADFS in your infra

• Configure the RP to trust AD FS
• Configure AD FS to trust RP
• Configure Rules
  • Issuance Transform rules
  • Issuance Authorization rules

Page 26: Developing and deploying Identity-enabled applications for the cloud

26

Configuring your federation server

Identity Provider / Relying Party / Claims

Demo

Page 27: Developing and deploying Identity-enabled applications for the cloud

27

Configuring the RP Trust

Page 28: Developing and deploying Identity-enabled applications for the cloud

28

Claim Rules

Rule templates simplify the creation of rules. Examples of rules are:
• Permit / deny user based on incoming claim value
• Transform the incoming claim value
• Pass through / filter an incoming claim

Multiple claim rules can be specified and are processed in top to bottom order

Results from previously processed claims can be used as the input for subsequent rules

Page 29: Developing and deploying Identity-enabled applications for the cloud

29

Creating Rules

On IdP / On RP

Page 30: Developing and deploying Identity-enabled applications for the cloud

30

Creating Rules

A claim rule consists of two parts: a condition and an issuance statement

Condition

Issuance Statement
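The rule types from the Claim Rules slide and the condition / issuance statement split above, written out as an added example (not code from the session) in the AD FS claim rule language and applied to one RP trust with the AD FS 2.0 PowerShell snap-in. The RP trust display name, the AD group SID and the custom claim type URI are placeholders.

```powershell
# Added example, not from the slides. Placeholders: the RP trust display name,
# the AD group SID and the custom claim type URI; replace them with your own.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName = "Claims-aware app"           # placeholder RP trust display name
$adminGroupSid = "S-1-5-21-0-0-0-1234" # placeholder SID of the AD group allowed to use the app

# Issuance authorization rules. AD FS evaluates these BEFORE the issuance transform
# rules of the same RP, so they only see incoming claims (here the AD group SID),
# not claims created by the transform rules below. Without any permit claim no
# token is issued, so one permit rule gives the RP an explicit allow-list.
$authorizationRules = @"
@RuleName = "Permit only members of the application admin group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$adminGroupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Issuance transform rules: "condition => issuance statement", processed top to bottom.
# Pass through only the claims the RP needs rather than all incoming claims, look up
# one attribute, transform a group SID into a role, then show that a later rule can
# match a claim issued by an earlier rule in the same set.
$transformRules = @"
@RuleName = "Pass through the UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleName = "Look up the e-mail address in the Active Directory attribute store"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "Transform the admin group SID into an application role"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$adminGroupSid"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "AppAdmin");

@RuleName = "Use the role issued by the previous rule as input (placeholder claim type)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value == "AppAdmin"]
 => issue(Type = "http://schemas.example.org/claims/canmanageusers", Value = "true");
"@

# Apply both rule sets to the RP trust, replacing whatever rules it had before.
Set-ADFSRelyingPartyTrust -TargetName $rpName `
    -IssuanceAuthorizationRules $authorizationRules `
    -IssuanceTransformRules $transformRules

# Read back the stored rule text to confirm the change.
$rp = Get-ADFSRelyingPartyTrust -Name $rpName
$rp.IssuanceAuthorizationRules
$rp.IssuanceTransformRules
```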

Page 31: Developing and deploying Identity-enabled applications for the cloud

32

Further Customizations

• Custom Style Sheet
• Home realm discovery
• Logon Page
• Authentication
• …

Page 32: Developing and deploying Identity-enabled applications for the cloud

33

What Else?

• Hardening: SCW profiles are on the box
• Sizing
• PowerShell
• In Win8 becomes a server role again (v2.1)

Page 33: Developing and deploying Identity-enabled applications for the cloud

34

Windows Identity Foundation

Page 34: Developing and deploying Identity-enabled applications for the cloud

35

Windows Identity Foundation

• Your one and only partner for .NET identity development
• Adds claims-based authentication to your application in no time
• My advice: forget custom user stores
• And if you need them: WIF-ify (?) them

Page 35: Developing and deploying Identity-enabled applications for the cloud

36

Connecting an app to an STS

Demo

Page 36: Developing and deploying Identity-enabled applications for the cloud

37

Where things get cloudy...

Windows Azure AppFabric Access Control Service (ACS)

Page 37: Developing and deploying Identity-enabled applications for the cloud

38

Windows Azure AppFabric ACS

• An STS in the cloud
• Pluggable with identity providers:
  • Windows Live ID
  • Facebook
  • Google
  • Yahoo!
  • Any ADFS, or better: any WS-Federation passive endpoint
  • Any OAuth2 provider

Page 38: Developing and deploying Identity-enabled applications for the cloud

39

Why ACS?

Page 39: Developing and deploying Identity-enabled applications for the cloud

40

Let’s step back...

• No, we’re not the US
• Federation across organizations does not happen often today
• So why would I use ACS anyway?

• Dev, test, accept, prod are different RP’s!
• 2 apps with all these environments is 8 RP’s!
• Imagine 10 apps... Or a hundred...

Page 40: Developing and deploying Identity-enabled applications for the cloud

41

ACS advantages

• A scalable STS
• With one or more identity providers
• With one or more relying parties
• With one or more rule groups
• Integrates with WIF
• Integrates with ADFS
• Instant win!

Page 41: Developing and deploying Identity-enabled applications for the cloud

42

ACS (diagram: Identity Providers, ACS, Your Application)

• Identity Providers to ACS: ADFS2 (WS-Trust), ADFS2 (WS-Federation), WS-Trust, OAuth WRAP/2.0, WS-Federation; Service Identities
• ACS to Your Application: SAML or SWT tokens
• Client types: Browser-based, Rich Client, Server 2 Server

Page 42: Developing and deploying Identity-enabled applications for the cloud

43

Connecting an app to ACS

Demo

Page 43: Developing and deploying Identity-enabled applications for the cloud

44

Connecting ACS to ADFS

Demo

Page 44: Developing and deploying Identity-enabled applications for the cloud

45

Using ACS at its full extent

ACS as an identity service bus

Demo

Page 45: Developing and deploying Identity-enabled applications for the cloud

46

Conclusion

Page 46: Developing and deploying Identity-enabled applications for the cloud

47

Conclusion

• It is possible to do SSO over security boundaries
• It is possible to integrate multiple apps with multiple identity providers
• ADFS and ACS form a nice couple
• Standards based solution

Page 48: Developing and deploying Identity-enabled applications for the cloud

49

Q&A

Page 49: Developing and deploying Identity-enabled applications for the cloud

Winsec.be thanks its sponsors for their continued support

Page 50: Developing and deploying Identity-enabled applications for the cloud

51

Azug thanks its sponsors