190 likes | 354 Views
windows azure app fab security. steve plank “ planky ” architectural evangelist, microsoft uk splank@microsoft.com http:// blogs.msdn.com / plankytroni xx. agenda. a ccess control service and adfs 2.0 w indows azure connect domain-joining a windows azure instance.
E N D
windows azure app fab security steve plank “planky” architectural evangelist, microsoftuk splank@microsoft.com http://blogs.msdn.com/plankytronixx
agenda • access control service and adfs 2.0 • windows azure connect • domain-joining a windows azure instance
connecting to the outside world google appfabriclabs ctp available now yahoo Username: live id Password: facebook acs OK Cancel adfs2 ad
security token service • service that issues tokens • give it something • user-id/password • x.509 cert • another security token • get a security token back • saml • swt • “cookie” • custom “something” security token
claims transformation email email fred@abc.com fred@abc.com title title buyer purchaser dept dept engineering engineering sts tel no. tel no. 01234 567 890 +441234 567 890 £limit £5m if title == “buyer” AND department == “engineering”: purchaselimit = “£5m” if title == “buyer” AND department == “stationary”: purchaselimit = “£50”
roles • claims store: stores claims: • email, firstname, telno, etc… active directory • identity provider (ip): authenticate, issues tokens • user-id/pww, x.509, smartcard…. adfs2, acs • federation provider (fp): • token in; token out. claims transformation… acs • relying party (rp): • app that consumes tokens • trust: • links rp-ip, fp-ip etc.
acs/adfsauthentication flow plankytronixx.com windows azure ad dc app fab acs adfs 2 federation trust trust ctrl-alt-del wif web app
for more info • http://blogs.msdn.com/b/plankytronixx/archive/2011/01/11/video-how-windows-azure-app-fab-acs-and-adfs-2-0-work-together.aspx • http://blogs.msdn.com/b/plankytronixx/archive/2010/11/05/primer-federated-identity-in-a-nutshell.aspx
agenda • access control service and adfs 2.0 • windows azure connect • domain-joining a windows azure instance
what is it? standard protocols: • SSL, IPSec Example use cases: • azure app & on-premise sql server • domain-joined azure instances • remote admin & troubleshooting simple setup windows azure 0 1 on-premise
availability • ctp – now • sign-up http://windows.azure.com • components: • subscription (portal) • 1.4 sdk (download) • agents (download (from portal)) • release in h1 2011 • support for vpn devices in future
virtual network windows azure firewall: outbound port 443 (ssl) connect agents windows azure 0 ssl tunnel relay service 1 on-premise IPv6, IPsec, point-to-point connection point-to-point connections determined by network policy: windows azure portal
grouping role3 role1 role2 group a group b group c
a quick word about remote desktop windows azure windows azure • portal rdp goes via the internet • on-premise to windows azure role goes direct on-premise portal
for more info • http://blogs.msdn.com/b/plankytronixx/archive/2010/11/09/azure-connect-connecting-your-on-premise-and-windows-azure-networks-together.aspx • http://blogs.msdn.com/b/plankytronixx/archive/2011/01/10/video-presentation-windows-azure-connect-from-scratch.aspx
agenda • access control service and adfs 2.0 • windows azure connect • domain-joining a windows azure instance
domain-joining an instance • required info: • domain-name • ou • local admin accts • creds with permissions for domain-join corporate AD web /worker/vm role .cscfg on-premise domain controller/dns
agenda • access control service and adfs 2.0 • windows azure connect • domain-joining a windows azure instance • blogs.msdn.com/plankytronixx