530 likes | 666 Views
Extending Identity to the Cloud. Paul Loonen Architect, Avanade Belgium. About me …. Paul Loonen Architect at Avanade Co-founder of the winsec.be community Microsoft Certified Master – Win2k8 Directory Forefront Identity Management MVP
E N D
Extending Identity to the Cloud Paul Loonen Architect, Avanade Belgium
About me … • Paul Loonen • Architect at Avanade • Co-founder of the winsec.be community • Microsoft Certified Master – Win2k8 Directory • Forefront Identity Management MVP • More than 20 years in IT, of which more than 10 years in IAM • paul.loonen@avanade.com
Agenda • Identity Challenges in the Cloud • What is Windows Azure? • Identity and the Cloud • Active Directory Federation Services • Azure Appfabric Access Control Service • Forefront Identity Manager 2010 • Cloud IAM Roadmap
Dealing with Identity today • We are very good at building secure castles • On-premise directories, systems and applications • Complex and secure infrastructure • User identities locked and controlled within the „walls” • Users learned how to live with unavoidable • Multiple credentials • Additional authentication and access control measurements • Tokens, cards, certificates …
What does our Infrastructure look like today? • Our systems right now • Secured, locked and sealed in on-premise infrastructure • Multiple identity sources • Multiple access information sources and control systems • We know whobuilds, deploys and manages them
Identity challenges in the Cloud • End User Password Fatigue • Failure-Prone Manual Provisioning and De-Provisioning Process • Compliance Visibility: Who Has Access to What? • Siloed User Directories for Each Application • Managing Access across an Explosion of Browsers and Devices • Keeping Application Integrations Up to Date • Different Administration Models for Different Applications • Sub-Optimal Utilization, and Lack of Insight into Best Practices Source: Okta
John from sales is terminated. • He has multiple identities in the enterprise • Some identities are not de-provisioned correctly • Moderate Risk • John from sales is terminated. • He has multiple identities in the enterprise and some of them are off premise. • Some identities are not de-provisioned correctly • High Risk The Problem - Trust boundaries have moved
Cloud computing • Characteristics • On-demand self-service • Broad network access • Resource pooling • Rapid elasticity • Measured service • Service models • Software as a service • Platform as a service • Infrastructure as a service • Deployment models • Private cloud • Community cloud • Public cloud • Hybrid cloud “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.” Source: The NIST Definition of Cloud Computing, Version 15, 2009.10.07, Peter Mell and Tim Grance http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc
Your Own Data Center Someone Else’s Data Center Use (services, information, etc.) Build (applications, data, etc.) Host (software, database, etc.)
Private Cloud Public Cloud Service Delivery Models Software(as-a-service) Platform(as-a-service) Infrastructure(as-a-service) Community Dedicated Hybrid Cloud Cloud Deployment Models
Service delivery models (On-Premise) Infrastructure (as a Service) Platform (as a Service) Software (as a Service) You manage Applications Applications Applications Applications You manage Data Data Data Data Managed by vendor Runtime Runtime Runtime Runtime You manage Managed by vendor Middleware Middleware Middleware Middleware Managed by vendor O/S O/S O/S O/S Virtualization Virtualization Virtualization Virtualization Servers Servers Servers Servers Storage Storage Storage Storage Networking Networking Networking Networking
What is Windows Azure? • A cloud computing platform (as-a-service) • on-demand application platform capabilities • geo-distributed Microsoft data centers • automated, model-driven services provisioning and management • You manage code, data, content, policies, service models, etc. • not servers (unless you want to) • Microsoft manages the platform • application containers and services, distributed storage systems • service lifecycle, data replication and synchronization • server operating system, patching, monitoring, management • physical infrastructure, virtualization networking • security • “fabric controller” (automated, distributed service management system)
How this may be interesting to you • Not managing and interacting with server OS • less work for you • don’t have to care it is “Windows Server” (you can if you want to) • but have to live with some limits and constraints • Some level of control • process isolation (runs inside your own VM/guest OS) • service and data geo-location • allocated capacity, scale on-demand • full spectrum of application architectures and programming models • You can run anything that runs on Windows
Anatomy of a Windows Azure instance Storage – distributed storage systems that are highly consistent, reliable, and scalable. Compute – instance types: Web Role & Worker Role. Windows Azure applications are built with web role instances, worker role instances, or a combination of both. HTTP/HTTPS Each instance runs on its own VM (virtual machine) and local transient storage; replicated as needed Guest VM Guest VM Guest VM Host VM Maintenance OS, Hardware-optimized hypervisor The Fabric Controller communicates with every server within the Fabric. It manages Windows Azure, monitors every application, decides where new applications should run – optimizing hardware utilization.
Where does Identity fit? User Web Browser Mobile Browser Silverlight Application WPF Application Jobs (Worker Role) Web Svc (Web Role) ASP.NET (Web Role) ASP.NET (Web Role) ASP.NET (Web Role) ASP.NET (Web Role) ASP.NET (Web Role) ASP.NET (Web Role) ASP.NET (Web Role) Private Cloud ASP.NET (Web Role) ASP.NET (Web Role) ASP.NET (Web Role) Public Services Enterprise Application ASP.NET (Web Role) ASP.NET (Web Role) ASP.NET (Web Role) Application Service Enterprise Web Svc Data Service Table Storage Service Blob Storage Service Queue Service Enterprise Data Storage Service Enterprise Identity Identity Service User Data Application Data Reference Data Service Bus Access Control Service Workflow Service
Introducing Claims-based Identity • Abstraction layer over identity and access control mechanisms • Unified access control model based on claims • Simplified and standardized way to access identity and access control information • New infrastructure to enable these scenarios
How It Works - Basics Who’sthat? Susana Active Directory ADFSv2 (STS) RP-STS (STS) Susana, PM, FABRIKAM Let me in Prove your identity! Whoam I ? Susana, PM Susana, PM Susana, PM, FABRIKAM It’s me Service (RP) Who? Service provider (cloud) Identity provider (on-premise)
Meet The Actors – Microsoft’s Identity Components Public Cloud AppFabric Access Control Services OAUTH WS-Trust, SAML Private Cloud AD Federation Services SAML Claims based applications Partners AD Certificate Services AD Rights Management Services User On-Premise
AD FS 2.0 Components AD FS 2.0 • AD FS 2.0 Configuration Database: • Windows Internal Database, or • SQL Server • AD FS 2.0 Proxy: • Perimeter Network Client Proxy for Token Requests • Supports Transport Layer Mutual Auth SSL • Exposes Separate WSDL Management APIs and UX AD FS 2.0Proxy • AD FS 2.0 Attribute Stores: • Active Directory (AD DS) • Active Directory Lightweight Directory Services (AD LDS) • SQL Database • AD FS 2.0 Clients: • Web Browsers • WS-* Aware Clients (WCF, CardSpace 2.0 RC, etc.) • AD FS 2.0: • Security Token Service for SOAP & Browser Clients • Policy and Service Management Internet Client Metadata Proxy Token Issuance Proxy Intranet Client Metadata Token Issuance Attribute Stores Configuration Database
Typical Cross-Org Deployment Online Services in the Cloud AD FS 2.0 AD FS 2.0 trust trust 1. Authenticate 3. Send claims /Get claims 2. Get Claims Application WIF Smart Client or Browser WCF ASP.Net 4. Send claims
Claims • Identity providers need to know what claims to send • Relying parties need to know what claims to expect to receive • Agreement must largely take place out of band, though metadata allows us to simplify • In AD FS 2.0: • The expected claims are codified into acceptance rules • The claims to send are codified into issuance rules • Input claims • Acceptance Rules • Issuance Rules • Output Claims Authz
Rules Processing with a Transform Rule Set • Rules determine what goes into output claim set • Not all claims are output • Use rule chaining to construct complex claims • Output of Rule 1 can be used as the input to Rule 2 • Temporary claims can be used for complex constructs • Rules can pull data from attribute stores • Complex mapping should be left to a SQL database
Attribute Stores • SQL • Select queries may be specified in rules (no UI) • Connection string stored in the clear • LDAP • Filters may be specified in rules (no UI) • Connection string stored in the clear
Custom Attribute Stores • Allow custom code to be plugged in for retrieving attributes • Process • .NET assembly is created by developer • Developer gives admin assembly, class reference, and connection string format • IT Pro copies assembly to each machine and places in the GAC • IT Pro adds custom attribute store using UI/PowerShell and inputting the class reference provided • IT Pro authors rules by passing claims to the attribute store in the expected connection string format
Access Control Contoso’s datacenter Mobile workforce • How will I control access to the service? • How will I onboard partners or customers to this solution? Can they use existing method of authentication? CRM Website or Web Service Enterprise partner Database Small vendor
Access Control Service OAuth Web or Rich Application Standard Protocols and “Big Players” Provides claims-based access control for web services • Usable from any platform (for real) • Integrates with AD FS v2 • Many identity providers, one code base WS-* Standard Protocols Access Control Service Open ID Google, Yahoo Facebook
Windows Azure Appfabric Access Control Service • provides an easy way to provide identity and access control to web applications and services • Hosts an STS in the cloud for you • integrates with standards-based identity providers • Active Directory • Windows Live ID, Google, Yahoo! and Facebook. • Supports all relevant “standards” • WS-Federation, WS-Trust, OpenID, Oauth, … • enables authorization decisions to be pulled out of the application and into a set of declarative rules that can transform incoming security claims into claims that applications understand.
How it works 6. Map input claims to output claims based on access control rules 1. Define access control rules for a customer 2. Establish trust (certificate or key exchange) Identity Provider Contoso’s ACS Service Namespace 7. Return Access Token (output claims from 6) 9.Token Validated 0. Establish trust (certificate or key exchange) 4. Return the token 5. Request Access Token (Claims) 3. Request a token Contoso Web Service Contoso’s partner 8. Send Message w/ Access Token
Managing our Enterprise Identities to the Cloud • Enterprise AD is easily extended to the cloud • ADFSv2 • Access is managed through claims • Need a method to (automatically) populate claims: • Identity Claims – e.g. “paul.loonen@avanade.com” • Group Claims – e.g. “Avanade FTE” • Custom Claims – e.g. age:18
Identity Management • Policy-based identity lifecycle management system • Built-in workflow for identity management • Automatically synchronize all user information to different directories across the enterprise • Automates the process of on-boarding users ActiveDirectory LotusDomino • Workflow LDAP • User Enrollment • HR System • FIM SQLServer • Approval Oracle DB • Manager User provisioned FIM CM
Group Management • Self-service group and distribution list management with the FIM 2010 Web portal • Office integration allows users to manage group membership from within Microsoft Office Outlook for maximum productivity • Automatically add users to either group based on their employee type at the time they are provisioned to Active Directory • Group and distribution list management, including dynamic membership calculation in these groups and distribution lists based on user’s attributes
Group Management • Integrates with Exchange and Outlook • Manages distribution and security groups Self-service group management Criteria-based group membership Integrated approval
Example: Contoso and Melissa the sales person • Contoso is interested in adopting a new cloud app as their CRM for their sales department. • Melissa is a new hire for the sales department. • The IT department has decided to adopt Identity and Access management and leverage their Microsoft investment.
Example: From AD Group to Cloud Authentication • WS-* and SAML Claims FIM Platform FIM Sync • AD FS 2.0 2 Action Workflow Delegation& Permissions AuthN Workflow AuthZ Workflow
Getting your Identities to the cloud. AD Federation Services On Premise
1. Understand your organization’s IAM needs Business Processes Onboarding, SSO, Promotions, Changes, Termination Governance (Security Policy) User Groups Full-Time Employees, Contractors, Partners, Vendors, Customers LOB Apps Active Directory, Exchange, SQL, Oracle, PeopleSoft, SAP, Financials
2. Leverage your AD Investment • Make Active Directory the center of your Identity Roadmap. • Line of Business Apps should be aligning with LDAP, Kerberos or Claims-Based Authentication • Supplement your platforms with SSO solutions that leverage AD. • App Architecture should integrate WIF
3. Optimize your AD Metadata • How good is it? • How much information do you have today? • How much information do you need to make it work for well in premises/on the cloud(*)? • How can I leverage AD Groups for claims-based authentication (*) Keep in mind that Federated Services need information about the user in order to make decisions
4. Use FIM 2010 Capabilities to Implement Policy and Business Logic • FIM Portal: The central place to manage your enterprise identities • Policies: To define your business logic • Workflows: To automate and make the policies repeatable and auditable. • Group Management: Security group lifecycle management.
5. On Premise is Stable – To the Cloud! • Start gathering information about your cloud provider and their supported authentication methods. Claims-based or SAML-compatible. • Find out what attributes are required by your cloud app. Beware of privacy concerns. • Configure AD FS to use the claims rules based on attributes identified and establish trust. • Design and implement the infrastructure to support the service.
Concluding Partner Windows Integrated/Kerberos • WS-* and SAML Claims Self Service MS Online Directory Synchronization • Workflow • AD FS 2.0 Claims-Aware Applications • SharePoint Profiles and Access • FIM 2010 • SAP and other apps • Identity directories • HR System Phone Title Department Manager Group • Claims-Aware • Applications • Exchange GAL & DL Role Client List • ADDS SQL Server