Presentation is loading. Please wait.

Presentation is loading. Please wait.

Microsoft Ignite /20/2017 9:04 PM

Published by籴名 桑 Modified over 7 years ago

Similar presentations

Presentation on theme: "Microsoft Ignite /20/2017 9:04 PM"— Presentation transcript:

1 Microsoft Ignite 2015 3/20/2017 9:04 PM
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Taking advantage of Identity capabilities in Azure Pack
Marc van Eijk, MVP Shriram Natarajan, Program Manager

3 Agenda Authentication & Identity Fundamentals
Microsoft Ignite 2015 3/20/2017 9:04 PM Agenda Authentication & Identity Fundamentals Integration with external Identity Systems About Tokens and Claims © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

4 Authentication & Identity Fundamentals

5 Control Plane vs Data Plane
Control/ Management Plane Authentication Claims-based up to API Basic Auth to Resource Provider Data Plane Depends on the Resources Provider implementation Control / Mgmt Plane Portal Service Management API Resource Provider Resources (Websites, VM, etc..) Identity System Data Plane

6 Authentication Fundamentals
Claim / Token A statement that one subject makes about itself or another subject A Token is a collection of Claims Relying Party(RP) = Application The entity that relies on an Identity System to provide information about the user Federation Service = Security Token Service(STS) Accepts requests and issues security tokens contains claims Identity provider (IdP) / Claims Provider An issuer that validates user credentials like user name/password and certificates

7 WAP Authentication flows - Portal
Federation Service Identity Provider Token Login Page STEPS 1. User browses to portal without Claims Identity System 2. Portal redirects to Identity System User Browser 3. Identity System shows Login Page 4. User Enters Credentials Token 5. User is authenticated Relying Party 6. Token is issued to the user Windows Azure Pack Portal 7. User uses Token to access portal 8. Portal Grants access to Resources Token Admin API Tenant API Service Management API

8 WAP Authentication flows – Non-Portal
Token(T1) Admin and Tenant API Access Token(T1) STEPS Identity System 1. Client contacts the Identity System with Credentials 1.5. If there are multiple STSs, the Client traverses the chain and gets the token to the previous STS in the chain Token 2. Identity System validates Creds/token and issues token 3. Client uses the token to call the API Token Used during Custom Portal/Panel integration and Automation scenarios Custom Portal/ Automation Re-sign Service Management API Admin API Tenant API

9 WAP Authentication flows – Non-Portal
Tenant Public API Access User Browser STEPS Client 1. User uploads the Private Key (PFX)of the certificate to WAP 2. User provides the Public Key (CER) of the certificate to the client 3. Client uses the certificate to call the Tenant Public API Windows Azure Pack Portal Used during Tooling scenarios like PowerShell, VS etc.. Service Management Tenant API Service Management Tenant Public API Certificate Private Key Certificate Public Key

10 ADFS Configuration Configuring AD FS with WAP typically involves 4 steps ADFS Configuration Install-AdfsFarm –CertificateThumbprint <String> -FederationServiceName <String> -ServiceAccountCredential <PSCredential> -SQLConnectionString Configure the management portals to trust AD FS Set-MgmtSvcRelyingPartySettings –MetadataEndpoint -ConnectionString $ConnectionString -DisableCertificateValidation Configure the tenant authentication site to trust AD FS Set-MgmtSvcIdentityProviderSettings –Namespace AuthSite –MetadataEndpoint -ConnectionString $ConnectionString -DisableCertificateValidation -ConfigureTenant Configure AD FS to trust the management portals configure-adfs.ps1 ` –identityProviderMetadataEndpoint “<IdP endpoint>" ` -tenantRelyingPartyMetadataEndpoint  “<tenant endpoint>" ` -adminRelyingPartyMetadataEndpoint “<Admin endpoint>" ` –allowSelfSignCertificates

11 ADFS Configuration Configure Tenant Portal as RP to AD FS
Configure Admin Portal as RP to AD FS

12 Federation explained A federated identity is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems. Source: Wikipedia AD FS STS 1 STS 2 Contoso Application Federation Chain

13 Federated Login ~= Boarding a plane
Security / Gate Agent Check-in Agent ?!? Ticketing Agent ?!? Plane Access Ticket Ticket Boarding pass Credit Card Boarding Pass Passenger WAP token WAP Token Contoso token Credentials Contoso Token ?!? Contoso ?!? Resources WAP STS WAP Portal Access

14 Merging Control Plane and Data Plane
Microsoft Ignite 2015 3/20/2017 9:04 PM Merging Control Plane and Data Plane If the Data Plane is tied to the same Active Directory as the Control Plane, then the same identities can be reused across both planes Eg. You can log in to your VM with the same credentials as your Portal. This also goes for Websites, SB and SQL Portal Control Plane Service Management API Resource Provider Data Plane Mention that authN happens with a Different Token but with the same identity Resources (Websites, VM, etc..) © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

15 Integration with External Identity Systems

16 Setting up WAP with AD FS
Demo

17 About Tokens & Claims

18 Token Magic Capture tokens using Fiddler or other Request capturing software Alternatively, use the Get-MgmtSvcToken cmdlet to get a token Look at the request where the STS redirects back to the portal Base64 decode the ‘Bearer’ token in the request

19 Analyzing a JWT Token Demo

20 MFA fundamentals Mobile App Phone Call Text message

21 MFA fundamentals MFA is a feature of the Identity system
AD FS supports a variety of MFA providers that can be stood up in your Data center AAD supports a native MFA provider Windows Azure Pack receives a token as a part of the Token hand shake

22 Multi-Factor Authentication (MFA) with AD FS
Demo

23 Setting up WAP with AAD and MFA
Demo

24 Key Takeaways Identity Systems with Windows Azure Pack
AD FS and AAD integration with Windows Azure Pack Token Analysis

25 Resources If you’d like the decoded token to be shown in the Portal please add votes to the UserVoice Item at Windows Azure Pack Wiki Setting up Windows Azure Active Directory ACS to provide identities to Windows Azure Pack Federated Identities to Windows Azure Pack through AD FS (3-part blog series) Windows Azure Pack with ADFS and Windows Azure Multi-Factor Authentication (3-part blog series on Identity Fundamentals in Windows Azure Pack – White paper

26 3/20/2017 9:04 PM © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Download ppt "Microsoft Ignite /20/2017 9:04 PM"

Similar presentations

Agenda AD to Windows Azure AD Sync Options Federation Architecture

Agenda AD to Windows Azure AD Sync Options Federation Architecture
Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.

Authentication solutions for Outlook and Office 365 Multi-factor authentication for Office 365 Outlook client futures.
Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,

Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,
SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)

SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)
Troubleshooting Federation, AD FS 2.0, and More…

Troubleshooting Federation, AD FS 2.0, and More…
Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,

Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Troubleshooting Federation, AD FS 2.0, and More…

Troubleshooting Federation, AD FS 2.0, and More…
Paul Andrew. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.

Paul Andrew. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.
Mirek Sztajno SQL Server Security PM

Mirek Sztajno SQL Server Security PM
Agenda  Microsoft Directory Synchronization Tool  Active Directory Federation Server  ADFS Proxy  Hybrid Features – LAB.

Agenda  Microsoft Directory Synchronization Tool  Active Directory Federation Server  ADFS Proxy  Hybrid Features – LAB.
Protect your data Enable your users Desktop Virtualization Information protection Mobile device & application management Identity and Access Management.

Protect your data Enable your users Desktop Virtualization Information protection Mobile device & application management Identity and Access Management.
A deep dive into Azure AD B2C

A deep dive into Azure AD B2C
Recording Brief EMS Partner Bootcamp Variables Values Module Title

Recording Brief EMS Partner Bootcamp Variables Values Module Title
Identity; What you need to know to be in the Microsoft Cloud

Identity; What you need to know to be in the Microsoft Cloud
Implementing and Managing Azure Multi-factor Authentication

Implementing and Managing Azure Multi-factor Authentication
4/18/2018 1:15 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.

4/18/2018 1:15 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.
Throw away your DMZ Azure Active Directory Application Proxy deep-dive

Throw away your DMZ Azure Active Directory Application Proxy deep-dive
Microsoft Ignite 2016 4/27/2018 9:00 AM THR2016

Microsoft Ignite /27/2018 9:00 AM THR2016
Azure Active Directory - Business 2 Consumer

Azure Active Directory - Business 2 Consumer

Similar presentations

Ads by Google