Microsoft Ignite 2015 3/20/2017 9:04 PM © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Taking advantage of Identity capabilities in Azure Pack
Marc van Eijk, MVP
Shriram Natarajan, Program Manager
Agenda
Authentication & Identity Fundamentals
Integration with external Identity Systems
About Tokens and Claims
Authentication & Identity Fundamentals
Control Plane vs Data Plane
Control / Management Plane authentication: claims-based from the Portal up to the Service Management API; Basic Auth from the API to the Resource Provider.
Data Plane authentication: depends on the Resource Provider implementation.
Diagram: Portal -> Service Management API -> Resource Provider -> Resources (Websites, VM, etc.), with the Identity System serving the control plane.
Authentication Fundamentals
Claim / Token: a claim is a statement that one subject makes about itself or another subject; a token is a collection of claims.
Relying Party (RP) = Application: the entity that relies on an Identity System to provide information about the user.
Federation Service = Security Token Service (STS): accepts requests and issues security tokens containing claims.
Identity Provider (IdP) / Claims Provider: an issuer that validates user credentials such as user name/password and certificates.
WAP Authentication flows - Portal
Parties: User Browser; Identity System (Federation Service and Identity Provider, with its Login Page); Relying Party (Windows Azure Pack Portal); Service Management API (Admin API, Tenant API).
Steps:
1. User browses to the portal without claims
2. Portal redirects to the Identity System
3. Identity System shows the Login Page
4. User enters credentials
5. User is authenticated
6. Token is issued to the user
7. User uses the Token to access the portal
8. Portal grants access to Resources
WAP Authentication flows - Non-Portal: Admin and Tenant API Access
Used during Custom Portal/Panel integration and Automation scenarios.
Steps:
1. Client contacts the Identity System with credentials
1.5. If there are multiple STSs, the Client traverses the chain, presenting the token it received from the previous STS in the chain to the next one
2. Identity System validates the credentials/token and issues a token (T1)
3. Client uses the token (T1) to call the API
Diagram labels: Custom Portal / Automation, Identity System, Re-sign, Service Management API (Admin API, Tenant API).
WAP Authentication flows - Non-Portal: Tenant Public API Access
Used during Tooling scenarios like PowerShell, Visual Studio, etc.
Steps:
1. User uploads the Private Key (PFX) of the certificate to WAP
2. User provides the Public Key (CER) of the certificate to the client
3. Client uses the certificate to call the Tenant Public API
Diagram labels: User Browser, Client, Windows Azure Pack Portal, Service Management Tenant API, Service Management Tenant Public API, Certificate Private Key, Certificate Public Key.
ADFS Configuration
Configuring AD FS with WAP typically involves 4 steps:
1. Install and configure the AD FS farm:
Install-AdfsFarm -CertificateThumbprint <String> -FederationServiceName <String> -ServiceAccountCredential <PSCredential> -SQLConnectionString <String>
2. Configure the management portals to trust AD FS:
Set-MgmtSvcRelyingPartySettings -Namespace @("AdminSite","TenantSite") -MetadataEndpoint https://$fqdn/FederationMetadata/2007-06/FederationMetadata.xml -ConnectionString $ConnectionString -DisableCertificateValidation
3. Configure the tenant authentication site to trust AD FS:
Set-MgmtSvcIdentityProviderSettings -Namespace AuthSite -MetadataEndpoint https://$fqdn/FederationMetadata/2007-06/FederationMetadata.xml -ConnectionString $ConnectionString -DisableCertificateValidation -ConfigureTenant
4. Configure AD FS to trust the management portals:
configure-adfs.ps1 `
  -identityProviderMetadataEndpoint "<IdP endpoint>" `
  -tenantRelyingPartyMetadataEndpoint "<tenant endpoint>" `
  -adminRelyingPartyMetadataEndpoint "<Admin endpoint>" `
  -allowSelfSignCertificates
ADFS Configuration (screenshots)
Configure Tenant Portal as RP to AD FS
Configure Admin Portal as RP to AD FS
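An added check, not from the deck: steps 2 and 3 trust whatever the metadata endpoint returns, and -DisableCertificateValidation additionally skips TLS validation of that endpoint (acceptable for a lab with self-signed certificates, not for production), so read the AD FS federation metadata first and compare the entityID and token-signing certificate thumbprints with what the AD FS server itself reports. The function name, its parameters and the $fqdn variable are assumptions.

```powershell
# Added example (not from the deck): inspect AD FS federation metadata before
# trusting it in Windows Azure Pack. Written for Windows PowerShell 5.1.
function Get-FederationMetadataSummary {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,
        # Lab-only switch for self-signed AD FS certificates (the same reason the
        # deck passes -DisableCertificateValidation); leave it off in production.
        [switch] $AllowUntrustedTls
    )
    $uri = "https://$Fqdn/FederationMetadata/2007-06/FederationMetadata.xml"
    if ($AllowUntrustedTls) {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    }
    [xml] $md = (Invoke-WebRequest -Uri $uri -UseBasicParsing).Content

    # entityID is the issuer that appears in the 'iss' claim of AD FS tokens;
    # WAP's relying-party settings end up trusting exactly this value.
    $entityId = $md.EntityDescriptor.entityID

    # Token-signing certificates sit under KeyDescriptor use="signing".
    # Namespace prefixes vary between AD FS versions, so match on local-name().
    $xpath = "//*[local-name()='KeyDescriptor'][@use='signing']//*[local-name()='X509Certificate']"
    $signing = foreach ($node in $md.SelectNodes($xpath)) {
        $raw  = [Convert]::FromBase64String($node.InnerText.Trim())
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
        }
    }

    [pscustomobject]@{
        MetadataUri  = $uri
        EntityId     = $entityId
        SigningCerts = $signing | Sort-Object Thumbprint -Unique
    }
}

# Usage ($fqdn assumed to hold the AD FS service name); compare each thumbprint with
# Get-AdfsCertificate -CertificateType Token-Signing run on the AD FS server.
Get-FederationMetadataSummary -Fqdn $fqdn -AllowUntrustedTls | Format-List
```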
Federation explained
A federated identity is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems. Source: Wikipedia, http://en.wikipedia.org/wiki/Federated_identity
Diagram (Federation Chain): AD FS, STS 1, STS 2 and the Contoso Application.
Federated Login ~= Boarding a plane
Passenger = User@contoso.com
Credit Card = Credentials
Ticketing Agent = Contoso (the user's home identity system)
Ticket = Contoso token
Check-in Agent = WAP STS
Boarding pass = WAP token
Security / Gate Agent = WAP Portal
Plane Access = access to Resources
The passenger buys a Ticket with a Credit Card, exchanges the Ticket for a Boarding Pass at check-in and shows the Boarding Pass at the gate; likewise the user obtains a Contoso token with credentials, exchanges it for a WAP token at the WAP STS and presents the WAP token to the WAP Portal to reach the Resources.
Merging Control Plane and Data Plane
If the Data Plane is tied to the same Active Directory as the Control Plane, then the same identities can be reused across both planes, e.g. you can log in to your VM with the same credentials as your Portal. This also goes for Websites, SB (Service Bus) and SQL.
Note: authentication on the data plane happens with a different token, but with the same identity.
Diagram: Portal -> Control Plane (Service Management API, Resource Provider) -> Data Plane (Resources: Websites, VM, etc.).
Integration with External Identity Systems
Setting up WAP with AD FS Demo
About Tokens & Claims
Token Magic
Capture tokens using Fiddler or other request-capturing software; alternatively, use the Get-MgmtSvcToken cmdlet to get a token.
Look at the request where the STS redirects back to the portal.
Base64-decode the 'Bearer' token in the request.
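The Base64 decoding step above, as an added example that is not part of the deck: a PowerShell decoder for a bearer JWT (three base64url segments, header.payload.signature) that shows the claims WAP receives. It only decodes; it proves nothing about who issued the token until the signature is checked against the STS signing certificate. The function names and the sample token are constructed for this example.

```powershell
# Added example (not from the deck): decode a WAP bearer token (a JWT) to inspect
# its claims. Decoding only: the signature is NOT verified here.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)] [string] $Text)
    # JWT segments are base64url: '-' -> '+', '_' -> '/', '=' padding stripped
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw 'Invalid base64url segment length' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertFrom-Jwt {
    param([Parameter(Mandatory)] [string] $Token)
    # Tolerate a token copied straight out of an 'Authorization: Bearer ...' header
    $Token = ($Token -replace '^\s*Bearer\s+', '').Trim()
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Expected header.payload.signature, got $($parts.Count) segments" }
    $header  = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
    $payload = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$payload.exp)
    [pscustomobject]@{
        Algorithm    = $header.alg    # 'none' or an unexpected alg is a red flag
        SigningKeyId = $header.x5t    # AD FS typically puts the signing cert thumbprint here
        Issuer       = $payload.iss   # must match the STS entityID that WAP trusts
        Audience     = $payload.aud   # must be the WAP relying-party realm
        ExpiresUtc   = $expires.UtcDateTime
        IsExpired    = [DateTimeOffset]::UtcNow -gt $expires
        Claims       = $payload       # everything else: upn, group claims, etc.
    }
}

# Constructed sample (not a real WAP token): header + payload + dummy signature.
$hdr = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('{"typ":"JWT","alg":"RS256","x5t":"SAMPLE"}')).TrimEnd('=')
$pl  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('{"iss":"http://adfs.contoso.com/adfs/services/trust","aud":"http://azureservices/TenantSite","upn":"user@contoso.com","exp":1735689600}')).TrimEnd('=')
$sample = ($hdr, $pl, 'c2lnbmF0dXJl') -join '.'
ConvertFrom-Jwt -Token $sample | Format-List
# With a live token, pass the string returned by Get-MgmtSvcToken, or one copied from Fiddler, as -Token.
```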
Analyzing a JWT Token Demo
MFA fundamentals
Second-factor methods: Mobile App, Phone Call, Text message
MFA fundamentals
MFA is a feature of the Identity system.
AD FS supports a variety of MFA providers that can be stood up in your data center.
AAD supports a native MFA provider.
Windows Azure Pack receives a token as part of the token handshake.
Multi-Factor Authentication (MFA) with AD FS Demo
Setting up WAP with AAD and MFA Demo
Key Takeaways
Identity Systems with Windows Azure Pack
AD FS and AAD integration with Windows Azure Pack
Token Analysis
Resources
If you'd like the decoded token to be shown in the Portal, please add votes to the UserVoice item at http://aka.ms/showclaims
Windows Azure Pack Wiki
Setting up Windows Azure Active Directory ACS to provide identities to Windows Azure Pack
Federated Identities to Windows Azure Pack through AD FS (3-part blog series)
Windows Azure Pack with ADFS and Windows Azure Multi-Factor Authentication (3-part blog series on http://www.hyper-v.nu)
Identity Fundamentals in Windows Azure Pack (white paper)