Slide 1
Microsoft Ignite 2015 3/20/2017 9:04 PM
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Slide 2: Taking advantage of Identity capabilities in Azure Pack
Marc van Eijk, MVP
Shriram Natarajan, Program Manager
Slide 3: Agenda
- Authentication & Identity Fundamentals
- Integration with external Identity Systems
- About Tokens and Claims
Slide 4: Authentication & Identity Fundamentals
Slide 5: Control Plane vs Data Plane
Control / Management Plane authentication: claims-based up to the API; Basic Auth to the Resource Provider.
Data Plane authentication: depends on the Resource Provider implementation.
[Diagram: Control / Mgmt Plane (Portal, Service Management API, Resource Provider, Identity System) and Data Plane (Resources: Websites, VM, etc.)]
Slide 6: Authentication Fundamentals
Claim / Token: a claim is a statement that one subject makes about itself or another subject. A token is a collection of claims.
Relying Party (RP) = Application: the entity that relies on an Identity System to provide information about the user.
Federation Service = Security Token Service (STS): accepts requests and issues security tokens that contain claims.
Identity Provider (IdP) / Claims Provider: an issuer that validates user credentials, like user name/password and certificates.
Slide 7: WAP Authentication flows - Portal
Steps:
1. User browses to the portal without claims
2. Portal redirects to the Identity System
3. Identity System shows the Login Page
4. User enters credentials
5. User is authenticated
6. Token is issued to the user
7. User uses the Token to access the portal
8. Portal grants access to Resources
[Diagram: User Browser; Identity System (Federation Service, Identity Provider, Login Page); Relying Party (Windows Azure Pack Portal); Service Management API (Admin API, Tenant API); Token passed between them]
Slide 8: WAP Authentication flows - Non-Portal
Admin and Tenant API Access
Steps:
1. Client contacts the Identity System with credentials
1.5. If there are multiple STSs, the Client traverses the chain and gets the token to the previous STS in the chain
2. Identity System validates the creds/token and issues a token (T1)
3. Client uses the token (T1) to call the API
Used during Custom Portal/Panel integration and Automation scenarios.
[Diagram: Custom Portal / Automation; Identity System; Service Management API (Admin API, Tenant API); Re-sign; Token (T1)]
Slide 9: WAP Authentication flows - Non-Portal
Tenant Public API Access
Steps:
1. User uploads the Private Key (PFX) of the certificate to WAP
2. User provides the Public Key (CER) of the certificate to the client
3. Client uses the certificate to call the Tenant Public API
Used during tooling scenarios like PowerShell, VS, etc.
[Diagram: User Browser; Client; Windows Azure Pack Portal; Service Management Tenant API; Service Management Tenant Public API; Certificate Private Key; Certificate Public Key]
Slide 10: ADFS Configuration
Configuring AD FS with WAP typically involves 4 steps:

1. ADFS Configuration
   Install-AdfsFarm -CertificateThumbprint <String> -FederationServiceName <String> -ServiceAccountCredential <PSCredential> -SQLConnectionString <String>

2. Configure the management portals to trust AD FS
   Set-MgmtSvcRelyingPartySettings -MetadataEndpoint <AD FS metadata endpoint> -ConnectionString $ConnectionString -DisableCertificateValidation

3. Configure the tenant authentication site to trust AD FS
   Set-MgmtSvcIdentityProviderSettings -Namespace AuthSite -MetadataEndpoint <AD FS metadata endpoint> -ConnectionString $ConnectionString -DisableCertificateValidation -ConfigureTenant

4. Configure AD FS to trust the management portals
   configure-adfs.ps1 `
       -identityProviderMetadataEndpoint "<IdP endpoint>" `
       -tenantRelyingPartyMetadataEndpoint "<tenant endpoint>" `
       -adminRelyingPartyMetadataEndpoint "<Admin endpoint>" `
       -allowSelfSignCertificates

The -DisableCertificateValidation and -allowSelfSignCertificates switches accommodate self-signed certificates in test deployments; omit them where AD FS and the portals use certificates the machines already trust.
Slide 11: ADFS Configuration
Configure Tenant Portal as RP to AD FS
Configure Admin Portal as RP to AD FS
Slide 12: Federation explained
"A federated identity is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems." (Source: Wikipedia)
[Diagram: Federation Chain with AD FS, STS 1, STS 2, Contoso and the Application]
Slide 13: Federated Login ~= Boarding a plane
Airport                  WAP federated login
Passenger                User
Credit Card              Credentials
Ticketing Agent          Contoso
Ticket                   Contoso token
Check-in Agent           WAP STS
Boarding Pass            WAP token
Security / Gate Agent    WAP Portal
Plane Access             Access to Resources
Slide 14: Merging Control Plane and Data Plane
If the Data Plane is tied to the same Active Directory as the Control Plane, then the same identities can be reused across both planes.
E.g. you can log in to your VM with the same credentials as your Portal. This also goes for Websites, SB and SQL.
Note: authentication on the Data Plane happens with a different token, but with the same identity.
[Diagram: Portal; Control Plane (Service Management API, Resource Provider); Data Plane (Resources: Websites, VM, etc.)]
Slide 15: Integration with External Identity Systems
Slide 16: Setting up WAP with AD FS
Demo
Slide 17: About Tokens & Claims
Slide 18: Token Magic
- Capture tokens using Fiddler or other request-capturing software
- Alternatively, use the Get-MgmtSvcToken cmdlet to get a token
- Look at the request where the STS redirects back to the portal
- Base64 decode the 'Bearer' token in the request
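The decoding step above, and the claim/token definitions from slide 6, as an added example that is not from the deck, from Windows Azure Pack or from AD FS: a Python script that splits a compact JWT into its three segments, base64url-decodes the header and payload (restoring the "=" padding that the JWT format strips), lists the claims, and checks the nbf/exp validity window. The sample token, its issuer, audience and claim values are constructed here for illustration, and its signature segment is a placeholder. Decoding only reveals the claims; it does not verify them, which is the relying party's job against the STS signing certificate published in federation metadata.

```python
import base64
import json
import time

# Constructed sample header and claims, shaped like a bearer token an STS
# might issue to a portal. None of these values come from a real deployment.
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256", "x5t": "EXAMPLE-THUMBPRINT"}
SAMPLE_CLAIMS = {
    "aud": "http://example.invalid/TenantSite",          # constructed relying party id
    "iss": "http://sts.contoso.invalid/adfs/services/trust",  # constructed STS id
    "nbf": 1430000000,   # not valid before (Unix seconds)
    "exp": 1430003600,   # expires one hour later
    "upn": "alice@contoso.invalid",
    "groups": ["WAP-Tenants"],
}


def b64url_encode(raw: bytes) -> str:
    """Base64url-encode and drop the padding, as JWT segments do."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the stripped '=' padding, then base64url-decode."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def build_sample_token() -> str:
    """Assemble header.payload.signature; the signature is a placeholder, not a real one."""
    header = b64url_encode(json.dumps(SAMPLE_HEADER, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(SAMPLE_CLAIMS, separators=(",", ":")).encode())
    signature = b64url_encode(b"placeholder-not-a-real-signature")
    return f"{header}.{payload}.{signature}"


def decode_jwt(token: str):
    """Return (header, claims) from a compact JWT. Does NOT verify the signature."""
    if token.lower().startswith("bearer "):
        token = token[7:]                 # accept the raw Authorization header value
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims


def token_time_status(claims: dict, now: int) -> str:
    """Classify the token against its nbf/exp claims at time 'now' (Unix seconds)."""
    if "nbf" in claims and now < claims["nbf"]:
        return "not yet valid"
    if "exp" in claims and now >= claims["exp"]:
        return "expired"
    return "within validity window"


def summarize(token: str, now=None) -> dict:
    """What an analyst wants at a glance: algorithm, issuer, audience, subject, lifetime."""
    header, claims = decode_jwt(token)
    now = int(time.time()) if now is None else now
    return {
        "alg": header.get("alg"),
        "issuer": claims.get("iss"),
        "audience": claims.get("aud"),
        "subject": claims.get("upn"),
        "status": token_time_status(claims, now),
        "claim_names": sorted(claims),
    }


if __name__ == "__main__":
    tok = build_sample_token()
    print(json.dumps(summarize(tok, now=1430001800), indent=2))
```

Paste a captured token in place of build_sample_token() to inspect a real one; the x5t header names the signing certificate thumbprint, which is what a relying party must match against the federation metadata before trusting any of the claims shown.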
Slide 19: Analyzing a JWT Token
Demo
Slide 20: MFA fundamentals
- Mobile App
- Phone Call
- Text message
Slide 21: MFA fundamentals
MFA is a feature of the Identity system.
AD FS supports a variety of MFA providers that can be stood up in your data center.
AAD supports a native MFA provider.
Windows Azure Pack receives a token as a part of the token handshake.
Slide 22: Multi-Factor Authentication (MFA) with AD FS
Demo
Slide 23: Setting up WAP with AAD and MFA
Demo
Slide 24: Key Takeaways
- Identity Systems with Windows Azure Pack
- AD FS and AAD integration with Windows Azure Pack
- Token Analysis
Slide 25: Resources
If you'd like the decoded token to be shown in the Portal, please add votes to the UserVoice item at
- Windows Azure Pack Wiki
- Setting up Windows Azure Active Directory ACS to provide identities to Windows Azure Pack
- Federated Identities to Windows Azure Pack through AD FS (3-part blog series)
- Windows Azure Pack with ADFS and Windows Azure Multi-Factor Authentication (3-part blog series)
- Identity Fundamentals in Windows Azure Pack (white paper)