Slide 1: Understand Hybrid Identity with Azure and Azure Stack
BRK4011, 7/18/2018 6:55 PM. Speaker: Shriram Natarajan. © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Slide 2: Hi, I'm Shri
Program Manager. I work on Identity, Authentication and Authorization, Azure Resource Manager, Hybrid Tools and Developer Experiences on Azure Stack. Tweet to
Slide 3: Agenda
- Hybrid cloud use cases
- Identity Fundamentals
- Authenticating with different Azure Clouds
- Multi Tenancy and Directory-based authentication
Slide 4: First things first…
Slide 5: Hybrid use cases: Azure and Azure Stack
- Edge and disconnected solutions
- Cloud applications that meet every regulation
- Modern applications across cloud and on-premises
Slide 6: Hybrid App Development Sessions at Ignite
Session / Title / Speaker:
- BRK3084: Microsoft Azure Stack hybrid apps and developer overview (Bradley Bartz)
- BRK3115: IaaS on Microsoft Azure Stack (David Armour, Scott Napolitan)
- BRK4011: Microsoft Azure Stack identity, multi-tenancy, and role-based access control (Shriram Natarajan)
- BRK3099: Developing hybrid apps on Microsoft Azure Stack (Ricardo Mendes)
- BRK4015: DevOps on Microsoft Azure Stack (Matthew McGlynn, Anjay Ajodha)
Slide 7: Have feedback on Azure Stack?
Want to provide your feedback direct to the engineering team? Join the Azure Stack customer research panel:
Slide 8: Identity Fundamentals
Slide 9: Identity Terminologies
- Active Directory + Active Directory Federation Services (ADFS)
- Azure Active Directory
- Organizations / Directories / Directory Tenants
- Users and Groups
- Applications
- Service Principals
Slide 10: Azure Stack Identity Fundamentals
- Works with AAD and AD FS
- OpenID Connect Protocol: Authorization Code Flow, Resource Owner flow
- Utilizes JSON Web Tokens (JWT)
- ADAL libraries for consistent hybrid Authentication
- Azure Tools for consistent hybrid resource management
Slide 11: Azure Stack with AAD – Single Tenanted
Diagram: Azure Active Directory (admindir.onmicrosoft.com) serves both the Admin Portal / Admin ARM and the Public Portal / Public ARM; Resource Providers sit behind ARM.
Use cases: Enterprises, Dedicated Hosting
Slide 12: Azure Stack with AAD – Multi Tenanted
Diagram: Azure Active Directory (admindir.onmicrosoft.com) serves the Admin Portal / Admin ARM; the Public Portal / Public ARM additionally accept tenants from other directories (Redmarker.onmicrosoft.com, Fabrikam.com via AD FS on-prem); Resource Providers sit behind ARM.
Use cases: CSP, Shared Hosting
Slide 13: Azure Stack with AD FS
Diagram: Portal, ARM and RPs, and Applications authenticate against the Stamp ADFS (adfs.azurestack.local), backed by the Stamp AD and AD Graph; the Stamp ADFS federates with the Customer ADFS (adfs.corp.contoso.com), backed by the Customer AD.
Use cases: Enterprises, Dedicated Hosting
Slide 14: DEMO: Azure Stack with AAD and AD FS configurations
Slide 15: Types of Identities
Users (Standard User Identities): authenticate through User ID/Password. Example: /
Service Principals: used for application authentication and automation; authenticate through an Id/Secret combination; the secret can be either a key or a certificate. Example: bfb84395-b5bb-4a0a-9d25-fbb9f8d3186f / 3gDcSnk5MAdefGxyDZAJks2xhohTie/vpAQ/2o=
Slide 16: Role Based Access Control
Slide 17: DEMO: Service Principal Creation, Authorization and Authentication
Slide 18: Directory based Authentication
Slide 19: Inviting Guest Users
Diagram: fabrikamClient.com, contosoConsulting.com, Other Directories
Slide 20: Multi tenanted Applications
Diagram: fabrikamClient.com, contosoConsulting.com, Other Directories
Slide 21: Inviting Guest Users
Diagram: fabrikamClient.com, contosoConsulting.com, Other Directories
Slide 22: DEMO: Authentication in a directory context
Slide 23: Cross-cloud Authentication
Slide 24: Information needed for Authentication
Specific to the installation of the cloud:
- Identity System's URL (Authority URL)
- ARM's App Identifier URL (ARM App ID URI)
- ARM's URL
Common across clouds for hybrid:
- Credentials
Slide 25: Token Exchange Protocol
Diagram: the client sends the Authority URL, the ARM App ID URI and its Credentials to the Identity System and receives a Token; the client then presents that Token to ARM at the ARM URL, and ARM validates it using the Identity System's Signing Certificate.
Token claims: { iss: <Authority>, aud: <ARM App ID URI>, iat: <dateStamp>, exp: <dateStamp>, … }
Slide 26: One solution to rule them all!!! Endpoints API
Slide 27: ARM Endpoints API
https://<ARM_URL>/metadata/endpoints?api-version=2015-01-01
Diagram: given the ARM URL, the Endpoints API returns the Authority URL and the ARM App ID URI.
Slide 29: ARM Endpoints API - Summary
- Unauthenticated
- Enumerates endpoints necessary for authentication
- Used by tools: Azure PowerShell and Azure CLI; SDKs and other tools to follow
- Works for both AAD and ADFS topologies
Flow: 1. Call the Endpoints API; 2. Use data in the API to authenticate; 3. Make an authenticated call to ARM
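The three-step flow above (call the Endpoints API, use its data to authenticate, call ARM) and the token claims from the Token Exchange Protocol slide, worked through as an added example in Python; this is not code from the talk or from Microsoft's tools. It assumes the documented response shape of `GET https://<ARM_URL>/metadata/endpoints?api-version=2015-01-01` (an `authentication` object with `loginEndpoint` and `audiences`); the host names, GUIDs, tenant id and tokens are constructed placeholders, and the issuer string is assumed to come from the authority's OpenID Connect discovery document, which a client fetches in practice. Signature verification against the identity system's signing certificate is performed by a real validator before any claim is trusted and is not shown here.

```python
import base64
import json

# Constructed sample responses in the shape returned by
#   GET https://<ARM_URL>/metadata/endpoints?api-version=2015-01-01
# Host names and GUIDs are placeholders, not values from a real deployment.
SAMPLE_ENDPOINTS_AAD = {
    "galleryEndpoint": "https://adminportal.local.azurestack.external:30015/",
    "graphEndpoint": "https://graph.windows.net/",
    "portalEndpoint": "https://adminportal.local.azurestack.external/",
    "authentication": {
        "loginEndpoint": "https://login.windows.net/",
        "audiences": [
            "https://management.admindir.onmicrosoft.com/00000000-0000-0000-0000-000000000001"
        ],
    },
}
SAMPLE_ENDPOINTS_ADFS = {
    "galleryEndpoint": "https://adminportal.local.azurestack.external:30015/",
    "graphEndpoint": "https://graph.local.azurestack.external/",
    "portalEndpoint": "https://adminportal.local.azurestack.external/",
    "authentication": {
        "loginEndpoint": "https://adfs.local.azurestack.external/adfs",
        "audiences": [
            "https://management.adfs.azurestack.local/00000000-0000-0000-0000-000000000002"
        ],
    },
}


def auth_parameters(endpoints, directory_tenant=None):
    """Step 2: derive from the unauthenticated metadata the two installation-specific
    values a client needs before requesting a token: the authority to talk to and
    the ARM App ID URI to ask for (which becomes the token's expected audience)."""
    auth = endpoints["authentication"]
    login = auth["loginEndpoint"].rstrip("/")
    is_adfs = login.endswith("/adfs")  # AD FS login endpoints end in /adfs
    if is_adfs:
        authority = login  # AD FS: the login endpoint is the authority itself
    else:
        if not directory_tenant:
            raise ValueError("AAD topology: a directory tenant to authenticate against is required")
        authority = f"{login}/{directory_tenant}"  # AAD: authority is scoped to one directory
    return {"authority": authority, "audience": auth["audiences"][0], "is_adfs": is_adfs}


def _b64url_decode(part):
    # JWT segments are base64url without padding; restore padding before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_claims(token):
    """Decode the payload segment of a compact JWT (header.payload.signature).
    The signature must already have been verified against the identity system's
    signing certificate; decoding alone proves nothing about who issued the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims, expected_issuer, expected_audience, now, leeway=300):
    """Step 3 precondition: the iss / aud / iat / exp checks a resource such as ARM
    applies before honouring a token. Returns a list of problems (empty = acceptable)."""
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        problems.append("audience mismatch")  # token was minted for a different resource
    if "exp" not in claims or now > claims["exp"] + leeway:
        problems.append("expired")
    if "iat" in claims and claims["iat"] > now + leeway:
        problems.append("issued in the future")
    return problems


def constructed_token(claims):
    """Build a sample compact JWT with a placeholder signature (constructed for this example)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


if __name__ == "__main__":
    params = auth_parameters(SAMPLE_ENDPOINTS_AAD, "admindir.onmicrosoft.com")
    print("authority:", params["authority"])
    print("audience: ", params["audience"])
    now = 1_600_000_000
    token = constructed_token({"iss": "https://sts.windows.net/placeholder-tenant-id/",
                               "aud": params["audience"], "iat": now - 60, "exp": now + 3600})
    print("problems:", check_claims(jwt_claims(token), "https://sts.windows.net/placeholder-tenant-id/",
                                    params["audience"], now))
```

The same `auth_parameters` call works for both topologies because the only signal a client needs is in the `loginEndpoint` value, which is why the talk can present one Endpoints API for AAD and AD FS; the audience check is the one that stops a token obtained for public Azure (`https://management.azure.com/`) from being replayed against an Azure Stack ARM.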
Slide 30: DEMO: Endpoints API; setting environment variables in PowerShell and CLI
Slide 31: Registration with Identity System
Slide 32: Azure Stack's Registered Applications
- ~18 apps are registered with the Identity system; includes admin and tenant services
- Essential to allow these services to interact with the directory
- ~9 propagated to new Directories during multi-tenancy setup
- The MT setup cmdlet in the tools repository uses this API
- If re-creating this functionality, exercise caution: custom implementations outside the context of the tools repo are not supported
Slide 33: Application Registrations API
Slide 34: Capability differences, AAD and AD FS topology
Table columns: Scenario / AAD Topology / AD FS Topology. Scenarios:
- Marketplace Syndication: Yes
- ADAL support: CLI, VS, PSH tools
- Create Service Principals with Certificates
- Applications can use Identity system for user sign-in: Yes* (* Apps must federate with Customer AD FS)
- Create Service Principals through Portal: No
- Create Service Principals with Secrets (Keys)
- Multi Tenancy
- Applications can interact with Graph Service
Slide 35: Summary
- Use the Endpoints API to help with Authentication across clouds
- Create Service Principals for application authentication
- RBAC for users and Service Principals
- Remember to authenticate to a specific directory
Slide 36: Please evaluate this session
From your PC or tablet: visit MyIgnite. Phone: download and use the Microsoft Ignite mobile app. Your input is important!
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.