Outsourcing Federation: The Azure Access Control Service
Formal Metadata
Title: Outsourcing Federation: The Azure Access Control Service
Title of Series: NDC Oslo 2012
Number of Parts: 110
License: CC Attribution - NonCommercial - ShareAlike 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this
Identifiers: 10.5446/51013 (DOI)
NDC Oslo 2012, part 66 / 110
Transcript: English (auto-generated)
00:01
Okay, hi, welcome. So, security and cloud computing in the same talk seems to be a very niche topic. Well, that's fine. The smaller we are as a group, the more we can, you know, talk about very specific things. If you have questions, you know,
00:22
you can give me a sign all the time and I will try to answer them. So here in this box are some books. So I've worked with Microsoft last year on a book called A Guide to Claims-Based Identity and Access Control, and
00:40
these things don't exist as printed versions. They only exist as PDF. So Microsoft was kind enough to send me 103 copies. So if you want one, just take one after the talk, first come first serve, and there are also more at the Programutvikling booth. So if you're interested in that, you know, have fun.
01:03
So, my name is Dominick, and you know all the usual marketing blurb. The really important piece of information here is my email address. So if you have any questions, write me an email. I'm really happy to help you. And you see this little link,
01:22
that is basically the link to my slides and to the source code I'm showing you, and, you know, everything basically for all the talks I did this week at NDC. Okay, cool. So, we want to talk about the Azure Access Control Service, and I just had
01:42
to change the title. By the time I submitted the talk, it was called the Azure AppFabric Access Control Service. Now they dropped the AppFabric brand and it's now just the Access Control Service, and just Azure Service Bus, and just Azure Caching. And you also heard that tonight is basically this Meet event, so they will
02:06
release a whole bunch of new features today on Azure. And there's also the Microsoft surprise, if you looked at the NDC poster, which is also today. So if I would make any predictions, it's the same thing.
02:21
But yeah, so basically today there will be a release of a bunch of new features that many people have asked for. One, I guess one of the biggest ones, is persistent virtual machines. So you can just go to the website now, say I want to have a Windows Server 2008, click, and you get a virtual machine provisioned and you can run your code in there. And you can do that with Linux as well now.
02:43
So they support Ubuntu and SUSE and so on, so pretty interesting news. The whole thing that used to be called AppFabric works at a different abstraction level. So it's basically like higher-level services that you can use in your applications.
03:00
There, you know, the core hosting stuff in Azure is more for things like running in the cloud. All of these AppFabric services, like the Azure Access Control Service, they are just services running in the cloud, and you can use them either from on-premise or from the cloud or wherever you want. So I won't run any code in the cloud.
03:22
It's all running on my local laptop, but I still can use the Access Control Service. So that's not a prerequisite. It's more like, we all know that hybrid applications are a reality, so I guess no one can simply just move the whole application to the cloud and be happy. We will always have a combination of on-premise and
03:41
local and cloud stuff, and the Access Control Service is one thing that can tie these things together from a security point of view. So we'll have a look at that. So which problem does Microsoft try to solve with the Access Control Service? Why would you pay money for that? Because ultimately this thing costs money, and I'll show you later how much.
04:07
So the whole idea is that they want to help with a problem that is very common these days, and that is authentication and authorization. Now, when you're building an application or a service, you have to
04:21
answer a number of questions to yourself when it comes to security. So for example, where will this service be hosted? Is it internal? Is it external? Is it in the cloud? When it's internal, you already have an existing security system, like your Active Directory, for example, which you can just use. Now, as soon as this application lives outside the bounds of your intranet, you can't use Active Directory anymore,
04:45
yeah, like at a hoster or in the cloud. So you need something different. Yeah, and the next thing is, what type of application is that, or what type of service are you writing? What are your clients? Are they, you know, internal clients like employees? Are they customers?
05:01
Yeah, what type of life form are they, carbon or silicon? Yeah, is it like a machine-to-machine communication or a human-to-machine communication, for example? And obviously, again, this all plays in. Employees are typically things that exist in your local domain, whereas if this service lives externally, how can you make the connection between them?
05:24
Yeah, what types of devices do you have to support? Yeah, is it desktop, mobile, web? Because every device has its own or preferred way of how to do authentication. They support different protocols. Yeah, for example, for a desktop application it is okay to use SOAP.
05:41
It isn't okay to use SOAP in a mobile application, because mobile stacks don't have SOAP support typically. Web applications, you know, run in the browser, so they also have a different set of requirements. The next thing is, what type of security systems do you have to support? So is it like a typical
06:04
intranet-style application where you have like your directory service, like IBM, Novell or Oracle or Microsoft or whatever? Or is it more like, you know, the cool new stuff? You want to have web identities like Facebook and Google and Live
06:22
ID, and Microsoft, of course, that is Live ID. Or Yahoo, for example, or others. Or is it even both? Right, so I have a number of customers these days that build different versions or different SKUs of the same application. For example, they have like the small business version where people can log on with a Google account or with a Facebook account.
06:46
Yeah, it's like installed on a single system, you authenticate with Google, you use the services. Then they have like the intranet version that is more optimized for Active Directory, and they have the cloud version of the same software, and that is typically a combination of both.
07:03
So they want to support customers coming with Active Directory accounts and customers coming with Google accounts, depending on, you know, what type of deal they have with you. So, if you can answer every single question with just one single answer,
07:23
yeah, like if it's totally clear for you, you only need Active Directory, it will run internally, it will only do desktop clients, then maybe the Access Control Service isn't all that important or interesting for you. Because the sweet spot with the Access Control Service starts when you have multiple requirements.
07:42
Okay, so you need to support Active Directory and Google, you need to support internal and external users, you need to support mobile and desktop clients, for example. Yeah, this is where it starts to get interesting to look into a product like Access Control Service.
08:01
So what would be the possible solutions to that problem, if you have to implement something like that? And obviously, the one thing: we are all developers, right, so we can make everything happen. So you can build it all yourself. Yeah, you can write an application that understands Windows integrated authentication, at the same time have code for doing OpenID, for doing WS-Trust and WS-
08:26
Federation and SAML tokens and JSON Web Tokens and so on. You could write all that code, and you would end up with an enormously complex application that, from a security point of view, maybe it's also very hard to test if this thing really does what you want. Yeah.
08:44
Obviously, when we have more than one application, we need to replicate that code for every application. Yeah, so this is maybe the one that I wouldn't recommend at all. Yeah. A very typical pattern these days to solve these kinds of problems is to build something, or to use something, called a
09:00
security token service. And the idea is that your app, the application itself, doesn't need to know anything about these security requirements or authentication requirements, and there's a separate piece of software called a security token service which implements all these protocols. Yeah, brokers the trust between your business partners and customers and the various identity providers
09:21
you want to employ, and your application just uses that service and is shielded from all the details. Meaning, first of all, that means that you can write a piece of software which only does authentication, and you have an application which
09:41
concentrates on business logic, so it's much, much easier to maintain the two parts. The next thing is, when you have more than one application, they can just reuse that service. Yeah, this is one service and you don't have to replicate that code again. So these are the two do-it-yourself solutions now, and obviously I wouldn't recommend solution 1. I
10:04
did, for a number of customers, solution 2. And the thing we are talking about today is solution 3, basically using a third-party product, and that is the Azure Access Control Service. It is special in a way that it doesn't come as a box product. You won't get a DVD or download, but it's a service running in the cloud
10:25
which has a web interface, which has a REST interface, so you can integrate with your own management, and it has, and that's the most important thing I guess, it has a service level agreement. Yeah, so let Microsoft sort out security, and if it goes wrong, we have someone to blame. Yeah, at least not us.
10:46
Let them sort out manageability, let them sort out availability, let them sort out scalability. Okay, I don't care. Well, I trust Microsoft to do all these things in a correct way for us, and that is really
11:01
the biggest question you have to ask yourself. It's always trust versus control, right? If you're writing the stuff yourself, you can control everything. If you're doing it in the cloud, you have to trust the provider. There is no control anymore in the cloud. Okay, so that is basically the big question you have to ask yourself: which way do I want to go?
11:22
So since this is a talk about ACS, we'll look at ACS. So what is the Access Control Service? So it's basically a service built by Microsoft, running in Microsoft's data center, that is a security token service. Okay.
11:40
Basically, what you do is you provision your own copy of that, or your own instance of that token service. You go to a portal, you can basically provision that thing, you can specify where it should run. Should it run in Europe or in America or in Asia, and in which region should it run?
12:00
And then you start configuring this thing. So it has support for various protocols. So for example, it supports WS-Trust, which is the authentication protocol for SOAP-based services. It supports WS-Federation, which is the authentication protocol for web applications. It supports OpenID, which is the thing that Google, Facebook and friends do. And it supports WRAP and OAuth, which are
12:22
upcoming, emerging protocols around doing delegated authorization. So these things are implemented for you and are ready to use. Yeah, so I guess that's it for the slides for now, and we just do it. So,
12:42
basically what you do is, if you want to try this out, you need an account for Windows Azure. You go to windows.azure.com, you end up at this portal, which sometimes takes a bit to load. That is, by the way,
13:03
it isn't able to right-click, but if it were able to right-click, I would see Silverlight. Yeah, and that is, by the way, another thing they're gonna announce today: they will throw away the Silverlight front end and turn it into HTML5. So you go to Access Control Service, access control, and then we see so-called namespaces, and basically namespaces are the instances I just talked about.
13:34
Yeah, so you can go to new namespace. Yeah, and basically what you specify here is the name, now like my
13:45
ACS, and I guess this is not available. No, this is already taken. Yeah, and then you can specify the geographical region you want to have this thing running. So typically you want to choose something that is closest to either you or to the users, your customers, your partners,
14:04
wherever you want to deploy this thing. There's also another service in Azure called the Azure Traffic Manager, and the idea of that is that you can have multiple replicated deployments, one running in Asia, one running in Europe, one running in America, and you have one DNS entry point,
14:22
and that DNS server runs at Microsoft again, and they can calculate where the user is coming from, and based on that calculation they give him the nearest data center to talk to. Yeah. Funny story behind that: what do you think is the closest one to Norway?
14:45
Should be north, right? So north is Amsterdam and west is Dublin. Okay, so typically I choose west. Good. We don't do that because it takes a little bit of time.
15:00
I already created one. Yeah, it's called NDC demo, and now this is my instance, and you can see basically you get a URL, and you see demo dot access control dot windows dot net. Now, this is your instance of this Access Control Service. And then what you typically do is you start adding, but the first thing is, just start adding applications to it.
15:25
Okay, so, you know, you can already register applications that should use that authentication service. So I have an application here. It's pretty much, well, it's a plain MVC 3 template application, and
15:42
I want to, basically, I want to turn this into a service that uses ACS for authentication. How do we do that? So if you look at the web interface of ACS, there's a thing called application integration, and
16:02
here you can see there's a thing called the WS-Federation metadata, and this is basically an XML document containing all the details about Access Control Service. That's a standard document. It contains all these endpoints I talked about earlier, yeah, these application service endpoints and so on. And there's a tool that ships with
16:25
the so-called WIF SDK, or it's also part of .NET 4.5, which can parse that XML and modify your configuration file in your application to just do all the stuff you need to, to basically hook up your application with the Access Control Service.
16:44
So let's do that. So that is basically found in Administrative Tools, and then there's a thing called the Windows Identity Foundation Federation Utility. In the next version of .NET, or more exactly in the next version of Visual Studio, this is built into Visual Studio.
17:02
Basically, you have like a menu item called Identity and Access Control. So what this thing wants to know is: where is your web.config, so I can modify it. And a good advice from my side: make a backup copy first of it. Okay. And the other thing is, your application needs to have a name, right, a name that basically
17:26
can be used to associate this application with something we register in the Access Control Service later on. So that is, by default at least, the physical URL of your application. It doesn't have to be, but it makes things easier to get started.
17:40
And by the way, if you're doing any work with these technologies, they always want a trailing slash. If you forget the trailing slash, you'll regret it. You run into errors, okay. This isn't a bug really. If you look up the HTTP specification, that is really like how you specify a resource on the internet.
18:04
Yeah, it's just that most web servers, you know, allow you to omit it. Okay, what else do we need? We need the path to our web.config file, that's here.
18:23
So, and then we say where is the path to this Federation document, and that's here. So
18:41
that's it. We now look at web.config. I'll quickly walk you through some changes. So, first of all, here in the system.webServer section there is now a module
19:01
called the WS-Federation authentication module. This is basically the module that implements the authentication handshake between your local application and this Access Control Service. And there's also a new configuration section called microsoft.identityModel, that's here. And here basically what you specify is:
19:22
whenever you need authentication, yeah, go to this URL, this here, HTTPS, access control, blah blah, slash WSFederation. And this is basically the thing that will do authentication for you. After you're done, you're coming back to my application, I will send you a token, and you can use that token to authenticate the user.
19:42
Yeah, and how do we establish trust between these two, so we don't accept arbitrary tokens? That is done here in this section called the issuer name registry, and that basically says, okay, when this token is coming back from Access Control Service,
20:01
we make sure that the certificate that was used to sign the token has this thumbprint. Well, why are they using that thumbprint thing? Well, because that makes it easy for you. You don't have to deploy anything on your local server. You just need to know that string, and you can get that from ACS, or you can get it from the metadata,
20:23
and that's all you need to establish trust between the two. Good. So if I would run that, it would try to authenticate with ACS and we would get an error message because I haven't configured anything yet. Okay, so let's do that.
20:43
Close that down, close that down. Well, the first thing we do is we add an application. So this has a name, and we say demo app. This has a realm, and the realm is basically the thing that we have configured here
21:01
in config. Yeah, this realm thing, that is how we can make the connection between our application and the configuration entry in ACS. So we just copy that here. This is the return URL. So basically you can specify, when you are done with your work, where should we redirect you back, and that is typically the same URL as your realm.
21:27
And this here is the error URL. So let's say something went wrong during the authentication process: where should I send you error information to? And that is basically like a page in your application,
21:42
and what they do is they send you a JSON-encoded string which basically contains the error messages, and then you can do your own error handling inside of your application, which is much nicer than some weird error screen on some other server, right? Then you can specify the token format, that is typically SAML 2.0,
22:02
for Security Assertion Markup Language. And we can specify which identity providers we want to support, and if you do nothing at all, like extra configuration, you will get support for Windows Live ID. Just save that.
22:21
Okay. Now that should be enough. Let's try it. So let's run it again, and we get another error, and this time basically the error says: hey, okay, somehow authentication did succeed, but you didn't specify any rules so far, so
22:44
just because you can log on using a Live ID, because I have a Live ID, doesn't mean automatically that you get access to the application. So we also have to specify some rules. Yeah. And you know what, I should use a different browser so I don't have any cookies. Yeah.
23:06
Okay, so let's specify a rule. Let's just do a very simple one, I will explain later what's going on. Okay, and now let's see if it's working.
23:26
Hmm. Something has happened. So if you watched the browser bar closely you have seen we went from our application to Access Control Service, from Access Control Service to Live ID, from Live ID back to Access Control Service, and then back to our application. Yeah, there was a
23:44
flicker, if you like. Let's do this: live.com, just to show that to you more specifically. Sign out and do it again. Now I'm at the Live ID sign-in page and I enter my credentials.
24:23
I'm authenticated. So that means basically, without having to do... well, we will extend that, but what you get by default is you can offload your authentication to Live ID.
24:40
Okay, so you don't have to do that yourself anymore. Well, not everybody likes Live ID, and you know, that maybe is not your business case. So there are a number of things that you can enable. So if you go to identity providers here, you can add new ones. So there are basically two fundamental types of identity providers that you can add.
25:02
One is more like the corporate space, yeah, like WS-Federation, these things, ADFS, the Active Directory Federation Service. So more like corporate customer type of scenarios. And we can have these, you know, web identities as I like to call them: it's Google, Facebook, Yahoo, and so on. Yeah, so
25:26
let's add a Google account, for example. So we give that a name and say which application should use that. Okay, and if we go to rules now and say add a rule,
25:44
add a rule, you can see now we can choose. Okay, there are rules per identity provider, and you can see that different identity providers, Live ID for example, support different types of claims they can send you via the token service. Yeah, so you see that Live ID for example only supports a thing called the name identifier.
26:03
So they don't expose the email address of the user or they don't expose the name of the user. They just give you a stable identifier, meaning every time this same user comes back to your application it will have the same ID. Okay, and different users will have different IDs, meaning that you can now use that ID to hang off data in your local
26:25
application database, and you can make sure when this guy comes back you can recognize him. Okay. You see that Google is a little bit more lax here: they give you information like email address, name and name identifier. But still you should be careful. The only real
26:41
stable identifier is always the so-called name identifier, because I can't change the email of my Google account, the email address. Yeah, so you shouldn't use the email address as your primary key, for example, in your database, because people can't change that. Okay, but the name identifier is always stable. Okay, so let's just say I
27:04
wanna support any type of claim. And go back to my demo. Okay, and now what ACS is doing by default again is it gives the user a choice.
27:27
So, do you want to log in with a Live ID or do you want to log in with a Google account? Now I can click Google, and then Google says: hey, are you really sure you want to do that?
27:41
And allow, and you see by default it picks it up and I'm authenticated by Google now in that application. Okay. We can also add another one, let's add like a WS-Federation identity provider.
28:07
So in that case again they want to know, like, maybe that's the corporate identity provider, things like that, and again they want to have this federation metadata document. So we have an
28:22
STS out there, that is the thinktecture STS, the thing we're using internally for our logins and single sign-on, and this also has this federation metadata document, similar to the one you've just seen in ACS. So we can provide the URL to that, click save, and
28:53
again, if we run that, next time the user will be presented with that choice as well.
29:01
So now we have these options. So basically now you can write an application where your users can either sign in using your corporate Active Directory infrastructure, or a Google account, or a Live ID, and that is regardless of where the application is running. So it could be running in the internet, it could be running at a hoster, it could be running in the cloud. It doesn't matter anymore because these protocols take care of bridging the gap.
29:25
So again, let's take Google, just because it gives me the most information, and let me show you how you can access that actually. So let's go to our home controller here and put a breakpoint in our index and run it in the debugger.
29:45
Okay, Google. So when I go to watch, let's make it bigger, there's the User property on the controller. Yeah, and this is of type ClaimsPrincipal, and
30:05
I can drill into the identity and you see there's a thing called the claims collection. It has four claims basically, that is what Google is sending you via ACS. So you can see there's the name identifier, that is a
30:25
Google stable identifier. So as I said, this is the thing that the same user will always get when they come back. Then there's the email address of the user, and there's the name of the user, and there's another claim basically telling you via which identity provider the user was coming to your application. Okay?
30:45
So basically from this User property you would get all the information about the user. Makes sense? Any questions on that? Okay. So let's switch to another application which makes it a little bit easier to show what's going on.
31:05
Close that down, go here. So, you know, same template, just a little bit more features. So when I click on this claims thing here, I
31:22
again get this dialogue, and now I can also show you our corporate STS. So let's say I want to log into this application using my own thinktecture account, for example. I can click this link, then ACS goes to our thinktecture token service, I can log in
31:40
using whatever account I like, then our token service creates a token, sends it to ACS, and ACS sends it back to the application, and now the user is logged in via this corporate account. Or, as I said, he can log in using, you know, Facebook for example,
32:08
if that's what he likes to do. They also support other identity providers, but not via the web interface; there's an API for that, how you can add them.
32:26
Yeah, and you see... Who was it? Yes, by basically using Active Directory Federation Services.
32:43
So you have Active Directory, that is your Active Directory, and then you add ADFS to it, and that basically now does the token communication to ACS. So you can do basically a single sign-on with your domain account to the cloud.
33:05
Yeah. Yeah, I mean, you know, to simulate that, yeah, let's do this. Let's do that again. Basically, what you're asking for is, it's like a single sign-on. Yeah, so let's go to claims again, go to
33:25
this guy, and this time I will say basically enable single sign-on. This is much like Windows authentication, in that: do I now have an active authentication session with that token service? Yeah, so I log in.
33:41
Okay, when I close that and come back, you know, some hours later, and log into the application, choose the same one, I'm signed in. As soon as you have more than one identity provider, ACS will show you just the screen in between.
34:02
But there are ways to get around that. Yeah, so if you only add Active Directory to it, yeah, then you won't see that screen. Then you have to write some application logic for that.
34:23
Yeah, because you know, the browser is a dumb device, right? He can't know where you're coming from. No, ACS can't. ACS lives somewhere in the cloud, they don't know anything about your domain, right? They first have to ask you where you want to go,
34:41
where you're coming from. Yeah, I mean, yeah, that is a general problem. Yeah. I mean, another thing you can do is to say to the user: type in your email address, and based on the domain part we figure out where you're coming from, and then we redirect you to the right provider.
35:02
Where is the group policy running? Yeah, but... Tell who? Tell who?
35:20
So they're very simple. ACS doesn't know anything about the user until he has authenticated. Yeah, what you can do, in your IP subnet mask, or if he's coming... or if he has a Windows account, yeah, we can bypass that screen. Right, but if your application is running in the cloud as well, it can't detect if you have a Windows account.
35:47
Right, I've seen people doing it based on IP subnets, for example. So when you're coming from that IP subnet you are in the intranet; otherwise I will have to show you that selection screen. But there's basically no way around that. Yeah.
36:04
Okay, so... but tying into your question: you're right, this screen here is not the nicest way in the world
36:22
to let a user choose an identity. Yeah. There were many questions to Microsoft saying, why can't we customize that screen? Why can't we upload a CSS or an HTML or whatever, and you just show our version of that screen? And
36:41
do you see a problem there? Would you like it that someone creates a login screen and makes it look like the eBay login page? Yeah, so Microsoft can't allow that, yeah. They can't allow you to have full control over that screen, because otherwise you could do all kinds of spoofing
37:02
attempts. Yeah, like have a screen that looks like your bank, for example, and so on, and it's running at Microsoft. So it must be secure, right? So they don't do that. They give you another option. So when you go to application integration here, you can go to login pages and you say: hey, I want to have a login page for
37:22
this application here, and then they give you an HTML page that you can embed into your local application and can trigger that identity provider selection locally. So when I open that local HTML file, well, it looks like this.
37:40
Yeah, and if I go to page source, you can see basically... you can now customize this page to whatever you want. Okay, so that could for example be a page where you can do a pre-selection based on some criteria. Yeah, but it certainly won't be the Windows account, because this isn't available in the cloud.
38:06
If you look closer, there's also a URL here, it's slash v2 slash metadata slash identity providers JS, and that is a JSON feed that contains all of these identity providers that you have configured for this application.
38:21
So what you can also do is you can just totally load that thing yourself, parse it, and show it in any way you want in your application. So one example would be this, this would be more like the JavaScript style with jQuery, so we can say login
38:40
and then have something like this, for example, and we choose our Facebook account, for example, and then we can log in. Another approach I did for another customer is basically that on the login page, if we go to controllers, account controller,
39:04
sign in, we basically parse that JSON feed ourselves and then pass it as a model to our view, and then the view can display that information in any way it wants to. So if I run that and say sign in,
39:28
you see that looks like this now. Yeah, and again you can do a pre-selection or you can hide whatever you want based on some criteria, and again I can just click that and I'm logged in.
39:44
Yeah. Now, very very very important. Yeah. Now you are offloading authentication to some third party. Okay, that means
40:01
in dotnet we have this principal, this property called IsAuthenticated, I guess you all know that. So what do you think: this property, IsAuthenticated, when the user comes back from ACS into your application, will he be authenticated or not?
40:24
Well, obviously he is, yeah. You used a third-party service to authenticate a user, so now he is authenticated. That doesn't necessarily mean that he's a legal user of your application, right? That just means he has a Google account.
40:40
That's all it says, yeah. So I have a number of customers which played around with that stuff, and you know, the authorization element in that config, so people like to do something like this in system.web: authorization, deny users equals question mark. What does that mean? The user must be authenticated.
41:03
Yeah, and he is authenticated, just not by you, but by Google or by someone else. So they didn't realize that, because coming from the old intranet style of world, that really meant you have a Windows account, yeah, you were able to log on to the domain. So they just built an application and realized: wow, we just built, you know, a free to use
41:26
service for all Google users. So be careful with that. Yeah, so there's a good reason why authentication and authorization are two different things. Yeah, so here, well, first of all, this authorization element doesn't make any sense anymore anyways. Yeah, but your authorization shouldn't be based on the fact that this guy is authenticated,
41:43
it should be based on the fact that he is somehow registered with your application, and then you can flip a switch in a database and then he is a legal user of your application. So when we go to here, that's exactly what's happening here. So after I authenticated with Google, I
42:01
make a lookup in my application, say: hey, this is the guy Dominick from Google, is he already registered? And if that's not the case, he is forced to go to this screen first, and when he then creates an account, and you can use those claims coming from the identity provider to pre-populate these fields, and then you can register, and from that point on
42:23
you know, I have access to the real application. Yeah, so that's up to you really, but I just assume that you want to have real... I mean, it depends. Yeah. Some services decide to not do that at all, to make it as easy as possible to onboard you, and then give you
42:41
the chance to fill out a profile later on. But most of the time you really want to know who the user is, and to remember him when he comes back. Okay, what else can I show you? Another nice thing that you can do with this provider feed I just showed you:
43:03
for example, I have another customer that has built an application based on ACS, and part of it is a web application and part of it is a desktop application. So now there's kind of a
43:22
separation between the web and the desktop. So his question was now: can I write a WPF client, and the user logs in with his Google account to this WPF client, and we can use that Google token to authenticate with the back-end services? Yeah, and the first time I read about how that stuff really works I was kind of shocked,
43:42
but I think we just have to get used to that. Yeah, so if you're building these types of scenarios, either desktop applications, mobile applications like native mobile applications, or if you look at all these Windows 8 Metro stuff or the iPad stuff on iOS, the way to handle that is that you have to embed the browser control into your application.
44:05
Yeah, and then you basically invoke the browser, go to Google's login page, type in your password at Google, where it belongs to, if you think about it. Then this thing returns a token to you, into your local application. You cache that token, and from that point on you can use the token to access your back-end services,
44:21
which is much, much better than storing the user's password on that device, right? I mean, when I got this thing new, how often did I have to type in my password? Yeah, and where is it stored? Do I really trust all these applications to store my password securely? So with this new approach
44:42
the password is only stored at Google or at your identity provider, and what you get back is a token, and the token can be revoked by the end user. So if I click sign in here, what I'm doing is I'm pulling this JSON feed again, giving the user a choice how he wants to log in. Let's take Google again.
45:00
Now I have a token that is stored in my client application, and then I can call some service, and what the service does is it just returns the claims back to the client. Okay, and this can be done on any platform.
45:21
So basically there are several techniques how this works. One is that you just hook the Navigating event in the browser, and when they navigate back to a special URL that is known to your application, you just grab the token from either the query string or the POST body and then store it locally in your application.
45:41
That pattern is so popular that it's built into WinRT and also the iPad now; there are system APIs to open a browser and make that interaction between the app and the identity provider.
46:01
And for example, maybe you've already seen that, yeah, for example this here is a Twitter client. Yeah, so Twitter doesn't provide any authentication endpoints anymore, so when I wanna add my Twitter account here, yeah, I say add account, and this is a browser, and then I click that, then I enter my username and password here and
46:24
I say authorize app and get back a token, and from that point on the client app uses the token to access the Twitter services. Okay. So let's go back to the ACS portal. Let's see what else do we have.
46:40
So we have for example rules, so I quickly skipped that. But basically here you can specify... let's go one step back here. You can specify rules. So basically a rule is a way how to transform a claim coming from some provider
47:04
to an output claim that goes into your application. Yeah, and that can be used to do like raw authorization already, so you can put different users into groups, for example, and then based on that group you can do authorization in your application. So let's go back to access control.
47:21
I can show you a slide in between while this is running. Yeah, so basically the rule system is quite simple, it's basically an if-then rule, yeah, so
47:46
you can for example say that there are so-called pass-through rules, and you can say something like: if Alice is coming in, the name Alice, then pass that through to my application. Yeah, or if there is a
48:02
department claim coming in, pass that through to my application, or just pass them all through. That's what I just did in the demo. Yeah, then you can also do transformation rules, basically saying: okay, when there is a claim coming in of type department and the value is sales, then turn that into a role named customer management.
48:21
Okay, and in your application what you do is you just check for the role customer management, and when other people are coming into your application you can just write a rule that maps different types of input claims into these role claims, and your application is nicely shielded between you and all your external partners, for example.
48:42
Yeah, so you can have a nice indirection here. So let's quickly do that. Let's go to... let's see, which one are we using here?
49:06
Let's go to rule groups, sample app rules. So let's say add a new rule. Let's say for example
49:22
if a user from Google is coming in with the email address... as I said, you shouldn't do rules based on email addresses, I'm just doing it now. If a user is coming in with an email address of that... well, sorry, of this,
49:42
then create a role claim of type operator, for example. Sorry, operator. Okay, and you can also add a second input claim, so you can have if-and-then
50:03
rules. Let's save that. So if I now go back to my application here and log in via Google,
50:24
yeah, here it is. Yeah, here's my operator role. So I could now have some application logic that, you know, works on that role claim. You can also do other stuff, and that is called rule chaining. So you could have another rule saying
50:44
if there is a role claim of type operator, then create another claim, of type action for example. So this guy is
51:10
allowed to shut down machine. Okay, and let's add another one:
51:25
operator, he is also allowed at printer, whatever. I'm gonna run that.
51:53
You see now that I should have the "allowed to shut down machine" one.
52:01
The other one, I had a typo somewhere, I guess. Let's have a look.
52:28
Okay, so that basically means this is very easy now, in that you can write a rule, add someone to a role in ACS, and this role will expand to other claims in your application. Now that makes it very easy to do role based access control.
52:43
Good, so... Yeah, yes, there's a... let me show you the picture again. You see that there's a management API, this guy here. So there's a REST
53:01
service basically, and there's also a wrapper client library shipped as a sample from Microsoft that allows you to do that all programmatically. So yes, for example a very common scenario would be that you want to onboard a new customer programmatically. So he goes to your website and does some details, your credit card stuff and so on, and they say: okay,
53:20
please provision me, and then you use the REST API to create an identity provider, create rule sets for him, and all these things automatically. Yeah. Yes? No, ACS is not an identity provider, but... No, no, no, this has nothing to do with that. ACS is not an identity provider.
53:43
It doesn't deal with accounts. It just delegates to other identity providers. So yes, you could totally have your own identity provider which wraps a membership database and plug that into ACS. Yeah, but there's nothing built in, because specifically they don't want to deal with credentials. They are just procuring between different other credential providers.
54:07
No, no, okay. No, no, no, no, you can't. No, no, you can't. No, it's just a claim, just something that your application can look at. Yeah, it's just a simple rule.
54:21
Yeah, so maybe you have an application like a software as a service type, where someone signs up and there's, okay, who in your company should be the operator, so who can add other users for the company, and then he types in his name and then you just create a rule programmatically, and from that point on this guy can add other users to your system, for example.
54:42
Yeah, so it's really just a name-value pair that gets generated by ACS that your application can use. No. Okay. Any more questions? Good. What haven't I shown you?
55:02
Basically, when we go back to application integration, the same thing that I just showed you is also available for SOAP based services. So they have WS-Trust support, so you can do the same thing over SOAP based services. They also have an implementation of OAuth, but it's revision 13, and I think we are now by revision
55:22
I don't know, 26 or something. OAuth is an emerging standard for doing authorization. Yeah, that's it. So basically the same thing I just showed you is also available for SOAP, and that's really it. So the mission statement is very clear of ACS: it's a broker between identity providers,
55:42
giving you the freedom or the... well, how should I say that? Meaning you don't have to implement all these protocols, meaning you don't have to implement this interface to create rules and these things. Yeah, and maybe the last thing you should know is
56:02
the pricing. So first of all, it's free till December 2012, so if you want to play around with that, it's free till December. And then, after that, they have a so-called transaction based pricing, meaning every HTTP request you're making into ACS, maybe for accessing a token, maybe for creating a new rule, maybe for, you know,
56:25
doing a management call, is called one transaction, and you get 100,000 transactions for $1.99, which is really, really cheap. Okay, so that's almost a no-brainer if you want to play around with these different protocols.
56:41
You can easily calculate how much it will cost you to implement it yourself. But maybe you can't, because that's hard to calculate, but it will be a lot more. Yeah, so give it a try. The SLA also guarantees 99.9 percent uptime, which is still a few hours a year. So be aware of that.
57:00
Yeah, luckily we don't have a leap year here very soon. Yeah, any questions? That's the Access Control Service, quite a simple service. Yeah. Yeah.
57:29
Yes, absolutely. So again, let's run this again. So now think of that this thing is running in the cloud, yeah, and I'm a local user.
57:46
So when I go here, I can choose my local identity provider running in my local intranet. Yeah, and if I choose that, I typically have a single sign-on session with that already. If it's Active Directory, that's built in as a feature, right? So I click that, I click that,
58:10
and here we are. Okay. Yep. Yeah, so for example,
58:30
there are several ways of doing that, yeah, but the easiest one, yeah, you've just seen that. There were more tricky things, like maybe your multi-tenant application, they have different, you know, subdomain names for example, and based on the subdomain name
58:41
you could route them to a different one, and so on. So yeah, there are plenty of options. Yeah. Okay, any more questions? Anything? Good, then we can wrap that up. As I said, it's basically a token service as a service, if you want. Yeah, and by the way, maybe you have heard that announcement just a week ago:
59:06
what Microsoft has announced is a product called the Azure Active Directory. So basically it's an Active Directory running in the cloud, and there you get your users in the cloud again. Okay, and obviously ACS works together with that product.
59:22
So you basically can establish trust with a cloud hosted AD with some applications, for example. Yeah, but the details are not very clear at the moment, they just made an announcement. Maybe we are hearing more tonight about that new product. And yeah, besides that, take a book if you want to and enjoy the rest of the conference. Thank you.