windows azure app fab security

steve plank "planky"
architectural evangelist, microsoft uk
[email protected]
http://blogs.msdn.com/plankytronixx


agenda

• access control service and adfs 2.0
• windows azure connect
• domain-joining a windows azure instance

connecting to the outside world

(diagram: on-premise ad with a username/password logon dialog; adfs 2 federating to acs; internet identity providers google, yahoo, live id and facebook; appfabriclabs ctp available now; identity providers enabled per application via tick-box ip config)

security token service

• service that issues tokens
  – give it "something":
    • user-id/password
    • x.509 cert
    • another security token
  – get a security token back:
    • saml
    • swt
    • "cookie"
    • custom

(diagram: "something" goes into the sts, a security token comes out)

claims transformation

claims going into the sts:
  title: buyer
  email: [email protected]
  dept: engineering
  tel no.: 01234 567 890

claims coming out of the sts:
  title: purchaser
  email: [email protected]
  dept: engineering
  tel no.: +441234 567 890
  £limit: £5m

transformation rules applied by the sts:
  if title == "buyer" AND department == "engineering": purchaselimit = "£5m"
  if title == "buyer" AND department == "stationery": purchaselimit = "£50"
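As an added example (not from the slides), the claims-transformation rules on this slide carried through in Python: the "before" claim set is fed to a function standing in for the STS, which passes through the claim types it recognises, renames buyer to purchaser, rewrites the telephone number to +44 form and adds the £limit claim from the title/department rules. The sample input is constructed; the placeholder email, the allow-list of claim types and the behaviour of dropping claim types the STS does not vouch for are assumptions of this example, not something the slides state.

```python
# Added example (not from the slides): a minimal claims-transformation step
# of the kind an STS / federation provider performs on incoming claims.
from typing import Dict, Tuple

Claims = Dict[str, str]

# Constructed sample input, matching the "claims going into the sts" table.
# The slide's email address is redacted, so a placeholder is used here.
SAMPLE_INPUT: Claims = {
    "title": "buyer",
    "email": "user@example.invalid",
    "dept": "engineering",
    "tel no.": "01234 567 890",
}

# Purchase-limit rules from the slide: (incoming title, department) -> limit.
PURCHASE_LIMITS: Dict[Tuple[str, str], str] = {
    ("buyer", "engineering"): "£5m",
    ("buyer", "stationery"): "£50",
}

# Claim types this STS is prepared to re-issue (assumption: everything else
# is dropped, so the outgoing token carries only claims the STS vouches for).
ALLOWED_CLAIM_TYPES = {"title", "email", "dept", "tel no."}


def normalise_uk_tel(tel: str) -> str:
    """Rewrite a UK national number (leading 0) into +44 international form.

    Spacing is preserved so "01234 567 890" becomes "+441234 567 890".
    """
    tel = tel.strip()
    if tel.startswith("0"):
        return "+44" + tel[1:]
    return tel


def transform_claims(incoming: Claims) -> Claims:
    """Build the outgoing claim set from the incoming one.

    The incoming mapping is never mutated: a new dict is issued, mirroring
    the way an STS issues a fresh token rather than editing the one it got.
    """
    outgoing: Claims = {k: v for k, v in incoming.items() if k in ALLOWED_CLAIM_TYPES}

    # Vocabulary mapping: the relying party knows a "buyer" as a "purchaser".
    if outgoing.get("title") == "buyer":
        outgoing["title"] = "purchaser"

    # Format normalisation of the telephone claim.
    if "tel no." in outgoing:
        outgoing["tel no."] = normalise_uk_tel(outgoing["tel no."])

    # Derived claim: the rules are written against the *incoming* title,
    # so evaluate them on the original values, not the renamed ones.
    rule_key = (incoming.get("title", ""), incoming.get("dept", ""))
    if rule_key in PURCHASE_LIMITS:
        outgoing["£limit"] = PURCHASE_LIMITS[rule_key]

    return outgoing


if __name__ == "__main__":
    for claim_type, value in transform_claims(SAMPLE_INPUT).items():
        print(f"{claim_type}: {value}")
```

Keeping the rule table keyed on the incoming values matters: once the title has been rewritten to "purchaser", a rule that looked for "buyer" on the outgoing set would silently never fire, and the relying party would receive no limit claim at all.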

roles

• claims store: stores claims
  – email, firstname, telno, etc. (e.g. active directory)
• identity provider (ip): authenticates users, issues tokens
  – user-id/pwd, x.509, smartcard, etc. (e.g. adfs2, acs)
• federation provider (fp): token in, token out
  – claims transformation (e.g. acs)
• relying party (rp): the app that consumes tokens
  – e.g. an app on windows azure using wif, plankytronixx.com
• trust: links rp to ip, fp to ip, etc.

acs/adfs authentication flow

(diagram: user logs on with ctrl-alt-del against the ad dc; adfs 2 issues a token; a federation trust links adfs 2 to app fab acs, and a trust links acs to the web app)


windows azure connect: what is it?

• standard protocols: SSL, IPSec
• example use cases:
  – azure app & on-premise sql server
  – domain-joined azure instances
  – remote admin & troubleshooting
• simple setup

(diagram: windows azure roles connected to an on-premise network)

availability

• ctp available now; sign-up at http://windows.azure.com
• components:
  – subscription (portal)
  – 1.4 sdk (download)
  – agents (download from portal)
• release in h1 2011
• support for vpn devices in future

virtual network

• point-to-point connections determined by network policy, set in the windows azure portal
• IPv6 over IPsec, point-to-point connection, carried in an ssl tunnel
• firewall: outbound port 443 (ssl) only
• relay service brokers the connection between windows azure and on-premise
• connect agents run on the on-premise machines
• grouping: on-premise machines are placed in groups (group a, group b, group c) and linked to roles (role1, role2, role3)

a quick word about remote desktop

• rdp from the portal goes via the internet
• rdp from on-premise to a windows azure role goes direct over connect

(diagram: on-premise, windows azure and the portal)


domain-joining an instance

• required info (supplied in the .cscfg):
  – domain name
  – ou
  – local admin accts
  – creds with permissions for domain-join
• applies to web, worker and vm roles

(diagram: corporate AD with an on-premise domain controller/dns, joined by the windows azure role)


• blogs.msdn.com/plankytronixx