How AD has been re-engineered to extend to the
Cloud
Philippe Beraud, @philberdArchitect | Office of CTO | Microsoft France
A Brief History
Over the years, three main models have emerged and coexist:
1. Identity model of the "firewall age"
• Concept of security and administrative domains/realms
• Collection of resources tightly integrated under a single and closed administration
• Age of the organization's directory services and NOS, but also the beginning of meta-directories and other virtual directories to manage multiple identity silos
2. Identity model against the age of the Internet
• Consideration of suppliers, customers, and partners as a different category of objects, BUT still in the same "administrative domain"
• Declaration of these objects in various repositories while still needing unified management
A Brief History (cont'd)
Over the years, three main models have emerged and coexist:
3. First generation of the identity ecosystem model
• Concept of the so-called extended enterprise for collaboration with suppliers and partners as well as interaction with customers
• Age of Web SSO and of identity federation: a HUGE step crossed, BUT ALSO a lot of complexity, burdens, etc.
About Windows Server Active Directory (AD)
Windows Server Active Directory (AD) illustrates the products and technologies that sustain these three models:
• AD is an on-premises LDAP v3 (RFC 4510 compliant) Directory Service
• Active Directory Domain Services (AD DS)
• Active Directory Lightweight Domain Services (AD LDS)
• With complementary services
• Active Directory Federation Services (AD FS)
• Active Directory Certificate Services (AD CS)
• Active Directory Rights Management Services (AD RMS)
• Forefront Identity Management (FIM)
Towards a New Identity Model
Identity (and Access) Management as a Service (IdMaaS)
• Commodities accessible to EVERYONE
• "Organization-owned" identity provider for applications wherever they run, whatever they are, on any platform, on any device
• Central "hub" to provision/de-provision/manage users and their common devices
• Consolidation with the on-premises environment, the SaaS/multi-tenant applications, etc.
• Seamless federation and synchronization with on-premises directory services
• Multi-factor authentication
• Replace today's complexity at the application level with an IdMaaS feature
• Combine the most advanced capabilities with the externalization of operations to achieve a reduction in risk, effort and cost
• Control or even reduce costs by taking full advantage of the efficiency of the Cloud and automation
Windows Azure Active Directory
Projecting Identities in the Cloud with Windows Azure Active Directory (AAD)
AAD is NOT on-premises Windows Server AD in the Cloud
AAD is an enterprise-class IdMaaS cloud-based solution
• AAD offers a large set of features at NO cost
AAD is the Directory Service for Microsoft's Online services
• Office 365, Dynamics CRM Online, Windows Intune, and now the Windows Azure Portal
Microsoft Account (Live ID) is yet ANOTHER identity infrastructure
AAD Design Principles (cont'd)
Such a Cloud-based service requires specific capabilities
• Optimization of availability, consistent performance, scalability, geo-redundancy, etc., but NOT only
AAD is a multi-tenant environment
• "Organization-owned" tenant: the customer organization owns the data of their directory, NOT Microsoft
AAD relies on a schema
• For the semi-structured information on entities and their relationships
• AAD does not allow for a custom schema
• AAD will however provide the ability for attribute extensions, links to (external) resources, etc., as per Windows Azure Graph Store capabilities (Preview)
AAD Design Principles (cont'd)
AAD aims at maximizing the reach in terms of platforms and devices
• AAD uses HTTP/web/REST-based modern protocols for identity and access management
AAD provides a RESTful interface for CRUD operations
• The Directory Graph API provides programmatic access to typed directory objects and their relationships
• GET, POST, PATCH, DELETE are used to create, read, update, and delete
• Responses support JSON, XML, and standard HTTP status codes
• Compatible with OASIS OData
• The Directory Graph API supports OAuth 2.0 for authentication, role-based assignment for apps, and user authorization
• Operations are scoped to an individual tenant context
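As an added illustration (not code from the slides, nor Microsoft's own client), the following Python models the two properties of such a REST directory API that matter most when scripting against it: every call is rooted under one tenant and carries an OAuth 2.0 bearer token, and listings come back in OData-style pages, so a client must follow the nextLink to see every object (and must refuse a nextLink that would carry the token off to another host or tenant). The host name, URL layout, header names, paging key and the two-page user listing are constructed assumptions.

```python
from urllib.parse import urljoin

ALLOWED_METHODS = {"GET", "POST", "PATCH", "DELETE"}   # the four verbs the slides list
BASE = "https://graph.example.invalid/"               # placeholder host (assumption)


def build_request(tenant, method, path, token, api_version="1.0"):
    """Return (method, url, headers) for one call rooted under the caller's tenant,
    so a script cannot address another tenant's objects by mistake."""
    method = method.upper()
    if method not in ALLOWED_METHODS:
        raise ValueError(f"unsupported method {method}")
    if not tenant or "/" in tenant:
        raise ValueError("tenant must be a single path segment")
    url = f"{BASE}{tenant}/{path.lstrip('/')}?api-version={api_version}"
    headers = {"Authorization": f"Bearer {token}",   # OAuth 2.0 bearer token
               "Accept": "application/json"}          # JSON rather than XML
    if method in ("POST", "PATCH"):
        headers["Content-Type"] = "application/json"
    return method, url, headers


def collect_pages(first_url, fetch, tenant):
    """Follow 'odata.nextLink' until exhausted and return every item.
    fetch(url) returns (http_status, json_body). A nextLink leaving the tenant's
    URL prefix is refused: following it would hand the bearer token to a host
    or tenant the caller never intended."""
    prefix = f"{BASE}{tenant}/"
    items, url = [], first_url
    while url:
        if not url.startswith(prefix):
            raise ValueError(f"refusing nextLink outside tenant: {url}")
        status, body = fetch(url)
        if status != 200:
            raise RuntimeError(f"HTTP {status} from {url}")
        items.extend(body.get("value", []))
        nxt = body.get("odata.nextLink")          # relative link, OData style
        url = urljoin(prefix, nxt) if nxt else None
    return items


# Constructed two-page listing of a tenant's users (sample data only).
_PAGES = {
    f"{BASE}contoso/users?api-version=1.0": (200, {
        "value": [{"objectId": "u1", "userPrincipalName": "alice@contoso.example"}],
        "odata.nextLink": "users?$skiptoken=page2"}),
    f"{BASE}contoso/users?$skiptoken=page2": (200, {
        "value": [{"objectId": "u2", "userPrincipalName": "bob@contoso.example"}]}),
}


def fake_fetch(url):   # stand-in for an HTTP GET, answering only from the constructed pages
    return _PAGES.get(url, (404, {}))


def list_all_users(tenant="contoso"):
    _, url, _ = build_request(tenant, "GET", "users", "TOKEN-PLACEHOLDER")
    return [u["userPrincipalName"] for u in collect_pages(url, fake_fetch, tenant)]
```

A script that reads only the first page (for example a quarterly access review) silently misses every user after the page boundary; the prefix check is what keeps a crafted or misconfigured nextLink from leaking the token.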
Graph Explorer, a browser-based query tool: http://graphexplorer.cloudapp.net
Demo 1
AAD Design Principles (cont'd)
AAD is not AD or LDAP in the cloud, BUT there are four aspects to LDAP:
• LDAP – network communications protocol (389/636)
• AAD supports a RESTful Directory Graph API over HTTP/S (and PowerShell) (w/OAuth2) instead of LDAP or Kerberos
http://msdn.microsoft.com/en-us/library/windowsazure/hh974476.aspx
• LDAP – object data model with inheritance
• AAD supports the Graph Entity Data Model with inheritance
http://msdn.microsoft.com/en-us/library/ee382825.aspx
• LDAP – layout (namespace) is hierarchical (e.g. ou=)
• AAD is a flat namespace that includes groups and abstract containers, in a multi-tenant environment
http://msdn.microsoft.com/en-us/library/ee382835(v=vs.110).aspx
• LDAP – distribution model, aka replication
• AAD is a managed service with geo-redundancy
AAD Key Scenarios
• Many applications, one identity repository.
• Manage access to cloud applications.
• Monitor and protect access to enterprise applications.
• Personalized access to my applications.
Many applications, one identity repository
Preintegrated popular SaaS apps.
Easily add custom cloud-based apps. Facilitate developers with identity management.
Connect and sync Windows Server Active Directory (or other (LDAP) identity infrastructure) with an AAD tenant.
Identities and applications in one place.
(Diagram labels: Windows Server Active Directory or other LDAP identity infrastructure, consumer identity providers, SaaS apps, LOB & custom apps.)
One identity repository for the best UX
Demo 2
Deliver a seamless user authentication experience
Cloud Authentication (directory synchronization with password hash sync): user attributes are synchronized, including the password hash, and authentication is completed against AAD.
Federated Authentication: user attributes are synchronized, but authentication is passed back through federation and completed against the on-premises identity federation infrastructure.
Multi-Factor Authentication can be configured through the integration with Windows Azure or thanks to other capabilities.
(Diagram labels: on-premises identity provider, Windows Server Active Directory or other LDAP identity infrastructure, directory synchronization.)
Synchronize the identities with LDAP-based directories
The FIM 2010 R2 synchronization engine can be leveraged
• AAD Connector available on Microsoft Connect
https://connect.microsoft.com/site433/FIM%20Sync%20Connectors
• Generic LDAP v3 (RFC 4510 compliant) Connector Beta available on Microsoft Connect
• Certain operations, such as delta import, are not specified in the IETF RFCs. Supported directories for delta import and password: OpenLDAP, Novell NDS
• LDAP referrals between servers (RFC 4511 section 4.1.10) are not supported
https://connect.microsoft.com/site433/FIM%20Sync%20Connectors
• OpenLDAP Extensible Management Agent (XMA) available on SourceForge
http://openldap-xma.sourceforge.net/
Manage access to many cloud applications
Centralized access administration for preintegrated SaaS apps and other Cloud-based apps.
Secure business processes with advanced access management capabilities.
Comprehensive identity and access management console.
Your cloud apps ready when you are.
Windows Azure Management Portal
Demo 3
Application Access Enhancements for Windows Azure Active Directory
Demo 4
Granting Access for SaaS multi-tenant apps
Demo 5
Monitor and protect access to enterprise apps
Security reporting that tracks inconsistent access patterns.
Built-in security features.
Ensure secure access and visibility on usage patterns for SaaS and cloud-hosted LOB applications.
Step up to Multi-Factor Authentication.
Windows Azure Multi-Factor Authentication
Demo 6
Personalized access to my applications
Single Sign On experience for all SaaS applications.
Use Access Panel from all devices with your existing credentials.
All assigned SaaS apps in one web page: The Access Panel.
Users can easily access the SaaS apps they need, using their existing credentials.
User Access Panel
Demo 7
Identities everywhere, accessing everything
(Diagram labels: consumer identity providers, PCs and devices, Windows Server Active Directory or other LDAP identity infrastructure, Microsoft apps, 3rd party clouds/hosting, ISV/CSV apps, custom LOB apps.)
Many applications, one identity repository:
• IdMaaS directory on Windows Azure.
• Connect/synchronize on-premises directories with Windows Azure.
• Provide IdM to new apps (ACS, Graph API, SDKs).
Manage access to cloud applications:
• Manage users.
• Add Cloud-based applications for SSO.
• Preintegrated popular SaaS applications (Preview).
• Add preintegrated SaaS apps from the gallery for SSO (Preview).
• Add/Remove users to top preintegrated SaaS apps (Preview).
Monitor and protect access to enterprise applications:
• Built-in security.
• Secure tools for synchronization (DirSync, AAD connector, etc.).
• Block user access.
• Multi-factor authentication.
• Security reports (Preview).
Personalized access to my applications:
• Single screen with assigned SaaS apps for every user: Access Panel (Preview).
• Single Sign-On for SaaS apps from Access Panel (Preview).
In GA since April 2013
Sign up for your free AAD tenant and trial Windows Azure account
• https://account.windowsazure.com/organization
To Go Beyond
Places to start
• http://www.windowsazure.com/en-us/solutions/identity/
• http://channel9.msdn.com/search?term=directory
Microsoft TechNet Documentation
• http://go.microsoft.com/fwlink/p/?linkid=290967
Microsoft MSDN Documentation
• http://go.microsoft.com/fwlink/p/?linkid=290966
Microsoft Active Directory Team Blog
• http://blogs.msdn.com/b/active_directory_team_blog
Windows Azure Active Directory Graph Team Blog
• http://blogs.msdn.com/aadgraphteam
Whitepapers and Step-by-step Guides
Available on the Microsoft Download Center
Office 365 Single Sign-On with AD FS 2.0
Office 365 Single Sign-On with Shibboleth 2.0
Active Directory from the on-premises to the Cloud
Office 365 Adapter: Deploying Office 365 Single Sign-On using Windows Azure
Additional Resources
Windows Azure Trust Center
• A single location aggregating information on security, privacy, and compliance
http://www.windowsazure.com/en-us/support/trust-center/
Additional Resources (cont'd)
http://www.microsoft.com/openness
http://msopentech.com
Thank you!