multi-factor authentication for your clouds
TRANSCRIPT
Windows Azure Pack - Authentication for your Clouds
Alexandre Verkinderen, Inovativ BE, SCCDM MVP, @AlexVerkinderen
Christopher Keyaert, Inovativ BE, SCCDM MVP, @KeyaertC
What is this all about?
- Introduction
- Out of the box Authentication process
- Microsoft Azure Active Directory
  o Introduction to MAAD
  o Azure Active Directory Synchronization Services
  o Multi-factor authentication
- Active Directory Federation Service
  o ADFS with external identity providers
- Conclusion
Windows Azure Pack – CloudOS vision
Empower people-centric IT
Enable modern business apps
Unlock insights on any data
Transform the datacenter
Windows Azure Pack - Authentication
- WAP => .Net Repository
- WAP => Microsoft Azure Active Directory
- WAP => MAAD with Multi-Factor Authentication
- WAP => ADFS -> On-premises Active Directory
- WAP => ADFS -> Azure ACS -> Facebook, Twitter, …
Default Authentication Process
- Users have to be provisioned manually
- Users are not synced from another repository
- WAP is using a .Net Repository -> stored in SQL
=> Your tenants/users have to use and maintain an extra set of credentials
Microsoft Azure Active Directory
- Identity and access management in the cloud
- Your organization's cloud directory
- Used by
  o Windows Azure
  o Office 365
  o Windows Intune
- Can be integrated with on-premises AD
- Integration with cloud applications
  o Single sign-on experience: app hosted in the cloud, users authenticate with corporate credentials
Authentication Process
1 - User connects to a SaaS Application
2 - User authenticates to Azure AD
3 - Azure AD returns a token
4 - Token is sent to the SaaS application
5 - Application validates token
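Step 5 is where the relying party (the SaaS application, or the WAP portal in the later slides) must refuse a token that was not signed by the trusted issuer, was minted for a different application, or is outside its validity window. The following is an added example, not code from the deck or from Microsoft: a simplified relying-party check in Python. Real Azure AD and AD FS tokens are RS256-signed with keys published in federation metadata; here the issuer and the portal share a constructed HMAC key, and all names and URLs are constructed, so the sample runs offline.

```python
import base64, hashlib, hmac, json

# Constructed sample values (not a real tenant). A real Azure AD / AD FS token is
# RS256-signed with keys from federation metadata; HMAC keeps this self-contained.
ISSUER = "https://sts.example.test/"
AUDIENCE = "https://wap-tenant.example.test/"
SIGNING_KEY = b"constructed-shared-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(upn, now, lifetime=3600, key=SIGNING_KEY, aud=AUDIENCE):
    """Stand-in for the identity provider (step 3: 'Azure AD returns a token')."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "aud": aud, "upn": upn, "nbf": now, "exp": now + lifetime}
    signing_input = f"{header}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_token(token, now, key=SIGNING_KEY):
    """Relying-party side of step 5. Returns the claims or raises ValueError.

    Signature first, so no claim is trusted before it is authenticated; then
    issuer, audience (was this token minted for *this* portal?) and time window.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the token must not pick its own algorithm
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token not issued for this application")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token outside its validity window")
    return claims
```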
Synchronization
- Synchronize users from On-Premise to Online
- User Management is done on-prem
- Password Synchronization
  o A digest of the Windows Active Directory password hash is used for the transmission between the on-premises AD and Azure Active Directory.
  o The digest of the password hash cannot be used to access resources in the customer's on-premises environment.
- Users have 1 set of credentials across on-prem and online
  o But 2 accounts
AAD Sync Services tool reached RTM
- AAD Sync Services is now RTM
  o Self Service Password Reset write back to Windows AD
  o Multi-forest identity synchronization
  o Download: http://www.microsoft.com/en-us/download/details.aspx?id=44225
  o Documentation: http://msdn.microsoft.com/en-us/library/azure/dn790204.aspx
- DirSync / AAD Sync / FIM Tools Feature Comparison: http://msdn.microsoft.com/en-us/library/azure/dn798669.aspx
Azure Active Directory and WAP
1 - User connects to a SaaS Application
2 - User authenticates to Azure
3 - Azure AD returns a token
4 - Token is sent to the SaaS application
5 - Application validates token

1 - User connects to the Windows Azure Pack Portal
2 - User is redirected to the Azure AD Authentication Portal
3 - User authenticates with Username and Password
4 - Azure Authentication redirects to the Windows Azure Pack Portal
5 - User is authenticated in the Windows Azure Pack Portal
Multi-Factor Authentication
- Can be enabled in Azure Active Directory
- Authentication Process
  o Text Message (SMS)
  o Automated Phone Call
  o Multi-Factor Authentication Apps (iOS, Android and WP)
- Two billing options
  o Per User
  o Per Authentication
Active Directory Federation Service
- Authenticate users on third party systems
  o Another Company's extranet
  o Service hosted by a cloud provider
- Federate identity management between partner organizations
- Claims based authorization
- User Authentication
  o Forms-based authentication
  o Windows Integrated Authentication
ADFS, on premise AD and WAP
1 - User connects to a SaaS Application
2 - User authenticates to ADFS - AD
3 - ADFS returns a token
4 - Token is sent to the SaaS application
5 - Application validates token

1 - User connects to the Windows Azure Pack Portal
2 - User is redirected to the ADFS Authentication Portal
3 - User authenticates with on-premises Username and Password
4 - ADFS Authentication Portal redirects to the WAP Portal
5 - User is authenticated in the Windows Azure Pack Portal
ADFS Authentication with external Identity Providers
- New Claims Provider Trusts
  o On-prem ADFS trusts External ADFS
  o On-prem ADFS trusts Azure Access Control Service
    Azure Active Directory / Google / MS Live / Facebook / … accounts
- "Design Interface" customization: http://technet.microsoft.com/en-us/library/dn280950.aspx
Windows Azure Pack - Authentication
- WAP gives you a lot of flexibility
- Don't keep the OOB Authentication process, go for
  o Microsoft Azure Active Directory
  o Active Directory Federation Service
  o Multi-Factor Authentication
- Try Microsoft Azure – 90 days free trial with 150€/month: http://azure.microsoft.com/en-us/pricing/free-trial/
- WAP is available at no additional cost: http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack/
Feedback
- Session feedback
  o SCU session planner: http://planning.systemcenteruniverse.ch
  o SCU WP app
- Overall Conference feedback
  o Link sent by email after the conference
- Remember: we will donate for every feedback we receive!
Our Other Sessions
- PowerBI for System Center (Kurt Van Hoecke & Alexandre Verkinderen)
  o 18/09 09h15, Room: Sidney
- Speedlab: Deploy a System Center 2012 Environment (Alexandre Verkinderen & Christopher Keyaert)
  o 19/09 09h15, Room: Singapore
- Savision BSM in the private Cloud (Alexandre Verkinderen)
  o 19/09 12h00, Room: Miami