< Ibon LandaSoftware Development Team Leadilanda@plainconcepts.com@ibonilm

Gestión de identidad

Ibon Landa

Development Team Lead

Windows Azure MVP

ilanda@plainconcepts.com

http://www.devthinks.com

@ibonilm

http://spain.windowsazurebootcamp.org/

Omnipresencia de Windows Server ADKerberos, Secure Channel/Domain Join, Windows Integrated Auth and LDAP…

Windows Server Active

Directory

Intranet

Managed Access

Managed Identities

Integrated Business

Apps

Omnipresencia de Windows Server AD

Windows Server Active

Directory

Intranet

Managed Access

Managed Identities

Integrated Business

Apps

SAAS que compres

SAAS propias

Domain Controller in the Cloud

The Virtual Networkin Windows Azure

Gateway

SQL ServersIIS Servers

Site to Site VPN Tunnel

AD Authentication+

On-Premises Resources

Contoso.com Active DirectoryContoso Corp Network

IIS Servers

AD / DNS

SQL Servers

Exchange

S2S VPN Device

Contoso.com Active Directory

AD / DNS

AD Auth

Load BalancerPublic IP

Browser

Mobile app

Server app Web Service API

Web Service API

Web Application

Web Application

Anatomía típica de una aplicación web Web

application

Web service API

Account and

profile store

Clientes en diferentes dispositivos, lenguajes,

plataformas…

Servidor en diferentes plataformas, lenguajes..

Windows Azure Active DirectoryLas identidades gestionadas como una única identidad

Administración

Single Sign-on

Autorización de acceso a la información

Servicio de directorio multi-tenant

Windows Server Active

Directory

On-Premises

SAAS you build

SAAS you sell

Windows Azure Active

Directory

Other Microsoft Services

Office 365

3rd Party SAAS you

buy

DirSync

Cloud Application

Profile Store

Contoso.com Directory

ServicePrincipal

Role(Read)

AuthorizedUser

End User

Cloud Application

Profile Store

Contoso.com Directory

User AuthN

End User

ServicePrincipal

Role(Read)

t1

t1

Cloud Application

Profile Store

Contoso.com Directory

Delegated AuthN

Directory Graph

End User

ServicePrincipal

Role(Read)

t2

t2

Mobile Apps

Multi-factor Authentication

Text MessagesPhone Calls

Out-of-Band PushOne-Time-Passcode Out-of-Band Call

Out-of-Band TextOne-Time Passcode

Arquitectura

ISV/CSV Apps

Windows AzureActive Directory

Microsoft AppsCustom LOB Apps

Custom LOB Apps

ActiveAuthentication

El usuario se autentica en su dispostivio usando su usuario/contraseña

EL usuario debe autenticarse también usando su teléfono o dispositivo móvil antes de poder entrar

Las credenciales se comprueba contra Windows Azure AD. Después de solicita una segunda autenticación.

1

2

Protocolos

Protocol Purpose Details

REST/HTTP directory access

Create, Read, Update, Delete directory objects and relationships

Compatible with OData V3Authenticate with OAuth 2.0

OAuth 2.0 Service to service authenticationDelegated access

JWT token format

SAML 2.0 Web application authentication SAML 2.0 token formatUsed with Office 365 Services

WS-Federation 1.3 Web application authentication SAML 1.1 token formatUsed with Office 365 Services

http://spain.windowsazurebootcamp.org/

< Ibon LandaSoftware Development Team Leaderilanda@plainconcepts.com@ibonilm

Gestión de identidad