Presentation from TechEd North America 2009
Abstract:
Microsoft's identity services enable enterprises, organizations, and developers to easily adopt the services they need. In this session learn about how identity solutions can enable service adoption, including: enterprises connecting their identity directory to cloud services, ISV developers leveraging Microsoft building blocks to sell their service to organizations, and web developers adopting customized versions of Live ID for their applications. We'll cover the Microsoft Federation Gateway service, updates to Live ID, and a turnkey adoption mechanism using Active Directory and Codename “Geneva” Server.
3. Web Developers, ISVs, Organizations
Web Developers
• Customizable identity UX
• Single Sign On
• Access to user data
ISVs
• Federation for selling their applications to organizations
• Easy on-boarding of new customers
Organizations
• Turnkey federation for adopting services (Online, Live, ISVs)
• Works with existing identity infrastructure
4. Agenda
Baseline understanding of Identity Services & Windows Live™ ID
Identity challenges from Cloud Services
Organizations
• Consuming federated identities -- Microsoft® Federation Gateway
• Rapid on-boarding for organizations – Codename “Geneva” Server + one-click federation
ISVs
• Become part of the federation ecosystem
• Consuming federated identities
• Rapid on-boarding for your customers and suppliers
Web Developers
• Consuming Windows Live IDs on your site
• Accessing user data on your site
5. Windows Live Identity Services
Core principles
Ease of use
Open and Standards-based
Rich functionality
Security is our top priority!
Personal and Business ready
Federation
6. Identity Services - Many components
Identities • Authentication: users, applications, devices
Strong Authentication • Investing in 2FA such as Smartcard, StartKey
Attacker Resistant • User / IP reputation, Account abuse prevention
UI Customization • Windows Live ™ ID is fully customizable
Data Portability • Delegated auth: user permission to access data
Open Standards • SAML 2.0 / OpenID / OAuth
Federated Authentication • Compatible with Microsoft® Federation Gateway
8. Software and Service Topology
Diagram: Cloud (Enterprise Apps, Windows Live, Microsoft® Online, ISV Apps, Live Mesh, Microsoft Dynamics® CRM Online, Azure™ Services Platform, Identity Service) and Org On-Premises (Active Directory®, Exchange, ISV Apps, SharePoint, Office, Desktop Apps, Browser).
9. Federated Ecosystem
Benefits of federated identity
Open participation based on industry standards
Linking service providers and service consumers
Access to more services and applications:
Microsoft cloud applications
Developers using Azure ™ Services Platform
Developers using other hosting platforms
Access to more customers:
500m+ Windows Live ID users
Other organizations using federated identity
Microsoft is offering solutions that greatly simplify the federation scenarios
10. Software and Service Challenges
Security Challenges
Identity islands:
• User identity in AD on premise
• Software service (Exchange Labs) is in cloud
• Partners & Customers
Security zones:
• Physical isolation for on-premise software
• Service in cloud
• Data transport across security zones
Adoption Challenges
IT Admin: Re-work security practices and tools? Re-train to manage identity federation?
Users: Re-train on a new user experience?
Developers: Re-write existing applications?
11. Federation Infrastructure / Rapid on-boarding tools
Federation Infrastructure
• Microsoft Federation Gateway
• Standards-based
• Service adoption scenarios
Rapid on-boarding / tools
• Codename “Geneva” Server
• One-click federation
12. Scenario - Switching to Cloud Services
Challenge: How to switch to cloud services without scrapping your existing identity infrastructure?
Typical IT Requests:
1) Outsource service to cloud-based delivery (e.g. Exchange)
2) Move application to cloud hosting
3) Use a new cloud-service
Diagram: Cloud (Enterprise Apps, Windows Live, Microsoft® Online, ISV App, Live Mesh, Microsoft Dynamics® CRM Online, Azure™ Services Platform) and Enterprise On-Premises (Active Directory®, Exchange, ISV App, SharePoint).
13. Software and Service Topology – Federated Identity
Diagram: Cloud (Enterprise Apps, Windows Live, Microsoft® Online, ISV Apps, Live Mesh, Microsoft Dynamics® CRM Online, Azure™ Services Platform) with the Identity Service and the Federation Gateway; Enterprise On-Premises with “Geneva” Server, Active Directory®, Exchange, ISV Apps and SharePoint; Employee using Browser, Office and Apps.
14. Scenario - Collaborating with Other Organizations
Diagram: Cloud (Enterprise Apps, Windows Live, Microsoft® Online, ISV Apps, Live Mesh, Microsoft Dynamics® CRM Online, Azure™ Services Platform) with the Identity Service and the Federation Gateway; two organizations on-premises, an Enterprise and a University, each with its own “Geneva” Server, Active Directory® and Exchange (plus ISV Apps and SharePoint), connected through the Federation Gateway.
15. Scenario - Outreach to End User Customers
Diagram: Cloud (Enterprise Apps, Windows Live, Microsoft Online, ISV Apps, Live Mesh, Microsoft Dynamics CRM Online, Azure Services Platform) with the Identity Service and the Federation Gateway; Org On-Premises with “Geneva” Server, Active Directory, Exchange, ISV Apps and SharePoint; End User using Browser, Office and Apps.
16. Solution: Microsoft Federation Gateway
Federation hub service enables access to:
Microsoft services
ISVs on Azure Platform
Other businesses
500+ million Live IDs
Manage one relationship to connect to any combination
Hub and spoke model handles endpoint changes, key rollovers, protocol changes
Diagram: Service Providers and Customers connected through the Federation Hub.
18. Solution: Live Federation Tool for “Geneva” Server
Codename “Geneva” Server connects Active Directory® to:
Microsoft Federation Gateway
Online/Live services, Windows Live ID & ISV services
Other standards-based federation hubs
Supports range of AD and network topologies:
Single server, Server farm, Proxy server, DMZ
Active Directory:
Single domain, Single forest, Multiple forests
Download tool for quick and easy connection setup to Microsoft Federation Gateway
http://www.microsoft.com/Geneva
20. Connecting to Federation Gateway
One-click federation tool for “Geneva”
Connects Active Directory® to Federation Gateway and Cloud services / applications
One-time federation setup – Trust-Provisioning
Assert domain ownership via SSL cert issued by a trusted Cert Authority
Registers organization's domain, sign-in endpoint, and token signing key
http://msdn.microsoft.com/en-us/library/dd164396.aspx
Diagram: Organization (Active Directory, “Geneva” Server, Server Apps) connected to the Microsoft Federation Gateway, which connects to Microsoft Cloud Applications and Developer Services.
21. Federation Gateway and “Geneva” Server
Accessing federated resources from inside corporate network
22. Using Federation Gateway and “Geneva” – Accessing Services
1. User clicks link -- taken to Codename “Geneva” Server for authentication
2. “Geneva” Server validates credentials with Active Directory
3. “Geneva” Server issues login token and redirects to Federation Gateway
4. Federation Gateway validates token and transforms claims
5. Federation Gateway issues service token and redirects to service
6. User accesses service
Diagram: Enterprise (Browser, Office, Desktop Apps, “Geneva” Server, Active Directory) connected to the Microsoft Federation Gateway, which connects to Microsoft Cloud Applications and Developer Services.
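The six-step flow of slide 22 together with the trust provisioning of slide 20, worked through as an added example (this is not code from the deck, from Microsoft Federation Gateway or from Codename “Geneva” Server). It is a Python simulation that uses HMAC-signed JSON tokens in place of SAML/WS-Federation and a dict in place of Active Directory; the class names, claim names, the domain contoso.example, the service name crm-online, the sample user and the group-to-role mapping are all assumptions. It goes slightly beyond the slide to show two things the deck only names: the relying party verifies against the hub key alone (one trust relationship), and a key id in the login token is what lets the hub handle a signing-key rollover (slide 16).

```python
"""Hub-and-spoke federation, simulated (added example; not code from the TechEd deck,
Microsoft Federation Gateway or Codename "Geneva" Server). It follows slide 22's six steps
and slide 20's trust provisioning with HMAC-signed JSON tokens in place of SAML/WS-Federation
and a dict in place of Active Directory; names, claims and sample data are assumptions."""
import hashlib
import hmac
import json
import secrets
import time

TOKEN_TTL = 300  # token lifetime in seconds (assumed)

def sign(key, claims):
    """Serialize claims and append an HMAC-SHA256 tag (stand-in for an XML signature)."""
    body = json.dumps(claims, sort_keys=True)
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify(key, token, now=None):
    """Constant-time tag check, then expiry check; returns the claims or raises."""
    body, _, tag = token.rpartition(".")
    if not hmac.compare_digest(tag, hmac.new(key, body.encode(), hashlib.sha256).hexdigest()):
        raise PermissionError("signature check failed")
    claims = json.loads(body)
    if claims["exp"] < (time.time() if now is None else now):
        raise PermissionError("token expired")
    return claims

class GenevaServer:
    """The organization's token service in front of its directory (steps 1-3 of slide 22)."""
    def __init__(self, domain, directory):
        self.domain, self.directory = domain, directory  # directory: user -> (password, groups)
        self.keys, self.current_kid = {}, None            # key id -> key; several live during rollover
        self.rotate_key()

    def rotate_key(self):
        """Key rollover: a new key under a fresh key id; earlier ids still validate earlier tokens."""
        self.current_kid = f"{self.domain}-key-{len(self.keys) + 1}"
        self.keys[self.current_kid] = secrets.token_bytes(32)
        return self.current_kid

    def authenticate(self, username, password):
        """Steps 2-3: validate credentials against the directory, then issue a login token."""
        record = self.directory.get(username)
        if record is None or not hmac.compare_digest(record[0], password):
            raise PermissionError("invalid credentials")
        return sign(self.keys[self.current_kid], {"iss": self.domain, "kid": self.current_kid,
                    "sub": f"{username}@{self.domain}", "groups": record[1], "exp": time.time() + TOKEN_TTL})

class FederationGateway:
    """The hub: one trust per organization, one per service; it validates, transforms and re-issues."""
    def __init__(self, services):
        self.hub_key = secrets.token_bytes(32)
        self.orgs = {}            # domain -> {"endpoint": sign-in URL, "keys": {kid: key}}
        self.services = services  # service -> {organization group: service role}

    def provision_trust(self, domain, signin_endpoint, kid, key, ssl_cert_subject):
        """One-time trust provisioning (slide 20): domain ownership is asserted by the subject of
        the organization's CA-issued SSL certificate, reduced here to a string comparison."""
        if ssl_cert_subject != domain:
            raise PermissionError(f"certificate for {ssl_cert_subject} does not prove {domain}")
        self.orgs.setdefault(domain, {"endpoint": signin_endpoint, "keys": {}})["keys"][kid] = key

    def exchange(self, login_token, service, now=None):
        """Steps 4-5: validate the login token with the key registered for its issuer and key id,
        transform the claims for the target service, and issue a hub-signed service token."""
        header = json.loads(login_token.rpartition(".")[0])  # unverified: used only to pick the key
        org = self.orgs.get(header.get("iss"))
        if org is None:
            raise PermissionError("issuer is not federated with the gateway")
        key = org["keys"].get(header.get("kid"))
        if key is None:
            raise PermissionError("login token signed with a key the gateway has not been given")
        claims = verify(key, login_token, now)
        mapping = self.services[service]
        roles = sorted({mapping[g] for g in claims["groups"] if g in mapping})  # unmapped groups are dropped
        return sign(self.hub_key, {"iss": "federation-gateway", "aud": service, "sub": claims["sub"],
                                   "roles": roles, "exp": time.time() + TOKEN_TTL})

def service_accept(service_name, hub_key, service_token, now=None):
    """Step 6, at the relying party: trust the hub key only, and only tokens addressed to this service."""
    claims = verify(hub_key, service_token, now)
    if claims["aud"] != service_name:
        raise PermissionError("token was issued for a different service")
    return claims["sub"], claims["roles"]

def demo():
    """Run the whole flow once; returns the (subject, roles) pair the service sees."""
    org = GenevaServer("contoso.example", {"alice": ("correct horse battery", ["CRM-Users", "Domain Admins"])})
    gw = FederationGateway({"crm-online": {"CRM-Users": "crm:user"}})
    gw.provision_trust(org.domain, "https://sts.contoso.example/signin", org.current_kid,
                       org.keys[org.current_kid], ssl_cert_subject="contoso.example")
    login = org.authenticate("alice", "correct horse battery")
    return service_accept("crm-online", gw.hub_key, gw.exchange(login, "crm-online"))
```

Three properties worth checking in any real deployment fall out of the model: the relying party never holds an organization's key, so the organization can change endpoints or keys without touching the service; a directory group that is not in the mapping (Domain Admins in the sample) never leaves the organization; and after `rotate_key()` a login token is rejected until the new key id has been provisioned at the hub, while tokens under the earlier key keep working through the overlap.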
23. Federation Gateway and “Geneva” Server
Accessing federated resources from outside corporate network
24. Using Federation Gateway and “Geneva” – Deployment Options
Diagram: Internal user signs in at the “Geneva” Server (backed by Active Directory) inside the Enterprise; External user reaches it through a “Geneva” Server Proxy in the DMZ.
25. Benefit: Reduced Federation Costs
Federated Identity makes switching to Cloud Services easier:
Microsoft Federation Gateway for federation of both enterprises and services
Codename “Geneva” Server extends AD into the Cloud – a simple on-boarding process
Federation Gateway and “Geneva” Server provide:
Fewer federation relationships to configure
Helps protect corporate account security
No new user accounts needed
No extra passwords for users to forget!
27. Connections - Federation Ecosystem
Diagram: User Applications (Windows App with Client SDK; Browser), Relying Party (RP): Microsoft Web Site / Online App and Federation Gateway, Identity Providers (IdP): Live ID Identity Provider and Other federated Identity Providers.
28. Federation Gateway: Integration Options
For businesses and universities:
Microsoft Services Connector, “Geneva” Server
Works for businesses without Active Directory too
Protocols: WS-* (WS-Trust, WS-Federation)
Tokens: SAML
For web applications / relying services:
Frameworks: .NET, “Geneva”, Live Framework
Protocols:
29. Consume identities and SSO / Accessing user data
Consume identities and SSO
• Web Authentication
• Client SDK
Accessing user data
• Delegated Authentication SDK
31. How Web Authentication Works
Live ID Web Authentication SDK Docs http://go.microsoft.com/fwlink/?LinkID=91762
Diagram: End User with web browser, Relying Party Web Site (AdventureWorks.com) and the Live ID WebAuth service, with the exchange between them numbered 1 through 5.
34. Sign-in Screen Customizable Theme
Customizable Theme (elements cannot change; customize look and feel):
Font color
Background color
Button color
Task integration statement
User tile color
Live ID description color
Customizable Contents (elements that can be customized):
Partner Logo
Task statement
Product description
Sign up section
Header background
37. Customizable Sign-in Screen
What was changed?
Partner Logo
Task statement
Product description
Sign up section
Header background
Font color
Background color
Button color
User tile color
Live ID description color
41. Delegated Auth Protocol Overview
Diagram participants: End User with browser; Consent UI (consent.live.com); Application Provider (web site); Resource Provider (ex: Windows Live Contacts); Live ID Delegation Service.
Phases: “Granting Consent” phase; “Using Consent” phase (user can be offline).
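The two phases of the delegated authentication protocol, as an added example (not code from the deck or from the Windows Live Delegated Authentication SDK): a Python model in which the consent a user grants is captured in a signed token bound to one application and one set of offers, and the resource provider checks that token with the delegation service on every use, so the user can be offline and the user can still revoke consent later. The offer name Contacts.View, the application and user ids, the contact data and the choice to have the resource provider call the delegation service for the check are all assumptions of this example.

```python
"""Delegated authentication, simulated (added example; not code from the deck or from the
Windows Live Delegated Authentication SDK). The "Granting Consent" phase produces a consent
token; the "Using Consent" phase checks it without the user present. The offer name
'Contacts.View', the ids and the contact data are constructed for illustration."""
import hashlib
import hmac
import json
import secrets
import time

class DelegationService:
    """Stand-in for the Live ID Delegation Service: issues consent tokens and checks them later."""
    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.revoked = set()  # consent ids the user has withdrawn

    def grant_consent(self, user_id, application_id, offers, ttl):
        """Granting-consent phase: the signed-in user approves `offers` for exactly one
        application at the consent UI; the token is bound to that application id."""
        consent = {"uid": user_id, "app": application_id, "offers": sorted(offers),
                   "cid": secrets.token_hex(8), "exp": time.time() + ttl}
        body = json.dumps(consent, sort_keys=True)
        return body + "." + hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def revoke(self, consent_token):
        """The user withdraws a consent; later checks of this consent id fail."""
        self.revoked.add(json.loads(consent_token.rpartition(".")[0])["cid"])

    def check(self, consent_token, application_id, required_offer, now=None):
        """Using-consent phase: the user may be offline, so only the token itself is examined."""
        body, _, tag = consent_token.rpartition(".")
        if not hmac.compare_digest(tag, hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()):
            raise PermissionError("consent token signature invalid")
        consent = json.loads(body)
        if consent["exp"] < (time.time() if now is None else now):
            raise PermissionError("consent expired")
        if consent["cid"] in self.revoked:
            raise PermissionError("consent revoked by user")
        if consent["app"] != application_id:
            raise PermissionError("consent was granted to a different application")
        if required_offer not in consent["offers"]:
            raise PermissionError(f"consent does not cover {required_offer}")
        return consent

class ContactsResourceProvider:
    """Resource provider (the deck's example is Windows Live Contacts) gated by consent."""
    def __init__(self, delegation, contacts_by_user):
        self.delegation = delegation
        self.contacts_by_user = contacts_by_user  # constructed sample data

    def list_contacts(self, consent_token, application_id):
        consent = self.delegation.check(consent_token, application_id, "Contacts.View")
        return list(self.contacts_by_user.get(consent["uid"], []))

def demo():
    """Grant consent once, then let the application read contacts while the user is offline."""
    delegation = DelegationService()
    contacts = ContactsResourceProvider(delegation, {"user-42": ["ann", "raj"]})
    token = delegation.grant_consent("user-42", "app-photos", ["Contacts.View"], ttl=3600)
    return contacts.list_contacts(token, "app-photos")
```

The checks in `check()` are the ones a resource provider should insist on regardless of token format: integrity, expiry, revocation, that the presenting application is the one the user consented to, and that the requested operation is inside the granted offers.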
44. Resources
www.microsoft.com/teched – Sessions On-Demand & Community
www.microsoft.com/learning – Microsoft Certification & Training Resources
http://microsoft.com/technet – Resources for IT Professionals
http://microsoft.com/msdn – Resources for Developers
46. Federation Resources and Links
Microsoft Federation Gateway
Released in 2006, available today
Whitepaper: http://msdn.microsoft.com/en-us/library/cc287610.aspx
On-boarding documentation:
http://msdn.microsoft.com/en-us/library/dd164396.aspx
Codename “Geneva” Server
Beta 2 available today
http://www.microsoft.com/Geneva
Live Federation tool for Codename “Geneva” Server
http://www.microsoft.com/Geneva
47. Live ID Resources & Links
Windows Live ID Developer Center - http://dev.live.com/liveid
Windows Live ID Articles on MSDN - http://go.microsoft.com/fwlink/?LinkId=111111
Windows Live ID Documentation on MSDN - http://msdn2.microsoft.com/en-us/library/bb404787.aspx
Windows Live ID Developer Forum - http://go.microsoft.com/fwlink/?LinkID=78146
Windows Live ID Team Blog - http://winliveid.spaces.live.com
Windows Live ID Whitepapers
Introduction to Windows Live ID - http://msdn2.microsoft.com/en-us/library/bb288408.aspx
Understanding Windows Live Delegated Authentication - http://msdn2.microsoft.com/en-us/library/cc287613.aspx
Windows Live ID Federation - http://msdn2.microsoft.com/en-us/library/cc287610.aspx
Windows Live ID Documentation and SDKs
Windows Live ID Web Authentication SDK Docs http://go.microsoft.com/fwlink/?LinkID=91762
Web Authentication SDK Samples http://go.microsoft.com/fwlink/?LinkID=91761
Windows Live ID Delegated Authentication SDK Docs http://go.microsoft.com/fwlink/?LinkID=107420
Delegated Authentication SDK Samples http://go.microsoft.com/fwlink/?LinkId=107419
Windows Live ID Client SDK download - http://go.microsoft.com/fwlink/?LinkId=86974
Delegated Authentication Resource Providers List -
http://go.microsoft.com/fwlink/?LinkID=108535
Windows Live ID Web Authentication app registration page http://lx.azure.microsoft.com
Windows Live Tools for Visual Studio - http://dev.live.com/tools/