Thursday, March 3, 2016

Microsoft Azure: Authentication and Authorization


Identity management is one of the most important topics in cloud computing, especially in the public cloud. This post covers how an application hosted on Microsoft Azure authenticates its users and authorizes what they can do.

If you look at the customers that need access to an application in the public cloud, there are three ways they can sign in, or, put differently, three types of customer: a large enterprise, a small enterprise, and an individual working from home who accesses the application on Azure.

Let's go through each of them.
Large Enterprises: Integrating a Subscriber's Own Identity Mechanism



- A user from a large enterprise subscriber authenticates with the subscriber's own identity provider (step 1), in this case Active Directory Federation Services (ADFS).
- After successfully authenticating the user, ADFS issues a token. The client browser forwards the token to the federation provider hosted in Azure, which trusts tokens issued by the customer's ADFS (step 2): it checks the token's signature against the certificate that ADFS signs with, and rejects tokens from any issuer it has not been configured to trust. If necessary, it transforms the customer's claims in the token (for example, Active Directory group names) into claims that the SaaS application recognizes (step 3) before returning a new token to the client browser.

- The application trusts tokens issued by the federation provider and uses the claims in that token to apply authorization rules (step 4). It must not accept the ADFS token directly, otherwise the claims transformation in step 3 is bypassed.


Small Enterprises: Providing an Identity Mechanism for Small Organizations
- A user from a smaller company authenticates with the identity provider that the application hosts in Azure (step 1), because a small company typically runs Active Directory without a federation server such as ADFS, so its directory cannot issue tokens that the federation provider would understand.
- If the identity provider can validate the credentials, it returns a token to the client browser that includes claims such as the user's identity and the tenant's identity. The client browser forwards the token to the federation provider, which trusts tokens issued by this identity provider (step 2) and, if necessary, transforms the identity provider's claims in the token into claims that the SaaS application recognizes (step 3) before returning a new token to the client browser. Because many small tenants share one identity provider, the tenant claim is what keeps one tenant's users out of another tenant's data.

- The application trusts tokens issued by the federation provider and uses the claims in the token to apply authorization rules (step 4).

Working from Home and Accessing Azure: Integrating with Social Identity Providers

- The federation provider is configured to trust tokens issued by a third-party identity provider, such as one that authenticates a Microsoft account or OpenID credentials. The company plans to use Windows Azure Access Control (ACS) to implement this scenario.
- When an individual user authenticates with his or her chosen identity provider (step 1), the identity provider returns a token to the client browser that includes claims such as the user's identity.
- The client browser forwards the token to the federation provider, which trusts tokens issued by the third-party provider (step 2) and, if necessary, transforms the claims in the token into claims that the application recognizes (step 3) before returning a new token to the client browser.
- The application trusts tokens issued by the federation provider and uses the claims in the token to apply authorization rules (step 4). When an unauthenticated user tries to access their surveys, the application redirects them to their chosen external identity provider for authentication.
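All three scenarios are the same four-step procedure with a different trusted issuer plugged into step 2, so the following is one added example (not code from the original post, ADFS, ACS, or any Microsoft sample) that walks through them together. It models the federation provider's trust table, the claims transformation, and the application's authorization rules, plus the failure cases a practitioner would want to see rejected: an untrusted issuer, a token from another tenant, an identity-provider token handed straight to the application (bypassing the federation provider), and an expired token. Everything specific is assumed for illustration: the issuer names, keys, tenant ids, group and role names are constructed, and tokens are JSON signed with HMAC-SHA256 as a stand-in for the X.509-signed SAML or JWT tokens ADFS and ACS actually issue.

```python
import hashlib
import hmac
import json

# Names and keys below are constructed for the example; real deployments use
# X.509-signed SAML/JWT tokens, not HMAC over JSON.
FP_ISSUER = "urn:example:federation-provider"
APP_AUDIENCE = "urn:example:surveys-app"
FP_KEY = b"federation-provider-signing-key"

# Step 2: the only issuers the federation provider accepts, each with its own key.
# The enterprise is known by its ADFS issuer, so its tenant is fixed; the Azure-hosted
# identity provider serves many small tenants and carries the tenant id as a claim;
# social sign-ins all land in one "individuals" tenant.
TRUSTED_ISSUERS = {
    "urn:adatum:adfs":       {"key": b"adatum-adfs-key", "tenant": "adatum"},
    "urn:example:azure-idp": {"key": b"azure-idp-key",   "tenant": None},
    "urn:example:social":    {"key": b"social-idp-key",  "tenant": "individuals"},
}
# Step 3: per-issuer claim transformation; unmapped groups are dropped, not passed through.
ROLE_MAP = {"urn:adatum:adfs": {"Survey Admins": "SurveyAdministrator"}}


def sign(claims, key):
    """Issue a token: canonical JSON body + HMAC-SHA256 (stand-in for a real signature)."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def verify(token, key, issuer, audience, now):
    """Return the claims only if signature, issuer, audience and expiry all check out."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(body)
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != audience:
        raise ValueError("token not issued for this audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def federation_provider(idp_token, now):
    """Validate an IdP token, transform its claims, and reissue a token the app trusts."""
    # The unverified issuer is peeked at only to select the key; verify() checks the rest.
    issuer = json.loads(idp_token.rpartition(".")[0]).get("iss")
    trust = TRUSTED_ISSUERS.get(issuer)
    if trust is None:
        raise ValueError("untrusted issuer: %r" % issuer)
    claims = verify(idp_token, trust["key"], issuer, FP_ISSUER, now)
    tenant = trust["tenant"] or claims.get("tenant")
    if not tenant:
        raise ValueError("no tenant for subject")
    roles = sorted({ROLE_MAP.get(issuer, {}).get(g) for g in claims.get("groups", [])} - {None})
    return sign({"iss": FP_ISSUER, "aud": APP_AUDIENCE, "sub": claims["sub"],
                 "tenant": tenant, "roles": roles, "exp": now + 300}, FP_KEY)


def authorize(fp_token, tenant, action, now):
    """Step 4: the application trusts only the FP and decides from the transformed claims."""
    try:
        claims = verify(fp_token, FP_KEY, FP_ISSUER, APP_AUDIENCE, now)
    except ValueError:
        return False
    if claims.get("tenant") != tenant:          # tenant isolation comes first
        return False
    if action == "view":
        return True
    return action == "manage" and "SurveyAdministrator" in claims.get("roles", [])


def walk_through(now=1_700_000_000):
    """Run the three scenarios and a few failure cases; returns {case: passed}."""
    # Step 1: each IdP signs a token addressed to the federation provider (constructed input).
    adfs = sign({"iss": "urn:adatum:adfs", "aud": FP_ISSUER, "sub": "alice",
                 "groups": ["Survey Admins", "Domain Users"], "exp": now + 60}, b"adatum-adfs-key")
    azure = sign({"iss": "urn:example:azure-idp", "aud": FP_ISSUER, "sub": "bob",
                  "tenant": "fabrikam", "exp": now + 60}, b"azure-idp-key")
    social = sign({"iss": "urn:example:social", "aud": FP_ISSUER, "sub": "carol@example.com",
                   "exp": now + 60}, b"social-idp-key")
    rogue = sign({"iss": "urn:evil:idp", "aud": FP_ISSUER, "sub": "mallory",
                  "groups": ["Survey Admins"], "exp": now + 60}, b"evil-key")
    fp_adfs, fp_azure, fp_social = (federation_provider(t, now) for t in (adfs, azure, social))
    try:
        federation_provider(rogue, now)
        rogue_rejected = False
    except ValueError:
        rogue_rejected = True
    return {
        "enterprise_admin_can_manage": authorize(fp_adfs, "adatum", "manage", now),
        "small_tenant_user_can_view": authorize(fp_azure, "fabrikam", "view", now),
        "small_tenant_user_cannot_manage": not authorize(fp_azure, "fabrikam", "manage", now),
        "cross_tenant_access_blocked": not authorize(fp_azure, "adatum", "view", now),
        "social_user_can_view": authorize(fp_social, "individuals", "view", now),
        "rogue_issuer_rejected": rogue_rejected,
        "idp_token_rejected_by_app": not authorize(adfs, "adatum", "view", now),  # FP bypassed
        "expired_fp_token_rejected": not authorize(fp_adfs, "adatum", "view", now + 301),
    }


if __name__ == "__main__":
    for case, ok in walk_through().items():
        print("%-34s %s" % (case, "ok" if ok else "FAIL"))
```

Two design points carry over to the real thing. The application trusts exactly one issuer (the federation provider) and one signing key, which is why the identity-provider token fails when presented to it directly; and the tenant check in the application runs before any role check, so a valid token for one tenant never yields access to another tenant's surveys. The clock is passed in rather than read from the system so that expiry handling can be exercised deterministically.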
