Ibon Landa, Software Development Team, [email protected], @ibonilm
Identity Management
Ibon Landa
Development Team Lead
Windows Azure MVP
http://www.devthinks.com
@ibonilm
http://spain.windowsazurebootcamp.org/
Ubiquity of Windows Server AD: Kerberos, Secure Channel/Domain Join, Windows Integrated Auth and LDAP…
Windows Server Active Directory
Intranet
Managed Access
Managed Identities
Integrated Business Apps
Ubiquity of Windows Server AD
Windows Server Active Directory
Intranet
Managed Access
Managed Identities
Integrated Business Apps
SaaS you buy
SaaS you build
Domain Controller in the Cloud
The Virtual Network in Windows Azure
Gateway
SQL Servers
IIS Servers
Site to Site VPN Tunnel
AD Authentication +
On-Premises Resources
Contoso.com Active Directory
Contoso Corp Network
IIS Servers
AD / DNS
SQL Servers
Exchange
S2S VPN Device
Contoso.com Active Directory
AD / DNS
AD Auth
Load Balancer
Public IP
Browser
Mobile app
Server app
Web Service API
Web Service API
Web Application
Web Application
Typical anatomy of a web application
Web application
Web service API
Account and profile store
Clients on different devices, languages and platforms…
Server on different platforms and languages…
Windows Azure Active Directory: managed identities as a single identity
Administration
Single Sign-on
Authorization of access to information
Multi-tenant directory service
Windows Server Active Directory
On-Premises
SAAS you build
SAAS you sell
Windows Azure Active Directory
Other Microsoft Services
Office 365
3rd Party SaaS you buy
DirSync
Cloud Application
Profile Store
Contoso.com Directory
ServicePrincipal
Role(Read)
AuthorizedUser
End User
Cloud Application
Profile Store
Contoso.com Directory
User AuthN
End User
ServicePrincipal
Role(Read)
t1
t1
Cloud Application
Profile Store
Contoso.com Directory
Delegated AuthN
Directory Graph
End User
ServicePrincipal
Role(Read)
t2
t2
Mobile Apps
Multi-factor Authentication
Text Messages / Phone Calls
Out-of-Band Push / One-Time Passcode / Out-of-Band Call
Out-of-Band Text / One-Time Passcode
Architecture
ISV/CSV Apps
Windows Azure Active Directory
Microsoft Apps
Custom LOB Apps
Active Authentication
1. The user signs in on their device with their username and password. The credentials are verified against Windows Azure AD, which then requests a second authentication.
2. The user must also authenticate using their phone or mobile device before being allowed in.
Protocols

| Protocol | Purpose | Details |
|---|---|---|
| REST/HTTP | Directory access: Create, Read, Update, Delete directory objects and relationships | Compatible with OData V3; authenticate with OAuth 2.0 |
| OAuth 2.0 | Service to service authentication; delegated access | JWT token format |
| SAML 2.0 | Web application authentication | SAML 2.0 token format; used with Office 365 services |
| WS-Federation 1.3 | Web application authentication | SAML 1.1 token format; used with Office 365 services |