Talking end-to-end identity management for the cloud (AuthN/AuthZ)
This weekend, I had the chance to hang out at a .NET users group here in Southern California where I found myself spending part of the evening explaining how Active Directory Federation Services (AD FS) and ForeFront Identity Manager 2010 (FIM 2010) complement each other in the grand scheme of things we all refer to as “identity.”
Thinking this might be worthy of a blog post, I thought I’d share the discussion.
AD FS provides Web SSO for on-premise and internet browser-based applications. FIM 2010 provides enterprise identity management in the form of provisioning, synchronization, and workflow. Both are products of the Microsoft ForeFront Security Suite.
Not yet getting into anything heavily technical, let’s look at the immediate value both technologies bring to the table.
- Externalized authentication to a single service (brokered authentication)
- Automated data exchange (the process of managing the identity – provisioning/deprovisioning of accounts). This can also encompass the process for authorization (AuthZ).
When talking AuthN and AuthZ, these are different concepts but related. AuthN tells us who you are and AuthZ tells us what you are allowed to do. These topics can get pretty deep because there can be overlap between products in terms of the way authorization can be handled. For now, I’m just looking to explain how an operational process for managing the identities can be created using these two technologies.
In future posts, I’ll go more into AuthZ in terms of RBAC via FIM 2010 and ABAC via claims in Windows Identity Foundation.
The overall procedural concept is fairly easy: users should be able to authenticate once and access many applications (only the ones they are authorized to) without having to re-enter credentials; however, as IdM professionals we need to ensure the end-to-end process is facilitated in a very secure manner.
Considering both the entire lifecycle of the user and the end-to-end authentication and authorization process is key in delivering either an SSO or provisioning based solution.
AD FS 2.0 Authentication Break-down
A. Once a user logs into their corporate network, AD FS can securely process an authentication request to target applications (on-premise or cloud-based). No individual passwords are necessary and no additional logins are required. The technical break-down of the process is:
1. Client (requestor) sends a Request for Security Token (RST) to the IP-STS (the identity provider STS).
2. The STS authenticates the requestor and issues a token with claims from various attribute stores. Claims provide authorization data for applications. The STS digitally signs the token for transport.
3. The token is returned to the client browser, which is then redirected to the URI of the destination application.
4. The RP-STS validates the authenticity of the token by checking its digital signature, then consumes the token and claims, thereby allowing the user into the application.
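To make steps 2 through 4 concrete, here is an added example (not code from the post, and not AD FS or WIF code) that simulates the issuing side and the relying-party side of the exchange. It assumes a JSON token signed with HMAC-SHA256 over a shared key as a stand-in for the XML-DSig/RSA signature a real STS applies; the issuer and application URIs, the attribute store, and the claim names are all constructed for the example. The relying-party checks mirror what a real token consumer must do before trusting any claim: signature first, then issuer, audience, and lifetime.

```python
"""Simulated IP-STS token issuance and RP token validation (added example)."""
import hashlib
import hmac
import json
import time

# Constructed values for the example (a real STS signs with an RSA certificate).
STS_SIGNING_KEY = b"example-sts-signing-key"
STS_ISSUER = "https://sts.corp.example/adfs/services/trust"
APP_AUDIENCE = "https://expenses.cloud.example/"

# Constructed attribute store: the claims the STS can assert about each user.
ATTRIBUTE_STORE = {
    "alice@corp.example": {
        "email": "alice@corp.example",
        "roles": ["Expense.Approver"],
    },
}


def issue_token(issuer, requestor, audience, attribute_store, signing_key, now=None):
    """Step 2: after authenticating the requestor, build and sign a token with claims.

    Authentication itself is assumed to have happened already (e.g. Kerberos to
    the corporate domain); this function only models token issuance.
    """
    now = int(time.time()) if now is None else now
    token = {
        "issuer": issuer,
        "audience": audience,          # which application may consume this token
        "subject": requestor,
        "issued_at": now,
        "expires_at": now + 600,        # short lifetime limits replay of a leaked token
        "claims": attribute_store.get(requestor, {}),
    }
    payload = json.dumps(token, sort_keys=True)
    signature = hmac.new(signing_key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


def validate_token(envelope, expected_issuer, expected_audience, signing_key, now=None):
    """Step 4: verify the signature, then issuer, audience and lifetime.

    Returns (claims, "ok") on success or (None, reason) on failure. The signature
    is checked before the payload is parsed so an attacker cannot influence the
    checks by editing the token body.
    """
    now = int(time.time()) if now is None else now
    expected_sig = hmac.new(signing_key, envelope["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, envelope["signature"]):
        return None, "signature invalid"
    token = json.loads(envelope["payload"])
    if token["issuer"] != expected_issuer:
        return None, "untrusted issuer"
    if token["audience"] != expected_audience:
        return None, "token not intended for this application"
    if not token["issued_at"] <= now < token["expires_at"]:
        return None, "token expired or not yet valid"
    return token["claims"], "ok"


def authorize(claims, required_role):
    """The application decides with the claims; the STS only asserts them."""
    return required_role in claims.get("roles", [])


def run_flow(now=1000):
    """Drive the exchange end to end and return the RP's decision."""
    envelope = issue_token(STS_ISSUER, "alice@corp.example", APP_AUDIENCE,
                           ATTRIBUTE_STORE, STS_SIGNING_KEY, now=now)
    claims, status = validate_token(envelope, STS_ISSUER, APP_AUDIENCE,
                                    STS_SIGNING_KEY, now=now + 60)
    return status, (claims is not None and authorize(claims, "Expense.Approver"))


if __name__ == "__main__":
    print(run_flow())
```

The order of the checks matters: a token from the right issuer but addressed to a different application must be rejected, otherwise one relying party's token can be replayed against another.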
FIM 2010 Data Exchange (User Management) Break-down
B. It is very common for applications to require some kind of data exchange. This is especially typical for SaaS type applications. Here, FIM 2010 is extended to handle these data exchanges and to manage identities outside the firewall by automating the creation and management of identities into these target systems that reside in the cloud. Note: No passwords are synchronized across the internet.
5. FIM automates user creation, deletion, and modification through either a secured flat-file data exchange or through an XMA (extensible management agent) that interfaces with the public APIs provided by the SaaS vendor, thereby reducing administrative overhead and ensuring consistency throughout all applications, whether locally or internet hosted.
With the ability to write custom workflows in FIM 2010, we can now develop better processes to determine whether users should even get an account provisioned in the cloud. And of course, the most important step is to control the revocation of accounts in the cloud. Feel free to comment if I have missed something or have a question on the architecture.
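The following is an added example (not FIM 2010 code and not an XMA) of the reconciliation step such a management agent performs: project the authoritative source through a scoping rule, diff it against what the cloud target currently holds, and emit the create, update, and delete operations that keep the two consistent. The attribute names, the `cloudLicensed` scoping rule standing in for a FIM workflow or set, and the sample records are constructed for the example; a real connector would call the SaaS vendor's API instead of returning the operations. Note that the password attribute present at the source never reaches the plan, matching the post's point that no passwords are synchronized across the internet.

```python
"""Simplified provisioning/deprovisioning reconciliation (added example)."""

# Only these attributes flow to the cloud target; password is deliberately absent.
SYNC_ATTRIBUTES = ("displayName", "mail", "department")

# Constructed source records (what HR/AD would present to the sync engine).
SOURCE = {
    "e100": {"employeeId": "e100", "displayName": "Alice Adams", "mail": "alice@corp.example",
             "department": "Finance", "status": "active", "cloudLicensed": True,
             "password": "<never synchronized>"},
    "e101": {"employeeId": "e101", "displayName": "Bob Brown", "mail": "bob@corp.example",
             "department": "Marketing", "status": "active", "cloudLicensed": True,
             "password": "<never synchronized>"},
    "e102": {"employeeId": "e102", "displayName": "Carol Cox", "mail": "carol@corp.example",
             "department": "HR", "status": "terminated", "cloudLicensed": True,
             "password": "<never synchronized>"},
    "e103": {"employeeId": "e103", "displayName": "Dan Diaz", "mail": "dan@corp.example",
             "department": "Sales", "status": "active", "cloudLicensed": False,
             "password": "<never synchronized>"},
}

# Constructed current state of the cloud target, keyed by the anchor attribute.
TARGET = {
    "e101": {"displayName": "Bob Brown", "mail": "bob@corp.example", "department": "Sales"},
    "e102": {"displayName": "Carol Cox", "mail": "carol@corp.example", "department": "HR"},
}


def in_scope(record):
    """Stand-in for a FIM workflow/set rule: only active, licensed users get a cloud account."""
    return record["status"] == "active" and record.get("cloudLicensed", False)


def plan_sync(source_records, target_accounts):
    """Return (op, anchor, attrs) tuples that make the target match the in-scope source.

    Leaving scope (termination, licence removed, record deleted) produces a delete,
    which is how revocation in the cloud is driven from the authoritative source.
    """
    desired = {}
    for rec in source_records.values():
        if in_scope(rec):
            desired[rec["employeeId"]] = {a: rec.get(a) for a in SYNC_ATTRIBUTES}

    ops = []
    for anchor, attrs in desired.items():
        current = target_accounts.get(anchor)
        if current is None:
            ops.append(("create", anchor, attrs))
        else:
            changed = {a: v for a, v in attrs.items() if current.get(a) != v}
            if changed:
                ops.append(("update", anchor, changed))
    for anchor in target_accounts:
        if anchor not in desired:
            ops.append(("delete", anchor, None))
    return sorted(ops, key=lambda op: (op[0], op[1]))


def apply_plan(target_accounts, ops):
    """Apply the plan to an in-memory copy of the target (stand-in for vendor API calls)."""
    result = {k: dict(v) for k, v in target_accounts.items()}
    for op, anchor, attrs in ops:
        if op == "create":
            result[anchor] = dict(attrs)
        elif op == "update":
            result[anchor].update(attrs)
        elif op == "delete":
            result.pop(anchor, None)
    return result


if __name__ == "__main__":
    for op in plan_sync(SOURCE, TARGET):
        print(op)
```

Because the plan is computed from the full source projection rather than from change events, a missed event cannot leave an orphaned cloud account behind: the next run sees the account is no longer desired and revokes it.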
Microsoft Application Architecture Guide 2.0
This is great reading for anyone working with the Microsoft stack. As the worlds of IT Pro and Developer come together, this material covers everything from development technologies, platforms, and design patterns.
This guide provides design-level guidance for the architecture and design of applications built on the .NET Framework. It focuses on the most common types of applications, partitioning application functionality into layers, components, and services, and walks through their key design characteristics. This guide is a collaborative effort between patterns & practices, product teams, and industry experts.
Patterns & Practices Application Architecture Guide 2.0 (download)
When WSS doesn’t want to play nice during the FIM RTM upgrade
Customers might be running legacy FIM RC bits in a development environment and will need to upgrade them to the RTM builds to continue development. There really isn’t any upgrade path other than uninstalling/reinstalling the bits and re-attaching to the existing databases. In my case, I was upgrading from RC1 Update 2 to RTM and hit an issue because the WSS solutions were not retracted correctly when doing the initial uninstall. The initial error was pretty cryptic; however, you can verify the solutions still exist in the portal using STSADM.exe (stsadm.exe -o enumsolutions).
You can try manually deleting the solutions using STSADM.exe; however, it did not work for me because there are many references to each component within the WSS Config database, which causes the installer to fail when trying to deploy the new WSS solutions.
Basically, you get errors when the installer attempts to do INSERTs into the WSS Config DB. Windows reports this as a Windows event error stating corruption in the WSS Config DB, or something about the object ID of a resource already existing.
Because the FIM Service and FIM Sync Engine upgrade successfully, the configuration is safe and there isn’t anything wrong with doing a complete un-install/re-install of WSS. From there, the upgrade to RTM can be completed.