17 minutes read

Windows Azure Active Directory Federation In Depth (Part 2)

In my last post I talked a little bit about the provisioning and federation processes for Office 365 and Windows Azure Active Directory (WAAD). This time around I want to talk a little bit about how the various pieces fit together when federating an on premise Active Directory environment with WAAD and Office 365. You can find lots of articles online that talk about how to configure everything, but I wanted to dig a little deeper and show you why everything is configured the way it is. Out of the box a Windows Azure Active Directory tenant manages users for…

1 minute read

Windows Azure Access Control Service Announcements

This seems to have made the rounds yesterday and today. The Windows Azure ACS team decided to extend the promotional period to December 20th 2012. In other words, free for the next year. Sweet! I can’t say it was on my Christmas wish list, but it certainly is a great little gift. Also, ACS v1 is being deprecated the same day. Curiously, that was on my wish list. ACS 1.0 will be officially taken offline on December 20, 2012. This 12 month period along with the ACS 1.0 Migration Tool allows customers with ACS 1.0 namespaces to proactively migrate to…

1 minute read

Guide to Claims-Based Identity Second Edition

It looks like the Guide to Claims-Based Identity and Access Control was released as a second addition! Take a look at the list of authors: Dominick Baier Vittorio Bertocci Keith Brown Scott Densmore Eugenio Pace Matias Woloski If you want a list of experts on security then look no further. These guys are some of the best in the industry and are my go-to for resources on Claims.

4 minutes read

Adding ADFS as an Identity Provider in ACS v2

Ever have one of those days where you swear that you’ve written something, but can’t find it?  I could have sworn that I wrote this article before.  Ah well. — It makes a lot of sense to use ACS to manage Identity Providers.  It also makes sense to use Active Directory for letting users sign in to your cloud application.  Therefore we would hope that ACS and ADFS play nicely together.  It turns out they do.  in a previous post I talked about federating ACS and ADFS, where ACS is an identity provider to ADFS.  Now lets reverse it.  We…

4 minutes read

Custom Management Accounts for Windows Azure Access Control Service

When you start working with Windows Azure in your spare time there are quite a few things that you miss. I knew that it was possible to manage Windows Azure with multiple accounts, but since I was the only one logging into my instance, I never bothered to look into it.  Well as it turns out, I needed to be able to manage Azure from a separate Live ID.  It’s pretty simple to do.  You get into your subscription, navigate to User Management under the Hosted Services tab, and then you add a new Co-Admin. Turns out that you can’t…

7 minutes read

Creating a Claims Provider Trust in ADFS 2

One of the cornerstones of ADFS is the concept of federation (one would hope anyway, given the name), which is defined as a user’s authentication process across applications, organizations, or companies.  Or simply put, my company Contoso is a partner with Fabrikam.  Fabrikam employees need access to one of my applications, so we create a federated trust between my application and their user store, so they can log into my application using their internal Active Directory.  In this case, via ADFS. So lets break this down into manageable bits.  First we have our application.  This application is a relying party…

7 minutes read

Windows Azure Access Control Services Federation with Facebook

Sometime in the last few years Facebook has gotten stupidly popular.  Given the massive user base, it actually makes a little bit of sense to take advantage of the fact that you can use them as an identity provider.  Everyone has a Facebook account (except… me), and you can get a fair bit of information out of it on the user. The problem though is that it uses OpenAuth, and I, of course, don’t like OpenAuth.  This makes it very unlikely for me to spend any amount time working with the protocol, and as such wouldn’t jump at the chance…

3 minutes read

Windows Azure ACS v2 Mix Announcement

Part of the Mix11 announcement was that ACS v2 was released to production.  It was actually released last Thursday but we were told to keep as quiet as possible so they could announce it at Mix.  Here is the marketing speak: The new ACS includes a plethora of new features that customers and partners have been asking with enthusiasm: single sign on from business and web identity providers, easy integration with our development tools, support for both enterprise-grade and web friendly protocols, out of the box integration with Facebook, Windows Live ID, Google and Yahoo, and many others. Those features…

1 minute read

Windows Azure Access Control Services v2 RTW

So how do you know when Windows Azure Access Control Services has upgraded to V2?  You get federation metadata… Or you follow the Windows Azure App Fabric team blog! I have been waiting MONTHS for this release, begging and pleading with Microsoft to get more information on when the big day would come.  Needless to say I am super excited! This version adds: Federation provider and Security Token Service (FINALLY!) Out of box federation with Active Directory Federation Services 2.0, Windows Live ID, Google, Yahoo, Facebook New authorization scenarios Delegation using OAuth 2.0 Improved developer experience New web-based management portal…

11 minutes read

Making the Internet Single Sign On Capable

Every couple of weeks I start up Autoruns to see what new stuff has added itself to Windows startup and what not (screw you Adobe – you as a software company make me want to swear endlessly).  Anyway, a few months ago around the time the latest version of Windows Live Messenger and it’s suite RTM’ed I poked around to see if anything new was added.  Turns out there was: A new credential provider was added! Interesting. Not only that, it turns out a couple Winsock providers were added too: I started poking around the DLL’s and noticed that they…