1 minute read

Ptr: Authentication Scenarios in Azure AD

Came across a great article on MSDN recently that outlines the various authentication scenarios in Azure AD. Azure Active Directory (Azure AD) simplifies authentication for developers by providing identity as a service, with support for industry-standard protocols such as OAuth 2.0 and OpenID Connect, as well as open source libraries for different platforms to help you start coding quickly. This document will help you understand the various scenarios Azure AD supports and will show you how to get started. The knowledge has been around for quite a while now, but it’s nice to see it all centralized into an easy…

2 minutes read

Covert Redirect in OAuth 2.0 and OpenID — or yeah, and?

Earlier today a news story broke claiming the sky is falling because OAuth 2.0 and OpenID are vulnerable to “Covert Redirect” attacks — or as the rest of the world calls them — open redirects. This class of vulnerability has been around for quite a while and frankly is already mentioned in the threat model for the protocols in question. The mitigation is very simple: make sure you trust the location you’re sending data to before you send the data. This is an implementation detail. A very important implementation detail, but an implementation detail nonetheless. For a more detailed look at…

42 minutes read

Windows Azure Pack Authentication Part 3 – Using a Third Party IdP

In the previous installments of this series we looked at how Windows Azure Pack authenticates users and how it’s configured out of the box for federation. This time around we’re going to look at how you can configure federation with a third party IdP. Microsoft designed Windows Azure Pack the right way. It supports federation with industry protocols out of the box. You can’t say that for many services, and you certainly can’t say that those services support it natively for all versions – more often than not you have to pay extra for it. Windows Azure Pack supports federation,…

20 minutes read

Windows Azure Pack Authentication Part 2

Last time we looked at how Windows Azure Pack authenticates users in the Admin Portal. In this post we are going to look at how authentication works in the Tenant Portal. Authentication in the Tenant Portal works exactly the same way authentication in the Admin Portal works. Detailed and informative explanation, right? Actually, with any luck you’ve read, and were more importantly, able to decipher my (probably overly complicated) explanations in the last post. The reason for that is because we’re going to go a bit deeper into the configuration of how authentication is configured.  If that’s actually the case then…

5 minutes read

Whitepaper: Active Directory from on-premises to the cloud

A new whitepaper was released last Friday (Jan 11/2013) that discusses all the various options for dealing with identity in cloud, on-premise, and hybrid environments: Active Directory from on-premises to the cloud. It takes a look at how Windows Azure Active Directory is making a play for cloud identity, as well as how it works with hybrid/on-premise scenarios. Here’s the overview: Identity management, provisioning, role management, and authentication are key services both on-premises and through the (hybrid) cloud. With the Bring Your Own Apps (BYOA) for the cloud and Software as a Service (SaaS) applications, the desire to better collaborate…

17 minutes read

Windows Azure Active Directory Federation In Depth (Part 2)

In my last post I talked a little bit about the provisioning and federation processes for Office 365 and Windows Azure Active Directory (WAAD). This time around I want to talk a little bit about how the various pieces fit together when federating an on premise Active Directory environment with WAAD and Office 365. You can find lots of articles online that talk about how to configure everything, but I wanted to dig a little deeper and show you why everything is configured the way it is. Out of the box a Windows Azure Active Directory tenant manages users for…

12 minutes read

Self-Serving Single Sign On

When I wrote Enough with the Pain of Passwords someone told me it was completely self-serving. Actually, it was. My day job is building a commercial Single Sign On product so I’m terribly biased toward people using it. I quite like my job, and I really like my product so I’m more than happy to get people to buy our stuff. This doesn’t actually change how I feel about passwords though. I hate passwords. In current form they are an archaic mechanism for authentication and that mechanism is more often than not flawed. Archaic is, I think, an appropriate word…

9 minutes read

Enough with the Pain of Passwords

Passwords suck. This is a well known fact. Of course, we have conditioned ourselves to using passwords in painful ways so we accept this fact and move on with our lives. Except, I can’t take it anymore. Every week it seems there’s another breach, and every week there’s yet another security guru spouting the need for better-stronger-more-secure passwords. If you create a “strong” password that meets xyz requirements then it will take 42.3 bajillion years to crack regardless of what hash algorithm the application is using. The problem with this though is that “strong” passwords are ridiculously hard to remember…

11 minutes read

Study of Commercially Deployed Single Sign On

Microsoft Research published a paper sometime last month analyzing Single Sign On services hosted by various commercial entities. Go Read it: Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services. The paper had been sitting on my desk for a couple weeks (literally) before I had a chance to read through it. It actually made it’s rounds through the company before I had a chance to read it. In any case, I thought it would be good to post a link for people to read because it outlines some very…

0 minutes Less than a minute read

Windows Live and Windows 8

So. I guess I wasn’t the only one with this idea: http://www.syfuhs.net/post/2011/02/28/making-the-internet-single-sign-on-capable.aspx Sweet. Announced earlier today at the Build conference, Microsoft is creating a tighter integration between Windows 8 and Windows Live.  More details to come when I download the bits later tonight.