Cloud IAP works by verifying a user’s identity and determining if that user should be allowed to access the application.
Is there anything like this on Microsoft Azure?
This medium article that talks about how to "drop the bastion in the clouds" may be a good starting point.
Related
I'm coming from Google Cloud Platform, and have been used to creating service agents, essentially user accounts to grant permissions/access that I specify to non human actors, so they can view/modify resources/attributes. I have been exploring Azure all evening and can't quite find something similar to that. Can anyone suggest Azure services or keywords I should do some reading on so I figure out how to implement similar identity and access in Azure?
You'll want to start off by looking at Azure Active Directory Service Principals and Application Registrations. These are the rough equivalent to Service Accounts. You'll also want to research Managed Service Identities, which are a way to simplify the use of Applications and Service Principals. You can start with this page and keep linking from there.
This medium article can give you a good comparison circa 2020.
I am trying to set IS4 as Identity Provider.
The first thing I tried was to create a federation trust between Azure AD and the domain where I hosted my IS4. once federated by using the "Get-MsolDomainFederationSettings" command in PowerShell I got values for the following parameters:
I have found the following "solution", that also comes with this documentation, but it is a paid solution, and I am looking for a free option.
Should I use standard protocols, e.g. OpenID Connect, WS-Federation or SAML2p, and how can this be configured?
Based on the question and clarifying comments here the answer as of today:
You cannot achieve the required target architecture as of today. Today the only officially supported federation for Azure AD is ADFS over WS-Federation protocol and Ping Federate as preview. There is an official documentation describing the federation options with Azure AD.
There have been some tests in the past, but there is nothing officially supported beside the two options mentioned.
Looking at SSO, you can however look at the other side of the things:
You have IdentityServer and already some applications registered for it
You want SSO for Azure (O365) users to this applications
You can achieve what you want in the following manner:
You continue using Identity Server for your apps
You configure an external provider for your Identity Server as described here
What you certainly cannot achieve is:
Making Azure (Azure AD) authenticate users over Identity Server (at least not in a supported way!)
Azure AD can only be used as an endpoint as per #astaykov.
It can be an STS but it cannot be a R-STS i.e. it cannot be an intermediate step.
The solution described above is a paid solution because it uses the RSK SAML stack.
However, you could follow the same steps using the Sustainsys .NET Core option which is free.
I'm developing an Windows Azure web application and I would like to understand if I should use Windows Azure Control Service (ACS) in my Architecture or not. So, my questions are:
Is the Windows Azure Control Service (ACS) a valid option to manage users?
I mean, should I consider it as an "Authentication System" for my application instead of implement my own database (using Membership for example)?
Well "valid" as in it works and is supported, yes! But I'd say the value is more as a way to map identities and claims presented from other identity providers - like Live, Google, etc. - to claims for your application to respond to.
You can certainly set up your own users via the ACS portal, but for a true membership system you want the user to be able to change passwords, profile information, etc. Much of that can be accomplished via the ACS Management REST API but I don't know of any higher level abstractions or framework that you might be able to leverage. It seems like it would be a LOT of work that isn't really a core part of your application.
Is it possible to use an Azure virtual machine as an Active Directory server with ADFS 2.0 and integrate it with ACS ?
Regards ,
James Roeiter
Having AD server (with RMS also) in cloud is an ask which I have heard time to time from Azure users and it sure is a great addition to have it running in Windows Azure or any cloud. Various organization's IT is asking the same as well however As of now with current Windows Azure it is not possible.
A few might suggest that using Windows Azure VM Role however, I would say that there are concern over that as well do to persistence and other issues so I would say it is not possible with Windows Azure VM Role as well and there are other issues related with Active Directory product as well to run in Cloud scenarios.
If I answer it directly, I would say as of now it is not supported and suggested scenario to have AD on Windows Azure and will not work due to various reasons.
You can now install AD on Azure in a persistent state. Its still preview but I have just got an standalone AD on a separate network on Azure. I haven't finished wiring up ADFS and ACS but given a little time to get my head around it and I will be there.
Why would you like to put your AD server in Azure? If it just for testing - you can. However the current state of Windows Azure only allows you to have a VM Role, which is Stateless. That means, you may prepare your VM with the AD, all configured for ACS and fill up with users. However you can't rely on any changes to be persisted (including password changed, user edits). VM Role is stateless, which means you will lose your changes once the role is recycled or rebooted, or healed.
So the final answer for the current Windows Azure offering would be - don't do that now, unless you want to just play around and see if it works.
** EDIT **
I am not an AD expert, what I managed to do and have an "in-house-virtualized" lab is to have ADFS on VM integrated with ACS. Another VM running Windows 7, which is domain joined to my AD. Then a web deployed application which leverage ACS with ADFS integration. Everything works fine.
As for storing AD data on external persistent storage - I don't know if it is possible, and how to configure that (already told you I am not AD expert). But if you know how to configure the storage for AD, and if you can store it in an SQL Azure, it is worth to give it a try.
And, finally, as Sandrino mentioned read the provided link to ZDNet's blog post, which has information you might find helpful.
I am building a multi-tenant application in Azure and planning to use Claims (WIF). I do not have ADFS hosted for issuing tokens to the users of my applications.
What options do I have? Is there any commercial offering available?
Thanks & Regards,
Ajay
Azure provides it own token issure in AppFabric Access Control . Check Michele L. Bustamante 's Access Control in the Cloud: Windows Azure AppFabric's ACS for a very well written intro. There's also a demo video at Channel9 on using AC and a client's ADFS to control access to an Azure service, in this case Dallas.
You can now try ACS labs (early version of the service): http://acs.codeplex.com
It now supports WS-Federation.
my old post-->
AppFabric Access Control can currently only be used for REST endpoints (WRAP, SWT). If you Windows Azure app is a web site, you probably need an STS that supports WS-Federation.
You can build your own (and deploy it on Windows Azure) or you can rely on an STS hosted somewhere else.
To build your own I suggest looking athe starter sts