Identity management is one of the most important topics in cloud computing, especially in the public cloud. This blog covers identity management for Microsoft Azure.
If you look at the customers that need access to the public cloud, there are three ways they can access it, or we can say there are three types of customers: a large enterprise, a small enterprise, and someone working from home and accessing Azure.
Let's start by explaining each one of them.
Large Enterprises: Integrating a Subscriber's Own Identity Mechanism
- A large enterprise subscriber authenticates with its own identity provider (step 1), in this case Active Directory Federation Services (ADFS).
- After successfully authenticating a user, ADFS issues a token. The client browser forwards the token to the Azure federation provider, which trusts tokens issued by the customer's ADFS (step 2).
- If necessary, the federation provider transforms the customer's claims in the token into claims that the SaaS application recognizes (step 3) before returning a new token to the client browser.
- The application trusts tokens issued by the Azure federation provider and uses the claims in the token to apply authorization rules (step 4).
Small Enterprises: Providing an Identity Mechanism for Small Organizations
- A smaller company authenticates with the Azure identity provider (step 1), because its own Active Directory can't issue tokens that will be understood by the Azure federation provider.
- If the Azure identity provider can validate the credentials, it returns a token to the client browser that includes claims such as the user's identity and the tenant's identity. The client browser forwards the token to the Azure federation provider, which trusts tokens issued by the Azure identity provider (step 2).
- If necessary, the federation provider transforms the Azure identity provider's claims in the token into claims that the SaaS application recognizes (step 3) before returning a new token to the client browser.
- The application trusts tokens issued by the Azure federation provider and uses the claims in the token to apply authorization rules (step 4).
Working from Home and Accessing Azure: Integrating with Social Identity Providers
- The federation provider is configured to trust tokens issued by a third-party identity provider, such as an identity provider that authenticates a Microsoft account or OpenID credentials. The company plans to use Windows Azure Access Control to implement this scenario.
- When an individual user authenticates with his or her chosen identity provider (step 1), the identity provider returns a token to the client browser that includes claims such as the user's identity.
- The client browser forwards the token to the Azure federation provider, which trusts tokens issued by the third-party provider (step 2).
- If necessary, the federation provider transforms the claims in the token into claims that the Azure application recognizes (step 3) before returning a new token to the client browser.
- The application trusts tokens issued by the federation provider and uses the claims in the token to apply authorization rules (step 4). When the user tries to access their surveys, the application will redirect them to their external identity provider for authentication.
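The three scenarios share the same federation-provider pattern: check that the incoming token's issuer is trusted (step 2), rewrite the issuer-specific claims into the claims the application understands (step 3), and let the application accept only tokens from the federation provider before applying its rules (step 4). The following Python is an added illustration of that pattern, not code from Azure or Access Control; the issuer URLs, claim types and group names are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class Token:
    issuer: str
    claims: dict

# Constructed placeholder for the federation provider's own issuer name.
FEDERATION_ISSUER = "https://federation.example.test"

# Issuers the federation provider trusts (step 2), one per scenario on the page.
TRUSTED_ISSUERS = {
    "https://adfs.contoso.test": "enterprise",   # customer's own ADFS
    "https://identity.azure.test": "azure",      # Azure identity provider
    "https://login.social.test": "social",       # third-party / social provider
}

# Transformation rules (step 3): incoming claim type -> application claim type.
# Claims with no rule are dropped so the application never sees raw directory data.
CLAIM_RULES = {
    "enterprise": {"upn": "name", "group": "role", "tenant": "tenant"},
    "azure": {"user": "name", "tenantid": "tenant"},
    "social": {"nameidentifier": "name"},
}

# Directory groups from the enterprise mapped onto the application's roles.
GROUP_TO_ROLE = {"SurveyAdmins": "admin", "SurveyUsers": "user"}

def transform(token: Token) -> Token:
    """Federation provider: reject untrusted issuers, then rewrite claims."""
    kind = TRUSTED_ISSUERS.get(token.issuer)
    if kind is None:
        raise PermissionError(f"untrusted issuer: {token.issuer}")
    out = {}
    for claim_type, value in token.claims.items():
        app_type = CLAIM_RULES[kind].get(claim_type)
        if app_type is None:
            continue
        if app_type == "role":
            value = GROUP_TO_ROLE.get(value)
            if value is None:
                continue             # unknown group grants no role
        out[app_type] = value
    out.setdefault("role", "user")   # least-privileged role by default
    return Token(issuer=FEDERATION_ISSUER, claims=out)

def authorize(token: Token, action: str) -> bool:
    """Application (step 4): trust only the federation provider's tokens."""
    if token.issuer != FEDERATION_ISSUER:
        return False
    role = token.claims.get("role")
    return (action == "view" and role in ("user", "admin")) or (action == "manage" and role == "admin")
```

Note that a token presented straight from ADFS is refused by authorize(), even if it carries a role claim, because the application only trusts the federation provider.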