Windows Azure Pack with ADFS and Windows Azure Multi-Factor Authentication – Part 1
Windows Azure Pack with ADFS and Windows Azure Multi-Factor Authentication – Part 2
Windows Azure Pack with ADFS and Windows Azure Multi-Factor Authentication – Part 3
The last couple of weeks I have been testing a lot of federation scenarios for Windows Azure Pack. Out of the box Windows Azure Pack provides two authentication sites. A Windows Authentication site for the administration portal and a Tenant Authentication site based on a ASP.NET Membership provider for the tenant management portal. It is also possible to use Active Directory Federations Services (ADFS) for authentication with Windows Azure Pack.
Active Directory Federation Services
This opens the door to numerous interesting scenarios. I have tested Windows Azure Pack scenarios with the default ADFS Active Directory claims, federation to partner organizations, federation to Windows Azure ACS (that Shriram Natarajan also posted in an excellent blog a couple of days ago) and integrate ADFS with Windows Azure Multi-Factor Authentication.
If you ask an average person what password policy he or she is using for the online services they access the answer is quite scary. A single password for different entities. How many have been victim of phishing, identity theft or know someone who has been. And if we look at an average business and their security policies, well… it’s a mess usually. Unless you are disciplined with complex passwords, a simple username password does not cut it any more. Multi-factor Authentication can address these security issues by adding an additional layer of authentication. Besides the username and the password it is possible to validate the user by a phone call, a text message, a validation app, etc. In the past these functionalities where quite complex to implement, let alone integrate in to existing applications. Microsoft announced General Availability of Windows Azure Multi-Factor Authentication in September 2013. This service in Windows Azure Active Directory takes away the pain of setting up Multi-Factor Authentication yourself and allows for easy integration with existing applications by integrating on premises ADFS servers.
In this blog I’ll describes the steps to configure the tenant site in Windows Azure Pack to use ADFS for authentication and also add Multi-Factor Authentication by leveraging Windows Azure.
First lets have a look at the end result. A tenant opens the Windows Azure Pack tenant portal and is redirected to the ADFS, or even better the Web Application Proxy (Yep, WAP to WAP). The tenant enters his active directory credentials and is prompted to proceed with Multi-Factor Authentication. After proceeding the tenants is called within a couple of seconds on his mobile (you can configure other options as well). When asked, the tenant presses # in the call and he is instantly logged in to Windows Azure Pack. No matter if you show this to an IT pro, a customer or your boss, it will bring a smile to their face. Guaranteed!
Before we start clicking away we need to get some insight in the moving parts and the corresponding prerequisites.