You're reading from Cloud Identity Patterns and Strategies

Product type: Book
Published in: Dec 2022
Publisher: Packt
ISBN-13: 9781801810845
Edition: 1st Edition
Authors (2):

Giuseppe Di Federico

Giuseppe Di Federico started working for Microsoft in 2011, with previous experience working for IBM and Accenture in software development. He became an architect for cloud and hybrid solutions, serving customers in more than 10 countries across EMEA. He had the opportunity to lead multicultural teams, visit many multinational customers, and learn about different cultures, mindsets, and assets, which enabled him to also appreciate how organizations' structures impact their results. During his experience, he has been able to appreciate many identity patterns designed to last, to be reliable and secure. In June 2022, he accepted the challenge to join a new leading-edge team for the greatest service company in Italy.

Fabrizio Barcaroli

Fabrizio Barcaroli (born in 1987) started his career as a consultant in Italy after obtaining a master's degree in computer science in 2012. In 2013, Fabrizio joined Microsoft as part of the Microsoft Consulting Services unit, where he developed his technical skills and helped customers achieve their business goals through the usage of Microsoft technologies. With the rise of the cloud era, Fabrizio specialized in cloud and identity solutions, and in 2020, he became a cloud solution architect, a technical advisor that helps close the gap between business needs and Microsoft technologies for big enterprises operating in the manufacturing, finance, and retail markets in Italy and across the globe.

Identity Providers in the Real World

In the last chapter, we saw the most popular trends that describe the challenges that any enterprise architect should be aware of when designing an application nowadays.

This chapter will provide a list of the most prominent Identity Providers (IDPs) that are part of the modern identity landscape. We are going to briefly describe their capabilities in terms of use cases and the target audience they cover.

The objective of this chapter is not only to review the most prominent IDPs one by one but also to enable you to understand, appreciate, and evaluate technical and non-technical considerations when it is time to choose a provider.

We will cover the following topics in this chapter:

  • The technical aspects
  • The non-technical aspects
  • Azure Active Directory (AAD)
  • Azure Active Directory Domain Services (Azure AD DS)
  • Azure Active Directory B2C (AD B2C)
  • Active Directory Federation Services (AD FS)
  • Customer Identity from...

The technical aspects

There are many technical aspects to the choice of an IDP, and it is not easy to scrutinize all of them.

We can start with an initial distinction that connects back to the beginning of the book, where we mentioned how the cloud era is affecting the identity landscape: one of the first choices is whether to have a hosted IDP or a cloud IDP. By hosted IDP, we mean an IDP that needs to be installed and maintained by the enterprise on its own servers or in its own data center. In this case, the enterprise is responsible end to end and needs a dedicated team to take care of the entire stack. This is a legacy approach, and companies tend to use SaaS IDPs instead, where the service doesn’t need to be installed or updated because it is part of the service purchased from the cloud provider. We’re going to call these kinds of IDPs cloud-based, and there is a clear trend nowadays toward cloud-based IDPs.

Other...

The non-technical aspects

From an enterprise standpoint, choosing to adopt an IDP depends on many factors. Some of them are non-technical. As an example, regulatory compliance is usually a non-technical factor that can affect the choice of IDP.

Regulatory compliance is an IDP’s adherence to clearly defined business standards, rules, or regulations. There are several reasons to implement these rules: existing business procedures should be improved, company resources should be secured, customer and employee privacy should be protected, and national and international legal obligations should be met. Customers are more likely to trust a product when it conforms to these laws, because they can be sure that the product will perform as the industry expects and won’t cause them any unexpected trouble.

There are many rules and laws a specific enterprise wants to adhere to and they usually depend on the core business of the enterprise and its location.

...

Azure Active Directory (AAD)

When you encounter Microsoft’s AAD for the first time, the most common (and wrong) idea is to think of AAD as simply the cloud counterpart of AD DS. AAD and AD DS are two completely different technologies that can work together but provide different authentication services. AD DS is a service that comes with Windows Server; it provides an LDAP directory, Kerberos, and NTLM authentication (along with other enterprise features, such as group policy management). AAD, on the other hand, is a modern IDP that doesn’t really know what those protocols are because it implements different ones, such as OAuth 2.0, SAML, WS-Federation, and OpenID Connect.

This means that AAD can be considered a hub centered within Microsoft’s services, as shown in the following diagram:

Figure 7.2 – AAD overview

Any AAD object can be accessed through a REST API called Microsoft Graph, which allows you to create, update, and delete...

Azure Active Directory Domain Services (Azure AD DS)

Even if Azure AD DS is not an IDP that provides modern authentication capabilities, it is worth mentioning because of its integration with AAD. Azure AD DS is a managed service that relies on AAD identities to provide a managed AD DS installation (that is, managed domain controller servers) in the cloud. It offers all the basic capabilities of AD DS by deploying a pair of domain controllers within a private network (an Azure Virtual Network) created in Microsoft’s public cloud, Azure. Like its non-managed counterpart, which can be deployed through Windows Server, Azure AD DS provides Kerberos, LDAP, and NTLM authentication and simplifies lift-and-shift migration scenarios that involve tasks such as moving on-premises workloads (for example, file servers) to Azure. Azure AD DS does not provide the level of customization that a full installation of AD DS offers (the AD schema cannot be extended), but it has been designed for specific use cases...

Azure Active Directory B2C (AD B2C)

AD B2C is a separate Microsoft offering that provides a dedicated AAD tenant with additional capabilities tailored to specific use cases that mainly involve interaction with the customers of an organization. In other words, AD B2C is a Customer Identity and Access Management (CIAM) solution that enables an enterprise to effectively engage with its customers.

In the following diagram, we can see how AD B2C integrates with a heterogeneous group of external systems and acts as an identity orchestrator that can hide the complexity of where those systems are, which language they support, and what type of users they manage:

Figure 7.4 – AD B2C overview

AD B2C offers most of the core AAD features and adds the following capabilities on top of them:

  • User flows: A fully guided experience that allows us to create different flavors of flows that guide the interaction of a user with the AD B2C tenant during scenarios...

Active Directory Federation Services (AD FS)

Historically, AD FS has been Microsoft’s solution to federated authentication. AD FS tightly integrates with AD DS by acting as a sort of protocol translator that allows federated applications to use modern protocols, while, under the hood, actually authenticating the users against AD Domain Controllers through Windows authentication (Kerberos or NTLM) without the application being aware of where the user’s credentials are stored.

The infrastructure of AD FS is very simple and is made up of a pair of server roles: AD FS servers and AD FS proxy servers. The former are installed within a company’s internal network and provide their functionality, including single sign-on (SSO), to users connecting from within the organization premises or connected through a virtual private network (VPN). The latter are typically installed in a demilitarized zone (DMZ) network, which is logically separated from the internal network and...

Customer Identity from SAP Customer Data Cloud

Customer Identity is a CIAM solution from SAP Customer Data Cloud that enables organizations to engage with their customers and connect them with their web applications.

Customer Identity provides a comprehensive list of features that simplify the collection of user information and the overall management effort of maintaining an enterprise CIAM solution:

  • Registration and login options: There is a large number of built-in registration and login options, which include social login (such as Facebook, Twitter, Google, LinkedIn, Amazon, and Microsoft) and federated login using the SAML or OpenID Connect protocols. It is also possible to configure passwordless phone and push authentication and, to increase the security posture, risk-based authentication.
  • Screen-Sets: Screen-Sets are sets of screens that govern the user interaction with Customer Identity by defining a user-facing flow. Flows typically belong to the following types...

Okta (Auth0)

Unlike Microsoft, Google, and Amazon, Okta is a company that we can call IAM-born. The core business of Okta is identity management; 100% of its business relates to identity management and, as a consequence, all the effort of the company is focused in this direction. In March 2021, Okta acquired Auth0, another company focused on identity and the ecosystem around it.

Okta built its customer experience on top of the following pillars:

  • Directories: The directory is the basic pillar for an enterprise that intends to adopt Okta. The directory is used to host resources, users, and groups. An Okta directory enables its customers to store an unlimited number of users, devices, and groups in a single, structured view. In the Okta language, a universal directory usually represents the main instance of the Okta IDP. Customers may use multiple directories if a company has multi-tenant ambitions.
  • Integrations: This pillar encompasses the ability of...

Summary

In this chapter, we reviewed the criteria a company should use to evaluate the IDP it will choose. We discovered that not only technical factors are at play in this choice, but also that regulatory policies for specific businesses play an important role. We reviewed the technical aspects that should affect the choice of which IDP to use.

We also had the opportunity to describe, from a very high-level point of view, some of the IDPs that have a good standing on the market.

In the next chapter, we are going to move a step further and a level deeper: we are going to describe in detail how one of the most important IDPs works, look at its features, discuss the advantages and disadvantages of adopting it, and see the benefits an enterprise can obtain by leveraging features that are built on top of the OAuth protocol when choosing this IDP. We are going to have a closer look at AAD.
