http://mschnlnine.vo.llnwd.net/d1/inetpub/kevinremde/KROmniture.htmIt’s been over a year now since I posted my last in the series “So many questions. So little time.”
“August 20, 2012 to be exact.”
Yes indeed. And now that I’m again giving my IT Camp attendees the ability to submit their questions to me in writing, their questions become a really good source of content for the blog.
For example, at our Saint Louis IT Camp a couple of weeks ago, Ron asked:
“Azure can be locked down with certificates. Can that be incorporated with smart cards to further secure access?”
The short answer: Yes.
The longer answer. Absolutely, yes.
First, and quite simply, I know this to be true because this is how I authenticate every day into my Microsoft Full-time Employee-granted Windows Azure subscription. It’s the difference between a typical LiveID/Microsoft Account login and what is known as an “Organizational Account” login, similar to what businesses are enabling for single-signon in products such as Office 365. When I attempt to get into the Azure portal and I enter my Microsoft e-mail address, I’m redirected to a page that has this on it:
Notice that I can use my Smart Card (which is my employee badge) to authenticate.
Making this work requires using Active Directory and ADFS, where ADFS acts as the Security Token Service (STS), and Windows Azure is the Relying Party (RP).
.jpg "Remote Access by Devices testing as health")
“The RP requests a collection of claims routed by an application (for example, the Web browser) on the user device to one or more STSes. The user authenticates to the STS with whatever credential has been provided: password, smart card and so on.”
That drawing and quote come from an excellent explanation of how the parts relate to one another, written by Dan Griffin and Tom Jones. Read the full article here: Windows Azure: Authenticate Windows Azure with ADFS
Absolutely Full of I.T. 