As a cloud solution provider, Ad Coelum Technology is committed to embracing the very latest security protocols and technologies to ensure end users receive a secure, yet non-pervasive authentication experience. We will be working closely with Microsoft to ensure that our Azure-based solutions are compatible with all key Microsoft cloud offerings (such as Office 365, Lync, SharePoint, Windows Live, SkyDrive etc.) as well as other key technology platforms such as iOS and Android on the client-side.
In order to achieve this goal, we will be using an approach known as claims-based authentication, whereby the identity of a particular user is verified by a claims provider known as a secure token service (STS). Windows Azure Active Directory (AD) provides a powerful STS known as Access Control Services (ACS), which can be used in conjunction with both cloud identity providers (e.g. Google, Facebook, Windows Live ID and Yahoo) and, critically, corporate Active Directories. Using a synchronisation mechanism between traditional on-premise Windows Server AD and Windows Azure AD in the cloud, existing investment in on-premise security infrastructure can be leveraged for hybrid and cloud-based scenarios.
[Figure: Claims Based Authentication with Windows Azure Active Directory]
The ability to manage the identity of our clients, their customers and their partners through an STS capable of managing many different identity providers is a very powerful proposition. This approach makes collaboration with a wide variety of internal and external users much simpler at the solution architecture level. Let's go through the above diagram step-by-step to discuss how claims-based authentication works in practice...
- An end user requests a resource (i.e. a browser page request, web service request etc.) from our matter management solution running in Windows Azure.
- As the user is not yet authenticated, they are redirected to Windows Azure AD, which has been configured as the STS for the solution. The user is presented with a list of potential identity providers which are offered by the STS in relation to our solution.
- If the end user is external to the firm they may well be selecting a consumer identity provider such as Google or Windows Live. For internal users this is more likely to be Active Directory. Note: in both cases the user would need to have previously registered with the matter management solution (either through automatic Active Directory synchronisation or, in the case of an external user, an approval process to link their identity claim to a contact within the matter management solution). This has been omitted from the diagram, which illustrates the authentication process only, not initial registration.
- The user enters their credentials into the selected IP login page and a security token is issued if authentication is successful.
- The IP redirects the user back to Windows Azure AD along with the security token.
- Windows Azure AD validates the security token and runs it through a rules engine managed by Windows Azure Access Control Services (ACS). This engine transforms the output claims into the format expected by our solution.
- ACS then redirects the user to our application, where the ACS token is used to validate the user's identity on all subsequent requests (until the token expires).
Although this seven-step process may sound convoluted, steps 2 through 6 have not even touched our matter management solution. The user has also only seen two screens: one to select an IP, another to enter their login details.
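The seven steps above, reduced to a runnable model as an added example (this is not Ad Coelum's code and not the ACS API): an identity provider issues a token to the STS, the STS validates it and applies a claim-mapping rule to produce the claims our application expects, and the application accepts only STS-signed tokens for its own realm that have not expired. The keys, the realm URL, the claim names and the mapping rule are all constructed for the demo, and HMAC stands in for the X.509 signatures a real STS uses.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo keys; a real IdP/STS signs with X.509 certificates.
IDP_KEY = b"demo-idp-key"   # known to the identity provider and the STS only
STS_KEY = b"demo-sts-key"   # known to the STS and our application only
RP_REALM = "https://matters.example.test/"   # assumed relying-party realm

def sign(claims: dict, key: bytes) -> str:
    """Serialise claims and append an HMAC so tampering is detectable."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"

def verify(token: str, key: bytes, audience: str, now: float) -> dict:
    """Reject tokens with a bad signature, the wrong audience, or past expiry."""
    body, mac = token.rsplit(".", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

# Steps 4-5: the identity provider authenticates the user and issues a token for the STS.
def idp_issue(email: str, now: float) -> str:
    return sign({"iss": "google", "email": email, "aud": "sts", "exp": now + 300}, IDP_KEY)

# Step 6: the STS validates the IdP token and runs it through its rules (constructed here):
# (input issuer, input claim type) -> output claim type expected by our application.
RULES = {("google", "email"): "name"}

def sts_transform(idp_token: str, now: float) -> str:
    inp = verify(idp_token, IDP_KEY, "sts", now)
    out = {"iss": "sts", "aud": RP_REALM, "exp": now + 600, "idp": inp["iss"]}
    for (issuer, ctype), target in RULES.items():
        if inp["iss"] == issuer and ctype in inp:
            out[target] = inp[ctype]
    return sign(out, STS_KEY)

# Step 7: our application trusts only STS-signed tokens addressed to its own realm.
def rp_accept(sts_token: str, now: float) -> dict:
    return verify(sts_token, STS_KEY, RP_REALM, now)
```

Note that a token presented to the application directly from the identity provider, skipping the STS, fails signature and audience checks, and a token replayed after its expiry is refused regardless of signature.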
In effect, we, as an independent software vendor, have outsourced the authentication process. By adopting Windows Azure AD as our trusted provider we will be dramatically reducing the amount of custom authentication logic within our solutions, which allows us to reduce risk from a non-functional perspective and focus more time and resources on delivering functional requirements. That's not to say we are being complacent when it comes to security. As a cloud provider we make security our number one concern, and by choosing Windows Azure AD/ACS we are able to leverage a powerful, secure, standards-based solution backed by the investment and support of a multi-billion dollar corporation.
Our mission is to make lawyers more productive through enjoyable technology. The decision to adopt claims-based authentication and Windows Azure AD enables a less obstructive authentication experience using reusable tokens which can be shared by different solutions to reduce user disruption.
Windows Azure Active Directory is currently at the developer preview stage, and we will be working alongside Microsoft to incorporate this groundbreaking new technology into our solutions over the coming months.
Sure is interesting to see how electronic discovery technology continues to evolve over the years!