by Richard Conway, UK Windows Azure User Group

At an event that we at UKWAUG ran on Monday 8th July I spoke about how Windows Azure Active Directory can be used to scale identity in the cloud, and why and how you should be using it.

For the last 6 months we’ve been helping a startup build a scalable mobile payments platform. It has been a very interesting lesson in agility for me, and I also had the opportunity to compare notes at some great hackathons, run by Microsoft, on how big business approaches the same problems and development cycles.

Firstly, the startup we’ve been working for is CloudZync (http://www.cloudzync.me). Their premise is fairly simple: they want to bring mobile payments to small merchants that offer branded loyalty schemes and deals to their customers, as well as take payments electronically. Although the company has aspirations to work with much bigger businesses, I think they have an appreciation of scale in business. All too often “startups” receive more funding based on the quality and blue chip nature of their customer base. I think the scale out approach works better at first though, until you can afford to scale up!

As a result, many of the problems we faced with this project involve scale. Any good programmer will nowadays defer as many parts of a system as possible to services or frameworks which already do what they need. Every additional line of code is a potential bug, so if you can defer it you save time and maintenance headaches.

With Windows Azure, nowadays, the trend is precisely what I’ve written above. For a quick deployment of Database-as-a-Service I can deploy Windows Azure SQL Database. This allows me to avoid managing a pair of clustered servers, so that I can avoid thinking about scalability (WASD isn’t perfect, but it’s great to consume and not worry about management). I can do the same with the Service Bus (Messaging-as-a-Service), Windows Azure Websites (Websites-as-a-Service), Mobile Services (Mobile-Delivery-as-a-Service), BizTalk, HDInsight, etc. I think you get the point! This is now how we can approach every cloud project: as the consumption of a set of services provided by Microsoft.

In this article I’m going to refer to Windows Azure Active Directory, which can also be called Identity-as-a-Service, and describe some technical innovations which make this a very cloudy, and as such scalable, identity service.

When we began designing the CloudZync architecture, WAAD (Windows Azure Active Directory) was very much in its infancy. In fact my blog posts and github projects were among the first reference points outside of the team itself to describe how to interface with the Directory. We knew that we needed to design CloudZync to scale to potentially tens of thousands of merchants, so we decided that the best course of action was to offload the problem onto Microsoft.

The first versions of WAAD were as you would expect: more like developer toolkits! The latest version is fantastic. It provides a full management interface within the portal (not everything has been moved across from the preview portal yet).

In the case of the Elastacloud WAAD, for example, we can drill into the directory to see users and what their roles are. Shortly we’ll be able to see security group membership too (I hope!) and will have a very consolidated graphical view of what our directory contains.

So how does it work? I’ll use CloudZync as the example. When we started the project we had two requirements:

1. Give access to the ZyncWallet merchant terminal to small merchants with a handful of shops and only a phone or tablet

2. Give access to large merchants that already have entrenched identity systems spanning their corporation

At first the two would seem at odds with each other, but actually WAAD was designed with this in mind. WAAD enables a “Directory Sync” between on premise Active Directories and itself, which means that we can enable secure synchronization from the Active Directory of a customer such as LIDL (I have no idea whether they are running an AD! This is just an example). Once users are in the system they can be grouped together through security groups, which allow permission sets to be processed by the system. In the case of our application we identify organisations through a custom group membership and then add additional groups to enable Administrators within those organisations. As groups scale in the same way as users, the sky is the limit!

As the directory scales, there needs to be some thought about how to scale with it. You always reach a point in any project where the tools you have for management appear to be insufficient for what you need to do. The WAAD team has provided the Graph API so that programmers can build their own management tools. This means that tomorrow I could write a WPF or Windows 8 application to manage all of my users and groups. As the interface is OData and REST over HTTPS, you can potentially write WAAD clients for any device or desktop. It supports some complex queries and filters which can be used to bring back group memberships and organizational data for users.

The image above shows graphexplorer (http://graphexplorer.cloudapp.net), a tool provided by the WAAD team. It allows me to log in using my organisational account and run queries against the WAAD. It supports the filter syntax of OData and the response is brought back as JSON. So a query like this:

https://graph.windows.net/elastacloud.com/users

will return all of the users that are members of our directory, whereas if I issue this query I get just my own details:

https://graph.windows.net/elastacloud.com/users/richard@elastacloud.com
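As an added example (not the author's or CloudZync's code), the snippet below builds Graph API query URLs of the kind shown above and then maps a user's group memberships onto the organisation/Administrator scheme described earlier. It assumes a `memberOf` navigation and an `api-version` query parameter on the Graph API, a constructed `org:<id>` / `org:<id>:admin` group naming convention, and a constructed JSON response; the HTTP call itself (which needs an OAuth bearer token) is left out so the code runs offline.

```python
import json
from urllib.parse import urlencode, quote

GRAPH_ROOT = "https://graph.windows.net"  # endpoint used in the article's queries
API_VERSION = "2013-04-05"  # assumption: api-version parameter value the Graph API expects

def graph_url(tenant, path, odata_filter=None):
    """Build a Graph URL such as .../users or .../users/<upn>/memberOf, optionally
    with an OData $filter (memberOf and api-version are assumed names)."""
    params = {"api-version": API_VERSION}
    if odata_filter:
        params["$filter"] = odata_filter
    return f"{GRAPH_ROOT}/{tenant}/{path}?{urlencode(params, quote_via=quote)}"

# Constructed naming convention for the application's custom groups (hypothetical):
#   org:<id>        membership identifies the merchant organisation
#   org:<id>:admin  additional group grants Administrator rights within it
ORG_PREFIX = "org:"
ADMIN_SUFFIX = ":admin"

def resolve_permissions(member_of_json):
    """Map a memberOf response body onto (organisations, admin organisations).
    Only objectType 'Group' counts: directory Roles arrive on the same navigation
    and must not be read as an application permission. An admin group is honoured
    only when the matching organisation group is present too."""
    doc = json.loads(member_of_json)
    orgs, admin_orgs = set(), set()
    for obj in doc.get("value", []):
        if obj.get("objectType") != "Group":
            continue
        name = obj.get("displayName", "")
        if not name.startswith(ORG_PREFIX):
            continue
        if name.endswith(ADMIN_SUFFIX):
            admin_orgs.add(name[len(ORG_PREFIX):-len(ADMIN_SUFFIX)])
        else:
            orgs.add(name[len(ORG_PREFIX):])
    return orgs, admin_orgs & orgs

# Constructed sample response in the shape the Graph API returns (a "value" array).
# rogue-shop:admin has no matching org group and org:rogue-shop is a Role, so neither grants anything.
SAMPLE_MEMBER_OF = json.dumps({"value": [
    {"objectType": "Group", "displayName": "org:acme-bakery"},
    {"objectType": "Group", "displayName": "org:acme-bakery:admin"},
    {"objectType": "Group", "displayName": "org:rogue-shop:admin"},
    {"objectType": "Role", "displayName": "org:rogue-shop"},
]})

if __name__ == "__main__":
    print(resolve_permissions(SAMPLE_MEMBER_OF))  # ({'acme-bakery'}, {'acme-bakery'})
```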

The tools available to manage the WAAD go beyond the portal and Graph: MSOL cmdlets have been provided if you prefer to script tasks through PowerShell. These can be used to manage all aspects of the directory without writing a single line of code.

I won’t go through any more features here, as now that WAAD is in GA there is a wealth of material online and the team are active bloggers to boot! I will, however, describe MFA (Multi Factor Authentication). This is a new feature which can be seen in the Windows Azure Portal under Active Directory. It enables the user to manage a second way to authenticate to the WAAD. It’s a tokenless method of authentication, so as well as providing a username and password you will have to provide a one-time code in the form of a 6 digit number, which is entered along with your standard credentials in order to authenticate to the WAAD.

We will shortly be trialing MFA as part of an enrollment process with merchants. Since the access code is sent to the user’s mobile (by callback, SMS or notification), it ties the device to the enrollment process. We could extend this, if we wanted to, to tie the device to every authentication. The pricing model is on the Windows Azure website, and it means there is an inherent cost if we wanted to expose two factor authentication on every login!

I attended two fantastic week long hackathons organized by Microsoft DPE and supported them with talks on Windows Azure and Windows Azure Mobile Services. These events, called Digital Wallet Foundry, brought a number of banks and established payments platform providers together with teams to enable delivery of solutions. After the events I had the opportunity to present to one of the banks on a number of areas of community development and technology. I realised at this point how much harder it will be for larger corporations to compete with smaller startups unless they find a viable route to the cloud. True agility now is systemic and permeates deployment, provisioning and utilization of external services, as well as development. The bank in question would want to do the same things that we’ve managed to do with CloudZync with limited resources, but can’t make a decision to embrace the cloud and the new service based, multi-tenanted provisioning model it represents. My assessment and advice to every startup or BizSpark member is to embrace true agility in the cloud.

Useful links:

http://www.cloudzync.me

http://azurecoder.azurewebsites.net/tag/waad/

http://blogs.technet.com/b/ad/

http://www.windowsazure.com/en-us/services/identity/

http://www.ukwaug.net

Richard Conway is one of the founders of the UK Windows Azure Users Group. He is a Microsoft MVP for Windows Azure and can be followed @azurecoder. He works for Elastacloud which is a wholly Windows Azure consultancy focusing on distributed computing in the cloud, most notably Big Data and Big Compute workloads. He is the author of the popular open source component Fluent Management (http://nuget.org/packages/Elastacloud.AzureManagement.Fluent) which can be used to manage VMs, Cloud Services, Storage, SQL, Websites and Mobile Services in Windows Azure.