Building Secure Cloud Applications for the Enterprise

Post on 22-Nov-2014


DESCRIPTION

A cornerstone for just about any application is the identity of the users using it. In an enterprise, user identity is often managed in Windows Server Active Directory, and enterprise developers building line-of-business (LOB) applications have become accustomed to using Windows Authentication to authenticate users with their Active Directory credentials. Today, as enterprise developers target Microsoft Azure for their cloud applications, handling the identity and access needs of users in a way that is secure, robust and familiar to users is absolutely critical. After all, the online world is extremely hostile. The good news is that we don't have to be security experts to build secure LOB applications. We can leverage the services of Azure Active Directory and the industry-standard protocols it supports. We can leverage libraries like Windows Identity Foundation (WIF) in the .NET Framework, the Active Directory Authentication Library (ADAL), and the Graph API to build secure, claims-based applications. And finally, we can use Visual Studio to pull it all together in a developer-friendly way. If you want to learn how, then this session is for you.

TRANSCRIPT

Building Secure Cloud Applications for the Enterprise

Microsoft Azure

Azure Web Site

Visual Studio 2013

Azure Active Directory

Azure SDK

Introductions…

• About me
  • Rick Rainey
  • Independent Consultant, Trainer, Writer, Speaker

• Contact information
  • rick@cloudalloc.com
  • @RickRaineyTx
  • http://rickrainey.com
  • LinkedIn: www.linkedin.com/rickrain

Agenda

• Introduction to Azure Active Directory
• Developing for Azure Active Directory
  • Claims-Based Identity
  • .NET Framework Classes and Client Libraries
  • Visual Studio 2013

An Introduction to Azure Active Directory

What is it?

What Azure Active Directory is not

[Diagram: Contoso's Windows Server Active Directory, and Virtual Machines running Windows Server Active Directory in Microsoft Azure]

What Azure Active Directory is

[Diagram: Contoso, Fabrikam and Northwind tenants in Azure Active Directory, running in Microsoft Azure]

A multi-tenant service providing identity and access management capabilities for the cloud.

Azure Active Directory for an Enterprise (example)

[Diagram: Contoso's Windows Server Active Directory extended to Azure Active Directory in Microsoft Azure, which protects the Contoso Paystub App, the Contoso Benefits App and other LOB apps]

• Extend an on-premises Server Directory to Azure AD.
• Protect access to cloud applications.
• Grant access to SaaS applications.

DEMO

Azure Active Directory
• A lap around Azure AD using the Azure Management Portal

Developing for Azure Active Directory

Accessing the Endpoints

• REST APIs
• Client Libraries
  • .NET Framework / Windows Identity Foundation
  • Active Directory Authentication Library (ADAL)
  • Azure Active Directory Graph Client Library

Windows Identity Foundation

• A set of .NET Framework classes…
  • Claim
    • Statement about a user or entity provided by an Identity Provider
  • ClaimsPrincipal
    • Claims collection, Identities collection, IsInRole, and more
  • ClaimsIdentity
    • Name, Authentication Type
• …and HTTP Modules
  • WSFederationAuthenticationModule (WSFAM)
  • SessionAuthenticationModule (SAM)

*** Already included in .NET Framework 4.5 and higher. ***

What is Claims-Based Identity?

[Diagram: the Subject asks the Relying Party (RP), "I would like a Blue Moon please." The RP replies, "You look under age. Show me some ID." The Subject answers, "Thank you for that compliment… allow me to present to you my driver's license", a credential issued by the Dept. of Transportation, the Identity Provider (IdP).]

Externalized Authentication to Dept. of Transportation

WS-Federation: Simplified

[Diagram: Azure Active Directory and the Contoso Benefits Website. The website: "I trust tokens from the Contoso directory tenant." The Contoso user authenticates with Azure AD.]

Windows Identity Foundation

Contoso Benefits Website

WIF
• Validates token signature
• Decrypts token
• Extracts claims
• Sets session cookies
• Optionally invokes authorization code
• And a lot more…
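The WIF classes named two slides back (Claim, ClaimsIdentity, ClaimsPrincipal) and the "extracts claims" step above, shown in code. This is an added example, not code from the talk: the claims are constructed by hand to stand in for what WIF extracts after validating a token, the ClaimsDemo class, CanApproveBenefits, the BenefitsAdmin role, alice@contoso.com and the tenant id are all made up, and the two Azure AD claim type URIs are the ones Azure AD issues for tenant and object identifiers.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Added example. In a real web site the WS-Federation and Session
// authentication modules populate the principal; the app only reads it.
public static class ClaimsDemo
{
    // Claim type URIs Azure AD issues for the tenant and the user object.
    const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";
    const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    // Placeholder for the Contoso tenant id the relying party trusts.
    const string ContosoTenantId = "00000000-0000-0000-0000-000000000000";

    // Constructed claims standing in for those extracted from a validated token.
    public static ClaimsPrincipal BuildPrincipal()
    {
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, "alice@contoso.com"),
            new Claim(ClaimTypes.GivenName, "Alice"),
            new Claim(TenantIdClaim, ContosoTenantId),
            new Claim(ObjectIdClaim, "11111111-1111-1111-1111-111111111111"),
            new Claim(ClaimTypes.Role, "BenefitsAdmin"),
        };
        // authenticationType, nameType and roleType tell ClaimsIdentity which
        // claims back Identity.Name and IsInRole.
        var identity = new ClaimsIdentity(claims, "Federation", ClaimTypes.Name, ClaimTypes.Role);
        return new ClaimsPrincipal(identity);
    }

    // The relying party's own authorization code: only honour claims that
    // came from the Contoso tenant, then decide by role.
    public static bool CanApproveBenefits(ClaimsPrincipal user)
    {
        if (user == null || !user.Identity.IsAuthenticated) return false;
        var tenant = user.FindFirst(TenantIdClaim);
        if (tenant == null || tenant.Value != ContosoTenantId) return false; // untrusted tenant
        return user.IsInRole("BenefitsAdmin");
    }

    public static void Main()
    {
        var user = BuildPrincipal();
        Console.WriteLine("Name: " + user.Identity.Name);
        foreach (var c in user.Claims) Console.WriteLine(c.Type + " = " + c.Value);
        Console.WriteLine("Can approve benefits: " + CanApproveBenefits(user)); // True
    }
}
```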

DEMO

Developing for Azure Active Directory
• Build an Azure Website protected by Azure Active Directory

Active Directory Authentication Library (ADAL)

Active Directory Authentication Library
• A library that provides simple authentication functionality for client applications.
• Works with Azure Active Directory and Windows Server Active Directory (with ADFS).
• Download from the NuGet package gallery.

ADAL Scenarios

• Authenticate Users of a Client Application to a Remote Resource
• Authenticate a Server Application to a Remote Resource
• Authenticate a Server Application on Behalf of a User to Access a Remote Resource

ADAL Notable Classes and Methods

• AuthenticationContext
  • An instance of an authority, such as an Azure AD Tenant or a Windows Server ADFS
  • AcquireToken(…) Method
• AuthenticationResult
  • Contains the AccessToken to use when accessing a protected resource.

Azure Active Directory Graph (“Graph API”)

Azure Active Directory Graph Client Library
• A library that provides CRUD capabilities for objects in Azure Active Directory.
• A wrapper for the native REST APIs.
• Works with Azure Active Directory.
• Download from the NuGet package gallery.

Graph API Scenarios

• Query the directory
  • List of Users, Groups, Company Information, and more.
  • Get details about an object (user, group, etc.) in the directory.
• Add, Update, or Delete (or just disable) a User.
• Check a User's Group membership for RBAC cases.
• And more…

Azure AD Graph Client Library - Notables
• GraphConnection
  • Represents a "connection" to an Azure AD Tenant.
  • Requires an AccessToken, which you get from ADAL.
• The application must be configured in Azure AD with the appropriate permissions
  • Sign-On and read user profile
  • Read directory data
  • Write directory data

DEMO

ADAL and Graph Client Library
• Build an application that performs CRUD operations in Azure Active Directory

Some Key Take-Aways

• Azure Active Directory
  • A multi-tenant service providing identity and access management for cloud applications
  • Can be integrated with an on-premises Server Active Directory
• Active Directory Authentication Library (ADAL)
  • Provides authentication capabilities for client apps
• Azure Active Directory Client Library ("Graph API")
  • Provides CRUD capabilities for directory data and objects

References

• [blog] Azure Active Directory Graph Client Library 1.0: http://bit.ly/1r5jIcz
• [blog] Authenticating with Organizational Accounts and Azure Active Directory: http://bit.ly/1s5DEhp
• [blog] Deep Dive: Azure Websites and Organizational Authentication using Azure AD: http://bit.ly/ZoDPrk
• Vittorio Bertocci's Blog: http://www.cloudidentity.com/blog/
• Active Directory Team Blog: http://blogs.technet.com/b/ad/

Thank you!

• Questions? Comments? Etc.?
• rick@cloudalloc.com
• @RickRaineyTx
