so, you wanna build a sso

So, you wanna build a SSO?

Case study and technology review

Piotr Benetkiewicz

AgendaTake 1: Custom STS

• Architecture

• Protocol

• Demo

• Conclusions

Take 2: Azure AD• Architecture

• Protocol

• Demo

Future

Architecture

Requirements• Legacy user store, proxying On-Premise AD

• Superadmins: managers of App and other supporting services• Managing access to up to 10 resources

• App admins: access to /reports• Typically access to all apps in /org

• Users of apps• Out of scope

Let’s write our own STS• Custom STS on top Legacy User Store

• WS-Fed, WIF based

• Very little custom code needed

• Ability to add claims STS-side• Resource = Url = Claim

WS-Fed

Custom STS Architecture

DemoCustom STS and Relying Party

Custom STS conclusions• Dev perspective - nice, clean and explicit

• Certs nightmare

• Custom implementation??? Lack of trust.

• Veto

• Hmm… We might have azure AD for Office 365, let’s use Azure!

New Architecture• Azure AD synced with On-Premise AD for “Admin” identities

• Another Azure AD for sign-up (public)

• Azure groups. Group = URL = AccessGraph API

Oauth2 and OpenIdConnect

Demo• Adding Azure AuthN to simple MVC app

• Azure portal environment overview

• Graph API and other “gotcha’s”

Azure AD B2C conclusionsLot’s of “Gotcha’s”

• Sliding expiration

• Missing cookies (Old stack vs. Owin Stack)

• JSON manifest setup

• Groups-Claims overflow

Future• Machine to machine scenario

• Integration processes

• Sign up• B2C Policies