IT Unity Webinar Series, September 2015
TRANSCRIPT
Using Azure Active Directory to Secure Your Apps
Using Azure AD To Secure Your Apps
Part 1: Introduction to Azure AD
http://itunity.com/go/azure1
Part 2: Integrating Azure AD (Now)
Part 3: Advanced Azure AD Topics (September 30th)
About Me
SharePoint Solution Architect / Developer
Speaker / Trainer / Mentor
Microsoft MVP – Office 365 (Previously SharePoint Server)
Part 2: Integrating Azure Active Directory
Using Azure AD to Secure Your Apps
Agenda
Using Azure AD to secure a web application
Using Azure AD to secure a service
Consuming a service secured by Azure AD
Question and Answer
Application Types and Scenarios
Using Azure AD to secure a Web Application
Application Types and Scenarios
Secure a Web Application?
Allow access only to certain users: Authentication
Restrict functionality to members of a role: Authorization
Security Principals
Users
Groups
“Service Accounts”
Application
Authentication & Authorization
What is Authentication (AuthN)?
The process of verifying a principal’s identity.
What is Authorization (AuthZ)?
Determines which resources the principal can access.
AuthN/AuthZ Roles
Authentication and Authorization roles (diagram: the Application and Infrastructure layers, with the phases Start, Logon, "Logon valid?" (Authentication) and "Allowed to execute function?" (Authorization))
Common Authentication methods
Integrated Windows NT Authentication
Forms-Based Authentication
.NET Membership
ASP.NET Identity
Claims-based Authentication
Anonymous
Authenticating Users in the cloud
Integrated NT not usually possible
Unless running a managed cloud
FBA requires management interface creation
Is your code secure? Your password storage container?
Claims-based is current standard
Multiple formats, but same concepts
Anonymous
Well…
Claims in real life
Form I-9
Purchasing Alcohol
Login with Facebook
Auth Protocols & Code Libraries
Authenticating Users
Externalize authentication
No more ASP.NET Membership
Authentication delegated to an Identity Provider (IdP)
IdP issues a token that contains claims
Claims are used in Authorization decisions
Authenticating Users - Protocols
WS-FED
SAML format (Security Assertion Markup Language)
Providers: Azure Access Control Services, Active Directory Federation Services (AD FS)
OpenID Connect
JWT format
Providers: Azure Active Directory (Azure AD), Social Networks
Authenticating Users – Libraries
WS-FED / SAML
Windows Identity Foundation (WIF)
System.IdentityModel & System.Security.Claims namespaces (.NET 4.5)
Identity & Access Control in VS2012
Change Authentication button on New Project Dialog (VS2013 & VS2015)
OpenID Connect
ADAL (Active Directory Authentication Library)
Builds on top of WIF
Both managed and JavaScript libraries
Project templates in VS2015
Authentication in Azure AD
Authentication in Azure AD
Web Browser to Web Application
Demo
Configuring an ASP.NET application to authenticate to Azure AD
OpenID Connect using OWIN (VS2015)

```csharp
using System.Threading.Tasks;
using Microsoft.Owin.Extensions;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public void ConfigureAuth(IAppBuilder app)
{
    // Sign the user in with a cookie once the OpenID Connect handshake succeeds
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,                            // the app's Client ID registered in Azure AD
            Authority = authority,                          // the tenant's Azure AD endpoint the id_token must come from
            PostLogoutRedirectUri = postLogoutRedirectUri,
            Notifications = new OpenIdConnectAuthenticationNotifications()
            {
                // As on the slide, a failed authentication is simply completed here;
                // a production app should surface the error to the user instead.
                AuthenticationFailed = (context) =>
                {
                    return Task.FromResult(0);
                }
            }
        });

    // This makes any middleware defined above this line run before the
    // Authorization rule is applied in web.config
    app.UseStageMarker(PipelineStage.Authenticate);
}
```
WS-FED using WIF (VS2013)

```csharp
using System;
using System.Configuration;
using System.IdentityModel.Services;

public static void ConfigureIdentity()
{
    RefreshValidationSettings();
    // Realm (wtrealm) and audience URI of this application, read from web.config
    Realm = ConfigurationManager.AppSettings["ida:realm"];
    AudienceUri = ConfigurationManager.AppSettings["ida:AudienceUri"];
    if (!String.IsNullOrEmpty(AudienceUri))
    {
        UpdateAudienceUri();
    }
}

public static void RefreshValidationSettings()
{
    // The federation metadata document is where the trusted issuer and its signing keys come from
    string metadataLocation = ConfigurationManager.AppSettings["ida:FederationMetadataLocation"];
    // ... remainder of the method is not shown on the slide
}

public static void UpdateAudienceUri()
{
    // Adds AudienceUri to the allowed audiences so tokens issued for other apps are rejected
    int count = FederatedAuthentication.FederationConfiguration
    // ... remainder of the method is not shown on the slide
}
```
Using Azure AD to Secure a Service
Application Types and Scenarios
Web Application to WebAPI
Demo
Configuring a WebAPI project to authenticate to Azure AD
Azure AD issued Bearer Tokens
```csharp
using System.Configuration;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public void ConfigureAuth(IAppBuilder app)
{
    app.UseWindowsAzureActiveDirectoryBearerAuthentication(
        new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
            // The App ID URI of this API: a token minted for any other audience is rejected
            Audience = ConfigurationManager.AppSettings["ida:Audience"],
            // The tenant whose federation metadata (issuer, signing keys) is used to validate tokens
            Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
        });
}
```
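The middleware above only does the authentication half of the AuthN/AuthZ split from the earlier slides: once it has checked the token, the claims the IdP put in it still have to drive the authorization decision in the controller. The following controller is an added example, not code from the deck; the mapped claim-type URIs, the user_impersonation scope and the TodoList.Read app role are assumptions, and it serves the consumer snippet further down too, whose ownerid query value must not be trusted when the caller is a user rather than the app itself.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Web.Http;

// Added example. The bearer middleware has already validated signature, issuer,
// audience and lifetime, so an invalid token never reaches this code; what is
// left is authorization based on the claims Azure AD placed in the token.
public class TodoListController : ApiController
{
    // Claim types as surfaced by JwtSecurityTokenHandler's default inbound map
    // (assumption); the raw JWT names are accepted too in case mapping is off.
    const string ScopeClaim = "http://schemas.microsoft.com/identity/claims/scope";
    const string OidClaim   = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    const string RequiredScope = "user_impersonation";   // default delegated scope of an Azure AD app
    const string RequiredRole  = "TodoList.Read";        // hypothetical app role granted to the client app

    static string ClaimValue(ClaimsPrincipal p, string longName, string shortName)
    {
        return (p.FindFirst(longName) ?? p.FindFirst(shortName))?.Value;
    }

    [Authorize]   // anonymous or invalid-token callers already got a 401 from the middleware
    public IHttpActionResult Get(string ownerId)
    {
        var caller = (ClaimsPrincipal)User;
        string scopes = ClaimValue(caller, ScopeClaim, "scp") ?? "";
        bool delegated = scopes.Split(' ').Contains(RequiredScope);          // user token
        bool appOnly = caller.IsInRole(RequiredRole)                         // client-credentials token
                       || caller.FindAll("roles").Any(c => c.Value == RequiredRole);

        if (delegated)
        {
            // A user token: bind ownerId to the caller's own object id instead of
            // trusting the query string, so one user cannot read another's list.
            string oid = ClaimValue(caller, OidClaim, "oid");
            if (oid == null || !string.Equals(oid, ownerId, StringComparison.OrdinalIgnoreCase))
                return StatusCode(HttpStatusCode.Forbidden);
        }
        else if (!appOnly)
        {
            // Authenticated but holding neither the scope nor the role: 403, not 401.
            return StatusCode(HttpStatusCode.Forbidden);
        }
        // The app itself (client credentials, as in the consumer snippet) was granted
        // the role, so it may query any owner.
        return Ok(LoadTodoItems(ownerId));
    }

    static object LoadTodoItems(string ownerId) { return new object[0]; } // stand-in for the real store
}
```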
Consuming a Service Secured by Azure AD
OAuth2 - App Identity

```csharp
using System.Net.Http;
using System.Net.Http.Headers;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Client credentials flow: the application authenticates as itself, no user is present.
// appKey is the app's client secret and belongs in protected configuration, not in source.
private static AuthenticationContext authContext = new AuthenticationContext(authority);
private static ClientCredential clientCredential = new ClientCredential(clientId, appKey);

// ADAL includes an in memory cache, so this call will only send
// a message to the server if the cached token is expired.
AuthenticationResult result = authContext.AcquireToken(todoListResourceId, clientCredential);

// Present the access token to the API as a Bearer token
HttpClient client = new HttpClient();
HttpRequestMessage request = new HttpRequestMessage(
    HttpMethod.Get, todoListBaseAddress + "/api/todolist?ownerid=" + ownerId);
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
HttpResponseMessage response = await client.SendAsync(request);
```
Resources
Resources – Notables
Cloud Identity Blog – Vittorio Bertocci
http://www.cloudidentity.com/blog/
Dominick Baier
http://leastprivilege.com/
Brock Allen
http://brockallen.com/
Resources – Azure AD
Azure Active Directory developer's guide
http://aka.ms/aaddev
Authentication Scenarios for Azure AD
https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/
Azure Active Directory Authentication Libraries
https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-libraries/
Azure Active Directory Code Samples
https://azure.microsoft.com/en-us/documentation/articles/active-directory-code-samples/
Resources – updates to app model
Now in public preview: The Converged Microsoft Account and Azure Active Directory Programming Model
http://blogs.technet.com/b/ad/archive/2015/08/12/azure-ad-microsoft-account-preview-sign-in-personal-and-work-accounts-using-a-single-stack.aspx
Working with the converged Azure AD v2 app model (Rich DiZerega)
http://blogs.msdn.com/b/richard_dizeregas_blog/archive/2015/09/04/working-with-the-converged-azure-ad-v2-app-model.aspx
Using Azure AD To Secure Your Apps
Part 1: Introduction to Azure AD
http://itunity.com/go/azure1
Part 2: Integrating Azure AD
http://itunity.com/go/azure2
Part 3: Advanced Azure AD Topics (September 30th)
http://itunity.com/go/azure3