Upload: belinda-butler

Post on 22-Dec-2015

Karanbir Singh
Senior PM, Operating Systems Security
SSO with Secure Authentication

Single Sign On with Secure Authentication

2-709

Identity Investments in Windows 10

New authentication infrastructure

How you can participate!

Q&A

Agenda

of employees use personal devices for work purposes.*

of employees that typically work on employer premises, also frequently work away from their desks.***

of all software will be available on a SaaS delivery by 2020.**

Mobility and the cloud is the new normal

66% 25% 33%

* CEB, The Future of Corporate IT: 2013-2017 (2013).
** Forrester, Application Adoption Trends: The Rise Of SaaS.
*** CEB IT Impact Report: Five Key Findings on Driving Employee Productivity, Q1 2014.

Mobility and the cloud is the new normal

Windows 10 connects to personal and work clouds.

Next

This choice is important, and it isn’t easy to switch later. If this machine belongs to your organization, signing in with that ID will give you access to their resources.

Who owns this PC?

Next / Back

Help me choose

This device belongs to me

This device belongs to my organization

Let’s get you signed in

Forgot your password?

Sign in / Back

Sign in with the username and password you use with Office 365 (or other business services from Microsoft).

Privacy statement

Work or school account

Which account should I use?

Skip this step

Password

[email protected]@contoso.com

Sign in / Back

Privacy statement

Password

[email protected]

Forgot your password?

Let’s get you signed in

Work or school account

Skip this step

Contact the Contoso Help Desk at (206) 555-1234. This service is operated by Microsoft on behalf of Contoso and is for the exclusive use of their employees and partners.

Need help?

••••••••

3-654: Managing Mobile Devices and Applications in an Enterprise

Windows 10 connects to personal and work clouds.

Windows connects with AD and AAD too!

Log on to Windows with work accounts

Access apps & resources in either environment

Device and app state roams

Install apps from the Business Store Portal

Devices are automatically enrolled in MDM

IT can use Conditional Access

Windows 10 takes a bold step forward…

Identity is a means to an end, not the end.

Your scenarios and experiences are the end.

No native support for AAD auth in Windows

Competing development models

Limited 3rd party integration support

Leads to poor end-user experience

Challenges

Web Account Manager

App

Identity/Service Provider

Web Account Provider

Web Account Manager

Web Account Manager

1. RequestTokenAsync

2. Token request

3. Authenticate

4. Token

5. Request result

6. RequestResult

7. Access resources

Microsoft Web Account Provider

Identity/Service Provider

RequestTokenAsync

GetTokenSilentlyAsync

SignOutAsync

Web Account Manager APIs

WebTokenRequestResult
Results

- WebTokenResponse, i.e. Token and WebAccount
- Status, e.g. success, user cancelled, provider not available, provider-specific errors, etc.

WebAccount
Object that represents a web account specific to an IDP

- ID, WebAccountProvider, User Name, State, Properties, etc.
- Can be used as a hint for subsequent token requests

Output
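An added example, not from the deck or the SDK samples, of the app-side flow the two slides above describe: GetTokenSilentlyAsync with the WebAccount saved from a previous sign-in as the hint, RequestTokenAsync only as the interactive fallback, and the WebTokenRequestResult checked by status before the token is read. The AAD provider id and authority are assumed; ClientId and Scope are placeholders for your own app registration's values.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Authentication.Web.Core;
using Windows.Storage;
// Example code (not from the deck): AAD sign-in via Web Account Manager, silent first.
public static class WamTokenHelper
{
    const string ProviderId   = "https://login.microsoft.com";            // AAD provider (assumed)
    const string Authority    = "organizations";                          // work/school accounts
    const string ClientId     = "00000000-0000-0000-0000-000000000000";   // placeholder app id
    const string Scope        = "https://graph.microsoft.com/";           // placeholder resource
    const string AccountIdKey = "WamAccountId";                           // where the hint is kept

    public static async Task<string> GetAccessTokenAsync()
    {
        var provider = await WebAuthenticationCoreManager.FindAccountProviderAsync(ProviderId, Authority);
        if (provider == null)
            throw new InvalidOperationException("AAD Web Account Provider not available on this device.");
        var request  = new WebTokenRequest(provider, Scope, ClientId);
        var settings = ApplicationData.Current.LocalSettings.Values;
        WebTokenRequestResult result = null;

        // 1. GetTokenSilentlyAsync with the WebAccount chosen last time as the hint: no UI.
        if (settings.TryGetValue(AccountIdKey, out object saved) && saved is string accountId)
        {
            var account = await WebAuthenticationCoreManager.FindAccountAsync(provider, accountId);
            if (account != null)
                result = await WebAuthenticationCoreManager.GetTokenSilentlyAsync(request, account);
        }

        // 2. RequestTokenAsync only when there is no hint or the provider needs the user.
        if (result == null || result.ResponseStatus == WebTokenRequestStatus.UserInteractionRequired)
            result = await WebAuthenticationCoreManager.RequestTokenAsync(request);

        // 3. Check the status of the WebTokenRequestResult before reading any token.
        switch (result.ResponseStatus)
        {
            case WebTokenRequestStatus.Success:
                WebTokenResponse response = result.ResponseData[0];
                settings[AccountIdKey] = response.WebAccount.Id;   // hint for the next silent call
                return response.Token;
            case WebTokenRequestStatus.UserCancel:
                throw new OperationCanceledException("User cancelled sign-in.");
            default:   // AccountProviderNotAvailable, ProviderError, AccountSwitch
                throw new InvalidOperationException(
                    $"Token request failed ({result.ResponseStatus}): {result.ResponseError?.ErrorMessage}");
        }
    }
}
```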

If your app targets Windows 10, use Web Account Manager

If your app targets other versions or platforms, use ADAL

Existing apps built using ADAL will continue to work

*ADAL = Active Directory Authentication Library

Web Account Manager vs ADAL*

2-769: Develop Modern Native Application with Azure Active Directory

3-767: Building Universal Windows Apps with Office 365 APIs

Web Account Manager is extensible.

Identity/Service Provider

Web Account Provider

Web Account Manager

Web Account Manager

1. RequestTokenAsync

2. Token request

3. Authenticate

4. Token

5. Request result

6. RequestResult

Contoso Web Account Provider

Your custom Web Account Provider!

App

Browser / Browser SSO

Web Account Provider – Why?

You are already an Identity Provider

You provide services to a suite of apps and websites

Off-the-shelf providers do not meet your custom needs

Register as a WebAccountProvider

Handle Activation Kinds

Manage account lifecycle

Writing a Web Account Provider

2-639: Microsoft Passport and Windows Hello: Moving Beyond Passwords and Credential Theft

3-765: App-to-App Communication: Building a Web of Apps

Web Account Manager

Native support for AAD auth in Windows

One consistent way of authentication

Rich 3rd party integration support

Together, let's deliver a great end-user experience!

Q&A

Web Account Manager
App APIs
WebAccountProvider APIs

SDK samples

Other relevant sessions
3-767: Building Universal Windows Apps with Office 365 APIs
2-769: Develop Modern Native Application with Azure Active Directory
2-639: Microsoft Passport and Windows Hello
3-765: App-to-App Communication: Building a Web of Apps
3-654: Managing Mobile Devices and Applications in an Enterprise

Resources

© 2015 Microsoft Corporation. All rights reserved.

Appendix

Update your app’s manifest

<uap:Extension Category="windows.webAccountProvider">
  <!-- Url defines the Plugin ID. -->
  <!-- BackgroundEntryPoint defines the Plugin's interface for the background. -->
  <uap:WebAccountProvider Url="https://www.contoso.com"
                          BackgroundEntryPoint="WebAccountProvider.BackgroundHandler"/>
</uap:Extension>

Register as a WebAccountProvider

void OnWebAccountProvider(WebAccountProviderActivatedEventArgs args)
{
    // Get the base operation from the activated event args
    IWebAccountProviderOperation baseOperation = args.Operation;

    // Depending on the type of operation in the base operation, cast the base operation
    // to the specific operation and handle it in the specific root frame.
    // (rootFrame is the app's root Frame; each case uses its own variable name because
    // all case sections of a C# switch share one scope.)
    switch (baseOperation.Kind)
    {
        case WebAccountProviderOperationKind.RequestToken:
            var requestTokenOperation = baseOperation as WebAccountProviderRequestTokenOperation;
            rootFrame.Navigate(typeof(RequestTokenPage), requestTokenOperation);
            break;

        case WebAccountProviderOperationKind.AddAccount:
            var addAccountOperation = baseOperation as WebAccountProviderAddAccountOperation;
            rootFrame.Navigate(typeof(AddAccountPage), addAccountOperation);
            break;

        case WebAccountProviderOperationKind.ManageAccount:
            var manageAccountOperation = baseOperation as WebAccountProviderManageAccountOperation;
            rootFrame.Navigate(typeof(ManageAccountPage), manageAccountOperation);
            break;

        default:
            base.OnActivated(args);
            break;
    }
}

Handle Activation Kinds (with UI)

switch (baseOperation.Kind)
{
    case WebAccountProviderOperationKind.GetTokenSilently:
        var getTokenSilentOperation = baseOperation as WebAccountProviderGetTokenSilentOperation;
        HandleGetTokenSilently(getTokenSilentOperation);
        break;

    case WebAccountProviderOperationKind.RetrieveCookies:
        var retrieveCookiesOperation = baseOperation as WebAccountProviderRetrieveCookiesOperation;
        HandleRetrieveCookies(retrieveCookiesOperation);
        break;

    default:
        // This is an error
        break;
}

Handle Activation Kinds (No UI)

AddWebAccountAsync
To add a Web Account to the System

UpdateWebAccountPropertiesAsync
To update a Web Account

DeleteWebAccountAsync
Delete a WebAccount from the System

FindAllProviderWebAccountsAsync
Used to find all Web Accounts you added to the System

Manage account lifecycle
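An added example, not from the deck or the SDK samples, of the provider side: the body of the HandleGetTokenSilently method the no-UI activation handler calls, combined with the account lifecycle API above. It assumes tokens were saved in PasswordVault at interactive sign-in under a constructed resource name "<clientId>|<scope>" with the account id as the user name; the account check via FindAllProviderWebAccountsAsync and the silent/interactive distinction are the WAM provider API.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Windows.Security.Authentication.Web.Provider;
using Windows.Security.Credentials;
// Example code (not from the deck): a custom provider's GetTokenSilently handler.
public static class SilentTokenHandler
{
    // Tokens are assumed to have been saved in PasswordVault at interactive sign-in,
    // under resource "<clientId>|<scope>" and user name = account id (constructed layout).
    static string TryGetCachedToken(string accountId, string clientId, string scope)
    {
        try
        {
            PasswordCredential cred = new PasswordVault().Retrieve($"{clientId}|{scope}", accountId);
            cred.RetrievePassword();          // Password is only populated after this call
            return cred.Password;
        }
        catch (Exception) { return null; }    // Retrieve throws when no entry exists
    }

    public static async Task HandleGetTokenSilently(WebAccountProviderGetTokenSilentOperation operation)
    {
        WebProviderTokenRequest request = operation.ProviderRequest;
        string clientId = request.ClientRequest.ClientId;
        string scope    = request.ClientRequest.Scope;
        // Only accounts this provider created with AddWebAccountAsync are acceptable hints.
        var known = new HashSet<string>();
        foreach (WebAccount a in await WebAccountManager.FindAllProviderWebAccountsAsync())
            known.Add(a.Id);
        foreach (WebAccount account in request.WebAccounts)
        {
            if (!known.Contains(account.Id))
            {
                // The app passed an account we never issued: fail closed, do not guess.
                operation.ReportError(new WebProviderError(0x80070005, "Unknown account"));  // E_ACCESSDENIED
                return;
            }
            string token = TryGetCachedToken(account.Id, clientId, scope);
            if (token != null)
                request.ProviderResponses.Add(new WebProviderTokenResponse(account, token));
        }
        // Silent means no UI: with nothing cached, tell WAM the app must call RequestTokenAsync.
        if (request.ProviderResponses.Count == 0)
            operation.ReportUserInteractionRequired();
        else
            operation.ReportCompleted();
    }
}
```

Token expiry is not checked here; a real provider would store the expiry alongside the token and treat an expired entry like a missing one.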