Karanbir Singh, Senior PM, Operating Systems Security
Single Sign On with Secure Authentication
Session 2-709
Agenda
- Identity Investments in Windows 10
- New authentication infrastructure
- How you can participate!
- Q&A
Mobility and the cloud is the new normal
66% of employees use personal devices for work purposes.*
25% of employees that typically work on employer premises also frequently work away from their desks.***
33% of all software will be available on a SaaS delivery by 2020.**
* CEB The Future of Corporate ITL: 203-2017. 2013.
** Forrester Application Adoption Trends: The Rise Of SaaS
*** CEB IT Impact Report: Five Key Findings on Driving Employee Productivity Q1 2014.
Screenshot: Windows 10 setup, "Who owns this PC?"
This choice is important, and it isn't easy to switch later. If this machine belongs to your organization, signing in with that ID will give you access to their resources.
Options: "This device belongs to me" / "This device belongs to my organization" (Help me choose)

Screenshot: "Let's get you signed in" (Work or school account)
Sign in with the username and password you use with Office 365 (or other business services from Microsoft).
Need help? Contact the Contoso Help Desk at (206) 555-1234. This service is operated by Microsoft on behalf of Contoso and is for the exclusive use of their employees and partners.
Windows connects with AD and AAD too!
- Log on to Windows with work accounts
- Access apps & resources in either environment
- Device and app state roams
- Install apps from the Business Store Portal
- Devices are automatically enrolled in MDM
- IT can use Conditional Access
Windows 10 takes a bold step forward…
Challenges
- No native support for AAD auth in Windows
- Competing development models
- Limited 3rd party integration support
- Leads to poor end-user experience
Web Account Manager flow (diagram)
Components: App, Web Account Manager, Web Account Provider (the Microsoft Web Account Provider), Identity/Service Provider
1. RequestTokenAsync (App -> Web Account Manager)
2. Token request (Web Account Manager -> Web Account Provider)
3. Authenticate (Web Account Provider <-> Identity/Service Provider)
4. Token (Identity/Service Provider -> Web Account Provider)
5. Request result (Web Account Provider -> Web Account Manager)
6. RequestResult (Web Account Manager -> App)
7. Access resources (App -> Identity/Service Provider)

Output
WebTokenRequestResult: the results of a token request
- WebTokenResponse, i.e. Token and WebAccount
- Status, e.g. success, user cancelled, provider not available, provider-specific errors, etc.
WebAccount: object that represents a web account specific to an IDP
- ID, WebAccountProvider, User Name, State, Properties, etc.
- Can be used as a hint for subsequent token requests
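The app side of this flow, as an added C# example that is not part of the deck: the app asks the Contoso provider registered under https://www.contoso.com (the manifest Url later in the deck) for a token, tries the silent path first when it has a WebAccount hint, and handles each WebTokenRequestStatus instead of assuming success. The scope and client id are placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Authentication.Web.Core;
using Windows.Security.Credentials;

public static class ContosoTokenClient
{
    const string ProviderId = "https://www.contoso.com";   // provider Url from the manifest
    const string Scope = "contoso.read";                   // assumed scope
    const string ClientId = "<your-app-client-id>";        // placeholder

    // Returns the WebTokenResponse (Token + WebAccount) on success, or null when the user
    // cancelled or the provider is not available. 'account' is the hint from a previous result.
    public static async Task<WebTokenResponse> GetTokenAsync(WebAccount account = null)
    {
        WebAccountProvider provider =
            await WebAuthenticationCoreManager.FindAccountProviderAsync(ProviderId);
        if (provider == null)
            return null; // no provider registered for this Url on the device

        var request = new WebTokenRequest(provider, Scope, ClientId);

        // With an account hint, try silently so the warm path never shows UI.
        WebTokenRequestResult result = account != null
            ? await WebAuthenticationCoreManager.GetTokenSilentlyAsync(request, account)
            : await WebAuthenticationCoreManager.RequestTokenAsync(request);

        if (result.ResponseStatus == WebTokenRequestStatus.UserInteractionRequired)
        {
            // Silent path needs consent or re-authentication: fall back to the interactive UI.
            result = await WebAuthenticationCoreManager.RequestTokenAsync(request, account);
        }

        switch (result.ResponseStatus)
        {
            case WebTokenRequestStatus.Success:
                return result.ResponseData[0];            // Token and WebAccount to cache as a hint
            case WebTokenRequestStatus.UserCancel:
            case WebTokenRequestStatus.AccountProviderNotAvailable:
                return null;
            case WebTokenRequestStatus.ProviderError:
                throw new Exception(
                    $"Provider error 0x{result.ResponseError.ErrorCode:X}: {result.ResponseError.ErrorMessage}");
            default:
                return null;                              // e.g. AccountSwitch: caller re-requests
        }
    }
}
```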
Web Account Manager vs ADAL*
- If your app targets Windows 10, use Web Account Manager
- If your app targets other versions or platforms, use ADAL
- Existing apps built using ADAL will continue to work
* ADAL = Active Directory Authentication Library
Related sessions:
- 2-769: Develop Modern Native Application with Azure Active Directory
- 3-767: Building Universal Windows Apps with Office 365 APIs
Web Account Manager flow with a custom provider (diagram)
Components: App, Web Account Manager, Contoso Web Account Provider (your custom Web Account Provider!), Identity/Service Provider, Browser (Browser SSO)
1. RequestTokenAsync
2. Token request
3. Authenticate
4. Token
5. Request result
6. RequestResult
Web Account Provider – Why?
- You are already an Identity Provider
- You provide services to a suite of apps and websites
- Off-the-shelf providers do not meet your custom needs
Writing a Web Account Provider
- Register as a WebAccountProvider
- Handle Activation Kinds
- Manage account lifecycle
Related sessions:
- 2-639: Microsoft Passport and Windows Hello: Moving Beyond Passwords and Credential Theft
- 3-765: App-to-App Communication: Building a Web of Apps
Web Account Manager
- Native support for AAD auth in Windows
- One consistent way of authentication
- Rich 3rd party integration support
- Together, let's deliver a great end-user experience!
Resources
- Web Account Manager App APIs
- WebAccountProvider APIs
- SDK samples
Other relevant sessions:
- 3-767: Building Universal Windows Apps with Office 365 APIs
- 2-769: Develop Modern Native Application with Azure Active Directory
- 2-639: Microsoft Passport and Windows Hello
- 3-765: App-to-App Communication: Building a Web of Apps
- 3-654: Managing Mobile Devices and Applications in an Enterprise
Register as a WebAccountProvider
Update your app's manifest:
<uap:Extension Category="windows.webAccountProvider">
  <!-- Url defines the Plugin ID. -->
  <!-- BackgroundEntryPoint defines the Plugin's interface for the background. -->
  <uap:WebAccountProvider Url="https://www.contoso.com"
                          BackgroundEntryPoint="WebAccountProvider.BackgroundHandler"/>
</uap:Extension>
Handle Activation Kinds (with UI)
void OnWebAccountProvider(WebAccountProviderActivatedEventArgs args)
{
    // Get the base operation from the activated event args
    IWebAccountProviderOperation baseOperation = args.Operation;

    // Depending on the kind of operation, cast the base operation to the specific
    // operation and navigate to the page that handles it. Each case has its own block
    // so the 'operation' locals do not collide in the shared switch scope.
    switch (baseOperation.Kind)
    {
        case WebAccountProviderOperationKind.RequestToken:
        {
            var operation = baseOperation as WebAccountProviderRequestTokenOperation;
            rootFrame.Navigate(typeof(RequestTokenPage), operation);
            break;
        }
        case WebAccountProviderOperationKind.AddAccount:
        {
            var operation = baseOperation as WebAccountProviderAddAccountOperation;
            rootFrame.Navigate(typeof(AddAccountPage), operation);
            break;
        }
        case WebAccountProviderOperationKind.ManageAccount:
        {
            var operation = baseOperation as WebAccountProviderManageAccountOperation;
            rootFrame.Navigate(typeof(ManageAccountPage), operation);
            break;
        }
        default:
            base.OnActivated(args);
            break;
    }
}
Handle Activation Kinds (No UI)
switch (baseOperation.Kind)
{
    case WebAccountProviderOperationKind.GetTokenSilently:
    {
        var operation = baseOperation as WebAccountProviderGetTokenSilentOperation;
        HandleGetTokenSilently(operation);
        break;
    }
    case WebAccountProviderOperationKind.RetrieveCookies:
    {
        var operation = baseOperation as WebAccountProviderRetrieveCookiesOperation;
        HandleRetrieveCookies(operation);
        break;
    }
    default:
        // Any other kind is an error for the background (no UI) entry point
        break;
}
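An added C# example, not from the deck, of the background entry point the manifest names, showing the GetTokenSilently path end to end: the provider checks which package is asking before minting anything, and reports UserInteractionRequired rather than showing UI from the background. The allowed-caller table and MintToken are placeholders for a real provider's registration store and token service.

```csharp
using System;
using System.Collections.Generic;
using Windows.ApplicationModel.Background;
using Windows.Security.Authentication.Web.Core;
using Windows.Security.Authentication.Web.Provider;
using Windows.Security.Credentials;

// Assumed: this is the WebAccountProvider.BackgroundHandler class from the manifest.
public sealed class BackgroundHandler : IBackgroundTask
{
    // Constructed allow-list of calling package family name -> client id it may use.
    static readonly Dictionary<string, string> AllowedCallers = new Dictionary<string, string>
    {
        { "Contoso.Mail_8wekyb3d8bbwe", "contoso-mail-client-id" },   // placeholder values
    };

    public void Run(IBackgroundTaskInstance taskInstance)
    {
        var details = taskInstance.TriggerDetails as WebAccountProviderTriggerDetails;
        var op = details?.Operation as WebAccountProviderGetTokenSilentOperation;
        if (op != null)
            HandleGetTokenSilently(op);   // RetrieveCookies would be dispatched the same way
    }

    static void HandleGetTokenSilently(WebAccountProviderGetTokenSilentOperation op)
    {
        WebProviderTokenRequest req = op.ProviderRequest;

        // WAM tells the provider which package asked: refuse unknown callers or a client id
        // that does not belong to that package before any token is issued.
        string expectedClientId;
        if (!AllowedCallers.TryGetValue(req.ApplicationPackageFamilyName, out expectedClientId)
            || expectedClientId != req.ClientRequest.ClientId)
        {
            op.ReportError(new WebProviderError(0x80070005, "Calling app is not authorized")); // E_ACCESSDENIED
            return;
        }

        // A silent request must not show UI: with no connected account to refresh from, hand
        // control back to WAM, which retries through the RequestToken (UI) path.
        if (req.WebAccounts.Count == 0 || req.WebAccounts[0].State != WebAccountState.Connected)
        {
            op.ReportUserInteractionRequired();
            return;
        }

        WebAccount account = req.WebAccounts[0];
        string token = MintToken(account, req.ClientRequest.Scope);
        op.ProviderResponses.Add(new WebProviderTokenResponse(new WebTokenResponse(token, account)));
        op.ReportCompleted();
    }

    // Placeholder: a real provider exchanges the account's stored credential for an access token.
    static string MintToken(WebAccount account, string scope) => $"placeholder-token:{account.UserName}:{scope}";
}
```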