Deep Dive into Cloud Identity, Identity Bridging and Cloud Tokens - EWUG.DK - Level 200-300 Peter Selch Dahl - Sr. IT Architect, Cloud and IT Infrastructure
Empowering users: enable your users (a people-centric approach), protect your data and unify your environment across users, devices, apps, data and IT.
Identity as the control plane: simple connection, self-service and single sign-on (username and password). Other directories and on-premises Windows Server Active Directory connect to Microsoft Azure Active Directory in the cloud, which in turn fronts SaaS apps, Azure, Office 365 and the public cloud.
What is Azure Active Directory? A comprehensive identity and access management cloud solution. It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers. It is available in three editions: Free, Basic and Premium.
What is Azure Active Directory? Your directory in the cloud. Centrally managed identities and access. Monitor and protect access to cloud applications. Empower users. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Your directory in the cloud: connect and sync on-premises directories with Azure. Azure Active Directory Connect bridges other directories to Microsoft Azure Active Directory via PowerShell, LDAP v3, SQL (ODBC) and web services (SOAP, Java, REST).
Your directory in the cloud: connect and sync on-premises directories with Azure. 2400+ pre-integrated popular SaaS apps sit alongside other directories behind Microsoft Azure Active Directory.
Your directory in the cloud: connect and sync on-premises directories with Azure. 2500+ pre-integrated popular SaaS apps. Web apps are published through Azure Active Directory Application Proxy, so on-prem web apps are easily exposed via Application Proxy, plus custom apps integrated through a rich standards-based platform. Identities and applications in one place.
Centrally managed identities and access: a comprehensive identity and access management console for the IT professional. Centralized access administration for pre-integrated SaaS apps and other cloud-based apps. Secure business processes with advanced access management capabilities. Your cloud apps are ready when you are.
Rich standards-based platform for developers: custom LOB applications can integrate with Azure Active Directory. Sign in to Active Directory-integrated applications with cloud identities. Active Directory-integrated applications can access Office 365 and other web APIs. Applications can extend the Azure Active Directory schema. Cross-platform support (iOS, Android, and Windows). Open standards (SAML, OAuth 2.0, OpenID Connect, OData 3.0). Azure Active Directory exposes OAuth2 and OpenID Connect, SAML, WS-Federation, a REST-based Graph API and SCIM.
Now the stage is set - Let’s get started November 10, 2018 @EWUGDK
Agenda: identity needs of today’s apps; Azure Active Directory; scenarios and how they work; special guest; protocols, libraries, and resources.
What I will be talking about…. November 10, 2018 @EWUGDK
Azure AD Authentication Library November 10, 2018 @EWUGDK
Introducing MSAL (Microsoft Authentication Library) https://blogs.technet.microsoft.com/ad/2016/03/31/microsoft-identity-at-build-2016/ https://blogs.technet.microsoft.com/ad/2015/08/12/now-in-public-preview-the-converged-microsoft-account-and-azure-active-directory-programming-model/ https://blogs.technet.microsoft.com/ad/2016/02/23/for-developers-the-first-use-cases-of-the-converged-microsoft-account-and-azure-active-directory-programming-model-are-now-ga/ November 10, 2018 @EWUGDK
We expose hard choices to developers BOTH Azure MSA AAD Office
We expose hard choices to end-users outlook.office.com outlook.com ??? ???
MSAL: Putting it together with the applications November 10, 2018 @EWUGDK
Registering an application: an organization (e.g. Contoso) has an Azure AD tenant. Azure AD will only issue tokens to an application registered in the tenant. How does an application get registered in a tenant?
Two cases. Single-tenant application: an app for users in a single organization; an admin or user registers the app in the directory tenant; sign in at https://login.windows.net/contoso.com/<protocol>. Multi-tenant application: an app for users in multiple organizations; an admin or user registers the app in the developer’s directory tenant and the admin configures the application to be multi-tenant; sign in at https://login.windows.net/common/<protocol>; the user is prompted to consent based on the permissions required by the application, and that consent registers the application in the user’s tenant.
Consent: users can consent only to apps that access personal information. Admins must consent to apps that require broader permissions, and admins can consent on behalf of all users in an organization.
Microsoft Graph API: Azure AD behind the scenes November 10, 2018 @EWUGDK
Microsoft Graph API: Azure AD behind the scenes https://azure.microsoft.com/da-dk/documentation/articles/active-directory-graph-api-quickstart/ https://graph.microsoft.io/en-us/changelog# November 10, 2018 @EWUGDK
Microsoft Graph API: Azure AD behind the scenes Getting Azure AD devices using Graph: https://graph.microsoft.com/beta/devices Getting Azure AD information - Behind the scenes… https://graph.microsoft.io/en-us/docs/api-reference/beta/resources/directoryobject November 10, 2018 @EWUGDK
Microsoft Identity: Bridging the GAP November 10, 2018 @EWUGDK
Microsoft Identity: Bridging the GAP. On the cloud side, username and password to Microsoft Azure Active Directory yield a Primary Refresh Token (PRT), which is used for Office 365, Intune, OneDrive and Dynamics. On the on-premises side, username and password to Windows Server Active Directory yield a TGT, which is used to obtain Kerberos tickets.
Microsoft Identity: Bridging the GAP. Once bridged, the PRT is exchanged for SSO tokens to Office 365, Intune, OneDrive and Dynamics, while the TGT from Windows Server Active Directory is exchanged for Kerberos tickets, so one logon covers both worlds.
AzureAD: Primary Refresh Tokens November 10, 2018 @EWUGDK
Step 1: Dave, on Windows 10, authenticates to Microsoft Azure Active Directory as part of the logon process.
Step 2: Azure AD returns a Primary Refresh Token (PRT), which Windows 10 caches.
Step 3: Windows 10 to Azure AD: “Here is my PRT, can I please have an SSO token for Office 365?”
Step 4: Azure AD to Windows 10: “Your PRT checks out, so here is the SSO token you asked for.”
Step 5: Windows 10 to Office 365: “Here is my Office 365 SSO token, give me access please.”
What’s in a token? (in brief)
Claim: Tenant ID. Example: 81aabdd2-3682-48fd-9efa-2cb2fcea8557. Intended purpose: immutable tenant identifier.
Claim: Name. Example: Peter.dahl@proactive.dk. Intended purpose: display only.
Claim: First name. Example: Peter.
Claim: Last name. Example: Dahl.
Claim: Object ID. Example: b3809430-6c28-4e43-870d-fa7d38636dcd. Intended purpose: immutable security identifier.
The token also contains group information.
Azure AD token signing key: tokens for all tenants are signed by the same key. Keys are published via metadata at https://login.windows.net/common/.well-known/openid-configuration. Keys roll on a periodic basis, so your app must handle periodically refreshing keys from metadata and handling multiple keys at once. Our samples and libraries do this automatically.
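An added example, not from the slides and not Microsoft’s library code, showing how a relying party applies the two slides above: keys are looked up by kid, an unknown kid triggers a metadata refresh (key roll), and only the immutable tid and oid claims are returned for authorization. Assumptions: the metadata fetch is a constructed in-memory key set, and HMAC-SHA256 stands in for Azure AD’s RSA signatures so the block runs offline with the standard library only.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed stand-in for the key set published via the OpenID metadata endpoint;
# during a key roll the outgoing and incoming keys are both live at once.
PUBLISHED_KEYS = {"kid-old": b"constructed-old-secret", "kid-new": b"constructed-new-secret"}

class KeyCache:
    """Caches signing keys from metadata; re-fetches on an unknown kid or after ttl seconds."""
    def __init__(self, fetch, ttl=3600):
        self.fetch, self.ttl, self.keys, self.fetched_at, self.refreshes = fetch, ttl, {}, 0.0, 0
    def get(self, kid, now):
        if kid not in self.keys or now - self.fetched_at > self.ttl:
            self.keys, self.fetched_at, self.refreshes = dict(self.fetch()), now, self.refreshes + 1
        return self.keys.get(kid)

def sign_token(claims, kid, key):
    """Mint a test token (constructed). HS256 stands in for Azure AD's RS256."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    body = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    return body + "." + b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())

def validate_token(token, cache, tenant_id, audience, now):
    """Return the immutable (tid, oid) pair on success; raise ValueError on any failure."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)
    except Exception as e:
        raise ValueError("malformed token") from e
    if header.get("alg") != "HS256":           # pin the algorithm; never trust 'none'
        raise ValueError("unexpected alg")
    key = cache.get(header.get("kid"), now)    # unknown kid triggers a metadata refresh
    if key is None:
        raise ValueError("unknown signing key")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    if claims.get("tid") != tenant_id:         # tid is the immutable tenant identifier
        raise ValueError("wrong tenant")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # oid is the immutable security identifier; name is display-only, never an authz key
    return claims["tid"], claims["oid"]
```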
AzureAD: Tokens. Kerberos maximum lifetime for service ticket: 10 hours before the user must fetch a new ticket from the domain controller internally (validation): https://technet.microsoft.com/en-us/library/cc775748(v=ws.10).aspx Session timeouts for Office 365: https://support.office.com/en-US/article/Session-timeouts-for-Office-365-37a5c116-5b07-4f70-8333-5b86fd2c3c40?ui=en-US&rs=en-US&ad=US Modern Authentication: at some point we also need to talk about “Modern Authentication” with you, but I do not think the time is ripe for that yet: https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/. It is closely tied to EMS (Conditional Access). “Modern Authentication”: http://www.cloudidentity.com/blog/2015/03/20/azure-ad-token-lifetime/ Basic Authentication ADFS token: 8 hours (that is the Microsoft default). November 10, 2018 @EWUGDK
Questions and Answers Thanks
AzureAD: Azure Association November 10, 2018 @EWUGDK