GRDevDay March 21, 2015 Cloud-based Identity for Applications
About Me
Solutions Architect
Trainer
Hockey fan
Hackathon 2015
Agenda
Identity Concepts
Cloud-based Identity Management
Authentication and Authorization
Identity Concepts
Glossary
App: Application designed to read/write data from a remote system
Authentication: Identify the current principal
Authorization: Verify the principal has the proper permission for an operation
Cloud App: App hosted on servers off-premises
JSON: JavaScript Object Notation
Glossary (continued)
JWT: JSON Web Token
OAuth: Open Authentication standard
Principal: User or App performing an operation
SAML: Security Assertion Markup Language (XML)
Token: Encoded, signed data representing principal and/or app
Security Principals
Users
Groups
“Service Accounts”
Application
Authentication & Authorization
What is Authentication (AuthN)? The process of verifying a principal’s identity.
What is Authorization (AuthZ)? Determines which resources the principal can access.
AuthN/AuthZ Roles (Legacy)
Common Authentication methods
Integrated Windows NT Authentication
Forms-Based Authentication
.NET Membership
ASP.NET Identity
Claims-based Authentication
Anonymous
Authenticating Users in the cloud
Integrated NT not usually possible
  Unless running a managed cloud
FBA requires management interface creation
  Is your code secure? Your password storage container?
Claims-based is the current standard
  Multiple formats, but same concepts
Anonymous
  Well…
Authenticating Apps
Server to Server (S2S) Trust
  Uses server certificates, just like SSL
App ID & Password
  Also called Client Secret
Trust Broker (Claims)
  Service and App trust the same 3rd party
Claims in real life
Form I-9
Purchasing Alcohol
Login with Facebook
Cloud-Based Identity Management
On-premises directory in DMZ
  High-Risk
Cloud Directory
  Azure AD
  Minimal control over password policy/requirements
Federated Identity
  Used by SaaS
  Azure AD “relies on” on-premises directory
  Full control over authentication
    Password policy
    Logon policy (device, time of day, etc.)
Cloud-Based Identity Management
Maintain principals in cloud UI
Synchronize from on-premises
  Azure AD Roadmap
  Azure AD Connect
    Based on FIM
Auth Protocols & Code Libraries
Authenticating Users
Externalize authentication
  No more ASP.NET Membership
Authentication delegated to an Identity Provider (IdP)
IdP issues a token that contains claims
Claims are used in authorization decisions
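The token-then-claims pattern described on this slide (and the JWT entry in the glossary), as an added example that is not code from the deck or from any library it names (WIF, ADAL): a stand-in IdP issues a minimal HS256 JSON Web Token, the relying app checks signature, algorithm, issuer, audience and expiry, and only then makes an authorization decision from the verified claims. The issuer URL, audience, shared HMAC key and role names are constructed for the demo; Azure AD signs with asymmetric keys published in metadata, but the checks a relying app must make before trusting a claim are the same.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values. A real IdP such as Azure AD publishes asymmetric
# signing keys; issuer and audience come from the tenant and app registration.
IDP_SIGNING_KEY = b"demo-shared-hmac-key-not-for-production"
EXPECTED_ISSUER = "https://idp.example.test/"
EXPECTED_AUDIENCE = "api://payroll-demo-app"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as the JWT format requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = IDP_SIGNING_KEY) -> str:
    """IdP side: serialize the claims and sign header.payload with HMAC-SHA256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def validate_token(token: str, key: bytes = IDP_SIGNING_KEY,
                   now: Optional[float] = None) -> dict:
    """Relying-app side: every check that must pass before any claim is trusted.

    Returns the verified claims, or raises ValueError naming the failed check.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the app expects; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token not issued for this app")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def authorize(claims: dict, operation: str) -> bool:
    """Authorization decision driven only by verified claims.
    The role names are constructed for the demo."""
    required_role = {"read_salary": "Payroll.Read", "update_salary": "Payroll.Write"}
    return required_role.get(operation) in claims.get("roles", [])


if __name__ == "__main__":
    token = issue_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                         "sub": "alice@contoso.example", "roles": ["Payroll.Read"],
                         "exp": int(time.time()) + 600})
    verified = validate_token(token)
    print(verified["sub"], "read:", authorize(verified, "read_salary"),
          "update:", authorize(verified, "update_salary"))
```

The order of checks matters: the signature is verified before any claim in the payload is read, so issuer, audience and expiry are only ever compared against values the IdP actually signed.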
Authenticating Users - Protocols
WS-FED
  SAML format (Security Assertion Markup Language)
  Providers: Azure Access Control Services, Active Directory Federation Services (AD FS)
OpenID Connect
  JWT format
  Providers: Azure Active Directory (Azure AD), Social Networks
Authenticating Users – Libraries
WS-FED / SAML
  Windows Identity Foundation (WIF)
  System.IdentityModel & System.Security.Claims namespaces (.NET 4.5)
  Identity & Access Control tooling in VS2012
OpenID Connect
  ADAL (Active Directory Authentication Library)
  Builds on top of WIF
  Both managed and JavaScript libraries
  VS tooling is a bit behind
Authenticating Apps
OAuth2
Standard for programs accessing remote systems
What is OAuth 2.0?
Simple mechanism to grant a third party access to a user’s resources without sharing the user’s password.
Cross-platform app authorization
Internet standard supported by Azure, Facebook, Google, Twitter, and more
OAuth 2.0 Actors
Client: application requesting access to a user’s resources
Resource Owner: the user who can grant rights to the application
Resource Server: the server hosting the protected resources and exposing a web-based API
Authorization Server: server issuing tokens
OAuth 2.0 Actors in Office 365
Client: SharePoint app, Azure web application, Windows 8 app
Resource Owner: individual or administrator with an Organizational Account in Azure Active Directory
Resource Server: SharePoint, Exchange
Authorization Server: Azure Access Control Services
Application Principals
Client ID is used to uniquely identify applications
Client Secret is used to authenticate token requests
OAuth 2.0 Tokens
Context Token: Information about the Resource Owner and Client that can be used to get an Access Token later.
Refresh Token: A token used to get an Access Token from the Authorization Server.
Access Token: A token passed to the Resource Server authorizing the Client to access resources.
Authorization Code: A code that can be used to register an app on-the-fly.
Bearer Tokens
OAuth 2.0 Access Tokens are unbound tokens (a.k.a. “Bearer Tokens”)
An Access Token can be used by any application that possesses it
Always use SSL – OAuth design depends on it!
Never expose tokens in JavaScript or allow them to be accessed by client-side debugging tools
If an Access Token is compromised, damage is limited by expiration
If a Refresh Token is compromised, damage is limited because the Client ID and Client Secret are required to get an Access Token from a Refresh Token
OAuth 2.0 Flow – Office 365 APIs
Actors: End User (Resource Owner), Azure Active Directory (Authorization Server), Azure Web Site (Client), SharePoint Online (Resource Server)
1. User accesses Web application
2. Redirected to AAD
3. Consent dialog displayed
4. Grant access using Consent Dialog
5. Auth Code returned and user redirected
6. Auth Code, App Id, App Secret sent
7. Access and Refresh Tokens returned
8. Access Token presented along with request
9. Response returned
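The nine steps above run end to end in one process, as an added example that is not code from the deck or from the Office 365 APIs. Stand-ins for Azure AD (authorization server), the Azure Web Site (client) and SharePoint Online (resource server) exchange an authorization code plus client id and secret for access and refresh tokens, and the resource server accepts the bearer token. The two properties from the Bearer Tokens slide are visible in the code: expiry bounds what a leaked access token can do, and a refresh token cannot be redeemed without the client secret. Client id, secret, redirect URI, user and scope names are constructed for the demo, and the resource server's table lookup stands in for validating a signed JWT.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed demo values; real ones come from the app registration in Azure AD.
CLIENT_ID = "azure-web-site-demo"
CLIENT_SECRET = "demo-client-secret-not-real"
REDIRECT_URI = "https://webapp.example.test/callback"
ACCESS_TOKEN_LIFETIME = 3600  # seconds; bounds the damage from a leaked access token


@dataclass
class AuthorizationServer:
    """Plays Azure AD: shows consent, issues a code, exchanges codes and refresh tokens."""
    clients: dict = field(default_factory=lambda: {CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)})
    codes: dict = field(default_factory=dict)           # code -> (client_id, user, scope)
    access_tokens: dict = field(default_factory=dict)   # token -> (user, scope, expires_at)
    refresh_tokens: dict = field(default_factory=dict)  # token -> (client_id, user, scope)

    def authorize(self, client_id, redirect_uri, user, scope, consent_given):
        """Steps 2-5: browser arrives, consent dialog, auth code sent back via redirect."""
        if self.clients.get(client_id, (None, None))[1] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        if not consent_given:
            raise PermissionError("access_denied")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, user, scope)
        return code

    def _authenticate_client(self, client_id, client_secret):
        expected = self.clients.get(client_id, (None, None))[0]
        if expected is None or not secrets.compare_digest(expected, client_secret):
            raise PermissionError("invalid_client")

    def token_from_code(self, code, client_id, client_secret, now=None):
        """Steps 6-7: code + client id + client secret -> access and refresh tokens."""
        self._authenticate_client(client_id, client_secret)
        entry = self.codes.pop(code, None)  # single use: a replayed code fails
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid_grant")
        return self._mint(*entry, now)

    def token_from_refresh(self, refresh_token, client_id, client_secret, now=None):
        """A refresh token alone is useless: the client must prove its identity again."""
        self._authenticate_client(client_id, client_secret)
        entry = self.refresh_tokens.get(refresh_token)
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid_grant")
        return self._mint(*entry, now)

    def _mint(self, client_id, user, scope, now):
        now = time.time() if now is None else now
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[access] = (user, scope, now + ACCESS_TOKEN_LIFETIME)
        self.refresh_tokens[refresh] = (client_id, user, scope)
        return {"token_type": "Bearer", "access_token": access,
                "refresh_token": refresh, "expires_in": ACCESS_TOKEN_LIFETIME}


@dataclass
class ResourceServer:
    """Plays SharePoint Online. Simulation only: the token is looked up in the
    authorization server's table; a real resource server validates a signed JWT."""
    authz: AuthorizationServer

    def handle(self, authorization_header, now=None):
        """Steps 8-9: bearer token accompanies the request; response returned.
        Nothing here identifies the caller: whoever holds the token gets the data."""
        now = time.time() if now is None else now
        if not authorization_header.startswith("Bearer "):
            return 401, "missing bearer token"
        entry = self.authz.access_tokens.get(authorization_header[len("Bearer "):])
        if entry is None or now >= entry[2]:
            return 401, "invalid or expired token"
        user, scope, _ = entry
        if "Sites.Read" not in scope:  # scope name constructed for the demo
            return 403, "insufficient_scope"
        return 200, f"documents visible to {user}"


def run_flow(consent_given=True, now=1_700_000_000):
    """Drive the whole sequence once; returns the actors, code, tokens and API response."""
    aad = AuthorizationServer()
    sharepoint = ResourceServer(aad)
    # Step 1: user hits the web app, which redirects to AAD (steps 2-5 happen in authorize()).
    code = aad.authorize(CLIENT_ID, REDIRECT_URI, "alice@contoso.example",
                         ["Sites.Read"], consent_given)
    tokens = aad.token_from_code(code, CLIENT_ID, CLIENT_SECRET, now)
    status, body = sharepoint.handle(f"Bearer {tokens['access_token']}", now)
    return aad, sharepoint, code, tokens, (status, body)


if __name__ == "__main__":
    _, _, _, toks, response = run_flow()
    print(response, "expires_in:", toks["expires_in"])
```

Note where the client secret is and is not checked: the authorization server demands it for every token request (steps 6 and for refresh), but the resource server never sees it, which is exactly why the access token is a bearer token and why its lifetime, not the client's identity, is what limits a leak.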
Demo
References
Azure Active Directory Documentation: us/documentation/services/active-directory/
Samples: Azure Active Directory Authentication Libraries
AAD Graph API
Documentation
Graph Explorer
Metadata
AAD Graph API Walkthrough
Initial Post: /24/walk-through-for-building-a-net-application-for-accessing-windows-azure-active-directory-graph-service.aspx
Update for new capabilities: /15/announcing-some-new-capabilities-in-azure-active-directory-graph-service.aspx
Open Web Interface for .NET (OWIN) and Katana in ASP.NET
OpenID Connect Specification
Samples
Cloud Identity in .Net: Dominick Baier, Brock Allen
Thank You! You can find me at: