GRDevDay March 21, 2015 Cloud-based Identity for Applications.

Slides:



Advertisements
Similar presentations
Office 365 Identity June 2013 Microsoft Office365 4/2/2017
Advertisements

Agenda AD to Windows Azure AD Sync Options Federation Architecture
Office 365 Identity aka Azure Active Directory
SharePoint 2010 Business Productivity: What's new for Developers in Microsoft SharePoint 2010 Matthew McDermott, MVP Aptillon, Able Blue
Clients using wide variety of devices/languages/platforms Server applications using wide variety of platforms/languages Browser Native app Server.
Cloud app Cloud app Cloud app Separate username/password sign-in Manual or semi-automated provisioning Active Directory App Separate username/password.
SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)
Fraser Technical Solutions, LLC
App development in SharePoint 2013 LIVE Introducing Cloud App Model Cloud-hosted Apps Experiences from the Field.
SPC204 Security Problems in SharePoint 2010 Authentication and Authorization.
Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Identity Management in Education. Welcome Scott Johnson, NetProf, Inc. Creator of OmnID Identity Management for Education
Solution SusQtech (Winchester, VA) SharePoint MVP since 2007 Working with SharePoint since 2001 Work on all types of deployments Dream about.
Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.
IT Unity Webinar Series September 2015 Using Azure Active Directory to Secure Your Apps.
FIspace SPT Seyhun Futaci. Technology behind FIspace Authentication and Authorization IDM service of Fispace provides SSO solution for web apps, mobile.
Module 5 Configuring Authentication. Module Overview Lesson 1: Understanding Classic SharePoint Authentication Providers Lesson 2: Understanding Federated.
SharePoint Security Fundamentals Introduction to Claims-based Security Configuring Claims-based Security Development Opportunities.
Windows 8 Application Microsoft Word with Apps For Office Internal O365 SharePoint Site Windows Azure Cloud Services Windows Azure Workflow Server.
A Lap Around Windows Azure Active Directory Stuart Kwan Lead Principal Program Manager Microsoft Corporation SIA209.
(Azure+O365) Identity Presenter Name Position or role Microsoft Azure.
Microsoft ® Official Course Module 13 Implementing Windows Azure Active Directory.
Empowering people-centric IT Unified device management Access and information protection Desktop Virtualization Hybrid Identity.
Paul Andrew. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.
Windows Server Active Directory Intranet Managed Access Managed Identities Integrated Business Apps.
101 ways to authenticate with Azure Active Directory
Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009.
Access resources in a federation partner organization.
Building consumer apps with Azure AD B2C
Adxstudio Portals Training
Securing Angular Apps Brian Noyes
Identities and Azure AD Premium
Slavko Kukrika MVP Connect Windows 10 to the Cloud – Cloud Join.
Secure Mobile Development with NetIQ Access Manager
Today’s Applications Web API Browser Native app Web API Web API
Architectural Patterns For The Cloud Brian H. Prince | Microsoft.
Agenda  Microsoft Directory Synchronization Tool  Active Directory Federation Server  ADFS Proxy  Hybrid Features – LAB.
F5 APM & Security Assertion Markup Language ‘sam-el’
Martina Grom MVP Office 365 How to (remote) control Office 365 with Azure Toni Pohl MVP Client Dev
Redmond Protocols Plugfest 2016 Ron Starr, Paul Bartos, Hagit Galatzer, Stephen Guty New and Modified Windows Protocol Documents.
11 | Managing User Info Jeremy Foster Michael Palermo
Application Authentication using Azure AD
SharePoint Authentication and Authorization
Stop Those Prying Eyes Getting to Your Data
4/18/2018 1:15 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.
Azure Active Directory - Business 2 Consumer
Introduction to Windows Azure AppFabric
Federation made simple
Solving the Identity Crisis
Automate Custom Solutions Deployment on Office 365 and Azure
Migrating SharePoint Add-ins from Azure ACS to Azure AD
SaaS Application Deep Dive
9/13/2018 4:54 PM BRK How to get Office 365 to the next level with Azure Active Directory Premium Brjann Brekkan Program Manager Lead – Customer.
Azure AD Line Of Business Application Integration
Azure AD Application Proxy
Office 365 Development July 2014.
Office 365 Identity Management
Office 365 Identity Management
Agenda OAuth Concepts Programming OAuth.
Matthew Levy Azure AD B2B vs B2C Matthew Levy
SharePoint Online Authentication Patterns
Office 365 Development.
Introduction into the Power BI REST API Jan Pieter Posthuma
Token-based Authentication
4/15/2019 1:57 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.
Microsoft Ignite NZ October 2016 SKYCITY, Auckland.
07 | Introduction to Authentication
Computer Network Information Center, Chinese Academy of Sciences
Presentation transcript:

GRDevDay March 21, 2015 Cloud-based Identity for Applications

About Me Solutions Architect Trainer Hockey fan

Hackathon 2015

Agenda Identity Concepts Cloud-based Identity Management Authentication and Authorization

Identity Concepts

Glossary App Application designed to read/write data from remote system Authentication Identify the current principal Authorization Verify principal has proper permission for operation Cloud App App hosted on servers off-premises JSON JavaScript object notation

Glossary JWT JSON Web Token OAuth Open Authentication standard Principal User or App performing an operation SAML Security Assertion Markup Language (XML) Token Encoded, signed data representing principal and/or app

Security Principals Users Groups “Service Accounts” Application

Authentication & Authorization What is Authentication (AuthN)? The process of verifying a principal’s identity. What is Authorization (AuthZ)? Determines which resources the principal can access.

AuthN/AuthZ Roles (Legacy)

Common Authentication methods Integrated Windows NT Authentication Forms-Based Authentication.NET Membership ASP.NET Identity Claims-based Authentication Anonymous

Authenticating Users in the cloud Integrated NT not usually possible Unless running a managed cloud FBA requires management interface creation Is your code secure? Your password storage container? Claims-based is current standard Multiple formats, but same concepts Anonymous Well…

Authenticating Apps Server to Server (S2S) Trust Uses server certificates Just like SSL App ID & Password Also called Client Secret Trust Broker (Claims) Service and App trust same 3 rd -party

Claims in real life Form I-9 Purchasing Alcohol Login with Facebook

Cloud-Based Identity Management On-premises directory in DMZ High-Risk Cloud Directory Azure AD Minimal control over password policy/requirements Federated Identity Used by SaaS Azure AD “relies on” on-premises directory Full control over authentication Password policy Logon policy (device, time of day, etc.)

Cloud-Based Identity Management Maintain principals in cloud UI Synchronize from on-premises Azure AD Roadmap Azure AD Connect Based on FIM

Auth Protocols & Code Libraries

Authenticating Users Externalize authentication No more ASP.NET Membership Authentication delegated to an Identity Provider (IdP) IdP issues a token that contains claims Claims are used in Authorization decisions

Authenticating Users - Protocols WS-FED SAML format (Security Assertion Markup Language) Providers Azure Access Control Services Active Directory Federation Services (AD FS) OpenID Connect JWT format Providers Azure Active Directory (Azure AD) Social Networks

Authenticating Users – Libraries WF-FED / SAML Windows Identity Foundation (WIF) System.IdentityModel & System.Security.Claims namespaces (4.5) Identity & Access Control in VS2012 OpenID Connect ADAL (Active Directory Authentication Library) Builds on top of WIF Both managed and javascript libraries VS Tooling is a bit behind

Authenticating Apps

Standard for programs accessing remote systems OAuth2

Simple mechanism to grant a third party access to a user’s resources without sharing the user’s password. Cross platform app authorization Internet Standard supported by Azure, Facebook, Google, Twitter, and more What is OAuth 2.0?

Client: application requesting access to a user’s resources Resource Owner: the user who can grant rights to the application Resource Server: the server hosting the protected resources and exposing a web- based API Authorization Server – server issuing tokens OAuth 2.0 Actors

Client: SharePoint app, Azure web application, Windows 8 app Resource Owner: individual or administrator with an Organizational Account in Azure Active Directory Resource Server: SharePoint, Exchange Authorization Server: Azure Access Control Services OAuth 2.0 Actors in Office 365

Client ID is used to uniquely identify applications Client Secret is used to authenticate token requests Application Principals

Context Token Information about the Resources Owner and Client that can be used to get an Access Token later. Refresh Token A token used to get an Access Token from the Authorization Server. Access Token A token passed to the Resource Server authorizing the Client to access resources. Authorization Code A code that can be used to register an app on-the-fly. OAuth 2.0 Tokens

OAuth 2.0 Access Tokens are unbound tokens (a.k.a, “Bearer Tokens”) An Access Token can be used by any application that possesses it Always use SSL – OAuth design depends on it! Never expose tokens in JavaScript or allow them to be accessed by client-side debugging tools If an Access Token is compromised, damage is limited by expiration If a Refresh Token is compromised, damage is limited because the Client ID and Client Secret are required to get an Access Token from a Refresh Token. Bearer Tokens

OAuth 2.0 Flow Office 365 APIs End User (Resource Owner) Azure Active Directory (Authorization Server) Azure Web Site (Client) SharePoint Online (Resource Server)

OAuth 2.0 Flow Office 365 APIs End User (Resource Owner) Azure Active Directory (Authorization Server) Azure Web Site (Client) SharePoint Online (Resource Server) User accesses Web application

OAuth 2.0 Flow Office 365 APIs End User (Resource Owner) Azure Active Directory (Authorization Server) Azure Web Site (Client) SharePoint Online (Resource Server) Redirected to AAD

OAuth 2.0 Flow Office 365 APIs End User (Resource Owner) Azure Active Directory (Authorization Server) Azure Web Site (Client) SharePoint Online (Resource Server) Consent dialog displayed

OAuth 2.0 Flow Office 365 APIs End User (Resource Owner) Azure Active Directory (Authorization Server) Azure Web Site (Client) SharePoint Online (Resource Server) Grant access using Consent Dialog

OAuth 2.0 Flow Office 365 APIs End User (Resource Owner) Azure Active Directory (Authorization Server) Azure Web Site (Client) SharePoint Online (Resource Server) Auth Code returned and user redirected

OAuth 2.0 Flow Office 365 APIs End User (Resource Owner) Azure Active Directory (Authorization Server) Azure Web Site (Client) SharePoint Online (Resource Server) Auth Code, App Id, App Secret sent

OAuth 2.0 Flow Office 365 APIs End User (Resource Owner) Azure Active Directory (Authorization Server) Azure Web Site (Client) SharePoint Online (Resource Server) Access and Refresh Tokens returned

OAuth 2.0 Flow Office 365 APIs End User (Resource Owner) Azure Active Directory (Authorization Server) Azure Web Site (Client) SharePoint Online (Resource Server) Access Token presented Along with request

OAuth 2.0 Flow Office 365 APIs End User (Resource Owner) Azure Active Directory (Authorization Server) Azure Web Site (Client) SharePoint Online (Resource Server) Response returned

Demo

References

Azure Active Directory Documentation us/documentation/services/active-directory/ us/documentation/services/active-directory/ Samples Azure Active Directory Authentication Libraries us/library/azure/dn aspx us/library/azure/dn aspx

AAD Graph API Documentation: aspx aspx Graph Explorer: Metadata: tadata tadata

AAD Graph API Walkthrough Initial Post: /24/walk-through-for-building-a-net-application-for- accessing-windows-azure-active-directory-graph- service.aspx /24/walk-through-for-building-a-net-application-for- accessing-windows-azure-active-directory-graph- service.aspx Update for new capabilities /15/announcing-some-new-capabilities-in-azure-active- directory-graph-service.aspx /15/announcing-some-new-capabilities-in-azure-active- directory-graph-service.aspx

Open Web Interface for.NET OWIN and Katana in ASP.NET

OpenID Connect Specification Samples id-connect.html nnect id-connect.html nnect

Cloud Identity in.Net Dominick Baier Brock Allen

Thank You! You can find me at:

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.