IT Unity Webinar Series September 2015 Using Azure Active Directory to Secure Your Apps.

Using Azure AD To Secure Your Apps
- Part 1: Introduction to Azure AD
- Part 2: Integrating Azure AD (now)
- Part 3: Advanced Azure AD Topics, September 30th

About Me
- SharePoint Solution Architect / Developer
- Speaker / Trainer / Mentor
- Microsoft MVP – Office 365 (previously SharePoint Server)

Part 2: Integrating Azure Active Directory (Using Azure AD to Secure Your Apps)

Agenda
- Using Azure AD to secure a web application
- Using Azure AD to secure a service
- Consuming a service secured by Azure AD
- Question and Answer

Application Types and Scenarios

Using Azure AD to secure a Web Application

Application Types and Scenarios

Secure a Web Application?
- Allow access only to certain users
- Restrict functionality to members of a role
Two concerns: Authentication and Authorization

Security Principals
- Users
- Groups
- "Service Accounts"
- Application

Authentication & Authorization
- What is Authentication (AuthN)? The process of verifying a principal's identity.
- What is Authorization (AuthZ)? Determines which resources the principal can access.

AuthN/AuthZ Roles

Common Authentication methods
- Integrated Windows (NT) Authentication
- Forms-Based Authentication
- .NET Membership
- ASP.NET Identity
- Claims-based Authentication
- Anonymous

Authenticating Users in the cloud
- Integrated NT: not usually possible, unless running a managed cloud
- FBA: requires creating a management interface. Is your code secure? Your password storage container?
- Claims-based: the current standard. Multiple formats, but the same concepts
- Anonymous: well…

Claims in real life
- Form I-9
- Purchasing alcohol
- Login with Facebook

Auth Protocols & Code Libraries

Authenticating Users
- Externalize authentication: no more ASP.NET Membership
- Authentication is delegated to an Identity Provider (IdP)
- The IdP issues a token that contains claims
- Claims are used in Authorization decisions

Authenticating Users – Protocols
- WS-FED: SAML format (Security Assertion Markup Language). Providers: Azure Access Control Services, Active Directory Federation Services (AD FS)
- OpenID Connect: JWT format. Providers: Azure Active Directory (Azure AD), social networks

Authenticating Users – Libraries
- WS-FED / SAML: Windows Identity Foundation (WIF); System.IdentityModel & System.Security.Claims namespaces (.NET 4.5); Identity & Access Control tool in VS2012; Change Authentication button on the New Project dialog (VS2013 & VS2015)
- OpenID Connect: ADAL (Active Directory Authentication Library); builds on top of WIF; both managed and JavaScript libraries; project templates in VS2015

Authentication in Azure AD

Web Browser to Web Application

Demo Configuring an ASP.NET application to authenticate to Azure AD

OpenID Connect using OWIN (VS2015)

    public void ConfigureAuth(IAppBuilder app)
    {
        // The session created after sign-in is carried by the cookie middleware
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        // Redirects unauthenticated users to Azure AD and validates the returned id_token
        // against the tenant's signing keys and issuer (clientId, authority and
        // postLogoutRedirectUri come from web.config)
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = authority,
                PostLogoutRedirectUri = postLogoutRedirectUri,
                Notifications = new OpenIdConnectAuthenticationNotifications()
                {
                    // As written this only observes a failed sign-in; the full
                    // template also calls context.HandleResponse() and redirects
                    AuthenticationFailed = (context) =>
                    {
                        return System.Threading.Tasks.Task.FromResult(0);
                    }
                }
            });

        // This makes any middleware defined above this line run before the
        // Authorization rule is applied in web.config
        app.UseStageMarker(PipelineStage.Authenticate);
    }
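An added example (my own code, not from the webinar or the Visual Studio template) showing what the "restrict functionality to members of a role" goal from the "Secure a Web Application?" slide looks like once the OWIN middleware above has signed the user in. It assumes the app's Azure AD registration defines an app role named "Admin" (a hypothetical name chosen here) and that the controller and helper names are mine; the claim type URIs are the ones the .NET JWT handler produces for Azure AD tokens.

```csharp
using System.Security.Claims;
using System.Web.Mvc;

// Claim types as the .NET JWT handler maps them from an Azure AD id_token.
static class AzureAdClaims
{
    // Immutable object id of the user in the directory: the right key for
    // storing per-user data (UPN and e-mail can be changed by an admin).
    public const string ObjectId = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    // Directory tenant the user signed in from.
    public const string TenantId = "http://schemas.microsoft.com/identity/claims/tenantid";
}

// AuthN: every action requires a signed-in session. Anonymous requests are
// redirected to Azure AD by the OpenID Connect middleware from ConfigureAuth.
[Authorize]
public class TodoController : Controller
{
    public ActionResult Index()
    {
        var user = (ClaimsPrincipal)User;
        Claim oid = user.FindFirst(AzureAdClaims.ObjectId);
        Claim tid = user.FindFirst(AzureAdClaims.TenantId);
        if (oid == null || tid == null)
        {
            // A token without these claims did not come from Azure AD as expected.
            return new HttpStatusCodeResult(403);
        }

        // Key the user's data by tenant + object id, not by display name.
        ViewBag.OwnerKey = tid.Value + ":" + oid.Value;
        return View();
    }

    // AuthZ: only members of the hypothetical "Admin" app role. Azure AD emits
    // assigned app roles in the 'roles' claim, which the JWT handler maps to
    // ClaimTypes.Role, so the standard Roles filter works without custom code.
    [Authorize(Roles = "Admin")]
    public ActionResult Purge()
    {
        TempData["Message"] = "Purge requested by " +
            ((ClaimsPrincipal)User).FindFirst(AzureAdClaims.ObjectId).Value;
        return RedirectToAction("Index");
    }
}
```

A user who is signed in but not in the role gets a 401 from the MVC filter, which the middleware turns into another sign-in redirect; if you prefer an explicit "forbidden" page, handle that case in a custom AuthorizeAttribute.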

WS-FED using WIF (VS2013)

    public static void ConfigureIdentity()
    {
        RefreshValidationSettings();
        Realm = ConfigurationManager.AppSettings["ida:realm"];
        AudienceUri = ConfigurationManager.AppSettings["ida:AudienceUri"];
        if (!String.IsNullOrEmpty(AudienceUri))
        {
            UpdateAudienceUri();
        }
    }

    public static void RefreshValidationSettings()
    {
        // Location of the tenant's federation metadata (signing keys and issuer)
        string metadataLocation = ConfigurationManager.AppSettings["ida:FederationMetadataLocation"];
        // ... (remainder of the method not captured on the slide)
    }

    public static void UpdateAudienceUri()
    {
        // Registers AudienceUri with WIF's audience restriction if it is not already allowed
        int count = FederatedAuthentication.FederationConfiguration
        // ... (remainder of the method not captured on the slide)
    }

Using Azure AD to Secure a Service

Application Types and Scenarios

Web Application to WebAPI

Demo Configuring a WebAPI project to authenticate to Azure AD

Azure AD issued Bearer Tokens

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                // Must match the App ID URI of the Web API's registration; tokens
                // whose 'aud' claim differs are rejected before any controller runs
                Audience = ConfigurationManager.AppSettings["ida:Audience"],
                // Tenant whose signing keys and issuer the middleware trusts
                Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
            });
    }
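The bearer middleware above answers "is this a valid Azure AD token for my API?"; it does not decide what the caller may do. As an added example (my code, not from the webinar's Web API project), here is a Web API 2 authorization filter that checks the permission carried in the token: a delegated scope in the 'scp' claim for tokens obtained on behalf of a user, or an application role in the 'roles' claim for app-only tokens such as the client-credentials token used later in this session. "user_impersonation" is the delegated scope Azure AD creates by default for a Web API registration; the app role name "Todo.Read.All" and all class and method names are hypothetical.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Passes if the token carries the required delegated scope OR the required app role.
// Signature, expiry, audience and issuer were already verified by the bearer middleware.
public class RequirePermissionAttribute : AuthorizationFilterAttribute
{
    // Claim type the .NET JWT handler uses for the token's 'scp' claim
    private const string ScopeClaim = "http://schemas.microsoft.com/identity/claims/scope";

    public string Scope { get; set; }    // delegated permission (user present)
    public string AppRole { get; set; }  // application permission (app-only token)

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.Unauthorized, "Bearer token missing or invalid.");
            return;
        }

        // 'scp' is a space-delimited list, e.g. "user_impersonation Todo.Read".
        // App-only tokens carry no 'scp' claim at all, so they must match via AppRole.
        Claim scopeClaim = principal.FindFirst(ScopeClaim);
        bool hasScope = Scope != null && scopeClaim != null &&
            scopeClaim.Value.Split(' ').Contains(Scope, StringComparer.Ordinal);

        // 'roles' is mapped to ClaimTypes.Role, which IsInRole consults.
        bool hasRole = AppRole != null && principal.IsInRole(AppRole);

        if (!hasScope && !hasRole)
        {
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Token does not grant access to this operation.");
        }
    }
}

[Authorize]
public class TodoListController : ApiController
{
    // Callable with a user token that has the default scope, or by an app
    // that was granted the hypothetical "Todo.Read.All" application permission.
    [RequirePermission(Scope = "user_impersonation", AppRole = "Todo.Read.All")]
    public IHttpActionResult Get(string ownerid)
    {
        return Ok(new[] { "constructed sample item for " + ownerid });
    }
}
```

Keeping the permission check in a filter rather than inside each action means a new action cannot be exposed to every valid token by accident; an action with only [Authorize] still accepts any token whose audience is this API.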

Consuming a Service Secured by Azure AD

OAuth2 – App Identity

    // Authority = https://login.microsoftonline.com/{tenant}; clientId and appKey
    // identify this application (not a user) to Azure AD
    private static AuthenticationContext authContext = new AuthenticationContext(authority);
    private static ClientCredential clientCredential = new ClientCredential(clientId, appKey);

    // Wrapper method added so the awaited call below compiles
    private static async Task<HttpResponseMessage> GetTodoListAsync(string ownerId)
    {
        // ADAL includes an in memory cache, so this call will only send
        // a message to the server if the cached token is expired.
        AuthenticationResult result = authContext.AcquireToken(todoListResourceId, clientCredential);

        HttpClient client = new HttpClient();
        // ownerId is placed in the query string as-is here; URL-encode it in real code
        HttpRequestMessage request = new HttpRequestMessage(
            HttpMethod.Get, todoListBaseAddress + "/api/todolist?ownerid=" + ownerId);

        // The access token is sent as an OAuth2 bearer token; the Web API's
        // bearer middleware validates it against the configured Audience and Tenant
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        HttpResponseMessage response = await client.SendAsync(request);
        return response;
    }
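An added example (my own code, not the webinar's sample) that packages the client-credential call above into a DelegatingHandler, so every request from one HttpClient gets a token from ADAL's cache and a rejected token is refreshed once instead of failing the call. It assumes ADAL for .NET 2.x or later, where AcquireTokenAsync and TokenCache.Clear exist; the class name and the constructor parameters are mine, and the authority, client id, app key and resource id are the same settings the slide's snippet reads from configuration.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Attaches an app-identity bearer token to each outgoing request and, if the
// service answers 401, discards the cached token and retries exactly once.
public class AzureAdAppTokenHandler : DelegatingHandler
{
    private readonly AuthenticationContext authContext;
    private readonly ClientCredential clientCredential;
    private readonly string resourceId;

    public AzureAdAppTokenHandler(string authority, string clientId, string appKey, string resourceId)
        : base(new HttpClientHandler())
    {
        // appKey is the app's secret: load it from configuration, never embed it in code
        this.authContext = new AuthenticationContext(authority);
        this.clientCredential = new ClientCredential(clientId, appKey);
        this.resourceId = resourceId;
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        HttpResponseMessage response = await SendWithTokenAsync(request, cancellationToken);

        // A 401 after a successful token acquisition usually means the cached
        // token is no longer accepted (expired early, revoked, key rolled).
        // Only bodiless requests are retried: a request body can be consumed
        // by the first send and cannot be replayed safely.
        if (response.StatusCode == HttpStatusCode.Unauthorized && request.Content == null)
        {
            authContext.TokenCache.Clear();
            response = await SendWithTokenAsync(request, cancellationToken);
        }
        return response;
    }

    private async Task<HttpResponseMessage> SendWithTokenAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Served from ADAL's in-memory cache until the token nears expiry
        AuthenticationResult result = await authContext.AcquireTokenAsync(resourceId, clientCredential);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        return await base.SendAsync(request, cancellationToken);
    }

    // Convenience factory: one HttpClient per resource, reused for the process lifetime
    public static HttpClient CreateClient(string authority, string clientId, string appKey,
                                          string resourceId, string baseAddress)
    {
        return new HttpClient(new AzureAdAppTokenHandler(authority, clientId, appKey, resourceId))
        {
            BaseAddress = new Uri(baseAddress)
        };
    }
}

// Usage (same settings as the slide's snippet):
//   HttpClient client = AzureAdAppTokenHandler.CreateClient(
//       authority, clientId, appKey, todoListResourceId, todoListBaseAddress);
//   HttpResponseMessage response = await client.GetAsync(
//       "/api/todolist?ownerid=" + Uri.EscapeDataString(ownerId));
```

Because the handler owns the AuthenticationContext, its token cache is shared by every request through that HttpClient, which is what keeps the daemon from calling Azure AD on each API request.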

Resources

Resources – Notables
- Cloud Identity Blog – Vittorio Bertocci
- Dominick Baier
- Brock Allen

Resources – Azure AD
- Azure Active Directory developer's guide
- Authentication Scenarios for Azure AD (authentication-scenarios/)
- Azure Active Directory Authentication Libraries (authentication-libraries/)
- Azure Active Directory Code Samples (code-samples/)

Resources – updates to the app model
- Now in public preview: The Converged Microsoft Account and Azure Active Directory Programming Model (account-preview-sign-in-personal-and-work-accounts-using-a-single-stack.aspx)
- Working with the converged Azure AD v2 app model – Rich DiZerega (working-with-the-converged-azure-ad-v2-app-model.aspx)
