
A quick guide to modern authentication protocols


1 A quick guide to modern authentication protocols
THR3088, 6/11/2018 6:25 AM
John Craddock, Identity and security architect, XTSeminars Ltd, @john_Craddock
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 What’s in this session
Setting the scene with Kerberos authentication
Today’s identity challenges
Federation
OpenID Connect and OAuth 2.0

3 Kerberos
Diagram: a client, the KDC service (AD), a server running application A and a server running application B. Flow:
1. Client accesses application A; not authenticated, "I speak Kerberos"
2. If necessary, the client does Kerberos authentication to AD
3. Client requests a Kerberos session ticket (ST) to application A
4. KDC returns the Kerberos session ticket (ST)
5. Client accesses application A with the ST; the ST is accepted as proof of identity
6. Application A requests a Kerberos session ticket with the user’s identity to application B
7. KDC returns the Kerberos session ticket (ST)
8. Application A accesses application B with the ST; the ST is accepted as proof of delegated identity

4 Kerberos implementation in AD, the facts
Regardless of the service being accessed, session tickets (ST) issued with a particular user’s identity all contain the same identity information
The ST contains the identity of the user and group memberships
There is no way to control the ticket’s contents on a per-service basis
When delegation is enabled from server X to server Y, a user does not have the opportunity to consent to server X using their identity
The ST is encrypted with a symmetric key shared between the AD and the service
Kerberos only works within your security realm

5 Today’s Challenge: Anywhere, anyone and anything
Federation joins it all together
Diagram: users, partner organizations, customers and devices ("anything"), each with a user identity from their own organization, a partner organization, a 3rd party enterprise identity provider or a social identity provider, accessing applications on-premise, at a partner organization or in the cloud. Sample identity card: Name: Fred, Password: *****, Age: 107, Country: Japan.

6 Federation protocol flow
Actors: our user, AppX and a security token service (STS); AppX trusts the STS. Flow:
1. User browses AppX; not authenticated
2. Redirected to the STS with an authentication request
3. STS authenticates the user, creates a token for AppX and digitally signs it
4. STS returns the security token (ST)
5. User agent sends the token to AppX
6. AppX validates the token and checks the signature
7. AppX returns cookies and the page
Authentication is without physical boundaries and encompasses all services that "trust" the IdP

7 Traditional federation protocols
Traditionally, federation in the enterprise and across enterprises used SAML-P and WS-*
Heavy-weight SAML token in XML format, for example (attribute namespaces and some values were lost in extraction):
<saml:Attribute AttributeName="upn" AttributeNamespace=" </saml:Attribute>
<saml:Attribute AttributeName="primarygroupsid" AttributeNamespace=" <saml:AttributeValue>S </saml:AttributeValue>
<saml:Attribute AttributeName="primarysid" AttributeNamespace=" <saml:AttributeValue>S </saml:AttributeValue>
<saml:Attribute AttributeName="name" AttributeNamespace=" <saml:AttributeValue>EXAMPLE\john</saml:AttributeValue>

8 The game changers
Consumerization drives the need to support many device and application types:
Native applications
Single page applications (JavaScript)
Web applications
Web APIs

9 Modern authentication protocols
OAuth 2.0 for delegation of access
  Allows the user to consent (give permission) for one service to access the user’s data held by another service
  An administrator can consent to access on the user’s behalf
  Claims held in an access_token
OpenID Connect
  Adds authentication to OAuth 2.0
  Claims held in an id_token
JSON Web Token (JWT)
  Mandated in OpenID Connect
  Used in most OAuth 2.0 implementations

10 JWT - Lightweight
A JWT has three parts: Header, Body, Signature.
Decoded body (claims; some values were lost in extraction):
{
"aud": "
"iss": "
"iat": ,
"nbf": ,
"exp": ,
"ver": "1.0",
"tid": "ab0a45c7-c085-4f3f-a868-62f ef",
"oid": "50ce00f0-eb1a-491d-88b c3856d",
"upn":
"unique_name":
"sub": "i9Q7DOmfn6x2R6RNQu1U1KV12jg9rKm9a9JNp1jQSpo",
"puid": "10033FFF855525C2",
"family_name": "Craddock",
"given_name": "John",
"appid": "92aaae6f-cbd a0-03fdbd540a7c",
"appidacr": "1",
"scp": "62e f e10",
"acr": "1"
}
Encoded token (Header.Body.Signature, base64url, dot-separated):
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5HVEZ2ZEstZnl0aEV1THdqcHdBSk9NOW4tQSJ9.eyJhdWQiOiJodHRwczovL3h0c2VtaW5hcnMuY29tL0FQSS9NeXNhbXBsZSIsImlzcyI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0L2FiMGE0NWM3LWMwODUtNGYzZi1hODY4LTYyZjM5Mjc5MjZlZi8iLCJpYXQiOjEzOTQ3MTE1MDAsIm5iZiI6MTM5NDcxMTUwMCwiZXhwIjoxMzk0NzE1NDAwLCJ2ZXIiOiIxLjAiLCJ0aWQiOiJhYjBhNDVjNy1jMDg1LTRmM2YtYTg2OC02MmYzOTI3OTI2ZWYiLCJvaWQiOiI1MGNlMDBmMC1lYjFhLTQ5MWQtODhiNi0zNjQ3NDZjMzg1NmQiLCJ1cG4iOiJqb2huQHh0c2VtaW5hcnMuY28udWsiLCJ1bmlxdWVfbmFtZSI6ImpvaG5AeHRzZW1pbmFycy5jby51ayIsInN1YiI6IjF1SEp1OGtVZEVFcXZVaGloakl1QXNLRnV3OTlNTVpDREtISmtJVjZYdEkiLCJmYW1pbHlfbmFtZSI6IkNyYWRkb2NrIiwiZ2l2ZW5fbmFtZSI6IkpvaG4iLCJhcHBpZCI6IjhlNzJjZmY4LWM1ZjMtNDE3Ni05ZjA0LTI0ZDBhNWIwNzE0YyIsImFwcGlkYWNyIjoiMCIsInNjcCI6InVzZXJfaW1wZXJzb25hdGlvbiIsImFjciI6IjEifQ.ZG2Kaag2tnqYWBPnoPggNgmVyh18zs1IXW-hGFMrQv0TOsF2Em5Qva0Bz2WUkeEWiw16XRo47nqgWgTtiaD0yzPDXD0_AZhnj5HbT6UmrMBEOd3tJ5Si3z6E5nbWB4KQZ4K7LZ_UhcMM3onD2uS0tyUkIzg-zj4OjGgZPzYUfIDa72AH6esy-adF7_HutB0zS6m35U97aUk6KOYs6F1-qTn63gAZ_G9_MNpm9yICKBU1vl2fktOwZMd7pQST8YDz9QYm9p5BF-dHP1_nK2KCX-1HWIbbtpSBEYInFYjjb_q310iG7BXl2HAbouf_YXDA1J5HDC1JcJIcA0xWVwkDQ
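As an added example, not code from the slides: a minimal JWT encoder and verifier in Python showing the Header.Body.Signature structure and the checks a WebAPI must make on the signature, aud, iss, nbf and exp before trusting the claims. It uses HS256 (stdlib hmac) rather than the RS256 signature an Azure AD token carries, and the key, tenant, audience and issuer values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    """Restore the padding JWT strips before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims: dict, key: bytes) -> str:
    """Serialise header.body.signature. HS256 keeps the example stdlib-only; Azure AD signs with RS256."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)

def verify_jwt(token: str, key: bytes, audience: str, issuer: str, now: int) -> dict:
    """Return the claims only if signature, aud, iss, nbf and exp all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated parts")
    header_b64, body_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("aud") != audience:  # a token minted for another API is not ours
        raise ValueError("audience mismatch")
    if claims.get("iss") != issuer:  # a token from another tenant or STS is not trusted
        raise ValueError("issuer mismatch")
    if now < claims.get("nbf", 0) or now >= claims.get("exp", 0):
        raise ValueError("token outside its validity window")
    return claims

# Constructed sample mirroring the claim set shown on the slide; all values are placeholders.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_CLAIMS = {
    "aud": "https://api.example.test/Mysample",
    "iss": "https://sts.example.test/TENANT-ID-PLACEHOLDER/",
    "iat": 1394711500, "nbf": 1394711500, "exp": 1394715400, "ver": "1.0",
    "tid": "TENANT-ID-PLACEHOLDER", "upn": "john@example.test", "scp": "user_impersonation", "acr": "1",
}
SAMPLE_TOKEN = make_jwt(SAMPLE_CLAIMS, SAMPLE_KEY)
```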

11 Modern authentication scenarios
Diagram: a web application signs the user in with OpenID Connect via the browser (id_token and access_token) and calls Web APIs with an access_token; native apps call Web APIs with an access_token; a server app calls Web APIs with an access_token.
The WebAPIs are protected resources and probably REST services

12 Development support
Authentication libraries available for most platforms
.NET OpenID Connect middleware for web applications
Active Directory Authentication Library (ADAL) for native and web apps: connects to Azure AD v1 endpoints
Microsoft Authentication Library (MSAL) for native and web apps: connects to v2 endpoints to authenticate users with a Microsoft or Azure AD account
v2 endpoints introduce new features and do not currently support all the functionality of the v1 endpoints

13 Hybrid-flow – one example of many flows
Actors: resource owner (user agent), application (client), Azure AD STS (authorize endpoint and token endpoint), resource server (WebAPI). Flow:
1. Start: the user agent browses to the application
2. Redirect: the application requests authentication and an authorization code for the resource from the authorize endpoint
3. Azure AD authenticates the user (and requests consent)
4. Redirect back to the application with the authorization code and id_token
5. The application sets authentication cookies
6. The application presents its client credentials to the token endpoint and requests an access_token via the authorization code
7. Response including the access_token
8. The application calls the WebAPI endpoint with the token; the WebAPI returns data
9. The application renders the page
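As an added example (not from the slides), the client side of the hybrid flow in Python: the authorize request carrying state and nonce, and the checks on the posted response before the code is redeemed at the token endpoint. The authority, client and redirect values are constructed placeholders, the STS response is a constructed stand-in, and id_token signature validation is assumed to be done by a JWT library.

```python
import base64
import json
import secrets
from urllib.parse import urlencode

# Constructed placeholders; a real app registration supplies these values.
AUTHORITY = "https://login.example.test/TENANT-ID-PLACEHOLDER"
CLIENT_ID = "CLIENT-ID-PLACEHOLDER"
CLIENT_SECRET = "CLIENT-SECRET-PLACEHOLDER"
REDIRECT_URI = "https://app.example.test/signin-oidc"
RESOURCE = "https://api.example.test/"  # the WebAPI the access_token is requested for

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwt_claims(token: str) -> dict:
    """Decode a JWT body. Signature validation against the STS signing keys is assumed to be done by a JWT library."""
    body = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def start_login(session: dict) -> str:
    """Build the redirect to the authorize endpoint; state and nonce are remembered in the session."""
    session["state"] = secrets.token_urlsafe(16)  # binds the response to this browser session
    session["nonce"] = secrets.token_urlsafe(16)  # must come back inside the id_token
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code id_token",  # hybrid: id_token for sign-in, code to exchange for the access_token
        "response_mode": "form_post",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "resource": RESOURCE,
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return f"{AUTHORITY}/oauth2/authorize?{urlencode(params)}"

def fake_sts_response(session: dict) -> dict:
    """Constructed stand-in for what the STS posts back after authenticating the user (unsigned, demo only)."""
    body = json.dumps({"nonce": session["nonce"], "upn": "john@example.test"}).encode()
    return {"code": "AUTHCODE-PLACEHOLDER", "id_token": "HEADER." + b64url_encode(body) + ".SIG", "state": session["state"]}

def handle_redirect(session: dict, form: dict) -> dict:
    """Check the posted response, then build the token-endpoint request that redeems the code."""
    if "state" not in session or not secrets.compare_digest(form.get("state", "").encode(), session["state"].encode()):
        raise ValueError("state mismatch: response is not bound to this login attempt")
    if jwt_claims(form["id_token"]).get("nonce") != session.get("nonce"):
        raise ValueError("nonce mismatch: id_token does not belong to this request")
    session.pop("state"); session.pop("nonce")  # single use, so a replayed response fails the checks above
    return {"grant_type": "authorization_code", "code": form["code"], "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI, "resource": RESOURCE}
```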

14 Asking for Consent
Each user will be prompted to consent
Some consents need admin privileges
Administrators can consent on behalf of all users

15 Refresh token
With the access_token, a refresh token may also be returned by the STS
The lifetime of the access token is normally short
The client can obtain a new access token using the refresh token; this allows the client to interact with the resource server even if the user is offline
Access can be revoked at the point of refresh

16 Application registration in Azure AD
Registration properties: Name, Sign-on URL, Logo, Client ID, Client secret, App ID URI, Reply URL, Multi-tenant, Add groups to claims, Add roles, Delegated permissions to other applications, Application permissions to other applications
As part of the registration, the application’s access to other apps is defined
The consent dialog is based on the defined access permissions
The required permissions are not defined for apps using the new Azure AD v2 endpoints; these support dynamic incremental consent

17 Supporting native Apps
The Active Directory Authentication Library (ADAL) provides all the heavy lifting to obtain tokens
ADAL is supported on multiple platforms
Invokes a "browser dialog" if the user is required to log on
New: Microsoft Authentication Library (MSAL)
  Connects to v2 endpoints to authenticate users with a Microsoft or Azure AD account
  v2 endpoints introduce new features and do not currently support all the functionality of the v1 endpoints
  Uses a system webview

18 Finding out more…
My session tomorrow at 14:15: Deep-dive: Azure Active Directory Authentication and Single-Sign-On (BRK3015)
Attend my masterclass: 5-Day Hands-on Microsoft Identity Masterclass with John Craddock (US, UK, The Netherlands or Scandinavia)
  In-depth course with over 35 hands-on labs
  Deep-dive into federation protocols including OpenID Connect and OAuth 2.0
  for full course details and booking links

19 My TechNet Blog: Mastering Identity with Azure Active Directory
1: Introductions all round
2: It’s all about protocols
3: Creating and managing an Azure Active Directory
4: Synchronising Azure and on-premises AD
5: Working with SaaS applications
6: Managing your applications
7: The Azure AD Application Proxy
8: Integrating with on-premises AD and AD FS
9: Creating a B2C directory
10: Enabling partners with B2B invitations
Search for: Mastering identity John Craddock

20 Consulting services on request
@john_craddock
John has designed and implemented computing systems ranging from high-speed industrial controllers through to distributed IT systems with a focus on security and high availability. He has been a key player in many IT projects for industry leaders, including Microsoft, the UK Government and multi-nationals that require optimized IT systems. He has developed technical training courses that have been published worldwide, co-authored a highly successful book on Microsoft Active Directory internals, and presents regularly at major international conferences including TechEd, IT Forum and European summits. John can be engaged as a consultant or booked for speaking engagements through XTSeminars.
John Craddock, Infrastructure and security Architect, XTSeminars Ltd

21 Please evaluate this session
PC or tablet: visit MyIgnite
Phone: download and use the Microsoft Ignite mobile app
Your input is important!

22 Identity @ Ignite | Monday
Location: check in the app
Code | Session | Time | Speakers
BRK3020 | What's new and upcoming in AD FS to securely sign-in your users to Office 365 and other applications | Monday 4:00–5:15 | Sam Devasahayam

Identity @ Ignite | Tuesday
BRK2019 | Productivity and protection for your employees, partners, and customers with Azure Active Directory | Tue 9:00–10:15 | Alex Simons, Nasos Kladakis
BRK2017 | Saying goodbye to passwords | Tue 12:45-1:30 |
BRK1051 | Locking down access to the Azure Cloud using SSO, Roles Based Access Control, and Conditional Access | Tue 2:15–3:30 | Stuart Kwan

23 Identity @ Ignite | Wednesday
Location: check in the app
Code | Session | Time | Speakers
BRK3225 | Office development: Authentication demystified | Wed 10:45–12:00 | Vittorio Bertocci
BRK3146 | The power of common identity across any cloud | Wed 12:45-1:30 | Sam Devasahayam
THR2126 | Azure Active Directory: Your options explained from AD sync to pass through authentication & more | Wed 1:35-1:55 | Alex Simons, Simon May
BRK3352 | Windows devices in Azure Active Directory: Why should I care? | Wed 2:15–3:30 | Jairo Cadena
BRK3040 | Deliver management and security at scale to Office 365 with Azure Active Directory | Wed 3:15-4:00 | Brjann Brekkan
BRK3295 | What’s new in Azure Active Directory Domain Services | Wed 4:00–5:15 | Mahesh Unnikrishnan
BRK3016 | Shut the door to cybercrime with Azure Active Directory risk-based identity protection | | Alex Weinert, Nitika Gupta
BRK3216 | How Graph powers intelligent experiences in SharePoint and Office 365 | | CJ Tan, Torbjørn Helvik

24 Identity @ Ignite | Thursday
Location: check in the app
Code | Session | Time | Speakers
BRK2018 | Share corporate resources with your partners using Azure Active Directory B2B collaboration | Thu 9:00–10:15 | Mary Lynch, Sarat Subramaniam, Laith Al Shamri
BRK3207 | The keys to the cloud: Use Microsoft identities to sign in and access API from your mobile+web apps | Thu 10:45-12:00 | Vittorio Bertocci
BRK3012 | Secure access to Office 365, SaaS and on-premises apps with Microsoft Enterprise Mobility + Security | | Caleb Baker, Chris Green
BRK3013 | Ensure users have the right access with Azure Active Directory | Thu 12:30–1:45 | Joseph Dadzie, Mark Wahl
BRK2079 | Secure Windows 10 with Intune, Azure AD and System Center Configuration Manager | | Dune Desormeaux, Dilip Radhakrishnan
BRK3340 | Use Microsoft Graph to reach on-premises users of Exchange 2016 deployments | | Deepak Singh
BRK3015 | Deep-dive: Azure Active Directory Authentication and Single-Sign-On | Thu 2:15-3:30 | John Craddock
BRK2078 | Microsoft’s guide for going password-less | | Karanbir Singh
BRK3014 | Azure Active Directory best practices from around the world | Thu 4:00–5:15 | Tarek Dawoud, Mark Morowczynski
BRK4011 | Understanding hybrid identity, authentication, and authorization with Microsoft Azure Stack | | Shriram Natarajan
BRK3053 | Troubleshooting Office 365 identity: How modern authentication works and what to do when it doesn't | | Jonas Gunnemo

25 Identity @ Ignite | Friday
Location: check in the app
Code | Session | Time | Speakers
BRK2276 | Modernize your customer identity management with Azure Active Directory B2C | Friday 9:00-9:45 | Saeed Akhter


