Published by Bernice Campbell. Modified over 9 years ago.
1
Cloud-based Identity for Applications
GRDevDay, March 21, 2015
2
About Me
- Solutions Architect
- Trainer
- Hockey fan
- http://www.schaeflein.net/blog
4
Hackathon 2015
5
Agenda
- Identity Concepts
- Cloud-based Identity Management
- Authentication and Authorization
6
Identity Concepts
7
Glossary
- App: Application designed to read/write data from a remote system
- Authentication: Identify the current principal
- Authorization: Verify the principal has proper permission for an operation
- Cloud App: App hosted on servers off-premises
- JSON: JavaScript Object Notation
8
Glossary
- JWT: JSON Web Token
- OAuth: Open Authentication standard
- Principal: User or App performing an operation
- SAML: Security Assertion Markup Language (XML)
- Token: Encoded, signed data representing a principal and/or app
9
Security Principals
- Users
- Groups
- “Service Accounts”
- Application
10
Authentication & Authorization
- What is Authentication (AuthN)? The process of verifying a principal’s identity.
- What is Authorization (AuthZ)? Determines which resources the principal can access.
11
AuthN/AuthZ Roles (Legacy)
12
Common Authentication Methods
- Integrated Windows NT Authentication
- Forms-Based Authentication
- .NET Membership
- ASP.NET Identity
- Claims-based Authentication
- Anonymous
13
Authenticating Users in the Cloud
- Integrated NT not usually possible, unless running a managed cloud
- FBA requires management interface creation. Is your code secure? Your password storage container?
- Claims-based is the current standard: multiple formats, but the same concepts
- Anonymous: well…
14
Authenticating Apps
- Server to Server (S2S) Trust: uses server certificates, just like SSL
- App ID & Password: also called Client Secret
- Trust Broker (Claims): service and app trust the same 3rd party
15
Claims in Real Life
- Form I-9
- Purchasing alcohol
- Login with Facebook
16
Cloud-Based Identity Management
- On-premises directory in DMZ: high-risk
- Cloud Directory (Azure AD): minimal control over password policy/requirements
- Federated Identity (used by SaaS): Azure AD “relies on” the on-premises directory, which keeps full control over authentication (password policy; logon policy such as device, time of day, etc.)
17
Cloud-Based Identity Management
- Maintain principals in the cloud UI
- Synchronize from on-premises
- Azure AD roadmap: Azure AD Connect, based on FIM
18
Auth Protocols & Code Libraries
19
Authenticating Users
- Externalize authentication: no more ASP.NET Membership
- Authentication delegated to an Identity Provider (IdP)
- IdP issues a token that contains claims
- Claims are used in authorization decisions
20
Authenticating Users - Protocols
- WS-FED: SAML format (Security Assertion Markup Language). Providers: Azure Access Control Services, Active Directory Federation Services (AD FS)
- OpenID Connect: JWT format. Providers: Azure Active Directory (Azure AD), social networks
21
Authenticating Users – Libraries
- WS-FED / SAML: Windows Identity Foundation (WIF); System.IdentityModel & System.Security.Claims namespaces (4.5); Identity & Access Control tool in VS2012
- OpenID Connect: ADAL (Active Directory Authentication Library); builds on top of WIF; both managed and JavaScript libraries; VS tooling is a bit behind
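Added example (not code from the deck or from any of the libraries above) of what the relying app must do with the IdP's JWT before making an authorization decision on its claims: check the algorithm, signature, issuer, audience and expiry. It assumes an HS256 shared key and made-up issuer/audience values; Azure AD actually signs with RS256 and publishes its public keys, so a real app verifies an RSA signature instead.

```python
import base64, hashlib, hmac, json, time

# Constructed values: a symmetric HS256 key shared by IdP and app, plus the
# issuer and audience the app expects. Azure AD really signs with RS256 and
# publishes its public keys; HMAC only keeps this example self-contained.
IDP_KEY = b"constructed-demo-key"
EXPECTED_ISSUER = "https://idp.example.test/"
EXPECTED_AUDIENCE = "api://demo-cloud-app"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(claims: dict, key: bytes = IDP_KEY) -> str:
    """IdP side: encode header and claims, sign them with HS256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_jwt(token: str, key: bytes = IDP_KEY, now=None) -> dict:
    """App side: check alg, signature, issuer, audience and expiry before
    returning the claims; raise so unverified claims are never used."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # reject 'none' or any other alg
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")  # token minted for a different app
    if (now if now is not None else time.time()) >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

def authorize(claims: dict, required_role: str) -> bool:
    """AuthZ decision made only on claims that passed validate_jwt."""
    return required_role in claims.get("roles", [])
```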
22
Authenticating Apps
23
OAuth2: Standard for programs accessing remote systems. http://oauth.net
24
What is OAuth 2.0?
- A simple mechanism to grant a third party access to a user’s resources without sharing the user’s password
- Cross-platform app authorization
- Internet standard supported by Azure, Facebook, Google, Twitter, and more
25
OAuth 2.0 Actors
- Client: application requesting access to a user’s resources
- Resource Owner: the user who can grant rights to the application
- Resource Server: the server hosting the protected resources and exposing a web-based API
- Authorization Server: server issuing tokens
26
OAuth 2.0 Actors in Office 365
- Client: SharePoint app, Azure web application, Windows 8 app
- Resource Owner: individual or administrator with an Organizational Account in Azure Active Directory
- Resource Server: SharePoint, Exchange
- Authorization Server: Azure Access Control Services
27
Application Principals
- Client ID is used to uniquely identify applications
- Client Secret is used to authenticate token requests
28
OAuth 2.0 Tokens
- Context Token: information about the Resource Owner and Client that can be used to get an Access Token later
- Refresh Token: a token used to get an Access Token from the Authorization Server
- Access Token: a token passed to the Resource Server authorizing the Client to access resources
- Authorization Code: a code that can be used to register an app on-the-fly
29
Bearer Tokens
- OAuth 2.0 Access Tokens are unbound tokens (a.k.a. “Bearer Tokens”): an Access Token can be used by any application that possesses it
- Always use SSL; the OAuth design depends on it!
- Never expose tokens in JavaScript or allow them to be accessed by client-side debugging tools
- If an Access Token is compromised, damage is limited by expiration
- If a Refresh Token is compromised, damage is limited because the Client ID and Client Secret are required to get an Access Token from a Refresh Token
30
OAuth 2.0 Flow (Office 365 APIs)
Actors: End User (Resource Owner), Azure Active Directory (Authorization Server), Azure Web Site (Client), SharePoint Online (Resource Server)
1. User accesses the Web application
2. Redirected to AAD
3. Consent dialog displayed
4. Grant access using the Consent Dialog
5. Auth Code returned and user redirected
6. Auth Code, App Id, App Secret sent
7. Access and Refresh Tokens returned
8. Access Token presented along with the request
9. Response returned
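The flow above as runnable Python (an added illustration, not the deck's or Microsoft's code): an authorization server in Azure AD's role and a resource server in SharePoint Online's role, with constructed client registration values. It shows why the Bearer Tokens slide holds: the access token is accepted from whoever presents it until it expires, while redeeming a code or a refresh token requires the Client ID and Client Secret, and a code is single-use.

```python
import secrets
import time

# Constructed registration values (not real Azure AD identifiers).
CLIENT_ID = "demo-client-id"
CLIENT_SECRET = "demo-client-secret"
REDIRECT_URI = "https://app.example.test/callback"

class AuthorizationServer:
    """Azure AD's role: issues auth codes, access tokens and refresh tokens."""
    def __init__(self, clients, access_ttl=3600):
        self.clients = clients  # client_id -> (client_secret, redirect_uri)
        self.codes = {}         # code -> (client_id, user); single use
        self.access = {}        # access token -> (user, expiry time)
        self.refresh = {}       # refresh token -> (client_id, user)
        self.access_ttl = access_ttl

    def authorize(self, client_id, redirect_uri, user):
        """Steps 2-5: after consent, return a code bound to the registered client."""
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user)
        return code

    def token(self, client_id, client_secret, code=None, refresh_token=None):
        """Steps 6-7: the client must present its secret; a code is redeemable
        once, and a refresh token only by the client it was issued to."""
        if client_id not in self.clients or self.clients[client_id][0] != client_secret:
            raise PermissionError("client authentication failed")
        if code is not None:
            owner, user = self.codes.pop(code, (None, None))
        else:
            owner, user = self.refresh.get(refresh_token, (None, None))
        if owner != client_id:
            raise PermissionError("invalid, reused or foreign code/refresh token")
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[access] = (user, time.time() + self.access_ttl)
        self.refresh[refresh] = (client_id, user)
        return {"access_token": access, "refresh_token": refresh}

def resource_server_get(auth_server, bearer_token, now=None):
    """SharePoint Online's role (step 8): an unexpired bearer token is all it
    checks. Reading the issuer's token table stands in for real validation."""
    user, expiry = auth_server.access.get(bearer_token, (None, 0))
    if user is None or (now if now is not None else time.time()) >= expiry:
        raise PermissionError("401 invalid or expired bearer token")
    return f"data for {user}"
```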
40
Demo
41
References
42
Azure Active Directory
- Documentation: http://azure.microsoft.com/en-us/documentation/services/active-directory/
- Samples: https://github.com/AzureADSamples
- Azure Active Directory Authentication Libraries: https://msdn.microsoft.com/en-us/library/azure/dn151135.aspx
43
AAD Graph API
- Documentation: http://msdn.microsoft.com/library/windowsazure/dn151791.aspx
- Graph Explorer: http://graphexplorer.cloudapp.net
- Metadata: https://graph.windows.net/contoso.onmicrosoft.com/$metadata
44
AAD Graph API Walkthrough
- Initial post: http://blogs.msdn.com/b/aadgraphteam/archive/2013/01/24/walk-through-for-building-a-net-application-for-accessing-windows-azure-active-directory-graph-service.aspx
- Update for new capabilities: http://blogs.msdn.com/b/aadgraphteam/archive/2013/05/15/announcing-some-new-capabilities-in-azure-active-directory-graph-service.aspx
45
Open Web Interface for .NET: http://owin.org
OWIN and Katana in ASP.NET: http://www.asp.net/aspnet/overview/owin-and-katana
46
OpenID Connect
- Specification: http://openid.net/connect/
- Samples: https://www.pingidentity.com/en/resources/articles/openid-connect.html and https://developers.google.com/accounts/docs/OpenIDConnect
47
Cloud Identity in .NET
- Dominick Baier: http://leastprivilege.com/
- Brock Allen: http://brockallen.com/
48
Thank You! You can find me at: paul@schaeflein.net, http://www.schaeflein.net/blog