Clients using wide variety of devices/languages/platforms Server applications using wide variety of platforms/languages Browser Native app Server.

Presentation transcript:

4 Clients using a wide variety of devices/languages/platforms; server applications using a wide variety of platforms/languages. Diagram: Browser, Native app, Server app (clients) calling Web application, Web API (servers).

5 Standards-based, HTTP-based protocols for maximum platform reach: WS-Fed, SAML 2.0, OpenID Connect (browser to web application); OAuth 2.0 (native app / server app to Web API). Diagram: Browser, Native app, Server app calling Web application, Web API.

9 Browser to Web application: WS-Fed, SAML 2.0, OpenID Connect

10 Web Browser to Web App: WS-Federation, SAML 2.0, OpenID Connect
Diagram elements: Browser; WebApp (Windows Identity Foundation, OWIN Auth Middleware); Contoso.com directory tenant with WebApp Service Principal (App ID URI, Reply URL) and a SAML, WS-Fed, or OpenID Connect endpoint.
1. Navigate to site
2. Redirect to directory tenant to sign in (App ID URI)
3. Sign in
4. Send security token to Reply URL
5. Set session

14
Claim        Example                                Intended Purpose
Tenant ID    81aabdd2-3682-48fd-9efa-2cb2fcea8557   Immutable tenant identifier
Name         skwan@skwantoso.com                    Display only
First Name   Stuart                                 Display only
Last Name    Kwan                                   Display only
Object ID    b3809430-6c28-4e43-870d-fa7d38636dcd   Immutable security identifier
* Coming soon: group claims and role claims


16 Native app to Web API: OAuth 2.0

17 Native Client to Web API: OAuth 2.0 auth code grant, public client
Diagram elements: NativeApp (ADAL*); WebAPI (Windows Identity Foundation, OWIN Auth Middleware); Contoso.com directory tenant with NativeApp SP (Client ID, Redirect URI), WebAPI SP (App ID URI), Impersonation grant, Authorize Endpoint, Token Endpoint.
1. Request Auth Code (Client ID, Redirect URI, App ID URI)
2. Sign in (user sees web pop up …)
3. Return Auth Code to Redirect URI
* Active Directory Authentication Library: client-side helper library that handles UI prompts, protocol, caching.

18 Native Client to Web API: OAuth 2.0 auth code grant, public client
Diagram elements: NativeApp (ADAL); WebAPI (Windows Identity Foundation, OWIN Auth Middleware); Contoso.com directory tenant with NativeApp SP (Client ID, Redirect URI), WebAPI SP (App ID URI), Impersonation grant, Authorize Endpoint, Token Endpoint.
4. Redeem Auth Code (Auth Code, Client ID, Redirect URI, App ID URI)
5. Return Access Token (JWT*), Refresh Token (JWT*)
6. Send Access Token on Authorization Header
* JWT = JSON Web Token, a JSON-encoded security token bearing claims.

24 Native Client to Web API: OAuth 2.0 auth code grant, public client
Diagram elements: NativeApp (ADAL); WebAPI (Windows Identity Foundation, OWIN Auth Middleware); Contoso.com directory tenant with NativeApp SP (Client ID, Redirect URI), WebAPI SP (App ID URI), Impersonation grant, Authorize Endpoint, Token Endpoint.
1. Call WebAPI (Access Token in AuthZ Header)
2. Access Token has expired
3. Request new Access Token (Client ID, Refresh Token*, App ID URI)
4. Return Access Token, Refresh Token
5. Call web API with Access Token in AuthZ Header
* Bonus: a “multi-resource refresh token” can be used to get an access token for a different service if a delegation exists.

25 Browser to Web application to Web API


27 Web App to Web API: OAuth 2.0 client credentials
Diagram elements: Browser; WebApp (WIF, OWIN, ADAL); WebAPI (WIF, OWIN); Contoso.com directory tenant with WebAPI SP (App ID URI), WebApp SP (Client ID, Redirect URI, Credential*), Access grant, Authorize Endpoint, Token Endpoint.
1. Signed in, using the web app…
2. Request token (Client ID, Credential, App ID URI)
3. Return access token
4. Call web API with Access Token in AuthZ Header
* The application’s credential can be a password, or it can be an assertion (a JWT token) signed with a private key.

28 Web App to Web API: OpenID Connect
Diagram elements: Browser; WebApp (WIF, OWIN, ADAL); WebAPI (WIF, OWIN); Contoso.com directory tenant with WebApp SP (Client ID, Redirect URI, Credential), WebAPI SP (App ID URI), Impersonation grant, Authorize Endpoint, Token Endpoint.
1. Navigate to site
2. Redirect to sign in and request auth code (Client ID, Redirect URI)
3. Sign in (might require user consent)
4. Return ID Token* and Auth Code to Redirect URI
6. Set session
* ID Token: claims about the user for WebApp.

29 Web App to Web API: OpenID Connect
Diagram elements: Browser; WebApp (WIF, OWIN, ADAL); WebAPI (WIF, OWIN); Contoso.com directory tenant with WebAPI SP (App ID URI), WebApp SP (Client ID, Redirect URI, Credential), Impersonation grant, Authorize Endpoint, Token Endpoint.
7. Request access token (Auth Code, Client ID, Credential, Redirect URI, App ID URI)
8. Return access token, refresh token
9. Call web API with Access Token in AuthZ Header

30 Native app to Server app to Web API


32 Server to Web API: OAuth 2.0 OnBehalfOf Token Exchange
Diagram elements: Native app / Web app; WebAPI1 (WIF, OWIN, ADAL); WebAPI2 (WIF, OWIN); Contoso.com directory tenant with WebAPI1 SP (Client ID, Credential), WebAPI2 SP (Client ID, Credential), Impersonation grant, Authorize Endpoint, Token Endpoint.
1. Use the API, passing the user’s Access Token…
2. Request token (User’s Access Token, Client ID, Credential)
3. Return Access Token, Refresh Token
4. Call web API with Access Token in AuthZ Header
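The checks WebAPI1 has to make on the caller's token before it trusts any claim, and the on-behalf-of exchange of slide 32, as an added Python example that is not the slides' code and not WIF, OWIN or ADAL. It keys the caller's identity on the immutable Tenant ID and Object ID of slide 14 rather than on the display-only name claims. Assumptions: tokens are HS256 JWTs over a constructed shared key, standing in for the directory tenant's public-key signatures; the claim names (tid, oid, name, given_name, family_name, iss, aud, exp), the issuer URL, App ID URIs, client IDs and credentials are all constructed; the on-behalf-of request parameters (grant_type jwt-bearer, requested_token_use, assertion, client_secret) follow Azure AD's on-behalf-of request and do not appear on the slides.

```python
import base64
import hashlib
import hmac
import json
import time

TENANT_ID = "81aabdd2-3682-48fd-9efa-2cb2fcea8557"      # Tenant ID from slide 14
ISSUER = f"https://sts.contoso.example/{TENANT_ID}/"    # constructed issuer value
SIGNING_KEY = b"constructed-shared-key"                 # HS256 stand-in for the tenant's signing key
WEBAPI1 = "https://contoso.example/webapi1"             # App ID URIs (constructed)
WEBAPI2 = "https://contoso.example/webapi2"
OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict) -> str:
    """Issue a compact JWT (header.payload.signature) signed with the shared key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_jwt(token: str, expected_audience: str, now=None) -> dict:
    """What the Web API's auth middleware checks before any claim is trusted:
    signature, issuer, audience (this API's own App ID URI) and expiry."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64url(payload))
    if claims.get("iss") != ISSUER:
        raise PermissionError("wrong issuer")
    if claims.get("aud") != expected_audience:
        raise PermissionError("token was issued for a different resource")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise PermissionError("token expired")
    return claims


def principal_key(claims: dict) -> tuple:
    """Authorize on the immutable identifiers of slide 14 (Tenant ID, Object ID);
    name, first name and last name are display only and can change."""
    return claims["tid"], claims["oid"]


class TokenEndpoint:
    """Simulated Token Endpoint for the on-behalf-of grant of slide 32."""

    def __init__(self):
        self.credentials = {"webapi1-client-id": "webapi1-credential"}
        self.app_id_uris = {"webapi1-client-id": WEBAPI1}
        self.impersonation_grants = {"webapi1-client-id": {WEBAPI2}}

    def on_behalf_of(self, params: dict) -> dict:
        cid = params["client_id"]
        if self.credentials.get(cid) != params.get("client_secret"):
            raise PermissionError("client authentication failed")
        if params.get("grant_type") != OBO_GRANT or params.get("requested_token_use") != "on_behalf_of":
            raise ValueError("not an on-behalf-of request")
        # The assertion must be a valid user token addressed to the calling API itself.
        user = validate_jwt(params["assertion"], self.app_id_uris[cid])
        if params["resource"] not in self.impersonation_grants.get(cid, ()):
            raise PermissionError("no impersonation grant for the requested resource")
        # New token: same user claims, new audience, fresh expiry.
        claims = {k: user[k] for k in ("tid", "oid", "name", "given_name", "family_name")}
        claims.update({"iss": ISSUER, "aud": params["resource"], "exp": int(time.time()) + 3600})
        return {"token_type": "Bearer", "access_token": mint_jwt(claims)}


def webapi1_handles_call(endpoint: TokenEndpoint, authorization_header: str) -> dict:
    """Slide 32 from WebAPI1's side; returns the claims WebAPI2 ends up seeing."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer":
        raise PermissionError("expected a bearer token")
    caller = validate_jwt(token, WEBAPI1)                      # 1. validate the user's access token
    who = principal_key(caller)
    response = endpoint.on_behalf_of({                         # 2./3. token exchange
        "grant_type": OBO_GRANT, "requested_token_use": "on_behalf_of", "assertion": token,
        "client_id": "webapi1-client-id", "client_secret": "webapi1-credential", "resource": WEBAPI2})
    downstream = validate_jwt(response["access_token"], WEBAPI2)  # 4. WebAPI2 validates for its own URI
    if principal_key(downstream) != who:
        raise RuntimeError("exchanged token does not carry the same user")
    return downstream


def sample_user_token() -> str:
    """Constructed token a native app would have obtained for WebAPI1 (claims from slide 14)."""
    return mint_jwt({"tid": TENANT_ID, "oid": "b3809430-6c28-4e43-870d-fa7d38636dcd",
                     "name": "skwan@skwantoso.com", "given_name": "Stuart", "family_name": "Kwan",
                     "iss": ISSUER, "aud": WEBAPI1, "exp": int(time.time()) + 600})
```

The audience check is the one that keeps the two APIs apart: a token minted for WebAPI2 is rejected by WebAPI1 and vice versa, so a token can only be exchanged by the API it was actually issued to, and only for a resource on which that API holds an impersonation grant.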


34 Company
Founded: 1833
Fortune 500: Ranked 14th
Revenue: $122.5 billion
America’s oldest and largest healthcare services company
Headquarters: San Francisco
Employees: 43,500
Segments: Distribution Solutions and Technology Solutions
Together with our customers and partners, we are creating a sustainable future for healthcare. Together we are charting a course to better health.

35 Distribution Solutions: #1 pharmaceutical distributor in U.S. and Canada; #1 generics distributor; #1 in medical-surgical distribution to alternate care sites.
Technology Solutions: leader in clinical, revenue-cycle and resource-management solutions; leading RelayHealth claims-processing and connectivity business; #1 in medical-management software and services to payers.

44
Category           Protocol                                          AD FS           Azure AD
Native client      OAuth 2.0 auth code grant, public client          AD FS 3.0       Preview
Web sign-in        WS-Federation                                     AD FS 2.0+      GA
Web sign-in        SAML 2.0                                          AD FS 2.0+      GA
Web sign-in        OpenID Connect                                    Not available   Preview
Web to Web API     OAuth 2.0 auth code grant, confidential client    Not available   Preview
Web to Web API     OAuth 2.0 client credential grant                 Not available   GA
Server to Web API  OAuth 2.0 on behalf of                            Not available   Preview

45 Web App to Web API: OAuth 2.0 auth code grant, confidential client
Diagram elements: Browser; WebApp (WIF, OWIN, ADAL); WebAPI (WIF, OWIN); Contoso.com directory tenant with WebAPI SP (App ID URI), WebApp SP (Client ID, Redirect URI, Credential), delegation, Authorize Endpoint, Token Endpoint.
1. Signed in, using the web app…
2. Request Auth Code (Client ID, Redirect URI); might require user consent
3. Return Auth Code

46 Web App to Web API: OAuth 2.0 auth code grant, confidential client*
Diagram elements: Browser; WebApp (WIF, OWIN, ADAL); WebAPI (WIF, OWIN); Contoso.com directory tenant with WebAPI SP (App ID URI), WebApp SP (Client ID, Redirect URI, Credential), delegation, Authorize Endpoint, Token Endpoint.
4. Request access token (Auth Code, Client ID, Credential, Redirect URI, App ID URI)
5. Return access token, refresh token
6. Call web API with Access Token in AuthZ Header
* Called a “confidential client” because WebApp uses its credentials when redeeming the auth code.
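The OAuth 2.0 grants of slides 17, 18, 24, 27, 45 and 46 run end to end against a simulated Contoso.com directory tenant, as an added Python example that is not the slides' code and not ADAL, WIF or OWIN. It shows the auth code grant for a public (native) client and for a confidential (web app) client, the refresh token including the multi-resource case of slide 24, and the client credentials grant of slide 27. Assumptions: all client IDs, App ID URIs, redirect URIs and the web app credential are constructed; tokens are opaque random strings rather than JWTs; the App ID URI is carried in a parameter named resource and the credential in client_secret (the password form of slide 27, not the signed-assertion form).

```python
import secrets
import time

WEBAPI = "https://contoso.example/webapi"     # WebAPI SP App ID URI (constructed)
WEBAPI2 = "https://contoso.example/webapi2"   # second resource, for the multi-resource refresh token


class DirectoryTenant:
    """Simulated Contoso.com directory tenant: Authorize Endpoint, Token Endpoint and SPs."""

    def __init__(self):
        # Service principals keyed by Client ID; a public client holds no credential.
        self.clients = {
            "native-client-id": {"redirect_uri": "nativeapp://auth", "secret": None},
            "webapp-client-id": {"redirect_uri": "https://webapp.contoso.example/signin",
                                 "secret": "webapp-credential"},
        }
        # App ID URIs each client holds an impersonation/delegation grant for.
        self.delegations = {"native-client-id": {WEBAPI, WEBAPI2}, "webapp-client-id": {WEBAPI}}
        self.codes, self.refresh_tokens, self.access_tokens = {}, {}, {}
        self.lifetime = 3600

    def authorize(self, client_id, redirect_uri, resource, signed_in_user):
        """Authorize Endpoint after sign-in: the code is bound to client, redirect URI and resource."""
        reg = self.clients.get(client_id)
        if reg is None or reg["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect URI mismatch")
        if resource not in self.delegations[client_id]:
            raise PermissionError("no delegation grant for this resource")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, resource, signed_in_user)
        return code

    def token(self, params):
        """Token Endpoint: authenticate confidential clients, then dispatch on grant_type."""
        client_id = params["client_id"]
        reg = self.clients.get(client_id)
        if reg is None:
            raise PermissionError("unknown client")
        if reg["secret"] is not None and params.get("client_secret") != reg["secret"]:
            raise PermissionError("confidential client must present its credential")
        if params["resource"] not in self.delegations[client_id]:
            raise PermissionError("no delegation grant for this resource")
        grant = params["grant_type"]
        if grant == "authorization_code":
            issued = self.codes.pop(params["code"], None)  # codes are single use
            if issued is None or issued[:3] != (client_id, params["redirect_uri"], params["resource"]):
                raise PermissionError("auth code not valid for this client, redirect URI and resource")
            return self._issue(issued[3], client_id, params["resource"])
        if grant == "refresh_token":
            owner = self.refresh_tokens.pop(params["refresh_token"], None)  # rotated on use
            if owner is None or owner[0] != client_id:
                raise PermissionError("refresh token not valid for this client")
            return self._issue(owner[1], client_id, params["resource"])
        if grant == "client_credentials":
            if reg["secret"] is None:
                raise PermissionError("client credentials grant requires a confidential client")
            return self._issue(None, client_id, params["resource"])  # app-only token, no user
        raise ValueError("unsupported grant_type")

    def _issue(self, user, client_id, resource):
        access = secrets.token_urlsafe(24)
        self.access_tokens[access] = (user, resource, time.time() + self.lifetime)
        response = {"token_type": "Bearer", "access_token": access, "expires_in": self.lifetime}
        if user is not None:  # only delegated (user) flows get a refresh token
            refresh = secrets.token_urlsafe(24)
            self.refresh_tokens[refresh] = (client_id, user)
            response["refresh_token"] = refresh
        return response

    def validate_bearer(self, authorization_header, resource):
        """What the Web API's auth middleware establishes from the AuthZ header: the
        impersonated user (None for an app-only token); raises if the token is unusable."""
        scheme, _, token = authorization_header.partition(" ")
        entry = self.access_tokens.get(token)
        if scheme != "Bearer" or entry is None or entry[1] != resource or entry[2] < time.time():
            raise PermissionError("missing, expired or wrong-audience access token")
        return entry[0]


def native_client_flow(tenant):
    """Slides 17, 18 and 24: public client, auth code grant, later a refresh for a second resource."""
    cid, ruri = "native-client-id", "nativeapp://auth"
    code = tenant.authorize(cid, ruri, WEBAPI, signed_in_user="skwan")
    tokens = tenant.token({"grant_type": "authorization_code", "code": code,
                           "client_id": cid, "redirect_uri": ruri, "resource": WEBAPI})
    user = tenant.validate_bearer("Bearer " + tokens["access_token"], WEBAPI)
    renewed = tenant.token({"grant_type": "refresh_token", "refresh_token": tokens["refresh_token"],
                            "client_id": cid, "resource": WEBAPI2})  # multi-resource refresh token
    return user, tenant.validate_bearer("Bearer " + renewed["access_token"], WEBAPI2)


def confidential_client_flow(tenant, present_credential=True):
    """Slides 45 and 46: the web app must redeem the code with its own credential."""
    cid, ruri = "webapp-client-id", "https://webapp.contoso.example/signin"
    code = tenant.authorize(cid, ruri, WEBAPI, signed_in_user="skwan")
    params = {"grant_type": "authorization_code", "code": code,
              "client_id": cid, "redirect_uri": ruri, "resource": WEBAPI}
    if present_credential:
        params["client_secret"] = "webapp-credential"
    return tenant.token(params)


def client_credentials_flow(tenant):
    """Slide 27: app-only access token; there is no user, so no refresh token is issued."""
    return tenant.token({"grant_type": "client_credentials", "client_id": "webapp-client-id",
                         "client_secret": "webapp-credential", "resource": WEBAPI})
```

Two properties are worth noticing when running it: an auth code is accepted exactly once and only from the client, redirect URI and App ID URI it was issued for, and the confidential client's redemption fails without its credential, which is exactly the point footnoted on slide 46.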
