
Windows Server Active Directory Intranet Managed Access Managed Identities Integrated Business Apps.



Presentation transcript:


3 Windows Server Active Directory Intranet Managed Access Managed Identities Integrated Business Apps

4 Windows Server Active Directory Intranet Managed Access Managed Identities Integrated Business Apps. SaaS you buy / SaaS you build

5 On-Premises: Windows Server Active Directory (SaaS you build, SaaS you sell), synchronized by DirSync to Windows Azure Active Directory. Cloud: Windows Azure Active Directory, Other Microsoft Services, Office 365, 3rd Party SaaS you buy.

6 Organizations federating into the directory: Small Businesses, Medium/Large Enterprises, Schools & Universities, with on-premises identity systems AD/ADFS, AD/LDAP and Shibboleth. Windows Azure AD: Directory Tenant 1, Directory Tenant 2, ..., Directory Tenant n. Protocols exposed: SAML 2.0, WS-Federation, Federation Metadata, OAuth 2.0, REST-based Directory Graph API. Consumers: Web Applications, Web APIs, Rich Client Apps; Single Tenant / Multi Tenant SaaS Applications; Admin Consent / Application Install.


8 Developer's Organization's Windows Azure AD (Identity Provider). Relying Parties owned by the Developer: Single Tenant App 1 (ASP.NET Web App), Single Tenant App 2 (PHP Web App). Action: the Developer registers the app with the directory.

9 Developer's Organization's Windows Azure AD (Identity Provider). Relying Parties owned by the Developer: Single Tenant App 1 (ASP.NET Web App), Single Tenant App 2 (PHP Web App). Protocols between them: SAML 2.0, WS-Federation, Federation Metadata. Action: a user from the developer's organization signs on.

10 Sign-on sequence (browser, relying party at https://resource.com, STS at login.windows.net):
1. HTTP GET https://resource.com
2. HTTP 302 REDIRECT to the STS sign-in endpoint, which the browser follows with an HTTP GET. WS-Federation: https://login.windows.net/ /wsfed?wa=wsignin1.0&wtrealm=https%3a%2f%2fresource.com&wct=2013-06-19T03%3a20%3a02Z. SAML-P: https://login.windows.net/ /saml2?SAMLRequest=jZFNS8NA…&RelayState=http…
3. User Authentication
4. HTTP 200 OK carrying a form with <input type="hidden" name="SAMLResponse"> and <input type="hidden" name="RelayState">; the browser submits it as HTTP POST https://resource.com with wa=wsignin1.0&wresult=token (WS-Federation) or SAMLResponse=token (SAML-P)
5. HTTP 302 REDIRECT https://resource.com, setting Cookie=Auth Cookie
6. HTTP GET https://resource.com with Cookie=Auth Cookie
7. HTTP 200 OK

11 Claims in the issued token: Name ID, Tenant ID, Object Identifier, Name, Audience

12 Federation metadata values. SAML-P related: SAML SSO URL, SAML Logout URL, Token Signing Key. WS-Fed related: WS-Fed SSO & Signout URL, EntityID.

13 (repeats the diagram of slide 9: user from the developer's organization signs on)

14 Developer's Organization's Windows Azure AD (Identity Provider). Relying Parties owned by the Developer: Single Tenant App 1 (ASP.NET Web App), Single Tenant App 2 (PHP Web App). Protocols between them: SAML 2.0, WS-Federation, Federation Metadata. Action: a user from the developer's organization signs out.

15 Sign-out sequence:
1. User initiates sign-out
2. HTTP 302 REDIRECT to the STS sign-out endpoint (the same response clears the auth cookie), which the browser follows with an HTTP GET. WS-Federation: https://login.windows.net/ /wsfed?wa=wsignout1.0&wtrealm=https%3a%2f%2fresource.com&wreply=https%3a%2f%2fresource.com. SAML-P: https://login.windows.net/ /saml2?SAMLRequest=jZFNS8NA…&Signature=…&SigAlg=… (a signed LogoutRequest)
3. Sign-out Broadcast (the STS signs the user out of the other relying parties in the session)
4. HTTP 302 REDIRECT, followed by HTTP GET, https://resource.com/signoutURL?SAMLResponse=…&Signature=…&SigAlg=…
5. HTTP 200 OK
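As an added example, not code from the presentation, the following Python builds the redirects a relying party issues in step 2 of the sign-on sequence (slide 10) and step 2 of the sign-out sequence (slide 15), for both the WS-Federation and the SAML-P endpoint. The tenant segment of the login.windows.net URL (left blank on the slides), the RP's EntityID and its AssertionConsumerService URL are assumptions. The signed SAML LogoutRequest (Signature/SigAlg on slide 15) is not produced here, because that needs the RP's signing key; the unsigned AuthnRequest is shown instead, DEFLATE-compressed and base64-encoded as the HTTP-Redirect binding requires.

```python
"""RP-side redirect construction for the sign-in (slide 10) and sign-out (slide 15) flows."""
import base64
import datetime as dt
import uuid
import zlib
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions: the tenant segment of the STS URL is blank on the slides; EntityID and
# AssertionConsumerService URL of the RP are chosen for this example.
TENANT = "contoso.onmicrosoft.com"
STS = f"https://login.windows.net/{TENANT}"
REALM = "https://resource.com"      # wtrealm for WS-Fed, <saml:Issuer> (EntityID) for SAML-P
ACS_URL = "https://resource.com/"   # where the STS posts the token (slide 10, step 4)
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def _now_utc() -> str:
    return dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def wsfed_signin_url(realm: str = REALM, wct: Optional[str] = None) -> str:
    """Slide 10, step 2 (WS-Fed): wa selects the action, wtrealm names the RP, wct timestamps the request."""
    q = {"wa": "wsignin1.0", "wtrealm": realm, "wct": wct or _now_utc()}
    return f"{STS}/wsfed?{urlencode(q)}"


def wsfed_signout_url(realm: str = REALM, wreply: str = REALM) -> str:
    """Slide 15, step 2 (WS-Fed): same endpoint with wa=wsignout1.0; wreply is where the STS returns the user."""
    q = {"wa": "wsignout1.0", "wtrealm": realm, "wreply": wreply}
    return f"{STS}/wsfed?{urlencode(q)}"


def encode_redirect(xml: str) -> str:
    """SAML HTTP-Redirect binding: raw DEFLATE (no zlib header or checksum), then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml.encode("utf-8")) + c.flush()).decode("ascii")


def decode_redirect(value: str) -> str:
    """Inverse of encode_redirect: what the STS does with the SAMLRequest parameter."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def saml_signin_url(relay_state: str, request_id: Optional[str] = None,
                    issue_instant: Optional[str] = None) -> Tuple[str, str]:
    """Slide 10, step 2 (SAML-P). Returns (url, request_id); the RP must store request_id
    so it can check InResponseTo on the SAMLResponse it receives in step 4."""
    request_id = request_id or "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="{issue_instant or _now_utc()}" Destination="{STS}/saml2" '
           f'AssertionConsumerServiceURL="{ACS_URL}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{REALM}</saml:Issuer></samlp:AuthnRequest>')
    q = {"SAMLRequest": encode_redirect(xml), "RelayState": relay_state}
    return f"{STS}/saml2?{urlencode(q)}", request_id


def parse_query(url: str) -> Dict[str, str]:
    """Single-valued view of a redirect's query string, for inspecting what it carries."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


if __name__ == "__main__":
    print(wsfed_signin_url())
    print(wsfed_signout_url())
    url, rid = saml_signin_url("https://resource.com/home")
    print(url)
    print(decode_redirect(parse_query(url)["SAMLRequest"]))
```

RelayState is the RP's own state for the round trip (the slide shows a return URL in it). When it comes back in step 4 it is still untrusted browser input: an RP that redirects to whatever RelayState contains is an open redirector, so either restrict it to a path on the RP's own origin or store the real return URL server-side and put only an opaque key in RelayState.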

16 (repeats the diagram of slide 14: user from the developer's organization signs out)

17 Developer's Organization's Windows Azure AD (Identity Provider). Relying Parties owned by the Developer: Single Tenant App 1 (ASP.NET Web App), Single Tenant App 2 (PHP Web App), and now a Multi Tenant App. Protocols: SAML 2.0, WS-Federation, Federation Metadata. Action: the Developer designates the app to be externally available.

18 Developer's Organization's Windows Azure AD (Identity Provider) with the Developer's Relying Parties: Single Tenant App 1 (ASP.NET Web App), Single Tenant App 2 (PHP Web App), Multi Tenant App; protocols SAML 2.0, WS-Federation, Federation Metadata. Customer's Windows Azure AD (Identity Provider 2), reached over the same SAML 2.0, WS-Federation and Federation Metadata. Action: the Customer (Tenant Administrator) consents to application install.

19 Admin consent sequence:
1. Administrator initiates application install
2. HTTP 302 REDIRECT, followed by HTTP GET, https://account.activedirectory.windowsazure.com/Consent.aspx?ClientID=eb74…&RequestedPermissions=DirectoryReaders&ConsentReturnURL=https%3a%...
3. Authentication & Consent UI
4. HTTP 302 REDIRECT, followed by HTTP GET, https://appConsentReturnURL?Consent=Granted&TenantId=82869…
AAD provisions the app service principal in the tenant; the app service principal is assigned permissions per the Tenant Admin's consent. The SaaS application completes on-boarding the new customer/organization.
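The following is an added Python example, not the presentation's code, showing how a multi-tenant relying party consumes the claims listed on slide 11 (Name ID, Tenant ID, Object Identifier, Name, Audience) and ties them to the on-boarding on slide 19: a token is only accepted if its Tenant ID belongs to a tenant whose administrator consented, and the assertion's issuer must belong to that same tenant. The issuer format and claim type URIs are assumed to be the ones Azure AD used at the time and are not stated on the slides; XML-DSig verification against the Token Signing Key from the federation metadata (slide 12) is left to an XML signature library and is modelled here as a precondition. The sample assertion and the tenant IDs are constructed.

```python
"""Claim checks a multi-tenant RP applies to a SAML assertion after signature verification."""
import datetime as dt
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Set

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
# Assumed Azure AD issuer format and claim types (not stated on the slides).
ISSUER_FMT = "https://sts.windows.net/{tid}/"
CLAIM_TID = "http://schemas.microsoft.com/identity/claims/tenantid"
CLAIM_OID = "http://schemas.microsoft.com/identity/claims/objectidentifier"
CLAIM_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
SKEW = dt.timedelta(minutes=5)   # tolerated clock difference between RP and STS
FMT = "%Y-%m-%dT%H:%M:%SZ"


def sample_assertion(tid: str, audience: str, not_before: dt.datetime, not_on_or_after: dt.datetime,
                     name: str = "alice@customer.example", oid: str = "constructed-object-id") -> str:
    """Constructed, unsigned assertion shaped like the token the STS posts in slide 10, step 4."""
    attrs = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
                    for n, v in ((CLAIM_TID, tid), (CLAIM_OID, oid), (CLAIM_NAME, name)))
    return (f'<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0" IssueInstant="{not_before.strftime(FMT)}">'
            f'<saml:Issuer>{ISSUER_FMT.format(tid=tid)}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{name}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{not_before.strftime(FMT)}" NotOnOrAfter="{not_on_or_after.strftime(FMT)}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions><saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion>')


def _attr(root: ET.Element, name: str) -> Optional[str]:
    el = root.find(f"saml:AttributeStatement/saml:Attribute[@Name='{name}']/saml:AttributeValue", NS)
    return None if el is None else (el.text or "").strip()


def validate_assertion(xml: str, expected_audience: str, onboarded_tenants: Set[str],
                       now: dt.datetime, signature_verified: bool) -> Dict[str, Optional[str]]:
    """Checks that come after (never instead of) XML-DSig verification with the STS signing key."""
    if not signature_verified:
        raise ValueError("signature not verified; claims must not be read")
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise ValueError("missing Conditions / validity window")
    nb = dt.datetime.strptime(cond.get("NotBefore"), FMT).replace(tzinfo=dt.timezone.utc)
    noa = dt.datetime.strptime(cond.get("NotOnOrAfter"), FMT).replace(tzinfo=dt.timezone.utc)
    if not (nb - SKEW <= now < noa + SKEW):
        raise ValueError("assertion outside its validity window")
    audiences = [(a.text or "").strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:      # slide 11: Audience must be this RP
        raise ValueError(f"audience {audiences} does not name {expected_audience}")
    tid = _attr(root, CLAIM_TID)                # slide 11: Tenant ID
    if tid not in onboarded_tenants:            # slide 19: only tenants whose admin consented
        raise ValueError(f"tenant {tid!r} has not consented to this application")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != ISSUER_FMT.format(tid=tid):    # issuer and Tenant ID claim must agree
        raise ValueError(f"issuer {issuer!r} does not belong to tenant {tid}")
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    oid = _attr(root, CLAIM_OID)                # slide 11: Object Identifier, the stable user key
    if not name_id or not oid:
        raise ValueError("missing NameID or Object Identifier")
    return {"tenant_id": tid, "object_id": oid, "name_id": name_id, "name": _attr(root, CLAIM_NAME)}


def demo() -> Dict[str, str]:
    """Constructed cases: one good assertion and the rejections a practitioner should expect."""
    now = dt.datetime(2013, 6, 19, 3, 20, 2, tzinfo=dt.timezone.utc)
    tid = "11111111-2222-3333-4444-555555555555"   # constructed tenant ID (the slide's is truncated)
    aud, onboarded = "https://resource.com", {tid}
    m1, h1 = dt.timedelta(minutes=1), dt.timedelta(hours=1)
    good = sample_assertion(tid, aud, now - m1, now + h1)
    cases = {
        "valid": (good, True),
        "unsigned": (good, False),
        "unknown_tenant": (sample_assertion("99999999-0000-0000-0000-000000000000", aud, now - m1, now + h1), True),
        "expired": (sample_assertion(tid, aud, now - 2 * h1, now - h1), True),
        "wrong_audience": (sample_assertion(tid, "https://other.example", now - m1, now + h1), True),
        "issuer_mismatch": (good.replace(ISSUER_FMT.format(tid=tid), ISSUER_FMT.format(tid="other")), True),
    }
    out: Dict[str, str] = {}
    for label, (xml, signed) in cases.items():
        try:
            out[label] = "accepted:" + str(validate_assertion(xml, aud, onboarded, now, signed)["tenant_id"])
        except ValueError:
            out[label] = "rejected"
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:16} {result}")
```

The tenant check matters precisely because a multi-tenant app accepts tokens signed by the same Windows Azure AD signing key for every tenant: a valid signature proves only that some tenant's user authenticated, and it is the Tenant ID claim, compared against the set recorded during the consent flow, that decides whether that tenant may use the application at all. Key the user record on Object Identifier rather than on Name, which can be changed by the tenant administrator.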

20 (repeats the diagram of slide 18: customer tenant administrator consents to application install)


