azure active directory - an introduction for developers

Upload: john-garland

Post on 18-Jul-2015

Consulting/Training

Azure Active Directory – An Introduction for Developers


John Garland

Microsoft MVP Windows Platform Development

Member Microsoft Azure Insider

Azure Mobile Services Advisory Board

Author Windows Store Apps Succinctly

Co-Author Programming the Windows Runtime by Example

MCPD Azure, Windows Developer, Windows Phone

MCTS Silverlight

[email protected]

@dotnetgator

Wintellect Principal Consultant

About Wintellect – who we are

consulting

Wintellect helps you build better software, faster, tackling the tough projects and solving the software and technology questions that help you transform your business.

Architecture, Analysis and Design

Full lifecycle software development

Debugging and Performance tuning

Database design and development

training

Wintellect's courses are written and taught by some of the biggest and most respected names in the Microsoft programming industry.

Learn from the best. Access the same training Microsoft’s developers enjoy

Real world knowledge and solutions on both current and cutting edge technologies

Flexibility in training options – onsite, virtual, on demand

Wintellect is the only company that offers the combined value of world class consulting services along with onsite, virtual and on-demand developer training. We help companies build better software, faster, helping you maximize and protect your consulting and training investments through ongoing knowledge transfer.

Agenda

A Simple Demo – Adding Authentication to an ASP.NET MVC Application

An Overview of Azure Active Directory

The Developer Story

Background – Integrating an Application’s Authentication with Azure Active Directory

Demo – Working with the Azure Active Directory Graph API

Demo – Calling a Secured Web API from a Secured Web App

Demo – Calling a Secured Web API from a Native Client Application

Wrapup


Securing MVC Web Application Content with Azure Active Directory

What Have We Seen?

Created an app entry in an Azure Active Directory tenant (and some users)

Used the OWIN middleware to add authentication support to the MVC Web App

Configured the OWIN middleware to know about the AD app

Azure Active Directory – What Is It?

Identity & Access Management as a Service

You decide who the users are, what information is stored, who can get at it, who can manage it, and what apps can use it.

Microsoft is responsible for keeping it all running.

Standalone, but can be synced with on-premises AD

3 Editions: Free, Basic, Premium

Application integration via support for several standard authentication protocols (SAML 2.0, WS-Federation, OpenID Connect)

Features | Basic | Premium (+ Basic Features)

Directory objects | No Object Limit | No Object Limit

(row label lost) | | No Limit

Adv Security Reports | | Yes (Advanced)**

Group-based access management/provisioning | Yes | Yes

Self-Service Password Reset for cloud users | Yes | Yes

Company Branding (Logon Pages/Access Panel customization) | Yes | Yes

SLA | Yes (99.9%) | Yes (99.9%)

Azure Active Directory != Windows Active Directory

Designed for “The Cloud” (as opposed to being retrofitted/adapted)

REST Graph API with OData syntax for queries (instead of LDAP)

Synchronize OR Connect to on-prem AD (ADFS is optional) via AAD Connect

Sync: User attributes synced using Identity Sync Services (includes a password hash); authentication completes against AAD

Connect: User attributes synced via Identity Sync Services; authentication is passed back to local AD via ADFS and completed locally

Synchronize OR Connect to external SaaS applications

But Wait, There’s More!

Company Branding for Sign-In Screen

Active Directory Application Proxy

Access Control Services 2.0

Multi-Factor Authentication

Security Reporting and Alerts

License Management

Leverage Single Sign On with 2400+ 3rd party apps in the Azure AD App Gallery

Etc…

Azure Active Directory Development Terminology

Applications – Entities that rely on AAD for Authentication

Configuration Values:

ClientID – Unique ID (GUID) for an application

Application ID URI – Sent to AAD to indicate what the caller wants a token for

ReplyURL – For a web API or web application, the location to which Azure AD will send the authentication response

Redirect URI – For an OAuth 2.0 request, a unique identifier to which Azure AD will redirect the user-agent

Domains

Default <tenant>.onmicrosoft.com

A default domain is created with your Azure Subscription for managing Azure Management Access

Can also provision custom domain names, use the tenant ID, or use the “custom” tenant

Users

Create in the portal, via AAD PowerShell cmdlet, or via sync

Fundamentals of Token-Based Web Authentication

First Step – Stand up some middleware in front of the server

Intercept requests and redirect if necessary to an Identity Provider (IdP).

The IdP issues a token back to the client (browser, app), which is provided to the server that is hosting the secured resource.

The Server verifies the token with the IdP and – if valid – allows the request to continue.

Later

Additional logic can request more information about the verified identity and check to determine whether the resource in question can be accessed.

OpenID Auth Code Authentication Flow

Participants: Client (eg – Your Web Browser), Relying Party (eg – Your Web App), Identity Provider (IdP) (eg – Azure Active Directory)

1 – Request Resource (Client → Relying Party)

2 – Redirect to IdP (Relying Party → Client)

3 – Request Code (Client → IdP)

4 – Challenge/Response (IdP ↔ Client)

5 – Return an Access Code (IdP → Client)

6 – Send Auth Code To Server (Client → Relying Party)

OAuth-A OAuth-T
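The flow on this slide, together with the token checks described on the Fundamentals of Token-Based Web Authentication slide, carried through as a constructed walk-through. This code is added here and is not from the presentation, from Microsoft's OWIN middleware or from ADAL; the issuer, ClientID, ReplyURL, user names and the HS256 shared-key signing are placeholders and simplifications (Azure AD ID tokens are RS256-signed and are verified against the tenant's published signing keys, which the OWIN middleware fetches for you). The relying party generates state and nonce when it redirects (step 2), rejects a callback whose state does not match its session, redeems the one-time code at the token endpoint (step 6) and validates algorithm, signature, issuer, audience, expiry, not-before and nonce before letting the request continue.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed configuration: placeholder values, not a real tenant or app.
ISSUER = "https://login.example-idp.test/tenant-placeholder/"
CLIENT_ID = "00000000-0000-0000-0000-000000000001"     # placeholder ClientID (GUID)
REPLY_URL = "https://webapp.example.test/signin-oidc"  # ReplyURL / Redirect URI
SIGNING_KEY = b"constructed-shared-secret"  # HS256 stand-in; Azure AD uses RS256 keys

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

# ---- Relying Party (your web app) ----
def build_authorize_request(session: dict) -> str:
    # Step 2: state ties the callback to this browser session; nonce ties the
    # ID token to this particular request (replay protection).
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    query = {"client_id": CLIENT_ID, "response_type": "code", "scope": "openid profile",
             "redirect_uri": REPLY_URL, "state": session["state"], "nonce": session["nonce"]}
    return ISSUER + "oauth2/authorize?" + urlencode(query)

def handle_callback(session: dict, callback_url: str, idp) -> dict:
    # Step 6: check state, redeem the code, validate the ID token before trusting claims.
    params = _query(callback_url)
    if not hmac.compare_digest(params.get("state", ""), session.get("state", "")):
        raise ValueError("state mismatch: callback not bound to this session")
    id_token = idp.token_endpoint(params["code"], REPLY_URL, CLIENT_ID)
    return validate_id_token(id_token, session.pop("nonce"))

def validate_id_token(token: str, expected_nonce: str, now: float = None) -> dict:
    # The checks the server makes locally: algorithm, signature, issuer, audience,
    # expiry, not-before and nonce. Any failure means the request must not continue.
    now = time.time() if now is None else now
    try:
        h, p, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # never trust the token's alg
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(sig), expected):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not issued for this app")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims

# ---- Identity Provider (toy in-memory stand-in for Azure AD) ----
class ToyIdP:
    def __init__(self):
        self._codes = {}  # one-time authorization codes

    def authorize(self, authorize_url: str, user: str) -> str:
        # Steps 3-5: after the user signs in, issue a code and redirect back.
        q = _query(authorize_url)
        code = secrets.token_urlsafe(12)
        self._codes[code] = (q["client_id"], q["redirect_uri"], q["nonce"], user)
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token_endpoint(self, code: str, redirect_uri: str, client_id: str) -> str:
        cid, ruri, nonce, user = self._codes.pop(code)  # pop: a code redeems once
        if (cid, ruri) != (client_id, redirect_uri):
            raise ValueError("code was not issued to this client/redirect")
        now = int(time.time())
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = _b64url(json.dumps({"iss": ISSUER, "aud": client_id, "sub": user, "iat": now,
                                      "nbf": now, "exp": now + 3600, "nonce": nonce}).encode())
        sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url(sig)}"

def run_flow(user: str = "alice@example.test") -> dict:
    # Drives steps 1-6 end to end (step 1 is the request that triggers the redirect).
    session, idp = {}, ToyIdP()
    callback = idp.authorize(build_authorize_request(session), user)
    return handle_callback(session, callback, idp)
```

Calling run_flow() returns the validated claims for the constructed user. The checks in validate_id_token are the ones the OWIN middleware performs for you when you configure it with the tenant and ClientID; the example makes them explicit so that what "verifies the token" means on the Fundamentals slide is visible.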

ASP.NET Authentication Middleware

Then – Windows Identity Foundation (WIF)

API for building claims-aware applications

Configuration heavy, older tech, a product of a different era (WS-Fed)

Authentication tooling in ASP.NET VS2013 Projects leverages WIF

Now – “Katana” – Microsoft’s ASP.NET OWIN implementation.

WS-Fed, OpenID Connect

MUCH simpler to work with

Hopefully VS Projects will get significant OWIN tooling “SOON”

Tools for Working with Azure Active Directory

Azure AD Graph Client Library

Wraps the REST API for Azure Active Directory – Access objects such as Users, Groups, Contacts, Tenant Information, Roles, Applications, Permissions

OAuth 2.0 Support, supports both Client Credentials and Authorization Code flow

Does not depend on ADAL, but often used together

AD Authentication Library (ADAL)

Authenticate users to AD and obtain access tokens for securing API calls

Manage token caching & lifetime

Works with Azure AD, Windows Server ADFS for Windows Server 2012 R2, and ACS

Available for .NET, Windows Store (WinRT), Node.js

V3.0 (Pre) is a PCL with support for WinRT, Xamarin iOS, Xamarin Android


Calling the Graph API from an Authenticated MVC Web Site Endpoint

Now What If…

The previous example looked at

Securing one or more endpoints of an ASP.NET MVC app

Using parts of the work done to authenticate the MVC App endpoint to also access the Azure AD Graph

Now What If

The Web App needs to call a secured Web API? As the App? As the User?

A Native Client App needs to call the same secured Web API?


Flowing authentication from a Web App to a Web Service

Calling the same Web Service from a Native Client Application

What Have We Seen

Using OWIN Middleware to add AAD-based authentication to an MVC Web App endpoint

Using Web App authentication credentials to call the AAD Graph API

Using Web App authentication credentials to call a Web API service as both a user and an app

Calling a Web API that requires authentication from a Native App

Resources

APIs and Sample Code

Azure AD Authentication Library for .NET - http://msdn.microsoft.com/en-us/library/azure/jj573266.aspx

Azure AD Graph API - http://msdn.microsoft.com/en-us/library/azure/hh974476.aspx

Azure Active Directory Code Samples - http://msdn.microsoft.com/en-us/library/azure/dn646737.aspx

Claims

A Guide to Claims-Based Identity and Access Control (2nd Edition) - http://msdn.microsoft.com/en-us/library/ff423674.aspx

Azure Active Directory Videos

Channel 9 AAD Series - http://channel9.msdn.com/Series/Windows-Azure-Active-Directory

TechEd Europe 2014 - http://channel9.msdn.com/Events/TechEd/Europe/2014?tag=microsoft-azure-active-directory

Azure AD Samples

Native Clients

WPF calling Web API

WinRT calling Web API

Call Web API, calling another Web API

Xamarin – Multiple OS’s

Headless calling Web API

Daemons (Services)

Calling Web API (Password & Certificate)

.NET Web Apps

Call via OpenID Connect & WS-Fed

App calls Web API via OpenID Connect, OAuth2 (App & User Identities)

SPAs

JavaScript client calling to .NET service

Calling Azure AD Graph API

RBAC via Groups and Roles

And many more…

$0.05 of Advice

Get to know the basic concepts of distributed application authentication

Get familiar with the lay-of-the-land of the AAD Samples

See if your needs [align with || can be slightly pivoted to align with] the concepts shown in the AAD Samples, and then use them as a roadmap

If you’re a .NET developer, focus on leveraging the ASP.NET OWIN (“Katana”) middleware components in your applications (unless you are already moving forward to vNext)


Thank You