azure active directory - an introduction for developers
TRANSCRIPT
Consulting/Training
John Garland
Microsoft MVP Windows Platform Development
Member Microsoft Azure Insider
Azure Mobile Services Advisory Board
Author Windows Store Apps Succinctly
Co-Author Programming the Windows Runtime by Example
MCPD Azure, Windows Developer, Windows Phone
MCTS Silverlight
@dotnetgator
Wintellect Principal Consultant
consulting
Wintellect helps you build better software, faster, tackling the tough projects and solving the software and technology questions that help you transform your business.
Architecture, Analysis and Design
Full lifecycle software development
Debugging and Performance tuning
Database design and development
training
Wintellect's courses are written and taught by some of the biggest and most respected names in the Microsoft programming industry.
Learn from the best. Access the same training Microsoft’s developers enjoy
Real world knowledge and solutions on both current and cutting edge technologies
Flexibility in training options – onsite, virtual, on demand
Wintellect is the only company that offers the combined value of world class consulting services along with onsite, virtual and on-demand developer training. We help companies build better software, faster, helping you maximize and protect your consulting and training investments through ongoing knowledge transfer.
who we are
About Wintellect
A Simple Demo – Adding Authentication to an ASP.NET MVC Application
An Overview of Azure Active Directory
The Developer Story
Background – Integrating an Application’s Authentication with Azure Active Directory
Demo – Working with the Azure Active Directory Graph API
Demo – Calling a Secured Web API from a Secured Web App
Demo – Calling a Secured Web API from a Native Client Application
Wrapup
Agenda
Created an app entry in an Azure Active Directory tenant (and some users)
Used the OWIN middleware to add authentication support to the MVC Web App
Configured the OWIN middleware to know about the AD app
What Have We Seen?
Identity & Access Management as a Service
You decide who the users are, what information is stored, who can get at it, who can manage it, and what apps can use it.
Microsoft is responsible for keeping it all running.
Standalone, but can be synced with on-premises AD
3 Editions: Free, Basic, Premium
Application integration via support for several standard authentication protocols (SAML 2.0, WS-Federation, OpenID Connect)
Azure Active Directory – What Is It?
Edition feature comparison (slide table, partially recovered; the columns are Basic and Premium, where Premium includes everything in Basic)
Features – Basic / Premium (+ Basic)
Group-based access management/provisioning – Yes / Yes
Self-Service Password Reset for cloud users – Yes / Yes
Company Branding (Logon Pages/Access Panel customization) – Yes / Yes
SLA – Yes (99.9%) / Yes (99.9%)
Adv Security Reports – Yes (Advanced)** (other column not recovered)
Other cells recovered from the same table, row labels lost: No Object Limit, No Object Limit, No Limit
Designed for “The Cloud” (as opposed to being retrofitted/adapted)
REST Graph API with OData syntax for queries (instead of LDAP)
Synchronize OR Connect to on-prem AD (ADFS is optional) via AAD Connect
Sync
User attributes synced using Identity Sync Services (includes a password hash)
Authentication completes against AAD
Connect
User attributes synced via Identity Sync Services
Authentication passed back to local AD via ADFS and is completed locally
Synchronize OR Connect to external SaaS applications
Azure Active Directory != Windows Active Directory
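The Graph API queries mentioned above are written with OData query options rather than LDAP filters. The Python example below is added here and is not code from the talk or from the Azure AD Graph client library: it builds a /users query against the Azure AD Graph endpoint (https://graph.windows.net, api-version 1.6), shows how a string value is quoted as an OData literal so that a quote inside it cannot end the literal early, and evaluates the same two filter forms over a few constructed user records. The tenant name and the users are placeholders.

```python
"""Building and interpreting Azure AD Graph API queries written in OData syntax.

Added example, not code from the talk. Assumes the Azure AD Graph endpoint
https://graph.windows.net with api-version 1.6; the tenant name and the user
records are constructed placeholders.
"""
import re
from urllib.parse import parse_qs, urlencode, urlparse

GRAPH_BASE = "https://graph.windows.net"
TENANT = "contoso.onmicrosoft.com"  # placeholder tenant, not from the talk

# Constructed directory users standing in for the tenant's /users collection.
USERS = [
    {"displayName": "Alice Adams", "userPrincipalName": "alice@" + TENANT},
    {"displayName": "Bob O'Brien", "userPrincipalName": "bob@" + TENANT},
    {"displayName": "Carol Chen", "userPrincipalName": "carol@" + TENANT},
]


def odata_literal(value: str) -> str:
    """Quote a string as an OData literal; a single quote inside it is doubled,
    so a value taken from user input cannot terminate the literal early."""
    return "'" + value.replace("'", "''") + "'"


def startswith_filter(field: str, prefix: str) -> str:
    return f"startswith({field},{odata_literal(prefix)})"


def eq_filter(field: str, value: str) -> str:
    return f"{field} eq {odata_literal(value)}"


def build_users_query(filter_expr: str, top: int = 10) -> str:
    """The REST URL a client would GET: tenant, collection, api-version and the
    OData query options, URL-encoded."""
    query = {"api-version": "1.6", "$filter": filter_expr, "$top": str(top)}
    return f"{GRAPH_BASE}/{TENANT}/users?{urlencode(query)}"


# Service-side stand-in: evaluate the two filter forms above over the records.
_STARTSWITH = re.compile(r"^startswith\((\w+),'((?:[^']|'')*)'\)$")
_EQ = re.compile(r"^(\w+) eq '((?:[^']|'')*)'$")


def _unescape(literal: str) -> str:
    return literal.replace("''", "'")


def evaluate_filter(filter_expr: str, records: list) -> list:
    m = _STARTSWITH.match(filter_expr)
    if m:
        field, prefix = m.group(1), _unescape(m.group(2))
        return [r for r in records if str(r.get(field, "")).startswith(prefix)]
    m = _EQ.match(filter_expr)
    if m:
        field, value = m.group(1), _unescape(m.group(2))
        return [r for r in records if r.get(field) == value]
    raise ValueError("unsupported $filter: " + filter_expr)


def find_users_by_prefix(prefix: str) -> list:
    """Round trip: build the URL, parse the query back out as the service would,
    and return the matching display names."""
    url = build_users_query(startswith_filter("displayName", prefix))
    options = parse_qs(urlparse(url).query)
    if options["api-version"] != ["1.6"]:
        raise ValueError("unexpected api-version")
    return [u["displayName"] for u in evaluate_filter(options["$filter"][0], USERS)]


if __name__ == "__main__":
    print(build_users_query(startswith_filter("displayName", "Bob O'")))
    print(find_users_by_prefix("Bob O'"))  # ["Bob O'Brien"]
```

The evaluator deliberately accepts only the two filter shapes it understands; anything else is rejected rather than guessed at, which is the same posture a real service takes toward malformed query options.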
Company Branding for Sign-In Screen
Active Directory Application Proxy
Access Control Services 2.0
Multi-Factor Authentication
Security Reporting and Alerts
License Management
Leverage Single Sign On with 2400+ 3rd party apps in the Azure AD App Gallery
Etc…
But Wait, There’s More!
Applications
Entities that rely on AAD for Authentication
Configuration Values:
ClientID – Unique ID (GUID) for an application
Application ID URI – Sent to AAD to indicate what the caller wants a token for
ReplyURL – For a web API or web application, the location to which Azure AD will send the authentication response
Redirect URI – For an OAuth 2.0 request, a unique identifier to which Azure AD will redirect the user-agent
Domains
Default <tenant>.onmicrosoft.com
A default domain is created with your Azure Subscription for managing Azure Management Access
Can also provision custom domain names, use the tenant ID, or use the “custom” tenant
Users
Create in the portal, via AAD PowerShell cmdlet, or via sync
Azure Active Directory Development Terminology
First Step – Stand up some middleware in front of the server
Intercept requests and redirect if necessary to an Identity Provider (IdP).
The IdP issues a token back to the client (browser, app), which is provided to the server that is hosting the secured resource.
The Server verifies the token with the IdP and – if valid – allows the request to continue.
Later
Additional logic can request more information about the verified identity and check whether the resource in question can be accessed.
Fundamentals of Token-Based Web Authentication
OpenID Auth Code Authentication Flow
Parties on the diagram: Client (eg – Your Web Browser), Relying Party (eg – Your Web App), Identity Provider (IdP) (eg – Azure Active Directory)
Endpoint labels on the diagram: OAuth-A, OAuth-T
1 – Request Resource
2 – Redirect to IdP
3 – Request Code
4 – Challenge/Response
5 – Return an Access Code
6 – Send Auth Code To Server
9: (label not recovered from the slide)
Then - Windows Identity Foundation (WIF)
API for building claims-aware applications
Configuration heavy, older tech, a product of a different era (WS-Fed)
Authentication tooling in ASP.NET VS2013 Projects leverages WIF
Now - “Katana” – Microsoft’s ASP.NET OWIN implementation.
WS-Fed, OpenID Connect
MUCH simpler to work with
Hopefully VS Projects will get significant OWIN tooling “SOON”
ASP.NET Authentication Middleware
Azure AD Graph Client Library
Wraps the REST API for Azure Active Directory – access objects such as Users, Groups, Contacts, Tenant Information, Roles, Applications, Permissions
OAuth 2.0 Support, supports both Client Credentials and Authorization Code flow
Does not depend on ADAL, but often used together
AD Authentication Library (ADAL)
Authenticate users to AD and obtain access tokens for securing API calls
Manage token caching & lifetime
Works with Azure AD, Windows Server ADFS for Windows Server 2012 R2, and ACS
Available for .NET, Windows Store (WinRT), Node.js
V3.0 (Pre) is a PCL with support for WinRT, Xamarin iOS, Xamarin Android
Tools for Working with Azure Active Directory
The previous example looked at
Securing one or more endpoints of an ASP.NET MVC app
Using parts of the work done to authenticate the MVC App endpoint to also access the Azure AD Graph
Now What If
The Web App needs to call a secured Web API? As the App? As the User?
A Native Client App needs to call the same secured Web API?
Now What If…
Flowing authentication from a Web App to a Web Service
Calling the same Web Service from a Native Client Application
Using OWIN Middleware to add AAD-based authentication to an MVC Web App endpoint
Using Web App authentication credentials to call the AAD Graph API
Using Web App authentication credentials to call a Web API service as both a user and an app
Calling a Web API that requires authentication from a Native App
What Have We Seen
APIs and Sample Code
Azure AD Authentication Library for .NET - http://msdn.microsoft.com/en-us/library/azure/jj573266.aspx
Azure AD Graph API - http://msdn.microsoft.com/en-us/library/azure/hh974476.aspx
Azure Active Directory Code Samples - http://msdn.microsoft.com/en-us/library/azure/dn646737.aspx
Claims
A Guide to Claims-Based Identity and Access Control (2nd Edition) - http://msdn.microsoft.com/en-us/library/ff423674.aspx
Azure Active Directory Videos
Channel 9 AAD Series - http://channel9.msdn.com/Series/Windows-Azure-Active-Directory
TechEd Europe 2014 - http://channel9.msdn.com/Events/TechEd/Europe/2014?tag=microsoft-azure-active-directory
Resources
Native Clients
WPF calling Web API
WinRT Calling WebAPI
Call Web API, calling another WebAPI
Xamarin – Multiple OS’s
Headless calling Web API
Daemons (Services)
Calling WebAPI (Password & Certificate)
.NET Web Apps
Call via OpenID Connect & WS-Fed
App calls Web API via OpenID Connect,
OAuth2 (App & User Identities)
SPAs
JavaScript client calling to .NET service
Calling Azure AD Graph API
RBAC via Groups and Roles
Azure AD Samples
And many more…
Get to know the basic concepts of distributed application authentication
Get familiar with the lay-of-the-land of the AAD Samples
See if your needs [align with || can be slightly pivoted to align with] the concepts shown in the AAD Samples, and then use them as a roadmap
If you’re a .NET developer, focus on leveraging the ASP.NET OWIN (“Katana”) middleware components in your applications (unless you are already moving forward to vNext)
$0.05 of Advice