Building Secure Cloud Applications for the Enterprise
DESCRIPTION
A cornerstone for just about any application is the identity of the users using it. In an enterprise, user identity is often managed in Windows Server Active Directory, and enterprise developers building line-of-business (LOB) applications have become accustomed to using Windows Authentication to authenticate users of their application with their Active Directory credentials. Today, as enterprise developers target Microsoft Azure for their cloud applications, handling the identity and access needs of users in a way that is secure, robust and familiar to users is absolutely critical. After all, the online world is extremely hostile. The good news is we don't have to be security experts to build secure LOB applications. We can leverage the services of Azure Active Directory and the industry-standard protocols it supports. We can leverage libraries like Windows Identity Foundation (WIF) / .NET Framework, the Active Directory Authentication Library (ADAL), and the Graph API to build secure, claims-based applications. And finally, we can use Visual Studio to pull it all together in a developer-friendly way. If you want to learn how, then this session is for you.
TRANSCRIPT
Building Secure Cloud Applications for the Enterprise
Microsoft Azure
• Azure Web Site
• Visual Studio 2013
• Azure Active Directory
• Azure SDK
Introductions…
• About me
  • Rick Rainey
  • Independent Consultant, Trainer, Writer, Speaker
• Contact information
  • [email protected]
  • @RickRaineyTx
  • http://rickrainey.com
  • LinkedIn: www.linkedin.com/rickrain
Agenda
• Introduction to Azure Active Directory
• Developing for Azure Active Directory
  • Claims-Based Identity
  • .NET Framework Classes and Client Libraries
  • Visual Studio 2013
An Introduction to Azure Active Directory
What is it?
What Azure Active Directory is not
[Diagram: Contoso's on-premises Windows Server Active Directory, and Contoso virtual machines running Windows Server Active Directory in Microsoft Azure]
What Azure Active Directory is
[Diagram: Contoso, Fabrikam and Northwind tenants in Azure Active Directory, running in Microsoft Azure]
A multi-tenant service providing identity and access management capabilities for the cloud.
Azure Active Directory for an Enterprise (example)
[Diagram: Contoso's on-premises Windows Server Active Directory extended to an Azure Active Directory tenant in Microsoft Azure, which protects the Contoso Paystub App, the Contoso Benefits App and other LOB apps]
• Extend an on-premises Windows Server Active Directory to Azure AD.
• Protect access to cloud applications.
• Grant access to SaaS applications.
DEMO
Azure Active Directory
• A lap around Azure AD using the Azure Management Portal
Developing for Azure Active Directory
Azure AD’s Application Endpoints
• WS-Federation
  • https://login.windows.net/<tenant id>/wsfed
• SAML-P
  • https://login.windows.net/<tenant id>/saml2
• Azure AD Graph API
  • https://graph.windows.net/<tenant id>
• OAuth 2.0 Token
  • https://login.windows.net/<tenant id>/oauth2/token
• OAuth 2.0 Authorization
  • https://login.windows.net/<tenant id>/oauth2/authorize
Accessing the Endpoints
• REST APIs
• Client Libraries
  • .NET Framework / Windows Identity Foundation
  • Active Directory Authentication Library (ADAL)
  • Azure Active Directory Graph Client Library
Windows Identity Foundation
• A set of .NET Framework classes…
  • Claim
    • Statement about a user or entity provided by an Identity Provider
  • ClaimsPrincipal
    • Claims collection, Identities collection, IsInRole, and more
  • ClaimsIdentity
    • Name, Authentication Type
• …and HTTP Modules
  • WSFederationAuthenticationModule (WSFAM)
  • SessionAuthenticationModule (SAM)
*** Already included in .NET Framework 4.5 and higher. ***
What is Claims-Based Identity?
[Diagram: a Subject, a Relying Party (RP), and the Dept. of Transportation as Identity Provider (IdP)]
Subject: I would like a Blue Moon please.
Relying Party: You look under age. Show me some ID.
Subject: Thank you for that compliment… allow me to present to you my driver’s license.
Externalized authentication to the Dept. of Transportation (the Identity Provider).
WS-Federation: Simplified
[Diagram: Azure Active Directory and the Contoso Benefits Website]
• Contoso Benefits Website: "I trust tokens from the Contoso directory tenant."
• A Contoso user authenticates with Azure AD.
Windows Identity Foundation
[Diagram: WIF running inside the Contoso Benefits Website]
• Validates the token signature
• Decrypts the token
• Extracts the claims
• Sets session cookies
• Optionally invokes authorization code
• And a lot more…
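Once WIF has done the work listed above, the application sees a ClaimsPrincipal and only has to decide what to trust in it. The following is an added example, not code from the deck: it checks that the token was issued for the expected tenant (the tenantid claim type is the one Azure AD issues) and keys the user on the directory object id rather than a display name. The expected tenant id is a placeholder you would load from configuration.

```csharp
using System;
using System.Security.Claims;

public static class ContosoClaims
{
    // Azure AD-specific claim types (not members of the ClaimTypes class).
    public const string TenantIdClaim =
        "http://schemas.microsoft.com/identity/claims/tenantid";
    public const string ObjectIdClaim =
        "http://schemas.microsoft.com/identity/claims/objectidentifier";

    // Placeholder: the tenant id the application was registered in.
    public static readonly string ExpectedTenantId = "<tenant id>";

    // WIF has already validated signature, expiry and audience. What is left
    // is application-level trust: accept only identities from our own tenant,
    // which matters as soon as more than one tenant can reach the sign-in page.
    public static bool IsFromExpectedTenant(ClaimsPrincipal principal)
    {
        if (principal == null || principal.Identity == null ||
            !principal.Identity.IsAuthenticated)
            return false;
        Claim tid = principal.FindFirst(TenantIdClaim);
        return tid != null &&
               string.Equals(tid.Value, ExpectedTenantId,
                             StringComparison.OrdinalIgnoreCase);
    }

    // Stable key for the user: the directory object id. Name and UPN can be
    // changed by an administrator and must not be used as a record key.
    public static string GetUserKey(ClaimsPrincipal principal)
    {
        Claim oid = principal.FindFirst(ObjectIdClaim);
        return oid == null ? null : oid.Value;
    }

    // Typical use from an MVC action: refuse foreign tenants, then read claims.
    public static string DescribeCurrentUser()
    {
        ClaimsPrincipal principal = ClaimsPrincipal.Current;
        if (!IsFromExpectedTenant(principal))
            throw new UnauthorizedAccessException(
                "Token was not issued for the expected tenant.");

        Claim name = principal.FindFirst(ClaimTypes.Name);
        string displayName = name == null ? "(no name claim)" : name.Value;
        string key = GetUserKey(principal) ?? "(no object id claim)";
        bool isAdmin = principal.IsInRole("Admin"); // role claims, if issued
        return displayName + " [" + key + "] admin=" + isAdmin;
    }
}
```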
DEMO
Developing for Azure Active Directory
• Build an Azure Website protected by Azure Active Directory
Active Directory Authentication Library (ADAL)
Active Directory Authentication Library
• A library that provides simple authentication functionality for client applications.
• Works with Azure Active Directory and Windows Server Active Directory (with ADFS).
• Download from the NuGet package gallery.
ADAL Scenarios
• Authenticate users of a client application to a remote resource
• Authenticate a server application to a remote resource
• Authenticate a server application on behalf of a user to access a remote resource
ADAL Notable Classes and Methods
• AuthenticationContext
  • An instance of an authority, such as an Azure AD tenant or a Windows Server ADFS
  • AcquireToken(…) method
• AuthenticationResult
  • Contains the AccessToken to use when accessing a protected resource.
Azure Active Directory Graph (“Graph API”)
Azure Active Directory Graph Client Library
• A library that provides CRUD capabilities for objects in Azure Active Directory.
  • A wrapper for the native REST APIs.
• Works with Azure Active Directory.
• Download from the NuGet package gallery.
Graph API Scenarios
• Query the directory
  • List of users, groups, company information, and more.
  • Get details about an object (user, group, etc.) in the directory.
• Add, update, or delete (or just disable) a user.
• Check a user’s group membership for RBAC cases.
• And more…
Azure AD Graph Client Library - Notables
• GraphConnection
  • Represents a “connection” to an Azure AD tenant.
  • Requires an AccessToken, which you get from ADAL.
• The application must be configured in Azure AD with the appropriate permissions
  • Sign on and read user profile
  • Read directory data
  • Write directory data
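The "server application to a remote resource" ADAL scenario and the Graph API query scenario above fit together as follows. This is an added example, not code from the deck or from the libraries' samples: it uses ADAL's AuthenticationContext and AcquireToken(…) with a client credential to get a token for the Graph API, then calls the Graph REST endpoint directly with HttpClient. Tenant id, client id and client secret are placeholders read from configuration, and the api-version query value is an assumption that must match the Graph API version you target.

```csharp
using System;
using System.Configuration;
using System.Net.Http;
using System.Net.Http.Headers;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class GraphDaemon
{
    // Resource identifier of the Graph API, as it appears in the token's audience.
    const string GraphResource = "https://graph.windows.net";

    public static string AcquireGraphToken(string tenantId, string clientId, string clientSecret)
    {
        // Authority = the tenant's login endpoint; ADAL appends /oauth2/token itself.
        var context = new AuthenticationContext("https://login.windows.net/" + tenantId);

        // Client credential flow: the app authenticates as itself, no user involved.
        // The secret comes from configuration, never from source code.
        var credential = new ClientCredential(clientId, clientSecret);
        AuthenticationResult result = context.AcquireToken(GraphResource, credential);

        if (result == null || string.IsNullOrEmpty(result.AccessToken))
            throw new InvalidOperationException("Azure AD returned no access token.");

        // ADAL keeps the token in its default cache and hands it back until it
        // nears expiry, so calling this per request is fine.
        return result.AccessToken;
    }

    // Lists users in the tenant. Requires the "Read directory data" permission
    // to have been granted to the application in Azure AD.
    public static string ListUsersJson(string tenantId, string accessToken)
    {
        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", accessToken);
            // api-version is mandatory on Graph API calls; "1.6" is an assumption.
            string url = "https://graph.windows.net/" + tenantId + "/users?api-version=1.6";
            HttpResponseMessage response = http.GetAsync(url).Result;
            response.EnsureSuccessStatusCode(); // 401/403 means missing permission or bad token
            return response.Content.ReadAsStringAsync().Result;
        }
    }

    public static string Run()
    {
        // Placeholder appSettings keys; values live in web.config / app.config.
        string tenant = ConfigurationManager.AppSettings["ida:TenantId"];
        string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
        string secret = ConfigurationManager.AppSettings["ida:ClientSecret"];
        return ListUsersJson(tenant, AcquireGraphToken(tenant, clientId, secret));
    }
}
```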
DEMO
ADAL and Graph Client Library
• Build an application that performs CRUD operations in Azure Active Directory
Some Key Take-Aways
• Azure Active Directory
  • A multi-tenant service providing identity and access management for cloud applications
  • Can be integrated with an on-premises Windows Server Active Directory
• Active Directory Authentication Library (ADAL)
  • Provides authentication capabilities for client apps
• Azure Active Directory Graph Client Library (“Graph API”)
  • Provides CRUD capabilities for directory data and objects
References
• [blog] Azure Active Directory Graph Client Library 1.0
  • http://bit.ly/1r5jIcz
• [blog] Authenticating with Organizational Accounts and Azure Active Directory
  • http://bit.ly/1s5DEhp
• [blog] Deep Dive: Azure Websites and Organizational Authentication using Azure AD
  • http://bit.ly/ZoDPrk
• Vittorio Bertocci’s Blog
  • http://www.cloudidentity.com/blog/
• Active Directory Team Blog
  • http://blogs.technet.com/b/ad/