Windows Azure Active Directory

patterns & practices Symposium 2013 Windows Azure Active Directory Vittorio Bertocci [email protected] @vibronet

DESCRIPTION

Windows Azure Active Directory. Vittorio Bertocci [email protected] @vibronet. Directories offer the best model for business applications. Traditional directories don’t work too well with cloud workloads. One Cloud Directory for Every Organization.

TRANSCRIPT

Page 1: Windows Azure Active Directory

patterns & practices Symposium 2013

Windows Azure Active Directory

Vittorio Bertocci [email protected]

@vibronet

Page 2: Windows Azure Active Directory

directories offer the best model for business applications

Page 3: Windows Azure Active Directory

traditional directories don’t work too well with cloud workloads

Page 4: Windows Azure Active Directory

One Cloud Directory for Every Organization

Page 5: Windows Azure Active Directory

Cloud Apps and Users from Organizations

[Diagram labels: Apps you buy, Your LoB Apps, Apps you sell, Your Customers’ Directories, Your Directory]

Page 6: Windows Azure Active Directory

Agenda

• The Directory Pattern
• Directory in Action: Windows Azure for Organizations
• Your Directory and Line of Business Apps in the Cloud
• Your Customer’s Directory and your SaaS Apps in the Cloud

Page 7: Windows Azure Active Directory

Directories

Page 8: Windows Azure Active Directory

The Directory Approach

[Diagram labels: Manage, Authenticate, Direct Reports, MemberOf, Asset]

Page 9: Windows Azure Active Directory

Anatomy of Windows Azure Active Directory

[Diagram labels: App, Contoso’s On-Premises Directory, Dir Sync, Contoso’s WA AD Tenant, Windows Azure Active Directory, Management Portal, AM, Graph API, OAuth2, SAML-P, WS-Federation, Metadata]

Page 10: Windows Azure Active Directory

Directory in Action: Windows Azure for Organizations

Page 11: Windows Azure Active Directory

DEMO

Accessing the Windows Azure Portal With an Organizational Identity

Page 12: Windows Azure Active Directory

Advantages of Using Organizational Identities

• Centrally managed provisioning and deprovisioning
• Enforceable credential policies
• Multiple authentication factors
• Better User Experience
  - Fewer credentials to remember

Page 13: Windows Azure Active Directory

Your Directory and Your LoB Applications in the Cloud

Page 14: Windows Azure Active Directory

Using the ASP.NET tools to connect to Windows Azure AD

DEMO

Page 15: Windows Azure Active Directory

Connecting your LoB App to Windows Azure AD

[Diagram labels: Windows Azure Active Directory, OAuth2, SAML-P, WS-Federation, Metadata, Graph API, Contoso’s WA AD Tenant, ServicePrincipal, Your LoB App, WIF Config, WIF Modules]

Page 16: Windows Azure Active Directory

The Graph API

• RESTful Interface to Windows Azure Active Directory
  - Compatible with OData V3
  - Uses OAuth 2.0 for Authentication and Role Based Assignment for Application and Users, for Authorization
• Programmatic access to Windows Azure Active Directory
  - Objects such as Users, Groups, Contacts, Tenant Information, Licensing, Roles
  - Support Links such as Member, memberOf, Manager, DirectReport
  - Differential queries
• Requests use standard HTTP methods
  - GET, POST, PATCH, DELETE to create, read, update, and delete directory objects
  - Responses support XML and JSON, and standard HTTP status codes

Page 17: Windows Azure Active Directory

Your Customer’s Directory & Your SaaS Apps in the Cloud

Page 18: Windows Azure Active Directory

Seamless Consent for SaaS Apps

DEMO

Page 19: Windows Azure Active Directory

The Application Publishing Flow

• Visual Studio: Modify your app to
  - admit multiple tenants
  - handle consent messages
• Seller Dashboard: Register your app in the Seller Hub
  - create keys, catalog entries…
  - paste keys back in the app code

[Diagram labels: App, Windows Azure AD Portal]

Page 20: Windows Azure Active Directory

The SaaS Application Publishing Cycle

DEMO

Page 21: Windows Azure Active Directory

Multi-tenancy and Consent Flow

[Diagram labels: Windows Azure Active Directory, Graph API, OAuth2, SAML-P, WS-Federation, Metadata, Management Portal, Contoso’s WA AD Tenant, ServicePrincipal, Fabrikam’s WA AD Tenant, ServicePrincipal, Consent, Your SaaS App, WIF Config, WIF Modules, Module, Multitenant TokenHandler, MultitenantTokenHandler Reference]

Page 22: Windows Azure Active Directory

Resources

• Get your free tenant at http://g.microsoftonline.com/0AX00en/5
• Download the samples and tutorials at https://activedirectory.windowsazure.com/develop/
• Give us feedback at http://social.msdn.microsoft.com/Forums/en-US/WindowsAzureAD/

Page 23: Windows Azure Active Directory

One Cloud Directory for Every Organization

Page 24: Windows Azure Active Directory

Thanks! [email protected] @vibronet http://blogs.msdn.com/vbertocci