“If you are successful, enterprise IT will require you to integrate your application with their enterprise identity management system.”
- Stuart Kwan

Active Directory
Microsoft Identity Platform for Developers: Overview and Roadmap
Stuart Kwan (@stuartkwan), Principal Program Manager, Microsoft Corporation
BRK3867
Agenda
- Azure AD and Identity Management as a Service
- Benefits of integrating with Azure AD
- How to integrate
- Futures
- Next steps
Before Azure AD and IdMaaS
Enterprise customer with Active Directory <-> Your application
- Federation: complex per-customer steps to set up federation
- User provisioning: per-customer custom code and manual steps for user provisioning
- Manage as single logical directory
With Azure AD
Your application <-> Azure AD <-> Enterprise customer with Active Directory (Office 365 and more also sit on Azure AD)
1. Use Azure AD for sign up, sign in, provisioning, and directory services: one consistent interface
2. Sync and federation between on-premises and cloud identity systems
3. On-premises identity management functions from cloud
Integrating with Azure AD == Integrating with AD
Azure AD by the numbers
- 1 trillion authentications since release of service
- 50 M Office 365 users active every month
- >1 billion authentications every day on Azure AD
- More than 500 M objects hosted on Azure Active Directory
- Azure AD manages identity data for >5 M organizations
- 86% of Fortune 500 companies on Microsoft Cloud (Azure, O365, CRM Online and PowerBI)
- Every Office 365 and Microsoft Azure customer uses Azure Active Directory
Promote your app in the Azure AD App Gallery
Register your app to appear in the Azure AD App Gallery (your app, your logo, your details, your description).

Promote your app in the Office 365 Store
Register your app to appear in the Office 365 Store – coming soon.

Appear in the Office 365 My Apps listing
If installed from the store or gallery, or assigned by IT, your app will appear in the user’s Office 365 My Apps listing and the myapps.microsoft.com Access Panel. The user can pin your app to their App Launcher.

Pin to App Launcher – drive user engagement
A pinned app will appear in the user’s App Launcher.
Detect: brute force attack
1: <qwrsd!@@#> Nah! Didn’t work
2: <sdsaswer> Nah! Didn’t work
3: <34sdfs> Nah! Didn’t work
4: <sdsaswer> Nah! Didn’t work
5: <asas> Nah! Didn’t work
6: <qwrsd!@@#> Nah! Didn’t work
7: <sdsaswer> Nah! Didn’t work
8: <34sdfs> Nah! Didn’t work
9: <sdsaswer> Nah! Didn’t work
10: <asas> Nah! Didn’t work
...
78: <Password> Aha!!!!! That worked! Duh!
Signal if it appears an attacker has brute forced the user’s password.

Detect: sign in from anonymizer network
IP address 199.34.28.10 -> IP address 31.172.30.4 (TOR network)
Signal if requests originate from an anonymizer network.

Detect: unlikely travel
Joe@Contoso.com, location: Seattle, WA, time: 8:29 AM PST (3:29 PM UTC)
Joe@Contoso.com, location: somewhere in Asia, time: 7:54 AM local time (3:54 PM UTC)
Signal if the user signs in from locations distant from each other within a short time period.

Detect: anomalous activity spanning tenants
IP address 199.34.28.10, against several tenants: bad username, bad password, bad password, bad password, bad username, bad username, bad username, bad password
Signal if multiple failed requests come from a single IP to many tenants.

Detect: sign in from known infected device
Botnet control center; device IP = 199.34.28.10
Signal if requests come from known infected devices.
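As an added example (not part of the deck), the following Python evaluates three of the signals above over constructed sign-in events: a success following a run of failures, unlikely travel between two sign-ins, and failures from one IP against many tenants. The event layout, coordinates and thresholds are assumptions for illustration, not Azure AD's data model.

```python
# Added example (not from the deck): three sign-in risk signals over constructed events.
# Event shape, thresholds and coordinates are assumptions for illustration only.
from collections import defaultdict
from math import asin, cos, radians, sin, sqrt
# Constructed sample: (timestamp_s, user, tenant, source_ip, success, lat, lon)
EVENTS = [(i * 10, "joe@contoso.com", "contoso", "203.0.113.5", False, 47.6, -122.3)
          for i in range(12)]                    # 12 bad passwords from Seattle
EVENTS += [
    (130, "joe@contoso.com", "contoso", "203.0.113.5", True, 47.6, -122.3),   # then success
    (1630, "joe@contoso.com", "contoso", "198.51.100.9", True, 1.3, 103.8),   # Singapore, 25 min later
    (200, "a@fabrikam.com", "fabrikam", "192.0.2.77", False, 51.5, -0.1),     # one IP, three tenants
    (210, "b@tailspin.com", "tailspin", "192.0.2.77", False, 51.5, -0.1),
    (220, "c@adatum.com", "adatum", "192.0.2.77", False, 51.5, -0.1),
    (300, "kelly@contoso.com", "contoso", "203.0.113.8", True, 47.6, -122.3),  # benign
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def brute_force_users(events, max_failures=10):
    """Users whose successful sign-in followed at least max_failures straight failures."""
    streak, flagged = defaultdict(int), set()
    for _ts, user, _tenant, _ip, ok, _lat, _lon in sorted(events):
        if ok and streak[user] >= max_failures:
            flagged.add(user)
        streak[user] = 0 if ok else streak[user] + 1
    return flagged

def unlikely_travel(events, max_kmh=900):
    """Users with consecutive successful sign-ins implying travel faster than max_kmh."""
    last, flagged = {}, set()
    for ts, user, _tenant, _ip, ok, lat, lon in sorted(events):
        if not ok:
            continue
        if user in last:
            pts, plat, plon = last[user]
            hours = max(ts - pts, 1) / 3600          # avoid division by zero
            if haversine_km(plat, plon, lat, lon) / hours > max_kmh:
                flagged.add(user)
        last[user] = (ts, lat, lon)
    return flagged

def multi_tenant_failures(events, min_tenants=3):
    """Source IPs with failed requests against at least min_tenants distinct tenants."""
    tenants = defaultdict(set)
    for _ts, _user, tenant, ip, ok, _lat, _lon in events:
        if not ok:
            tenants[ip].add(tenant)
    return {ip for ip, seen in tenants.items() if len(seen) >= min_tenants}
```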
Integration steps
1. Register your app in the AD section of the Azure portal: get a client ID and a secret (if needed), register the redirect URL, request API permissions
2. Add code for sign in: send the request, process the response, validate the token, extract claims, redeem the auth code
3. Add code to query the Azure AD Graph API (optional): OData v3 compliant REST API

Sign-in sequence (Browser, Web App, Azure AD authorize and token endpoints, Graph):
1. Browser navigates to your application
2. No session: the app sends an authN request, a 302 redirect for sign in carrying the OpenID Connect request to the authorize endpoint
3. User signs in at Azure AD
4. Azure AD posts the token and auth code to your application’s redirect URL
5. App verifies the token signature, sets a cookie and returns the user to the page they started on
6. App redeems the auth code at the token endpoint; Azure AD returns an access token and refresh token
7. App calls the Graph API
Integrating with Azure AD for sign in and directory: https://github.com/skwan/WebApp-GroupClaims-DotNet
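The “validate token, extract claims” step of the sign-in sequence, as an added example that is not from the deck or the linked sample project. Signature verification is delegated to a caller-supplied function so the block runs offline; in production that function checks RS256 against the tenant's published signing keys. The tenant id, client id, key id and nonce below are constructed placeholders, and the stub verifier and token builder are test scaffolding, not Azure AD behaviour.

```python
# Added example (not from the deck): the "validate token, extract claims" step for an
# OpenID Connect id_token. Signature checking is delegated to a caller-supplied function
# so this runs offline; production checks RS256 against the tenant's signing keys.
import base64, json, time

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def validate_id_token(token, verify_signature, issuer, client_id, nonce, now=None):
    """Return the claims of an acceptable token; raise ValueError with the reason otherwise."""
    now = time.time() if now is None else now
    h, p, s = token.split(".")                   # compact JWS: header.payload.signature
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "RS256":             # reject 'none' and algorithm downgrades
        raise ValueError("unexpected alg %r" % header.get("alg"))
    if not verify_signature(header.get("kid"), (h + "." + p).encode(), _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))       # trust claims only after the signature check
    if claims.get("iss") != issuer:              # pin the token to the expected tenant issuer
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:           # a token minted for another app is not ours
        raise ValueError("wrong audience")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token expired or not yet valid")
    if claims.get("nonce") != nonce:             # bind the response to the request we sent
        raise ValueError("nonce mismatch")
    return claims

def rejection_reason(token, *args, **kwargs):
    """None if the token validates, otherwise the reason it was rejected."""
    try:
        validate_id_token(token, *args, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)
# Constructed tenant, app and key identifiers (placeholders, not real values).
TENANT = "00000000-0000-0000-0000-000000000000"
ISSUER = "https://sts.windows.net/%s/" % TENANT
APP_ID = "constructed-client-id"
def stub_verify(kid, signing_input, signature):
    """Stand-in for RS256 verification: accepts only the constructed tag under key 'key1'."""
    return kid == "key1" and signature == b"stub-sig:" + signing_input
def make_token(claims, alg="RS256", kid="key1"):
    """Build a constructed token carrying the tag stub_verify expects."""
    h = _b64url_encode(json.dumps({"alg": alg, "kid": kid}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    return "%s.%s.%s" % (h, p, _b64url_encode(b"stub-sig:" + (h + "." + p).encode()))
```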
Authentication scenarios
Clients using a wide variety of devices/languages/platforms: browser (including JavaScript in the browser), native app, server app.
Server applications using a wide variety of platforms/languages: web application, web API (including web API calling web API).
Standards-based, HTTP-based protocols for maximum platform reach:
- Browser to web application: WS-Fed, SAML 2.0, OpenID Connect
- Calls to web APIs from JavaScript, native apps, server apps, web applications and other web APIs: OAuth 2.0
OAuth 2.0 and OpenID Connect
- Sign-in UI is web-based, for both web apps and native client apps
- Web UI allows arbitrary interrupt: consent to use the application, multi-factor authentication, account compromise detection, … stuff we haven’t dreamed up yet
- Also non-interactive methods: name/password, Kerberos; these return an error if user interaction is required
Azure AD Graph API
- RESTful access to the directory
- Objects: users, groups, devices, licenses
- Relationships: member/memberOf, manager/directReport
- POST, GET, PATCH, DELETE to create, read, update, delete
- Full text search (in preview)
- Supports CORS
- Response in JSON (optionally XML)
- OData v3 compatible (v4 support coming soon)
- .Net, Cordova, iOS, Android libraries available
- Check out the API ref at: https://msdn.microsoft.com/en-us/Library/Azure/Ad/Graph/api/api-catalog
Client: Active Directory Authentication Library (ADAL) for .Net, Windows Store, Windows Phone; JavaScript; iOS; Android
Server: .Net (ASP.Net OWIN middleware for OpenID Connect and OAuth 2.0); Node.js
In use today by Office apps, Visual Studio, and more
More languages to come
OSS libraries: http://github.com/AzureAD
Xamarin, Cordova, Node.js, Java
Key Vault – safeguarding keys and secrets (in preview now; future capability - in development)
- Reduce exposure of keys to dev/ops: keys and secrets are stored encrypted in the Key Vault service, e.g. Storage keys
- Store and perform key operations, e.g. encryption keys
- Enable customers to bring their own keys, usually for compliance reasons
- Access to keys is monitored and audited
- Only Azure AD users/apps can be granted access to keys
Key Vault example: protect storage keys (future capability - in development)
At setup time:
1. Developer creates a Key Vault, adds Storage keys
2. Developer registers the new application in Azure AD
3. Developer creates a cert as the credential for the app and uploads it to Azure and Azure AD
4. Developer grants the application identity access to the Storage keys
At runtime:
1. Application requests a token to Key Vault from Azure AD
2. Application retrieves the Storage secrets from Key Vault
Net – no secrets in source code

Key Vault example: encrypt to customer key (future capability - in development)
At customer setup:
1. Customer creates a Key Vault and uploads an encryption key
2. Customer grants the app access to the encryption key
3. App creates local encryption keys to encrypt data at rest
4. App uses Key Vault to encrypt the local encryption keys, stores the encrypted keys locally
At runtime:
1. App loads the encrypted local keys from storage
2. App uses Key Vault to decrypt the local encryption keys
3. App uses the decrypted local keys to encrypt and decrypt customer data
Net – customer controls the encryption keys
AD FS and Azure AD Parity (future capability - in development)
Scenario          | Protocol                                        | Release
Native client     | OAuth 2.0 auth code grant, public client        | GA
Web sign in       | WS-Federation                                   | GA
Web sign in       | SAML 2.0                                        | GA
Web sign in       | OpenID Connect                                  | Server 2016
Web to Web API    | OAuth 2.0 implicit grant                        | Server 2016
Web to Web API    | OAuth 2.0 auth code grant, confidential client  | Server 2016
Server to Web API | OAuth 2.0 client credential grant               | Server 2016
Server to Web API | OAuth 2.0 on behalf of                          | Server 2016
Goal: maintain developer experience parity between AD FS and Azure AD
Azure AD B2C: “IdMaaS for applications” (preview coming soon; future capability - in development)
- Take advantage of Azure AD security, availability and scalability for customer IdM, plus B2C features
- Social IdPs and “application local accounts”
- Self-service sign up, password reset, profile management
- Customizable sign in and sign up UI
- Same protocols, libraries, and programming model
- Consumption based pricing: meters for # of users and # of authentications
Azure AD B2C: customize UI; social and local accounts; define attributes to gather during sign up; handles sign up and password reset
Microsoft account + Azure AD (preview coming soon; future capability - in development)
- Working on a unified dev experience for apps that support both Microsoft account and Azure AD
- Single endpoint, OpenID Connect and OAuth 2.0
- Single SDK
- Single end user sign in experience
- Single streamlined app registration experience, outside of the Azure portal, no Azure subscription required
- Works with unified Office business + consumer APIs
Demo screens, Microsoft account + Azure AD (future capability - in development):
1. https://login.microsoft.com/xxxxx – “Sign in to your account” for Fabrikam Calendar. Fields: Microsoft account (personal or business), Password. Links: Can’t access your account? / Other sign in options / Get a new account. Buttons: Sign in, Back. Footer: © 2015 Microsoft, Terms of Use, Privacy & Cookies.
2. The user enters kelly@contoso.com and a password (masked).
3. Redirect to https://login.microsoftonline.com/xxxxx – “Sign in to Fabrikam Calendar”, with Keep me signed in, Password, and the Contoso tenant’s branding: “Contact Help Desk at (206) 555-1234. This site is operated by Microsoft on behalf of Contoso Inc and is for the exclusive use of its employees and partners.”
4. Back at the first screen, the user enters kelly@outlook.com and a password (masked).
5. “Taking you to the sign in page for Microsoft accounts. Cancel”, then redirect to https://login.live.com/xxxxx (“Sign in to your Microsof…”) for kelly@outlook.com.
6. Account picker: “Which account do you want to use?” – Kelly Yang, kelly@outlook.com; Kelly, kelly@contoso.com; Use another account.
Enhanced device support – Windows 10 (future capability - in development)
- Windows 10 Azure AD Join: sign in to the desktop with an Azure AD account
- Single sign on to: Kerberos-based on-premises applications; native applications that use WebAccountManager; web apps that support Azure AD sign-in

Enhanced device support – iOS and Android (future capability - in development)
- Updated iOS & Android authenticator apps
- Single sign on across mobile apps using the ADAL library
- Device conditional access
- Multi-factor authentication
- Apps using ADAL seamlessly take advantage of the authenticator
Next steps
- Sign up for an Azure trial to get Azure AD; you won’t be charged if you only use Azure AD free capabilities
- Check out the Azure AD Developer Guide: Azure.com > Documentation > ID&A Management > Active Directory > Develop
- Go deeper at Ignite: BRK4850, Developing Web and Cross Platform Mobile Apps with Azure AD
- Subscribe to the AD team blog at http://blogs.technet.com/b/ad/ or search “active directory team blog”
Summary
- If you are successful, enterprise IT will require you to integrate with Active Directory; integrating with Azure AD == integrating with Active Directory
- Benefits: reduce security surface area; reduce sign in friction and sign up drop off; promote your application in the Office 365 and Azure Marketplaces; increase user engagement by appearing in the Office 365 application launcher
- Development based on standard protocols and open source libraries