Stuart Kwan
Principal Program Manager Lead
2-601
The New Authentication Model: Authentication for Web, Mobile, and Cloud Applications
Agenda
• Identity needs of today’s apps
• Azure Active Directory
• Scenarios and how they work
• Special guest
• Protocols, libraries, and resources
Today’s Applications
Clients using a wide variety of devices/languages/platforms: browser, native app, server app
Server applications using a wide variety of platforms/languages: web application, web APIs
Authentication Protocols
Standards-based, HTTP-based protocols for maximum platform reach:
• Browser to web application: WS-Fed, SAML 2.0, OpenID Connect
• Every other hop (native app, server app, or web application calling a web API): OAuth 2.0
What is Azure Active Directory?
• Cloud-based identity service: authentication, directory, identity management
• Designed for organizations: manage access to cloud apps; can extend on-premises AD
• Designed for cloud and mobile: HTTP/REST and industry standard protocols
Bottom line: sign in users from organizations without being responsible for their accounts
Azure Active Directory Premium
Today, we announced Azure Active Directory Premium, an advanced offering that includes IAM capabilities for on-premises, hybrid and cloud environments. Built on top of the free Azure AD, it provides an additional set of features to empower enterprises with demanding identity and access management needs, such as:
• Group-based access assignment for SSO to more than 1200 SaaS apps via “myapps.microsoft.com” and mobile apps
• Self-service password reset
• Delegated group management
• Multi-Factor Authentication
• Customized branding
• Reporting, alerting, and analytics
Additionally, Azure AD Premium offers:
• An Enterprise SLA of 99.9%
• Usage rights to Forefront Identity Manager Server and CALs
Let’s drill in to each scenario
1. Browser to web app
2. Native client to web API
3. Web app to web API
4. Daemon or server to web API
Web Browser to Web App: WS-Federation, SAML 2.0, OpenID Connect
Parties: Browser; WebApp (Windows Identity Foundation or OWIN Auth Middleware); Contoso.com directory tenant (SAML, WS-Fed, or OpenID Connect endpoint) holding the WebApp Service Principal (App ID URI, Reply URL)
1. Navigate to site
2. Redirect to directory tenant to sign in (App ID URI)
3. Sign in
4. Send security token to Reply URL
5. Set session
Registering an Application
An organization (e.g. Contoso) has an Azure AD tenant. Azure AD will only issue tokens to an application registered in the tenant. How does an application get registered in a tenant?
Two Cases…
Single tenant application
• App for users in a single organization
• Admin or user registers app in directory tenant
• Sign in at: https://login.windows.net/contoso.com/<protocol>
Multi-tenant application
• App for users in multiple organizations
• Admin or user registers app in developer’s directory tenant
• Admin configures application to be multi-tenant
• Sign in at: https://login.windows.net/common/<protocol>
• User prompted to consent based on permissions required by application
• Consent registers application in user’s tenant
Consent
Users can consent to apps that access personal information only
Admins must consent to apps that require broader permissions
Admins can consent on behalf of all users in an organization
What’s In A Token? (In Brief)
Claim        Example                                 Intended Purpose
Tenant ID    81aabdd2-3682-48fd-9efa-2cb2fcea8557    Immutable tenant identifier
Name         [email protected]                       Display only
First Name   Stuart                                  Display only
Last Name    Kwan                                    Display only
Object ID    b3809430-6c28-4e43-870d-fa7d38636dcd    Immutable security identifier
* Coming soon: group claims and role claims

Azure AD Token Signing Key
• Tokens for all tenants are signed by the same key
• Keys published via metadata: https://login.windows.net/common/.well-known/openid-configuration
• Keys roll on a periodic basis
Your app must handle:
• Periodically refreshing keys from metadata
• Handling multiple keys
Our samples and libraries do this automatically
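As an added example (not code from the slides or from Microsoft’s libraries), a signing-key cache that does what the slide asks of your app: it keeps every key the metadata publishes, selects the key by the token header’s x5t thumbprint, refreshes both periodically and when an unknown thumbprint shows up, and throttles that refresh so a bad token cannot force a metadata fetch per request. The fetch_keys callable, SigningKeyCache, token_thumbprint and the sample token are assumptions; in production fetch_keys would download the openid-configuration document above and the JWKS it points to.

```python
import base64
import json
import time


class SigningKeyCache:
    """Cache of the tenant-independent Azure AD signing keys, indexed by x5t thumbprint."""

    def __init__(self, fetch_keys, ttl=24 * 3600, min_refresh_interval=300, clock=time.time):
        self._fetch = fetch_keys                  # returns {"keys": [{"x5t": ..., ...}, ...]}
        self._ttl = ttl                           # periodic refresh even when nothing looks wrong
        self._min_refresh = min_refresh_interval  # an unknown x5t must not trigger a fetch per request
        self._clock = clock
        self._keys = {}
        self._fetched_at = None

    def _refresh(self):
        # Keep every published key: during a roll, tokens signed with the old and new key overlap.
        self._keys = {k["x5t"]: k for k in self._fetch()["keys"]}
        self._fetched_at = self._clock()

    def key_for(self, thumbprint):
        """Return the published key for a token header's x5t, refreshing on expiry or on a miss."""
        now = self._clock()
        if self._fetched_at is None or now - self._fetched_at >= self._ttl:
            self._refresh()
        key = self._keys.get(thumbprint)
        if key is None and now - self._fetched_at >= self._min_refresh:
            self._refresh()                       # unknown thumbprint: perhaps the key just rolled
            key = self._keys.get(thumbprint)
        if key is None:
            raise KeyError(f"no published signing key with thumbprint {thumbprint!r}")
        return key


def token_thumbprint(token):
    """Read x5t from the (not yet verified) JWT header; only the expected algorithm is accepted."""
    header_b64 = token.split(".")[0]
    header = json.loads(base64.urlsafe_b64decode(header_b64 + "=" * (-len(header_b64) % 4)))
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")  # the token must not pick 'none' or HMAC
    return header["x5t"]


# Constructed sample: the header of the slide's access token over an empty payload ("e30")
# and a placeholder signature, used only to exercise token_thumbprint offline.
_hdr = json.dumps({"typ": "JWT", "alg": "RS256", "x5t": "NGTFvdK-fythEuLwjpwAJOM9n-A"}).encode()
SAMPLE_TOKEN = base64.urlsafe_b64encode(_hdr).rstrip(b"=").decode() + ".e30.placeholder-signature"
```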
Native Client to Web API: OAuth 2.0 auth code grant, public client
Parties: NativeApp (using ADAL*); WebAPI (Windows Identity Foundation or OWIN Auth Middleware); Contoso.com directory tenant (Authorize Endpoint, Token Endpoint) holding the NativeApp SP (Client ID, Redirect URI) and the WebAPI SP (App ID URI), with an impersonation grant between them
1. Request Auth Code (Client ID, Redirect URI, App ID URI)
2. Sign in (user sees web pop up)
3. Return Auth Code to Redirect URI
4. Redeem Auth Code (Auth Code, Client ID, Redirect URI, App ID URI)
5. Return Access Token (JWT**), Refresh Token (JWT**)
6. Send Access Token on Authorization Header
* Active Directory Authentication Library: client-side helper library that handles UI prompts, protocol, caching.
** JWT = JSON Web Token, a JSON-encoded security token bearing claims.
Auth Code Request/Response
GET https://login.windows.net/contoso.com/oauth2/authorize
    ?response_type=code                                 (I’d like a code please)
    &resource=https://skwantoso.com/TodoListService     (To access this service)
    &client_id=fb715b0e-3ca9-45b8-9928-2329a776b42d     (This is me)
    &redirect_uri=http://todolistclient/                (Send the code here)
    &prompt=login
<< Stuff happens here to sign the user in... >>
302 Found http://todolistclient/?code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGCXIY6dQcQ-_cqhsBff…   (Here’s your code!)

Token Request/Response
POST https://login.windows.net/skwantoso.com/oauth2/token
    grant_type=authorization_code                       (I have a code)
    &code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGCXIY6dQcQ_cqhsBffHFnGbeQHcm…
    &client_id=fb715b0e-3ca9-45b8-9928-2329a776b42d     (This is me)
    &redirect_uri=http://todolistclient/                (You sent me a code here)
    &resource=https://skwantoso.com/TodoListService     (To access this service)
200 OK
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5…",   (Here is your bearer token)
  "token_type": "Bearer",
  "expires_in": "3599",                                                 (When it expires)
  "expires_on": "1396472189",
  "resource": "https://skwantoso.com/TodoListService",                  (Who it is for)
  "refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMqzyrQrqeeZzKzwN…",
  "scope": "user_impersonation",                                        (Your permissions)
  "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiJmY…n0."   (Info about the user)
}
What’s Inside the JWT Access Token?
Header:
{"typ": "JWT", "alg": "RS256", "x5t": "NGTFvdK-fythEuLwjpwAJOM9n-A"}
Payload:
{
  "aud": "https://skwantoso.com/TodoListService",                      (Who this is for)
  "iss": "https://sts.windows.net/81aabdd2-3682-48fd-9efa-2cb2fcea8557/",
  "iat": 1396468289,
  "nbf": 1396468289,
  "exp": 1396472189,
  "ver": "1.0",
  "tid": "81aabdd2-3682-48fd-9efa-2cb2fcea8557",                       (User’s Tenant ID)
  "oid": "b3809430-6c28-4e43-870d-fa7d38636dcd",                       (User’s Object ID)
  "upn": "[email protected]",
  "unique_name": "[email protected]",
  "sub": "vl4OHydFcvAhqoncJsINb8E6KaAEzJH2D5iKKnZZy-A",
  "family_name": "Kwan",
  "given_name": "Stuart",
  "appid": "fb715b0e-3ca9-45b8-9928-2329a776b42d",                     (Client app they are using)
  "appidacr": "0",
  "scp": "user_impersonation",                                         (Their permissions)
  "acr": "1"
}
Decoding thanks to http://jwt.calebb.net/
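An added example, not the deck’s own code: the claim checks a web API (the TodoListService resource above) would make on this access token once its RS256 signature has been verified with the Azure AD signing key (signature verification is assumed to happen separately, before these checks). validate_claims and the sample token are assumptions; the sample re-encodes the decoded payload above with a placeholder signature so it runs offline.

```python
import base64
import json

# Constructed re-encoding of the decoded access token on the slide (display-only claims
# such as upn and the name claims omitted) with a placeholder signature.
SAMPLE_HEADER = {"typ": "JWT", "alg": "RS256", "x5t": "NGTFvdK-fythEuLwjpwAJOM9n-A"}
SAMPLE_PAYLOAD = {
    "aud": "https://skwantoso.com/TodoListService",
    "iss": "https://sts.windows.net/81aabdd2-3682-48fd-9efa-2cb2fcea8557/",
    "iat": 1396468289, "nbf": 1396468289, "exp": 1396472189, "ver": "1.0",
    "tid": "81aabdd2-3682-48fd-9efa-2cb2fcea8557",
    "oid": "b3809430-6c28-4e43-870d-fa7d38636dcd",
    "appid": "fb715b0e-3ca9-45b8-9928-2329a776b42d", "appidacr": "0",
    "scp": "user_impersonation", "acr": "1",
}


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def _unb64url(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


SAMPLE_TOKEN = _b64url(SAMPLE_HEADER) + "." + _b64url(SAMPLE_PAYLOAD) + ".placeholder-signature"


def validate_claims(token, expected_aud, allowed_tenants, required_scope, now, skew=300):
    """Claim checks a web API makes after the RS256 signature has been verified.

    Returns only the immutable identifiers (tid, oid) plus appid and scp: upn and the
    name claims are display-only and must not be used as the security identity.
    """
    claims = json.loads(_unb64url(token.split(".")[1]))
    problems = []
    if claims.get("aud") != expected_aud:                       # issued for a different resource
        problems.append("aud")
    tid = claims.get("tid")
    if tid not in allowed_tenants:                              # not a tenant this API serves
        problems.append("tid")
    if claims.get("iss") != f"https://sts.windows.net/{tid}/":  # issuer must match the tenant claim
        problems.append("iss")
    if not (claims.get("nbf", 0) - skew <= now < claims.get("exp", 0) + skew):
        problems.append("time")                                 # outside validity window (with skew)
    if required_scope not in claims.get("scp", "").split():     # delegated permission not granted
        problems.append("scp")
    if problems:
        raise PermissionError("access token rejected: " + ", ".join(problems))
    return {"tid": tid, "oid": claims["oid"], "appid": claims["appid"], "scp": claims["scp"]}
```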
Server-Based Sign-In User Experience
• Native client sign-in UI is web-based
• Same sign-in UI as web app sign-in
• Web UI allows arbitrary interaction: consent to use application, multi-factor authentication, account compromise detection, … and more stuff we haven’t dreamed up yet
• Plan to offer non-interactive methods: name/password, Kerberos. These will return an error if user interaction is required
Native Client to Web API: OAuth 2.0 auth code grant, public client (expired access token)
Parties: NativeApp (using ADAL); WebAPI (Windows Identity Foundation or OWIN Auth Middleware); Contoso.com directory tenant (Authorize Endpoint, Token Endpoint) holding the NativeApp SP (Client ID, Redirect URI) and the WebAPI SP (App ID URI), with an impersonation grant between them
1. Call WebAPI (Access Token in AuthZ Header)
2. Access Token has expired
3. Request new Access Token (Client ID, Refresh Token*, App ID URI)
4. Return Access Token, Refresh Token
5. Call web API with Access Token in AuthZ Header
* Bonus: a “multi-resource refresh token” can be used to get an access token to a different service if delegation exists
Two Cases…
• Web app calls web API using its own identity. Let’s call this “app identity”. Uses OAuth 2.0 client credentials grant
• Web app calls web API using the user’s identity. Let’s call this “app + user identity” (or delegated identity). Uses OpenID Connect, or OAuth 2.0 auth code grant and confidential client
Web App to Web API: OAuth 2.0 client credentials
Parties: Browser; WebApp (WIF/OWIN, using ADAL); WebAPI (WIF/OWIN); Contoso.com directory tenant (Authorize Endpoint, Token Endpoint) holding the WebApp SP (Client ID, Redirect URI, Credential*) and the WebAPI SP (App ID URI), with an access grant between them
1. Signed in, using the web app…
2. Request token (Client ID, Credential, App ID URI)
3. Return access token
4. Call web API with Access Token in AuthZ Header
* The application’s credential can be a password, or it can be an assertion (a JWT token) signed with a private key.
Web App to Web API: OpenID Connect
Parties: Browser; WebApp (WIF/OWIN, using ADAL); WebAPI (WIF/OWIN); Contoso.com directory tenant (Authorize Endpoint, Token Endpoint) holding the WebApp SP (Client ID, Redirect URI, Credential) and the WebAPI SP (App ID URI), with an impersonation grant between them (might require user consent)
1. Navigate to site
2. Redirect to sign in and request auth code (Client ID, Redirect URI)
3. Sign in
4. Return ID Token* and Auth Code to Redirect URI
6. Set session
7. Request access token (Auth Code, Client ID, Credential, Redirect URI, App ID URI)
8. Return access token, refresh token
9. Call web API with Access Token in AuthZ Header
* ID Token: claims about the user for WebApp.
Two Cases…
• Daemon calls web API using its own identity: server, factory device, truck, anything without human interaction for sign-in. Uses OAuth 2.0 client credentials grant. Exactly the same as the web app to web API, app identity case covered earlier
• Server app calls web API using the user’s identity: no user with a browser present, so it can’t use the auth code grant. Proposed OAuth 2.0 “On_Behalf_Of” token exchange
Server to Web API: OAuth 2.0 OnBehalfOf Token Exchange
Parties: a native app or web app calling WebAPI1; WebAPI1 (WIF/OWIN, using ADAL); WebAPI2 (WIF/OWIN); Contoso.com directory tenant (Authorize Endpoint, Token Endpoint) holding the WebAPI1 SP (Client ID, Credential) and the WebAPI2 SP (Client ID, Credential), with an impersonation grant between them
1. Use the API, passing the user’s Access Token…
2. Request token (User’s Access Token, Client ID, Credential)
3. Return Access Token, Refresh Token
4. Call web API with Access Token in AuthZ Header
McKesson At-a-Glance
America’s oldest and largest healthcare services company
Company Founded: 1833
Fortune 500: Ranked 14th
Revenue: $122.5 billion
Headquarters: San Francisco
Employees: 43,500
Segments: Distribution Solutions and Technology Solutions
Together with our customers and partners, we are creating a sustainable future for healthcare. Together we are charting a course to better health.
Leadership Positions in Both Segments
Distribution Solutions:
• #1 pharmaceutical distributor in U.S. and Canada
• #1 generics distributor
• #1 in medical-surgical distribution to alternate care sites
Technology Solutions:
• Leader in clinical, revenue-cycle and resource-management solutions
• Leading RelayHealth claims-processing and connectivity business
• #1 in medical-management software and services to payers
Healthcare Analytics in the Cloud
• Wanted to provide a cloud-based analytics service for healthcare organizations to show compliance with the Health Information Technology for Economic and Clinical Health (HITECH) Act
• Sought an identity federation service that could be managed entirely in the cloud or integrated with on-premises technologies such as Active Directory
Why we chose Azure
• Focused on supporting many larger healthcare organizations with their own IT departments that implement identity management solutions (smaller organizations often lack such resources)
• Considered different cloud vendors; Windows Azure was the best choice for meeting our requirements
Platform Strategy
• Industry standard, web-based protocols: OpenID Connect, OAuth 2.0, SAML 2.0, WS-Federation, JSON Web Token
• Client-side open source libraries: .Net, Windows Store, iOS, Android, https://github.com/orgs/MSOpenTech
• Server-side open source libraries: .Net, included in Katana, http://katanaproject.codeplex.com/; Java, Node.js, PHP coming soon, https://github.com/orgs/MSOpenTech; .Net JWT handler, https://github.com/orgs/MSOpenTech
• Samples for every scenario you saw today: https://github.com/AzureADSamples

The New Authentication Model
• New applications: web with web API, mobile, cloud
• New authentication model: industry standard protocols enabled via open source libraries
• Authentication services for on-premises and cloud
For more information: http://www.windowsazure.com/en-us/solutions/identity/
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Protocol Support Summary (as of April 2014)
Category            Protocol                                          AD FS           Azure AD
Native client       OAuth 2.0 auth code grant, public client          AD FS 3.0       Preview
Web sign-in         WS-Federation                                     AD FS 2.0+      GA
Web sign-in         SAML 2.0                                          AD FS 2.0+      GA
Web sign-in         OpenID Connect                                    Not available   Preview
Web to Web API      OAuth 2.0 auth code grant, confidential client    Not available   Preview
Web to Web API      OAuth 2.0 client credential grant                 Not available   GA
Server to Web API   OAuth 2.0 on behalf of                            Not available   Preview
Web App to Web API: OAuth 2.0 auth code grant, confidential client*
Parties: Browser; WebApp (WIF/OWIN, using ADAL); WebAPI (WIF/OWIN); Contoso.com directory tenant (Authorize Endpoint, Token Endpoint) holding the WebApp SP (Client ID, Redirect URI, Credential) and the WebAPI SP (App ID URI), with a delegation between them (might require user consent)
1. Signed in, using the web app…
2. Request Auth Code (Client ID, Redirect URI)
3. Return Auth Code
4. Request access token (Auth Code, Client ID, Credential, Redirect URI, App ID URI)
5. Return access token, refresh token
6. Call web API with Access Token in AuthZ Header
* Called “confidential client” because WebApp uses its credentials when redeeming the auth code.