Page 2

Securing Windows Store applications and REST services with Active Directory
Vittorio Bertocci - @vibronet
Principal Program Manager
Session 3-518

Page 3

Building a Modern Business App

[Diagram: one App accessing several Resources]

Page 4

Checklist

- Access resources outside of the corporate network.
- Handle authentication and session mechanics.
- Apply access policies on non-domain joined devices.

Tackle those, and you've got yourself a nice business app.

Page 5

Access resources outside of the corporate network

Page 6

REST, OAuth2

[Diagram: the App obtains tokens from the authorization server, which exposes an authorization endpoint and a token endpoint, and presents them to the Resource over REST; the arrows are labelled A and R for the tokens returned by the token endpoint]
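The exchange the diagram sketches, as an added example that is not part of the deck and not AAL or Active Directory code: the authorization endpoint, the token endpoint, the client app and the REST resource are all simulated in-process so the whole authorization code grant can be run offline. It is written in Python rather than the deck's C# so that it runs stand-alone. The client ID, redirect URI and user name are constructed; only the resource identifier and the authority host come from the deck. The resource looks tokens up in the server's store, which is a simplification of what a real service does with a self-contained token.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.windows.net/contoso.onmicrosoft.com"   # authority used on the AAL slide
CLIENT_ID, REDIRECT_URI = "00000000-0000-0000-0000-demo00000001", "ms-app://s-1-15-2-demo/"  # constructed
RESOURCE = "http://host.com/shipmentservice"                       # resource identifier from the deck
CODE_TTL, TOKEN_TTL = 600, 3600   # seconds; typical values, not taken from the deck

def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class AuthorizationServer:
    """Authorization endpoint + token endpoint (the authorization server box in the diagram)."""
    def __init__(self, clients):
        self.clients = clients                    # client_id -> registered redirect_uri
        self.codes, self.access, self.refresh = {}, {}, {}

    def authorize(self, url, user):
        """Authorization endpoint: the user signs in here; the app only ever receives a code."""
        q = _query(url)
        if q.get("response_type") != "code":
            return {"error": "unsupported_response_type"}
        redirect = q.get("redirect_uri")
        if not redirect or self.clients.get(q.get("client_id")) != redirect:
            return {"error": "invalid_request"}    # unknown client or unregistered redirect URI
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], redirect, q.get("resource"), user, time.time())
        return {"redirect": redirect + "?" + urlencode({"code": code, "state": q.get("state", "")})}

    def token(self, form, now=None):
        """Token endpoint: redeem a code (once) or a refresh token for a new access token."""
        now = time.time() if now is None else now
        if form.get("grant_type") == "authorization_code":
            e = self.codes.pop(form.get("code"), None)               # pop: codes are single-use
            if (e is None or e[0] != form.get("client_id") or e[1] != form.get("redirect_uri")
                    or now - e[4] > CODE_TTL):
                return {"error": "invalid_grant"}
            cid, resource, user = e[0], e[2], e[3]
        elif form.get("grant_type") == "refresh_token":
            e = self.refresh.pop(form.get("refresh_token"), None)   # rotate on every use
            if e is None or e[0] != form.get("client_id"):
                return {"error": "invalid_grant"}
            cid, resource, user = e
        else:
            return {"error": "unsupported_grant_type"}
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = (resource, user, now + TOKEN_TTL)          # A: access token
        self.refresh[rt] = (cid, resource, user)                      # R: refresh token
        return {"access_token": at, "token_type": "Bearer", "expires_in": TOKEN_TTL,
                "refresh_token": rt, "resource": resource}

class Resource:
    """The REST service; accepts only bearer tokens issued for its own identifier."""
    def __init__(self, server, resource_id=RESOURCE):
        self.server, self.resource_id = server, resource_id

    def get_shipments(self, headers, now=None):
        now = time.time() if now is None else now
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        e = self.server.access.get(token) if scheme == "Bearer" else None
        if e is None or e[0] != self.resource_id or e[2] <= now:
            return 401, {"error": "invalid_token"}     # missing, wrong audience, or expired
        return 200, {"user": e[1], "shipments": ["SHP-1", "SHP-2"]}   # constructed data

class App:
    """The client app: builds the authorization request, checks state, redeems the code."""
    def __init__(self, server):
        self.server, self.pending = server, set()

    def start_sign_in(self):
        state = secrets.token_urlsafe(16)             # ties the redirect back to this request
        self.pending.add(state)
        return AUTHORITY + "/oauth2/authorize?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "resource": RESOURCE, "state": state})

    def finish_sign_in(self, redirect):
        q = _query(redirect)
        if q.get("state") not in self.pending:
            return {"error": "state_mismatch"}         # unsolicited or replayed redirect
        self.pending.discard(q["state"])
        return self.server.token({"grant_type": "authorization_code", "code": q.get("code"),
                                  "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI})

def run_flow():
    """Drive the exchange end to end and return what each step produced."""
    server = AuthorizationServer({CLIENT_ID: REDIRECT_URI})
    app, svc = App(server), Resource(server)
    redirect = server.authorize(app.start_sign_in(), user="alice@contoso.onmicrosoft.com")["redirect"]
    tokens = app.finish_sign_in(redirect)
    headers = {"Authorization": "Bearer " + tokens["access_token"]}
    status, body = svc.get_shipments(headers)
    code_form = {"grant_type": "authorization_code", "code": _query(redirect)["code"],
                 "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI}
    return {"tokens": tokens, "status": status, "body": body,
            "replay": app.finish_sign_in(redirect),     # state already consumed
            "code_reuse": server.token(code_form),      # code already redeemed
            "expired": svc.get_shipments(headers, now=time.time() + TOKEN_TTL + 1)[0],
            "refreshed": server.token({"grant_type": "refresh_token", "client_id": CLIENT_ID,
                                       "refresh_token": tokens["refresh_token"]})}
```

The three checks worth noticing are the ones that make the code grant safe for a native client: the redirect URI must match the one registered with the client, the authorization code is redeemed once and only by the client it was issued to, and the app refuses a redirect whose state it did not generate. The resource, for its part, rejects a token issued for a different resource identifier even when that token is otherwise valid.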

Page 7

Windows Azure Active Directory

[Diagram: Contoso's On-Premises Directory is synchronized by DirSync into Contoso's tenant in Windows Azure Active Directory; the tenant exposes SAML-P, WS-Federation, Metadata, OAuth2, the Management Portal and the Graph API]

Page 8

Clients and Resources in Windows Azure AD

Registration
- Today: via Graph Explorer
- Soon: via Windows Azure Portal

[Diagram: App and Resource entries registered in the tenant]

Page 9

Demo

Page 10

ADFS in Windows Server 2012 R2

New! OAuth2 code grant
- Resources represented as classic Relying Party Trust entries
- Clients registered via PowerShell
  - No permission table entry necessary
- Support for JWT format

New! Registered devices authentication
- More details later in the session

Page 11

Demo

Page 12

Checklist

- Access resources outside of the corporate network. Use OAuth2.
  - Register client app and resources in Active Directory
  - Get and use access tokens
- Handle authentication and session mechanics.
- Apply access policies on non-domain joined devices.

Tackle those, and you've got yourself a nice business app.

Page 13

Handle authentication and session mechanics

Page 14

Windows Azure Authentication Library (AAL)

Helps developers add authentication capabilities to rich client apps:
- User authentication experience
- Obtaining tokens
- Token lifecycle management (caching, automatic token refresh, etc.)
- Assisted authority discovery

Works with both Windows Azure AD and Windows Server 2012 R2 ADFS.
Ships out of band as a NuGet package.
.NET and Windows Store versions in developer preview
- details here
- download from VS2012 or here

Page 15

AAL is a Windows Runtime Component

[Diagram: system layers, bottom to top: OS; Windows Runtime (WinRT); AAL for Windows Store (.WINMD). At the application layer, a C# Windows Store App or a JS/HTML5 Windows Store App consumes the component]

Page 16

Essential AAL Usage (C#)

Authenticate the user to get a token:

```csharp
using System.Net.Http;
using System.Net.Http.Headers;
// plus the AAL namespace from the NuGet package (Page 14)

// clientID holds the client ID assigned when the app was registered in Active Directory (Page 8, Page 10).
AuthenticationContext aCtx = new AuthenticationContext("https://login.windows.net/contoso.onmicrosoft.com");
AuthenticationResult result = await aCtx.AcquireTokenAsync("http://host.com/shipmentservice", clientID);
```

Use the token to invoke a REST service:

```csharp
HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
//...
```
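The slide shows the client side only; the REST service receiving that Authorization header has to validate the token before it trusts anything in it. What follows is an added example, not code from the deck, from AAL, or from Active Directory, written in Python so that it runs stand-alone. It validates a JWT (the format Page 10 says ADFS now supports) against a pinned algorithm, issuer, audience and validity window. To stay self-contained it signs with HMAC-SHA256 and a constructed shared key; tokens issued by Windows Azure AD or ADFS are signed with the issuer's private key and verified with the public signing key published in its metadata, so the key material and `alg` check change in production, the rest of the checks do not. The issuer URL and the `mint_token` helper are assumptions; the audience is the resource identifier from the slide.

```python
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://sts.windows.net/contoso.onmicrosoft.com/"   # assumed issuer value
AUDIENCE = "http://host.com/shipmentservice"                  # resource identifier from the deck
KEY = b"constructed-demo-key-not-for-production"             # constructed shared secret


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, key=KEY, alg="HS256"):
    """Stand-in for the token endpoint, so the validator below has something to check."""
    header = {"typ": "JWT", "alg": alg}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return signing_input + "." + _b64url(sig)


class TokenError(Exception):
    pass


def validate_token(token, key=KEY, issuer=ISSUER, audience=AUDIENCE, now=None, leeway=60):
    """Return the claims if, and only if, every check passes."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s)
    except ValueError:                      # wrong segment count, bad base64, bad JSON
        raise TokenError("malformed")
    # Pin the algorithm you expect instead of trusting the header's choice ("none" included).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")   # a token minted for another resource must not work here
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + leeway:
        raise TokenError("expired")
    if now < claims.get("nbf", 0) - leeway:
        raise TokenError("not yet valid")
    return claims


def authorize_request(headers, **checks):
    """What the REST service does with the Authorization header the app sent."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401, "missing bearer token"
    try:
        claims = validate_token(token, **checks)
    except TokenError as err:
        return 401, str(err)
    return 200, claims.get("upn") or claims.get("sub")
```

The audience check is the one most often left out: without it, a valid token the same user obtained for any other resource in the tenant would be accepted by the shipment service.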

Page 17

Demo

Page 18

Notes on User Experience

AAL wraps the WebAuthenticationBroker API in WinRT.
New in Windows 8.1: built-in account selection experience.
See Karanbir's session later today (3-113).

Page 19

Demo

Page 20

AAL for Windows Store offers a persistent token cache

AAL Cache entry

Key:   Authority, ClientID, Resource, User
Value: AccessToken, RefreshToken, Expiration

Page 21

AAL Cache lookup for AcquireTokenAsync([authority], resource, clientid, user)

1. Matching cache entry?
   NO: go to step 4.
   YES: go to step 2.
2. Valid access token?
   YES: return the cache entry.
   NO: go to step 3.
3. Refresh token?
   NO: go to step 4.
   YES: use the refresh token to refresh the access token. Success?
        YES: replace the cache entry and return it.
        NO: go to step 4.
4. Prompt the user via WebAuthenticationBroker. Success?
   YES: cache access token, refresh token and validity, then return the entry.
   NO: return error info.
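The lookup the flowchart describes, as an added example that is not AAL's own code and not part of the deck, written in Python so that every branch can be driven offline. The cache is keyed exactly as the table on Page 20 (authority, client ID, resource, user); the two steps that need the network, refreshing at the token endpoint and prompting through WebAuthenticationBroker, are injected as callbacks. The 300-second expiry buffer, the `run_scenario` inputs and the user name are assumptions.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Tokens = Tuple[str, Optional[str], float]                  # access_token, refresh_token, expires_at
PromptResult = Tuple[str, str, Optional[str], float]       # user, access_token, refresh_token, expires_at


@dataclass
class CacheEntry:               # the "Value" columns of the Page 20 table
    access_token: str
    refresh_token: Optional[str]
    expires_at: float


class AuthError(Exception):
    """Raised when the interactive prompt fails (the flowchart's 'return error info')."""


class TokenCache:
    def __init__(self, refresh: Callable[[str], Optional[Tokens]],
                 prompt: Callable[[], Optional[PromptResult]],
                 clock: Callable[[], float] = time.time, skew: float = 300.0):
        self._entries: Dict[Tuple[str, str, str, str], CacheEntry] = {}
        self._refresh, self._prompt, self._clock, self._skew = refresh, prompt, clock, skew

    def _find(self, authority, client_id, resource, user):
        # "matching cache entry?"  A lookup without a user (the AcquireTokenAsync(resource, clientid)
        # overload) matches any entry for the same authority, client and resource.
        if user is not None:
            key = (authority, client_id, resource, user)
            return key, self._entries.get(key)
        for key, entry in self._entries.items():
            if key[:3] == (authority, client_id, resource):
                return key, entry
        return None, None

    def acquire_token(self, authority, resource, client_id, user=None):
        key, entry = self._find(authority, client_id, resource, user)
        if entry is not None:
            if entry.expires_at - self._skew > self._clock():      # "valid access token?"
                return entry, "cache"                              # -> return cache entry
            if entry.refresh_token:                                # "refresh token?"
                fresh = self._refresh(entry.refresh_token)         # -> refresh the access token
                if fresh is not None:                              # "success?" -> replace entry
                    self._entries[key] = CacheEntry(*fresh)
                    return self._entries[key], "refresh"
        result = self._prompt()               # every NO path ends here: WebAuthenticationBroker
        if result is None:
            raise AuthError("interactive authentication failed")   # -> return error info
        signed_in_user, access_token, refresh_token, expires_at = result
        key = (authority, client_id, resource, signed_in_user)
        self._entries[key] = CacheEntry(access_token, refresh_token, expires_at)
        return self._entries[key], "prompt"   # -> cache access token, refresh token, validity


def run_scenario():
    """Walk through every branch of the flowchart with constructed inputs and a fake clock."""
    now = [1_000_000.0]
    calls = {"refresh": 0, "prompt": 0}
    refresh_ok = [True]

    def refresh(refresh_token):
        calls["refresh"] += 1
        return ("at-refreshed", "rt-2", now[0] + 3600) if refresh_ok[0] else None

    def prompt():
        calls["prompt"] += 1
        return ("alice@contoso.onmicrosoft.com", "at-1", "rt-1", now[0] + 3600)

    cache = TokenCache(refresh, prompt, clock=lambda: now[0])
    args = ("https://login.windows.net/contoso.onmicrosoft.com", "http://host.com/shipmentservice", "client-id")
    sources = [cache.acquire_token(*args)[1]]       # empty cache          -> prompt
    sources.append(cache.acquire_token(*args)[1])   # fresh entry          -> cache
    now[0] += 3600                                  # access token expired
    sources.append(cache.acquire_token(*args)[1])   # refresh token works  -> refresh
    now[0] += 3600
    refresh_ok[0] = False                           # token endpoint rejects the refresh token
    sources.append(cache.acquire_token(*args)[1])   # refresh fails        -> prompt again
    return sources, calls
```

Two properties matter for a practitioner: a still-valid access token never triggers network traffic, and a failed refresh (revoked or expired refresh token) degrades to an interactive prompt rather than to an error, which is what lets the app keep working across token lifetimes without its own session logic.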

Page 22

Checklist

- Access resources outside of the corporate network. Use OAuth2.
  - Register client app and resources in Active Directory
  - Get and use access tokens
- Handle authentication and session mechanics. Use the Windows Azure Authentication Library.
- Apply access policies on non-domain joined devices.

Tackle those, and you've got yourself a nice business app.

Page 23

Apply access policies on non-domain joined devices

Page 24

Workplace-join in Windows 8.1

Especially useful for:
- user-owned devices
- devices incapable of joining a domain

Allows administrators to apply access control policies in a wide range of scenarios.
Workplace-join ability is available directly in Windows 8.1.

Page 25

Workplace Join Mechanics

- IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user's identity. Multi-factor authentication can be used through Windows Azure Active Authentication.
- Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.
- Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications.
- As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device.
- Data from Windows Intune is synchronized with Configuration Manager, which provides unified management across both on-premises and the cloud.

Page 26

Using Device Authentication Info to Drive Access

Some constraints on how authentication should take place to apply device-aware access policies:

On the client
- Ensure your app manifest has the right capabilities
- WebAuthenticationBroker should be invoked in SSO mode
- In AAL: you should use the AcquireTokenAsync(resource, clientid) overload

In ADFS
- Server-wide: enable device authentication
- Per-RP: add device-related issuance authorization rules

Page 27

Demo

Page 28

Checklist

- Access resources outside of the corporate network. Use OAuth2.
  - Register client app and resources in Active Directory
  - Get and use access tokens
- Handle authentication and session mechanics. Use the Windows Azure Authentication Library.
- Apply access policies on non-domain joined devices. Use Windows 8.1 Workplace-join and ADFS rules.

Tackle those, and you've got yourself a nice business app.

Page 29

In summary

Page 30

All you need to build a great modern business app

[Diagram: App and Resource, with the Windows Azure Authentication Library between them]

Page 32

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 33

Evaluate this session

Scan this QR code to evaluate this session and be automatically entered in a drawing to win a prize!