BUILDING AN ENTERPRISE APPLICATION ECOSYSTEM IN OFFICE 365: SECURITY, IDENTITY AND AUTH

James Tramel, Microsoft Technology Center, Malvern, PA

March 7, 2015

ADAL and Office 365 API post



AGENDA

• Demo – ADAL and Azure websites

• Demo – ACS and Azure websites

• Other access points and methods

• Identity discussion

• ADAL

AZURE

• Are you currently consuming Azure?

• How?

DEMO – ADAL WITH AZURE WEBSITE

• Creating global navigation for the enterprise in the app launcher

DEMO - ACS AND AZURE WEBSITES

• Provider hosted app

OTHER METHODS

• Power BI (data management gateway:8050)

• BCS / STS

• OneDrive / Hybrid Search

• Hybrid Apps

• Hybrid Trust

OAUTH 2.0

• OAuth is an open standard for authorization

• OAuth is not OpenID (authentication/digital ID)

• Valet Key

• Access Token

• Scopes

JWT

• What is it?

• How do you say it?

JWT

• JSON Web Token

• JWT is comparable to a SAML token but sacrifices some security options and expressivity for simplicity and size; it's designed to fit into HTTP headers and URI query arguments.

• From the current draft abstract: JSON Web Token (JWT) defines a token format that can encode claims transferred between two parties. The claims in a JWT are encoded as a JSON object that is then optionally digitally signed.

• SharePoint uses JWT tokens for its OAuth implementation

JWT SPEC

(slide diagram: Actor, Access token, X.509 certificate)

• A signed JWT is three base64url-encoded segments separated by ".": a header, a body and a signature over the first two. The header indicates the token type (JWT) and the signing algorithm; the body carries the claims (issuer, audience, validity window and the identity the token represents). It is built as follows:

1. The header is encoded to JSON, then base64UrlEncoded.

2. The body is encoded to JSON, then base64UrlEncoded.

3. The two base64UrlEncoded values are joined together by a ".".

4. The resulting value is signed with the private key of an X.509 certificate using RSA with a SHA-256 digest (alg RS256).

5. The signature from step 4 is base64UrlEncoded.

6. The value of step 3 is concatenated with the result of step 5, joined together by a ".".

SSO

• DirSync with password sync gives same sign-on: the user has the same password on-premises and in the cloud, but still signs in to each separately

• DirSync with ADFS gives true SSO: Office 365 federates to the on-premises STS, so a domain-joined user is not prompted again

• Third parties

OFFICE 365 API

• Well suited to 3rd-party apps and covers all of Office 365

• Every call is made on behalf of the user, i.e. these are client apps acting with a delegated token

OFFICE 365 API && APP MODEL

Office 365 API tools

• REST support
• Everything is on behalf of the user
• In Preview (tooling okay, but it changes)
• Requires an Azure tenant
• Azure AD, Exchange, SharePoint, CRM support
• Mobile and native support
• Loosely integrated

SharePoint App model

• CSOM and REST support
• On behalf of the user or the app
• Mature (good tooling)
• No external requirement (if SharePoint-hosted)
• SharePoint only
• Web only
• Tight integration with SharePoint

http://slides.com/simonj-k-pedersen/office-365-api-tools#/7

ADAL – ACTIVE DIRECTORY AUTHENTICATION LIBRARY

(AZURE)

ADAL.NET

• Microsoft.IdentityModel.Clients.ActiveDirectory : a library meant to help developers take advantage of Active Directory for enabling client apps to access protected resources.

• Problem
  • I have a client app
  • I want to call a service, but it requires me to present a token

• Solution
  • I go to some kind of authority and do whatever is necessary to get a token for the resource
  • Once I have the token, I call the resource

ADAL.NET HIGH LEVEL

• Main Class – AuthenticationContext – authority to get tokens

• Main method – AcquireToken – gets the token
  • Returns – AuthenticationResult, which carries the access token and its expiry

• Most of the work is now in AD setup
  • Fixed setups (remember the menu)

NEW

• ADAL JS
  • Signing on Azure AD users in your Single Page Apps (SPAs)
  • Consuming Web APIs secured by Azure AD directly from JavaScript

THANKS!

REFERENCES

• Vittorio Bertocci http://www.cloudidentity.com/

• Kirk Evans: http://blogs.msdn.com/b/kaevans/archive/2014/07/14/high-trust-sharepoint-apps-on-non-microsoft-platforms.aspx

• Wes Hackett: http://weshackett.com/2015/01/creating-a-simple-redirect-app-for-the-app-launcher/

• Adam Korczynski: http://adamkorczynski.com/2013/10/29/azure-oauth-2-0-tokens-and-endpoints/

• Chris O’Brien: http://www.sharepointnutsandbolts.com/2014/12/office-365-apps-and-sharepoint-apps-comparison.html

• Simon Pedersen: http://slides.com/simonj-k-pedersen/office-365-api-tools

• Steve Peschka: https://samlman.wordpress.com/2015/02/27/using-adal-access-tokens-with-o365-rest-apis-and-csom/

• Jeremy Thake: http://www.jeremythake.com/2014/06/using-the-sharepoint-csom-and-rest-api-with-office-365-api-via-azure-ad/

• Frank LaVigne: ACS virtual lab - Microsoft

REFERENCES

• Microsoft
  • https://msdn.microsoft.com/library/azure/dn383787.aspx
  • http://blogs.office.com/2014/04/15/synchronizing-your-directory-with-office-365-is-easy/
  • http://blogs.office.com/2014/11/12/office-2013-updated-authentication-enabling-multi-factor-authentication-saml-identity-providers/
  • https://technet.microsoft.com/en-us/library/hh852486.aspx
  • http://technet.microsoft.com/en-us/library/dn197169(v=office.15).aspx
  • http://msdn.microsoft.com/en-us/library/office/dn155905(v=office.15).aspx