rick-rainey
A cornerstone for just about any application is the identity of the users using the application. In an enterprise, the identity of users is often managed in Windows Server Active Directory, and enterprise developers building line-of-business (LOB) applications have become accustomed to using Windows Authentication to authenticate users of their application with their Active Directory credentials. Today, as enterprise developers target Microsoft Azure for their cloud applications, handling the identity and access needs of users in a way that is secure, robust and familiar to users is absolutely critical. After all, the online world is extremely hostile. The good news is that we don't have to be security experts to build secure LOB applications. We can leverage the services of Azure Active Directory and the industry-standard protocols it supports. We can leverage libraries like Windows Identity Foundation (WIF) / .NET Framework, the Active Directory Authentication Library (ADAL), and the Graph API to build secure, claims-based applications. And finally, we can use Visual Studio to pull it all together in a developer-friendly way. If you want to learn how, then this session is for you.
Building Secure Cloud Applications for the Enterprise
Microsoft Azure
Azure Web Site
Visual Studio 2013
Azure Active Directory
Azure SDK
Introductions…
• About me
  • Rick Rainey
  • Independent Consultant, Trainer, Writer, Speaker
• Contact information
  • [email protected]
  • @RickRaineyTx
  • http://rickrainey.com
  • LinkedIn: www.linkedin.com/rickrain
Agenda
• Introduction to Azure Active Directory
• Developing for Azure Active Directory
  • Claims-Based Identity
  • .NET Framework Classes and Client Libraries
  • Visual Studio 2013
An Introduction to Azure Active Directory
What is it?
What Azure Active Directory is not
(Diagram: Contoso running Windows Server Active Directory on-premises, and Contoso running Windows Server Active Directory on virtual machines in Microsoft Azure.)
What Azure Active Directory is
(Diagram: Contoso, Fabrikam and Northwind tenants hosted in Azure Active Directory, running in Microsoft Azure.)
A multi-tenant service providing identity and access management capabilities for the cloud.
Azure Active Directory for an Enterprise (example)
(Diagram: Contoso's on-premises Windows Server Active Directory extended to an Azure Active Directory tenant in Microsoft Azure, which fronts the Contoso Paystub App, the Contoso Benefits App and other LOB apps.)
Extend an on-premises Server Directory to Azure AD.
Protect access to cloud applications.
Grant access to SaaS applications.
DEMO
Azure Active Directory
• A lap around Azure AD using the Azure Management Portal
Developing for Azure Active Directory
Azure AD’s Application Endpoints
• WS-Federation
  • https://login.windows.net/<tenant id>/wsfed
• SAML-P
  • https://login.windows.net/<tenant id>/saml2
• Azure AD Graph API
  • https://graph.windows.net/<tenant id>
• OAuth 2.0 Token
  • https://login.windows.net/<tenant id>/oauth2/token
• OAuth 2.0 Authorization
  • https://login.windows.net/<tenant id>/oauth2/authorize
Accessing the Endpoints
• REST APIs
• Client Libraries
  • .NET Framework / Windows Identity Foundation
  • Active Directory Authentication Library (ADAL)
  • Azure Active Directory Graph Client Library
Windows Identity Foundation
• A set of .NET Framework classes…
  • Claim
    • Statement about a user or entity provided by an Identity Provider
  • ClaimsPrincipal
    • Claims collection, Identities collection, IsInRole, and more
  • ClaimsIdentity
    • Name, Authentication Type
• …and HTTP Modules
  • WSFederationAuthenticationModule (WSFAM)
  • SessionAuthenticationModule (SAM)
*** Already included in .NET Framework 4.5 and higher. ***
What is Claims-Based Identity?
(Diagram: the bar analogy, with the Dept. of Transportation as the Identity Provider.)
• Subject: "I would like a Blue Moon please."
• Relying Party (RP): "You look under age. Show me some ID."
• Subject: "Thank you for that compliment… allow me to present to you my driver’s license."
• Identity Provider (IdP): Dept. of Transportation
Authentication is externalized to the Dept. of Transportation.
WS-Federation: Simplified
(Diagram: Azure Active Directory and the Contoso Benefits Website.)
• Contoso Benefits Website: I trust tokens from the Contoso directory tenant.
• Contoso user authenticates with Azure AD.
Windows Identity Foundation
(Diagram: WIF running inside the Contoso Benefits Website.)
WIF:
• Validates token signature
• Decrypts token
• Extracts claims
• Sets session cookies
• Optionally invokes authorization code
• And a lot more…
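The relying-party checks described on the WS-Federation and WIF slides, as an added illustration that is not code from the deck or from WIF. It models the WSFAM pipeline (minus decryption) in Python: verify the signature with the trusted tenant key, check issuer, audience and expiry, then expose the claims through a ClaimsPrincipal-like object. The tenant id, signing key and audience are constructed, and an HMAC-SHA256-signed JSON token stands in for the RSA-signed tokens Azure AD issues.

```python
# Added illustration, not code from the deck or from WIF: the checks a relying
# party (RP) performs on an incoming token before trusting its claims.
# Simplification: a JSON token signed with HMAC-SHA256 stands in for the
# RSA-signed tokens Azure AD issues; tenant id, key and audience are constructed.
import base64, hashlib, hmac, json, time

TENANT_ID = "contoso-tenant-id"                     # constructed placeholder
TRUSTED_ISSUER = f"https://login.windows.net/{TENANT_ID}/"
ISSUER_KEY = b"constructed-tenant-signing-key"     # shared with the IdP in this model
AUDIENCE = "https://contoso.com/benefits"          # the Contoso Benefits Website (constructed)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, key: bytes = ISSUER_KEY) -> str:
    """IdP side: serialize the claims and sign them."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

class ClaimsPrincipal:
    """Minimal analogue of System.Security.Claims.ClaimsPrincipal."""
    def __init__(self, claims: dict):
        self.claims = claims
    @property
    def name(self) -> str:
        return self.claims["name"]
    def is_in_role(self, role: str) -> bool:
        return role in self.claims.get("roles", [])

def validate_token(token: str, now=None) -> ClaimsPrincipal:
    """RP side (the WSFAM pipeline, minus decryption): signature, issuer, audience, expiry."""
    now = time.time() if now is None else now
    body, sig = token.split(".")                          # malformed token -> ValueError
    expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):   # 1. signature from the trusted key
        raise ValueError("invalid signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != TRUSTED_ISSUER:                # 2. issued by the trusted tenant
        raise ValueError("untrusted issuer")
    if claims.get("aud") != AUDIENCE:                      # 3. meant for this RP, not another app
        raise ValueError("wrong audience")
    if not claims.get("exp", 0) > now:                     # 4. still valid
        raise ValueError("token expired")
    return ClaimsPrincipal(claims)                         # 5. claims handed to the application
```

Only after all four checks pass does the application see a ClaimsPrincipal, which is where IsInRole-style authorization decisions belong.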
DEMO
Developing for Azure Active Directory
• Build an Azure Website protected by Azure Active Directory
Active Directory Authentication Library (ADAL)
Active Directory Authentication Library
• A library that provides simple authentication functionality for client applications.
• Works with Azure Active Directory and Windows Server Active Directory (with ADFS).
• Download from the NuGet package gallery.
ADAL Scenarios
• Authenticate Users of a Client Application to a Remote Resource
• Authenticate a Server Application to a Remote Resource
• Authenticate a Server Application on Behalf of a User to Access a Remote Resource
ADAL Notable Classes and Methods
• AuthenticationContext
  • An instance of an authority, such as an Azure AD Tenant or a Windows Server ADFS
  • AcquireToken(…) Method
• AuthenticationResult
  • Contains the AccessToken to use when accessing a protected resource.
Azure Active Directory Graph (“Graph API”)
Azure Active Directory Graph Client Library
• A library that provides CRUD capabilities for objects in Azure Active Directory.
  • A wrapper for the native REST APIs.
• Works with Azure Active Directory.
• Download from the NuGet package gallery.
Graph API Scenarios
• Query the directory
  • List of Users, Groups, Company Information, and more.
  • Get details about an object (user, group, etc.) in the directory.
• Add, Update, or Delete (or just disable) a User.
• Check a User’s Group membership for RBAC cases.
• And more…
Azure AD Graph Client Library - Notables
• GraphConnection
  • Represents a “connection” to an Azure AD Tenant.
  • Requires an AccessToken, which you get from ADAL.
• The application must be configured in Azure AD with the appropriate permissions
  • Sign-On and read user profile
  • Read directory data
  • Write directory data
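The three ADAL scenarios and the Graph Client Library's need for an ADAL-issued AccessToken, as an added illustration in Python that is not ADAL's or the Graph Client Library's code. It builds the request each scenario sends to the OAuth 2.0 token endpoint listed on the endpoints slide, parses the reply into an AuthenticationResult-like object, and attaches the token as a Bearer header for the Graph API. Assumptions: the standard OAuth 2.0 grants (authorization code, client credentials, and the jwt-bearer on-behalf-of exchange) are what sit behind the scenarios; client id, secret, code, user token and the JSON reply are constructed.

```python
# Added illustration, not ADAL's or the Graph Client Library's code: the OAuth 2.0
# token-endpoint requests that correspond to the three ADAL scenarios, and how
# the resulting AccessToken is presented to the Graph API. Assumption: standard
# OAuth 2.0 grants; all ids, secrets, codes and the JSON reply are constructed.
import json
from urllib.parse import urlencode

TENANT_ID = "contoso-tenant-id"                          # constructed placeholder
TOKEN_ENDPOINT = f"https://login.windows.net/{TENANT_ID}/oauth2/token"
GRAPH_RESOURCE = "https://graph.windows.net"            # resource identifier for the Graph API
ON_BEHALF_OF = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def token_request(scenario: str, client_id: str, client_secret: str, **extra) -> dict:
    """Form body sent to the token endpoint for each ADAL scenario on the slide."""
    base = {"client_id": client_id, "client_secret": client_secret, "resource": GRAPH_RESOURCE}
    if scenario == "user":             # client app acting for a signed-in user
        base.update(grant_type="authorization_code",
                    code=extra["code"], redirect_uri=extra["redirect_uri"])
    elif scenario == "app":            # server app acting under its own identity
        base.update(grant_type="client_credentials")
    elif scenario == "on_behalf_of":   # server app exchanging a user's token for a Graph token
        base.update(grant_type=ON_BEHALF_OF, assertion=extra["user_token"],
                    requested_token_use="on_behalf_of")
    else:
        raise ValueError(f"unknown scenario {scenario!r}")
    return {"url": TOKEN_ENDPOINT, "body": urlencode(base)}

class AuthenticationResult:
    """Analogue of ADAL's AuthenticationResult: the AccessToken plus its lifetime."""
    def __init__(self, reply: dict):
        if reply.get("token_type", "").lower() != "bearer":
            raise ValueError("expected a bearer token")
        self.access_token = reply["access_token"]
        self.expires_in = int(reply["expires_in"])
        self.resource = reply.get("resource")

def parse_token_reply(raw_json: str) -> AuthenticationResult:
    return AuthenticationResult(json.loads(raw_json))

def graph_request(result: AuthenticationResult, path: str) -> dict:
    """URL and headers a GraphConnection would use; the token must be for the Graph resource."""
    if result.resource not in (None, GRAPH_RESOURCE):
        raise ValueError("token was issued for a different resource")
    return {"url": f"{GRAPH_RESOURCE}/{TENANT_ID}/{path}",
            "headers": {"Authorization": f"Bearer {result.access_token}"}}
```

Whichever scenario produced it, the token only works against the Graph API if the application was granted the directory permissions listed above in Azure AD.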
DEMO
ADAL and Graph Client Library
• Build an application that performs CRUD operations in Azure Active Directory
Some Key Take-Aways
• Azure Active Directory
  • A multi-tenant service providing identity and access management for cloud applications
  • Can be integrated with an on-premises Server Active Directory
• Active Directory Authentication Library (ADAL)
  • Provides authentication capabilities for client apps
• Azure Active Directory Graph Client Library (“Graph API”)
  • Provides CRUD capabilities for directory data and objects
References
• [blog] Azure Active Directory Graph Client Library 1.0
  • http://bit.ly/1r5jIcz
• [blog] Authenticating with Organizational Accounts and Azure Active Directory
  • http://bit.ly/1s5DEhp
• [blog] Deep Dive: Azure Websites and Organizational Authentication using Azure AD
  • http://bit.ly/ZoDPrk
• Vittorio Bertocci’s Blog
  • http://www.cloudidentity.com/blog/
• Active Directory Team Blog
  • http://blogs.technet.com/b/ad/