Using Azure Active Directory to Secure Your Apps

Using Azure Active Directory to
Secure Your Apps
IT Unity Webinar Series
September 2015
Using Azure AD To Secure Your Apps
 Part 1: Introduction to Azure AD
 http://itunity.com/go/azure1
 Part 2: Integrating Azure AD
 Now
 Part 3: Advanced Azure AD Topics
 September 30th
About Me
SharePoint Solution Architect / Developer
Speaker / Trainer / Mentor
Microsoft MVP – Office 365 (Previously SharePoint Server)
Using Azure AD to Secure Your Apps
Part 2: Integrating Azure Active Directory
Agenda
 Using Azure AD to secure a web application
 Using Azure AD to secure a service
 Consuming a service secured by Azure AD
 Question and Answer
Application Types and Scenarios
Using Azure AD to secure a Web
Application
Application Types and Scenarios
Secure a Web Application?
 Allow access only to certain users
 Authorization
 Restrict functionality to members of a role.
 Authentication
Security Principals
 Users
 Groups
 “Service Accounts”
 Application
Authentication & Authorization
 What is Authentication (AuthN)?
 The process of verifying a principal’s identity.
 What is Authorization (AuthZ)?
 Determines which resources the principal can access.
AuthN/AuthZ Roles
Authentication and Authorization roles
Phase
Infrastructure
Application
Authorization
Allowed to
execute
function?
Start
Logon
Authentication
Logon Valid?
Common Authentication methods
 Integrated Windows NT Authentication
 Forms-Based Authentication
 .NET Membership
 ASP.NET Identity
 Claims-based Authentication
 Anonymous
Authenticating Users in the cloud
 Integrated NT not usually possible
 Unless running a managed cloud
 FBA requires management interface creation
 Is your code secure? Your password storage container?
 Claims-based is current standard
 Multiple formats, but same concepts
 Anonymous
 Well…
Claims in real life
 Form I-9
 Purchasing Alcohol
 Login with Facebook
Auth Protocols & Code Libraries
Authenticating Users
 Externalize authentication
 No more ASP.NET Membership
 Authentication delegated to an Identity Provider (IdP)
 IdP issues a token that contains claims
 Claims are used in Authorization decisions
Authenticating Users - Protocols
 WS-FED
 SAML format (Security Assertion Markup Language)
 Providers
 Azure Access Control Services
 Active Directory Federation Services (AD FS)
 OpenID Connect
 JWT format
 Providers
 Azure Active Directory (Azure AD)
 Social Networks
Authenticating Users – Libraries
 WF-FED / SAML
 Windows Identity Foundation (WIF)
 System.IdentityModel & System.Security.Claims namespaces (4.5)
 Identity & Access Control in VS2012
 Change Authentication button on New Project Dialog (VS2013 &
VS2015)
 OpenID Connect
 ADAL (Active Directory Authentication Library)
 Builds on top of WIF
 Both managed and javascript libraries
 Project templates in VS2015
Authentication in Azure AD
Authentication in Azure AD
Web Browser to Web Application
Demo
Configuring an ASP.NET application to authenticate to Azure AD
OpenIDConnect using OWIN (VS2015)
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
PostLogoutRedirectUri = postLogoutRedirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications()
{
AuthenticationFailed = (context) =>
{
return System.Threading.Tasks.Task.FromResult(0);
}
}
}
);
// This makes any middleware defined above this line run before the
// Authorization rule is applied in web.config
app.UseStageMarker(PipelineStage.Authenticate);
}
WS-FED using WIF (VS2013)
public static void ConfigureIdentity()
{
RefreshValidationSettings();
Realm = ConfigurationManager.AppSettings["ida:realm"];
AudienceUri = ConfigurationManager.AppSettings["ida:AudienceUri"];
if (!String.IsNullOrEmpty(AudienceUri)) { UpdateAudienceUri(); }
}
public static void RefreshValidationSettings()
{
string metadataLocation =
ConfigurationManager.AppSettings["ida:FederationMetadataLocation"];
public static void UpdateAudienceUri()
{
int count = FederatedAuthentication.FederationConfiguration
Using Azure AD to Secure a Service
Application Types and Scenarios
Web Application to WebAPI
Demo
Configuring a WebAPI project to authenticate to Azure AD
Azure AD issued Bearer Tokens
public void ConfigureAuth(IAppBuilder app)
{
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
Audience = ConfigurationManager.AppSettings["ida:Audience"],
Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
});
}
Consuming a Service Secured by
Azure AD
OAuth2 - AppIdentity
private
new
private
new
static AuthenticationContext authContext =
AuthenticationContext(authority);
static ClientCredential clientCredential =
ClientCredential(clientId, appKey);
// ADAL includes an in memory cache, so this call will only send
// a message to the server if the cached token is expired.
AuthenticationResult result =
authContext.AcquireToken(todoListResourceId, clientCredential);
HttpClient client = new HttpClient();
HttpRequestMessage request = new HttpRequestMessage(
HttpMethod.Get,
todoListBaseAddress +
"/api/todolist?ownerid=" +
ownerId);
request.Headers.Authorization =
new AuthenticationHeaderValue("Bearer", result.AccessToken);
HttpResponseMessage response = await client.SendAsync(request);
Resources
Resources – Notables
 Cloud Identity Blog –Vittorio Bertocci
http://www.cloudidentity.com/blog/
 Dominick Baier
http://leastprivilege.com/
 Brock Allen
http://brockallen.com/
Resources – Azure AD
 Azure Active Directory developer's guide
http://aka.ms/aaddev
 Authentication Scenarios for Azure AD
https://azure.microsoft.com/en-us/documentation/articles/active-directoryauthentication-scenarios/
 Azure Active Directory Authentication Libraries
https://azure.microsoft.com/en-us/documentation/articles/active-directoryauthentication-libraries/
 Azure Active Directory Code Samples
https://azure.microsoft.com/en-us/documentation/articles/active-directorycode-samples/
Resources – updates to app model
 Now in public preview: The Converged Microsoft Account
and Azure Active Directory Programming Model
http://blogs.technet.com/b/ad/archive/2015/08/12/azure-ad-microsoftaccount-preview-sign-in-personal-and-work-accounts-using-a-single-stack.aspx
 Working with the converged Azure AD v2 app model
 Rich DiZerega
http://blogs.msdn.com/b/richard_dizeregas_blog/archive/2015/09/04/
working-with-the-converged-azure-ad-v2-app-model.aspx
Using Azure AD To Secure Your Apps
 Part 1: Introduction to Azure AD
 http://itunity.com/go/azure1
 Part 2: Integrating Azure AD
 http://itunity.com/go/azure2
 Part 3: Advanced Azure AD Topics
 September 30th
http://itunity.com/go/azure3

Download Report