ASP.NET 1.1 N/A ASP.NET 2.0 Membership Provider ASP.NET 4 Simple Membership ASP.NET 4/4.5 Universal...
Securing ASP.NET Applications and Services: Security Facelift for Modern Applications
Ido Flatow
Senior Architect, Sela Group, Israel.
Co-author:
Microsoft courses – “WCF 4” and “Developing Windows Azure and Web Services”
Books – “Pro .NET Performance” and “Pro Single Page Application Development”
Microsoft ASP.NET/IIS MVP
Focus on server, services, web, and cloud technologies
Manager of the Israeli Web Developers User Group
From Membership to Identity
ASP.NET 2.0: Membership Provider
ASP.NET 4: Simple Membership
ASP.NET 4/4.5: Universal Providers
ASP.NET 4.5: One ASP.NET Identity
Migrating? Check here: www.asp.net/identity/overview/migrations
What’s Your Poison? Identities & Scenarios
Identity: Usage Scenarios
Individual User Accounts (ASP.NET Identity with or w/o Social Identities): Internet apps, small and medium businesses, consumer apps
Active Directory (AD): On-premises enterprise apps and users (LAN/VPN)
Active Directory Federation Services (ADFS): On-premises enterprise apps with remote users
Azure Active Directory (AAD): Cloud-based enterprise apps
Identity / Credentials
Authentication / Authorization
Roles / Claims
Two Factor Authentication (2FA)
Passive / Active Protocols
OWIN & Katana Recap
Open Web Interface for .NET
Abstraction layer between .NET web servers and web applications
A new pipeline for HTTP requests and responses
OWIN = community-owned specification
Katana (Microsoft OWIN Components) = Microsoft’s implementation of OWIN
Microsoft OWIN security middlewares
Individual User Accounts
ASP.NET Identity - One to Rule Them
Usable across all ASP.NET Frameworks (Web Forms, MVC, Web Pages, Web API, and SignalR)
Accessible from web, desktop, and mobile clients
Manage users internally or use external providers
Customizable scheme and persistency (can be a relational database or NoSQL storage)
Supports both roles and claims
Authentication based on OWIN middlewares
What’s New in Identity 2.0? (Highlights)
Two-Factor Authentication
Account Lockout
Account confirmation
Password reset
Sign-out everywhere
Enhanced password validator
IQueryable for users and roles
Everything that’s new: bit.ly/aspnet-identity-2-rtm
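An added example, not taken from the deck or its samples: one way to switch on several of the Identity 2.0 features listed above (enhanced password validator, account lockout, two-factor authentication) on a UserManager. The ApplicationUser type, the class and method names and all numeric values are assumptions, as is a user store that supports lockout and two-factor data (the Entity Framework UserStore does).

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// Hypothetical user type for this example (IdentityUser comes from the EF store package).
public class ApplicationUser : IdentityUser { }

public static class IdentityHardening
{
    // Turns on Identity 2.0 features named on the slide. All numbers are sample values.
    public static UserManager<ApplicationUser> Create(IUserStore<ApplicationUser> store)
    {
        var manager = new UserManager<ApplicationUser>(store);
        // Account confirmation and password reset rely on one e-mail address per account.
        manager.UserValidator = new UserValidator<ApplicationUser>(manager) { RequireUniqueEmail = true };
        // Enhanced password validator.
        manager.PasswordValidator = new PasswordValidator
        {
            RequiredLength = 12, RequireDigit = true, RequireLowercase = true,
            RequireUppercase = true, RequireNonLetterOrDigit = true
        };
        // Account lockout: 5 failures lock the account for 15 minutes.
        manager.UserLockoutEnabledByDefault = true;
        manager.MaxFailedAccessAttemptsBeforeLockout = 5;
        manager.DefaultAccountLockoutTimeSpan = TimeSpan.FromMinutes(15);
        // Two-factor authentication: a code sent by e-mail (needs manager.EmailService set).
        manager.RegisterTwoFactorProvider("EmailCode", new EmailTokenProvider<ApplicationUser>
        {
            Subject = "Security code", BodyFormat = "Your security code is {0}"
        });
        return manager;
    }

    // Lockout only takes effect if the sign-in path records failures, as done here.
    public static async Task<bool> VerifyPasswordAsync(
        UserManager<ApplicationUser> manager, string userName, string password)
    {
        var user = await manager.FindByNameAsync(userName);
        if (user == null || await manager.IsLockedOutAsync(user.Id)) return false;
        if (await manager.CheckPasswordAsync(user, password))
        {
            await manager.ResetAccessFailedCountAsync(user.Id);
            return true;
        }
        await manager.AccessFailedAsync(user.Id); // counts toward the lockout threshold
        return false;
    }
}
```

Returning the same result for an unknown user, a locked account and a wrong password keeps the sign-in response from revealing which accounts exist.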
ASP.NET Identity with MVC, Web API, and SignalR
ASP.NET Identity and External Providers
Why force users to create yet another identity?
ASP.NET Identity supports external social providers (Facebook, Google, Microsoft, Twitter)
Pluggable using OWIN middlewares
Supports storing additional user information
Single user can have multiple social identities
ASP.NET Identity with Social Providers
On-Premises and Cloud with AD, ADFS, and AAD
What Has Changed for the Enterprise?
On-premises users? Using Windows Authentication? Nothing has changed!
External users? Using ADFS? Continue reading…
Back in .NET 3.5 / 4 – needed to install WIF
As of .NET 4.5 – WIF is part of the .NET Framework
Create new ASP.NET projects using ADFS in VS 2013
OWIN middleware support
Microsoft Azure AD in a Nutshell
User and group repository – as a service
Integrates with on-premises AD/ADFS
Supports single and multi-tenant applications
Manageable with the Graph API (HTTP-based)
Create new ASP.NET projects using AAD in VS 2013
AAD and ASP.NET:
Use same techniques as ADFS (WIF modules / OWIN security middlewares)
AAD also supports the OpenID Connect middleware
ASP.NET in the Cloud with AAD
What Are Your Options? Identities & Technologies
Identity: Technology
Individual User Accounts: ASP.NET Identity, Social Providers
One ASP.NET Identity System
Many new features in ASP.NET Identity 2.0 such as 2FA.
Active Directory (AD): IIS + Windows Authentication
Active Directory Federation Services (ADFS): WS-Federation middleware (Passive), OAuth 2 middleware (Active)
Azure Active Directory (AAD): Same as for ADFS, OpenID Connect
Resources
All About ASP.NET Identity
http://asp.net/identity
http://curah.microsoft.com/55636/aspnet-identity
Blogs and Docs
http://blogs.msdn.com/b/webdev
http://blogs.technet.com/b/ad
http://asp.net/identity/overview/migrations
http://azure.microsoft.com/en-us/documentation/services/active-directory
My Info
@idoflatow [email protected] http://blogs.microsoft.co.il/idof
Slides & Samples: http://1drv.ms/1kDVjEt
Breakout Sessions
DEV-B213, ASP.NET: Building Web Application Using ASP.NET and Visual Studio
DEV-B344, Building Web Apps and Mobile Apps Using Microsoft Azure Active Directory for Identity Management
DEV-B359, Latest Innovations in Developing ASP.NET MVC Web Applications
DEV-B385, INTRODUCING: The Future of .NET on the Server
DEV-B411, DEEP DIVE: The Future of .NET on the Server
DEV-B416, SignalR: Building Real-Time Applications with ASP.NET SignalR
Labs
DEV-H203, Bringing Together One ASP.NET
Find Me Later At...
Apress booth, 12:30-1:00. Book signing, “Pro Single Page Application Development”
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.