Securing ASP.NET Applications and Services: Security Facelift for Modern ApplicationsIdo Flatow

DEV-B421

Senior Architect, Sela Group, Israel.Co-author:

Microsoft courses – “WCF 4” and “Developing Windows Azure and Web Services”Books – “Pro .NET Performance” and “Pro Single Page Application Development”

Microsoft ASP.NET/IIS MVPFocus on server, services, web, and cloud technologiesManager of the Israeli Web Developers User Group

About Me

From Membership to Identity

ASP.NET 1.1N/A

ASP.NET 2.0Membership Provider

ASP.NET 4Simple Membership

ASP.NET 4/4.5Universal Providers

ASP.NET 4.5One ASP.NET Identity

Migrating? Check here: www.asp.net/identity/overview/migrations

What’s Your Poison?Identities & Scenarios

Identity Usage ScenariosIndividual User Accounts (ASP.NET Identity with or w/o Social Identities)

Internet apps, small and medium businesses, consumer apps

Active Directory (AD) On-premises enterprise apps and users (LAN/VPN)

Active Directory Federation Services (ADFS)

On-premises enterprise apps with remote users

Azure Active Directory (AAD) Cloud-based enterprise apps

Identity / CredentialsAuthentication / AuthorizationRoles / ClaimsTwo Factor Authentication (2FA)Passive / Active Protocols

Terminology

Open Web Interface for .NETAbstraction layer between .NET web servers and web applicationsA new pipeline for HTTP requests and responsesOWIN = community-owned specificationKatana (Microsoft OWIN Components) = Microsoft’s implementation of OWINMicrosoft OWIN security middlewares

OWIN & Katana Recap

Individual User Accounts

Usable across all ASP.NET Frameworks (Web Forms, MVC, Web Pages, Web API, and SignalR)Accessible from web, desktop, and mobile clientsManage users internally or use external providersCustomizable scheme and persistency(Can be relational database or NoSql storage)Supports both roles and claimsAuthentication based on OWIN middlewares

ASP.NET Identity - One to Rule Them

Two-Factor AuthenticationAccount LockoutAccount confirmationPassword resetSign-out everywhereEnhanced password validatorIQueryable for users and roles

What’s New in Identity 2.0? (Highlights)

Everything that’s new: bit.ly/aspnet-identity-2-rtm

DEMO

ASP.NET Identity with MVC, Web API, and SignalR

Why force users to create yet another identity?

ASP.NET Identity supports external social providers(Facebook, Google, Microsoft, Twitter)

Pluggable using OWIN middlewares

Supports storing additional user information

Single user can have multiple social identities

ASP.NET Identity and External Providers

DEMO

ASP.NET Identity with Social Providers

On-Premises and Cloud with AD, ADFS, and AAD

On-Premises users? using Windows Authentication?Nothing has changed!

External users? Using ADFS? Continue reading…

Back in .NET 3.5 / 4 – needed to install WIF

As of .NET 4.5 – WIF is part of the .NET Framework

Create new ASP.NET projects using ADFS in VS 2013

OWIN middleware support

What Has Changed for the Enterprise?

User and group repository – as a serviceIntegrates with on-premises AD/ADFSSupports single and multi-tenant applicationsManageable with the Graph API (HTTP-based)Create new ASP.NET projects using AAD in VS 2013AAD and ASP.NET:

Use same techniques as ADFS (WIF modules / OWIN security middlewares)AAD also supports the OpenID Connect middleware

Microsoft Azure AD in a Nutshell

DEMO

ASP.NET in the Cloud with AAD

What Are Your Options?Identities & Technologies

Identity TechnologyIndividual User Accounts ASP.NET Identity, Social Providers

One ASP.NET Identity SystemMany new features in ASP.NET Identity 2.0 such as 2FA.

Active Directory (AD) IIS + Windows Authentication

Active Directory Federation Services (ADFS)

WS-Federation middleware (Passive)OAuth 2 middleware (Active)

Azure Active Directory (AAD) Same as for ADFSOpenID Connect

ResourcesAll About ASP.NET Identityhttp://asp.net/identityhttp://curah.microsoft.com/55636/aspnet-identity

Codehttp://aspnetidentity.codeplex.comhttp://katanaproject.codeplex.comhttp://github.com/thinktecture

Blogs and Docshttp://blogs.msdn.com/b/webdevhttp://blogs.technet.com/b/adhttp://asp.net/identity/overview/migrationshttp://azure.microsoft.com/en-us/documentation/services/active-directory

My Info@idoflatow idof@sela.co.il http://blogs.microsoft.co.il/idof

Slides & Samples:http://1drv.ms/1kDVjEtEvaluate this session

Breakout SessionsDEV-B213, ASP.NET: Building Web Application Using ASP.NET and Visual Studio

DEV-B344, Building Web Apps and Mobile Apps Using Microsoft Azure Active Directory for Identity Management

DEV-B359, Latest Innovations in Developing ASP.NET MVC Web Applications

DEV-B385, INTRODUCING: The Future of .NET on the Server

DEV-B411, DEEP DIVE: The Future of .NET on the Server

DEV-B416, SignalR: Building Real-Time Applications with ASP.NET SignalR

Related content

LabsDEV-H203, Bringing Together One ASP.NET

Find Me Later At. . .Apress booth, 12:30-1:00. Book signing, “Pro Single Page Application Development”

Visit the Developer Platform & Tools BoothHaving a friend buy your coffee?Yea, it’s kind of like that.

MSDN Subscribers get up to $150/mo in Azure credits.

Stop by the Developer Platform and Tools booth and visit the MSDN Subscriptions station to activate your benefits and receive a gift!

http://aka.ms/msdn_teched

3 Steps to New Gear! With Application Insights

1. Create a Visual Studio Online account http://visualstudio.com

2. Install Application Insights Tools for Visual Studio Online http://aka.ms/aivsix

3. Come to our booth for a t-shirt and a chance to win!

VSIP QR Tag Contests Visit our booth to join the hunt for cool prizes!

ResourcesMicrosoft Engineering Stories

How Microsoft Builds Softwarehttp://aka.ms/EngineeringStories

Visual Studio Industry Partner Program

Meet Our New Visual Studio Online Partners or Join Now.http://vsipprogram.com

Visual Studio | Integrate

Create Your Own Dev Environmenthttp://integrate.visualstudio.com

Development tools & services for teams of all sizeshttp://www.visualstudio.com

Resources

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

msdn

Resources for Developers

http://microsoft.com/msdn

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Sessions on Demand

http://channel9.msdn.com/Events/TechEd

Complete an evaluation and enter to win!

Evaluate this session

Scan this QR code to evaluate this session.

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.