IT Unity Webinar Series September 2015 Using Azure Active Directory to Secure Your Apps.

Page 1:

IT Unity Webinar Series
September 2015

Using Azure Active Directory to Secure Your Apps

Page 2:

Using Azure AD To Secure Your Apps

Part 1: Introduction to Azure AD
http://itunity.com/go/azure1

Part 2: Integrating Azure AD
Now

Part 3: Advanced Azure AD Topics
September 30th

Page 3:

About Me

SharePoint Solution Architect / Developer
Speaker / Trainer / Mentor
Microsoft MVP – Office 365 (Previously SharePoint Server)

Page 4:

Part 2: Integrating Azure Active Directory

Using Azure AD to Secure Your Apps

Page 5:

Agenda

Using Azure AD to secure a web application

Using Azure AD to secure a service

Consuming a service secured by Azure AD

Question and Answer

Page 6:

Application Types and Scenarios

Page 7:

Using Azure AD to secure a Web Application

Page 8:

Application Types and Scenarios

Page 9:

Secure a Web Application?

Allow access only to certain users

Authorization

Restrict functionality to members of a role.

Authentication

Page 10:

Security Principals

Users

Groups

“Service Accounts”

Application

Page 11:

Authentication & Authorization

What is Authentication (AuthN)?

The process of verifying a principal’s identity.

What is Authorization (AuthZ)?

Determines which resources the principal can access.

Page 12:

AuthN/AuthZ Roles

[Diagram: Authentication and Authorization roles. Labels: Application, Infrastructure, Phase, Start, Logon, Logon Valid?, Allowed to execute function?, Authentication, Authorization.]

Page 13:

Common Authentication methods

Integrated Windows NT Authentication

Forms-Based Authentication
  .NET Membership
  ASP.NET Identity

Claims-based Authentication

Anonymous

Page 14:

Authenticating Users in the cloud

Integrated NT not usually possible
  Unless running a managed cloud

FBA requires management interface creation
  Is your code secure? Your password storage container?

Claims-based is current standard
  Multiple formats, but same concepts

Anonymous
  Well…

Page 15:

Claims in real life

Form I-9

Purchasing Alcohol

Login with Facebook

Page 16:

Auth Protocols & Code Libraries

Page 17:

Authenticating Users

Externalize authentication
  No more ASP.NET Membership

Authentication delegated to an Identity Provider (IdP)
  IdP issues a token that contains claims
  Claims are used in Authorization decisions
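
The flow on this slide, where the IdP issues claims and the application uses them for authorization decisions, as an added C# example that is not part of the original slides. The issuer URL, role name and user name are constructed values, and requiring the role claim to come from a specific issuer is an assumed policy for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

static class ClaimsAuthorizationDemo
{
    // Hypothetical values for this example; none come from the slides.
    const string TrustedIssuer = "https://idp.example/contoso";
    const string ApproverRole = "Approvers";

    // AuthZ decision made from claims: the identity must be authenticated
    // (AuthN was done by the IdP) and the role claim must have been issued
    // by the IdP this application trusts.
    static bool CanApprove(ClaimsPrincipal user)
    {
        if (user?.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        return user.Claims.Any(c =>
            c.Type == ClaimTypes.Role &&
            c.Value == ApproverRole &&
            c.Issuer == TrustedIssuer);
    }

    // Builds a principal the way token-handling middleware does after it has
    // validated a token. A null authType yields IsAuthenticated == false,
    // which models claims that were never validated.
    static ClaimsPrincipal Principal(string authType, string issuer, string role)
    {
        var claims = new[]
        {
            new Claim(ClaimTypes.Name, "alice@contoso.example", ClaimValueTypes.String, issuer),
            new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, issuer)
        };
        return new ClaimsPrincipal(new ClaimsIdentity(claims, authType));
    }

    static void Main()
    {
        // Constructed sample principals, one per case the check must handle.
        Console.WriteLine(CanApprove(Principal("Federation", TrustedIssuer, "Approvers")));           // trusted issuer, right role
        Console.WriteLine(CanApprove(Principal("Federation", TrustedIssuer, "Readers")));             // authenticated, wrong role
        Console.WriteLine(CanApprove(Principal(null, TrustedIssuer, "Approvers")));                   // claims present, not authenticated
        Console.WriteLine(CanApprove(Principal("Federation", "https://other.example", "Approvers"))); // role asserted by another issuer
    }
}
```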

Page 18:

Authenticating Users - Protocols

WS-FED
  SAML format (Security Assertion Markup Language)
  Providers
    Azure Access Control Services
    Active Directory Federation Services (AD FS)

OpenID Connect
  JWT format
  Providers
    Azure Active Directory (Azure AD)
    Social Networks

Page 19:

Authenticating Users – Libraries

WS-FED / SAML
  Windows Identity Foundation (WIF)
  System.IdentityModel & System.Security.Claims namespaces (4.5)
  Identity & Access Control in VS2012
  Change Authentication button on New Project Dialog (VS2013 & VS2015)

OpenID Connect
  ADAL (Active Directory Authentication Library)
  Builds on top of WIF
  Both managed and JavaScript libraries
  Project templates in VS2015

Page 20:

Authentication in Azure AD

Page 21:

Authentication in Azure AD

Page 22:

Web Browser to Web Application

Page 23:

Demo

Configuring an ASP.NET application to authenticate to Azure AD

Page 24:

OpenIDConnect using OWIN (VS2015)

using Owin;
using Microsoft.Owin.Extensions;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;

// clientId, authority and postLogoutRedirectUri are defined elsewhere (not shown on the slide).
public void ConfigureAuth(IAppBuilder app)
{
    // The sign-in result from Azure AD is persisted in a local cookie session.
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = authority,
            PostLogoutRedirectUri = postLogoutRedirectUri,
            Notifications = new OpenIdConnectAuthenticationNotifications()
            {
                // Hook for authentication failures; as written it takes no action.
                AuthenticationFailed = (context) =>
                {
                    return System.Threading.Tasks.Task.FromResult(0);
                }
            }
        }
    );

    // This makes any middleware defined above this line run before the
    // Authorization rule is applied in web.config
    app.UseStageMarker(PipelineStage.Authenticate);
}

Page 25:

WS-FED using WIF (VS2013)

public static void ConfigureIdentity()
{
    RefreshValidationSettings();
    // Realm and audience URI are read from the application's appSettings.
    Realm = ConfigurationManager.AppSettings["ida:realm"];
    AudienceUri = ConfigurationManager.AppSettings["ida:AudienceUri"];
    if (!String.IsNullOrEmpty(AudienceUri))
    {
        UpdateAudienceUri();
    }
}

public static void RefreshValidationSettings()
{
    string metadataLocation = ConfigurationManager.AppSettings["ida:FederationMetadataLocation"];
    // (the rest of this method is cut off on the slide)

public static void UpdateAudienceUri()
{
    int count = FederatedAuthentication.FederationConfiguration
    // (the rest of this statement and method is cut off on the slide)

Page 26:

Using Azure AD to Secure a Service

Page 27:

Application Types and Scenarios

Page 28:

Web Application to WebAPI

Page 29:

Demo

Configuring a WebAPI project to authenticate to Azure AD

Page 30:

Azure AD issued Bearer Tokens

using System.Configuration;
using Owin;
using Microsoft.Owin.Security.ActiveDirectory;

public void ConfigureAuth(IAppBuilder app)
{
    // Accept bearer tokens issued by the configured Azure AD tenant for this API's audience.
    app.UseWindowsAzureActiveDirectoryBearerAuthentication(
        new WindowsAzureActiveDirectoryBearerAuthenticationOptions
        {
            Audience = ConfigurationManager.AppSettings["ida:Audience"],
            Tenant = ConfigurationManager.AppSettings["ida:Tenant"]
        });
}

Page 31:

Consuming a Service Secured by Azure AD

Page 32:

OAuth2 - AppIdentity

using System.Net.Http;
using System.Net.Http.Headers;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// authority, clientId, appKey, todoListResourceId, todoListBaseAddress and ownerId
// are defined elsewhere (not shown on the slide).
private static AuthenticationContext authContext =
    new AuthenticationContext(authority);
private static ClientCredential clientCredential =
    new ClientCredential(clientId, appKey);

// ADAL includes an in memory cache, so this call will only send
// a message to the server if the cached token is expired.
AuthenticationResult result =
    authContext.AcquireToken(todoListResourceId, clientCredential);

// Call the service, passing the access token in the Authorization header.
HttpClient client = new HttpClient();
HttpRequestMessage request = new HttpRequestMessage(
    HttpMethod.Get,
    todoListBaseAddress + "/api/todolist?ownerid=" + ownerId);
request.Headers.Authorization =
    new AuthenticationHeaderValue("Bearer", result.AccessToken);
HttpResponseMessage response = await client.SendAsync(request);

Page 33:

Resources

Page 34:

Resources – Notables

Cloud Identity Blog – Vittorio Bertocci
http://www.cloudidentity.com/blog/

Dominick Baier
http://leastprivilege.com/

Brock Allen
http://brockallen.com/

Page 35:

Resources – Azure AD

Azure Active Directory developer's guide
http://aka.ms/aaddev

Authentication Scenarios for Azure AD
https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/

Azure Active Directory Authentication Libraries
https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-libraries/

Azure Active Directory Code Samples
https://azure.microsoft.com/en-us/documentation/articles/active-directory-code-samples/

Page 36:

Resources – updates to app model

Now in public preview: The Converged Microsoft Account and Azure Active Directory Programming Model
http://blogs.technet.com/b/ad/archive/2015/08/12/azure-ad-microsoft-account-preview-sign-in-personal-and-work-accounts-using-a-single-stack.aspx

Working with the converged Azure AD v2 app model
Rich DiZerega
http://blogs.msdn.com/b/richard_dizeregas_blog/archive/2015/09/04/working-with-the-converged-azure-ad-v2-app-model.aspx

Page 37:

Using Azure AD To Secure Your Apps

Part 1: Introduction to Azure AD
http://itunity.com/go/azure1

Part 2: Integrating Azure AD
http://itunity.com/go/azure2

Part 3: Advanced Azure AD Topics
September 30th
http://itunity.com/go/azure3