“we bought grandma a new tv. this is what my dad did to her remote.”

Uploaded by cecily-mathews, posted on 22-Dec-2015


Vittorio Bertocci, Principal Program Manager, Active Directory

Building Enterprise and SaaS web apps using Azure Active Directory for sign in

3-599

Plan
• Web sign in: past, present
• AAD model and protocols, part 1
• OpenID Connect
• OpenID Connect in ASP.NET
• AAD model, part 2: multitenancy

Traditional Web Sign In
• Mostly a matter of redirects, ending up with a cookie
• SAML, WS-Federation, etc.: mature technologies, widespread support
• Servers and services: ADFS, SharePoint, Azure Active Directory
• Programming stacks: Windows Identity Foundation, etc.
• IDEs: from VS 2010 onward

DEMO: Web SSO in VS2013. Create a web app using AAD right from the start.

How did that work? The AAD model
• Run your AD as a tenant
• AAD exposes roughly as many endpoints as the protocols it supports
• Every app needs an entry in AD providing protocol-specific coordinates

[Diagram: WebApp 1 (http://webapp1.com) has an entry in the contoso.onmicrosoft.com and Fabrikam.onmicrosoft.com tenants; each tenant exposes per-protocol endpoints (SAML, WS-Fed, OAuth2: OAuth-A and OAuth-T); WebApp 1 uses them to sign in and to obtain tokens for Resource 1]

OpenID Connect
• OpenID Connect formalizes how to layer sign in on OAuth2

[Diagram: the same model, with sign in now riding on the OAuth2 endpoints (OAuth-A and OAuth-T) for WebApp 1 (http://webapp1.com) and Resource 1]

New Programming Model: Distill to the Essential

“We bought Grandma a new TV. This is what my Dad did to her remote.” http://imgur.com/r/funny/Q8GMvsa

OpenID Connect and ASP.NET: OWIN
• New HTTP processing pipeline
• Lightweight, host-independent
• Very compact syntax, no tooling necessary
• Metadata-driven

    // Startup.Auth.cs: the cookie middleware keeps the session, the OpenID Connect
    // middleware performs the sign in against AAD.
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions { });
    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        // Client_Id on the original slide; the released Katana 3 middleware names it ClientId.
        ClientId = "d71c88d1-f3d3-47e9-8313-06bc9af9a991",   // the app's entry in AAD
        Authority = "https://login.windows.net/common/"       // where the middleware reads its metadata
    });

    [Authorize]   // on a controller or action: an anonymous request triggers the sign in challenge

DEMO: OpenID Connect Sign In with OWIN. Adding sign in capabilities in just a few lines of code.

Basic OM
• UseOpenIdConnectAuthentication extension method
• OpenIdConnectAuthenticationOptions class
• TokenValidationParameters class
• OpenIdConnectAuthenticationNotifications class

Extensibility points

    // Sign in: challenge the OpenID Connect middleware, then come back to "/"
    HttpContext.GetOwinContext().Authentication.Challenge(
        new AuthenticationProperties { RedirectUri = "/" },
        OpenIdConnectAuthenticationDefaults.AuthenticationType);

    // Sign out: end the OpenID Connect session and clear the local cookie
    HttpContext.GetOwinContext().Authentication.SignOut(
        OpenIdConnectAuthenticationDefaults.AuthenticationType,
        CookieAuthenticationDefaults.AuthenticationType);

Taking advantage of the Authorization Code

    // clientId, appKey, tenantIdClaimType, graphResourceID, db and F are defined
    // elsewhere in the app (the slide shows only the notification handler).
    Notifications = new OpenIdConnectAuthenticationNotifications()
    {
        // Named AuthorizationCodeReceived in the released Katana 3 middleware.
        AccessCodeReceived = (context) =>
        {
            var code = context.Code;
            ClientCredential credential = new ClientCredential(clientId, appKey);
            // The token must be redeemed at the caller's own tenant, not at /common
            string tenantID = context.ClaimsIdentity.FindFirst(tenantIdClaimType).Value;
            AuthenticationContext authContext = new AuthenticationContext(
                string.Format("https://login.windows.net/{0}", tenantID));
            // ADAL redeems the code for an access token to the Graph
            AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
                code,
                new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)),
                credential,
                graphResourceID);
            // Cache the result per signed-in user for later Graph calls
            string signedInUserID = context.ClaimsIdentity.FindFirst(ClaimTypes.NameIdentifier).Value;
            db.TokenCache.Add(F(signedInUserID, result));
            db.SaveChanges();
            return Task.FromResult(0);
        },
    };

Roles an app can play
• Resource: recipient of a token
  - WS-Federation, SAML, OpenID Connect sign in
  - Implemented via WIF, OWIN ASP.NET components
• Client: token requestor [to access another resource], OAuth2
  - With its own application identity (client credential grant)
  - With a delegation from a user (authorization code grant for confidential clients)
  - On behalf of a user (see this)
  - Implemented via Active Directory Authentication Library

Multitenant Apps in AAD
• If you make an app multi-tenant, it can be used from tenants other than your own. Restrictions apply.
• The first time a caller attempts access, he/she will be prompted to consent to the permissions the app requires. Upon approval, the app will be provisioned in his/her tenant.
• Two consent flows:
  - Admin consent: the admin consents for the app to be used by all of the users in his/her tenant
  - User consent: a user consents for the app as an individual

Consent Flow

[Diagram: WebApp 1, registered in developer.onmicrosoft.com and requiring the "Sign in as user" and "Directory write" permissions, is provisioned in contoso.onmicrosoft.com once a caller from that tenant consents]

Writing a Multitenant Web App
• Endpoint for late-bound tenant authentication: https://login.windows.net/common
• Each tenant will present tokens with its own Issuer value; you must modify the default validation pipeline to account for that
• Integrate consent in your onboarding process: how do you ensure that the caller is a legitimate customer of yours?
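Added example (not from the deck or its samples): a Startup that applies the two points above with the Katana 3.x OpenID Connect middleware. The built-in issuer check is switched off, as the common endpoint requires, and SecurityTokenValidated replaces it with a check that the issuer matches the token's tid claim and that the tenant is one that completed onboarding. The OnboardedTenants set, the placeholder IDs and the exception message are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    // Constructed sample: tenant IDs that completed the onboarding (consent) flow.
    // A real app reads this from the onboarding database it fills in during sign-up.
    private static readonly HashSet<string> OnboardedTenants =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "PLACEHOLDER-CONTOSO-TENANT-ID" };

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "PLACEHOLDER-CLIENT-ID",
            Authority = "https://login.windows.net/common/", // late-bound tenant
            TokenValidationParameters = new TokenValidationParameters
            {
                // /common cannot advertise one fixed issuer, so the built-in check is
                // turned off ONLY because SecurityTokenValidated below replaces it with
                // an explicit per-tenant check. Never leave it off on its own.
                ValidateIssuer = false
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = context =>
                {
                    var identity = context.AuthenticationTicket.Identity;
                    string tid = identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
                    string issuer = identity.FindFirst("iss").Value;
                    // Accept only a token issued by that tenant's own STS, and only if we onboarded it.
                    string expectedIssuer = "https://sts.windows.net/" + tid + "/";
                    if (!issuer.Equals(expectedIssuer, StringComparison.OrdinalIgnoreCase)
                        || !OnboardedTenants.Contains(tid))
                    {
                        throw new SecurityTokenValidationException("Tenant " + tid + " has not onboarded.");
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```

Throwing from the notification aborts the sign in, so a token from a tenant that never went through consent never becomes a session cookie.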

DEMO: A Multitenant SaaS App. Customized onboarding and sign in logic.

Working with the Graph API: Graph Library
• Helps developers to quickly integrate with the Graph API: makes it easy to call the Graph API, supporting both basic (e.g. get users) and more complex queries (e.g. batched requests)
• Preview version (0.9) available as a NuGet package: https://www.nuget.org/packages/Microsoft.Azure.ActiveDirectory.GraphClient/
• Sample apps on GitHub; OSS GA soon after //BUILD

Get your hands dirty!
• ADAL source: https://github.com/orgs/MSOpenTech
• ASP.NET OWIN components: http://katanaproject.codeplex.com/
• Samples: https://github.com/orgs/AzureADSamples

Azure Active Directory Premium

Today, we announced Azure Active Directory Premium, an advanced offering that includes IAM capabilities for on-premises, hybrid and cloud environments. Built on top of the free Azure AD, it provides an additional set of features to empower enterprises with demanding needs on identity and access management, such as:
• Group-based access assignment for SSO to more than 1200 SaaS apps via “myapps.microsoft.com” or mobile apps
• Self-service password reset
• Delegated group management
• Multi-Factor Authentication
• Customized branding
• Reporting, alerting, and analytics

Additionally, Azure AD Premium offers:
• An Enterprise SLA of 99.9%
• Usage rights to Forefront Identity Manager Server and CALs

Active Directory Reimagined

Your Feedback is Important

Fill out an evaluation of this session and help shape future events.

Scan the QR code to evaluate this session on your mobile device.

You’ll also be entered into a daily prize drawing!

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.