Securing Applications Using Windows Azure Active Directory
Dushyant Gill
Session WAD-B306
Omnipresence of Windows Server AD
The magic of Kerberos, Secure Channel/Domain Join, Windows Integrated Auth and LDAP.
Windows Server Active Directory, inside the intranet:
• Managed Access
• Managed Identities
• Integrated Business Apps
Beyond the intranet boundary:
• SaaS you buy
• SaaS you build
Windows Azure Active Directory
On-premises and cloud identities managed as one:
• Identity Lifecycle Management
• Single Sign-on
• Authorization using directory data
Windows Server Active Directory (On-Premises) feeds Windows Azure Active Directory through DirSync; Windows Azure AD in turn serves SaaS you build, SaaS you sell, Other Microsoft Services, Office 365 and 3rd Party SaaS you buy.
Windows Azure Active Directory
Directory Tenant 1, Directory Tenant 2, ... Directory Tenant n, one per customer organization:
• Small Businesses: no on-premises AD; identities managed in the cloud
• Medium/Large Enterprises with AD/ADFS: identities managed on premises, directory information synchronized to the cloud; SSO with Password Hash Sync, or SSO with Federation with ADFS/WS-Fed
• Schools & Universities with AD/LDAP and Shibboleth: SSO with Federation with Shibboleth/SAML 2.0
Protocols exposed to applications: SAML 2.0, WS-Federation, Federation Metadata, OAuth 2.0, REST-based Directory Graph API
Applications: Web Applications, Web APIs, Rich Client Apps; Single Tenant / Multi Tenant SaaS Applications; Admin Consent / Application Install
History, Strength and Pace of Innovation
• 4 Years of R&D Investment: Identity underpinning of Office 365, Dynamics CRM and Windows Azure
• 2.9 Million Organizations Served (as of April 2013)
• 265 Billion Authentication Requests Processed (as of April 2013)
Timeline, 15-Apr-13 to 15-Jun-13:
• 4/15 Windows Azure AD General Availability
• 4/22 OAuth and Client Library preview for Rich Clients
• 5/10 Proxy for REST Services
• 5/21 PHP and Node.js server-side
• 6/3 Password Sync GA, Windows Server Preview
• 6/7 JWT Token Handler GA, ADAL .NET Preview
• 6/11 Multi-Factor Auth GA
• 6/14 Simplified sign-in with multiple accounts
Demo Scenario: Application Registration
Step 1. Application Registration
The Developer registers each app as a Relying Party with the Developer's Organization's Windows Azure AD (the Identity Provider):
• Single Tenant App 1: ASP.NET Web App
• Single Tenant App 2: PHP Web App
Demo Scenario: Web Single Sign-On
Steps: 1. Application Registration; 2. Web Single Sign-on
A user from the developer's organization signs on to the registered Relying Parties (Single Tenant App 1, ASP.NET Web App; Single Tenant App 2, PHP Web App); the apps talk to the Developer's Organization's Windows Azure AD (Identity Provider) over SAML 2.0 or WS-Federation, configured from its Federation Metadata.
Web Single Sign-on: User's Browser, Resource Web App, Windows Azure AD
1. Browser: HTTP GET https://resource.com
2. Resource Web App: HTTP 302 REDIRECT to the tenant's sign-in endpoint
   WS-Fed: https://login.windows.net/<tenant>/wsfed?wa=wsignin1.0&wtrealm=https%3a%2f%2fresource.com&wct=2013-06-19T03%3a20%3a02Z
   SAML-P: https://login.windows.net/<tenant>/saml2?SAMLRequest=jZFNS8NA…&RelayState=http…
   Browser: HTTP GET of that URL against Windows Azure AD
3. Windows Azure AD: User Authentication
4. Windows Azure AD: HTTP 200 OK with a self-posting form back to the app
   WS-Fed: <form method="POST" action="https://resource.com"> <input type="hidden" name="wa" …> <input type="hidden" name="wresult" …>
   SAML-P: <form method="POST" action="https://resource.com"> <input type="hidden" name="SAMLResponse" …> <input type="hidden" name="RelayState" …>
   Browser: HTTP POST https://resource.com with wa=wsignin1.0&wresult=token (WS-Fed) or SAMLResponse=token (SAML-P)
5. Resource Web App: validates the token, then HTTP 302 REDIRECT https://resource.com and sets its own Auth Cookie
6. Browser: HTTP GET https://resource.com with Cookie: Auth Cookie
7. Resource Web App: HTTP 200 OK
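The step-2 redirects for both protocols, and the decoding the identity provider does at step 3, as an added example in Python (the deck shows no code; this is not Microsoft's code nor the demo apps' code). It assumes the login.windows.net endpoints exactly as shown on the slide, a tenant of contoso.onmicrosoft.com, a realm/issuer of https://resource.com and an AssertionConsumerService URL of https://resource.com/saml/acs; the function names are this example's own. It also adds the check a relying party needs at step 5 that the slide does not spell out: RelayState came back through the browser, so it is only honoured when it points at the app's own origin.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

LOGIN_HOST = "https://login.windows.net"            # sign-in host shown on the slide
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def _utc_now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def wsfed_signin_url(tenant, realm, wct=None):
    """Step 2, WS-Federation passive sign-in (wa=wsignin1.0).
    wtrealm must match the App ID URI registered for the app; wct is the request time."""
    params = {"wa": "wsignin1.0", "wtrealm": realm, "wct": wct or _utc_now()}
    return f"{LOGIN_HOST}/{tenant}/wsfed?" + urlencode(params)


def saml_authn_request(issuer, acs_url, request_id=None, issue_instant=None):
    """Minimal AuthnRequest. Issuer is the app's registered entityID; keep the returned
    ID so the Response's InResponseTo can be matched against it later."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or _utc_now()
    xml_text = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
        f'Version="2.0" IssueInstant="{issue_instant}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )
    return request_id, xml_text


def redirect_encode(xml_text):
    """SAML HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64.
    URL-encoding of the result happens when it is placed in the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)     # wbits=-15 selects raw deflate
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def redirect_decode(value):
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def saml_signin_url(tenant, issuer, acs_url, relay_state, **kw):
    """Step 2, SAML-P: AuthnRequest over HTTP-Redirect, RelayState carrying the
    URL the user originally asked for."""
    request_id, xml_text = saml_authn_request(issuer, acs_url, **kw)
    query = urlencode({"SAMLRequest": redirect_encode(xml_text), "RelayState": relay_state})
    return request_id, f"{LOGIN_HOST}/{tenant}/saml2?{query}"


def decode_saml_signin_url(url):
    """What the IdP recovers at step 3 from the redirect URL."""
    qs = parse_qs(urlsplit(url).query)
    root = ET.fromstring(redirect_decode(qs["SAMLRequest"][0]))
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": qs.get("RelayState", [None])[0],
    }


def safe_return_url(relay_state, app_origin, default="/"):
    """Step 5: RelayState round-tripped through the browser, so the app only redirects
    to it when it stays on the app's own https origin; otherwise fall back to default."""
    if not relay_state:
        return default
    parts = urlsplit(relay_state)
    if parts.scheme == "https" and f"{parts.scheme}://{parts.netloc}" == app_origin:
        return relay_state
    return default
```

The WS-Fed URL built here differs from the slide's only in the case of the percent-encoding; the values are identical. The same deflate-then-base64 helper is what turns a SAML LogoutRequest into the SAMLRequest parameter of the sign-out flow further down.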
Single Sign-on Token claims: Name ID, Tenant ID, Object Identifier, Name, Audience
Federation Metadata (published per tenant by Windows Azure AD):
• SAML-P related: SAML SSO URL, SAML Logout URL
• WS-Fed related: WS-Fed SSO & Signout URL
• Shared by both: Token Signing Key, EntityID
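Added example in Python (not from the deck, not Microsoft's code): reading the endpoints and signing keys listed above out of a constructed, heavily trimmed FederationMetadata.xml, and then performing the relying-party checks on a constructed SAML assertion that carries the claims listed above, before the app issues its own Auth Cookie. The XML-DSig signature is not verified here; that must be done with an XML-DSig library using exactly the certificates this parser returns, because the issuer, audience, validity-window and tenant checks prove nothing on their own. The tenant id 82869000-…, the certificate string and the user values are sample data; the claim-type URIs are the ones AAD issues. The allowed_tenants parameter covers the multi-tenant scenario later in the deck, where the issuer changes per customer tenant while AAD signs every tenant's tokens with the same published keys.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
      "wsa": "http://www.w3.org/2005/08/addressing", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TENANT_ID_CLAIM = "http://schemas.microsoft.com/identity/claims/tenantid"
OBJECT_ID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Constructed, trimmed stand-in for a tenant's FederationMetadata.xml (sample data).
FEDERATION_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
 xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 entityID="https://sts.windows.net/82869000-0000-4000-8000-000000000001/">
 <RoleDescriptor xsi:type="fed:SecurityTokenServiceType">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBconstructedSigningCert=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <fed:PassiveRequestorEndpoint><wsa:EndpointReference><wsa:Address>https://login.windows.net/82869000-0000-4000-8000-000000000001/wsfed</wsa:Address></wsa:EndpointReference></fed:PassiveRequestorEndpoint>
 </RoleDescriptor>
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBconstructedSigningCert=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.windows.net/82869000-0000-4000-8000-000000000001/saml2"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.windows.net/82869000-0000-4000-8000-000000000001/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed assertion with the claims the slide lists (signature contents omitted).
SAML_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_a1" Version="2.0" IssueInstant="2013-06-19T03:20:10Z">
 <Issuer>https://sts.windows.net/82869000-0000-4000-8000-000000000001/</Issuer>
 <ds:Signature><ds:SignedInfo/><ds:SignatureValue>omitted</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBconstructedSigningCert=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
 <Subject><NameID>user@contoso.onmicrosoft.com</NameID></Subject>
 <Conditions NotBefore="2013-06-19T03:15:10Z" NotOnOrAfter="2013-06-19T04:20:10Z"><AudienceRestriction><Audience>https://resource.com</Audience></AudienceRestriction></Conditions>
 <AttributeStatement>
  <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid"><AttributeValue>82869000-0000-4000-8000-000000000001</AttributeValue></Attribute>
  <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"><AttributeValue>0d2c6c30-0000-4000-8000-000000000002</AttributeValue></Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>user@contoso.onmicrosoft.com</AttributeValue></Attribute>
 </AttributeStatement>
</Assertion>"""


def parse_federation_metadata(xml_text):
    """Endpoints and signing keys from FederationMetadata.xml, as the slide lists them."""
    root = ET.fromstring(xml_text)
    sts = root.find("md:RoleDescriptor", NS)        # WS-Fed related
    idp = root.find("md:IDPSSODescriptor", NS)      # SAML-P related
    cert_path = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    certs = {c.text.strip() for role in (sts, idp) for c in role.findall(cert_path, NS)}
    return {
        "entity_id": root.get("entityID"),
        "wsfed_endpoint": sts.findtext("fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", namespaces=NS),
        "saml_sso_url": idp.find("md:SingleSignOnService", NS).get("Location"),
        "saml_logout_url": idp.find("md:SingleLogoutService", NS).get("Location"),
        "signing_certs": certs,
    }


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, metadata, audience, now_iso, allowed_tenants=None):
    """Relying-party checks on the posted assertion. Signature verification itself is
    delegated to an XML-DSig library fed with metadata['signing_certs']; this function
    only pins the certificate the token names to that set."""
    a = ET.fromstring(xml_text)
    issuer = a.findtext("saml:Issuer", namespaces=NS)
    cert = a.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if cert is None or cert.strip() not in metadata["signing_certs"]:
        raise ValueError("signing certificate is not one published in federation metadata")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    now = _ts(now_iso)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    audiences = {x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if audience not in audiences:
        raise ValueError(f"audience restriction {sorted(audiences)} does not include {audience}")
    claims = {att.get("Name"): att.findtext("saml:AttributeValue", namespaces=NS)
              for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    tid = claims.get(TENANT_ID_CLAIM)
    if issuer != f"https://sts.windows.net/{tid}/":
        raise ValueError("issuer and tenantid claim disagree")
    if allowed_tenants is None:                 # single-tenant app: only our own directory
        if issuer != metadata["entity_id"]:
            raise ValueError("issuer is not this app's own directory")
    elif tid not in allowed_tenants:            # multi-tenant app: only on-boarded customers
        raise ValueError("tenant has not been on-boarded through admin consent")
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS), "tenant_id": tid,
            "object_id": claims.get(OBJECT_ID_CLAIM), "name": claims.get(NAME_CLAIM), "issuer": issuer}


def assertion_error(*args, **kwargs):
    """Same checks, returning the rejection reason, or None when the token passes."""
    try:
        validate_assertion(*args, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)
```

The order matters in practice: pin the key and verify the signature first, then check time window, audience and issuer, and only then read the Name ID, Tenant ID and Object Identifier into the app's own session cookie. Keying user records on Object Identifier plus Tenant ID rather than on Name or Name ID survives renames.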
Demo Scenario: Sign-out
Steps: 1. Application Registration; 2. Web Single Sign-on; 3. Sign-out
A user from the developer's organization signs out of one of the Relying Parties (Single Tenant App 1, ASP.NET Web App; Single Tenant App 2, PHP Web App); the sign-out goes through the Developer's Organization's Windows Azure AD (Identity Provider) over SAML 2.0 or WS-Federation, using the endpoints from its Federation Metadata.
Single Sign-out: User's Browser, Resource Web App, Windows Azure AD
1. User initiates sign-out at the Resource Web App
2. Resource Web App: clears its Auth Cookie and sends HTTP 302 REDIRECT to the tenant's sign-out endpoint
   WS-Fed: https://login.windows.net/<tenant>/wsfed?wa=wsignout1.0&wtrealm=https%3a%2f%2fresource.com&wreply=https%3a%2f%2fresource.com
   SAML-P: https://login.windows.net/<tenant>/saml2?SAMLRequest=jZFNS8NA…&Signature=…&SigAlg=…
   Browser: HTTP GET of that URL against Windows Azure AD
3. Windows Azure AD: Sign-out Broadcast to the other relying parties in the session
4. Windows Azure AD: HTTP 302 REDIRECT back to the app
   WS-Fed: https://resource.com/signoutURL
   SAML-P: https://resource.com/signoutURL?SAMLResponse=…&Signature=…&SigAlg=…
   Browser: HTTP GET of that URL against the Resource Web App
5. Resource Web App: HTTP 200 OK
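The step-2 sign-out requests and the step-4 handler for the SAML-P case, as an added example in Python (not from the deck, not Microsoft's code). It assumes the same login.windows.net endpoints, tenant and realm as the sign-in example, and takes the app's RSA-SHA256 signing routine as a caller-supplied `sign(data) -> bytes` callable, since signing with the app's registered key is outside the scope of the example. What it shows that the slide only hints at with "Signature=…&SigAlg=…": the HTTP-Redirect binding signs the URL-encoded query in a fixed order, and on the way back the app must rebuild that string from the raw query it received, match InResponseTo against a request it actually issued, and check the status, before verifying the signature with the key published in federation metadata. The LogoutResponse builder at the end is a constructed stand-in for what the IdP sends, used only to exercise the handler.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote, urlencode, urlsplit

LOGIN_HOST = "https://login.windows.net"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def wsfed_signout_url(tenant, realm, reply):
    """Step 2, WS-Fed: wa=wsignout1.0. wreply is where AAD sends the browser afterwards
    and has to be one of the reply URLs registered for wtrealm."""
    return f"{LOGIN_HOST}/{tenant}/wsfed?" + urlencode({"wa": "wsignout1.0", "wtrealm": realm, "wreply": reply})


def _deflate_b64(xml_text):
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)          # raw DEFLATE, per the Redirect binding
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def _inflate_b64(value):
    return zlib.decompress(base64.b64decode(value), -15).decode()


def signing_input(param, encoded_xml, relay_state, sig_alg):
    """The Redirect-binding signature covers the URL-encoded query in exactly this order:
    SAMLRequest|SAMLResponse, then RelayState if present, then SigAlg."""
    parts = [f"{param}={quote(encoded_xml, safe='')}"]
    if relay_state is not None:
        parts.append(f"RelayState={quote(relay_state, safe='')}")
    parts.append(f"SigAlg={quote(sig_alg, safe='')}")
    return "&".join(parts)


def saml_signout_url(tenant, issuer, name_id, sign, relay_state=None, request_id=None, issue_instant=None):
    """Step 2, SAML-P: signed LogoutRequest over HTTP-Redirect. Returns (request id, URL)."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml_text = (f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{request_id}" '
                f'Version="2.0" IssueInstant="{issue_instant}"><saml:Issuer>{issuer}</saml:Issuer>'
                f"<saml:NameID>{name_id}</saml:NameID></samlp:LogoutRequest>")
    to_sign = signing_input("SAMLRequest", _deflate_b64(xml_text), relay_state, RSA_SHA256)
    sig = quote(base64.b64encode(sign(to_sign.encode())).decode(), safe="")
    return request_id, f"{LOGIN_HOST}/{tenant}/saml2?{to_sign}&Signature={sig}"


def handle_saml_logout_response(url, pending_request_ids):
    """Step 4, SAML-P: the browser arrives at signoutURL?SAMLResponse=…&Signature=…&SigAlg=….
    pending_request_ids is the set of LogoutRequest IDs this app issued and has not yet seen
    answered. Returns (signing_input, sig_alg, signature_bytes) for the caller's RSA verifier,
    which must use the IdP key from federation metadata."""
    raw_query = urlsplit(url).query
    qs = parse_qs(raw_query)
    root = ET.fromstring(_inflate_b64(qs["SAMLResponse"][0]))
    in_response_to = root.get("InResponseTo")
    if in_response_to not in pending_request_ids:
        raise ValueError("LogoutResponse does not answer a request this app issued")
    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value")
    if status != SUCCESS:
        raise ValueError(f"IdP reported {status}")
    # Rebuild the signed string from the raw, still URL-encoded pairs in binding order;
    # re-encoding the decoded values can change bytes and make a valid signature fail.
    raw = dict(p.split("=", 1) for p in raw_query.split("&"))
    signed = "&".join(f"{k}={raw[k]}" for k in ("SAMLResponse", "RelayState", "SigAlg") if k in raw)
    pending_request_ids.discard(in_response_to)            # one answer per request
    return signed, qs["SigAlg"][0], base64.b64decode(qs["Signature"][0])


def constructed_logout_response_url(signout_url, in_response_to, status=SUCCESS, sign=lambda data: b"signature"):
    """Constructed stand-in for the step-4 redirect AAD sends (sample data, not captured traffic),
    with the parameter order the slide shows: SAMLResponse, Signature, SigAlg."""
    xml_text = (f'<samlp:LogoutResponse xmlns:samlp="{SAMLP}" ID="_resp" Version="2.0" '
                f'IssueInstant="2013-06-19T03:30:00Z" InResponseTo="{in_response_to}">'
                f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status></samlp:LogoutResponse>')
    encoded = _deflate_b64(xml_text)
    sig = quote(base64.b64encode(sign(signing_input("SAMLResponse", encoded, None, RSA_SHA256).encode())).decode(), safe="")
    return f"{signout_url}?SAMLResponse={quote(encoded, safe='')}&Signature={sig}&SigAlg={quote(RSA_SHA256, safe='')}"
```

For WS-Fed the app has nothing to verify on the step-4 GET to its signoutURL; it already cleared its cookie at step 2. For SAML-P the local session should likewise be cleared at step 2, so a missing or failed LogoutResponse never leaves the user signed in.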
Demo Scenario: Multi-Tenant App
Steps: 1. Application Registration; 2. Web Single Sign-on; 3. Sign-out; 4. Multi-Tenant App
Alongside Single Tenant App 1 (ASP.NET Web App) and Single Tenant App 2 (PHP Web App), the Developer registers a Multi Tenant App with the Developer's Organization's Windows Azure AD (Identity Provider) and designates it to be Externally Available, so that other organizations' directories can sign users on to it over SAML 2.0 or WS-Federation, using its Federation Metadata.
Demo Scenario: Admin Consent
Steps: 1. Application Registration; 2. Web Single Sign-on; 3. Sign-out; 4. Multi-Tenant App; 5. Application Install/Admin Consent
The Multi Tenant App, registered in the Developer's Organization's Windows Azure AD (Identity Provider) next to Single Tenant App 1 (ASP.NET Web App) and Single Tenant App 2 (PHP Web App), is installed into the Customer's Windows Azure AD (Identity Provider 2): the Customer's Tenant Administrator consents to the Application Install, after which the customer directory signs its own users on to the app over SAML 2.0 or WS-Federation, using Federation Metadata.
Administrator Consent Flow: Tenant Admin, SaaS App, Windows Azure AD
1. Administrator initiates application install at the SaaS App
2. SaaS App: HTTP 302 REDIRECT https://account.activedirectory.windowsazure.com/Consent.aspx?ClientID=eb74…&RequestedPermissions=DirectoryReaders&ConsentReturnURL=https%3a%...
   Browser: HTTP GET of that URL against Windows Azure AD
3. Windows Azure AD: Authentication & Consent UI. AAD provisions the app's service principal in the customer tenant; the service principal is assigned permissions per the Tenant Admin's consent.
4. Windows Azure AD: HTTP 302 REDIRECT https://appConsentReturnURL?Consent=Granted&TenantId=82869…
   Browser: HTTP GET https://appConsentReturnURL?Consent=Granted&TenantId=82869…
   SaaS application completes on-boarding the new customer/organization
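The SaaS-app side of this flow (steps 1, 2 and 4), as an added example in Python (not from the deck, not Microsoft's code). It assumes the Consent.aspx endpoint and parameter names exactly as on the slide, that the consent page echoes the app's ConsentReturnURL back unchanged including a query string the app adds, and a caller-supplied `confirm_consent(tenant_id) -> bool` that establishes the service principal now exists in that tenant (for instance a Directory Graph API call made with the app's own credentials). The ClientID and tenant id values are sample data. The point the slide's step 4 leaves implicit: Consent=Granted&TenantId=… arrives as plain GET parameters, so the example ties the return to an install it started itself, treats each install as one-shot, and records the tenant only after confirm_consent succeeds.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

CONSENT_ENDPOINT = "https://account.activedirectory.windowsazure.com/Consent.aspx"   # as on the slide


class TenantOnboarding:
    """Pending installs and on-boarded tenants for a multi-tenant SaaS app."""

    def __init__(self, client_id, return_url, confirm_consent):
        self.client_id = client_id
        self.return_url = return_url            # the app's registered ConsentReturnURL
        # Assumption: callable(tenant_id) -> bool proving the app's service principal exists
        # in that tenant (e.g. a Graph API call with the app's own credentials).
        self.confirm_consent = confirm_consent
        self.pending = {}    # install_id -> (admin who started it, permissions requested)
        self.tenants = {}    # on-boarded tenant_id -> permissions granted

    def start_install(self, admin_upn, permissions="DirectoryReaders"):
        """Steps 1-2: mint an install id, remember it, build the Consent.aspx redirect."""
        install_id = secrets.token_urlsafe(16)
        self.pending[install_id] = (admin_upn, permissions)
        # Assumption: the consent page returns the browser to this exact URL, query included.
        return_url = f"{self.return_url}?install={install_id}"
        query = urlencode({"ClientID": self.client_id, "RequestedPermissions": permissions,
                           "ConsentReturnURL": return_url})
        return f"{CONSENT_ENDPOINT}?{query}"

    def complete_install(self, returned_url):
        """Step 4: the browser hits ConsentReturnURL?Consent=Granted&TenantId=….
        The query only selects the pending install; the tenant is on-boarded once
        confirm_consent() succeeds. Returns the tenant id, or None when consent was not granted."""
        qs = parse_qs(urlsplit(returned_url).query)
        install_id = qs.get("install", [None])[0]
        if install_id not in self.pending:
            raise ValueError("no pending install matches this return")
        admin_upn, permissions = self.pending.pop(install_id)      # one-shot: a replay is rejected
        if qs.get("Consent", [None])[0] != "Granted":
            return None
        tenant_id = qs.get("TenantId", [None])[0]
        if not tenant_id or not self.confirm_consent(tenant_id):
            raise ValueError(f"consent for tenant {tenant_id} could not be confirmed")
        self.tenants[tenant_id] = permissions
        return tenant_id

    def is_onboarded(self, tenant_id):
        """What the sign-on path consults before accepting a token issued for tenant_id."""
        return tenant_id in self.tenants
```

The set this object maintains in `tenants` is the allow-list a multi-tenant app checks the token issuer against at sign-on: a token from a tenant whose administrator never consented is rejected even though AAD signed it.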
© 2013 Microsoft Corporation. All rights reserved.