Azure Active Directory - An Introduction for Developers
Download as pptx, pdf1 like1,723 views
This document provides an overview of consulting and training services from Wintellect related to Azure Active Directory. It describes that Wintellect offers both consulting services to help build software as well as on-site, virtual and on-demand training courses taught by Microsoft experts. The document includes an agenda for an introduction to Azure Active Directory for developers that will cover topics like adding authentication to an ASP.NET MVC app and calling secured APIs from various client applications.
![Consulting/Training
Get to know the basic concepts of distributed application
authentication
Get familiar with the lay-of-the-land of the AAD Samples
See if your needs [align with || can be slightly pivoted to align with] the
concepts shown in the AAD Samples, and then use them as a roadmap
If you’re a .NET developer, focus on leveraging the ASP.NET OWIN
(“Katana”) middleware components in your applications (unless you are
already moving forward to vNext)
$0.05 of Advice](https://image.slidesharecdn.com/azureactivedirectorydevintro-share-150123225757-conversion-gate02/85/Azure-Active-Directory-An-Introduction-for-Developers-22-320.jpg)
Azure Active Directory - An Introduction for Developers
- 1. Consulting/Training Azure Active Directory An Introduction for Developers
- 2. Consulting/Training John Garland Microsoft MVP Windows Platform Development Member Microsoft Azure Insider Azure Mobile Services Advisory Board Author Windows Store Apps Succinctly Co-Author Programming the Windows Runtime by Example MCPD Azure, Windows Developer, Windows Phone MCTS Silverlight [email protected] @dotnetgator Wintellect Principal Consultant
- 3. Consulting/Training consulting Wintellect helps you build better software, faster, tackling the tough projects and solving the software and technology questions that help you transform your business. Architecture, Analysis and Design Full lifecycle software development Debugging and Performance tuning Database design and development training Wintellect's courses are written and taught by some of the biggest and most respected names in the Microsoft programming industry. Learn from the best. Access the same training Microsoft’s developers enjoy Real world knowledge and solutions on both current and cutting edge technologies Flexibility in training options – onsite, virtual, on demand Wintellect is the only company that offers the combined value of world class consulting services along with onsite, virtual and on-demand developer training. We help companies build better software, faster, helping you maximize and protect your consulting and training investments through ongoing knowledge transfer. who we are About Wintellect
- 4. Consulting/Training A Simple Demo – Adding Authentication to an ASP.NET MVC Application An Overview of Azure Active Directory The Developer Story Background – Integrating an Application’s Authentication with Azure Active Directory Demo – Working with the Azure Active Directory Graph API Demo – Calling a Secured Web API from a Secured Web App Demo – Calling a Secured Web API from a Native Client Application Wrapup Agenda
- 5. Consulting/Training Securing MVC Web Application Content with Azure Active Directory
- 6. Consulting/Training Created an app entry in an Azure Active Directory tenant (and some users) Used the OWIN middleware to add authentication support to the MVC Web App Configured the OWIN middleware to know about the AD app What Have We Seen?
- 7. Consulting/Training Identity & Access Management as a Service You decide who the users are, what information is stored, who can get at it, who can manage it, and what apps can use it. Microsoft is responsible for keeping it all running. Standalone, but can be synced with on-premises AD 3 Editions: Free, Basic, Premium Application integration via support for several standard authentication protocols (SAML 2.0, WS-Federation, Open ID Connect) Azure Active Directory – What Is It?
- 8. Consulting/Training No Object Limit No Object Limit No Limit Adv Security Reports Yes (Advanced)** Premium + Basic Features Group-based access management/provisioning Yes Yes Self-Service Password Reset for cloud users Yes Yes Company Branding (Logon Pages/Access Panel customization) Yes Yes SLA Yes (99.9%) Yes (99.9%)
- 9. Consulting/Training Designed for “The Cloud” (as opposed to being retrofitted/adapted) REST Graph API with OData syntax for queries (instead of LDAP) Synchronize OR Connect to on-prem AD (ADFS is optional) via AAD Connect Sync User attributes synced using Identity Sync Services (includes a password hash) Authentication completes against AAD Connect User attributes synced vis Identity Sync Services Authentication passed back to local AD via ADFS and is completed locally Synchronize OR Connect to external SaaS applications Azure Active Directory != Windows Active Directory
- 10. Consulting/Training Company Branding for Sign-In Screen Active Directory Application Proxy Access Control Services 2.0 Multi-Factor Authentication Security Reporting and Alerts License Management Leverage Single Sign On with 2400+ 3rd party apps in the Azure AD App Gallery Etc… But Wait, There’s More!
- 11. Consulting/Training Applications Entities that rely on AAD for Authentication Configuration Values: ClientID – Unique ID (GUID) for an application Application ID URI - Sent to AAD to indicate the what the caller wants a token for ReplyURL - For web API or web application, the location to which Azure AD will send the authentication response Redirect URI – For an OAuth 2.0 request, a unique identifier to which Azure AD will redirect the user-agent Domains Default <tenant>.onmicrosoft.com A default domain is created with your Azure Subscription for managing Azure Management Access Can also provision custom domain names, use tenant ID, or use the “custom” tenant Users Create in portal, via AAD PowerShell cmdlet, or via sync Azure Active Directory Development Terminology
- 12. Consulting/Training First Step – Stand up some middleware in front of the server Intercept requests and redirect if necessary to an Identity Provider (IdP). The IdP issues a token back to the client (browser, app), which is provided to the server that is hosting the secured resource. The Server verifies the token with the IdP and – if valid – allows the request to continue. Later Additional logic can request more information about the verified identity and check to determine the resource in question can be accessed. Fundamentals of Token-Based Web Authentication
- 13. Consulting/Training OpenID Auth Code Authentication Flow 1 – Request Resource 2 – Redirect to IdP 3–RequestCode 4-Challenge/Response 5–ReturnanAccessCode 6 – Send Auth Code To Server 9: Relying Party (eg – Your Web App) Client (eg – Your Web Browser) Identity Provider (IdP) (eg – Azure Active Directory) OAuth-A OAuth-T
- 14. Consulting/Training Then - Windows Identity Foundation (WIF) API for building claims-aware applications Configuration heavy, older tech, a product of a different era (WS-Fed) Authentication tooling in ASP.NET VS2013 Projects leverages WIF Now - “Katana” – Microsoft’s ASP.NET OWIN implementation. WS-Fed, OpenID Connect MUCH simpler to work with Hopefully VS Projects will get significant OWIN tooling “SOON” ASP.NET Authentication Middleware
- 15. Consulting/Training Azure AD Graph Client Library Wraps the REST API for Azure Active Directory - Access objects such as Users, Groups, Contacts, Tenant Information, Roles, Applications, Permissions OAuth 2.0 Support, supports both Client Credentials and Authorization Code flow Does not depend on ADAL, but often used together AD Authentication Library (ADAL) Authenticate users to AD and obtain access tokens for securing API calls Manage token caching & lifetime Works with Azure AD, Windows Server ADFS for Windows Server 2012 R2, and ACS Available for .NET, Windows Store (WinRT), Node.js V3.0 (Pre) is a PCL with support for WinRT, Xamarin iOS, Xamarin Android) Tools for Working with Azure Active Directory
- 16. Consulting/Training Calling the Graph API from an Authenticated MVC Web Site Endpoint
- 17. Consulting/Training The previous example looked at Securing one or more endpoints of an ASP.NET MVC app Using parts of the work done to authenticate the MVC App endpoint to also access the Azure AD Graph Now What If The Web App needs to call a secured Web API? As the App? As the User? A Native Client App needs to call the same secured Web API? Now What If…
- 18. Consulting/Training Flowing authentication from a Web App to a Web Service Calling the same Web Service from a Native Client Application
- 19. Consulting/Training Using OWIN Middleware to add AAD-based authentication to an MVC Web App endpoint Using Web App authentication credentials to call the AAD Graph API Using Web App authentication credentials to call a Web API service as both a user and an app Calling a Web API that requires authentication from a Native App What Have We Seen
- 20. Consulting/Training APIs and Sample Code Azure AD Authentication Library for .NET - http://msdn.microsoft.com/en- us/library/azure/jj573266.aspx Azure AD Graph API - http://msdn.microsoft.com/en- us/library/azure/hh974476.aspx Azure Active Directory Code Samples - http://msdn.microsoft.com/en- us/library/azure/dn646737.aspx Claims A Guide to Claims-Based Identity and Access Control (2nd Edition) - http://msdn.microsoft.com/en- us/library/ff423674.aspx Azure Active Directory Videos Channel 9 AAD Series - http://channel9.msdn.com/Series/Wind ows-Azure-Active-Directory TechEd Europe 2014 - http://channel9.msdn.com/Events/TechE d/Europe/2014?tag=microsoft-azure- active-directory Resources
- 21. Consulting/Training Native Clients WPF calling Web API WinRT Calling WebAPI Call Web API, calling another WebAPI Xamarin – Multiple OS’s Headless calling Web API Daemons (Services) Calling WebAPI (Password & Certificate) .NET Web Apps Call via OpenID Connect & WS-Fed App calls Web API via OpenID Connect, OAuth2 (App & User Identities) SPAs JavaScript client calling to .NET service Calling Azure AD Graph API RBAC via Groups and Roles Azure AD Samples And many more…
- 22. Consulting/Training Get to know the basic concepts of distributed application authentication Get familiar with the lay-of-the-land of the AAD Samples See if your needs [align with || can be slightly pivoted to align with] the concepts shown in the AAD Samples, and then use them as a roadmap If you’re a .NET developer, focus on leveraging the ASP.NET OWIN (“Katana”) middleware components in your applications (unless you are already moving forward to vNext) $0.05 of Advice
Editor's Notes
- #8: NOTE – “Free” is not (currently) limited to Dev/Test as some other Free service tiers are
- #9: Source: “Azure AD Explained” talk from TechEd EU 2014 Azure AD Premium Trial - 100 user licenses for 90 days
- #11: License management is currently limited to seats for Enterprise Mobility Suite (Intune, Azure AD RMS, Azure AD Premium), Azure AD Premium, Azure AD Basic, Office 365
- #14: http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps Also Vittorio at TE-EU 1/2 – Anonymous request results in a 302, with a redirect to the IdP 3 – Authenticate starts with request for an access code, which usually results in a challenge page (logon page). 4/5 - When the challenge is met, the access code is issued 6 – The request is then remade, passing along the code 7/8 – The server then requests a token, using the code as “collateral”, and if the Code is OK, a pair of tokens (A & R) are returned 9 – A Cookie is issued to the browser to establish use for the session
- #15: WIF - Formerly known as “Geneva” Opinion – VS2013 & WIF Authentication tooling is simply horrible – a cacophony of web.config entries, “mystery method” overrides, a database of dubious usefulness, and a whole lot of ceremony.