Azure Active Directory - An Introduction for Developers
Consulting/Training
Azure Active Directory
An Introduction for Developers
Consulting/Training
John Garland
Microsoft MVP Windows Platform Development
Member Microsoft Azure Insider
Azure Mobile Services Advisory Board
Author Windows Store Apps Succinctly
Co-Author Programming the Windows Runtime by Example
MCPD Azure, Windows Developer, Windows Phone
MCTS Silverlight
jgarland@wintellect.com
@dotnetgator
Wintellect Principal Consultant
About Wintellect – who we are

consulting
Wintellect helps you build better software, faster, tackling the tough projects and solving the software and technology questions that help you transform your business.
- Architecture, Analysis and Design
- Full lifecycle software development
- Debugging and Performance tuning
- Database design and development

training
Wintellect's courses are written and taught by some of the biggest and most respected names in the Microsoft programming industry.
- Learn from the best. Access the same training Microsoft’s developers enjoy
- Real world knowledge and solutions on both current and cutting edge technologies
- Flexibility in training options – onsite, virtual, on demand

Wintellect is the only company that offers the combined value of world class consulting services along with onsite, virtual and on-demand developer training. We help companies build better software, faster, helping you maximize and protect your consulting and training investments through ongoing knowledge transfer.
Agenda
- A Simple Demo – Adding Authentication to an ASP.NET MVC Application
- An Overview of Azure Active Directory
- The Developer Story
- Background – Integrating an Application’s Authentication with Azure Active Directory
- Demo – Working with the Azure Active Directory Graph API
- Demo – Calling a Secured Web API from a Secured Web App
- Demo – Calling a Secured Web API from a Native Client Application
- Wrapup
Securing MVC Web Application Content with Azure Active Directory
What Have We Seen?
- Created an app entry in an Azure Active Directory tenant (and some users)
- Used the OWIN middleware to add authentication support to the MVC Web App
- Configured the OWIN middleware to know about the AD app
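The third bullet is where the security-relevant wiring lives, so here is the OWIN startup configuration that demo describes, written as an added example rather than code from the talk or its sample projects. It assumes Katana's Microsoft.Owin.Security.Cookies and Microsoft.Owin.Security.OpenIdConnect packages and reads the app entry's ClientID, tenant and Reply URL from web.config appSettings; the key names ida:ClientId, ida:Tenant and ida:RedirectUri, the namespace and the /Home/Error route are assumptions.

```csharp
// Startup.Auth.cs (added example; assumes the Katana OWIN packages
// Microsoft.Owin.Security.Cookies and Microsoft.Owin.Security.OpenIdConnect)
using System;
using System.Configuration;
using System.Globalization;
using System.IdentityModel.Tokens;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

namespace WebAppAad
{
    public partial class Startup
    {
        // appSettings key names are assumed; the values come from the app entry in the AAD tenant.
        private static readonly string ClientId = ConfigurationManager.AppSettings["ida:ClientId"];
        private static readonly string Tenant = ConfigurationManager.AppSettings["ida:Tenant"];           // e.g. contoso.onmicrosoft.com
        private static readonly string RedirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"]; // must equal the Reply URL registered in AAD
        private const string AadInstance = "https://login.windows.net/{0}";

        public void ConfigureAuth(IAppBuilder app)
        {
            // After the OpenID Connect handshake succeeds the identity is persisted in an auth cookie;
            // later requests are authenticated by that cookie, not by a round trip to AAD.
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                ClientId = ClientId,
                // Authority is the tenant's OpenID Connect issuer. The middleware downloads the
                // issuer name and signing keys from its metadata endpoint to validate id_tokens.
                Authority = string.Format(CultureInfo.InvariantCulture, AadInstance, Tenant),
                RedirectUri = RedirectUri,
                PostLogoutRedirectUri = RedirectUri,
                TokenValidationParameters = new TokenValidationParameters
                {
                    // Reject a correctly signed token that was issued by a different tenant.
                    ValidateIssuer = true
                },
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    // A failed signature/issuer/audience check must not fall through to the
                    // normal pipeline: short-circuit and send the browser to an error view.
                    AuthenticationFailed = context =>
                    {
                        context.HandleResponse();
                        context.Response.Redirect("/Home/Error?message=" + Uri.EscapeDataString(context.Exception.Message));
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }
}
```

With this in place an [Authorize] attribute on a controller or action is enough: the 401 it produces is turned by the OpenID Connect middleware (active by default) into the 302 to the IdP that the flow slides describe, and the cookie middleware handles every request after that.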
Azure Active Directory – What Is It?
- Identity & Access Management as a Service
  - You decide who the users are, what information is stored, who can get at it, who can manage it, and what apps can use it.
  - Microsoft is responsible for keeping it all running.
- Standalone, but can be synced with on-premises AD
- 3 Editions: Free, Basic, Premium
- Application integration via support for several standard authentication protocols (SAML 2.0, WS-Federation, OpenID Connect)
Premium + Basic Features

Feature | Basic | Premium
Objects | No Object Limit | No Object Limit
(row label missing) | No Limit |
Group-based access management/provisioning | Yes | Yes
Self-Service Password Reset for cloud users | Yes | Yes
Company Branding (Logon Pages/Access Panel customization) | Yes | Yes
SLA | Yes (99.9%) | Yes (99.9%)
Adv Security Reports | | Yes (Advanced)**
Azure Active Directory != Windows Active Directory
- Designed for “The Cloud” (as opposed to being retrofitted/adapted)
- REST Graph API with OData syntax for queries (instead of LDAP)
- Synchronize OR Connect to on-prem AD (ADFS is optional) via AAD Connect
  - Sync
    - User attributes synced using Identity Sync Services (includes a password hash)
    - Authentication completes against AAD
  - Connect
    - User attributes synced via Identity Sync Services
    - Authentication passed back to local AD via ADFS and is completed locally
- Synchronize OR Connect to external SaaS applications
But Wait, There’s More!
- Company Branding for Sign-In Screen
- Active Directory Application Proxy
- Access Control Services 2.0
- Multi-Factor Authentication
- Security Reporting and Alerts
- License Management
- Leverage Single Sign On with 2400+ 3rd party apps in the Azure AD App Gallery
- Etc…
Azure Active Directory Development Terminology
- Applications
  - Entities that rely on AAD for Authentication
  - Configuration Values:
    - ClientID – Unique ID (GUID) for an application
    - Application ID URI – Sent to AAD to indicate what the caller wants a token for
    - ReplyURL – For a web API or web application, the location to which Azure AD will send the authentication response
    - Redirect URI – For an OAuth 2.0 request, a unique identifier to which Azure AD will redirect the user-agent
- Domains
  - Default <tenant>.onmicrosoft.com
  - A default domain is created with your Azure Subscription for managing Azure Management Access
  - Can also provision custom domain names, use tenant ID, or use the “custom” tenant
- Users
  - Create in portal, via AAD PowerShell cmdlet, or via sync
Fundamentals of Token-Based Web Authentication
- First Step – Stand up some middleware in front of the server
  - Intercept requests and redirect if necessary to an Identity Provider (IdP).
  - The IdP issues a token back to the client (browser, app), which is provided to the server that is hosting the secured resource.
  - The Server verifies the token with the IdP and – if valid – allows the request to continue.
- Later
  - Additional logic can request more information about the verified identity and check whether the resource in question can be accessed.
OpenID Auth Code Authentication Flow

Participants:
- Client (eg – Your Web Browser)
- Relying Party (eg – Your Web App)
- Identity Provider (IdP) (eg – Azure Active Directory)

Steps (as labelled in the diagram):
1 – Request Resource
2 – Redirect to IdP
3 – Request Code
4 – Challenge/Response
5 – Return an Access Code
6 – Send Auth Code To Server
9 – (label not captured in the extracted diagram; see editor's note #14)

Diagram arrow labels: OAuth-A, OAuth-T
ASP.NET Authentication Middleware
- Then – Windows Identity Foundation (WIF)
  - API for building claims-aware applications
  - Configuration heavy, older tech, a product of a different era (WS-Fed)
  - Authentication tooling in ASP.NET VS2013 Projects leverages WIF
- Now – “Katana” – Microsoft’s ASP.NET OWIN implementation.
  - WS-Fed, OpenID Connect
  - MUCH simpler to work with
  - Hopefully VS Projects will get significant OWIN tooling “SOON”
Tools for Working with Azure Active Directory

Azure AD Graph Client Library
- Wraps the REST API for Azure Active Directory – access objects such as Users, Groups, Contacts, Tenant Information, Roles, Applications, Permissions
- OAuth 2.0 Support; supports both Client Credentials and Authorization Code flow
- Does not depend on ADAL, but often used together

AD Authentication Library (ADAL)
- Authenticate users to AD and obtain access tokens for securing API calls
- Manage token caching & lifetime
- Works with Azure AD, Windows Server ADFS for Windows Server 2012 R2, and ACS
- Available for .NET, Windows Store (WinRT), Node.js
- V3.0 (Pre) is a PCL with support for WinRT, Xamarin iOS, Xamarin Android
Calling the Graph API from an Authenticated MVC Web Site Endpoint
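This demo reuses the sign-in handshake to obtain a Graph token, which is steps 6 to 8 of the auth code flow slide plus the per-user token caching the ADAL bullet mentions. The code below is an added example, not the talk's sample code; it assumes ADAL 2.x (Microsoft.IdentityModel.Clients.ActiveDirectory) with its synchronous API, Katana's OpenID Connect middleware, the assumed appSettings key names ida:ClientId, ida:AppKey and ida:Tenant, and a /Users route; the Graph api-version 1.5 query string is the one current when the talk was given.

```csharp
// Added example; not the talk's own sample code. Assumes ADAL 2.x
// (Microsoft.IdentityModel.Clients.ActiveDirectory) and Katana's OpenID Connect middleware.
using System;
using System.Configuration;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.Owin.Security.OpenIdConnect;

namespace WebAppAad
{
    public static class AadSettings   // appSettings key names are assumed
    {
        public static readonly string ClientId = ConfigurationManager.AppSettings["ida:ClientId"];
        public static readonly string AppKey = ConfigurationManager.AppSettings["ida:AppKey"]; // client secret of the app entry
        public static readonly string Tenant = ConfigurationManager.AppSettings["ida:Tenant"];
        public static readonly string Authority = "https://login.windows.net/" + Tenant;
        public const string GraphResourceId = "https://graph.windows.net"; // Application ID URI of the Graph API
        public const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    }

    // ADAL's default cache is process-wide and would mix the tokens of different signed-in users.
    // This cache keeps one user's tokens in that user's own ASP.NET session instead.
    public class SessionTokenCache : TokenCache
    {
        private readonly string key;
        public SessionTokenCache(string userObjectId)
        {
            key = "TokenCache_" + userObjectId;
            BeforeAccess = args => Deserialize((byte[])HttpContext.Current.Session[key]);
            AfterAccess = args =>
            {
                if (!HasStateChanged) return;
                HttpContext.Current.Session[key] = Serialize();
                HasStateChanged = false;
            };
        }
    }

    public static class GraphAuth
    {
        // Wire this to OpenIdConnectAuthenticationOptions.Notifications.AuthorizationCodeReceived.
        // The middleware has just received the auth code; redeem it server-side (the client
        // secret never reaches the browser) for a Graph access token, cached for this user.
        public static Task OnAuthorizationCodeReceived(AuthorizationCodeReceivedNotification n)
        {
            string oid = n.AuthenticationTicket.Identity.FindFirst(AadSettings.ObjectIdClaim).Value;
            var ctx = new AuthenticationContext(AadSettings.Authority, new SessionTokenCache(oid));
            // The redirect URI must match the one used in the authorize request, minus the query string.
            var redirect = new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path));
            ctx.AcquireTokenByAuthorizationCode(n.Code, redirect,
                new ClientCredential(AadSettings.ClientId, AadSettings.AppKey), AadSettings.GraphResourceId);
            return Task.FromResult(0);
        }
    }

    [Authorize]
    public class UsersController : Controller
    {
        // GET /Users: OData query against the Graph REST endpoint with the signed-in user's token.
        public async Task<ActionResult> Index()
        {
            string oid = ClaimsPrincipal.Current.FindFirst(AadSettings.ObjectIdClaim).Value;
            var ctx = new AuthenticationContext(AadSettings.Authority, new SessionTokenCache(oid));
            AuthenticationResult token;
            try
            {
                // Silent: use the cached access/refresh token; a web server must never prompt.
                token = ctx.AcquireTokenSilent(AadSettings.GraphResourceId,
                    new ClientCredential(AadSettings.ClientId, AadSettings.AppKey),
                    new UserIdentifier(oid, UserIdentifierType.UniqueId));
            }
            catch (AdalException)
            {
                // Nothing usable is cached (e.g. the session expired): re-run sign-in for a fresh code.
                HttpContext.GetOwinContext().Authentication.Challenge(OpenIdConnectAuthenticationDefaults.AuthenticationType);
                return new HttpUnauthorizedResult();
            }

            string url = AadSettings.GraphResourceId + "/" + AadSettings.Tenant
                + "/users?api-version=1.5&$select=displayName,userPrincipalName&$top=20";
            using (var http = new HttpClient())
            {
                var req = new HttpRequestMessage(HttpMethod.Get, url);
                req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.AccessToken);
                HttpResponseMessage resp = await http.SendAsync(req);
                resp.EnsureSuccessStatusCode();
                ViewBag.UsersJson = await resp.Content.ReadAsStringAsync();
            }
            return View();
        }
    }
}
```

The two choices worth noting: the cache is keyed by the user's object id so one user's Graph token can never be handed to another session on the same server, and the controller only ever calls AcquireTokenSilent, so a missing token becomes a new sign-in rather than a server-side prompt.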
Now What If…
- The previous example looked at
  - Securing one or more endpoints of an ASP.NET MVC app
  - Using parts of the work done to authenticate the MVC App endpoint to also access the Azure AD Graph
- Now What If
  - The Web App needs to call a secured Web API? As the App? As the User?
  - A Native Client App needs to call the same secured Web API?
Flowing authentication from a Web App to a Web Service
Calling the same Web Service from a Native Client Application
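Both demo titles above come down to the same two pieces: a Web API that validates bearer tokens and can tell a user caller from an app caller, and callers that obtain a token for that API's Application ID URI. The following is an added example, not the talk's sample projects; the service assumes Katana's Microsoft.Owin.Security.ActiveDirectory package and the assumed appSettings keys ida:Tenant and ida:Audience, the callers assume ADAL 2.x, and the namespaces, the /api/todolist route and every id or URL passed in are placeholders.

```csharp
// Added example; not the talk's own sample code. The service assumes the Katana package
// Microsoft.Owin.Security.ActiveDirectory; both callers assume ADAL 2.x. All IDs/URLs are placeholders.
using System;
using System.Configuration;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

namespace TodoListService
{
    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            // Validates each bearer token's signature, issuer and lifetime against the tenant's
            // metadata, and its audience against this API's Application ID URI: a token minted for
            // another resource (e.g. the Graph) is rejected even though the same tenant signed it.
            app.UseWindowsAzureActiveDirectoryBearerAuthentication(
                new WindowsAzureActiveDirectoryBearerAuthenticationOptions
                {
                    Tenant = ConfigurationManager.AppSettings["ida:Tenant"],     // assumed key names
                    Audience = ConfigurationManager.AppSettings["ida:Audience"]
                });
        }
    }

    [Authorize]  // 401 unless the middleware above accepted a token
    public class TodoListController : ApiController
    {
        private const string ScopeClaim = "http://schemas.microsoft.com/identity/claims/scope";

        // "As the App? As the User?": a token redeemed on a user's behalf carries the delegated
        // permission in the scope claim; a client-credentials (app-only) token has no scope claim.
        public static string CallerKind(ClaimsPrincipal caller)
        {
            Claim scope = caller.FindFirst(ScopeClaim);
            if (scope == null) return "app";
            return scope.Value.Split(' ').Contains("user_impersonation") ? "user" : "forbidden";
        }

        public IHttpActionResult Get()
        {
            string kind = CallerKind(ClaimsPrincipal.Current);
            if (kind == "forbidden") return StatusCode(HttpStatusCode.Forbidden);
            Claim subject = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier);
            // The authorization decision belongs here, e.g. user callers see only their own items.
            return Ok(new { caller = kind, subject = subject == null ? null : subject.Value });
        }
    }
}

namespace TodoListCallers
{
    public static class Callers
    {
        // Web app calling the API as itself (no user involved): client credentials, one app token.
        public static AuthenticationResult AcquireAppOnlyToken(string authority, string clientId, string appKey, string apiResourceId)
        {
            var ctx = new AuthenticationContext(authority);
            return ctx.AcquireToken(apiResourceId, new ClientCredential(clientId, appKey));
        }

        // Native client: it cannot keep a secret, so ADAL shows the AAD logon UI when needed
        // (PromptBehavior.Auto reuses a cached token while one is still valid).
        public static AuthenticationResult AcquireUserToken(string authority, string clientId, Uri redirectUri, string apiResourceId)
        {
            var ctx = new AuthenticationContext(authority);
            return ctx.AcquireToken(apiResourceId, clientId, redirectUri, PromptBehavior.Auto);
        }

        public static async Task<string> CallTodoListAsync(string apiBaseUrl, AuthenticationResult token)
        {
            using (var http = new HttpClient())
            {
                http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token.AccessToken);
                HttpResponseMessage resp = await http.GetAsync(apiBaseUrl + "/api/todolist");
                resp.EnsureSuccessStatusCode();
                return await resp.Content.ReadAsStringAsync();
            }
        }
    }
}
```

Calling the API as the user from the web app is the AcquireTokenSilent pattern from the Graph example with the API's Application ID URI as the resource instead of the Graph's; the service sees the difference between the two caller kinds only through the scope claim, which is why CallerKind is the first thing Get consults.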
What Have We Seen
- Using OWIN Middleware to add AAD-based authentication to an MVC Web App endpoint
- Using Web App authentication credentials to call the AAD Graph API
- Using Web App authentication credentials to call a Web API service as both a user and an app
- Calling a Web API that requires authentication from a Native App
Resources
- APIs and Sample Code
  - Azure AD Authentication Library for .NET – http://msdn.microsoft.com/en-us/library/azure/jj573266.aspx
  - Azure AD Graph API – http://msdn.microsoft.com/en-us/library/azure/hh974476.aspx
  - Azure Active Directory Code Samples – http://msdn.microsoft.com/en-us/library/azure/dn646737.aspx
- Claims
  - A Guide to Claims-Based Identity and Access Control (2nd Edition) – http://msdn.microsoft.com/en-us/library/ff423674.aspx
- Azure Active Directory Videos
  - Channel 9 AAD Series – http://channel9.msdn.com/Series/Windows-Azure-Active-Directory
  - TechEd Europe 2014 – http://channel9.msdn.com/Events/TechEd/Europe/2014?tag=microsoft-azure-active-directory
Azure AD Samples
- Native Clients
  - WPF calling Web API
  - WinRT Calling WebAPI
  - Call Web API, calling another WebAPI
  - Xamarin – Multiple OS’s
  - Headless calling Web API
- Daemons (Services)
  - Calling WebAPI (Password & Certificate)
- .NET Web Apps
  - Call via OpenID Connect & WS-Fed
  - App calls Web API via OpenID Connect, OAuth2 (App & User Identities)
- SPAs
  - JavaScript client calling to .NET service
- Calling Azure AD Graph API
- RBAC via Groups and Roles
And many more…
$0.05 of Advice
- Get to know the basic concepts of distributed application authentication
- Get familiar with the lay-of-the-land of the AAD Samples
- See if your needs [align with || can be slightly pivoted to align with] the concepts shown in the AAD Samples, and then use them as a roadmap
- If you’re a .NET developer, focus on leveraging the ASP.NET OWIN (“Katana”) middleware components in your applications (unless you are already moving forward to vNext)
Thank You

Editor's Notes

  • #8 NOTE – “Free” is not (currently) limited to Dev/Test as some other Free service tiers are
  • #9 Source: “Azure AD Explained” talk from TechEd EU 2014. Azure AD Premium Trial – 100 user licenses for 90 days
  • #11 License management is currently limited to seats for Enterprise Mobility Suite (Intune, Azure AD RMS, Azure AD Premium), Azure AD Premium, Azure AD Basic, Office 365
  • #14 http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps (also Vittorio at TE-EU)
    1/2 – Anonymous request results in a 302, with a redirect to the IdP
    3 – Authenticate starts with request for an access code, which usually results in a challenge page (logon page).
    4/5 – When the challenge is met, the access code is issued
    6 – The request is then remade, passing along the code
    7/8 – The server then requests a token, using the code as “collateral”, and if the Code is OK, a pair of tokens (A & R) are returned
    9 – A Cookie is issued to the browser to establish use for the session
  • #15 WIF – Formerly known as “Geneva”. Opinion – VS2013 & WIF Authentication tooling is simply horrible – a cacophony of web.config entries, “mystery method” overrides, a database of dubious usefulness, and a whole lot of ceremony.