
1 Build 2015 4/16/2017 © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Develop Modern Web Applications with Azure Active Directory
Build 2014 4/16/2017 2-753
Vittorio Bertocci, @vibronet, Principal Program Manager
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

3 Web Apps, Web API, Single Page Apps…
(Diagram: a Web APP behind the OpenID Connect MW uses ADAL .NET to call a Web API behind OAuth2 MW; that Web API uses ADAL .NET to call a further Web API behind OAuth2 MW; browser apps use ADAL JS; other client platforms use ADAL*)
…Azure AD has your back.

4 Agenda
- Sign In with OpenId Connect
- Invoke Web API from a Web App
- Single Page Apps (SPAs)

5 Azure AD by the Numbers
- Azure AD manages identity data for >5 M organizations
- 86% of Fortune 500 companies on Microsoft Cloud (Azure, O365, CRM Online and PowerBI)
- More than 500 M objects hosted on Azure Active Directory
- 1 Trillion Azure AD authentications since the release of the service
- 50 M Office 365 users active every month
- >1 Billion authentications every day on Azure AD
- Every Office 365 and Microsoft Azure customer uses Azure Active Directory

6 Sign Users In with OpenId Connect

7 Roundtrip apps and AAD
(Diagram: the Azure AD tenant Fabrikam.onmicrosoft.com exposes SAML, WS-Fed, OAuth-A, OAuth-T and OpenID Connect endpoints; the Web APP talks to it through the OpenID Connect MW)

8 Securing Roundtrip Web Apps (1/2)
- Add an interception layer to enforce protocol compliance
- ASP.NET OWIN Security Components: WS-Federation, OpenId Connect
- "Legacy": Windows Identity Foundation in .NET 4.5

9 Securing Roundtrip Web Apps (2/2)
Many possible entry points:
- VS2013: create a new ASP.NET project, choose "Organizational Account"
- VS2015: create a new ASP.NET project, choose "Work & School Account", OR right click on the project and choose Configure Azure AD Authentication
- Both VS versions, or any other IDE: clone a sample (link cut off on the slide) and follow its readme

10 Registering your app in Azure AD (1/2)
- Azure AD will NOT issue tokens for unknown apps
- Various options: Azure Portal, Visual Studio tools

11 DEMO OpenId Connect and VS2015

12 Authentication Middleware
Basic usage:
- [optional] add session management middleware
- add protocol middleware
- specify protocol coordinates via Options
- [optional] inject custom logic via Notifications

13 Minimal configuration
Startup.Auth.cs:
    // Session management middleware: the cookie persists the signed-in session
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions { });
    // Protocol middleware: the only required coordinates are the client id and the authority
    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        ClientId = "d71c88d1-f3d3-47e bc9af9a991",          // value as shown on the slide (partly cut off)
        Authority = "<authority URL cut off on the slide>"
    });
Resource (controller or action to protect):
    [Authorize]

14 Basic OM
- UseOpenIdConnectAuthentication extension method
- OpenIdConnectAuthenticationOptions class
- TokenValidationParameters class
- OpenIdConnectAuthenticationNotifications class
Sign in (challenge):
    HttpContext.GetOwinContext().Authentication.Challenge(
        new AuthenticationProperties { RedirectUri = "/" },
        OpenIdConnectAuthenticationDefaults.AuthenticationType);
Sign out:
    HttpContext.GetOwinContext().Authentication.SignOut(
        OpenIdConnectAuthenticationDefaults.AuthenticationType,
        CookieAuthenticationDefaults.AuthenticationType);

15 OpenIdConnectOptions
Notable: Authority, ClientId, RedirectUri, PostLogoutRedirectUri, TokenValidationParameters, Notifications

16 OpenId Connect Notifications

17 TokenValidationParameters
Notable:
- *Validator: AudienceValidator, IssuerValidator, LifetimeValidator
- *Validate: ValidateIssuer, ValidateAudience, ValidateLifetime, ValidateIssuerSigningKey
- SaveSigninToken
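How the *Validator and *Validate members fit together, as an added example that is not the deck's code: a multi-tenant sign-in against the "common" authority, where a custom IssuerValidator accepts only tenants the app has onboarded. It assumes Microsoft.Owin.Security.OpenIdConnect 3.x; the client id and the tenant ids in the allow-list are placeholders.

```csharp
// Added example (not the deck's code): multi-tenant sign-in where TokenValidationParameters
// decides which tenants (issuers) are accepted; client id and tenant ids are placeholders.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Constructed allow-list of tenant ids this app has onboarded (placeholder value).
    private static readonly HashSet<string> AllowedTenantIds = new HashSet<string>(
        StringComparer.OrdinalIgnoreCase) { "11111111-1111-1111-1111-111111111111" };

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "<client id from the Azure AD app registration>",
            // "common" lets users from any tenant sign in, so the id_token's issuer cannot be
            // compared with the single value in the metadata document: supply an IssuerValidator.
            Authority = "https://login.microsoftonline.com/common",
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                IssuerValidator = ValidateIssuer,  // *Validator hooks replace the default check
                ValidateAudience = true,           // aud must be this app's ClientId
                ValidateLifetime = true,           // reject expired / not-yet-valid tokens
                SaveSigninToken = false            // keep the raw id_token out of the session cookie
            }
        });
    }

    // Azure AD issuer values look like https://sts.windows.net/{tenantid}/ ; accept only
    // onboarded tenants. Throwing fails the sign-in (routed to the AuthenticationFailed notification).
    private static string ValidateIssuer(string issuer, SecurityToken token,
                                         TokenValidationParameters parameters)
    {
        string tenantId = issuer.TrimEnd('/');
        tenantId = tenantId.Substring(tenantId.LastIndexOf('/') + 1);
        if (!AllowedTenantIds.Contains(tenantId))
            throw new SecurityTokenValidationException("Tenant not onboarded: " + tenantId);
        return issuer;  // returning the issuer string marks it as valid
    }
}
```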

18 Invoke Web API from a Web App

19 Web Sign on + OAuth2
(Diagram: the Web APP signs users in through the OpenID Connect MW and uses ADAL .NET against the OAuth-A and OAuth-T endpoints to call a Web API behind OAuth2 MW)

20 The Web API call pattern
1. Request a code at sign in time
2. Redeem the code with ADAL; save the tokens in a persistent cache
3. When you need to access a resource, initialize ADAL with the same cache you used earlier
4. Ask for the token you need via AcquireTokenSilent
5. Upon failure, provide the user with UX for triggering reauth

21 Registering your app in Azure AD (2/2)
Azure AD will NOT issue tokens to an app for a given resource if the app did not declare its intent to do so

22 Redeem an Authorization Code
    // Notification fired by the OpenID Connect middleware once the code arrives with the sign-in response
    AuthorizationCodeReceived = (context) =>
    {
        var code = context.Code;
        ClientCredential credential = new ClientCredential(clientId, appKey);
        // The cache is keyed by the signed-in user's object id so later requests can find these tokens
        string userObjectID = context.AuthenticationTicket.Identity.FindFirst(objIdClaimType).Value;
        AuthenticationContext authContext = new AuthenticationContext(Authority, new NaiveSessionCache(userObjectID));
        // Redeem the code for tokens; ADAL stores them in the cache for AcquireTokenSilent later
        AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
            code,
            new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)),
            credential,
            graphResourceId);
        return Task.FromResult(0);
    }
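The other half of the call pattern (steps 3 to 5 on slide 20), as an added example that is not the deck's sample: a controller initializes ADAL with the same cache, asks for a token silently and, when that fails, offers the user a way to reauthenticate. It assumes the ADAL .NET 2.x synchronous API and the NaiveSessionCache from slide 22; the authority, client id, app key and controller names are placeholders.

```csharp
// Added example (not the deck's sample): the "access a resource" half of the pattern, ADAL .NET 2.x
// sync API, reusing slide 22's NaiveSessionCache. Authority, client id and app key are placeholders.
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OpenIdConnect;
[Authorize]
public class UserProfileController : Controller
{
    private const string Authority = "https://login.microsoftonline.com/<tenant>";
    private const string GraphResourceId = "https://graph.windows.net";
    private const string ObjIdClaimType = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    public ActionResult Index()
    {
        // Same cache key as at sign-in, so the tokens stored when the code was redeemed are found
        string userObjectId = ClaimsPrincipal.Current.FindFirst(ObjIdClaimType).Value;
        var authContext = new AuthenticationContext(Authority, new NaiveSessionCache(userObjectId));
        var credential = new ClientCredential("<client id>", "<app key>");
        try
        {
            // Never prompts: answered from the cache (or via its refresh token) or throws
            AuthenticationResult result = authContext.AcquireTokenSilent(GraphResourceId, credential,
                new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));
            using (var client = new HttpClient())
            {
                client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
                HttpResponseMessage response = client.GetAsync(GraphResourceId + "/me?api-version=1.5").Result;
                ViewBag.Profile = response.Content.ReadAsStringAsync().Result;
            }
            return View();
        }
        catch (AdalException ex)
        {
            if (ex.ErrorCode != "failed_to_acquire_token_silently") throw;
            // Cache cleared or refresh token expired/revoked: the view renders a "sign in again"
            // link to SignIn below (step 5 of the pattern) instead of failing the whole page
            ViewBag.ErrorMessage = "AuthorizationRequired";
            return View();
        }
    }
    // Interactive reauth through the OpenID Connect middleware, as on slide 14
    public void SignIn()
    {
        HttpContext.GetOwinContext().Authentication.Challenge(
            new AuthenticationProperties { RedirectUri = "/UserProfile" },
            OpenIdConnectAuthenticationDefaults.AuthenticationType);
    }
}
```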

23 DEMO Invoke a Web API from a Web App

24 Other mid-tier topologies
- Client Credentials
- OnBehalfOf

25 Graph API
RESTful interface to Azure Active Directory
- Tenant specific: queries are scoped to an individual tenant context
- Programmatic access to directory objects such as Users, Groups, Contacts, Tenant Information, Roles
- Access relationships: members, memberOf, manager, directReports
- Requests use standard HTTP methods GET, POST, PATCH, DELETE to create, read, update, and delete
- Responses support JSON, XML, standard HTTP status codes
- Compatible with OData V3
- OAuth 2.0 for authentication, role-based assignment for app and user authorization

26 Query Format
(Diagram: an annotated Graph API URL, read left to right)
- Graph URL (static)
- Tenant of interest: can be the tenant's verified domain or objectId
- Specific entity type, such as users, groups, contacts, tenantDetails, roles, applications, etc.
- API version: "1.5" is the supported GA version
- Optional OData query arguments: $filter (the slide shows only a fragment of one, eq 'WA'), $top

27 Protecting Your Own API with AAD
- Big OAuth2 providers issue tokens for their own resources: Facebook for the Facebook Graph, AAD for the Graph, Azure management, Office…
- In addition, Azure AD allows you to secure your own API
- Easy as 1-2-3:
  1. Add an entry for your API in your AAD tenant
  2. Define which permissions your app recognizes
  3. Add middleware in front of your API to validate AAD access tokens

28 ASP.NET OWIN Security Components for AAD
OWIN middleware which automates:
- Acquiring signing keys and issuer values
- Searching for a JWT in the request
- Validating it according to signature, issuer and audience value
Integrated in the VS2013 Web API templates
Very simple setup:
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Audience = "<App ID URI cut off on the slide>",
                Tenant = "contoso.onmicrosoft.com"
            });
    }
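Step 2 of slide 27 is not something the middleware does for you: it validates signature, issuer and audience, but the API itself must check that the token carries one of the permissions the API defined. Added example, not the deck's sample; the audience URI, controller and permission name are assumptions.

```csharp
// Added example (not the deck's sample): the bearer middleware checks signature, issuer and
// audience; the API still has to check the permission it defined (scp claim). Names are assumed.
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                // Must equal the App ID URI registered for this API; a token minted for another
                // resource (e.g. the Graph) is rejected even though Azure AD signed it
                Audience = "https://contoso.onmicrosoft.com/TodoListService",
                Tenant = "contoso.onmicrosoft.com"
            });
    }
}

[Authorize]   // 401 unless the middleware validated a bearer JWT on the request
public class TodoListController : ApiController
{
    private const string ScopeClaimType = "http://schemas.microsoft.com/identity/claims/scope";

    public IHttpActionResult Get()
    {
        // 403, not 401: the caller is authenticated but this token does not carry the
        // delegated permission this API defined in its app registration
        if (!HasScope("user_impersonation"))
            return StatusCode(HttpStatusCode.Forbidden);
        return Ok(new[] { "item 1", "item 2" });   // constructed sample data
    }

    // scp is a space-separated list of the delegated permissions granted to the calling app
    private static bool HasScope(string scope)
    {
        Claim scp = ClaimsPrincipal.Current.FindFirst(ScopeClaimType);
        return scp != null && scp.Value.Split(' ').Contains(scope);
    }
}
```

App-only tokens obtained with the Client Credentials topology on slide 24 carry no scp claim; for those the API checks application permissions in the roles claim instead.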

29 Single Page Applications (SPAs)

30 Single Page Apps and AAD
(Diagram: an <HTML/JS> app with ADAL JS, the OAuth-A and OAuth-T endpoints, and a Web API behind OAuth2 MW)

31 ADAL JavaScript
AngularJS module offering:
- AAD sign in support in a few lines of code
- Current user info
- Secure Web API invocation via JS/CORS
The implicit grant is strictly opt-in for AAD apps

32 DEMO ADAL JS and Single Page Apps

33 Web Apps, Web API, Single Page Apps…
…Azure AD has your back.

34 Resources
- Improve your skills by enrolling in our free cloud development courses at the Microsoft Virtual Academy.
- Try Microsoft Azure for free and deploy your first cloud solution in under 5 minutes!
- Easily build web and mobile apps for any platform with Azure App Service for free.


