GRDevDay March 21, 2015 Cloud-based Identity for Applications.


About Me: Solutions Architect, Trainer, Hockey fan

Hackathon 2015

Agenda
- Identity Concepts
- Cloud-based Identity Management
- Authentication and Authorization

Identity Concepts

Glossary
- App: application designed to read/write data from a remote system
- Authentication: identify the current principal
- Authorization: verify the principal has the proper permission for the operation
- Cloud App: app hosted on servers off-premises
- JSON: JavaScript Object Notation

Glossary (continued)
- JWT: JSON Web Token
- OAuth: Open Authorization standard (a delegated-authorization protocol; on its own it does not authenticate the user)
- Principal: user or app performing an operation
- SAML: Security Assertion Markup Language (XML)
- Token: encoded, signed data representing the principal and/or app

Security Principals: Users, Groups, “Service Accounts”, Applications

Authentication & Authorization
What is Authentication (AuthN)? The process of verifying a principal’s identity.
What is Authorization (AuthZ)? Determining which resources the principal can access.

AuthN/AuthZ Roles (Legacy)

Common Authentication methods
- Integrated Windows (NT) Authentication
- Forms-Based Authentication
- .NET Membership
- ASP.NET Identity
- Claims-based Authentication
- Anonymous

Authenticating Users in the cloud
- Integrated Windows authentication is not usually possible, unless you run a managed cloud where the servers are joined to your own domain
- FBA requires you to build the management interface yourself. Is your code secure? Is your password storage secure (salted, slow hashing, not reversible encryption)?
- Claims-based is the current standard: multiple token formats, but the same concepts
- Anonymous: well…

Authenticating Apps
- Server to Server (S2S) Trust: uses server certificates, just like SSL/TLS
- App ID & Password: also called Client ID and Client Secret
- Trust Broker (Claims): service and app trust the same third party

Claims in real life: Form I-9, purchasing alcohol, Login with Facebook

Cloud-Based Identity Management
- On-premises directory exposed in the DMZ: high risk
- Cloud Directory (Azure AD): minimal control over password policy/requirements
- Federated Identity (used by SaaS): Azure AD “relies on” the on-premises directory, which keeps full control over authentication: password policy, logon policy (device, time of day, etc.)

Cloud-Based Identity Management
- Maintain principals in the cloud UI, or synchronize them from on-premises
- Azure AD roadmap: Azure AD Connect, based on FIM

Auth Protocols & Code Libraries

Authenticating Users
- Externalize authentication: no more ASP.NET Membership
- Authentication is delegated to an Identity Provider (IdP)
- The IdP issues a token that contains claims
- Claims are used in authorization decisions

Authenticating Users - Protocols
- WS-FED: SAML token format (Security Assertion Markup Language). Providers: Azure Access Control Service, Active Directory Federation Services (AD FS)
- OpenID Connect: JWT token format. Providers: Azure Active Directory (Azure AD), social networks

Authenticating Users – Libraries
- WS-FED / SAML: Windows Identity Foundation (WIF); System.IdentityModel & System.Security.Claims namespaces (.NET 4.5); Identity & Access Control tool in VS2012
- OpenID Connect: ADAL (Active Directory Authentication Library); builds on top of WIF; both managed and JavaScript libraries; VS tooling is a bit behind

Authenticating Apps

OAuth2: the standard for programs accessing remote systems

What is OAuth 2.0?
- A simple mechanism to grant a third party access to a user’s resources without sharing the user’s password
- Cross-platform app authorization
- Internet standard (RFC 6749) supported by Azure, Facebook, Google, Twitter, and more

OAuth 2.0 Actors
- Client: application requesting access to a user’s resources
- Resource Owner: the user who can grant rights to the application
- Resource Server: the server hosting the protected resources and exposing a web-based API
- Authorization Server: the server issuing tokens

OAuth 2.0 Actors in Office 365
- Client: SharePoint app, Azure web application, Windows 8 app
- Resource Owner: individual or administrator with an Organizational Account in Azure Active Directory
- Resource Server: SharePoint, Exchange
- Authorization Server: Azure Access Control Service (SharePoint app model); Azure Active Directory (Office 365 APIs)

Application Principals
- Client ID is used to uniquely identify applications
- Client Secret is used to authenticate token requests; it must stay server-side. A client that cannot keep a secret (native or browser app) is a public client and gets no such guarantee

OAuth 2.0 Tokens
- Context Token: (SharePoint app model) information about the Resource Owner and Client that can be used to get an Access Token later
- Refresh Token: a token used to get a new Access Token from the Authorization Server
- Access Token: a token passed to the Resource Server authorizing the Client to access resources
- Authorization Code: a short-lived, single-use code handed to the Client via the user’s browser; the Client exchanges it (with its Client ID and Client Secret) at the Authorization Server for an Access Token and Refresh Token

Bearer Tokens
- OAuth 2.0 Access Tokens are unbound tokens (a.k.a. “Bearer Tokens”): an Access Token can be used by any party that possesses it
- Always use SSL/TLS; the OAuth design depends on it
- Never expose tokens in JavaScript or allow them to be accessed by client-side debugging tools
- If an Access Token is compromised, damage is limited by its expiration
- If a Refresh Token is compromised, damage is limited because the Client ID and Client Secret are also required to get an Access Token from it. This holds for confidential clients (server-side web apps); a native or public client has no secret, so its refresh token is worth more to an attacker
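What a resource server has to check before it honours a bearer token, as an added example that is not part of the talk. It mints and verifies an HS256 JWT with only the Python standard library, so the shared secret, issuer and audience values are constructed for the demo; Azure AD itself signs its tokens with RS256 and publishes the verification keys at the tenant's OpenID Connect metadata endpoint, which this example does not fetch. The order of the checks is the point: signature first, then issuer, audience, expiry and scope, so no unsigned claim ever drives an authorization decision.

```python
import base64, hashlib, hmac, json, time

SECRET = b"demo-shared-secret"           # constructed demo key (HS256 for the example only)
ISSUER = "https://idp.example/tenant"    # hypothetical Identity Provider
AUDIENCE = "api://orders"                # hypothetical Resource Server identifier

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(sub, scopes, lifetime=3600, now=None, key=SECRET):
    """Authorization Server side: sign a set of claims about the principal."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub,
              "scp": " ".join(scopes), "iat": now, "exp": now + lifetime}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

class TokenError(Exception):
    pass

def verify_token(token, required_scope, now=None, key=SECRET):
    """Resource Server side: signature before anything else, then the claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h64, c64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
        if header.get("alg") != "HS256":          # allow-list; never trust alg from the token
            raise TokenError("unexpected alg")
        expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            raise TokenError("bad signature")
        claims = json.loads(_b64url_decode(c64))   # only decoded after the signature held
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError("undecodable token") from exc
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise TokenError("wrong audience")         # a token minted for another API is not valid here
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenError("expired")
    if required_scope not in claims.get("scp", "").split():
        raise TokenError("insufficient scope")
    return claims

def token_status(token, required_scope, now=None, key=SECRET):
    """'ok' or the rejection reason; the string a resource server would log."""
    try:
        verify_token(token, required_scope, now, key)
        return "ok"
    except TokenError as exc:
        return str(exc)
```

Because the token is a bearer credential, none of these checks tell the server who presented it; they only establish that the Authorization Server vouched for the claims and that the claims apply to this API, at this time, for this operation. That is why the slides pair validation with TLS and short lifetimes.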

OAuth 2.0 Flow (Office 365 APIs)
Actors: End User (Resource Owner), Azure Active Directory (Authorization Server), Azure Web Site (Client), SharePoint Online (Resource Server)
1. User accesses the Web application
2. Redirected to AAD
3. Consent dialog displayed
4. User grants access using the Consent Dialog
5. Auth Code returned and user redirected back to the Client
6. Auth Code, App ID and App Secret sent to AAD
7. Access and Refresh Tokens returned
8. Access Token presented to SharePoint Online along with the request
9. Response returned
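The nine-step exchange above with both sides in one process, as an added example rather than code from the talk. MockAuthServer stands in for Azure AD and keeps its tokens as opaque random strings in server-side tables; the client id, secret, redirect URI, scope name and endpoint URL are constructed for the demo. Besides the happy path, run_flow probes the failure modes the slides warn about: a wrong client secret, a forged state parameter on the redirect, reuse of an authorization code, and an attempt to use a refresh token without the client secret.

```python
import hashlib, hmac, secrets
from urllib.parse import urlencode, urlparse, parse_qs

def _q(query):  # flatten a query string into a plain dict
    return {k: v[0] for k, v in parse_qs(query).items()}

class MockAuthServer:
    """Stands in for Azure AD; tokens are opaque random strings kept in server-side tables."""
    def __init__(self):
        self.clients, self.codes, self.refresh, self.access = {}, {}, {}, {}

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (hashlib.sha256(client_secret.encode()).digest(), redirect_uri)

    def authorize(self, query, sub, now):
        # Steps 2-5: user signed in as `sub` and consented; mint a short-lived single-use code bound to client_id + redirect_uri.
        q = _q(query)
        client = self.clients.get(q.get("client_id"))
        if q.get("response_type") != "code" or client is None or client[1] != q.get("redirect_uri"):
            raise PermissionError("invalid_request")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "sub": sub, "scope": q.get("scope", ""), "exp": now + 60}
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q.get("state", "")})

    def token(self, form, now):
        # Steps 6-7: back-channel exchange; the secret is checked for every grant type, so a leaked refresh token alone yields nothing.
        client = self.clients.get(form.get("client_id"))
        given = hashlib.sha256(form.get("client_secret", "").encode()).digest()
        if client is None or not hmac.compare_digest(client[0], given):
            return {"error": "invalid_client"}
        if form.get("grant_type") == "authorization_code":
            rec = self.codes.pop(form.get("code"), None)   # pop: a code is single use
            if rec is None or rec["client_id"] != form["client_id"] \
                    or rec["redirect_uri"] != form.get("redirect_uri") or now > rec["exp"]:
                return {"error": "invalid_grant"}
        elif form.get("grant_type") == "refresh_token":
            rec = self.refresh.get(form.get("refresh_token"))
            if rec is None or rec["client_id"] != form["client_id"]:
                return {"error": "invalid_grant"}
        else:
            return {"error": "unsupported_grant_type"}
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access] = {"sub": rec["sub"], "scope": rec["scope"], "exp": now + 3600}
        self.refresh[refresh] = {"client_id": form["client_id"], "sub": rec["sub"], "scope": rec["scope"]}
        return {"access_token": access, "token_type": "Bearer", "expires_in": 3600, "refresh_token": refresh}

    def introspect(self, access_token, now):
        # Steps 8-9: what the resource server (SharePoint Online) checks before answering.
        rec = self.access.get(access_token)
        return rec if rec is not None and now < rec["exp"] else None

class WebClient:
    """The Azure Web Site from the slides: a confidential client holding a client secret."""
    AUTHORIZE = "https://login.example/authorize"   # hypothetical endpoint

    def __init__(self, aad, client_id, client_secret, redirect_uri):
        self.aad, self.client_id, self.secret, self.redirect_uri = aad, client_id, client_secret, redirect_uri
        self.pending_states = set()   # in a real app: one state per browser session

    def start_login(self, scope):
        # Steps 1-2: send the user to the IdP with a fresh, unguessable state value.
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return self.AUTHORIZE + "?" + urlencode({"response_type": "code", "client_id": self.client_id,
                                                 "redirect_uri": self.redirect_uri, "scope": scope, "state": state})

    def callback(self, redirect_url, now):
        # Steps 5-7: the state check blocks login CSRF; the code is then exchanged server-to-server.
        q = _q(urlparse(redirect_url).query)
        if q.get("state") not in self.pending_states:
            return {"error": "state_mismatch"}
        self.pending_states.discard(q["state"])
        return self.aad.token({"grant_type": "authorization_code", "code": q.get("code"),
                               "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                               "client_secret": self.secret}, now)

def run_flow(now=1000):
    aad = MockAuthServer()
    aad.register_client("web-app", "s3cret", "https://app.example/callback")   # constructed values
    client = WebClient(aad, "web-app", "s3cret", "https://app.example/callback")
    auth_url = client.start_login("Sites.Read")                        # steps 1-2
    redirect = aad.authorize(urlparse(auth_url).query, "alice", now)   # steps 3-5
    code = _q(urlparse(redirect).query)["code"]
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": client.redirect_uri,
            "client_id": "web-app", "client_secret": "guess"}
    out = {"wrong_secret": aad.token(form, now).get("error")}
    forged = client.redirect_uri + "?" + urlencode({"code": code, "state": "attacker-chosen"})
    out["forged_state"] = client.callback(forged, now).get("error")
    tokens = client.callback(redirect, now)                             # steps 6-7
    out["code_reuse"] = aad.token(dict(form, client_secret="s3cret"), now).get("error")
    rec = aad.introspect(tokens["access_token"], now)                  # steps 8-9
    out.update(sub=rec["sub"], scope=rec["scope"])
    refresh = {"grant_type": "refresh_token", "refresh_token": tokens["refresh_token"],
               "client_id": "web-app", "client_secret": "guess"}
    out["refresh_without_secret"] = aad.token(refresh, now + 3601).get("error")
    fresh = aad.token(dict(refresh, client_secret="s3cret"), now + 3601)
    out["refreshed_sub"] = aad.introspect(fresh["access_token"], now + 3601)["sub"]
    return out
```

Two details carry most of the security weight: the authorization code is bound to the client id and redirect URI at issue time and deleted on first use, so a code stolen from the browser redirect cannot be redeemed by another client or replayed; and the token endpoint authenticates the client before looking at any grant, which is the property the Bearer Tokens slide relies on for refresh tokens.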

Demo

References

Azure Active Directory Documentation: us/documentation/services/active-directory/
Samples, Azure Active Directory Authentication Libraries: us/library/azure/dn aspx

AAD Graph API
Documentation: aspx
Graph Explorer:
Metadata: tadata

AAD Graph API Walkthrough
Initial post: /24/walk-through-for-building-a-net-application-for-accessing-windows-azure-active-directory-graph-service.aspx
Update for new capabilities: /15/announcing-some-new-capabilities-in-azure-active-directory-graph-service.aspx

Open Web Interface for .NET: OWIN and Katana in ASP.NET

OpenID Connect
Specification: id-connect.html
Samples: nnect

Cloud Identity in .NET (Dominick Baier, Brock Allen)

Thank You! You can find me at: