Cloud-based Identity for Applications
GRDevDay, March 21, 2015

About Me
• Solutions Architect
• Trainer
• Hockey fan
• http://www.schaeflein.net/blog
• Hackathon 2015

Agenda
• Identity Concepts
• Cloud-based Identity Management
• Authentication and Authorization

Identity Concepts

Glossary
• App: Application designed to read/write data from remote system
• Authentication: Identify the current principal
• Authorization: Verify principal has proper permission for operation
• Cloud App: App hosted on servers off-premises
• JSON: JavaScript Object Notation
• JWT: JSON Web Token
• OAuth: Open Authentication standard
• Principal: User or App performing an operation
• SAML: Security Assertion Markup Language (XML)
• Token: Encoded, signed data representing principal and/or app

Security Principals
• Users
• Groups
• "Service Accounts"
• Application

Authentication & Authorization
• What is Authentication (AuthN)? The process of verifying a principal's identity.
• What is Authorization (AuthZ)? Determines which resources the principal can access.

AuthN/AuthZ Roles (Legacy)
Authentication and authorization roles, by phase:

  Phase           Infrastructure   Application
  Start           Logon            -
  Authentication  Logon valid?     -
  Authorization   -                Allowed to execute function?

Common Authentication Methods
• Integrated Windows NT Authentication
• Forms-Based Authentication
  • .NET Membership
  • ASP.NET Identity
• Claims-based Authentication
• Anonymous

Authenticating Users in the Cloud
• Integrated NT not usually possible
  • Unless running a managed cloud
• FBA requires management interface creation
  • Is your code secure? Your password storage container?
• Claims-based is the current standard
  • Multiple formats, but same concepts
• Anonymous
  • Well…

Authenticating Apps
• Server to Server (S2S) Trust
  • Uses server certificates, just like SSL
• App ID & Password
  • Also called Client Secret
• Trust Broker (Claims)
  • Service and App trust the same 3rd party

Claims in Real Life
• Form I-9
• Purchasing alcohol
• Login with Facebook

Cloud-Based Identity Management
• On-premises directory in DMZ
  • High risk
• Cloud Directory (Azure AD)
  • Minimal control over password policy/requirements
• Federated Identity
  • Used by SaaS
  • Azure AD "relies on" the on-premises directory
  • Full control over authentication: password policy, logon policy (device, time of day, etc.)

Cloud-Based Identity Management
• Maintain principals in the cloud UI
• Synchronize from on-premises
  • Azure AD Roadmap
  • Azure AD Connect (based on FIM)

Auth Protocols & Code Libraries

Authenticating Users
• Externalize authentication
  • No more ASP.NET Membership
• Authentication delegated to an Identity Provider (IdP)
• IdP issues a token that contains claims
• Claims are used in authorization decisions

Authenticating Users – Protocols
• WS-FED
  • SAML format (Security Assertion Markup Language)
  • Providers: Azure Access Control Services, Active Directory Federation Services (AD FS)
• OpenID Connect
  • JWT format
  • Providers: Azure Active Directory (Azure AD), social networks

Authenticating Users – Libraries
• WS-FED / SAML
  • Windows Identity Foundation (WIF)
  • System.IdentityModel & System.Security.Claims namespaces (.NET 4.5)
  • Identity & Access Control tooling in VS2012
• OpenID Connect
  • ADAL (Active Directory Authentication Library)
  • Builds on top of WIF
  • Both managed and JavaScript libraries
  • VS tooling is a bit behind

Authenticating Apps
• Standard for programs accessing remote systems: OAuth2
  • http://oauth.net

What is OAuth 2.0?
• Simple mechanism to grant a third party access to a user's resources without sharing the user's password.
• Cross-platform app authorization
• Internet standard supported by Azure, Facebook, Google, Twitter, and more

OAuth 2.0 Actors
• Client: application requesting access to a user's resources
• Resource Owner: the user who can grant rights to the application
• Resource Server: the server hosting the protected resources and exposing a web-based API
• Authorization Server: server issuing tokens

OAuth 2.0 Actors in Office 365
• Client: SharePoint app, Azure web application, Windows 8 app
• Resource Owner: individual or administrator with an Organizational Account in Azure Active Directory
• Resource Server: SharePoint, Exchange
• Authorization Server: Azure Access Control Services

Application Principals
• Client ID is used to uniquely identify applications
• Client Secret is used to authenticate token requests

OAuth 2.0 Tokens
• Context Token: information about the Resource Owner and Client that can be used to get an Access Token later.
• Refresh Token: a token used to get an Access Token from the Authorization Server.
• Access Token: a token passed to the Resource Server authorizing the Client to access resources.
• Authorization Code: a code that can be used to register an app on-the-fly.

Bearer Tokens
OAuth 2.0 Access Tokens are unbound tokens (a.k.a. "Bearer Tokens")
• An Access Token can be used by any application that possesses it
• Always use SSL – OAuth design depends on it!
• Never expose tokens in JavaScript or allow them to be accessed by client-side debugging tools
• If an Access Token is compromised, damage is limited by expiration
• If a Refresh Token is compromised, damage is limited because the Client ID and Client Secret are required to get an Access Token from a Refresh Token.
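The token check behind the Authenticating Users and Bearer Tokens slides, as an added Python example that is not from the deck and is not ADAL or WIF code: the resource side verifies the signature first, then the iss, aud and exp claims, and only then makes an authorization decision from a roles claim in the token. To run offline it signs with HMAC-SHA256 under a constructed shared key; Azure AD actually signs with RS256 and publishes its keys, and the issuer, audience, key and role name here are all placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (not real Azure AD values). A real IdP signs with RS256
# and publishes its verification keys; HS256 keeps this example self-contained.
DEMO_KEY = b"constructed-demo-signing-key"
EXPECTED_ISS = "https://sts.example.test/contoso"    # placeholder issuer
EXPECTED_AUD = "https://api.example.test/resource"   # placeholder audience = this app

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims, key=DEMO_KEY):
    """Stand-in for the IdP: header.payload signed with HMAC-SHA256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_token(token, key=DEMO_KEY, now=None):
    """Resource side: signature first, then issuer, audience and lifetime.
    Raises ValueError on any failure and returns the claims on success."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # reject alg=none and key confusion
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")    # claims are untrusted until here
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("token was issued for a different app")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")    # expiry bounds a leaked bearer token
    return claims

def can_manage_users(token, now=None):
    """AuthZ decision driven by a claim in the token, not a local membership table."""
    try:
        return "UserAdmin" in validate_token(token, now=now).get("roles", [])
    except ValueError:
        return False
```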
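The authorization-code exchange from the token slides above and the OAuth 2.0 Flow slides that follow, as an added Python simulation that is not from the deck and not Azure AD's implementation: the Authorization Server issues a single-use code after consent, trades a code or a Refresh Token for tokens only when the Client ID and Client Secret match, and the Resource Server accepts any unexpired Access Token it is handed. The client registration, redirect URI, user and lifetimes are constructed placeholders.

```python
import secrets, time

# Constructed client registration (placeholder values). The Client ID identifies
# the app; the Client Secret authenticates its token requests.
CLIENTS = {"webapp-client-id": {"secret": "webapp-client-secret",
                                "redirect_uri": "https://webapp.example.test/callback"}}
ACCESS_TOKEN_LIFETIME = 3600   # seconds; bounds the damage from a leaked bearer token

_codes, _refresh, _access = {}, {}, {}   # Authorization Server state, in memory

def authorize(client_id, redirect_uri, user, consented):
    """Consent step: after the user grants access, return a short-lived, single-use
    Authorization Code bound to this client, or None if the request is refused."""
    reg = CLIENTS.get(client_id)
    if reg is None or reg["redirect_uri"] != redirect_uri or not consented:
        return None   # unknown client, unregistered redirect, or consent declined
    code = secrets.token_urlsafe(16)
    _codes[code] = {"client_id": client_id, "user": user, "exp": time.time() + 300}
    return code

def _issue(client_id, user):
    access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
    _access[access] = {"user": user, "exp": time.time() + ACCESS_TOKEN_LIFETIME}
    _refresh[refresh] = {"client_id": client_id, "user": user}
    return {"access_token": access, "refresh_token": refresh,
            "expires_in": ACCESS_TOKEN_LIFETIME}

def token(client_id, client_secret, code=None, refresh_token=None):
    """Token step: the Client sends the code (or a Refresh Token) with its App ID and
    App Secret. The secret check is why a stolen Refresh Token alone is not enough."""
    reg = CLIENTS.get(client_id)
    if reg is None or not secrets.compare_digest(reg["secret"], client_secret):
        return None
    if code is not None:
        c = _codes.pop(code, None)   # pop: a code can be redeemed only once
        if c is None or c["client_id"] != client_id or time.time() > c["exp"]:
            return None
        return _issue(client_id, c["user"])
    r = _refresh.get(refresh_token)
    if r is None or r["client_id"] != client_id:
        return None
    return _issue(client_id, r["user"])

def resource_request(access_token, now=None):
    """Resource Server: a bearer token is honoured for whoever presents it, so the
    only checks possible here are that it exists and has not expired."""
    now = time.time() if now is None else now
    t = _access.get(access_token)
    return t["user"] if t is not None and now < t["exp"] else None
```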
OAuth 2.0 Flow: Office 365 APIs
Actors: Azure Web Site (Client), End User (Resource Owner), SharePoint Online (Resource Server), Azure Active Directory (Authorization Server)
1. User accesses the web application
2. Redirected to AAD
3. Consent dialog displayed
4. Grant access using the consent dialog
5. Auth Code returned and user redirected
6. Auth Code, App ID, App Secret sent
7. Access and Refresh Tokens returned
8. Access Token presented along with request
9. Response returned

Demo

References
• Azure Active Directory Documentation
  http://azure.microsoft.com/en-us/documentation/services/active-directory/
• Samples: https://github.com/AzureADSamples
• Azure Active Directory Authentication Libraries: https://msdn.microsoft.com/en-us/library/azure/dn151135.aspx
• AAD Graph API
  • Documentation: http://msdn.microsoft.com/library/windowsazure/dn151791.aspx
  • Graph Explorer: http://graphexplorer.cloudapp.net
  • Metadata: https://graph.windows.net/contoso.onmicrosoft.com/$metadata
• AAD Graph API Walkthrough
  • Initial post: http://blogs.msdn.com/b/aadgraphteam/archive/2013/01/24/walk-through-for-building-a-net-application-for-accessing-windows-azure-active-directory-graph-service.aspx
  • Update for new capabilities: http://blogs.msdn.com/b/aadgraphteam/archive/2013/05/15/announcing-some-new-capabilities-in-azure-active-directory-graph-service.aspx
• Open Web Interface for .NET: http://owin.org
• OWIN and Katana in ASP.NET: http://www.asp.net/aspnet/overview/owin-and-katana
• OpenID Connect Specification: http://openid.net/connect/
  • Samples: https://www.pingidentity.com/en/resources/articles/openid-connect.html and https://developers.google.com/accounts/docs/OpenIDConnect
• Cloud Identity in .NET
  • Dominick Baier: http://leastprivilege.com/
  • Brock Allen: http://brockallen.com/

Thank You!
You can find me at:
• paul@schaeflein.net
• http://www.schaeflein.net/blog