Deep Dive into Cloud Identity, Identity Bridging and Cloud Tokens - EWUG.DK - Level 200-300. Peter Selch Dahl - Sr. IT Architect, Cloud and IT Infrastructure
Empowering users: enable your users, protect your data. A people-centric approach across user, devices, apps, data and IT: unify your environment.
Identity as the control plane: single sign-on, simple connection, self-service. On-premises Windows Server Active Directory and other directories connect to Microsoft Azure Active Directory in the cloud, which handles the username/password sign-in for Office 365, SaaS apps and the public cloud.
What is Azure Active Directory? A comprehensive identity and access management cloud solution. It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers. It is available in three editions: Free, Basic and Premium.
What is Azure Active Directory? Your Directory on the cloud Centrally managed identities and access. Monitor and protect access to cloud applications. Empower Users
Your Directory in the cloud: connect and sync on-premises directories with Azure.
* Azure Active Directory Connect
* Connectors for other directories: PowerShell, SQL (ODBC), LDAP v3, Web Services (SOAP, Java, REST)
2500+ pre-integrated popular SaaS apps. Easily publish on-prem web apps via Application Proxy, plus custom apps through a rich standards-based platform. Identities and applications in one place: Microsoft Azure Active Directory, SaaS apps, web apps (Azure Active Directory Application Proxy), integrated custom apps, other directories.
Centrally managed identities and access: a comprehensive identity and access management console; centralized access administration for pre-integrated SaaS apps and other cloud-based apps; secure business processes with advanced access management capabilities. For the IT professional: your cloud apps, ready when you are.
Rich standards-based platform for developers
• Custom LOB applications can integrate with Azure Active Directory
• Sign in to Active Directory-integrated applications with cloud identities
• Active Directory-integrated applications can access Office 365 and other web APIs
• Applications can extend the Azure Active Directory schema
• Cross-platform support (iOS, Android, and Windows)
• Open standards: SAML, OAuth 2.0, OpenID Connect, OData 3.0
Protocols and interfaces exposed by Microsoft Azure Active Directory: OAuth2 & OpenID Connect, SAML, WS-Federation, REST-based Graph API, SCIM.
Agenda Identity needs of today’s apps Azure Active Directory Scenarios and how they work Special guest Protocols, libraries, and resources
What I will be talking about… @EWUGDK
Azure AD Authentication Library
Introducing MSAL (Microsoft Authentication Library)
https://blogs.technet.microsoft.com/ad/2016/03/31/microsoft-identity-at-build-2016/
https://blogs.technet.microsoft.com/ad/2015/08/12/now-in-public-preview-the-converged-microsoft-account-and-azure-active-directory-programming-model/
https://blogs.technet.microsoft.com/ad/2016/02/23/for-developers-the-first-use-cases-of-the-converged-microsoft-account-and-azure-active-directory-programming-model-are-now-ga/
We expose hard choices to developers: which account system to target, Azure AD (AAD), Microsoft account (MSA), Office, or both.
We expose hard choices to end users: outlook.office.com or outlook.com?
Registering an application. An organization (e.g. Contoso) has an Azure AD tenant. Azure AD will only issue tokens to an application registered in the tenant. How does an application get registered in a tenant?
Two cases…
• Single-tenant application: an app for users in a single organization. An admin or user registers the app in the directory tenant. Sign in at: https://login.windows.net/contoso.com/<protocol>
• Multi-tenant application: an app for users in multiple organizations. An admin or user registers the app in the developer's directory tenant, and the admin configures the application to be multi-tenant. Sign in at: https://login.windows.net/common/<protocol>. The user is prompted to consent based on the permissions required by the application; consent registers the application in the user's tenant.
Consent
• Users can consent only to apps that access their personal information
• Admins must consent to apps that require broader permissions
• Admins can consent on behalf of all users in an organization
Microsoft Graph API: Azure AD behind the scenes
https://azure.microsoft.com/da-dk/documentation/articles/active-directory-graph-api-quickstart/
https://graph.microsoft.io/en-us/changelog#
Microsoft Graph API: Azure AD behind the scenes. Getting Azure AD devices using Graph: https://graph.microsoft.com/beta/devices. Getting Azure AD information behind the scenes: https://graph.microsoft.io/en-us/docs/api-reference/beta/resources/directoryobject
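Listing devices from the Graph endpoint above is not a single GET: Graph returns results in pages and puts the URL of the next page in `@odata.nextLink`, so a client that reads only the first response silently misses devices. The following is an added example (not code from the talk or from Microsoft) that walks the device collection until the next link disappears, with a page cap so a bad link can never loop forever. The HTTP layer is injectable: `fake_fetch` serves a constructed two-page response so the block runs offline, and `urllib_fetch` is the real transport you would pass in together with a bearer token. The device objects, the `$skiptoken` value and the page cap are assumptions.

```python
"""Walk https://graph.microsoft.com/beta/devices following @odata.nextLink paging.

Added example, not from the talk. The HTTP layer is injectable so the block
runs offline against a constructed two-page response; pass `urllib_fetch`
and a real bearer token to query Graph for real.
"""
import json
import urllib.request
from typing import Callable, Dict, Iterator, List

GRAPH_DEVICES = "https://graph.microsoft.com/beta/devices"

# Constructed sample pages in the shape Graph returns (value + @odata.nextLink).
# The nextLink URL is an assumption; real ones carry an opaque $skiptoken.
_FAKE_PAGES: Dict[str, dict] = {
    GRAPH_DEVICES: {
        "value": [
            {"id": "d1", "displayName": "LAPTOP-01", "accountEnabled": True,
             "trustType": "AzureAd"},
            {"id": "d2", "displayName": "LAPTOP-02", "accountEnabled": False,
             "trustType": "AzureAd"},
        ],
        "@odata.nextLink": GRAPH_DEVICES + "?$skiptoken=page2",
    },
    GRAPH_DEVICES + "?$skiptoken=page2": {
        "value": [
            {"id": "d3", "displayName": "DESKTOP-07", "accountEnabled": True,
             "trustType": "ServerAd"},
        ],
    },
}


def fake_fetch(url: str, token: str) -> dict:
    """Offline stand-in for an HTTP GET; refuses requests without a bearer token."""
    if not token:
        raise PermissionError("401: Graph requires a bearer token")
    return _FAKE_PAGES[url]


def urllib_fetch(url: str, token: str) -> dict:
    """Real transport: GET with Authorization: Bearer <token> (network, not used in the demo)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}",
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_devices(token: str, fetch: Callable[[str, str], dict] = fake_fetch,
                 max_pages: int = 1000) -> Iterator[dict]:
    """Yield every device object, following @odata.nextLink until it disappears."""
    url = GRAPH_DEVICES
    for _ in range(max_pages):
        page = fetch(url, token)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")
        if not url:
            return
    raise RuntimeError("too many pages; refusing to loop forever on nextLink")


def stale_devices(token: str, fetch: Callable[[str, str], dict] = fake_fetch) -> List[str]:
    """Display names of disabled device objects: the list an admin would review."""
    return [d["displayName"] for d in iter_devices(token, fetch) if not d["accountEnabled"]]


if __name__ == "__main__":
    print([d["id"] for d in iter_devices("constructed-token")])  # ['d1', 'd2', 'd3']
    print(stale_devices("constructed-token"))                    # ['LAPTOP-02']
```

The same loop works unchanged against the `v1.0` endpoint; only the constant changes. Keep the page cap: a proxy or a bug that echoes the same `@odata.nextLink` back would otherwise turn an inventory script into an infinite stream of authenticated requests.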
Microsoft Identity: bridging the gap. On-premises, a username and password presented to Windows Server Active Directory yield a TGT and then Kerberos tickets. In the cloud, a username and password presented to Microsoft Azure Active Directory yield a Primary Refresh Token (PRT), which is then exchanged for SSO tokens for OneDrive, Office 365, Dynamics and Intune.
Azure AD: Primary Refresh Tokens
Azure AD: Primary Refresh Tokens
• Dave authenticates to Azure AD as part of the Windows 10 logon process.
• A Primary Refresh Token (PRT) is returned by Azure AD and cached by Windows 10.
• Windows to Azure AD: "Here is my PRT, can I please have an SSO token for Office 365?"
• Azure AD: "Your PRT checks out, so here is the SSO token you asked for."
• Windows to Office 365: "Here is my Office 365 SSO token, give me access please."
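The exchange on the slides above, as an added simulation that is not Microsoft's code: the password is seen once at logon, Windows thereafter presents only the cached PRT, Azure AD mints a short-lived token scoped to one resource, and the resource accepts only tokens minted for it. Token formats, lifetimes, the tenant's users and the device-binding check are assumptions chosen so the block runs offline; a real PRT is a signed, cryptographically device-bound structure, modelled here as an opaque handle with a device id.

```python
"""Simulation of the Windows 10 PRT flow (added example, not Microsoft code).
Lifetimes, token formats and the device binding are assumptions so that the
block runs offline; a real PRT is signed and cryptographically device-bound."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

PRT_LIFETIME = 14 * 24 * 3600    # assumed: long-lived, cached by the OS
ACCESS_TOKEN_LIFETIME = 3600     # assumed: short-lived, minted per resource


@dataclass
class Prt:
    user: str
    device_id: str
    expires: float


@dataclass
class SsoToken:
    user: str
    audience: str
    expires: float


class FakeAzureAd:
    """Keeps the PRT and SSO token records it issued so it can check them later."""

    def __init__(self, users: Dict[str, str]):
        self._users = users                      # username -> password (constructed tenant)
        self._prts: Dict[str, Prt] = {}
        self._sso: Dict[str, SsoToken] = {}

    def logon(self, user: str, password: str, device_id: str, now: float) -> str:
        """Step 1: interactive logon. Credentials are seen once; a PRT comes back."""
        if self._users.get(user) != password:
            raise PermissionError("invalid credentials")
        handle = secrets.token_urlsafe(32)
        self._prts[handle] = Prt(user, device_id, now + PRT_LIFETIME)
        return handle

    def redeem_prt(self, prt: str, device_id: str, resource: str, now: float) -> str:
        """Step 2: 'here is my PRT, can I have an SSO token for <resource>'."""
        rec = self._prts.get(prt)
        if rec is None or now >= rec.expires:
            raise PermissionError("PRT unknown or expired: interactive logon required")
        if rec.device_id != device_id:
            raise PermissionError("PRT presented from a different device")
        handle = secrets.token_urlsafe(32)
        self._sso[handle] = SsoToken(rec.user, resource, now + ACCESS_TOKEN_LIFETIME)
        return handle

    def introspect(self, token: str, now: float) -> Optional[SsoToken]:
        rec = self._sso.get(token)
        return rec if rec and now < rec.expires else None


class FakeResource:
    """Step 3: the resource (e.g. Office 365) checks the token was minted for *it*."""

    def __init__(self, name: str, aad: FakeAzureAd):
        self.name, self._aad = name, aad

    def access(self, token: str, now: float) -> str:
        rec = self._aad.introspect(token, now)
        if rec is None:
            raise PermissionError("token invalid or expired")
        if rec.audience != self.name:
            raise PermissionError(f"token is for {rec.audience}, not {self.name}")
        return f"{rec.user} granted access to {self.name}"


def demo_flow(now: float = 1_700_000_000.0) -> dict:
    """Run the slide's exchange plus the refusals a correct implementation must make."""
    aad = FakeAzureAd({"dave@contoso.com": "correct horse"})       # constructed user
    o365, intune = FakeResource("Office 365", aad), FakeResource("Intune", aad)
    prt = aad.logon("dave@contoso.com", "correct horse", "device-A", now)
    tok = aad.redeem_prt(prt, "device-A", "Office 365", now)
    results = {"o365": o365.access(tok, now)}
    try:
        intune.access(tok, now)                                  # wrong audience
    except PermissionError as e:
        results["intune"] = str(e)
    try:
        aad.redeem_prt(prt, "device-B", "Intune", now)           # PRT from another device
    except PermissionError as e:
        results["other_device"] = str(e)
    # The PRT outlives the access token: a later request needs no password.
    later = now + ACCESS_TOKEN_LIFETIME + 1
    results["o365_token_expired"] = aad.introspect(tok, later) is None
    results["second_token_ok"] = aad.redeem_prt(prt, "device-A", "Intune", later) != tok
    return results


if __name__ == "__main__":
    for k, v in demo_flow().items():
        print(f"{k}: {v}")
```

The point to take from the simulation is the asymmetry of lifetimes: the PRT is what stays on the device for days and keeps yielding fresh resource tokens without a password prompt, so protecting the cached PRT (which is why it is device-bound) matters far more than protecting any single hour-long SSO token.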
What's in a token? (In brief.) The token also contains group information.
Azure AD token signing key
• Tokens for all tenants are signed by the same key
• Keys are published via metadata: https://login.windows.net/common/.well-known/openid-configuration
• Keys roll on a periodic basis
• Your app must handle periodically refreshing keys from metadata and handling multiple keys
• Our samples and libraries do this automatically
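What "handle multiple keys and refresh them" looks like in code, as an added example (not Microsoft's library code): the validator picks the signing key by the token's `kid` header, refreshes its cached key set once when it meets an unknown `kid` (the normal symptom of a key that just rolled), and keeps every published key so tokens signed before the roll still verify until they expire. It also shows the check the multi-tenant `/common` sign-in described earlier leaves to the application: the token's tenant (`tid`) is compared against a list the app itself decides on. Azure AD signs with RS256; HS256 with one secret per `kid` stands in here so the block runs on the standard library alone, and the key-selection and refresh logic is unchanged by that swap. The key ids, secrets, tenant id, audience and claim values are constructed.

```python
"""JWT validation with kid-based key selection and key rollover (added example,
not Microsoft's library). HS256 with a per-kid secret stands in for RS256 so the
block runs on the standard library only; the cache/refresh logic is the same."""
import base64, hashlib, hmac, json
from typing import Callable, Dict, Iterable, Optional


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, kid: str, secret: bytes) -> str:
    """Mint a token the way an issuer would (only needed for the demo)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = f"{_b64u(json.dumps(header).encode())}.{_b64u(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64u(sig)}"


class KeyCache:
    """What an app must do with openid-configuration -> jwks_uri: cache, age out, refresh."""

    def __init__(self, fetch_keys: Callable[[], Dict[str, bytes]], max_age: float = 24 * 3600):
        self._fetch, self._max_age = fetch_keys, max_age
        self._keys: Dict[str, bytes] = {}
        self._fetched_at = float("-inf")
        self.refreshes = 0

    def key_for(self, kid: str, now: float) -> Optional[bytes]:
        stale = now - self._fetched_at > self._max_age
        if stale or kid not in self._keys:
            # Refresh on age, or once on an unknown kid (a freshly rolled key).
            # A token carrying a random kid costs at most one refresh, never a loop.
            self._keys = dict(self._fetch())
            self._fetched_at = now
            self.refreshes += 1
        return self._keys.get(kid)


def validate(token: str, cache: KeyCache, audience: str,
             allowed_tenants: Iterable[str], now: float) -> dict:
    """Return the claims if signature, expiry, audience and tenant all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(_b64u_decode(h64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust 'alg' blindly
        raise ValueError("unexpected alg")
    key = cache.key_for(header.get("kid", ""), now)
    if key is None:
        raise ValueError("unknown signing key (kid)")
    expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64u_decode(c64))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("aud") != audience:
        raise ValueError("token not issued for this app")
    # Apps signing in at /common see a different issuer per tenant; which tenants
    # are acceptable is the app's decision, not the metadata's (assumed allow-list).
    if claims.get("tid") not in set(allowed_tenants):
        raise ValueError(f"tenant {claims.get('tid')} not allowed")
    return claims


_PUBLISHED: Dict[str, bytes] = {}          # constructed stand-in for the jwks_uri document


def fetch_keys() -> Dict[str, bytes]:
    return dict(_PUBLISHED)


def demo(now: float = 1_700_000_000.0) -> dict:
    """Key 'k1' is published, then 'k2' is added (a roll); old and new tokens must both verify."""
    _PUBLISHED.clear()
    _PUBLISHED["k1"] = b"secret-one"
    cache = KeyCache(fetch_keys)
    tid, aud = "11111111-2222-3333-4444-555555555555", "api://contoso-app"   # constructed
    claims = {"aud": aud, "tid": tid, "iss": f"https://sts.windows.net/{tid}/",
              "exp": now + 3600, "upn": "dave@contoso.com"}
    old = sign_jwt(claims, "k1", b"secret-one")
    out = {"old_ok": validate(old, cache, aud, [tid], now)["upn"]}
    _PUBLISHED["k2"] = b"secret-two"                       # Azure AD rolls its signing key
    new = sign_jwt(claims, "k2", b"secret-two")
    out["new_ok"] = validate(new, cache, aud, [tid], now)["upn"]
    out["old_still_ok"] = validate(old, cache, aud, [tid], now)["upn"]
    out["refreshes"] = cache.refreshes                     # initial load + one for unknown k2
    try:
        validate(sign_jwt(claims, "k9", b"forged"), cache, aud, [tid], now)
    except ValueError as e:
        out["forged"] = str(e)
    try:
        validate(new, cache, aud, ["other-tenant"], now)
    except ValueError as e:
        out["wrong_tenant"] = str(e)
    return out
```

Two habits from this block carry over directly to a real RS256 validator: refresh the key set on an unknown `kid` but never more than once per token, and pin the expected algorithm before looking at the key, so a token that names a different `alg` is rejected rather than verified under rules it chose.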
Azure AD: Tokens
• Kerberos maximum lifetime for service ticket: 10 hours before the user must fetch a new ticket from the domain controller internally (validation): https://technet.microsoft.com/en-us/library/cc775748(v=ws.10).aspx
• Session timeouts for Office 365: https://support.office.com/en-US/article/Session-timeouts-for-Office-365-37a5c116-5b07-4f70-8333-5b86fd2c3c40?ui=en-US&rs=en-US&ad=US
• Modern Authentication: at some point we also need to talk "Modern Authentication" through with you, but I don't think the time is quite ripe for that yet: https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/. It is closely tied to EMS (Conditional Access).
• "Modern Authentication": http://www.cloudidentity.com/blog/2015/03/20/azure-ad-token-lifetime/
• Basic Authentication
• ADFS token: 8 hours (this is Microsoft's default).
Questions and Answers Thanks
Azure AD: Azure Association