Identity in the Cloud Paul Schaeflein
About Me • Paul Schaeflein, MCPD • Schaeflein Consulting • http://www.schaeflein.net • paul@schaeflein.net • @paulschaeflein • Long-time developer and software architect • Currently moving sites to the largest SPO tenancy • Part of ISC2012 Developer Track
Glossary
• App: Application designed to read/write data from remote system
• Authentication: Identify the current principal
• Authorization: Verify principal has proper permission for operation
• Cloud App: App hosted on servers off-premises
• JSON: JavaScript Object Notation
• JWT: JSON Web Token
• OAuth: Open Authentication standard
• Principal: User or App performing an operation
• SAML: Security Assertion Markup Language (XML)
• Token: Encoded, signed data representing principal and/or app
Cloud and Azure Glossary: http://www.hanselman.com/blog/ACloudAndAzureGlossaryForTheConfused.aspx
Common Authentication methods • Integrated Windows NT Authentication • Forms-Based Authentication • .NET Membership • Claims-based Authentication • Default in SharePoint 2013 • ASP.Net Identity • Anonymous
Authenticating Users in the cloud • Integrated NT not usually possible • Unless running a managed cloud • FBA requires management interface creation • Claims-based is gaining traction • Multiple formats, but same concepts • SSO, OAuth, ASP.Net Identity • Anonymous • Well…
Authenticating Apps • Server to Server (S2S) Trust • Uses server certificates • Just like SSL • App ID & Password • Also called Client Secret • Trust Broker • Service and App trust same 3rd-party
App Authorization • Standard for programs accessing remote systems • OAuth2 • http://oauth.net
OAuth Protocol Flow in SharePoint 2013
OAuth roles and their SharePoint 2013 counterparts (from the diagram): Authorization Server = ACS (Windows Azure Access Control Services); Resource owner = Browser (the user); Client = App.com; Resource Server = SharePoint.
1) User browses to a SharePoint page with an app part on it
2) SharePoint requests a context token
3) ACS returns a signed context token
4) SharePoint renders page with iframe which will POST the context token to App.com (POST https://app.com/ … SPAppToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.e…)
5) iframe causes browser to request contents from App.com including the context token
6) App.com validates the signature on the context token, extracts the auth code, and uses its credentials to request an access token from ACS
7) Windows Azure Access Control Services (ACS) returns an access token
8) App.com calls SharePoint CSOM or REST API with access token
9) SharePoint returns data from CSOM or REST API call
10) App.com returns the iframe contents
OAuth Token Summary (from the diagram): Context token at step 5 (Browser to App.com); Refresh token at steps 6 and 7 (App.com and ACS); Access token at step 8 (App.com to SharePoint)
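As an added example (not from the deck and not SharePoint's own TokenHelper code), this is the check App.com must perform at step 6 before trusting the POSTed SPAppToken: verify the HS256 signature with the app's own client secret, then the audience and validity window, and only then read claims such as the refresh token. The secrets, client id, realm and claim names are constructed, and the "<client id>/<host>@<realm>" audience format is an assumption about the SharePoint 2013 context token.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample secrets (SharePoint app client secrets are base64 strings).
CLIENT_SECRET_B64 = base64.b64encode(b"\x01" * 32).decode()
WRONG_SECRET_B64 = base64.b64encode(b"\x02" * 32).decode()   # someone else's key

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def expected_audience(client_id: str, sharepoint_host: str, realm: str) -> str:
    # Assumed SP2013 audience format: "<client id>/<SharePoint host>@<realm>".
    return f"{client_id}/{sharepoint_host}@{realm}"

def sign_context_token(claims: dict, secret_b64: str) -> str:
    # Issuer side (ACS in the flow); only here to build a constructed sample token.
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    header = b64url_encode(compact({"typ": "JWT", "alg": "HS256"}))
    payload = b64url_encode(compact(claims))
    mac = hmac.new(base64.b64decode(secret_b64), f"{header}.{payload}".encode(),
                   hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"

def validate_context_token(token: str, secret_b64: str, audience: str, now=None) -> dict:
    """Step 6 of the flow: verify the HS256 signature with the app's own client
    secret, then check aud/nbf/exp before trusting any claim the token carries."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")      # the token must not choose the algorithm
    mac = hmac.new(base64.b64decode(secret_b64), f"{header_b64}.{payload_b64}".encode(),
                   hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("aud") != audience:
        raise ValueError("audience mismatch")   # token was minted for a different app/host
    now = time.time() if now is None else now
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token expired or not yet valid")
    return claims
```

The header segment produced here is the same "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9" that the slide's SPAppToken starts with.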
Windows Azure Active Directory • Implement single sign-on and single sign-out for enterprise applications and software as a service (SaaS) providers. • Query and manage cloud directory objects, such as users and groups, by using the Graph API. • Integrate with on-premises Active Directory to sync directory data to the cloud and enable single sign-on across on-premises and cloud applications
Windows Azure Active Directory • Processed more than 10 billion authentications in a seven-day period • 1.4 million businesses, schools, government agencies and non-profits • 240 million user accounts in Azure AD from companies and organizations in 127 countries around the world • 14 different data centers • 227 different SaaS solutions (Office 365, SalesForce, Box) Source, Oct 2013: http://blogs.technet.com/b/ad/archive/2013/10/04/an-update-on-dates-pricing-and-sharing-some-cool-data.aspx
Provider-hosted App Identity from SharePoint Roles from SharePoint Scenario 1
Provider-hosted App • SharePoint sends the context token on app launch • Subsequent pages may not contain the token • SharePoint does not authenticate – do you trust SharePoint?
Provider-hosted App with Windows Azure Active Directory Identity from SharePoint Verified by WAAD Roles from WAAD Scenario 2
Provider-hosted App w/WAAD • Parse the Identity Claim (Login Name) • Requires Read access to Azure Active Directory Tenant • Client ID/Password (Key) • Use a different web.config entry than the one holding the SharePoint App ID
Cloud-Hosted Web Application Identity from WAAD Roles from WAAD Scenario 3
Cloud-Hosted Web Application • Configure application for SSO • Identity and Access Tool • Claims-based Authentication • Requires Read Access to Azure Active Directory Tenant • Client ID/Password (Key)
WAAD Graph API • Documentation: http://msdn.microsoft.com/library/windowsazure/dn151791.aspx • Graph Explorer: http://graphexplorer.cloudapp.net • Metadata: https://graph.windows.net/contoso.onmicrosoft.com/$metadata
WAAD Graph API Walkthrough • Initial Post: http://blogs.msdn.com/b/aadgraphteam/archive/2013/01/24/walk-through-for-building-a-net-application-for-accessing-windows-azure-active-directory-graph-service.aspx • Update for new capabilities: http://blogs.msdn.com/b/aadgraphteam/archive/2013/05/15/announcing-some-new-capabilities-in-azure-active-directory-graph-service.aspx
WCF Data Services • WCF Data Services 5.6 Download: http://msdn.microsoft.com/en-us/library/dn259731(v=vs.113).aspx • Tooling Update blog post: http://blogs.msdn.com/b/astoriateam/archive/2013/02/18/wcf-data-services-5-3-0-rtw.aspx
WCF Data Services Examples • Calling Service Operations from the WCF Data Services Client: http://blogs.msdn.com/b/writingdata_services/archive/2011/12/14/10146521.aspx • DataServiceContext.Execute(): http://msdn.microsoft.com/en-us/library/hh859932(v=vs.113).aspx • OperationParameter (and derived classes): http://msdn.microsoft.com/en-us/library/system.data.services.client.operationparameter(v=vs.103).aspx
Thank you for attending!