Sofia Event Center, 14-15 May 2014

Single-Sign-On between On-Premises and the Cloud: Leveraging Windows Azure Active Directory to authenticate custom solutions and Apps

Radi Atanassov, SharePoint MCM & MVP, OneBit Software
About Me
- Radi Atanassov
- SharePoint 2010 MCM
- SharePoint Server MVP
- OneBit Software
- Web Platform User Group
- Twitter: @RadiAtanassov
- E-mail: radi@sharepoint.bg
Agenda
- Identity & Access
- Windows Azure Active Directory
- DEMO: ASP.NET MVC & WS-Fed for SSO
- DEMO: Query the directory with the Graph API
Identity & Access: Introduction
Our world is changing: Cloud.
Today we are: Cloud first. Mobile first. Social.
Identity & Access (diagram): Web App, Another Web App, Service, Collaboration, IM/Video, Mail, Tasks & Calendar
Identity & Access (diagram): Identity Provider; App; Relying Party; Relying Party 2
Many Token Formats
- SAML
- JWT
- Kerberos Ticket
- Custom
Tokens & Validation
- Well formed: intended format
- Validity: not tampered with (signature)
- Intended Authority: signature verification; trusted, unique issuer
- Current Application: correct Audience
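The validation checklist on this slide, worked through as an added Python example (not code from the deck, whose demos are ASP.NET): it mints a JWT on the issuer side and then validates it in the order the slide lists: well formed, intended format, signature, trusted issuer, correct audience, validity window. The shared key, issuer URL and audience URL are constructed placeholders; WAAD tokens are RS256-signed with keys taken from federation metadata, so HS256 is an assumption made only to keep the example self-contained and offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (not from the deck). A real relying party would load
# the signing key from the STS's federation metadata and pin RS256 instead.
DEMO_KEY = b"demo-shared-secret"
TRUSTED_ISSUER = "https://sts.example.invalid/tenant-id/"
OUR_AUDIENCE = "https://app.example.invalid/"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def make_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Issuer side: mint an HS256 JWT over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_jwt(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Relying-party side: run the slide's checklist; raise ValueError naming the failed check."""
    now = time.time() if now is None else now

    # 1. Well formed: three base64url segments whose first two decode to JSON objects.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed: expected header.payload.signature")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError as exc:  # covers base64 and JSON decode errors
        raise ValueError(f"malformed: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed: header and payload must be JSON objects")

    # 2. Intended format: pin the algorithm we expect rather than trusting the
    #    header's own 'alg' value, so unsigned or differently-signed tokens fail here.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected token format/algorithm")

    # 3. Not tampered with: recompute the MAC over header.payload, compare in constant time.
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("signature verification failed")

    # 4. Intended authority: the issuer must be the single trusted STS.
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")

    # 5. Current application: the audience must name this relying party.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if OUR_AUDIENCE not in audiences:
        raise ValueError("token not intended for this audience")

    # 6. Validity window: reject expired or not-yet-valid tokens, allowing 60 s clock skew.
    skew = 60
    if "exp" not in claims or now > claims["exp"] + skew:
        raise ValueError("token expired or missing exp")
    if now < claims.get("nbf", 0) - skew:
        raise ValueError("token not yet valid")

    return claims


def check_jwt(token: str, key: bytes = DEMO_KEY, now=None) -> str:
    """Convenience wrapper: 'ok' or the text of the first failed check."""
    try:
        validate_jwt(token, key, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    good = make_jwt({"iss": TRUSTED_ISSUER, "aud": OUR_AUDIENCE, "sub": "alice", "exp": 2000, "nbf": 1000})
    print(check_jwt(good, now=1500))
    print(check_jwt(good, now=5000))
```

Note the order: structural checks come before the signature check, and the signature check comes before any claim is trusted, so a forged issuer or audience claim never influences a decision. In ASP.NET the same checks are what the WS-Federation/JWT handlers perform when you configure the trusted issuer and audience URIs; the point of writing them out is to see what each configuration value actually controls.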
Many Protocols & Standards
- SAML-P
- WS-Federation
- OAuth
- OpenID Connect
SAML vs. WS-Federation
- Both support SSO, metadata exchange, trust, the claims terminology, the concept of federated identity, sign out, pseudonyms
- Both are confusing
- Both are OASIS standards
SAML-P
- Older, widespread
- Only supports SAML Assertions
WS-Federation
- Pushed by MS
- Supports many tokens + SAML
- Much more functional
OpenID Connect vs OAuth 2.0
OpenID Connect
- Identity Providers
- Authentication
- Community driven, open source project
- No abstraction, direct & lightweight
- SSO solution
OAuth 2.0
- Authorization
- Permit Site A to access Site B on your behalf
- Defines what you can do once access is allowed
Enterprise Security
- Flexibility and features similar to the Web world
- Cross-system data exchange
- Single sign-on is a key requirement
- Push for standards
- Attention to security
Practical Architecture
- Design & develop a single sign-on system
- Choose how to authenticate your users
- Spot & discuss security risks
- Cloud, mobile and App trends are pushing this
- Huge in the enterprise
- Huge in the consumer App space
- Not getting any easier!
Architecture Decisions
- Where are your users stored?
- What authentication handshaking will you use?
- What tokens will you use?
- What is the hosting platform and application framework/language?
- What are the business rules/security requirements?
- ASP.NET: which ASP.NET library?
ASP.NET Library History
- Forms Authentication (ASP.NET Membership): nothing to do with any standard; SSO requires a subdomain, no cross domain
- Windows Authentication: NTLM & Kerberos
- ASP.NET Simple Membership: a membership system for ASP.NET Web Pages
- ASP.NET Universal Providers: built on top of ASP.NET Membership
- ASP.NET & Windows Identity Foundation
- Custom
ASP.NET Identity 2.0
- One system for all ASP.NET frameworks
- Hybrid-friendly, standards-based, cross-framework, cross-platform
- Easy to enhance profile data & schema
- Easier unit testing
- Claims-aware
- Role Manager API
- Easy API for social login providers
- WAAD implementation
- OWIN
- Microsoft.AspNet.Identity.*
ADAL.NET
- Active Directory Authentication Library for .NET 2.0
- System.IdentityModel.Clients.ActiveDirectory
- API & helper classes for Active Directory, ADFS, WAAD
- Has support for JWT, SAML, OAuth
- Token acquisition, refreshing, storage
- Good for non-web applications
.NET 4.5 & WIF
Windows Azure Active Directory: Introduction
Windows Azure Active Directory (diagram): Dirsync, On-premises Directory, Graph API, SAML-P, WS-Fed, OAuth 2.0, Metadata
Windows Azure Active Directory (diagram): Cloud side with Windows Azure Active Directory, Cloud App and Exchange Online; on-premises side with Active Directory Federation Services (STS), Active Directory, Web Portal and SharePoint
Building Apps with SSO: DEMO
Questions???
Share your feedback for this particular session and for the overall conference experience at http://aka.ms/intouch
EMAIL: radi@sharepoint.bg