[Agenda diagram: one scenario labelled WS-Fed, SAML 2.0, OpenID Connect; five scenarios labelled OAuth 2.0]
Today, we announced Azure Active Directory Premium, an advanced offering that includes IAM capabilities for on-premises, hybrid and cloud environments. Built on top of the free Azure AD, it provides an additional set of features to empower enterprises with demanding identity and access management needs, such as:
• Group-based access assignment for SSO to more than 1200 SaaS apps via “myapps.microsoft.com” and mobile apps
• Self-service password reset
• Delegated group management
• Multi-Factor Authentication
• Customized branding
• Reporting, alerting, and analytics
Additionally, Azure AD Premium offers:
• An Enterprise SLA of 99.9%
• Usage rights to Forefront Identity Manager Server and CALs
Web Browser to Web App: WS-Federation, SAML 2.0, OpenID Connect

• WebApp Service Principal: App ID URI, Reply URL
• Directory: SAML, WS-Fed, or OpenID Connect endpoint

Flow (OWIN Auth Middleware or Windows Identity Foundation in the web app):
1. Navigate to site
2. Redirect to directory tenant to sign in (App ID URI)
3. Sign in
4. Send security token to Reply URL
5. Set session

Directory endpoints:
• Tenant-specific endpoint: https://login.windows.net/contoso.com/<protocol>
• Common (multi-tenant) endpoint: https://login.windows.net/common/<protocol>
Claims in the token:

Claim      | Example                              | Intended Purpose
Tenant ID  | 81aabdd2-3682-48fd-9efa-2cb2fcea8557 | Immutable tenant identifier
Name       | [email protected]                    | Display only
First Name | Stuart                               | Display only
Last Name  | Kwan                                 | Display only
Object ID  | b3809430-6c28-4e43-870d-fa7d38636dcd | Immutable security identifier

* Coming soon: group claims and role claims

Key authorization decisions and audit records on the immutable Tenant ID and Object ID pair; the name claims can change and are for display only.

OpenID Connect discovery document: https://login.windows.net/common/.well-known/openid-configuration





Native Client to Web API: OAuth 2.0 auth code grant, public client

• NativeApp SP: Client ID, Redirect URI
• WebAPI SP: App ID URI
• Impersonation grant from NativeApp to WebAPI
• Directory: Authorize Endpoint, Token Endpoint

Flow (ADAL* on the client; OWIN Auth Middleware or Windows Identity Foundation in the Web API):
1. Request Auth Code from the Authorize Endpoint (Client ID, Redirect URI, App ID URI)
2. Sign in … (user sees a web pop-up)
3. Return Auth Code to Redirect URI
4. Redeem Auth Code at the Token Endpoint (Auth Code, Client ID, Redirect URI, App ID URI)
5. Return Access Token (JWT**), Refresh Token (JWT**)
6. Send Access Token on Authorization Header

* Active Directory Authentication Library: client-side helper library that handles UI prompts, protocol, caching.
** JWT = JSON Web Token, a JSON-encoded security token bearing claims. Decoder: http://jwt.calebb.net/
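The Web API's end of step 6, as an added example (not code from the deck, ADAL, OWIN or WIF): it parses the bearer JWT out of the Authorization header, checks signature, issuer, audience and validity window, and hands the application only the claims the table above marks as immutable identifiers. The tenant ID and object ID are the values from the claims table; the Web API's App ID URI, the issuer format, the jwks_uri and the HS256 shared secret are assumptions made so the code runs offline (Azure AD signs with RS256 and publishes its public keys at the discovery document's jwks_uri; the validation logic is otherwise the same). Claim names follow the standard JWT/OIDC names, which is also an assumption.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the discovery document at
# https://login.windows.net/common/.well-known/openid-configuration.
# The issuer format and jwks_uri are assumptions; the tenant ID is the one from the claims table.
TENANT_ID = "81aabdd2-3682-48fd-9efa-2cb2fcea8557"
DISCOVERY = {
    "issuer": f"https://sts.windows.net/{TENANT_ID}/",
    "jwks_uri": "https://login.windows.net/common/discovery/keys",
}
WEBAPI_APP_ID_URI = "https://contoso.com/webapi"   # hypothetical App ID URI of this Web API
# Azure AD signs with RS256 and publishes the verification keys at jwks_uri. To run offline
# this example signs with HS256 and a shared secret; only the signature primitive differs.
SIGNING_KEY = b"example-shared-secret-not-for-production"
CLOCK_SKEW = 300  # seconds of tolerance applied to exp and nbf


class TokenError(Exception):
    pass


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, alg: str = "HS256") -> str:
    """Build a compact JWT; used here only to construct sample input for the validator."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": alg}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = b""
    if alg == "HS256":
        sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_bearer(authorization_header: str, now=None) -> dict:
    """Validate the Authorization header received by the Web API; return only trusted claims."""
    now = time.time() if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        raise TokenError("expected 'Authorization: Bearer <jwt>'")
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise TokenError("malformed JWT") from exc
    # Pin the algorithm server-side: the token must not get to choose (rejects alg=none).
    if header.get("alg") != "HS256":
        raise TokenError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    # Trusted issuer and *this* API's App ID URI as audience: otherwise a token minted for
    # some other resource in the same tenant would be accepted here.
    if claims.get("iss") != DISCOVERY["issuer"]:
        raise TokenError("unexpected issuer")
    if claims.get("aud") != WEBAPI_APP_ID_URI:
        raise TokenError("token was not issued for this Web API")
    if claims.get("nbf", 0) > now + CLOCK_SKEW:
        raise TokenError("token not yet valid")
    if claims.get("exp", 0) <= now - CLOCK_SKEW:
        raise TokenError("token expired")
    if "tid" not in claims or "oid" not in claims:
        raise TokenError("token lacks tenant/object identifiers")
    # Per the claims table: authorize on the immutable tid/oid pair; names are display only.
    return {
        "tenant_id": claims["tid"],
        "object_id": claims["oid"],
        "display_name": f"{claims.get('given_name', '')} {claims.get('family_name', '')}".strip(),
    }


def sample_header(now: float, **overrides) -> str:
    """Constructed sample: a token for the user in the claims table, minted by the trusted tenant."""
    alg = overrides.pop("alg", "HS256")
    claims = {
        "iss": DISCOVERY["issuer"], "aud": WEBAPI_APP_ID_URI, "tid": TENANT_ID,
        "oid": "b3809430-6c28-4e43-870d-fa7d38636dcd",
        "given_name": "Stuart", "family_name": "Kwan",
        "nbf": int(now) - 60, "exp": int(now) + 3600,
    }
    claims.update(overrides)
    return "Bearer " + mint_token(claims, alg)


if __name__ == "__main__":
    print(validate_bearer(sample_header(time.time())))
```

Running the module prints the tenant ID, object ID and display name for the constructed token. The order of the checks matters: the signature is verified before any claim is trusted, and the audience check is what stops a token that a user legitimately obtained for a different Web API in the same tenant from being replayed against this one.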











Native Client to Web API: OAuth 2.0 auth code grant, public client (token refresh)

Same service principals and Impersonation grant as in the native client flow; ADAL on the client, OWIN Auth Middleware or Windows Identity Foundation in the Web API.
1. Call WebAPI (Access Token in AuthZ Header)
2. Access Token has expired
3. Request new Access Token from the Token Endpoint (Client ID, Refresh Token*, App ID URI)
4. Return Access Token, Refresh Token
5. Call web API with Access Token in AuthZ Header

* Bonus: a “multi-resource refresh token” can be used to get an access token to a different service if delegation exists.






Web App to Web API: OAuth 2.0 client credentials

• WebApp SP: Client ID, Redirect URI, Credential*
• WebAPI SP: App ID URI
• Access grant from WebApp to WebAPI
• Directory: Authorize Endpoint, Token Endpoint

Flow (WIF/OWIN in the web app and the web API, ADAL for the token request):
1. Signed in, using the web app…
2. Request token from the Token Endpoint (Client ID, Credential, App ID URI)
3. Return access token
4. Call web API with Access Token in AuthZ Header

* The application’s credential can be a password, or it can be an assertion (a JWT token) signed with a private key. The resulting token represents the application itself, not the signed-in user.
Web App to Web API: OpenID Connect

• WebApp SP: Client ID, Redirect URI, Credential
• WebAPI SP: App ID URI
• Impersonation grant from WebApp to WebAPI
• Directory: Authorize Endpoint, Token Endpoint

Flow (WIF/OWIN in the web app and the web API, ADAL for the token request):
1. Navigate to site
2. Redirect to sign in and request auth code (Client ID, Redirect URI)
3. Sign in (might require user consent)
4. Return ID Token* and Auth Code to Redirect URI
6. Set session
7. Request access token from the Token Endpoint (Auth Code, Client ID, Credential, Redirect URI, App ID URI)
8. Return access token, refresh token
9. Call web API with Access Token in AuthZ Header

* ID Token: claims about the user for the WebApp.







Server to Web API: OAuth 2.0 OnBehalfOf token exchange

• WebAPI1 SP: Client ID, Credential
• WebAPI2 SP: Client ID, Credential
• Impersonation grant from WebAPI1 to WebAPI2
• Directory: Authorize Endpoint, Token Endpoint

Flow (WIF/OWIN in both APIs, ADAL in WebAPI1 for the exchange):
1. Use WebAPI1, passing the user’s Access Token…
2. WebAPI1 requests a token from the Token Endpoint (User’s Access Token, Client ID, Credential)
3. Return Access Token, Refresh Token
4. Call WebAPI2 with Access Token in AuthZ Header
America’s oldest and largest healthcare services company
Company Founded: 1833
Headquarters: San Francisco
Fortune 500: Ranked 14th
Employees: 43,500
Revenue: $122.5 billion
Segments: Distribution Solutions and Technology Solutions

Together with our customers and partners, we are creating a sustainable future for healthcare. Together we are charting a course to better health.

Distribution Solutions:
• #1 pharmaceutical distributor in U.S. and Canada
• #1 generics distributor
• #1 in medical-surgical distribution to alternate care sites

Technology Solutions:
• leader in clinical, revenue-cycle and resource-management solutions
• leading RelayHealth claims-processing and connectivity business
• #1 in medical-management software and services to payers











Resources:
• https://github.com/orgs/MSOpenTech
• http://katanaproject.codeplex.com/
• https://github.com/AzureADSamples
• http://www.windowsazure.com/en-us/solutions/identity/
Protocol support summary:

Category          | Protocol                                       | AD FS         | Azure AD
Web sign-in       | WS-Federation                                  | AD FS 2.0+    | GA
Web sign-in       | SAML 2.0                                       | AD FS 2.0+    | GA
Web sign-in       | OpenID Connect                                 | Not available | Preview
Native client     | OAuth 2.0 auth code grant, public client       | AD FS 3.0     | Preview
Web to Web API    | OAuth 2.0 auth code grant, confidential client | Not available | Preview
Web to Web API    | OAuth 2.0 client credential grant              | Not available | GA
Server to Web API | OAuth 2.0 on behalf of                         | Not available | Preview
Web App to Web API: OAuth 2.0 auth code grant, confidential client*

• WebApp SP: Client ID, Redirect URI, Credential
• WebAPI SP: App ID URI
• Delegation grant from WebApp to WebAPI
• Directory: Authorize Endpoint, Token Endpoint

Flow (WIF/OWIN in the web app and the web API, ADAL for the token request):
1. Signed in, using the web app…
2. Request Auth Code from the Authorize Endpoint (Client ID, Redirect URI)
3. Return Auth Code (might require user consent)
4. Request access token from the Token Endpoint (Auth Code, Client ID, Credential, Redirect URI, App ID URI)
5. Return access token, refresh token
6. Call web API with Access Token in AuthZ Header

* Called “confidential client” because the WebApp uses its own credential when redeeming the auth code.
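The directory side of the grants in this deck, as one added mock (not Azure AD, ADAL or any other Microsoft code) that covers the native-client auth code flow and its multi-resource refresh token, the client credentials grant, the OpenID Connect reply carrying an ID token next to the auth code, the OnBehalfOf exchange between two Web APIs, and the confidential-client flow directly above. Tokens are opaque in-memory handles rather than JWTs so that the checks each grant performs stay visible; client IDs, App ID URIs, redirect URIs, secrets and the user record are constructed, and the user's tenant and object IDs are the ones from the claims table. The on-behalf-of grant_type string is the one Azure AD uses for that exchange; everything else about the interface is this example's own.

```python
import secrets
import time

# Grant type Azure AD uses for the on-behalf-of exchange (sent with requested_token_use=on_behalf_of)
ON_BEHALF_OF = "urn:ietf:params:oauth:grant-type:jwt-bearer"


class AuthError(Exception):
    pass


class MockDirectory:
    """Toy Authorize/Token endpoints; tokens are opaque in-memory handles, not JWTs."""

    def __init__(self):
        self.clients = {}         # client_id -> registration; secret None means public client
        self.delegations = set()  # (client_id, resource App ID URI) pairs that hold a grant/consent
        self.codes, self.access, self.refresh = {}, {}, {}

    def register(self, client_id, redirect_uri=None, secret=None, app_id_uri=None):
        self.clients[client_id] = {"redirect_uri": redirect_uri, "secret": secret, "app_id_uri": app_id_uri}

    def grant(self, client_id, resource):
        """Record the impersonation/delegation/access grant from a client SP to a resource SP."""
        self.delegations.add((client_id, resource))

    # Authorize Endpoint: the browser/pop-up leg; ends with a code sent to the Redirect URI
    def authorize(self, client_id, redirect_uri, resource, user, want_id_token=False):
        reg = self.clients.get(client_id)
        if reg is None or reg["redirect_uri"] != redirect_uri:
            raise AuthError("unknown client or redirect_uri differs from registration")
        if (client_id, resource) not in self.delegations:
            raise AuthError("consent required")   # the "might require user consent" step
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "resource": resource, "user": user, "exp": time.time() + 600}
        reply = {"code": code}
        if want_id_token:   # OpenID Connect: claims about the user, addressed to the WebApp itself
            reply["id_token"] = {"aud": client_id, "tid": user["tid"], "oid": user["oid"]}
        return reply

    def _authenticate(self, client_id, credential):
        reg = self.clients.get(client_id)
        if reg is None:
            raise AuthError("unknown client")
        if reg["secret"] is not None:   # confidential client: must present its credential
            if credential is None or not secrets.compare_digest(reg["secret"], credential):
                raise AuthError("bad client credential")
        return reg

    def _issue(self, client_id, resource, user, with_refresh=True):
        at = secrets.token_urlsafe(24)
        self.access[at] = {"client_id": client_id, "aud": resource, "user": user, "exp": time.time() + 3600}
        rt = None
        if with_refresh:
            rt = secrets.token_urlsafe(24)
            self.refresh[rt] = {"client_id": client_id, "user": user}
        return {"access_token": at, "refresh_token": rt, "resource": resource}

    # Token Endpoint: every grant in the deck goes through here
    def token(self, grant_type, client_id, credential=None, **p):
        reg = self._authenticate(client_id, credential)
        now = time.time()
        if grant_type == "authorization_code":
            rec = self.codes.pop(p["code"], None)      # a code is redeemable exactly once
            if rec is None or rec["exp"] < now:
                raise AuthError("invalid or expired code")
            if (rec["client_id"], rec["redirect_uri"], rec["resource"]) != (client_id, p["redirect_uri"], p["resource"]):
                raise AuthError("code was issued to a different client/redirect_uri/resource")
            return self._issue(client_id, rec["resource"], rec["user"])
        if grant_type == "refresh_token":
            rec = self.refresh.pop(p["refresh_token"], None)   # rotate: the old refresh token dies
            if rec is None or rec["client_id"] != client_id:
                raise AuthError("invalid refresh token")
            if (client_id, p["resource"]) not in self.delegations:   # multi-resource refresh token
                raise AuthError("no delegation to the requested resource")
            return self._issue(client_id, p["resource"], rec["user"])
        if grant_type == "client_credentials":
            if reg["secret"] is None:
                raise AuthError("public clients cannot use client_credentials")
            if (client_id, p["resource"]) not in self.delegations:
                raise AuthError("no application access grant to the resource")
            return self._issue(client_id, p["resource"], user=None, with_refresh=False)  # app identity only
        if grant_type == ON_BEHALF_OF:   # WebAPI1 trades the user's token for one addressed to WebAPI2
            rec = self.access.get(p["assertion"])
            if rec is None or rec["exp"] < now:
                raise AuthError("invalid user assertion")
            if rec["aud"] != reg["app_id_uri"]:
                raise AuthError("assertion was not issued to the calling API")
            if (client_id, p["resource"]) not in self.delegations:
                raise AuthError("no delegation from this API to the requested resource")
            return self._issue(client_id, p["resource"], rec["user"])
        raise AuthError("unsupported grant_type")


def demo():
    """Native client -> WebAPI1 -> (on-behalf-of) WebAPI2; returns the user WebAPI2 will see."""
    d = MockDirectory()
    user = {"tid": "81aabdd2-3682-48fd-9efa-2cb2fcea8557",
            "oid": "b3809430-6c28-4e43-870d-fa7d38636dcd", "name": "Stuart Kwan"}
    api1, api2 = "https://contoso.com/webapi1", "https://contoso.com/webapi2"
    d.register("native-app", redirect_uri="app://callback")        # public client, no secret
    d.register("webapi1", secret="api1-secret", app_id_uri=api1)  # confidential
    d.register("webapi2", secret="api2-secret", app_id_uri=api2)
    d.grant("native-app", api1)
    d.grant("webapi1", api2)
    code = d.authorize("native-app", "app://callback", api1, user)["code"]
    t1 = d.token("authorization_code", "native-app", code=code, redirect_uri="app://callback", resource=api1)
    t2 = d.token(ON_BEHALF_OF, "webapi1", credential="api1-secret", assertion=t1["access_token"], resource=api2)
    return d.access[t2["access_token"]]["user"]
```

Two details are easy to miss in the slide diagrams and are enforced here: the auth code is bound to the client ID, Redirect URI and App ID URI it was issued for and dies after one redemption, and the on-behalf-of exchange only accepts an assertion whose audience is the calling API's own App ID URI, so WebAPI1 cannot forward a token that was minted for some other resource.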