
SharePointintersection Session SP29 Securing your cloud applications with Azure Active Directory


Presentation Transcript


  1. SharePointintersection Session SP29: Securing your cloud applications with Azure Active Directory. Paul Schaeflein, Schaeflein Consulting

  2. About Me • Solutions Architect • Trainer • Hockey fan • http://www.schaeflein.net/blog

  3. Glossary • App • Application designed to read/write data from a remote system • Authentication • Identify the current principal • Authorization • Verify the principal has the proper permission for the operation • Cloud App • App hosted on servers off-premises • JSON • JavaScript Object Notation

  4. Glossary • JWT • JSON Web Token • OAuth • Open Authorization standard (delegated authorization, not an authentication protocol) • Principal • User or App performing an operation • SAML • Security Assertion Markup Language (XML) • Token • Encoded, signed data representing a principal and/or app

  5. Cloud and Azure Glossary • http://www.hanselman.com/blog/ACloudAndAzureGlossaryForTheConfused.aspx

  6. Web Application Identity

  7. Common Authentication methods • Integrated Windows NT Authentication • Forms-Based Authentication • .NET Membership • Claims-based Authentication • Default in SharePoint 2013 • Anonymous

  8. Authenticating Users in the cloud • Integrated NT not usually possible • Unless running a managed cloud • FBA requires management interface creation • Claims-based is gaining traction • Multiple formats, but same concepts • Anonymous • Well…

  9. Authenticating Apps • Server to Server (S2S) Trust • Uses server certificates • Just like SSL • App ID & Password • Also called Client Secret • Trust Broker • Service and App trust same 3rd-party

  10. App Authorization • Standard for programs accessing remote systems • OAuth2 • http://oauth.net

  11. OAuth Protocol Flow in SharePoint 2013 • Actors: User (desktop computer, laptop computer, mobile device, tablet or iPad); Content Server (SharePoint 2013 web server); Authentication Server (trusted ACS server that authenticates applications and creates OAuth tokens); Client App (web server running remote app code) • 1. SharePoint authenticates the user using claims • 2. SharePoint requests a context token for the user from ACS • 3. ACS returns the context token • 4. SharePoint passes the context token to the user • 5. User POSTs to the app, passing the context token • 6. Client app pulls the refresh token out of the context token and passes it to ACS to request an OAuth token • 7. ACS returns the OAuth token to the client app • 8. Client app makes CSOM/REST calls to the SharePoint site, passing the OAuth token • 9. SharePoint returns site content to the app • 10. Client app returns HTML to the user device

  12. Windows Azure Active Directory

  13. Windows Azure Active Directory • Implement single sign-on and single sign-out for enterprise applications and software as a service (SaaS) providers. • Query and manage cloud directory objects, such as users and groups, by using the Graph API. • Integrate with on-premises Active Directory to sync directory data to the cloud and enable single sign-on across on-premises and cloud applications.

  14. Windows Azure Active Directory • processed more than 10 billion authentications in a seven-day period • 1.4 million businesses, schools, government agencies and non-profits • 240 million user accounts in Azure AD from companies and organizations in 127 countries around the world • 14 different data centers • 227 different SaaS solutions (Office 365, SalesForce, Box) Oct 2013: http://blogs.technet.com/b/ad/archive/2013/10/04/an-update-on-dates-pricing-and-sharing-some-cool-data.aspx

  15. Scenario 1 Provider-hosted App Identity from SharePoint Roles from SharePoint

  16. Provider-hosted App • SharePoint sends the context token on app launch • Subsequent pages may not contain the token, so the app must cache it in its own session • SharePoint does not authenticate the user to your app; the app only receives SharePoint's token – do you trust SharePoint?
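The practical answer to "do you trust SharePoint?" is that the app should not trust the POSTed context token until it has verified it. The context token is an HS256 JWT signed with the app's client secret, so only something holding that secret (ACS, on SharePoint's behalf) could have minted it. The following is an added example, not code from the deck or from SharePoint's TokenHelper, that performs the same checks TokenHelper does (algorithm pinned, HMAC signature, audience, validity window) and then builds the ACS request for step 6 of the flow on slide 11 (swap the refresh token for an access token). The realm, client ID, client secret, host names and clock values are constructed for the demo; the ACS and SharePoint principal IDs and the token claim names are the real ones.

```python
"""Validate a SharePoint 2013 provider-hosted app context token before trusting it.

Added example, not code from the deck or from SharePoint's TokenHelper. The
context token ACS posts to the app is an HS256 JWT signed with the app's
client secret. All DEMO_* values are constructed, not real credentials.
"""
import base64
import hashlib
import hmac
import json

ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"         # ACS issuer ID
SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"  # SharePoint resource ID

DEMO_REALM = "11111111-2222-3333-4444-555555555555"
DEMO_CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
DEMO_CLIENT_SECRET = base64.b64encode(b"constructed-demo-secret-do-not-reuse").decode("ascii")
DEMO_HOST = "app.example.test"
DEMO_AUDIENCE = f"{DEMO_CLIENT_ID}/{DEMO_HOST}@{DEMO_REALM}"   # aud = client_id/host@realm
DEMO_NOW = 1_700_000_000
# TokenHelper base64-decodes the client secret to obtain the HMAC key.
DEMO_KEY = base64.b64decode(DEMO_CLIENT_SECRET)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_context_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT the way ACS would; used here only to fabricate test input."""
    header = _b64url_encode(b'{"typ":"JWT","alg":"HS256"}')
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_context_token(token: str, key: bytes, expected_audience: str, now: int) -> dict:
    """Return the claims only if algorithm, signature, audience and lifetime all pass.

    Read nothing from the token (refreshtoken, nameid, appctx) before this returns:
    an unverified JWT is just caller-controlled JSON.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust the header
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch: not minted with this app's client secret")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("aud") != expected_audience:  # token for another app or host
        raise ValueError("audience mismatch")
    if not (int(claims.get("nbf", 0)) <= now < int(claims.get("exp", 0))):
        raise ValueError("token outside its nbf/exp window")
    return claims


def is_valid_context_token(token: str, key: bytes, expected_audience: str, now: int) -> bool:
    try:
        validate_context_token(token, key, expected_audience, now)
        return True
    except ValueError:
        return False


def acs_refresh_request(claims: dict, client_id: str, client_secret: str, sharepoint_host: str):
    """Step 6 of the flow: the form to POST to ACS to exchange the refresh token for
    an access token scoped to the SharePoint host that launched the app."""
    appctx = json.loads(claims["appctx"])      # safe: claims came from validate_context_token
    realm = claims["aud"].rsplit("@", 1)[1]
    form = {
        "grant_type": "refresh_token",
        "client_id": f"{client_id}@{realm}",
        "client_secret": client_secret,
        "refresh_token": claims["refreshtoken"],
        "resource": f"{SHAREPOINT_PRINCIPAL}/{sharepoint_host}@{realm}",
    }
    return appctx["SecurityTokenServiceUri"], form


def demo():
    """Mint a constructed context token, validate it, and build the ACS request."""
    claims = {
        "aud": DEMO_AUDIENCE,
        "iss": f"{ACS_PRINCIPAL}@{DEMO_REALM}",
        "nbf": DEMO_NOW - 60,
        "exp": DEMO_NOW + 12 * 3600,
        "nameid": "constructed-user-puid",
        "appctx": json.dumps({"CacheKey": "constructed-cache-key",
                              "SecurityTokenServiceUri": "https://accounts.accesscontrol.windows.net/tokens/OAuth/2"}),
        "refreshtoken": "constructed-refresh-token",
    }
    token = make_context_token(claims, DEMO_KEY)
    verified = validate_context_token(token, DEMO_KEY, DEMO_AUDIENCE, DEMO_NOW)
    sts_uri, form = acs_refresh_request(verified, DEMO_CLIENT_ID, DEMO_CLIENT_SECRET, "contoso.sharepoint.test")
    return verified, sts_uri, form


if __name__ == "__main__":
    verified, sts_uri, form = demo()
    print("refresh token:", verified["refreshtoken"], "-> POST", sts_uri, form["resource"])
```

The audience check matters as much as the signature: a token legitimately issued to a different app registered in the same tenant is correctly signed by a different secret and fails the HMAC, but a token for the same client ID issued for a different host name only fails on `aud`. Cache the verified token (the `CacheKey` in `appctx` is what SharePoint intends for that) rather than re-reading it from later requests, which, as the slide notes, may not carry it.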

  17. Scenario 2 Provider-hosted App with Windows Azure Active Directory Identity from SharePoint Verified by WAAD Roles from WAAD

  18. Provider-hosted App w/WAAD • Parse the Identity Claim (login name) to get the user's UPN • Requires Read access to the Azure Active Directory tenant • Client ID/Password (Key) for the app's WAAD registration • Make sure this is a different web.config entry from the SharePoint App ID/ClientSecret (two separate credentials, never shared)
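"Parse the Identity Claim" refers to SharePoint's claims-encoded login name, which for an Office 365 user looks like `i:0#.f|membership|paul@contoso.onmicrosoft.com`: identity marker, reserved `0`, a one-character claim type, a one-character value type, a dot, the original issuer type, then the issuer name and the value separated by pipes (Windows and STS-issued claims omit the issuer name). Below is an added example, not the deck's code, that parses that encoding and returns a UPN only when the claim is an identity claim from an issuer the app has decided to verify against WAAD. The claim-type and issuer-type tables are a partial mapping of the common codes, the default trusted issuer (`membership`, as used by SharePoint Online) is an assumption to adjust per tenant, and every login name in the tests is constructed.

```python
"""Parse a SharePoint claims-encoded login name and extract the UPN to verify in WAAD.

Added example, not the deck's code. Encoding: "<i|c>:0<claim type><value type>.<issuer type>|<issuer name>|<value>"
The code tables below are a partial mapping of the common characters (assumption:
they are the ones a cloud app is likely to meet); all sample login names are constructed.
"""
from dataclasses import dataclass
from typing import Optional

CLAIM_TYPES = {
    "#": "http://schemas.microsoft.com/sharepoint/2009/08/claims/userlogonname",
    "5": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "+": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
    "-": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
}
ISSUER_TYPES = {"w": "windows", "f": "forms", "t": "trusted provider", "s": "SharePoint STS"}


@dataclass(frozen=True)
class EncodedClaim:
    is_identity: bool              # "i:" identity claim vs "c:" any other claim (group, role...)
    claim_type: str                # one-character claim type code
    claim_type_uri: Optional[str]  # None when the code is not in the partial table
    value_type: str                # "." = string
    issuer_type: str               # one-character original issuer code
    issuer_name: Optional[str]     # None for Windows ("w") and STS ("s") issued claims
    value: str


def parse_encoded_claim(login_name: str) -> EncodedClaim:
    """Split a claims-encoded login name into its parts; raise ValueError if it is not one."""
    if len(login_name) < 8 or login_name[0] not in "ic" or login_name[1:3] != ":0" or login_name[6] != "|":
        raise ValueError(f"not a claims-encoded login name: {login_name!r}")
    claim_type, value_type, issuer_type = login_name[3], login_name[4], login_name[5]
    rest = login_name[7:]
    if "|" in rest:
        issuer_name, value = rest.split("|", 1)
    else:
        issuer_name, value = None, rest
    if not value:
        raise ValueError(f"claim has no value: {login_name!r}")
    return EncodedClaim(
        is_identity=login_name[0] == "i",
        claim_type=claim_type,
        claim_type_uri=CLAIM_TYPES.get(claim_type),
        value_type=value_type,
        issuer_type=issuer_type,
        issuer_name=issuer_name,
        value=value,
    )


def upn_from_login_name(login_name: str, trusted_issuers=("membership",)) -> Optional[str]:
    """Return the UPN/email to look up in the WAAD tenant, or None when the login name
    must not be treated as one: not claims-encoded, not an identity claim, a Windows
    account (domain\\user), or issued by a provider we do not verify against WAAD.
    trusted_issuers defaults to "membership" (SharePoint Online forms issuer; assumption)."""
    try:
        claim = parse_encoded_claim(login_name)
    except ValueError:
        return None
    if not claim.is_identity or claim.issuer_type not in ("f", "t"):
        return None
    if claim.issuer_name not in trusted_issuers or "@" not in claim.value:
        return None
    return claim.value


if __name__ == "__main__":
    for name in ("i:0#.f|membership|paul@contoso.onmicrosoft.com",   # constructed samples
                 "i:0#.w|contoso\\paul",
                 "c:0+.w|s-1-5-21-1-2-3-513",
                 "i:05.t|adfs|paul@contoso.com"):
        print(name, "->", upn_from_login_name(name))
```

The issuer check is the security-relevant part: in a multi-provider farm the value after the last pipe is whatever the original issuer asserted, so a UPN from an issuer you have not decided to trust should not be looked up in WAAD and then granted WAAD roles. The returned UPN is the key you query through the Graph API listed on the References slides.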

  19. Scenario 3 Cloud-Hosted Web Application Identity from WAAD Roles from WAAD

  20. Cloud-Hosted Web Application • Configure application for SSO • Identity and Access Tool • Claims-based Authentication • Requires Read Access to Azure Active Directory Tenant • Client ID/Password (Key)

  21. References

  22. WAAD Graph API • Documentation: http://msdn.microsoft.com/library/windowsazure/dn151791.aspx • Graph Explorer: http://graphexplorer.cloudapp.net • Metadata: https://graph.windows.net/contoso.onmicrosoft.com/$metadata

  23. WAAD Graph API Walkthrough • Initial Post: http://blogs.msdn.com/b/aadgraphteam/archive/2013/01/24/walk-through-for-building-a-net-application-for-accessing-windows-azure-active-directory-graph-service.aspx • Update for new capabilities: http://blogs.msdn.com/b/aadgraphteam/archive/2013/05/15/announcing-some-new-capabilities-in-azure-active-directory-graph-service.aspx

  24. WCF Data Services • WCF Data Services 5.6 Download: http://msdn.microsoft.com/en-us/library/dn259731(v=vs.113).aspx • Tooling Update blog post: http://blogs.msdn.com/b/astoriateam/archive/2013/02/18/wcf-data-services-5-3-0-rtw.aspx

  25. WCF Data Services Examples • Calling Service Operations from the WCF Data Services Client: http://blogs.msdn.com/b/writingdata_services/archive/2011/12/14/10146521.aspx • DataServiceContext.Execute(): http://msdn.microsoft.com/en-us/library/hh859932(v=vs.113).aspx • OperationParameter (and derived classes): http://msdn.microsoft.com/en-us/library/system.data.services.client.operationparameter(v=vs.103).aspx

  26. Paul Schaeflein • paul@schaeflein.net • http://www.schaeflein.net/blog • @paulschaeflein

  27. Don’t forget to enter your evaluation of this session using EventBoard! Thank you! Questions?
