Slide 1

Slide 1 text

Authentication and Single Sign-On for Mobile, Web & Desktop Applications

Slide 2

Slide 2 text

Agenda
• Authentication scenarios for mobile applications*
• The Microsoft technology stack**
• Corporate vs customer-facing applications

* WS-Federation, OpenID Connect, OAuth2
** AD, ADFS, AAD, ADAL, Katana

Slide 3

Slide 3 text

Classic Intranet Scenario (VPN)

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

Bridging the Gap – On Premise
• ADFS
• Web Application Proxy

Slide 6

Slide 6 text

Cloud Sync: AAD

Slide 7

Slide 7 text

Typical Application Scenarios
• Browser → Web application → Web API
• Native app → Web API
• Server app → Web API

Slide 8

Slide 8 text

Protocols
• Browser → Web application: WS-Fed, SAML 2.0, OpenID Connect
• Web application → Web API: OAuth2
• Native app → Web API: OAuth2
• Server app → Web API: OAuth2

Slide 9

Slide 9 text

1. Browser to Web Application
Browser → Web application: WS-Fed, SAML 2.0, OpenID Connect

Slide 10

Slide 10 text

Web Browser to Web App: WS-Federation, SAML 2.0, OpenID Connect
Parties: Browser, WebApp (Katana), ADFS / AAD (SAML, WS-Fed, or OpenID Connect endpoint)
WebApp service principal: App ID URI, Reply URL
1. Navigate to site
2. Redirect to token service
3. Sign in
4. Send security token to Reply URL
5. Set session

Slide 11

Slide 11 text

Katana: Authentication Middleware for ASP.NET
• WS-Federation
• OpenID Connect
• JSON Web Tokens
• Cookies

Slide 12

Slide 12 text

OpenID Connect – Request

    GET /authorize
      ?client_id=app1
      &scope=openid profile
      &redirect_uri=https://app.com/cb
      &response_type=id_token
      &response_mode=form_post

Slide 13

Slide 13 text

OpenID Connect – Response

    POST /callback

Slide 14

Slide 14 text

JSON Web Tokens (JWT)

Header:
    {
      "typ": "JWT",
      "alg": "HS256"
    }

Claims:
    {
      "iss": "https://login.windows.net",
      "exp": 1340819380,
      "aud": "app1",
      "sub": "182jmm199",
      "email": "[email protected]",
      "email_verified": true,
      "amr": "password",
      "auth_time": 12340819300
    }

Compact serialization: Header.Claims.Signature (each part base64url-encoded, dot-separated)
    eyJhbGciOiJub25lIn0.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMD.4MTkzODAsDQogImh0dHA6Ly9leGFt
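Added example, not code from the deck: the authorize request of slide 12 built with a state and nonce that the relying party keeps in its session, and the checks a /callback handler runs on the id_token posted back (slide 13), using the HS256 header of slide 14. mint_hs256 is a constructed stand-in for the token service; the shared key, authority URL and nonce values are assumptions. The validator pins the algorithm, so a token whose header says "alg":"none" (as the sample compact string above does) is rejected before any claim is read.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def build_authorize_url(authority, client_id, redirect_uri, state, nonce):
    """Authorization request from the slide, plus state and nonce that the
    relying party stores in the browser session before redirecting."""
    params = {"client_id": client_id, "scope": "openid profile",
              "redirect_uri": redirect_uri, "response_type": "id_token",
              "response_mode": "form_post", "state": state, "nonce": nonce}
    return f"{authority}/authorize?{urlencode(params)}"

def mint_hs256(claims: dict, key: bytes) -> str:
    """Constructed stand-in for the token service: header.claims.signature."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def validate_id_token(token, key, issuer, audience, nonce, now=None):
    """Checks the /callback handler must run on the posted id_token.
    Returns the claims on success, None on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, c, s = parts
    try:
        header = json.loads(b64url_decode(h))
        # Pin the algorithm: never let the header choose it, never accept "none".
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(c))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    if claims.get("nonce") != nonce:   # ties the token to this login attempt
        return None
    return claims
```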

Slide 15

Slide 15 text

2. Native Client to Web API
Native app → Web API: OAuth 2.0

Slide 16

Slide 16 text

Native Client to Web API: OAuth 2.0 auth code grant, public client
Parties: NativeApp (ADAL), ADFS / AAD (authorize endpoint, token endpoint), WebAPI (Katana)
NativeApp service principal: Client ID, Redirect URI
WebAPI service principal: App ID URI
1. Request authorization code (authorize endpoint)
2. Sign in (user sees web pop-up …)
3. Return authorization code to Redirect URI

Slide 17

Slide 17 text

Authorization Code Request/Response

    GET https://login/adfs/oauth2/authorize
      ?response_type=code
      &resource=https://myservice
      &client_id=fb715b0e-3ca9-45b8-9928-2329a776b42d
      &redirect_uri=http://myclient/

    << Stuff happens here to sign the user in... >>

    302 Found http://myclient/
      ?code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGCXIY6dQcQ-_cqhsBff…

Slide 18

Slide 18 text

Authentication Methods
• Web-based name/password
• 2FA
• Kerberos (ADFS)
• Client certificates (ADFS)

Slide 19

Slide 19 text

Native Client to Web API: OAuth 2.0 auth code grant, public client (continued)
Parties: NativeApp (ADAL), ADFS / AAD (authorize endpoint, token endpoint), WebAPI (Katana)
NativeApp service principal: Client ID, Redirect URI
WebAPI service principal: App ID URI
4. Redeem authorization code (token endpoint)
5. Return access token, refresh token
6. Send access token in Authorization header to WebAPI

Slide 20

Slide 20 text

Token Request/Response

    POST https://login/adfs/oauth2/token
      grant_type=authorization_code
      &code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGCXIY6dQcQ_cqhsBffHFnGbeQHcm…
      &client_id=fb715b0e-3ca9-45b8-9928-2329a776b42d
      &redirect_uri=http://myclient/
      &resource=https://myservice

    200 OK
    {"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5…",
     "token_type":"Bearer",
     "expires_in":"3599",
     "refresh_token":"AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMqzyrQrqeeZzKzwN…",

Slide 21

Slide 21 text

Example AAD JWT Access Token (shortened)

    {
      "typ": "JWT", "alg": "RS256", "x5t": "NGTFvdK-fythEuLwjpwAJOM9n-A"
    }.
    {
      "aud": "http://myService",
      "iss": "https://sts.windows.net/81aabdd2-3682-48fd-9efa-2cb2fcea8557/",
      "iat": 1396468289,
      "nbf": 1396468289,
      "exp": 1396472189,
      "ver": "1.0",
      "tid": "81aabdd2-3682-48fd-9efa-2cb2fcea8557",
      "oid": "b3809430-6c28-4e43-870d-fa7d38636dcd",
      "upn": "[email protected]",
      "sub": "vl4OHydFcvAhqoncJsINb8E6KaAEzJH2D5iKKnZZy-A",
      "family_name": "Baier",
      "given_name": "Dominick",
      "appid": "fb715b0e-3ca9-45b8-9928-2329a776b42d",
    }

http://jwt.io/

Slide 22

Slide 22 text

ADAL – Active Directory Authentication Library
Open source client library for:
• Desktop .NET
• Windows RT
• Windows Phone
• iOS/Android native
• iOS/Android Xamarin
https://github.com/AzureAD

Slide 23

Slide 23 text

Token Lifetime Management
• ADAL supports token caching (extensible)
• Token renewal via existing logon session
• Refresh tokens

Slide 24

Slide 24 text

Native Client to Web API: Refresh Tokens
Parties: NativeApp (ADAL), ADFS / AAD (authorize endpoint, token endpoint), WebAPI (Katana)
NativeApp service principal: Client ID, Redirect URI
WebAPI service principal: App ID URI
1. Call WebAPI (access token in AuthZ header)
2. Access token has expired
3. Request new access token with refresh token (token endpoint)
4. Return access token, refresh token
5. Call web API with access token in AuthZ header
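Added example, not code from the deck or from ADAL: a hypothetical client-side token cache in the style slides 23 and 24 describe, keyed by resource (App ID URI), that renews the access token with the refresh token before it expires and always sends a live token in the AuthZ header. The token endpoint is modelled as a callable returning the JSON fields of the slide 20 response (access_token, expires_in, refresh_token); the skew and the TokenCache/authz_header names are assumptions.

```python
import time

class TokenCache:
    """Hypothetical client-side cache: one entry per resource (App ID URI),
    renewed with the refresh token when the access token is about to expire."""

    def __init__(self, token_endpoint, client_id, skew=60):
        # token_endpoint: callable(form: dict) -> dict with the fields of the
        # token response on slide 20 (access_token, expires_in, refresh_token).
        self.token_endpoint = token_endpoint
        self.client_id = client_id
        self.skew = skew          # renew this many seconds before expiry
        self.entries = {}

    def store(self, resource, response, now=None):
        now = time.time() if now is None else now
        self.entries[resource] = {
            "access_token": response["access_token"],
            "refresh_token": response.get("refresh_token"),
            # expires_in arrives as the string "3599" in the slide's response
            "expires_at": now + int(response["expires_in"]),
        }

    def access_token(self, resource, now=None):
        now = time.time() if now is None else now
        entry = self.entries.get(resource)
        if entry is None:
            raise LookupError("no token cached: run the auth code flow first")
        if now < entry["expires_at"] - self.skew:
            return entry["access_token"]
        if not entry["refresh_token"]:
            raise LookupError("token expired and no refresh token: sign in again")
        # Steps 3-4 of the slide: redeem the refresh token at the token endpoint.
        fresh = self.token_endpoint({"grant_type": "refresh_token",
                                     "refresh_token": entry["refresh_token"],
                                     "client_id": self.client_id,
                                     "resource": resource})
        self.store(resource, fresh, now)   # new refresh token replaces the old
        return fresh["access_token"]

def authz_header(cache, resource, now=None):
    """Steps 1 and 5 of the slide: the header the native app sends to the web API."""
    return {"Authorization": "Bearer " + cache.access_token(resource, now)}
```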

Slide 25

Slide 25 text

What about SPAs?
• Brand new ADAL.js library (preview)
• Familiar programming interface, AngularJS support
• Support for OAuth2 "Implicit Flow": simplified flow, no server back-end required
• Currently AAD only
http://www.cloudidentity.com/blog/2014/10/28/adal-javascript-and-angularjs-deep-dive/

Slide 26

Slide 26 text

3. Web Application to Web API
Browser → Web application → Web API

Slide 27

Slide 27 text

Options
• Web app calls Web API using its own identity
  – Trusted subsystem design
  – OAuth2 client credential flow or code flow
• Web app calls Web API using the user's identity
  – OpenID Connect and/or OAuth2 code flow

Slide 28

Slide 28 text

Web App to Web API: OAuth 2.0 client credentials
Parties: Browser, WebApp (Katana, ADAL), AAD (authorize endpoint, token endpoint), WebAPI (Katana)
Service principals: NativeApp SP (Client ID, Credential*), WebAPI SP (App ID URI)
1. Signed in, using the web app…
2. Request token (Client ID, Credential, App ID URI)
3. Return access token
4. Call web API with access token in AuthZ header

* The application's credential can be a password, or it can be an assertion (a JWT token) signed with a private key.

Slide 29

Slide 29 text

Web App to Web API: Delegation with OpenID Connect
Parties: Browser, WebApp (Katana, ADAL), AAD (authorize endpoint, token endpoint), WebAPI (Katana)
Service principals: NativeApp SP (Client ID, Credential), WebAPI SP (App ID URI)
1. Navigate to site
2. Redirect to sign in and request auth code (Client ID, Redirect URI)
3. Sign in (might require user consent)
4. Return ID token and auth code to Redirect URI
6. Set session

Slide 30

Slide 30 text

Web App to Web API: Delegation with OpenID Connect (continued)
Parties: Browser, WebApp (WIF / OWIN Katana, ADAL), AAD (authorize endpoint, token endpoint), WebAPI (Katana)
Service principals: NativeApp SP (Client ID, Credential), WebAPI SP (App ID URI)
7. Request access token (token endpoint)
8. Return access token, refresh token
9. Call web API with access token in AuthZ header

Slide 31

Slide 31 text

B2B vs B2C
• AD traditionally geared towards corporate identities
• ADFS & AAD are protocol / infrastructure extensions
• What about customer identities & applications?
• Where to store identities?
• What about social logins?

Slide 32

Slide 32 text

B2B & B2C Hybrid Architecture
• ADFS
• AAD
• Customer accounts: Thinktecture IdentityServer
https://github.com/thinktecture/Thinktecture.IdentityServer.v3

Slide 33

Slide 33 text

Feature Matrix (non exhaustive)

Feature                  | ADFS (2012R2)          | Azure AD | IdentityServer v3
-------------------------|------------------------|----------|------------------
Type                     | Domain joined          | SaaS     | Standalone
WS-Federation            | yes                    | yes      | yes
WS-Trust                 | yes                    | no       | no
OAuth2 Code Flow         | yes                    | yes      | yes
Resource Owner Flow      | no                     | yes      | yes
Implicit Flow            | no                     | yes      | yes
Client Credentials Flow  | no                     | yes      | yes
Social Logins            | no                     | no       | yes
OpenID Connect           | no                     | yes      | yes
Saml2p                   | yes                    | yes      | no
Price Model              | Part of Windows Server | Freemium | Free (OSS)

http://blogs.technet.com/b/ad/archive/2014/09/15/azure-active-directory-basic-is-now-ga.aspx

Slide 34

Slide 34 text

© 2014 Microsoft Corporation. All rights reserved. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Thank you
[email protected]
http://leastprivilege.com
@leastprivilege