Azure AD B2C: Application Security Made Easy

Transcript

1. Application Security Azure AD B2C Made Easy

2. About me @SjoukjeZaal https://www.sjoukjezaal.com Sjoukje Zaal Managing Consultant / Azure

   MVP

3. © 2019 Sjoukje Zaal Application Code Demo Flows & Policies

   Demos Identity Providers Demo Customize the UI Demo Step 05 Step 04 Step 03 What & Why Scenario Step 02 Step 01 Agenda

4. © 2019 Sjoukje Zaal What is Azure Active Directory B2C

   Azure Active Directory B2C is a customer identity access management (CIAM) solution. It takes care of the scaling and safety of the authentication platform, monitoring and automatically handles threats.

5. © 2019 Sjoukje Zaal Reliable Integration Secure Highly available Why

   use Azure AD B2C

6. © 2019 Sjoukje Zaal z 8 6 ( Azure AD

   B2C key capabilities 01 Step 02 Step 03 Step 04 Step Standard based authentication OpenID Connect, OAuth 2.0, and SAML Single Sign On With most modern apps Custom branded Customize the user experience Multiple identities Social, enterprise, or local

7. © 2019 Sjoukje Zaal Simple & Secure Minimal application code

   Easy to maintain Enterprise grade security features Flexible Multiple identity providers .NET, iOS, and Android Open standards Benefits for developers

8. © 2019 Sjoukje Zaal Identity providers User interaction Security Default

   Authentication Providers Social Media Identity Providers Custom Identity Providers Sign up / sign in Edit profiles Single Sign On Multi-factor authentication Features

9. © 2019 Sjoukje Zaal Scenario Contoso developed a cloud native

   To-do application which is deployed in Azure. This application is used globally. Contoso has no current identity solution For simplicity, customers of this application need to be able to securely login using their social media credentials. There also should be the option to create an account using an username and password. Contoso wants to use MFA for an extra layer of security. Contoso wants to keep a database with certain customer information for future marketing activities.

10. © 2019 Sjoukje Zaal Web app MVC App for registering

    to-do items Calls Web API Requests Access tokens from Web API Tasks web API Performs CRUD operations Scoped based access control To-do application parts

11. © 2019 Sjoukje Zaal Demo Registering the application

12. © 2019 Sjoukje Zaal Registered the Tasks demo Web API

    Published a read/write scope Added values to web.config files Copied the application IDs from both apps Generated and copied the client secret Registered the demo web app Granted the read and write permissions to the demo web app Step 1 Demo summary Step 2 Step 3 Step 4 Step 5

13. © 2019 Sjoukje Zaal Open Application code Open standards Open

    ID Connect OAuth 2.0 MSAL Microsoft Authentication Library Secure &

14. © 2019 Sjoukje Zaal Demo Application code

15. © 2019 Sjoukje Zaal OWIN libraries Executed the application MSAL

    Step 1 Demo summary Step 2 Step 3

16. © 2019 Sjoukje Zaal x t x b Predefined Reusable

    Custom Attributes Is triggered by the application Flows A primary resource in Azure AD B2C

17. © 2019 Sjoukje Zaal 001 Option 002 Option 003 Option

    004 Option Profile edit MFA Multi-Factor Authentication Sign in / sign up with local or social accounts Self-service password reset When to use flows Y

18. © 2019 Sjoukje Zaal Demo Create a user flow

19. © 2019 Sjoukje Zaal Created a new user flow Selected

    the included fields and returned claims Selected the Identity Provider to enable the flow Step 1 Demo summary Step 2 Step 3

20. © 2019 Sjoukje Zaal x t x b Configuration files

    + custom code Identity Experience Framework XML Standards- based OAuth 2.0, OIDC, SAML Custom policies

21. © 2019 Sjoukje Zaal 001 Option 002 Option 003 Option

    004 Option Use a user store outside Azure AD B2C Validate user provided information with a trusted system by using an API Send a welcome email using your own email service provider Provision a user account in another system at the time of registration When to use custom policies Y

22. © 2019 Sjoukje Zaal Base file Extension file Starter pack

    Relying party files Custom policy artifacts

23. © 2019 Sjoukje Zaal User clicks sign up button application

    B2C endpoint reached Orchestration step 1 Choose an identity provider Orchestration step 2 Gather registration info (e.g. address). Precondition step, can be skipped Orchestration step 3 Verify email, gather preference data. Here, we are going to store user records in Azure Table Storage. Token issued User journeys and orchestration steps

24. © 2019 Sjoukje Zaal Azure Table Storage Storage account Azure

    Function Policy artifacts Demo artifacts

25. © 2019 Sjoukje Zaal Demo Create a custom policy

26. © 2019 Sjoukje Zaal Created a Table Storage account Uploaded

    and tested the custom policy Created the custom policy derived from the starter package Created an Azure Function Created a signing and encryption key Step 1 Demo summary Step 2 Step 3 Step 4 Step 5

27. © 2019 Sjoukje Zaal x t x b Authentication Service

    Security tokens Out-of-the-box providers Client ID & secret Identity providers

28. © 2019 Sjoukje Zaal Demo Configuring an identity provider

29. © 2019 Sjoukje Zaal Registered a new Identity Provider in

    Azure B2C Tested the user flow from the Azure B2C tenant Enabled the Identity Provider in the user flow Added the client id and client secret to the identity provider Step 1 Demo summary Step 2 Step 3 Step 4

30. © 2019 Sjoukje Zaal Merges UI with HTML CORS Visual

    consistency Customize look & feel Page UI customization feature

31. © 2019 Sjoukje Zaal Demo Customize the UI

32. © 2019 Sjoukje Zaal Created a storage account and blob

    container Tested the user flow Updated the user flow Created & uploaded a custom HTML/CSS file Enabled CORS Step 1 Demo summary Step 2 Step 3 Step 4 Step 5

33. © 2019 Sjoukje Zaal 01 02 03 04 05 Not

    Azure AD B2B Apps can be hosted everywhere Migrate with Azure AD Graph API Reporting and Monitoring Language customization b C s h G Wrap up Key takeaways

34. ? any Are there questions?