About the Book
Build advanced authentication solutions for any cloud or web environment
Active Directory has been transformed to reflect the cloud revolution, modern protocols, and today’s newest SaaS paradigms. This is an authoritative, deep-dive guide to building Active Directory authentication solutions for these new environments. Author Vittorio Bertocci drove these technologies from initial concept to general availability, playing key roles in everything from technical design to documentation. In this book, he delivers comprehensive guidance for building complete solutions. For each app type, Bertocci presents high-level scenarios and quick implementation steps, illuminates key concepts in greater depth, and helps you refine your solution to improve performance and reliability. He helps you make sense of highly abstract architectural diagrams and nitty-gritty protocol and implementation details. This is the book for people motivated to become experts.
Active Directory Program Manager Vittorio Bertocci shows you how to:
- Address authentication challenges in the cloud or on-premises
- Systematically protect apps with Azure AD and AD Federation Services
- Power sign-in flows with OpenID Connect, Azure AD, and AD libraries
- Make the most of OpenID Connect’s middleware and supporting classes
- Work with the Azure AD representation of apps and their relationships
- Provide fine-grained app access control via roles, groups, and permissions
- Consume and expose Web APIs protected by Azure AD
- Understand new authentication protocols without reading complex spec documents
Table of Contents:
Foreword xi
Introduction xiii
Chapter 1: Your first Active Directory app 1
The sample application 1
Prerequisites 1
Microsoft Azure subscription 2
Visual Studio 2015 2
Creating the application 3
Running the application. 4
ClaimsPrincipal: How .NET represents the caller 7
Summary 10
Chapter 2: Identity protocols and application types 11
Pre-claims authentication techniques 12
Passwords, profile stores, and individual applications 12
Domains, integrated authentication, and applications on an intranet 14
Claims-based identity 17
Identity providers: DCs for the Internet 17
Tokens 18
Trust and claims 20
Claims-oriented protocols 20
Round-trip web apps, first-generation protocols 23
The problem of cross-domain single sign-on 23
SAML 25
WS-Federation 27
Modern apps, modern protocols 31
The rise of the programmable web and the problem of access delegation 32
OAuth2 and web applications 33
Layering web sign-in on OAuth 37
OpenID Connect 39
More API consumption scenarios 44
Single-page applications 45
Leveraging web investments in native clients 47
Summary 49
Chapter 3: Introducing Azure Active Directory and Active Directory Federation Services 51
Active Directory Federation Services 52
ADFS and development 53
Getting ADFS 54
Protocols support 55
Azure Active Directory: Identity as a service 56
Azure AD and development 60
Getting Azure Active Directory 61
Azure AD for developers: Components 63
Notable nondeveloper features 65
Summary 67
Chapter 4: Introducing the identity developer libraries 69
Token requestors and resource protectors 69
Token requestors 70
Resource protectors 73
Hybrids 74
The Azure AD libraries landscape 75
Token requestors 76
Resource protectors 81
Hybrids 85
Visual Studio integration 85
AD integration features in Visual Studio 2013 86
AD integration features in Visual Studio 2015 86
Summary 87
Chapter 5: Getting started with web sign-on and Active Directory 89
The web app you build in this chapter 89
Prerequisites 90
Steps 90
The starting project 90
NuGet packages references 92
Registering the app in Azure AD 93
OpenID Connect initialization code 95
Host the OWIN pipeline 95
Initialize the cookie and OpenID Connect middlewares 96
[Authorize], claims, and first run 97
Adding a trigger for authentication 97
Showing some claims 98
Running the app 99
Quick recap 99
Sign-in and sign-out 99
Sign-in logic 100
Sign-out logic 101
The sign-in and sign-out UI 102
Running the app 103
Using ADFS as an identity provider 103
Summary 105
Chapter 6: OpenID Connect and Azure AD web sign-on 107
The protocol and its specifications 107
OpenID Connect Core 1.0 108
OpenID Connect Discovery 108
OAuth 2.0 Multiple Response Type, OAuth2 Form Post Response Mode 109
OpenID Connection Session Management 109
Other OpenID Connect specifications 109
Supporting specifications 109
OpenID Connect exchanges signing in with Azure AD 110
Capturing a trace 110
Authentication request 113
Discovery 119
Authentication 122
Response 123
Sign-in sequence diagram 126
The ID token and the JWT format 127
OpenID Connect exchanges for signing out from the app and Azure AD 134
Summary 136
Chapter 7: The OWIN OpenID Connect middleware 137
OWIN and Katana 137
What is OWIN? 137
Katana 139
OpenID Connect middleware 155
OpenIdConnectAuthenticationOptions 155
Notifications 159
TokenValidationParameters 167
Valid values 168
Validation flags 169
Validators 169
Miscellany 170
More on sessions 171
Summary 172
Chapter 8: Azure Active Directory application model 173
The building blocks: Application and ServicePrincipal 174
The Application 177
The ServicePrincipal object 187
Consent and delegated permissions 189
Application created by a nonadmin user 189
Interlude: Delegated permissions to access the directory 192
Application requesting admin-level permissions 197
Admin consent 200
Application created by an admin user 204
Multitenancy 205
App user assignment, app permissions, and app roles 211
App user assignment 211
App roles 213
Application permissions 216
Groups 219
Summary 221
Chapter 9: Consuming and exposing a web API protected by Azure Active Directory 223
Consuming a web API from a web application 223
Redeeming an authorization code in the OpenID Connect hybrid flow 224
Using the access token for invoking a web API 232
Other ways of getting access tokens 251
Exposing a protected web API 253
Setting up a web API project 253
Handling web API calls 258
Exposing both a web UX and a web API from the same Visual Studio project 265
A web API calling another API: Flowing the identity of the caller and using “on behalf of” 266
Protecting a web API with ADFS “3” 271
Summary 272
Chapter 10: Active Directory Federation Services in Windows Server 2016 Technical Preview 3 273
Setup (for developers) 273
The new management UX 274
Web sign-on with OpenID Connect and ADFS 276
OpenID Connect middleware and ADFS 276
Setting up a web app in ADFS 277
Testing the web sign-on feature 280
Protecting a web API with ADFS and invoking it from a web app 281
Setting up a web API in ADFS 281
Code for obtaining an access token from ADFS and invoking a web API 285
Testing the web API invocation feature 288
Additional settings 289
Summary 292
Appendix: Further reading 293
Index 295
About the Author :
Vittorio Bertocci is principal program manager on the Azure Active Directory team, where he works on the developer experience: Active Directory Authentication Library (ADAL), OpenID Connect and OAuth2 OWIN components in ASP.NET, Azure AD integration in various Visual Studio work streams, and other things he can’t tell you about (yet). Vittorio joined the product team after years as a virtual member in his role as principal architect evangelist, during which time he contributed to the inception and launch of Microsoft’s claims-based platform components (Windows Identity Foundation, ADFS 2.0) and owned SaaS and identity evangelism for the .NET developers community.
Vittorio holds a Master's degree in computer science and began his career doing research on computational geometry and scientific visualization. In 2001 he joined Microsoft Italy, where he focused on the .NET platform and the nascent field of web services security, becoming a recognized expert at the national and European level.
Vittorio is easy to spot at conferences. He has spoken about identity in 23 countries on four continents, from keynote addresses to one-on-one meetings with customers. Vittorio is a regular speaker at Ignite, Build, Microsoft PDC, TechEd (US, Europe, Australia, New Zealand, Japan), TechDays, Gartner Summit, European Identity Conference, IDWorld, OreDev, NDC, IASA, Basta, and many others. At the moment his Channel 9 speaker page at https://channel9.msdn.com/events/speakers/vittorio-bertocci lists 44 recordings.
Vittorio is a published author, both in the academic and industry worlds, and has written many articles and papers. He is the author of Programming Windows Identity Foundation (Microsoft Press, 2010) and coauthor of "A Guide to Claims-Based Identity and Access Control" (Microsoft patterns & practices, 2010) and Understanding Windows Cardspace (Addison-Wesley, 2008). He is a prominent authority and blogger on identity, Azure, .NET development, and related topics: he shares his thoughts at www.cloudidentity.com and via his twitter feed, http://www.twitter.com/vibronet.
Vittorio lives in the lush green of Redmond with his wife, Iwona. He doesn’t mind the gray skies too much, but every time he has half a chance, he flies to some place on the beach, be it the South Pacific or Camogli, his home town in Italy.
