Securing Windows Store applications and REST services with Active Directory


Securing Windows Store applications and REST services with Active Directory
Vittorio Bertocci - @vibronet
Principal Program Manager
3-518

Building a Modern Business App

(diagram: an App accessing Resources)

• Access resources outside of the corporate network.
• Handle authentication and session mechanics.
• Apply access policies on non-domain joined devices.

Tackle those, and you’ve got yourself a nice business app.

Checklist

Access resources outside of the corporate network

REST, OAuth2

(diagram: OAuth2 flow between the App, the Resource and the authorization server with its authorization endpoint and token endpoint)

Windows Azure Active Directory

(diagram: Contoso's On-Premises Directory synchronised by DirSync into Contoso's tenant in Windows Azure Active Directory; the tenant is labelled SAML-P, WS-Federation, Metadata, OAuth2, Management Portal and Graph API)

Registration
• Today - via Graph Explorer
• Soon - via Windows Azure Portal

Clients and Resources in Windows Azure AD

(diagram: App and Resource pairs registered in Windows Azure AD)

Demo

ADFS in Windows Server 2012 R2

• New! OAuth2 code grant
• Resources represented as classic Relying Party Trust entries
• Clients registered via PowerShell (no permission table entry necessary)
• Support for JWT format
• New! Registered devices authentication (more details later in the session)
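As an added example (not code from the deck), this is how the registration the slide describes can be done with the ADFS PowerShell module on Windows Server 2012 R2: the Windows Store app becomes an OAuth2 client and the REST service a Relying Party Trust. The client id, app name and ms-app:// redirect URI are placeholders; the resource identifier is the one the deck uses later.

```powershell
# Added example: register the Windows Store app as an OAuth2 public client (ADFS 2012 R2
# has no client secrets) and the REST service as a classic Relying Party Trust.
# Placeholder values: replace the client id and the ms-app:// redirect URI with your app's.
$clientId    = "11111111-2222-3333-4444-555555555555"   # placeholder GUID
$redirectUri = "ms-app://s-1-15-2-PLACEHOLDER-PACKAGE-SID/"
$resourceId  = "http://host.com/shipmentservice"        # identifier the app requests a token for

# 1. Client registration. ADFS only honours code-grant requests whose client_id and
#    redirect_uri match this entry, so keep the redirect URI exact; unlike Windows Azure AD,
#    no permission table entry is needed.
Add-AdfsClient -Name "Contoso Shipment Store App" -ClientId $clientId -RedirectUri $redirectUri

# 2. The resource: a Relying Party Trust whose identifier equals the OAuth2 "resource" value.
#    Only explicitly issued claims end up in the JWT, so pass the UPN through; access is
#    denied unless an authorization rule issues a permit claim.
$transform = @'
@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@
$authz = @'
@RuleName = "Permit all authenticated users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Add-AdfsRelyingPartyTrust -Name "Shipment Service" -Identifier $resourceId `
    -IssuanceTransformRules $transform -IssuanceAuthorizationRules $authz

# Verify both entries exist before testing the app
Get-AdfsClient -Name "Contoso Shipment Store App"
Get-AdfsRelyingPartyTrust -Name "Shipment Service"
```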

Demo

Access resources outside of the corporate network. Use OAuth2.
• Register client app and resources in Active Directory
• Get and use access tokens

Handle authentication and session mechanics.
Apply access policies on non-domain joined devices.

Tackle those, and you've got yourself a nice business app.

Checklist

Handle authentication and session mechanics

Windows Azure Authentication Library (AAL)
Helps developers add authentication capabilities to rich client apps:
• User authentication experience
• Obtaining tokens
• Token lifecycle management (caching, automatic token refresh, etc.)
• Assisted authority discovery
Works with both Windows Azure AD and Windows Server 2012 R2 ADFS.
Ships out of band as a NuGet package; .NET and Windows Store in developer preview
• details here
• download from VS2012 or here

AAL is a Windows Runtime Component

(diagram: the Windows Azure Authentication Library for Windows Store ships as a .WINMD on top of the Windows Runtime (WinRT) and the OS at the system layer; C# and JS/HTML5 Windows Store apps call it from the application layer)

Essential AAL Usage (C#)

// Authenticate the user to get a token
// clientID is the id of the client app as registered in Active Directory
AuthenticationContext aCtx = new AuthenticationContext("https://login.windows.net/contoso.onmicrosoft.com");
AuthenticationResult result = await aCtx.AcquireTokenAsync("http://host.com/shipmentservice", clientID);

// Use the token to invoke a REST service
HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
//...

Demo

Notes on User Experience
• AAL wraps the WebAuthenticationBroker API in WinRT
• New in Windows 8.1: built-in account selection experience
• See Karanbir's session later today (3-113)

Demo

AAL for Windows Store offers a persistent token cache

AAL cache entry
• Key: Authority, ClientID, Resource, User
• Value: AccessToken, RefreshToken, Expiration

AAL cache lookup (flowchart) for a request keyed by [authority], resource, clientid, user:
1. Matching cache entry? NO: prompt the user via WebAuthenticationBroker (step 4).
2. YES: valid access token? YES: return the cache entry.
3. NO: refresh token? YES: use the refresh token to refresh the access token. Success? YES: replace the cache entry and return it. NO (or no refresh token): prompt the user (step 4).
4. Prompt the user via WebAuthenticationBroker. Success? YES: cache the access token, refresh token and validity, then return. NO: return error info.

Access resources outside of the corporate network. Use OAuth2.
• Register client app and resources in Active Directory
• Get and use access tokens

Handle authentication and session mechanics. Use the Windows Azure Authentication Library.
Apply access policies on non-domain joined devices.

Tackle those, and you've got yourself a nice business app.

Checklist

Apply access policies on non-domain joined devices

Workplace-join in Windows 8.1
Especially useful for:
• user-owned devices
• devices incapable of joining a domain
Allows administrators to apply access control policies in a wide range of scenarios. Workplace-join ability is available directly in Windows 8.1.

Workplace Join Mechanics


IT can publish access to corporate resources with the Web Application Proxy based on device awareness and the user's identity. Multi-factor authentication can be used through Windows Azure Active Authentication.

Users can register BYO devices for single sign-on and access to corporate data with Workplace Join. As part of this, a certificate is installed on the device.

Users can enroll devices, which configures the device for management with Windows Intune. The user can then use the Company Portal for easy access to corporate applications.

As part of the registration process, a new device object is created in Active Directory, establishing a link between the user and their device.

Data from Windows Intune is synchronised with Configuration Manager, which provides unified management across both on-premises and the cloud.

On the client
• Ensure your app manifest has the right capabilities
• WebAuthenticationBroker should be invoked in SSO mode
• In AAL: you should use the AcquireTokenAsync(resource, clientid) overload

In ADFS
• Server-wide: enable device authentication
• Per-RP: add device-related issuance authorization rules

Some constraints about how authentication should take place to apply device-aware access policies

Using Device Authentication Info to Drive Access
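The ADFS side of the two steps above, as an added example that is not part of the deck: it assumes the Device Registration Service is already configured and that "Shipment Service" is an existing Relying Party Trust name; the claim types are the standard ADFS 2012 R2 device-context and network-location claims.

```powershell
# Added example: make ADFS device-aware for one Relying Party Trust.
# Assumes the Device Registration Service is configured and the RP "Shipment Service" exists.

# Server-wide: let ADFS ask for the Workplace Join device certificate during authentication.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# Per-RP: issuance authorization rules. ADFS refuses the token unless a rule issues a permit
# claim, so a rule set that only permits registered devices denies everything else by default.
$rules = @'
@RuleName = "Permit workplace-joined devices"
c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Permit any device on the corporate network"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-AdfsRelyingPartyTrust -TargetName "Shipment Service" -IssuanceAuthorizationRules $rules

# Check the rules ADFS will evaluate for this RP
(Get-AdfsRelyingPartyTrust -Name "Shipment Service").IssuanceAuthorizationRules
```

A client that calls AcquireTokenAsync from an unregistered device off the corporate network now gets an authorization failure from ADFS rather than a token, which is the policy outcome the slide describes.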

Demo

Access resources outside of the corporate network. Use OAuth2.
• Register client app and resources in Active Directory
• Get and use access tokens

Handle authentication and session mechanics. Use the Windows Azure Authentication Library.
Apply access policies on non-domain joined devices. Use Windows 8.1 Workplace-join and ADFS rules.

Tackle those, and you've got yourself a nice business app.

Checklist

In summary

All you need to build a great modern business app

(diagram: App, Resource and the Windows Azure Authentication Library)

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Evaluate this session

Scan this QR code to evaluate this session and be automatically entered in a drawing to win a prize!
