Azure Authentication via Active Directory
| Disadvantage of Active Directory If a company has use the Active Directory of the authentication and the personals are allowed to do home office, therefore they need to use VPN Connection to authenticate to the company’s Active Directory. This isn’t so secure. |
Manage and authentication for mobile and modern devices
Classic active directory cannot manage modern devices with the following features:
- Group policies
- Kerberos or NTLM (works poorly)
- Session based security
What can help us to manage the modern devices:
- Mobile device management
- OpenID connect and OAuth
- Access token and refresh token
Forms-based Authentication
Protocols
WS-Federation
It’s a redírect-based flow. we go to a site and site says we are anonymous, and it redirects us to a authentication provider.
The user can pick an authentication provider and we provide the credential and then we get SAML post back.
SAML looks like XML and it contains what they call a SAML assertion and that establish your identity.
SAMLp
More flexible and supports more structured way to do SAML, more attributes.
OpenID Connect
OpenID Connect & OAuth are not synonymous.
OAuth is about a delegation protocol. For example I say, I’m allowing you to access my application if you match certain criteria. In this case I don’t know about the identity but if you have brown eyes and brown hairs, you are allowed to work with my software.
OpenID Connect says that you have to have minimum set of protocols that also establish your identity. OpenID is not only for web / mobile application. It can be applied to anything.
The following figure demonstrates the OpenID Connect usage for Web Application.
Insert photo here!
Single Page Application
Single Page Application is typically written in JavaScript (OAuth 2.0 Implicit Flow). Using OAuth 2.0 implicit flow and Single Page Application don’t have a secure way of storing long-lasting refresh token.
In OAuth 2.0 implicit flow, we assume that with closing the browser the user is logged out. Therefore OAuth 2.0 is suitable for Single Page Application.
Native Application
Like the applications running on a Mac OS, Linux OS or Windows OS, we use the Authorization Code Grant Flow. Here we have capability of storing long-lasting refresh tokens in a secure, encrypted manner offline.
Azure AD Authorization features
| Azure AD V1 endpoint | Authorization Code Grant Flow It has used authorization code grant flow for mobile apps and desktop applications as well. |
| Azure AD V2 endpoint | Authorization Code Grant Flow It prefers not to use authorization code grant flow for mobile app but only for desktop applications. Proof of key exchange (PKCE) flow It’s for mobile application. |
In practice’s Scenarios
| Web Browser talks to Web App It can be developed with WS-Federation, SAMLP, OpenID Connect. | Sigle Page Application talks to Web API It can be developed with OAuth to implicit flow, so ADAL.JS, MSAL.JS. | Native App talks to Wen API |
| Web Application talks to Web API It uses user credential delegated credentials, or using application’s identity. | Daemon If there’s no authentication opportunity. Daemon can call API registered in Azure AD. |
In practice Implementations
- Provision an Azure AD, Add new user
- Register your application
- Create a MVC Project with the following PowerShell code
- Perform authentication
Create a .Net core MVC project via the PowerShell.
# Create .NetCore MVC Project
$ProjectName="DotNetCorePipeline"
cd C:\YOUR PATH\AuthenticationForDevelopers
new-item -Name $ProjectName -ItemType directory
cd C:\YOUR PATH\AuthenticationForDevelopers\$ProjectName
dotnet new mvc --auth SingleOrg --client-id YOUR CLAINT ID --tenant-id YOUR TENANT ID --domain YOUR DOMAIN NAME --no-https
After creating the project go to project folder and open the project file in Visual Studio and run the project. [More Info about ID Tokens]
Business to Consumer (B2C)
for scenarios, in which the external users are the focus.
- Identities not known ahead time
- Social login may be required ( can be simple username, password authentication, with/without MFA) -> other identity provider like social accounts
- Custome user experience and brand promotion is important -> via collecting information from market
- Keep evrything secure and standard compliance.
In Practice
- Create a B2C Directory (it has two steps. First create a new one. Second assing to Subscription.)
- Register and configure an application
- Create an application that uses Azure AD B2C
Token-based authentication to SQL resources
SQL resources are the following SQL database, SQL warehouse and SQL server. The authentication is possible via AD.
Multi-Factor Authentication
Multi Cloud Solutions 