1602-Azure AD – “legacy” MS AD

Introduction

Main questions to answer

Two basic questions to answer:

TL;DR

MS AAD developer’s Guide

Documentation describing how to integrate with AAD.

https://azure.microsoft.com/en-us/documentation/articles/active-directory-developers-guide/ 

Protocols supported:

Azure Active Directory Graph API: Use the Azure Active Directory Graph API to programmatically access Azure Active Directory through REST API endpoints. Note that AAD Graph API is also accessible through Microsoft Graph, a unified API that enables access to multiple Microsoft cloud service APIs through a single REST API endpoint, and with a single access token.

Authentication protocols

SAML 2.0 protocol reference: The SAML 2.0 protocol enables applications to provide a single sign-on experience to their users.

OAuth 2.0 protocol reference: You can use the OAuth 2.0 protocol to authorize access to web applications and web APIs in your Azure Active Directory tenant.

OpenID Connect 1.0 protocol reference: The OpenID Connect 1.0 protocol extends OAuth 2.0 for use as an authentication protocol.

WS-Federation 1.2 protocol reference: The WS-Federation 1.2 protocol is specified in the Web Services Federation Version 1.2 Specification.

Supported token and claim types: You can use this guide to understand and evaluate the claims in the SAML 2.0 and JSON Web Tokens (JWT) tokens.

But according to later video presentations, strategic protocols are OAuth and OpenID Connect.

Video Presentation: Product orientation / direction IDaaS

What

https://azure.microsoft.com/en-us/documentation/videos/build-2015-azure-active-directory-identity-management-as-a-service-for-modern-applications/ 

Stuart Kwan Principal Pgm Mgr

Legacy “As Is” AD vs AAD IDaaS

AD == “Active Directory”

AAD == “Azure Active Directory”

Functional improvements, advantages of moving to cloud AAD:

Benefits of AAD integration

Security Monitoring by MS, alerts (premium) generated when:

Corporate cloud apps can be “single-tenant” i.e. for our company only.

MS is still architecting / building AAD. Eg

AD admin in organization that accepted the app can see:

Integrated function

MS has middleware libraries in major languages to do “heavy lifting” client-side e.g. verify token signing, refresh tokens.

AAD designed to handle AuthN in various places for “modern” apps architectures to preserve user’s identity across the full pipeline. Eg. Mobile app → docusign web app –> corporate Sharepoint →sign document → return document to Sharepoint

Strategic protocols / API support

Strategic protocols are:

API support

No LDAP support in AAD.

Rather MS Graph REST API with JSON or XML response. ODATA V3.0 and soon V4.0 compatible.

ADAL

Both client-side and server-side libraries to do these authentication flows

Server side support a bit thin.

Futures

Key Vault

IDaaS for Applications

Free level and consumption pricing

AAD Join


Video presentation: Developing Native applications

Introduction

https://azure.microsoft.com/documentation/videos/build-2015-develop-modern-native-applications-with-azure-active-directory/ 

Basically mobile orientation iOS / Android, but also Win

OAuth-A or OAuth-T only used in mobile applications.

Multi-refresh resource token (AAD-only extension)

Win 10 specifics

Win7

Win10

AAD one identity provider (if I understood correctly)

Universal App API runs across all devices

Could also use Win7-style app on Win10. In this case would use ADAL

ADAL

Available on many platforms eg .Net, Java, IOS, Android, NodeJS. Python coming.

Open Source https://github.com/AzureAD includes community contributions

Consistent primitives, native programming models.

Features

ADAL.NET for Desktop

Persistent cache / sandbox:

Xamarin

Run same C# code across various eg Mac, Android

Apache Cordova Plugin for ADAL


Video presentation: Developing Web applications with AAD

Web app architectures

Basic building blocks

To secure round-trip web apps:

Need to register the app.

Other comments

MS extension of OpenID (“OpenID Connect”) is complex:

Tokens are tied into specific web sites.

Protecting own API with AAD

Single Page Apps and AAD

(Fairly kludgy patch)