WIXLIB

spine .6388”Active Directory has been transformed to reflect the cloud revolution, modern protocols, and today’s newest SaaS paradigms. Thisis an authoritative, deep-dive guide to building Active Directoryauth en tication solutions for these new environments. Author VittorioBertocci drove these technologies from initial concept to generalavailability, playing key roles in everything from technical design todocumentation. In this book, he delivers comprehensive guidancefor building complete solutions. For each app type, Bertocci presentshigh-level scenarios and quick implementation steps, illuminateskey concepts in greater depth, and helps you refine your solutionto improve performance and reliability. He helps you make sense ofhighly abstract architectural diagrams and nitty-gritty protocol andimplementation details. This is the book for people motivated tobecome experts.Active Directory Program Manager Vittorio Bertoccishows you how to: Address authentication challenges in the cloud or on-premises Systematically protect apps with Azure AD and AD Federation Services Power sign-in flows with OpenID Connect, Azure AD, and AD libraries Make the most of OpenID Connect’s middleware and supportingclasses Work with the Azure AD representation of apps and theirrelationships Provide fine-grained app access control via roles, groups, andpermissions Consume and expose Web APIs protected by Azure AD Understand new authentication protocols without reading complexAbout This Book For architects, application designers,developer leads, and security consultants involved in authentication, accesscontrol, or personalization For security and protocol experts whowant to understand how Azure AD usesopen protocols to perform its functions For web developers and users of ASP.NETOWIN and the Active Directory Authentication Library (ADAL)About the AuthorVittorio Bertocci is a Microsoft PrincipalProgram Manager responsible for developer experience related to identity services, both on premises and in the cloud.As Architect Evangelist at Microsoft, hespent several years helping major enterprises build advanced identity solutionsbased on new Microsoft technologies.He frequently speaks at internationalevents such as TechEd, PDC, Build, andIgnite, and he blogs on identity topics at www.cloudidentity.com. His booksinclude Programming Windows IdentityFoundation.Get code samples, includingcomplete apps, at:http://aka.ms/modauth/filesBertoccispec documentsMicrosoftPressStore.comISBN 978-0-7356-9694-55 3 9 9 9Modern Authentication with AzureActive Directory for Web ApplicationsBuild advanced authentication solutions for anycloud or web environmentU.S.A. 39.99Canada 49.99ModernAuthentication withAzure Active Directoryfor Web ApplicationsForeword by Mark E. RussinovichChief Technology Officer, Microsoft AzureProfessionalModern Authentication with AzureActive Directory for Web Applications[Recommended]9780735 6969459780735696945 ModernAuth cover.indd 1Web developmentCelebrating over 30 years!Vittorio Bertocci11/30/2015 8:44:34 AM

Modern Authenticationwith Azure ActiveDirectory for WebApplicationsVittorio BertocciModernAuth PrintBook Final.indb i11/28/2015 11:39:41 AM

PUBLISHED BYMicrosoft PressA Division of Microsoft CorporationOne Microsoft WayRedmond, Washington 98052-6399Copyright 2016 by Vittorio Bertocci. All rights reserved.No part of the contents of this book may be reproduced or transmitted in any form or by any means withoutthe written permission of the publisher.Library of Congress Control Number: 2014954517ISBN: 978-0-7356-9694-5Printed and bound in the United States of America.First PrintingMicrosoft Press books are available through booksellers and distributors worldwide. If you need support relatedto this book, email Microsoft Press Support at mspinput@microsoft.com. Please tell us what you think of thisbook at http://aka.ms/tellpress.This book is provided “as-is” and expresses the author’s views and opinions. The views, opinions and informationexpressed in this book, including URL and other Internet website references, may change without notice.Some examples depicted herein are provided for illustration only and are fctitious. No real association orconnection is intended or should be inferred.Microsoft and the trademarks listed at www.microsoft.com on the “Trademarks” webpage are trademarks of theMicrosoft group of companies. All other marks are property of their respective owners.Acquisitions and Developmental Editor: Devon MusgraveProject Editor: John PierceEditorial Production: Rob Nance, John Pierce, and Carrie WicksCopyeditor: John PierceIndexer: Christina Yeager, Emerald Editorial ServicesCover: Twist Creative Seattle and Joel PanchotModernAuth PrintBook Final.indb ii11/28/2015 11:40:18 AM

Ai miei carissimi fratelli e sorelle: Mauro, Franco, Marino,Cristina, Ulderico, Maria, Laura, Guido e Mira—per avermifatto vedere il mondo attraverso altre nove paia d’occhi.ModernAuth PrintBook Final.indb iii11/28/2015 11:40:18 AM

ModernAuth PrintBook Final.indb iv11/28/2015 11:40:18 AM

ContentsForeword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiIntroduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiiiChapter 1Your first Active Directory app1The sample application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Microsoft Azure subscription . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2Visual Studio 2015 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2Creating the application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3Running the application. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4ClaimsPrincipal: How .NET represents the caller . . . . . . . . . . . . . . . . . . . . . . . 7Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Chapter 2Identity protocols and application types11Pre-claims authentication techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12Passwords, profile stores, and individual applications. . . . . . . . . . . .12Domains, integrated authentication, and applications on anintranet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Claims-based identity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Identity providers: DCs for the Internet . . . . . . . . . . . . . . . . . . . . . . . . 17Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Trust and claims . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20Claims-oriented protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20Round-trip web apps, first-generation protocols . . . . . . . . . . . . . . . . . . . . . 23The problem of cross-domain single sign-on . . . . . . . . . . . . . . . . . . . 23SAML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25WS-Federation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27Modern apps, modern protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31The rise of the programmable web and the problem of accessdelegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32vModernAuth PrintBook Final.indb v11/28/2015 11:40:18 AM

OAuth2 and web applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Layering web sign-in on OAuth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37OpenID Connect. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39More API consumption scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44Single-page applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Leveraging web investments in native clients . . . . . . . . . . . . . . . . . . . 47Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49Chapter 3Introducing Azure Active Directory and ActiveDirectory Federation Services51Active Directory Federation Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52ADFS and development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Getting ADFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54Protocols support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55Azure Active Directory: Identity as a service . . . . . . . . . . . . . . . . . . . . . . . . .56Azure AD and development. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60Getting Azure Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Azure AD for developers: Components . . . . . . . . . . . . . . . . . . . . . . . .63Notable nondeveloper features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67Chapter 4Introducing the identity developer libraries69Token requestors and resource protectors . . . . . . . . . . . . . . . . . . . . . . . . . . 69Token requestors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70Resource protectors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Hybrids . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74The Azure AD libraries landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75Token requestors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76Resource protectors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81Hybrids . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85Visual Studio integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85AD integration features in Visual Studio 2013 . . . . . . . . . . . . . . . . . .86AD integration features in Visual Studio 2015 . . . . . . . . . . . . . . . . . .86Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87viContentsModernAuth PrintBook Final.indb vi11/28/2015 11:40:18 AM