■
■ Objective 5.2: Configure a virtual network
■
■ Objective 5.3: Modify network configuration
■
■ Objective 5.4: Design and implement a communication strategy
■
■ Objective 5.5: Monitor communication
■
■ Objective 5.6: Implement caching
Objective 5.1: Integrate an app with Azure Active Directory
Azure Active Directory (Azure AD) provides a cloud-based identity management service for application authentication, Single Sign-On (SSO), and user management. Azure AD can be used for the following core scenarios:
■
■ A standalone cloud directory service
■
■ Corporate access to Software-as-a-Service (SaaS) applications with directory synchronization
■
■ SSO between corporate and SaaS applications
■
■ Application integration for SaaS applications using a number of protocols
■
■ User management through a Graph API
In this section, you learn about the protocols used to set up your directory; how to integrate applications with Azure AD, including WS-Federation, SAML-P, and OAuth; and how to query the user directory with the Graph API.
MORE INFO AZURE AD DOCUMENTATION
You can find the Azure AD documentation at http://azure.microsoft.com/en-us/
documentation/services/active-directory/.
This objective covers how to:
■
■ Create a directory
■
■ Manage users
■
■ Integrate applications
■
■ Query the directory using the Graph API
Creating a directory
MORE INFO USING WINDOWS POWERSHELL TO MANAGE AZURE AD
You might want to manage some aspects of Azure AD with Windows PowerShell. For ex- ample to initialize the deployment, you would create applications, permissions, users, and groups. For more information, see http://msdn.microsoft.com/library/azure/jj151815.aspx.
Creating a directory (existing portal)
To create a directory using the management portal, follow these steps:
1. Navigate to the management portal accessed via https://manage.windowsazure.com.
2. Click New on the command bar, and select New, App Services, Active Directory, Directory, Custom Create.
3. In the Add Directory dialog box that opens (see Figure 5-1), make sure Create New Directory is selected from the drop-down list, supply a name and domain name for the directory, and select your region.
FIGURE 5-1 The Add Directory dialog box
Objective 5.1: Integrate an app with Azure Active Directory CHAPTER 5 315 4. Click the check mark to close the dialog box and to create the directory. This might
take a few minutes.
Creating a directory (Preview portal)
At the time of this writing, the Preview portal does not support any Azure AD features.
Managing users
You can provision users in your Azure AD directory a number of ways:
■
■ Create, edit, and delete users from the management portal
■
■ Use the Graph API to manage users in your directory
■
■ Sync users from an existing Windows Server Active Directory
NOTE AZURE AD CONNECT
Azure Active Directory Connect (Azure AD Connect) is currently in preview and includes features that were previously released as DirSync and Azure AD Sync.
MORE INFO DIRECTORY INTEGRATION
For additional information on directory integration, Azure AD Sync, and Azure AD Connect see http://msdn.microsoft.com/en-us/library/azure/jj573653.aspx.
Creating users (existing portal)
You can create new users from the existing portal by following these steps:
1. Navigate to the directory from the management portal accessed via https://manage.
windowsazure.com.
2. Click the Users tab, and then click Add User on the command bar.
3. In the Add User dialog box, select New User In Your Organization, and provide a unique username prefix. The full username will become the prefix followed by @ and the fully qualified domain name. For example:
user1@solexpaad.onmicrosoft.com
Click the right arrow to move to the next page.
4. Provide a first, last, and display name for the new user. Leave User selected as the role.
Click the right arrow.
5. Generate a temporary password for this user. The user will be asked to change the pass- word on first login. You can optionally email this password to the user’s email address.
6. Click the check mark to close the dialog box and to add the user to your directory.
NOTE MANAGING USERS
It is impractical to manually create users through the management portal for most scenar- ios. Instead, you are likely to write code that provisions and manages users, with a custom interface as needed, using the Graph API.
MORE INFO MULTI-FACTOR AUTHENTICATION
Azure AD makes it easy to enable multi-factor authentication for users in your directory.
For additional information, see http://azure.microsoft.com/en-us/documentation/services/
multi-factor-authentication/.
Assigning administrative roles
You can choose from a number of pre-defined organizational roles for users you create in a directory. Most users are assigned the user role, which means they are not granted any additional administrative permissions for managing the directory. Outside of the user role, there are five administrator roles available:
■
■ Global administrator
■
■ Billing administrator
■
■ Service administrator
■
■ User administrator
■
■ Password administrator
When you create a new user, you can choose from these roles. You can also use the management portal to modify the organizational role of an existing user.
MORE INFO ADMINISTRATOR ROLES
For additional information about directory administrator roles, see http://msdn.microsoft.
com/en-us/library/azure/dn468213.aspx.
Creating and assigning groups (existing portal)
You can create groups for a directory and assign users to those groups. This is useful for application authorization scenarios.
1. Navigate to the directory from the management portal accessed via https://manage.
windowsazure.com.
2. Click the Groups tab, and click Add Group on the command bar.
3. In the Add Group dialog box, provide a name and description for the group. Click the check mark to create the group.
Objective 5.1: Integrate an app with Azure Active Directory CHAPTER 5 317 4. From the list of groups on the Groups tab (see Figure 5-2), click a group to select it.
FIGURE 5-2 The Groups tab for a directory with a list of existing groups
5. Click Add Members on the command bar.
6. In the Add Members dialog box, click the Users tab, and select one of the users to assign to a group.
7. After assigning one or more users to the group, click the check mark to save the changes.
NOTE GROUP HIERARCHY
You can assign a child group to a parent group to create a hierarchy of groups so that a parent group can include users that belong to multiple child groups.
MORE INFO USER MANAGEMENT
For additional information about managing users from the management portal, see http://msdn.microsoft.com/en-us/library/azure/hh967609.aspx.
Integrating applications
There are several common scenarios for application integration with Azure AD, including the following:
■
■ Users sign in to browser-based applications
■
■ Browser-based applications call Web APIs from JavaScript
■
■ Users sign in to mobile applications that call Web APIs
■
■ Asynchronous server applications call Web APIs
For the first scenario, you can choose from a few protocols: WS-Federation, SAML-P, or OpenID Connect. OpenID Connect is the recommended path because it is the most modern protocol available. The other three scenarios can be implemented using OAuth 2.0 flows, though this is not a strict requirement.
MORE INFO AUTHENTICATION SCENARIOS
See the following reference for a review of these key authentication scenarios with related sample applications: http://msdn.microsoft.com/en-us/library/azure/dn499820.aspx.
The following steps are involved in application integration scenarios with Azure AD:
1. Create your Azure AD directory. This is your tenant.
2. Create your application.
3. Register the application with Azure AD with information about your application.
4. Write code in your application to satisfy one of the scenarios for user authentication or token requests to call APIs.
5. Receive protocol-specific responses to your application from Azure AD, including a valid token for proof of authentication or for authorization purposes.
In this section, you’ll learn how to register an application in the management portal, learn how to find integration endpoints for each protocol, and receive an overview of the relation- ship between your applications and the protocol.
MORE INFO AZURE AD CODE SAMPLES
Integration between applications and Azure AD involves selecting a protocol for user au- thentication and for specific application authorization scenarios and choosing components for your application platform to simplify working with protocols. The following reference has many authentication and authorization samples to help you apply the review in this section to code, illustrating the most common integration scenarios: http://msdn.microsoft.
com/en-us/library/azure/dn646737.aspx.
Registering an application (existing portal)
You can manually add an application using the existing portal by following these steps:
1. Navigate to the directory from the management portal accessed via https://manage.
windowsazure.com.
2. Select the Applications tab, and click Add on the command bar.
3. In the Add Application dialog box, click Add An Application My Organization Is Developing.
4. In the Add Application dialog box, provide a friendly name for the application, and select Web Application and/or Web Api. Click the right arrow to continue to the next screen.
5. For Sign-On URL, provide the URL to your application.
Objective 5.1: Integrate an app with Azure Active Directory CHAPTER 5 319 6. For App ID URI, provide a unique URL that will identify your application. This does not
have to be a live endpoint, but it must be in the form of a URL and be unique across all of your applications.
7. Click the check mark to add the application registration.
8. Navigate to the Configure tab to view these settings and customize additional settings such as the following:
■
■ Uploading a logo for login branding
■
■ Indicating if the application is single or multi-tenant
■
■ Managing keys for OAuth scenarios
■
■ Setting additional permissions
NOTE REPLY URL AND APPLICATION ID
The sign-on URL is used as the reply URL for browser-based scenarios so that the response from user authentication can be sent to your application. You should provide the URL that will process this response for this value. You can optionally use the same value for your ap- plication ID URI since it is a well-formed URL and would likely be unique across your Azure AD tenant applications.
Viewing integration endpoints (existing portal)
Azure AD exposes endpoints for many protocols including:
■
■ WS-Federation metadata and sign-on endpoints
■
■ SAML-P sign-on and sign-out endpoints
■
■ OAuth 2.0 token and authorization endpoints
■
■ Azure AD Graph API endpoints To view these endpoints, do the following:
1. Navigate to the directory from the management portal accessed via https://manage.
windowsazure.com.
2. Select the Applications tab, and click View Endpoints on the command bar.
3. The dialog box (see Figure 5-3) lists protocol endpoints, such as the following:
https://login.windows.net/4a3779e5-8c00-478d-b2cd-7be06a8b236e/
federationmetadata/2007-06/federationmetadata.xml
https://login.windows.net/4a3779e5-8c00-478d-b2cd-7be06a8b236e/wsfed https://login.windows.net/4a3779e5-8c00-478d-b2cd-7be06a8b236e/saml2 https://login.windows.net/4a3779e5-8c00-478d-b2cd-7be06a8b236e/saml2 https://graph.windows.net/4a3779e5-8c00-478d-b2cd-7be06a8b236e https://login.windows.net/4a3779e5-8c00-478d-b2cd-7be06a8b236e/oauth2/
token?api-version=1.0
https://login.windows.net/4a3779e5-8c00-478d-b2cd-7be06a8b236e/oauth2/
authorize?api-version=1.0
FIGURE 5-3 A list of protocol endpoints for an Azure AD tenant
EXAM TIP
You can substitute the tenant identifier with the tenant name for protocol endpoint URLs.
See, for example, https://login.windows.net/solexpaad.onmicrosoft.com/wsfed.
MORE INFO AZURE AD PROTOCOLS
For more information about each of these protocols, see http://msdn.microsoft.com/en-us/
library/azure/dn151124.aspx.
Integrating with WS-Federation
WS-Federation is an identity protocol used for browser-based applications. For example, WS-Federation integration with Azure AD might follow steps like this:
1. Users navigate to your application.
2. Your application redirects anonymous users to authenticate at Azure AD, sending a WS-Federation protocol request that indicates the application URI for the realm parameter. The URI should match the App ID URI shown in the single sign-on settings (see Figure 5-4):
Objective 5.1: Integrate an app with Azure Active Directory CHAPTER 5 321 FIGURE 5-4 Single sign-on settings for an Azure AD tenant
3. The request is sent to your tenant WS-Federation endpoint, for example:
https://login.windows.net/solexpaad.onmicrosoft.com/wsfed
4. The user is presented with a login page, unless he or she already has a valid cookie for the Azure AD tenant.
5. When authenticated, a SAML token is returned in the HTTP POST to the application URL with a WS-Federation response. The URL to use is specified in the single sign-on settings as the Reply URL.
6. The application processes this response, verifies the token is signed by a trusted issuer (Azure AD), and confirms that the token is still valid.
7. The application can optionally use claims in the token to personalize the application experience for the logged in user.
8. The application can optionally query Azure AD for groups for authorization purposes.
NOTE FEDERATION METADATA
WS-Federation exposes two endpoints, one for metadata and one for sign-in and sign-out.
The metadata endpoint exposes the standard federation metadata document that many identity tools know how to consume to discover the address of the sign-in and sign-out endpoint, the certificate required to validate signatures in a response, and other endpoints available at the service, such as SAML-P endpoints. If you use the metadata endpoint, your application should dynamically receive updates, such as new certificates used by the service. The sign-in and sign-out endpoint expects parameters indicating the purpose of the request.
MORE INFO WS-FEDERATION SAMPLE
For more information on integrating an ASP.NET MVC application using the OWIN framework to handle WS-Federation requests and responses, see https://github.com/
AzureADSamples/WebApp-WSFederation-DotNet.
Integrating with SAML-P
SAML 2.0 Protocol (SAML-P) can be used like WS-Federation to support user authentication to browser-based applications. For example, SAML-P integration with Azure AD might follow steps like this:
1. Users navigate to your application.
2. Your application redirects anonymous users to authenticate at Azure AD, sending a SAML-P request that indicates the application URI for the ConsumerServiceURL element in the request.
3. The request is sent to your tenant SAML2 endpoint, for example:
https://login.windows.net/solexpaad.onmicrosoft.com/saml2
4. The user is presented with a login page, unless he or she already has a valid cookie for the Azure AD tenant.
5. When authenticated, a SAML-P response is returned in the HTTP POST to the applica- tion URL. The URL to use is specified in the single sign-on settings as the Reply URL.
This response contains a SAML2 token.
6. The application processes this response, verifies the token is signed by a trusted issuer (Azure AD), and confirms that the token is still valid.
7. The application can optionally use claims in the token to personalize the application experience for the logged in user.
8. The application can optionally query Azure AD for groups for authorization purposes.
NOTE SAML-P ENDPOINTS
SAML-P support in Azure AD includes a sign-on and sign-out endpoint, and they are both the same URL. The protocol describes how to format each request so that the endpoint knows which action is requested.
MORE INFO SAML PROTOCOL
SAML-P tools are not provided as part of the .NET Framework libraries; however, there are a few third-party libraries available for building applications based on this protocol.
Typically, support for SAML-P becomes important when you are integrating other SaaS applications with your Azure AD because some applications do not support WS-Federation or OpenID Connect. For more information on SAML-P and Azure AD, see http://msdn.
microsoft.com/en-us/library/azure/dn195591.aspx.
Objective 5.1: Integrate an app with Azure Active Directory CHAPTER 5 323
Integrating with OpenID Connect
OAuth 2.0 is an authorization protocol and is not used for classic browser-based authenti- cation scenarios. OpenID Connect (OIDC) is an identity protocol that extends OAuth 2.0 to provide a mechanism for authenticating users. With OIDC, you can provide a modern ap- proach to identity in your web applications that redirects the user to authenticate in a similar fashion to WS-Federation and SAML-P, as follows:
1. Users navigate to your application.
2. Your application redirects anonymous users to authenticate at Azure AD, sending an OpenID Connect authentication request that indicates the application URI for the client_id element in the request. The client_id can be found in your configuration properties for the directory (see Figure 5-5):
FIGURE 5-5 Client ID configuration for an Azure AD tenant
3. The request is sent to your tenant OAuth authorize endpoint, for example:
https://login.windows.net/solexpaad.onmicrosoft.com/oauth2/authorize?api- version=1.0
4. The user is presented with a login page, unless he or she already has a valid cookie for the Azure AD tenant.
5. When authenticated, a response is returned in the HTTP POST to the application URL.
The URL to use is specified in the single sign-on settings as the Reply URL, and this value should match the redirect_uri element in the request. The response contains a JSON Web Token (JWT).
6. The application processes this response, verifies the token is signed by a trusted issuer (Azure AD), and confirms that the token is still valid.
7. The application can optionally use claims in the token to personalize the application experience for the logged in user.
8. The application can optionally query Azure AD for groups for authorization purposes.
NOTE OAUTH ENDPOINTS
Azure AD exposes two OAuth endpoints: one for token requests and one for authoriza- tion requests typical of OAuth 2.0. Frameworks that build OpenID Connect and OAuth requests usually use a well-known OpenID metadata endpoint at the identity service to discover which endpoint to send requests to. This metadata endpoint looks something like https://login.windows.net/solexpaad.onmicrosoft.com/.well-known/openid-configuration.
MORE INFO OPENID CONNECT SAMPLE
For more information on integrating an ASP.NET MVC application using the OWIN framework to handle OpenID Connect requests and responses, see https://github.com/
AzureADSamples/WebApp-WSFederation-DotNet.
Integrating with OAuth
OAuth 2.0 is typically useful in scenarios where user consent is required to access resources, but it can also be employed to request tokens for server side client applications. In both cases, your application must supply a client identifier and a key (secret) when requesting a token from the OAuth token endpoint.
To generate a key for your application, complete the following steps:
1. Navigate to the directory from the management portal accessed via https://manage.
windowsazure.com.
2. Click the Applications tab, and select the application you want to grant access to request tokens via OAuth.
3. Scroll to the Keys section. Select a duration of one or two years for the key to be valid.
Click Save on the command bar, and then the key appears.
4. Copy the key somewhere safe; it will not be presented again.
5. You can now use the client_id and key (secret) to perform OAuth token requests from your application.
The following section, “Querying directories with the Graph API,” covers an example of an OAuth token request authorizing an application to use the Graph API.
MORE INFO OAUTH TOKEN REQUEST SAMPLES
The following samples illustrate authorizing users and applications for OAuth token requests:
■
■ https://github.com/AzureADSamples/WebApp-WebAPI-OAuth2-UserIdentity- DotNet
■
■ https://github.com/AzureADSamples/WebApp-WebAPI-OAuth2-AppIdentity- DotNet
Querying directories with the Graph API
Using the Graph API, you can interact with your Azure AD tenant to manage users, groups, and more. If the application is limited to read access only, query activity will be allowed. With read and write access, the application can perform additional management activities:
■
■ Add, update, and delete users and groups