Modern Authentication with Azure Active Directory for Web Applications

Book Description

Build advanced authentication solutions for any cloud or web environment

Active Directory has been transformed to reflect the cloud revolution, modern protocols, and today’s newest SaaS paradigms. This is an authoritative, deep-dive guide to building Active Directory authentication solutions for these new environments. Author Vittorio Bertocci drove these technologies from initial concept to general availability, playing key roles in everything from technical design to documentation. In this book, he delivers comprehensive guidance for building complete solutions. For each app type, Bertocci presents high-level scenarios and quick implementation steps, illuminates key concepts in greater depth, and helps you refine your solution to improve performance and reliability. He helps you make sense of highly abstract architectural diagrams and nitty-gritty protocol and implementation details. This is the book for people motivated to become experts.

Active Directory Program Manager Vittorio Bertocci shows you how to:

  • Address authentication challenges in the cloud or on-premises

  • Systematically protect apps with Azure AD and AD Federation Services

  • Power sign-in flows with OpenID Connect, Azure AD, and AD libraries

  • Make the most of OpenID Connect’s middleware and supporting classes

  • Work with the Azure AD representation of apps and their relationships

  • Provide fine-grained app access control via roles, groups, and permissions

  • Consume and expose Web APIs protected by Azure AD

  • Understand new authentication protocols without reading complex spec documents

Table of Contents

    1. Title Page
    2. Copyright Page
    3. Dedication Page
    4. Contents
    5. Foreword
    6. Introduction
    7. Acknowledgments
    8. Chapter 1. Your first Active Directory app
      1. The sample application
      2. Prerequisites
        1. Microsoft Azure subscription
        2. Visual Studio 2015
      3. Creating the application
      4. Running the application
      5. ClaimsPrincipal: How .NET represents the caller
      6. Summary
    9. Chapter 2. Identity protocols and application types
      1. Pre-claims authentication techniques
        1. Passwords, profile stores, and individual applications
        2. Domains, integrated authentication, and applications on an intranet
      2. Claims-based identity
        1. Identity providers: DCs for the Internet
        2. Tokens
        3. Trust and claims
        4. Claims-oriented protocols
      3. Round-trip web apps, first-generation protocols
        1. The problem of cross-domain single sign-on
        2. SAML
        3. WS-Federation
      4. Modern apps, modern protocols
        1. The rise of the programmable web and the problem of access delegation
        2. OAuth2 and web applications
        3. Layering web sign-in on OAuth
        4. OpenID Connect
        5. More API consumption scenarios
        6. Single-page applications
        7. Leveraging web investments in native clients
      5. Summary
    10. Chapter 3. Introducing Azure Active Directory and Active Directory Federation Services
      1. Active Directory Federation Services
        1. ADFS and development
        2. Getting ADFS
        3. Protocols support
      2. Azure Active Directory: Identity as a service
        1. Azure AD and development
        2. Getting Azure Active Directory
        3. Azure AD for developers: Components
        4. Notable nondeveloper features
      3. Summary
    11. Chapter 4. Introducing the identity developer libraries
      1. Token requestors and resource protectors
        1. Token requestors
        2. Resource protectors
        3. Hybrids
      2. The Azure AD libraries landscape
        1. Token requestors
        2. Resource protectors
        3. Hybrids
      3. Visual Studio integration
        1. AD integration features in Visual Studio 2013
        2. AD integration features in Visual Studio 2015
      4. Summary
    12. Chapter 5. Getting started with web sign-on and Active Directory
      1. The web app you build in this chapter
        1. Prerequisites
        2. Steps
      2. The starting project
      3. NuGet packages references
      4. Registering the app in Azure AD
      5. OpenID Connect initialization code
        1. Host the OWIN pipeline
        2. Initialize the cookie and OpenID Connect middlewares
      6. [Authorize], claims, and first run
        1. Adding a trigger for authentication
        2. Showing some claims
        3. Running the app
      7. Quick recap
      8. Sign-in and sign-out
        1. Sign-in logic
        2. Sign-out logic
        3. The sign-in and sign-out UI
        4. Running the app
      9. Using ADFS as an identity provider
      10. Summary
    13. Chapter 6. OpenID Connect and Azure AD web sign-on
      1. The protocol and its specifications
        1. OpenID Connect Core 1.0
        2. OpenID Connect Discovery
        3. OAuth 2.0 Multiple Response Type, OAuth2 Form Post Response Mode
        4. OpenID Connect Session Management
        5. Other OpenID Connect specifications
        6. Supporting specifications
      2. OpenID Connect exchanges signing in with Azure AD
        1. Capturing a trace
        2. Authentication request
        3. Discovery
        4. Authentication
        5. Response
        6. Sign-in sequence diagram
        7. The ID token and the JWT format
      3. OpenID Connect exchanges for signing out from the app and Azure AD
      4. Summary
    14. Chapter 7. The OWIN OpenID Connect middleware
      1. OWIN and Katana
        1. What is OWIN?
        2. Katana
      2. OpenID Connect middleware
        1. OpenIdConnectAuthenticationOptions
        2. Notifications
      3. TokenValidationParameters
        1. Valid values
        2. Validation flags
        3. Validators
        4. Miscellany
      4. More on sessions
      5. Summary
    15. Chapter 8. Azure Active Directory application model
      1. The building blocks: Application and ServicePrincipal
        1. The Application
        2. The ServicePrincipal object
      2. Consent and delegated permissions
        1. Application created by a nonadmin user
        2. Interlude: Delegated permissions to access the directory
        3. Application requesting admin-level permissions
        4. Admin consent
        5. Application created by an admin user
        6. Multitenancy
      3. App user assignment, app permissions, and app roles
        1. App user assignment
        2. App roles
        3. Application permissions
      4. Groups
      5. Summary
    16. Chapter 9. Consuming and exposing a web API protected by Azure Active Directory
      1. Consuming a web API from a web application
        1. Redeeming an authorization code in the OpenID Connect hybrid flow
        2. Using the access token for invoking a web API
        3. Other ways of getting access tokens
      2. Exposing a protected web API
        1. Setting up a web API project
        2. Handling web API calls
        3. Exposing both a web UX and a web API from the same Visual Studio project
        4. A web API calling another API: Flowing the identity of the caller and using “on behalf of”
        5. Protecting a web API with ADFS “3”
      3. Summary
    17. Chapter 10. Active Directory Federation Services in Windows Server 2016 Technical Preview 3
      1. Setup (for developers)
      2. The new management UX
      3. Web sign-on with OpenID Connect and ADFS
        1. OpenID Connect middleware and ADFS
        2. Setting up a web app in ADFS
        3. Testing the web sign-on feature
      4. Protecting a web API with ADFS and invoking it from a web app
        1. Setting up a web API in ADFS
        2. Code for obtaining an access token from ADFS and invoking a web API
        3. Testing the web API invocation feature
        4. Additional settings
      5. Summary
    18. Appendix: Further reading
    19. Index
    20. About the author
    21. Code Snippets