DevSum: Azure AD B2C Application security made easy

  1. Azure AD B2C: Application security made easy Sjoukje Zaal @SjoukjeZaal #DevSum19
  2. About me Sjoukje Zaal Principal Expert Microsoft / Azure MVP T: @SjoukjeZaal W:
  3. Agenda: 01 What is Azure AD B2C and why should I use it? 02 Key Benefits and Capabilities (Demo) 03 Flows & Policies (Demo) 04 Identity Providers (Demo) 05 Customize the UI (Demo)
  4. What is Azure Active Directory B2C? Azure AD B2C is an identity management service that enables you to customize and control how customers interact with your application.
  5. Why use Azure Active Directory B2C? Highly available; world wide scaling; secure; reliable.
  6. Key Benefits. Simple & Secure: minimal application code; easy to maintain; enterprise-grade security features. Flexible: multiple Identity Providers; .NET, iOS, and Android; open standards.
  7. Capabilities: default authentication providers; social media identity providers; custom identity providers; single sign on; multi-factor authentication; enable and customize sign up/sign in; edit profiles.
  9. Sample application. Web App: MVC app for registering to-do items; calls the Web API; requests access tokens from the Web API. Tasks Web API: performs CRUD operations; scope-based access control.
  10. Application Code. Open standards: OpenID Connect, OAuth 2.0. MSAL.
  11. Demo Summary: 1 Registered the Tasks demo Web API; 2 Published a read and write permission for the API; 3 Registered the demo web app; 4 Granted the read and write permissions to the demo web app (client); 5 Generated and copied the client secret; 6 Copied the application Ids from both apps; 7 Added values to web.config files.
  12. Flows & Policies. User flows: triggered by the application; predefined; reusable; custom attributes. Custom policies: configuration files (XML); Identity Experience Framework; standards-based (OAuth 2.0, OIDC, SAML).
  13. When to use user flows: sign-up or sign-in with local or social accounts; self-service password reset; profile edit; multi-factor authentication.
  14. When to use custom policies: send a welcome email using your own email service provider; provision a user account in another system at the time of registration; use a user store outside Azure AD B2C; validate user-provided information with a trusted system by using an API.
  16. Demo Summary: 1 Created a new user flow; 2 Selected the Identity Provider to enable the flow; 3 Selected the included fields and returned claims; 4 Made changes to the web.config; 5 Ran the application.
  17. Identity Providers: authentication service; security tokens; out-of-the-box providers; client Id & secret.
  19. Demo Summary: 1 Registered a new Identity Provider in Azure B2C; 2 Added the client id and client secret to the identity provider; 3 Enabled the Identity Provider in the user flow; 4 Tested the user flow from the Azure B2C tenant.
  20. Page UI customization feature: customize look and feel; visual consistency; CORS; merges UI with HTML.
  22. Demo Summary: 1 Created a storage account and blob container; 2 Enabled CORS; 3 Created a custom HTML/CSS file; 4 Uploaded the HTML/CSS files to the Blob container; 5 Updated the user flow; 6 Tested the user flow.
  23. Multi-factor authentication: user flow level; no code required.
  25. Demo Summary: 1 Opened the user flow settings; 2 Enabled Multi-factor Authentication (MFA); 3 Tested the application.
  26. Wrap up: it’s not Azure B2B; the app can be hosted anywhere; migrate with the Azure AD Graph API; reporting and monitoring; language customization.
  28. And… Last but not least – don’t forget to evaluate this session in the DevSum app! #DevSum19

Editor's Notes

  1. This interaction includes the sign up, sign in process, and managing the user profiles from customers that use your custom applications.
  2. It uses the underlying cloud infrastructure, designed for high availability, that all the other Azure resources use as well. It offers world wide scaling: Azure B2C scales across all the Azure regions, so the response is fast out of the box. It is capable of supporting millions of users and billions of authentications per day.
  3. Easy to maintain: all changes are made inside the Azure portal. It supports multiple types of application, such as iOS, Android and .NET applications, among others. Azure AD B2C protects your customer identities. Open standards: OAuth 2.0.
  4. I’ve skipped the step of creating an Azure AD B2C tenant, because this is a very straightforward process. AppID URI: set the AppID URI to demoapi. This AppID URI is a unique identifier representing this particular ASP.NET Web API. The AppID URI is used to construct the scopes that are configured in your ASP.NET Web Application. For example, in this ASP.NET Web API sample, the scope will have the value
  5. Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell a browser to let an application running at one domain access selected resources from an app at a different domain. Define Scopes for CORS. Scopes are used by the web API to implement scope-based access control. Users of the web API need to have read and write permissions in Azure B2C. The published scopes are used to grant the client application permissions to the web app. To call a protected web API from the client application, you need to grant your application permissions to the API. How to explain this??? Look into it.
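As an added illustration of the scope-based access control described in the note above (example code written for this page, not part of the original deck or of Microsoft's ASP.NET sample), the following Python shows how the Tasks API side would map HTTP methods to the read and write scopes and check the access token's claims. The application id, the scope names and the use of the `aud` and `scp` claims are assumptions made for this example, and the RS256 signature is assumed to have been validated by the JWT middleware before these checks run.

```python
import base64
import json
import time
from typing import Optional, Tuple

# Constructed values for this example (not from the deck): the Tasks Web API's
# application id, which the token's "aud" claim is assumed to carry, and the two
# published scopes, assumed to arrive space-separated in the "scp" claim.
API_APP_ID = "00000000-0000-0000-0000-000000000001"  # placeholder app id
READ_SCOPE = "demoapi.read"
WRITE_SCOPE = "demoapi.write"

# Scope each HTTP method of the Tasks API requires (assumption for this example):
# reading to-do items needs read, every CRUD mutation needs write.
REQUIRED_SCOPE = {"GET": READ_SCOPE, "POST": WRITE_SCOPE,
                  "PUT": WRITE_SCOPE, "DELETE": WRITE_SCOPE}


def decode_payload(token: str) -> dict:
    """Return the claims in a JWT's payload segment (base64url, unpadded).
    This does NOT verify the signature: a real API lets its JWT middleware
    validate the RS256 signature and issuer against the B2C tenant's metadata
    before the checks below run."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def authorize(claims: dict, method: str,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Scope-based access control for one request. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    if claims.get("aud") != API_APP_ID:
        return False, "token was not issued for this API"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    needed = REQUIRED_SCOPE.get(method.upper())
    if needed is None:
        return False, "method not allowed"
    granted = set(claims.get("scp", "").split())  # e.g. "demoapi.read demoapi.write"
    if needed not in granted:
        return False, f"missing scope {needed}"
    return True, "ok"

def make_demo_token(claims: dict) -> str:
    """Build an unsigned demo token (header.payload.placeholder) so the block
    runs offline; a real B2C token carries an RS256 signature instead."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.placeholder"
```

A token whose `scp` claim holds only the read scope passes `authorize(claims, "GET")` but is refused for `POST`, `PUT` and `DELETE`, which is the behaviour the read and write permissions published in the demo are meant to give.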
  6. MSAL: Microsoft Authentication Libraries
  7. Find out why. Published scopes:
  8. Add the Web Application
  18. User Flows: to enable users to sign up, sign in, or manage their profile, you need to create multiple types of user flows inside the Azure B2C tenant. Because you register these inside the tenant, you can reuse the flows in different types of applications. Policies: custom policies are configuration files that define the behavior of your Azure Active Directory (Azure AD) B2C tenant. User flows are predefined in the Azure AD B2C portal for the most common identity tasks. Custom policies can be fully edited by an identity developer to complete many different tasks. Identity Experience Framework: custom policies use the Identity Experience Framework, which is essentially a contract that reduces the complexity of identity federation to a single trust relationship and a single metadata exchange. Standards: OAuth 2.0, which is an authorization framework; OIDC, which stands for OpenID Connect, an authentication layer on top of OAuth 2.0; and SAML (Security Assertion Markup Language), an open standard that provides both authentication and authorization.
  20. Policies fully describe identity experiences such as sign-up, sign-in, or profile editing. For instance, suppose that during the registration process you want the user account to be added to your CRM system as well. For this you need to create a custom policy, because this is not part of the standard predefined user flows.
  21. Is a predefined user flow that is going to be configured for this type of application
  23. An identity provider is a service that authenticates customer identities and issues security tokens. In Azure AD B2C, you configure a number of identity providers in your tenant, such as a Microsoft account, Facebook, or Amazon among others. To configure an identity provider in your Azure AD B2C tenant, you must record the application identifier or client identifier and the password or client secret from the identity provider application that you create. This identifier and password are then used to configure your application.
  24. Most of the HTML and CSS content that's presented to customers is controllable. By using the page UI customization feature, you customize the look and feel of any policy. You maintain brand and visual consistency between your application and Azure AD B2C by using this customization feature. Azure AD B2C runs code in the customer's browser and uses a modern approach called Cross-Origin Resource Sharing (CORS). Azure AD B2C code in a browser uses a modern and standard approach to load custom content from a URL that you specify in a user flow. Cross-origin resource sharing (CORS) allows restricted resources on a web page to be requested from other domains. First, you specify a URL in a policy with customized HTML content. Azure AD B2C merges UI elements with the HTML content that's loaded from your URL and then displays the page to the customer. You send parameters to Azure AD B2C in a query string. By passing the parameter to your HTML endpoint, the page content is dynamically changed. For example, you change the background image on the Azure AD B2C sign-up or sign-in page based on a parameter that you pass from your web or mobile application.