Advertisement
DevSum: Azure AD B2C Application security made easy
May. 23, 2019•0 likes•758 views
1 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
Download to read offline
Report
Internet
The slides for my session at DevSum at May 23, 2019
Sjoukje ZaalFollow
Advertisement
Advertisement
Advertisement
Recommended
Azure AD B2C – integration in a bankKseniia Lvova
Introduction to Azure AD and Azure AD B2CJoonas Westlin
Understanding Azure ADNew Horizons Ireland
Azure role based access control (rbac)Srikanth Kappagantula
Azure Identity and access managementDinusha Kumarasiri
Azure Active Directory - An IntroductionVenkatesh Narayanan
DevSum: Azure AD B2C Application security made easy
- Azure AD B2C: Application security made easy Sjoukje Zaal @SjoukjeZaal szaal@outlook.com #DevSum19
- About me Sjoukje Zaal Principal Expert Microsoft / Azure MVP T: @SjoukjeZaal W: https://www.sjoukjezaal.com
- Agenda What is AzureAD B2C andWhy should I use it? 01 Key Benefits and Capabilities • Demo 02 Flows & Policies • Demo 03 Identity Providers • Demo 04 Customize the UI • Demo 05
- What is Azure Active Directory B2C? Azure AD B2C is an identity management service that enables you to customize and control how customers interact with your application.
- Why use AzureActive Directory B2C? Highly available World wide scaling Secure Reliable
- Key Benefits • Minimal application code • Easy to maintain • Enterprise-grade security features Simple & Secure • Multiple Identity Providers • .NET, iOS, and Android • Open standards Flexible
- Capabilities Default Authentication Providers Social Media Identity Providers Custom Identity Providers Single Sign On Multi-factor authentication Enables & customize sign up/sign in Edit profiles
- DEMO 1: REGISTERING THE APPLICATION
- Sample application Web App MVC App for registering to-do items Calls Web API RequestsAccess tokens fromWeb API Tasks Web API Performs CRUD operations Scoped based access control
- Application Code Open Standards • Open ID Connect • OAuth 2.0 MSAL
- Demo Summary 7 Added values to web.config files 6 Copied the application Id’s from both apps 5 Generated and copied the client secret 4 Granted the read and write permissions to the demo web app (client) 3 Registered the demo web app 2 Published a read and write permission for theAPI 1 Registered theTasks demoWeb API
- Flows & Policies Is triggered by application Predefined Reusable Custom Attributes User flows Configuration files XML Identity Experience Framework Standards- based OAuth 2.0, OIDC, SAML Custom Policies
- When to use user flows Sign-up or sign- in with local or social accounts Self-service password reset Profile edit Multi-Factor Authentication
- When to use custom policies Send a welcome email using your own email service provider Provision a user account in another system at the time of registration Use a user store outsideAzure AD B2C Validate user provided information with a trusted system by using an API
- DEMO 2: CREATING A USER FLOW
- Demo Summary 5 Run the application 4 Made changes to the web.config 3 Selected the included fields and returned claims 2 Selected the Identity Provider to enable the flow 1 Created a new user flow
- Identity Providers Authentication Service Security tokens Out-of-the-box providers Client Id & Secret
- DEMO 3: CONFIGURING AN IDENTITY PROVIDER
- Demo Summary 4 Tested the user flow from the Azure B2C tenant 3 Enabled the Identity Provider in the user flow 2 Added the client id and client secret to the identity provider 1 Registered a new Identity Provider in Azure B2C
- Page UI customization feature Customize look and feel Visual Consistency CORS Merges UI with HTML
- DEMO 4: CUSTOMIZETHE UI
- Demo Summary 6 Tested the user flow 5 Updated the user flow 4 Uploaded the HTML/CSS files to the Blob container 3 Created a custom HTML/CSS file 2 Enabled CORS 1 Created a storage account and blob container
- Multi-factor authentication User flow level No code required
- DEMO 5: ENABLING MFA
- Demo Summary 3 Tested the application 2 Enabled Multifactor Authentication (MFA) 1 Openend the user flow settings
- Wrap up It’s not Azure B2B App can be hosted everywhere Migrate with Azure AD Graph API Reporting and Monitoring Language customization
- QUESTIONS?
- And…. Last but not least – don’t forget to evaluate this session in the DevSum app! #DevSum19
Editor's Notes
- This interaction includes the sign up, sign in process, and managing the user profiles from customers that use your custom applications.
- Use the underlying cloud infrastructure which is designed for high availability which is used by all the other Azure resources as well It offers world wide scaling, Azure B2C scales across all the Azure regions, so the response is fast out of the box. Capable of supporting millions of users and billions of authentications per day.
- Easy to maintain: All changes are made inside the Azure portal. It supports multiple types of application, such as iOS, Android, .NET application, for instance, and other types of applications. Azure AD B2C protects your customer identities. Open standards OAuth 2.0
- I’ve skipped the step of creating an Azure AD B2C tenant, because this is a very straightforward process. AppID URI Set the AppID URI to demoapi. This AppID URI is a unique identifier representing this particular ASP.NET Web API. The AppID URI is used to construct the scopes that are configured in your ASP.NET Web Application. For example, in this ASP.NET Web API sample, the scope will have the value https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi#Using-your-own-Azure-AD-B2C-Tenant
- https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi#Using-your-own-Azure-AD-B2C-Tenant Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell a browser to let a application running at one domain have permission to access selected resources from a app at a different domain. Define Scopes for CORS Scopes are used by the web API to implement scope-based access control. Users of the web api need to have read an write permissions in Azure B2C. The published scopes are used to grant the client application permissions to the web app. To call a protected web API from the client application, you need to grant your application permissions to the API. https://www.w3.org/TR/cors/ hoe uitleggen??? uitzoeken
- MSAL: Microsoft Authentication Libraries
- Uitzoeken waarom Published scopes: https://www.w3.org/TR/cors/
- Add the Web Application
- Add the Web Application
- Add the Web Application
- Add the Web Application
- Add the Web Application
- Add the Web Application
- Add the Web Application
- Add the Web Application
- Add the Web Application
- Add the Web Application
- User Flows To enable users to sign up, sign in, or manage their profile, you need to create multiple types of user flows inside the Azure B2C tenant. Because you register this inside the tenant, you can reuse these flows in different types of applications. Policies Custom policies are configuration files that define the behavior of your Azure Active Directory (Azure AD) B2C tenant. User flows are predefined in the Azure AD B2C portal for most common identity tasks. Custom policies can be fully edited by an identity developer to complete many different tasks. Identity Experience Framework: Custom policies use the Identity Experience Framework, which is basically a contract that is used that reduces the complexity of identity federation. The complexity is reduced to a single trust relationship and a single metadata exchange. https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-trustframeworks-defined-ief-custom Standards: OAuth 2.0 which is an authorization framework, OIDC which stands for OpenID Connect, which is an authentication layer on top of OAuth 2.0, and SAML (Security Assertion Markup Language) which is It’s an open standard that provides both authentication and authorization. (https://spin.atomicobject.com/2016/05/30/openid-oauth-saml/)
- https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-custom-attr https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-policies
- Policies Policies fully describe identity experiences such as sign-up, sign-in, or profile editing. So for instance, you have a scenario where during the registration process, you want to user account to be added to your CRM system as well. For this, you need to create a custom policy, because this is not part of the standard predefined user flows.
- Is a predefined user flow that is going to be configured for this type of application
- Is a predefined user flow that is going to be configured for this type of application
- An identity provider is a service that authenticates customer identities and issues security tokens. In Azure AD B2C, you configure a number of identity providers in your tenant, such as a Microsoft account, Facebook, or Amazon among others. To configure an identity provider in your Azure AD B2C tenant, you must record the application identifier or client identifier and the password or client secret from the identity provider application that you create. This identifier and password are then used to configure your application.
- Most of the HTML and CSS content that's presented to customers is controllable. By using the page UI customization feature, you customize the look and feel of any policy. You maintain brand and visual consistency between your application and Azure AD B2C by using this customization feature. Azure AD B2C runs code in the customer's browser and uses a modern approach called Cross-Origin Resource Sharing (CORS). Azure AD B2C code in a browser uses a modern and standard approach to load custom content from a URL that you specify in a user flow. Cross-origin resource sharing (CORS) allows restricted resources on a web page to be requested from other domains. First, you specify a URL in a policy with customized HTML content. Azure AD B2C merges UI elements with the HTML content that's loaded from your URL and then displays the page to the customer. You send parameters to Azure AD B2C in a query string. By passing the parameter to your HTML endpoint, the page content is dynamically changed. For example, you change the background image on the Azure AD B2C sign-up or sign-in page based on a parameter that you pass from your web or mobile application.
- https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-language-customization
Advertisement