Web Browser to Web App: WS-Federation, SAML 2.0, OpenID Connect

Participants: Web Browser; Web App (Katana); SAML, WS-Fed, or OpenID Connect endpoint. Web App registration: ID URI, Reply URL.

1. Navigate to site
2. Redirect to token service
3. Sign in
4. Send security token to Reply URL
5. Set session
NativeApp to Web API: OAuth 2.0 auth code grant, public client

Participants: NativeApp (ADAL); Authorize Endpoint; Token Endpoint; WebAPI (Katana). NativeApp SP: Client ID, Redirect URI. WebAPI SP: App ID URI.

2. Sign in (user sees web pop up …)
3. Return Authorization Code to Redirect URI
Authorization Code Request/Response

    &redirect_uri=http://myclient/
    << Stuff happens here to sign the user in... >>
    302 Found
    http://myclient/?code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGCXIY6dQcQ-_cqhsBff…
Refreshing an expired access token (NativeApp to Web API)

Participants: NativeApp (ADAL); Token Endpoint (ADFS / AAD); WebAPI (Katana). NativeApp SP: Client ID, Redirect URI. WebAPI SP: App ID URI.

1. Call WebAPI (Access Token in AuthZ Header)
2. Access Token has Expired
3. Request new Access Token with Refresh Token
4. Return Access Token, Refresh Token
5. Call web API with Access Token in AuthZ Header
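The code grant and refresh exchange from the slides above, as an added Python example that is not part of the deck or of ADAL: it builds the authorize request, pulls the code out of the 302 Found back to the Redirect URI, and trades the refresh token for a new access token once the old one has expired. The endpoint URL, client id and App ID URI are constructed placeholders; the state check is an addition beyond the slide (standard OAuth 2.0 practice), and the token endpoint is stubbed as a callable so the code runs offline.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholders (assumptions, not values from the deck).
AUTHORIZE_ENDPOINT = "https://login.example.test/oauth2/authorize"
CLIENT_ID = "native-app-client-id"          # NativeApp SP: Client ID
REDIRECT_URI = "http://myclient/"           # NativeApp SP: Redirect URI (as on the slide)
APP_ID_URI = "https://api.example.test/"    # WebAPI SP: App ID URI, sent as 'resource'


def build_authorize_url(state):
    """Authorization code request: the native app sends the browser here to sign in."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "resource": APP_ID_URI, "state": state}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_code_from_redirect(status_line, location, expected_state):
    """Read the authorization code out of the '302 Found' back to the Redirect URI.
    The state comparison is not on the slide; it ties the response to our own request."""
    if not status_line.startswith("302"):
        raise ValueError("expected a 302 redirect to the Redirect URI")
    parts = urlsplit(location)
    if parts.scheme + "://" + parts.netloc + parts.path != REDIRECT_URI:
        raise ValueError("redirect did not land on the registered Redirect URI")
    query = parse_qs(parts.query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to our request")
    return query["code"][0]


class TokenHolder:
    """Holds the access/refresh token pair returned by the token endpoint and
    refreshes once the access token has expired (steps 2-4 of the refresh slide)."""

    def __init__(self, token_endpoint_call, access_token, refresh_token, expires_at):
        self.call = token_endpoint_call    # callable posting a form to the token endpoint
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.expires_at = expires_at       # absolute time, same clock as 'now' below

    def ensure_access_token(self, now):
        """Return the AuthZ header for the web API call, refreshing first if needed."""
        if now >= self.expires_at:
            resp = self.call({"grant_type": "refresh_token", "client_id": CLIENT_ID,
                              "refresh_token": self.refresh_token, "resource": APP_ID_URI})
            self.access_token = resp["access_token"]
            self.refresh_token = resp.get("refresh_token", self.refresh_token)
            self.expires_at = now + int(resp["expires_in"])
        return {"Authorization": "Bearer " + self.access_token}
```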
What about SPAs?

• Support for OAuth2 “Implicit Flow”
• simplified flow – no server back-end required
• currently AAD only

http://www.cloudidentity.com/blog/2014/10/28/adal-javascript-and-angularjs-deep-dive/
Web App to Web API with the application's own credential

Participants: Browser; WebApp (Katana, ADAL); AAD Authorize Endpoint and Token Endpoint; WebAPI (Katana). NativeApp SP: Client ID, Credential. WebAPI SP: App ID URI.

1. Signed in, using the web app…
2. Request token (Client ID, Credential, App ID URI)
3. Return access token
4. Call web API with Access Token in AuthZ Header

*The application’s credential can be a password, or it can be an assertion (a JWT token) signed with a private key.
Browser to Web App: sign in returning an ID Token and Auth Code

Participants: Browser; WebApp (Katana, ADAL); AAD Authorize Endpoint and Token Endpoint; WebAPI (Katana). NativeApp SP: Client ID, Credential. WebAPI SP: App ID URI.

1. Navigate to site
2. Redirect to sign in and request auth code (Client ID, Redirect URI)
3. Sign in
4. Return ID Token and Auth Code to Redirect URI
6. Set session

Note on the slide: might require user consent.
Feature Matrix (non exhaustive)

Standalone

| Feature                 | Part of Windows Server | Freemium | Free (OSS) |
|-------------------------|------------------------|----------|------------|
| WS-Federation           | yes                    | yes      | yes        |
| WS-Trust                | yes                    | no       | no         |
| OAuth2 Code Flow        | yes                    | yes      | yes        |
| Resource Owner Flow     | no                     | yes      | yes        |
| Implicit Flow           | no                     | yes      | yes        |
| Client Credentials Flow | no                     | yes      | yes        |
| Social Logins           | no                     | no       | yes        |
| OpenID Connect          | no                     | yes      | yes        |
| Saml2p                  | yes                    | yes      | no         |

The column headers are the Price Model row of the slide.

http://blogs.technet.com/b/ad/archive/2014/09/15/azure-active-directory-basic-is-now-ga.aspx
Thank you very much

[email protected]
http://leastprivilege.com
@leastprivilege