Modern Authentication with Azure Active Directory for Web Applications
Vittorio Bertocci
PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright 2016 by Vittorio Bertocci. All rights reserved.
No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.
Library of Congress Control Number: 2014954517
ISBN: 978-0-7356-9694-5
Printed and bound in the United States of America.
First Printing
Microsoft Press books are available through booksellers and distributors worldwide. If you need support related to this book, email Microsoft Press Support at .
This book is provided as-is and expresses the author's views and opinions. The views, opinions, and information expressed in this book, including URL and other Internet website references, may change without notice.
Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.
Microsoft and the trademarks listed at www.microsoft.com on the Trademarks webpage are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.
Acquisitions and Developmental Editor: Devon Musgrave
Project Editor: John Pierce
Editorial Production: Rob Nance, John Pierce, and Carrie Wicks
Copyeditor: John Pierce
Indexer: Christina Yeager, Emerald Editorial Services
Cover: Twist Creative Seattle and Joel Panchot
To my dearest brothers and sisters: Mauro, Franco, Marino, Cristina, Ulderico, Maria, Laura, Guido, and Mira, for letting me see the world through nine other pairs of eyes.
Contents
Foreword
The purpose of an application is to take input from users or other applications and produce output that will be consumed by those same users or applications or by other ones. That's true of a website that gains input from a click on a link and sends back the content of the requested page as output; a middle tier that processes database requests queued from a front end, executing them by sending input to a database; or a cloud service that gets input from a mobile application to look up nearby friends. Given this, a fundamental question faced in the design of every application is, "Who is sending the input, and should the application process it to produce the resulting output?" Put another way: every application must decide on an identity system that represents users and other applications, a means by which to validate an application's or user's claimed identity, and a way to determine what outputs the user or application is allowed to produce.
These decisions will determine how easily users and applications can interact with an application, what functionality they can take advantage of to secure and manage their identities and credentials, and how much work the application developer must do to enable these capabilities, which are known as authentication and authorization. The ideal answers make it possible for users and applications to use their preferred identities, whether from Facebook, Gmail, or their enterprise; for the application to easily configure the access rights for authorized users; and for the application to rely on other services as much as possible to do the heavy lifting. Identity and access control, while key to an application's utility, are not the core value an application delivers, so developers shouldn't spend any more time on this area than they have to. Why create a database of users and worry about which algorithm to use to encrypt the users' passwords if you can take advantage of a service that's built for doing just that, with industry-leading security and management?
Microsoft Azure Active Directory (Azure AD) is arguably the heart of Microsoft's cloud platform. All Microsoft cloud services, including Microsoft Azure, Microsoft Xbox Live, and Microsoft Office 365, use Azure AD as their identity provider. And because Azure AD is a public cloud service, application developers can also take advantage of its capabilities. If an application relies on Azure AD as its identity provider, it can rely on Azure AD APIs to provision users, rely on Azure AD to manage their passwords, and even give users the ability to use multifactor authentication (MFA) to securely authenticate to the application. For application developers wanting to integrate with businesses, including the many that are already using Azure AD, Azure AD has the most flexible and comprehensive support of any service for integrating Active Directory and LDAP identities. Fueled by enterprise adoption of Office 365, Azure AD is already a connection point for hundreds of millions of business and organizational identities, and it's growing fast.
Using Azure AD for the most common scenarios is easy, thanks to the open source developer libraries, tooling, and guidance available on Microsoft Azure's GitHub organization. Going beyond the basics, however, requires a good understanding of modern authentication flows, specifically OAuth2 and OpenID Connect, and concepts such as a relying party and tokens, federation, role-based access control, a provisioned application, and service principals. If you're new to these protocols and terms, the learning curve can seem daunting. Even if you're not, knowing the most efficient way to use Azure AD and its unique capabilities is important, and it's worthwhile understanding what's available to you.
There's no better book than Modern Authentication with Azure Active Directory for Web Applications to help you make your application take full advantage of Azure AD. I've known Vittorio Bertocci since I started in Azure five years ago, and I've watched his always popular and highly rated Microsoft TechEd, Build, and Microsoft Ignite conference presentations to catch up with the latest developments in Azure AD. He's a master educator and one of Microsoft's foremost experts on identity and access control.
This book will guide you through the essentials of authentication protocols, decipher the disparate terminology applied to the subject, tell you how to get started with Azure AD, and then present concrete examples of applications that use Azure AD for their authentication and authorization, including how they work in hybrid scenarios with Active Directory Federation Services (ADFS). With the information and insights Vittorio shares, you'll be able to efficiently create modern cloud applications that give users and administrators the flexibility and security of Microsoft's cloud and the convenience of using their preferred identities.
Mark Russinovich
Chief Technology Officer, Microsoft Azure
Introduction
It's never a good idea to use the word "modern" in the title of a book.
Growing up, one of the centerpieces of my family's bookshelf was a 15-volume encyclopedia titled Nuovissima Enciclopedia ("Very new encyclopedia"), and I always had a hard time reconciling the title with the fact that it was 10 years older than me.
I guarantee that the content in this book will get old faster than those old volumes (cloud and development technologies evolve at a crazy pace), and yet I could not resist referring to the main subject of the book as "modern authentication."