A presentation at a technology meetup.
Roy Kim will walk through various access scenarios and capabilities using Azure AD services and features to access SharePoint 2013/2016 server. This will include a comparison between AD Connect + Azure Application Proxy to publish an internal SharePoint application and the 3rd party Auth0 to assist in federating Azure AD and SSO integration, and also the recently supported Azure AD SAML 1.1 token.
Roy will go through a demo, its architecture, and commentary on pros and cons. At the end you will have a good understanding of the technology capabilities to determine supporting access and user management scenarios.
Azure AD App Proxy Login Scenarios with an On Premises Applications - TSPUG
1. Azure AD Login Scenarios with SharePoint 2013/2016
Azure AD, Azure Application Proxy, AD Connect, AAD Non-Gallery App
May 16, 2017
Roy Kim
@RoyKimYYZ
www.roykim.ca
2. Roy Kim
Independent Consultant
15+ years work experience in consulting for enterprise
applications involving SharePoint, Azure, Office 365 and
.NET development
Microsoft MVP
University of Toronto – Computer Science graduate
rkim@roykim.ca
Twitter: @roykimYYZ
Blog: roykim.ca
Slideshare: www.slideshare.net/roykimtoronto
About Me
3. Azure AD Overview
Publishing with Azure Application Proxy and Azure AD Connect
Azure AD with Auth0 SSO Broker
Azure AD with Extranet User Manager
Publishing SP with Azure AD Non-Gallery App with SAML Claims
Azure AD Features
Q&A
Agenda
4. Use cases
External Access
Azure AD App Proxy
3rd Party SSO Brokers
Single Sign On
Conditional Access
Sign In and Audit Logs
Identity and Access Management to Applications
5. Authentication Stack
Client
•Desktop, Native Mobile
•Browser Web Apps
•Server, Console apps
Identity
•Corporate AD/LDAP
•Application username/password
•Internet social accounts
Sign In & Authentication Protocol
•Windows / Kerberos
•OpenID Connect, OAuth
•SAML, WS-Fed
•Certificate / Password-less
•and more
Web Application
•Claims Aware
•Standard / Non claims aware
Some of the pieces of an authentication stack .. can get complex ..
7. Azure AD
Azure AD
Multi-tenant
Platform as a Service
Identity management service. Azure AD combines core directory services, advanced identity governance and application access management.
Azure AD B2B
A feature of Azure AD that adds a 'guest' user type.
In simplified terms, any active email address that is either ‘wrapped’ by a Microsoft Account or is any Azure AD account.
Azure AD B2C
Authenticate with:
Social Accounts (such as Facebook, Google, LinkedIn, and more)
Enterprise Accounts (using open standard protocols, OpenID Connect or SAML)
Local Accounts (email address and password, or username and password)
Azure AD and Azure AD B2C are separate product offerings and cannot coexist in the same tenant.
A tenant represents a collection of identities to be used with relying party applications.
9. Properties of an AAD B2B collaboration user
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-user-properties
(Table of user properties from the reference above, with the slide annotations "i.e. AAD Account" and "Non-typical cases")
11. Evaluating 4 Architecture Patterns
Let’s evaluate three architectural patterns with some demos!
Azure AD Application Proxy with Windows Authentication
Azure AD + 3rd Party Auth0 Single Sign On cloud broker (claims based authentication)
3rd Party Extranet User Manager as the Identity Provider (claims based authentication)
Azure AD Enterprise Non-Gallery Application (SAML claims based authentication)
12. AZURE APPLICATION PROXY
Azure Application Proxy
Remote Access
Single Sign-on experience
Windows Integrated Authentication / Kerberos
Constrained Delegation
Install App Proxy connector in internal network
AD Connect
Sync on-prem AD accounts to Azure AD tenant.
Note: Not the other way around.
Install AD Connect in internal network
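The Kerberos constrained delegation the slide lists is normally set on the delegation tab of the connector host's computer object. The following PowerShell is an added example, not from the presentation, of the same configuration done with the ActiveDirectory RSAT module; the domain, connector host name (APPPROXY01), SharePoint app pool account (spAppPool) and SharePoint SPN (HTTP/sharepoint.contoso.local) are placeholders. It ends with the check a defender wants: that the connector host can delegate only to the SharePoint SPN and is not trusted for unconstrained delegation.

```powershell
# Added example (not from the presentation): constrained delegation for an
# Azure AD Application Proxy connector host so it can obtain a Kerberos
# service ticket for SharePoint on behalf of the Azure AD user (KCD with
# protocol transition). All names are placeholders. Run as a Domain Admin
# with the ActiveDirectory RSAT module installed.
Import-Module ActiveDirectory

$ConnectorHost = 'APPPROXY01'                   # computer running the App Proxy connector
$SpAppPoolUser = 'spAppPool'                    # SharePoint web application pool identity
$SharePointSpn = 'HTTP/sharepoint.contoso.local' # SPN of the internal SharePoint URL

# 1. The SharePoint web application needs an SPN on its app pool account so the
#    KDC can issue tickets for it (skipped if it is already registered).
$existing = (Get-ADUser -Identity $SpAppPoolUser -Properties servicePrincipalName).servicePrincipalName
if ($existing -notcontains $SharePointSpn) {
    Set-ADUser -Identity $SpAppPoolUser -ServicePrincipalNames @{ Add = $SharePointSpn }
}

# 2. Let the connector host delegate to that one SPN only (constrained) and
#    enable protocol transition ("Use any authentication protocol"): the user
#    never authenticated to the connector with Kerberos, Azure AD did the
#    pre-authentication, so the connector impersonates the user from the UPN.
$computer = Get-ADComputer -Identity $ConnectorHost
Set-ADObject -Identity $computer.DistinguishedName `
    -Add @{ 'msDS-AllowedToDelegateTo' = $SharePointSpn }
Set-ADAccountControl -Identity $computer.DistinguishedName -TrustedToAuthForDelegation $true

# 3. Verify. Anything beyond the SharePoint SPN in AllowedToDelegateTo, or
#    TrustedForDelegation = True (unconstrained delegation), is a
#    misconfiguration that widens what a compromised connector host could do.
Get-ADComputer -Identity $ConnectorHost `
    -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ';' } }
```

The SPN configured here is the value entered as the Internal Application SPN in the application's single sign-on settings in the Azure portal. The user signing in through Azure AD must be a synced on-premises AD user, because the connector requests the Kerberos ticket for that on-premises identity; this is why the deck's footnote says guest users cannot reach the application through this pattern.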
13. AZURE APPLICATION PROXY + AAD CONNECT
Architecture diagram: an On-Premises Network or Azure IaaS Virtual Network hosts the AD users, Azure AD Connect, the Azure Application Proxy Connector and My SharePoint App with its SP DB. Azure AD Connect syncs the AD users into the Azure AD tenant, and the connector makes an outbound 443 connection to the Azure Application Proxy service (Azure PaaS). The Azure AD tenant holds AAD Users, Synced AD Users and Guest Users * (work accounts and Microsoft accounts, including users invited from a Partner Azure AD Tenant or a Microsoft Account), with Enterprise Applications surfaced in the MS Access Panel (myapps.microsoft.com). A user on the Internet accesses the published app at https://roykimspublishedsharepoint-spb2b.msappproxy.net/
* Guest users wouldn’t be able to access the on-premises application
14. AZURE APPLICATION PROXY DEMO
User Authentication Scenarios
Access points
Application sign in URL
MS Access Panel – https://myapps.microsoft.com
Employees log in with their corporate credentials.
No OOTB automatic external user sign-up (AD B2B). The external user has to be created starting from on-premises AD, which is not IT-support friendly.
Note: There used to be user write back from Azure AD to on-premises AD.
External user sign in (AD B2B)
Self Service Password Reset for employee accounts
IT/Application Admin responsibility
Add new external user (AD B2B guest user)
15. AZURE APPLICATION PROXY SUMMARY
Pros
Easily publish an on-premises application without adding ADFS and Web Application Proxy
Cons
Adding Azure AD guest users requires an on-prem AD account added with the same domain.
There used to be user write-back in AAD Connect
Good fit for organizations that just want to easily publish on-premises applications with limited Azure AD B2B requirements.
16. AUTH0 SSO BROKER
Auth0
Authenticate and authorize apps and APIs with any identity provider running on any stack on any device or cloud
Platform as a Service
Single Sign On Broker
No need for ADFS.
Requires a public application endpoint to serve as the ‘Reply Url’ where the application expects to receive the SAML token.
Alternatives: OneLogin, Okta, Ping Identity, AWS Cognito, EUM
Gartner’s IAM Magic Quadrant 2017
17. AUTH0 SSO BROKER
Architecture diagram: users on the internet reach the Published SharePoint App (SharePoint and its SP DB in a DMZ, on an On-Premises Network or Azure IaaS Virtual Network, with direct internet access) either by (1) direct access or (2) a redirect to the Auth0 login page. Auth0 (3rd party PaaS) is the claims provider; it holds an Enterprise Connection to the Azure AD tenant ‘SPB2C’, a Client registration for the SharePoint App, the Auth0 Login Page and the SSO Integration with SharePoint. The Azure AD tenant contains AAD Users, Synced AD Users and Guest Users (work accounts, Microsoft accounts, a Partner Azure AD Tenant), with Enterprise Applications surfaced in the MS Access Panel (myapps.microsoft.com).
18. AUTH0 SSO BROKER
Pros
Single Sign On
Role based access with role claim
Supports SAML 1.1 to work with SharePoint Server; also supports SAML 2.0, OpenID, OAuth, etc.
No need for WAP and ADFS
Cons
Added licensing cost
May lose its competitive value if Azure AD grows in its capabilities
19. EXTRANET USER MANAGER
Extranet User Manager
https://www.extranetusermanager.com
Delegated external user management
Self-registration
Local SQL accounts or federation with Microsoft Azure AD, Microsoft accounts, Facebook, and Google
Password management and Multi-Factor Authentication
Azure App Service or on-premises IIS hosting
20. EXTRANET USER MANAGER
Architecture diagram: users on the internet reach the Published SharePoint App (SharePoint and its SP DB in a DMZ, on an On-Premises Network or Azure IaaS Virtual Network, by direct internet access or ideally via any proxy) either by (1) direct access or (2) a redirect to the EUM login page. EUM (3rd party PaaS) is the trusted identity provider; it holds an Enterprise Connection to the Azure AD tenant ‘SPB2C’, a Client registration for the SharePoint App, the EUM Login Page and the SSO Integration with SharePoint. The Azure AD tenant contains AAD Users, Synced AD Users and Guest Users (work accounts, Microsoft accounts, a Partner Azure AD Tenant), with Enterprise Applications surfaced in the MS Access Panel (myapps.microsoft.com).
21. EXTRANET USER MANAGER
Pros
Single Sign On
Role based access with role claim
Supports SAML 1.1 to work with SharePoint Server; also supports OpenID Connect
No need for WAP and ADFS
Cons
Added licensing cost
22. AZURE AD NON-GALLERY APP WITH SAML 1.1 TOKEN
Configure single sign-on with on-premises applications as an Azure AD app that is not part of the gallery
No need to write code.
Generates a certificate for the app to establish trust with AAD
Requires an Azure AD Premium license
No need for WAP and ADFS
References:
Using Azure AD for SharePoint Server Authentication
Azure Active Directory claims provider for SharePoint 2013 and 2016 (project on GitHub)
Understanding WS-Federation
23. AZURE AD NON-GALLERY APP (ALTERNATE DESIGN)
Architecture diagram: the SharePoint web application (with its SP DB, on an On-Premises Network or Azure IaaS Virtual Network) is configured with Azure AD as a trusted identity provider and is reached by direct internet access, or ideally via any proxy. Users authenticate against the Azure AD tenant's STS; the tenant holds AAD Users, Synced AD Users and Guest Users (work accounts, Microsoft accounts, a Partner Azure AD Tenant) and exposes the Enterprise Application "SP App (non-gallery)" with a SAML 1.1 token issuance policy, also listed in the MS Access Panel (myapps.microsoft.com).
24. AZURE AD NON-GALLERY APP
Pros
Single Sign On
The ability to grant permissions to users or to a group, and thereby access via a role claim
No need for ADFS and Web App Proxy
Cons
Added configuration for SAML based authentication with SAML 1.1 token support with a PowerShell script.
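Slides 22 and 24 refer to the PowerShell configuration this pattern needs without showing it. The following is an added example, not the presenter's script, of the two halves of that configuration: a token issuance policy created with the AzureAD PowerShell module so the non-gallery app emits SAML 1.1 tokens, and a SharePoint trusted identity token issuer that trusts that app over WS-Federation. The app display name, tenant ID, realm, certificate path and claim mappings are placeholders; the policy JSON follows the documented TokenIssuancePolicy format.

```powershell
# Added example (not from the presentation). Part A runs wherever the AzureAD
# PowerShell module is installed; Part B runs in the SharePoint Management
# Shell on a SharePoint 2013/2016 server. All values are placeholders.

# ---- Part A: make Azure AD issue SAML 1.1 tokens to the non-gallery app ----
Connect-AzureAD

$AppDisplayName = 'SP SAML'     # display name of the non-gallery enterprise application
$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '$AppDisplayName'"
if (-not $sp) { throw "Service principal '$AppDisplayName' not found" }

# SharePoint 2013/2016 accepts SAML 1.1 assertions over WS-Federation, so attach
# a token issuance policy that overrides the default SAML 2.0 token version.
$policyDefinition = @'
{"TokenIssuancePolicy":{"Version":1,"SigningAlgorithm":"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256","TokenResponseSigningPolicy":"TokenOnly","SamlTokenVersion":"1.1"}}
'@
$policy = New-AzureADPolicy -Definition @($policyDefinition) `
    -DisplayName 'SharePointSAML11' -Type 'TokenIssuancePolicy' -IsOrganizationDefault $false
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

# Check: the service principal should now carry the token issuance policy.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Select-Object DisplayName, Type

# ---- Part B: trust Azure AD as an identity provider in SharePoint ----
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$TenantId  = '00000000-0000-0000-0000-000000000000'  # placeholder tenant ID
$Realm     = 'urn:sharepoint:spsaml'                 # must equal the app's Identifier (Entity ID) in Azure AD
$CertPath  = 'C:\certs\AzureADSigning.cer'           # SAML signing certificate downloaded from the app's SSO page
$SignInUrl = "https://login.microsoftonline.com/$TenantId/wsfed"

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
New-SPTrustedRootAuthority -Name 'Azure AD Signing' -Certificate $cert

# Map the claims Azure AD emits to SharePoint claim types; the identifier claim
# becomes the user's login name in SharePoint.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -IncomingClaimTypeDisplayName 'Email' -SameAsIncoming
$roleMap = New-SPClaimTypeMapping `
    -IncomingClaimType 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role' `
    -IncomingClaimTypeDisplayName 'Role' -SameAsIncoming

$issuer = New-SPTrustedIdentityTokenIssuer -Name 'Azure AD' -Description 'Azure AD (SAML 1.1 / WS-Fed)' `
    -Realm $Realm -ImportTrustCertificate $cert -ClaimsMappings $emailMap, $roleMap `
    -SignInUrl $SignInUrl -IdentifierClaim $emailMap.InputClaimType

# The issuer still has to be added to the web application's zone as an
# authentication provider (Central Administration or Set-SPWebApplication).
$issuer | Format-List Name, Realm, ProviderUri, IdentityClaimTypeInformation
```

The realm must match the Identifier (Entity ID) on the app's single sign-on page, and the app's Reply URL must be the web application's /_trust/ endpoint; otherwise the assertion is correctly signed but rejected. Because the trust rests on the signing certificate imported with New-SPTrustedRootAuthority, rotating that certificate in Azure AD has to be paired with updating the SharePoint trust, or sign-in breaks.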
25. AZURE AD NON-GALLERY APP (ALTERNATE DESIGN)
Architecture diagram: SharePoint (with its SP DB, on an On-Premises Network or Azure IaaS Virtual Network) uses ADFS as its claims provider, and ADFS federates with the Azure AD tenant's STS. The tenant holds AAD Users, Synced AD Users and Guest Users (work accounts, Microsoft accounts, a Partner Azure AD Tenant) and exposes the Enterprise Application "SP App (non-gallery)" through the MS Access Panel (myapps.microsoft.com). The diagram also shows Web App Proxy and an Azure Application Proxy Connector, annotated "Will not work since requires SAML 1.1 token *".
* Should be able to federate and trust Azure AD with SAML 1.1 token issuance policy
* I need to test
Advantage: Able to protect SharePoint app within corporate firewall and publish with Azure App Proxy
26. Azure AD Applications
Any application that wants to use the capabilities of Azure AD to provide secure sign-in and authorization for its services must first be registered in an Azure AD tenant.
27. Access Panel Applications
Portal of all Azure AD Applications including Office 365 - per AD Directory
28. Azure AD App Self Service
Portal of all Azure AD Applications including Office 365 - per AD Directory
29. AZURE AD - CONDITIONAL ACCESS
Policy: For Azure AD App ‘SP SAML’, require MFA if: guest user, outside of trusted IP locations, device is iOS or Windows, client app is browser or native app