Aug 5, 2013 12:36:41 PM
The Power of Windows Azure: Identity Access and Federation with Cloud Identity

According to the Microsoft online article at http://www.windowsazure.com/en-us/services/identity/, Windows Azure provides secure, enterprise-ready identity and access management for the cloud.

  • Windows Azure Active Directory
  • Integrate with your on-premises active directory
  • Offer access control for your applications
  • Build social connections across the enterprise
  • Provide single sign-on across your cloud applications
  • Pre-integrated application access enhancements (Preview)
    • Windows Azure Mobile Services
    • Windows Azure Active Authentication (Preview)

Let's walk through the following four cloud identity access and federation scenarios, which demonstrate how Windows Azure Identity technology supports best-practice cloud integration solutions. The technologies involved are OAuth2 (Authorization Code and Implicit grant flows in the scenarios; Client Credentials with Windows Azure Access and Control Service, JWT with the new SharePoint Online App Model and Graph API, not shown in the scenarios), SAML, WS-Federation (Passive in the scenario, and Active), Graph API, mobile and web apps, REST, ADFS, Office365, social identity providers, third-party app APIs (such as AAD and Google App directory synchronization, not shown in the scenarios), and even the ID token (id_token) of OpenID Connect, if you pay attention to Scenario 1.

Scenario 1 – Graph API and Client App with OAuth2 Authorization Code Grant Flow

  1. The user accesses the Client App.
  2. The Client App redirects the request to the OAuth2 Authorization service for an access token
  3. The Authorization service redirects the request to the Sign-In STS to authenticate the user
  4. The user signs in with Windows Azure Active organization ID
  5. The Sign-In STS issues the authentication token to the Authorization service
  6. The Authorization service issues an authorization code to the Client App

http://<client-app-url>?code=AgAAAAAAf_ZCy7KzPg7iR6C3VIKPO2zI4EZaP4C6....

7. The Client App submits the authorization code to the Authorization Server in exchange for an OAuth2 access token

POST https://login.windows.net/common/oauth2/token

grant_type=authorization_code&client_id=<client-app-id>&redirect_uri=<client-app-url>&client_secret=<client-key>&code=AgAAAAAAf_ZCy7KzPg7iR6C3VIKPO2zI4EZaP4C6….

8. The Client App receives OAuth2 access token

{
  "access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1….",
  "token_type":"Bearer",
  "expires_in":"28799",
  "expires_on":"1374051298",
  "multi_resource":true,
  "refresh_token":"AgAAAAAAEU1fnhQZ832bVHuQfLSPZfh…",
  "scope":"62e90394-69f5-4237-9190-012177145e10",
  "id_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJh…..9."
}

9. The Client App invokes a Graph API call to retrieve the user information, passing the OAuth2 access token in the HTTP Authorization header.

https://graph.windows.net/me?api-version=2013-04-05

Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng

10. The Client App receives the user information

{
  "odata.metadata":"https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.WindowsAzure.ActiveDirectory.User/@Element",
  "odata.type":"Microsoft.WindowsAzure.ActiveDirectory.User",
  "objectType":"User",
  "objectId":"9e3c71d1-6972-4f48-a117-d808a7abf19c",
  "accountEnabled":true,
  "displayName":"test user",
  "userPrincipalName":"test@xxxx.onmicrosoft.com"
}
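
The id_token returned in step 8 has a first segment that decodes to {"typ":"JWT","alg":"none"}, so it is unsigned. The following Python is an added example, not code from the original article or from Microsoft; it decodes the JWT header and decides how a client should treat such a token. The function names, decision labels, the RS256 allow-list and the sample claims and signatures are assumptions; only the id_token header segment is taken from step 8.

```python
import base64
import json

def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwt_header(token):
    """Decode (without verifying anything) the header of a compact JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(b64url_decode(parts[0]))

def id_token_decision(token, from_token_endpoint, allowed_algs=("RS256",)):
    """Hypothetical policy: what may a client do with this id_token?"""
    alg = jwt_header(token).get("alg")
    unsigned = str(alg).lower() == "none" or token.split(".")[2] == ""
    if unsigned:
        # No signature: only the TLS connection to the token endpoint vouches
        # for the claims, so a copy arriving any other way is rejected.
        return "accept-channel-only" if from_token_endpoint else "reject-unsigned"
    if alg not in allowed_algs:
        return "reject-alg"        # e.g. HS256 where an RSA-signed token is expected
    return "verify-signature"      # caller must still check signature, iss, aud, exp

def make_token(header_segment, claims, signature_segment):
    # Builds constructed sample tokens; claims and signature bytes are made up.
    payload = b64url_encode(json.dumps(claims).encode())
    return ".".join([header_segment, payload, signature_segment])

PAGE_ID_TOKEN_HEADER = "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0"   # from step 8
CLAIMS = {"sub": "constructed-user"}                            # constructed
ID_TOKEN = make_token(PAGE_ID_TOKEN_HEADER, CLAIMS, "")
RS256_TOKEN = make_token(b64url_encode(b'{"typ":"JWT","alg":"RS256"}'), CLAIMS, "c2ln")
HS256_TOKEN = make_token(b64url_encode(b'{"typ":"JWT","alg":"HS256"}'), CLAIMS, "c2ln")

if __name__ == "__main__":
    for name, tok in [("id_token", ID_TOKEN), ("RS256", RS256_TOKEN), ("HS256", HS256_TOKEN)]:
        print(name, jwt_header(tok), id_token_decision(tok, from_token_endpoint=False))
```
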

Scenario 2 – Pre-Integrated Application Access with Google App for Business

1. The user accesses Application Access panel

https://account.activedirectory.windowsazure.com/applications/default.aspx

2. The user gets redirected to Sign-In STS

3. The user signs in with Windows Azure Active organization ID

4. The user clicks Google App for Business access

https://account.activedirectory.windowsazure.com/applications/redirecttoapplication.aspx?Operation=SignIn&applicationId=01303a13-8322-4e06-bee5-80d612907131&ApplicationConstName=googleapps&FederatedAuthentication=true

5. Windows Azure issues a SAML 2.0 SAMLResponse to Google App

POST https://www.google.com/a/<google-app-domain>/acs

<samlp:Response ID="_6935dfb6-11c7-4859-8063-4b7c495ef871" Version="2.0" IssueInstant="2013-07-28T23:46:34.772Z" Destination="https://www.google.com/a/solesoul.net/acs" InResponseTo="id257e68d977b340e89705a873ea626e9d" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  ….
  <Assertion ID="_d420e5e1-4d40-4718-b404-215ff0e0b4bb" IssueInstant="2013-07-28T23:46:34.772Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>https://sts.windows.net/<tenant-id>/</Issuer>
    <Subject><NameID>user@test.com</NameID>….</Subject>…
    <Audience>http://google.com</Audience></AudienceRestriction>....
    <AttributeStatement>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <AttributeValue>test</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <AttributeValue>user</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <AttributeValue>user@<google-app-domain></AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
        <AttributeValue>xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
        <AttributeValue>9e3c71d1-6972-4f48-a117-d808a7abf19c</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
        <AttributeValue>https://sts.windows.net/<tenant-id>/</AttributeValue>
      </Attribute>
    </AttributeStatement>
    <AuthnStatement AuthnInstant="2013-07-28T23:45:01.000Z" …>
  </Assertion>
</samlp:Response>

6. Google App consumes the SAML token and launches the landing page
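
Step 6 is where the service provider decides whether to trust the response. The following Python is an added example, not code from the original article, Microsoft or Google; it checks that the Destination, InResponseTo, Issuer and Audience values seen in step 5 bind the response to this service provider and to a request it actually sent. The function name, the sp.example URLs, the request ID and the tenant placeholder are assumptions, the sample document is constructed, and XML signature and validity-window checks are assumed to have passed before these comparisons run.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed response modelled on step 5; elided parts are filled with
# made-up values and the signature is omitted.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_r1" Version="2.0" IssueInstant="2013-07-28T23:46:34.772Z"
  Destination="https://sp.example/acs" InResponseTo="id-req-1">
 <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0"
   IssueInstant="2013-07-28T23:46:34.772Z">
  <Issuer>https://sts.windows.net/TENANT-PLACEHOLDER/</Issuer>
  <Subject><NameID>user@test.com</NameID></Subject>
  <Conditions><AudienceRestriction><Audience>https://sp.example</Audience>
  </AudienceRestriction></Conditions>
 </Assertion>
</samlp:Response>"""

def check_response(xml_text, acs_url, pending_request_ids, issuer, audience):
    """Return the names of failed checks; an empty list means all bindings match."""
    root = ET.fromstring(xml_text)
    failures = []
    # The response must be addressed to our assertion consumer service URL.
    if root.get("Destination") != acs_url:
        failures.append("Destination")
    # It must answer a request we sent and have not yet consumed.
    if root.get("InResponseTo") not in pending_request_ids:
        failures.append("InResponseTo")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return failures + ["AssertionCount"]
    assertion = assertions[0]
    # The assertion must come from the identity provider we federate with.
    if assertion.findtext("saml:Issuer", default="", namespaces=NS).strip() != issuer:
        failures.append("Issuer")
    # It must name us as an intended audience.
    audiences = [e.text.strip() for e in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if e.text]
    if audience not in audiences:
        failures.append("Audience")
    return failures
```
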

Scenario 3 – Azure Mobile Service with Android Mobile App and Facebook

  1. The user clicks the Mobile App to access Contact information from Azure Mobile Service
  2. The Mobile App starts OAuth2 Implicit Grant flow with Facebook
  3. The Mobile App and then Azure Mobile Service receive the OAuth2 access token

access_token=CAACjMY5EUnIBAMZBadVhspVyKAW…Mu26YnSHvbhJEuwZD&expires=5183999

4. Azure Mobile Service retrieves User Information from Facebook, passing access token

https://graph.facebook.com/me?access_token=CAACjMY5EUnIBAMZBadVhspVyK...Mu26YnSHvbhJEuwZD

{
  "id":"1000000xxxxxxxx",
  "name":"Test User",
  "updated_time":"2013-05-22T20:06:32+0000"
}

5. Mobile App gets authenticationToken from Azure Mobile Service

{
  "user":{"userId":"Facebook:1000000xxxxxxxx"},
  "authenticationToken":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpX…-QwWhRjFHBOEqPAcsXoLqjENoY"
}

6. App retrieves Contact information list by passing X-ZUMO-AUTH token

GET https://<tenant-mobile-service-name>.azure-mobile.net/tables/Contact

X-ZUMO-INSTALLATION-ID: 3959a7fd-9af5-4145-b35b-1d5d7e2f5e8d

X-ZUMO-AUTH: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6MH0…..qPAcsXoLqjENoY

7. App adds new contact to Contact List with HTTP POST

POST https://jakeoauthmvc.azure-mobile.net/tables/Contact

X-ZUMO-AUTH: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCI…sfwkqr-QwWhRjFHBOEqPAcsXoLqjENoY

…..

8. App updates Telephone number of first contact

PATCH https://jakeoauthmvc.azure-mobile.net/tables/Contact/1

X-ZUMO-AUTH: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCI…sfwkqr-QwWhRjFHBOEqPAcsXoLqjENoY

….

9. App deletes first contact

DELETE https://jakeoauthmvc.azure-mobile.net/tables/Contact/1

X-ZUMO-AUTH: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCI…sfwkqr-QwWhRjFHBOEqPAcsXoLqjENoY

HTTP/1.1 204 No Content

Scenario 4 – Office 365 Service and On-Premise ADFS

  1. The user accesses the Web-based Office 365 service.
  2. The Office 365 service redirects request to Sign-In STS
  3. The user signs in with UPN
  4. The Sign-In STS redirects request to On-Premise ADFS based on UPN
  5. The user signs in with On-Premise AD
  6. The On-Premise ADFS presents the token to the Sign-In STS
  7. The Sign-In STS transforms the token and then issues a new token to the Office 365 service.
  8. The Office 365 service validates the new token and then applies the necessary access control checks before allowing the user access to the service.