Diagram: clients (browser, web application, web API, native app, server app) on a wide variety of devices, languages and platforms, and server applications on a wide variety of platforms and languages. Browser to web application: WS-Fed, SAML 2.0, OpenID Connect. Native app to web API, web application to web API, and server app to web API: OAuth 2.0. Standards-based, HTTP-based protocols for maximum platform reach.
Today, we announced Azure Active Directory Premium, an advanced offering that includes IAM capabilities for on-premises, hybrid and cloud environments. Built on top of the free Azure AD, it provides an additional set of features for enterprises with demanding identity and access management needs, such as:
• Group-based access assignment for SSO to more than 1200 SaaS apps via myapps.microsoft.com and mobile apps
• Self-service password reset
• Delegated group management
• Multi-Factor Authentication
• Customized branding
• Reporting, alerting, and analytics
Additionally, Azure AD Premium offers:
• An enterprise SLA of 99.9%
• Usage rights to Forefront Identity Manager Server and CALs
WS-Fed, SAML 2.0, OpenID Connect: browser to web application
Web Browser to Web App: WS-Federation, SAML 2.0, OpenID Connect
The Contoso.com directory tenant holds the WebApp service principal (App ID URI, Reply URL) and exposes a SAML, WS-Fed or OpenID Connect endpoint. WebApp runs OWIN auth middleware or Windows Identity Foundation.
1. Browser navigates to the site (WebApp)
2. Redirect to the directory tenant to sign in (the app is identified by its App ID URI)
3. Sign in
4. Tenant sends the security token to the Reply URL
5. WebApp sets its session
Tenant-specific endpoint: https://login.windows.net/contoso.com/<protocol>
Common (multi-tenant) endpoint: https://login.windows.net/common/<protocol>
Claim        Example                                Intended purpose
Tenant ID    81aabdd2-3682-48fd-9efa-2cb2fcea8557   Immutable tenant identifier
Name         skwan@skwantoso.com                    Display only
First Name   Stuart                                 Display only
Last Name    Kwan                                   Display only
Object ID    b3809430-6c28-4e43-870d-fa7d38636dcd   Immutable security identifier
* Coming soon: group claims and role claims
OpenID Connect discovery metadata: https://login.windows.net/common/.well-known/openid-configuration
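The endpoints, the metadata document and the claims table above fit together in the way a relying party's middleware has to use them, and the /common endpoint has one trap worth seeing in code: its metadata carries an issuer template rather than a fixed issuer, so the application itself must decide which tenant IDs it accepts. The following is an added example, not code from the deck, from ADAL or from the OWIN middleware. It assumes the protocol path segments ("wsfed", "saml2", "oauth2/authorize", "oauth2/token"), the claim names Azure AD emits for the table's rows (tid, unique_name, given_name, family_name, oid) and the "{tenantid}" issuer template from Azure AD's documented behaviour, none of which the deck spells out; the discovery document and the token are constructed samples, and the token is left unsigned, so the code parses and checks claims but does not verify a signature.

```python
import base64
import json
import time

AUTHORITY = "https://login.windows.net"

# Constructed sample of the discovery document served at
# https://login.windows.net/common/.well-known/openid-configuration. Field
# names are the OpenID Connect Discovery ones; values are illustrative, not a
# capture. The "{tenantid}" placeholder in "issuer" is why the /common endpoint
# needs extra care: the relying party, not the directory, decides which tenants
# it trusts.
SAMPLE_OPENID_CONFIGURATION = json.dumps({
    "issuer": "https://sts.windows.net/{tenantid}/",
    "authorization_endpoint": AUTHORITY + "/common/oauth2/authorize",
    "token_endpoint": AUTHORITY + "/common/oauth2/token",
    "jwks_uri": AUTHORITY + "/common/discovery/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
})


def protocol_endpoint(tenant, protocol):
    """Tenant-specific endpoint. tenant is a verified domain, a tenant ID or
    'common'; protocol is the path segment, e.g. 'wsfed', 'saml2',
    'oauth2/authorize' or 'oauth2/token' (assumed, not from the deck)."""
    return "%s/%s/%s" % (AUTHORITY, tenant, protocol)


def parse_discovery(document):
    """Pull the endpoints a relying party needs out of the metadata document."""
    cfg = json.loads(document)
    missing = [k for k in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
               if k not in cfg]
    if missing:
        raise ValueError("discovery document lacks " + ", ".join(missing))
    return cfg


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token):
    """Split a compact JWT into (header, claims, signature bytes). This only
    parses, as an online decoder does; the RS256 signature still has to be
    verified against the keys at jwks_uri before any claim is trusted."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(claims_b64)),
            b64url_decode(sig_b64))


def validate_claims(claims, expected_audience, allowed_tenants, issuer_template, now=None):
    """Checks the middleware must make after the signature passes. Returns a
    list of problems; an empty list means the claim set is acceptable."""
    now = time.time() if now is None else now
    problems = []
    tid = claims.get("tid")
    if tid not in allowed_tenants:
        problems.append("tid %r is not an allowed tenant" % tid)
    if claims.get("iss") != issuer_template.replace("{tenantid}", str(tid)):
        problems.append("iss %r does not match tenant %r" % (claims.get("iss"), tid))
    if claims.get("aud") != expected_audience:
        problems.append("aud %r is not this application's App ID URI" % claims.get("aud"))
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    if claims.get("nbf", 0) > now:
        problems.append("token is not yet valid")
    return problems


SAMPLE_NOW = 1400000000  # constructed clock value at which the sample token is valid


def make_sample_token():
    """Constructed, unsigned token carrying the claim set from the table above,
    using the claim names Azure AD emits (assumed: tid, unique_name, given_name,
    family_name, oid). The signature segment is left empty on purpose."""
    header = {"typ": "JWT", "alg": "RS256"}
    claims = {
        "iss": "https://sts.windows.net/81aabdd2-3682-48fd-9efa-2cb2fcea8557/",
        "aud": "https://contoso.com/WebApp",
        "tid": "81aabdd2-3682-48fd-9efa-2cb2fcea8557",
        "unique_name": "skwan@skwantoso.com",
        "given_name": "Stuart",
        "family_name": "Kwan",
        "oid": "b3809430-6c28-4e43-870d-fa7d38636dcd",
        "nbf": SAMPLE_NOW - 300,
        "exp": SAMPLE_NOW + 3600,
    }
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()), ""])
```

The tid check is the one that distinguishes a single-tenant app from a multi-tenant one: with the tenant-specific endpoint the directory only ever issues tokens for contoso.com, but with /common any Azure AD tenant can produce a token whose signature verifies, and only the allowed-tenants check keeps a stranger's token out.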
OAuth 2.0: native app to web API
Native Client to Web API: OAuth 2.0 auth code grant, public client
The Contoso.com directory tenant holds the NativeApp service principal (Client ID, Redirect URI), the WebAPI service principal (App ID URI) and an impersonation grant from NativeApp to WebAPI; it exposes an authorize endpoint and a token endpoint. NativeApp uses ADAL*; WebAPI runs OWIN auth middleware or Windows Identity Foundation.
1. Request auth code at the authorize endpoint (Client ID, Redirect URI, App ID URI)
2. Sign in (the user sees a web pop-up)
3. Return auth code to the Redirect URI
4. Redeem auth code at the token endpoint (Auth Code, Client ID, Redirect URI, App ID URI)
5. Return access token (JWT**) and refresh token (JWT**)
6. Send access token on the Authorization header to WebAPI
* Active Directory Authentication Library: client-side helper library that handles UI prompts, protocol, caching.
** JWT = JSON Web Token, a JSON-encoded security token bearing claims.
JWT decoder: http://jwt.calebb.net/
Native Client to Web API: OAuth 2.0 auth code grant, public client (refresh)
1. Call WebAPI (access token in the Authorization header)
2. Access token has expired
3. NativeApp (ADAL) requests a new access token from the token endpoint (Client ID, Refresh Token*, App ID URI)
4. Return access token, refresh token
5. Call WebAPI with the new access token in the Authorization header
* Bonus: a "multi-resource refresh token" can be used to get an access token for a different service if a delegation exists.
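The two slides above (the code grant, then the refresh) as one runnable exchange with both sides' messages. This is an added example, not the deck's code and not ADAL: the tenant is a constructed stand-in (MockTenant) that takes parameters as dicts instead of URL-encoded forms, issues opaque random strings instead of JWTs and has a settable clock so expiry can be exercised; the client IDs, redirect URI and App ID URIs are made up. It goes slightly beyond the slides by showing the checks each side should make at each step: redirect URI and impersonation grant at the authorize endpoint, state on the redirect, a single-use code bound to the client and redirect URI at redemption, refresh-token rotation, and audience plus expiry at WebAPI. The multi-resource refresh token bonus is what lets call_api reach a second API without a second sign-in.

```python
import secrets


class MockTenant:
    """Constructed stand-in for the Contoso.com tenant's authorize and token
    endpoints (not Azure AD's code). Parameters travel as dicts rather than
    URL-encoded forms, codes and tokens are opaque random strings rather than
    JWTs, and a settable clock (now) makes token expiry testable."""

    def __init__(self, now=0.0, ttl=3600):
        self.now, self.ttl = now, ttl
        self.clients, self.codes, self.access, self.refresh = {}, {}, {}, {}
        self.sign_ins = 0  # how many times a user was shown the sign-in UI

    def register_client(self, client_id, redirect_uri, impersonation_grants):
        """NativeApp service principal: Client ID, Redirect URI and the App ID
        URIs it holds an impersonation grant for."""
        self.clients[client_id] = (redirect_uri, set(impersonation_grants))

    def authorize(self, q, user):
        """Steps 1-3: check the request, sign the user in, return the redirect
        (target, params) carrying the auth code and the caller's state."""
        redirect_uri, grants = self.clients.get(q.get("client_id"), (None, set()))
        if redirect_uri is None or redirect_uri != q.get("redirect_uri"):
            raise PermissionError("unknown client or redirect_uri mismatch")
        if q.get("resource") not in grants:
            raise PermissionError("no impersonation grant for %r" % q.get("resource"))
        self.sign_ins += 1
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["client_id"], redirect_uri, q["resource"], user)
        return redirect_uri, {"code": code, "state": q.get("state", "")}

    def token(self, f):
        """Steps 4-5 (code redemption) and the refresh-token exchange."""
        if f.get("grant_type") == "authorization_code":
            entry = self.codes.pop(f.get("code"), None)  # a code is single use
            if entry is None:
                raise PermissionError("unknown or already redeemed code")
            client_id, redirect_uri, resource, user = entry
            if (client_id, redirect_uri) != (f.get("client_id"), f.get("redirect_uri")):
                raise PermissionError("code belongs to another client or redirect_uri")
        elif f.get("grant_type") == "refresh_token":
            entry = self.refresh.pop(f.get("refresh_token"), None)  # rotated on use
            if entry is None or entry[0] != f.get("client_id"):
                raise PermissionError("unknown refresh token or wrong client")
            client_id, user = entry
            resource = f.get("resource")  # multi-resource RT: any granted resource
            if resource not in self.clients[client_id][1]:
                raise PermissionError("no impersonation grant for %r" % resource)
        else:
            raise ValueError("unsupported grant_type")
        at, rt = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.access[at] = (resource, user, self.now + self.ttl)
        self.refresh[rt] = (client_id, user)
        return {"access_token": at, "refresh_token": rt, "expires_in": self.ttl}

    def bearer_user(self, resource, authorization):
        """WebAPI's check on the Authorization header: Bearer scheme, token
        issued for this App ID URI, not expired. Returns the user or None."""
        scheme, _, tok = authorization.partition(" ")
        issued_for, user, exp = self.access.get(tok, (None, None, 0))
        if scheme != "Bearer" or issued_for != resource or exp <= self.now:
            return None
        return user


class NativeClient:
    """ADAL-like helper (constructed, not ADAL): runs the code grant once,
    caches an access token per resource, and uses the refresh token both for
    additional resources and after expiry."""

    def __init__(self, tenant, client_id, redirect_uri):
        self.tenant, self.client_id, self.redirect_uri = tenant, client_id, redirect_uri
        self.access, self.refresh_token = {}, None

    def _store(self, resource, response):
        self.access[resource] = response["access_token"]
        self.refresh_token = response["refresh_token"]

    def acquire_by_code(self, resource, user):
        state = secrets.token_urlsafe(8)  # ties the redirect to this request
        _, params = self.tenant.authorize({
            "response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
            "resource": resource, "state": state}, user)
        if params.get("state") != state:
            raise PermissionError("state mismatch: redirect is not for this request")
        self._store(resource, self.tenant.token({
            "grant_type": "authorization_code", "code": params["code"], "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "resource": resource}))

    def acquire_by_refresh(self, resource):
        self._store(resource, self.tenant.token({
            "grant_type": "refresh_token", "refresh_token": self.refresh_token,
            "client_id": self.client_id, "resource": resource}))

    def call_api(self, resource, user):
        """Refresh slide, steps 1-5: call, notice the rejected token, refresh, retry."""
        if resource not in self.access:
            if self.refresh_token:  # multi-resource refresh token: no second sign-in prompt
                self.acquire_by_refresh(resource)
            else:
                self.acquire_by_code(resource, user)
        who = self.tenant.bearer_user(resource, "Bearer " + self.access[resource])
        if who is None:
            self.acquire_by_refresh(resource)
            who = self.tenant.bearer_user(resource, "Bearer " + self.access[resource])
        return who
```

Because the native app is a public client it presents no credential of its own, so everything that binds a code to the party that asked for it is the registered redirect URI, the single-use code and the client's state value; a redemption with a wrong client_id or redirect_uri, or a replay of a consumed code, is refused by the token endpoint, and a redirect carrying someone else's state is refused by the client.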
Web application to web API (browser, web application, web API)
Web App to Web API: OAuth 2.0 client credentials
The Contoso.com directory tenant holds the WebApp service principal (Client ID, Redirect URI, Credential*), the WebAPI service principal (App ID URI) and an access grant from WebApp to WebAPI. WebApp uses WIF/OWIN and ADAL; WebAPI uses WIF/OWIN.
1. User is signed in, using the web app...
2. WebApp requests a token from the token endpoint (Client ID, Credential, App ID URI)
3. Return access token
4. Call WebAPI with the access token in the Authorization header
* The application's credential can be a password, or it can be an assertion (a JWT) signed with a private key.
Web App to Web API: OpenID Connect
The Contoso.com directory tenant holds the WebApp service principal (Client ID, Redirect URI, Credential), the WebAPI service principal (App ID URI) and an impersonation grant from WebApp to WebAPI. WebApp uses WIF/OWIN and ADAL; WebAPI uses WIF/OWIN.
1. Navigate to site
2. Redirect to sign in and request auth code (Client ID, Redirect URI)
3. Sign in
4. Return ID Token* and auth code to the Redirect URI (might require user consent)
6. Set session
7. WebApp requests an access token from the token endpoint (Auth Code, Client ID, Credential, Redirect URI, App ID URI)
8. Return access token, refresh token
9. Call WebAPI with the access token in the Authorization header
* ID Token: claims about the user for WebApp.
Server app to web API (native app, web API, server app, web API)
Server to Web API: OAuth 2.0 On-Behalf-Of token exchange
The Contoso.com directory tenant holds the WebAPI1 service principal (Client ID, Credential), the WebAPI2 service principal (Client ID, Credential) and an impersonation grant from WebAPI1 to WebAPI2. Both APIs use WIF/OWIN; WebAPI1 also uses ADAL.
1. A native app or web app uses WebAPI1, passing the user's access token...
2. WebAPI1 requests a token from the token endpoint (User's Access Token, Client ID, Credential)
3. Return access token, refresh token
4. Call WebAPI2 with the access token in the Authorization header
America's oldest and largest healthcare services company
Company founded: 1833
Headquarters: San Francisco
Fortune 500: ranked 14th
Employees: 43,500
Revenue: $122.5 billion
Segments: Distribution Solutions and Technology Solutions
Together with our customers and partners, we are creating a sustainable future for healthcare. Together we are charting a course to better health.
Distribution Solutions: #1 pharmaceutical distributor in U.S. and Canada; #1 generics distributor; #1 in medical-surgical distribution to alternate care sites
Technology Solutions: leader in clinical, revenue-cycle and resource-management solutions; leading RelayHealth claims-processing and connectivity business; #1 in medical-management software and services to payers
https://github.com/orgs/MSOpenTech
http://katanaproject.codeplex.com/
https://github.com/AzureADSamples
http://www.windowsazure.com/en-us/solutions/identity/
Protocol support in AD FS 3.0, AD FS 2.0+ and Azure AD (status values: Preview, GA, Not available)
Native client: OAuth 2.0 auth code grant, public client
Web sign-in: WS-Federation; SAML 2.0; OpenID Connect
Web to Web API: OAuth 2.0 auth code grant, confidential client
Server to Web API: OAuth 2.0 client credential grant; OAuth 2.0 on behalf of
Web App to Web API: OAuth 2.0 auth code grant, confidential client*
The Contoso.com directory tenant holds the WebApp service principal (Client ID, Redirect URI, Credential), the WebAPI service principal (App ID URI) and a delegation from WebApp to WebAPI. WebApp uses WIF/OWIN and ADAL; WebAPI uses WIF/OWIN.
1. User is signed in, using the web app...
2. Request auth code at the authorize endpoint (Client ID, Redirect URI)
3. Return auth code (might require user consent)
4. Request access token from the token endpoint (Auth Code, Client ID, Credential, Redirect URI, App ID URI)
5. Return access token, refresh token
6. Call WebAPI with the access token in the Authorization header
* Called "confidential client" because WebApp uses its credentials when redeeming the auth code.
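The token requests a confidential client sends in the client-credentials slide (step 2), the OpenID Connect slide (step 7), the On-Behalf-Of slide (step 2) and the confidential-client slide above (step 4) differ only in the grant type and in how the application's credential travels, so one added example covers all four. This is not the deck's code and not ADAL: it builds each request body as a dict, and for the "assertion signed with a private key" form of credential it shows both the assertion the WebApp builds and the checks the token endpoint makes on it (audience pinned to one token endpoint, issuer and subject equal to the client, validity window, jti replay cache). Parameter names (client_secret, client_assertion_type, assertion, requested_token_use, resource) are taken from Azure AD's token endpoint documentation, not from the slides; the token endpoint URL, client IDs and secret are constructed; and because the standard library has no RSA, the signer is an HMAC-SHA256 stand-in labelled HS256, whereas Azure AD expects RS256 over a certificate registered on the service principal with the thumbprint in the x5t header.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

TOKEN_ENDPOINT = "https://login.windows.net/contoso.com/oauth2/token"  # constructed
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
JWT_CLIENT_ASSERTION = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_assertion(client_id, token_endpoint, signer, now=None, lifetime=600):
    """The JWT a WebApp presents instead of a password: aud pins it to one token
    endpoint, iss and sub name the client, jti makes it single use and exp keeps
    it short-lived. signer is (alg, extra header fields, sign(bytes) -> bytes)."""
    now = int(time.time() if now is None else now)
    alg, extra_header, sign = signer
    header = dict({"alg": alg, "typ": "JWT"}, **extra_header)
    claims = {"aud": token_endpoint, "iss": client_id, "sub": client_id,
              "jti": str(uuid.uuid4()), "nbf": now, "exp": now + lifetime}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + b64url(sign(signing_input.encode()))


def verify_client_assertion(assertion, my_token_endpoint, client_id, verify, seen_jti, now=None):
    """Token-endpoint side. verify(signing_input, signature) -> bool; seen_jti is
    the replay cache. Returns the claims or raises PermissionError."""
    now = time.time() if now is None else now
    header_b64, claims_b64, sig_b64 = assertion.split(".")
    if not verify((header_b64 + "." + claims_b64).encode(), b64url_decode(sig_b64)):
        raise PermissionError("signature does not verify under the client's registered key")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("aud") != my_token_endpoint:
        raise PermissionError("assertion was minted for another token endpoint")
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        raise PermissionError("issuer/subject do not name the requesting client")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise PermissionError("assertion is outside its validity window")
    if claims.get("jti") in seen_jti:
        raise PermissionError("assertion replayed")
    seen_jti.add(claims["jti"])
    return claims


def credential_fields(credential):
    """credential is ("secret", password) or ("assertion", signed JWT)."""
    kind, value = credential
    if kind == "secret":
        return {"client_secret": value}
    if kind == "assertion":
        return {"client_assertion_type": JWT_CLIENT_ASSERTION, "client_assertion": value}
    raise ValueError("unknown credential kind %r" % kind)


def auth_code_redemption(client_id, code, redirect_uri, resource, credential):
    """Confidential-client code redemption: the credential rides with the code."""
    return dict({"grant_type": "authorization_code", "code": code, "client_id": client_id,
                 "redirect_uri": redirect_uri, "resource": resource}, **credential_fields(credential))


def client_credentials(client_id, resource, credential):
    """App-only token for resource; no user involved."""
    return dict({"grant_type": "client_credentials", "client_id": client_id,
                 "resource": resource}, **credential_fields(credential))


def on_behalf_of(client_id, user_access_token, resource, credential):
    """WebAPI1 trades the caller's access token for one it can present to WebAPI2."""
    return dict({"grant_type": JWT_BEARER_GRANT, "assertion": user_access_token,
                 "requested_token_use": "on_behalf_of", "client_id": client_id,
                 "resource": resource}, **credential_fields(credential))


# Stand-in credential. Azure AD expects RS256 over a certificate registered on
# the service principal (header x5t = certificate thumbprint); the standard
# library has no RSA, so this constructed example signs with HMAC-SHA256 under a
# shared key and labels the assertion HS256 to say so.
STANDIN_KEY = b"constructed-demo-key-not-a-real-credential"
STANDIN_SIGNER = ("HS256", {}, lambda data: hmac.new(STANDIN_KEY, data, hashlib.sha256).digest())


def standin_verify(signing_input, signature):
    return hmac.compare_digest(hmac.new(STANDIN_KEY, signing_input, hashlib.sha256).digest(), signature)
```

The practical difference between the two credential forms is what a compromised request log gives an attacker: a client_secret is reusable until rotated, while an assertion is bound to one token endpoint, expires within minutes and, with the jti cache, cannot be presented twice, so the private key never leaves the WebApp.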