Microsoft Tech Summit 2017 本情報の内容(添付文書、リンク先などを含む)は、Microsoft Tech Summit 2017 開催日(2017 年 11 月 8日 -9 日)時点のものであり、予告なく変更される場合があります。
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
![Page 1: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/1.jpg)
Microsoft Tech Summit 2017本情報の内容(添付文書、リンク先などを含む)は、Microsoft Tech Summit 2017 開催日(2017 年 11 月 8日 - 9 日)時点のものであり、予告なく変更される場合があります。
![Page 2: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/2.jpg)
Azure AD を使用して、
ここを誰から、どう守るか?
![Page 3: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/3.jpg)
![Page 4: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/4.jpg)
PowerShell
https://testpsfunction.azurewebsites.net/api/HttpTriggerPowerShell1?code=
TvXkdY2WKsev/wFkpyik09RZosbMmNsAe0gg8G3Tpsb8uV28BodA4Q==
Functions Key
![Page 5: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/5.jpg)
![Page 6: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/6.jpg)
PowerShell
![Page 7: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/7.jpg)
Multitenant 設定
PowerShell
![Page 8: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/8.jpg)
➢Function Key
URL は外部から隠ぺい
![Page 9: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/9.jpg)
![Page 10: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/10.jpg)
今回のターゲット
![Page 11: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/11.jpg)
![Page 12: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/12.jpg)
B2C
![Page 13: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/13.jpg)
![Page 14: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/14.jpg)
API
![Page 15: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/15.jpg)
APIAzure APIManagement
Application
Subscription Key
https://xxxxxxxxx.portal.azure-api.net/signin-aad
![Page 16: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/16.jpg)
![Page 17: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/17.jpg)
③ ユーザーIDやロールによって API に対する権限を変えたい
![Page 18: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/18.jpg)
APIAzure APIManagement
Application
![Page 19: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/19.jpg)
<tenant ID>
<tenant ID>
<tenant ID>
![Page 20: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/20.jpg)
• validate-jwt : JWT を検証して操作を承認する
➢ RS256 署名アルゴリズム ー OpenID 構成エンドポイントからキーを受け取る
• 認証ポリシー
https://docs.microsoft.com/ja-jp/azure/api-management/api-management-policy-reference
![Page 21: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/21.jpg)
<policies>
<inbound>
<base />
<rewrite-uri template="/HttpTriggerPowerShell1?code=TvXkdY2WKsev/wFxxxxx==&name={username}" />
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
![Page 22: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/22.jpg)
・・・・
<inbound>
<base />
<rewrite-uri template="/HttpTriggerPowerShell1?code=TvXkdY2WKsev/wFxxxxx==&name={username}" />
<validate-jwt
failed-validation-error-message="Unauthorized. Access token is missing or invalid."
failed-validation-httpcode="401" header-name="Authorization">
<openid-config url=“https://login.microsoftonline.com/テナントURL/.well-known/openid-configuration" />
<audiences><audience>チェックしたいアプリケーションのクライアントID</audience>
</audiences>
<required-claims><claim name=“チェックしたいクレーム名" match="all">
<value>クレーム内の値</value>
</claim>
</required-claims>
</validate-jwt>
<inbound>・・・・
![Page 23: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/23.jpg)
<validate-jwt failed-validation-error-message="Unauthorized. Access token is missing or
invalid." failed-validation-httpcode="401" header-name="Authorization">
<openid-config
url="https://login.microsoftonline.com/pharaojp.onmicrosoft.com/.well-known/openid-
configuration" />
<audiences>
<audience>e55757f2-92ba-4422-8aa1-2ed25cbeece2</audience>
</audiences>
<required-claims>
<claim name="name" match="all">
<value>admin</value>
</claim>
</required-claims>
</validate-jwt>
![Page 24: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/24.jpg)
![Page 25: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/25.jpg)
![Page 26: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/26.jpg)
![Page 27: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/27.jpg)
IdPに応じた
プロトコルを実装
![Page 28: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/28.jpg)
APIAzure APIManagement
Application
![Page 29: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/29.jpg)
基本的に、プロトコルは意識しない
![Page 30: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/30.jpg)
a
preview
preview
OIDC/OAuth2.0 で実装
![Page 31: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/31.jpg)
a
preview
preview
Identity Experience Framework• SAML 2.0• OAuth 2.0• OIDC
Preview
Identity Experience Framework• SAML 2.0• OAuth 2.0• OIDC
Preview
![Page 32: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/32.jpg)
![Page 33: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/33.jpg)
![Page 34: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/34.jpg)
![Page 35: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/35.jpg)
c9687145-xxxx-xxxx-xxxxxxxxxxxx
![Page 36: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/36.jpg)
![Page 37: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/37.jpg)
.auth/login/aad/callback を追加
![Page 38: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/38.jpg)
![Page 39: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/39.jpg)
![Page 40: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/40.jpg)
![Page 41: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/41.jpg)
テナントID
控えておいた「アプリケーションID」を入力
https//sts.windwos.net/<テナントID>
![Page 42: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/42.jpg)
https://testpsfunction.azurewebsites.net/api/HttpTriggerPo
werShell1?code=TvXkdY2WKsev/wFkpyik09RZosbMmNsAe
0gg8G3Tpsb8uV28BodA4Q==
![Page 43: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/43.jpg)
![Page 44: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/44.jpg)
![Page 45: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/45.jpg)
![Page 46: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/46.jpg)
![Page 47: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/47.jpg)
![Page 48: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/48.jpg)
![Page 49: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/49.jpg)
![Page 50: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/50.jpg)
![Page 51: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/51.jpg)
![Page 52: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/52.jpg)
![Page 53: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/53.jpg)
![Page 54: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/54.jpg)
![Page 55: [Japan Tech summit 2017] SEC 009](https://reader031.cupdf.com/reader031/viewer/2022022415/5a6479087f8b9a27568b4759/html5/thumbnails/55.jpg)
Related Documents
![[Japan Tech summit 2017] SEC 004](https://static.cupdf.com/doc/110x72/5a6479027f8b9a52568b465f/japan-tech-summit-2017-sec-004.jpg)
![[Japan Tech summit 2017] SEC 010](https://static.cupdf.com/doc/110x72/5a64797e7f8b9a63568b4629/japan-tech-summit-2017-sec-010.jpg)