So, you wanna build a SSO?
Case study and technology review
Piotr Benetkiewicz
Agenda
Take 1: Custom STS
• Architecture
• Protocol
• Demo
• Conclusions
Take 2: Azure AD
• Architecture
• Protocol
• Demo
Future
Architecture
Requirements
• Legacy user store, proxying On-Premise AD
• Superadmins: managers of App and other supporting services
  • Managing access to up to 10 resources
• App admins: access to /reports
  • Typically access to all apps in /org
• Users of apps
  • Out of scope
Let’s write our own STS
• Custom STS on top of the Legacy User Store
• WS-Fed, WIF based
• Very little custom code needed
• Ability to add claims STS-side
  • Resource = Url = Claim
WS-Fed
Custom STS Architecture
Demo
Custom STS and Relying Party
Custom STS conclusions
• Dev perspective - nice, clean and explicit
• Certs nightmare
• Custom implementation??? Lack of trust.
• Veto
• Hmm… We might have Azure AD for Office 365, let’s use Azure!
New Architecture
• Azure AD synced with On-Premise AD for “Admin” identities
• Another Azure AD for sign-up (public)
• Azure groups. Group = URL = Access
• Graph API
OAuth2 and OpenID Connect
Demo
• Adding Azure AuthN to simple MVC app
• Azure portal environment overview
• Graph API and other “gotchas”
Azure AD B2C conclusions
Lots of “gotchas”
• Sliding expiration
• Missing cookies (Old stack vs. Owin Stack)
• JSON manifest setup
• Groups-Claims overflow
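The “Group = URL = Access” idea from the Azure AD architecture (and “Resource = Url = Claim” from the custom STS) together with the “Groups-Claims overflow” gotcha, as an added example that is not part of the deck or its demo code. Azure AD omits the `groups` claim when a user belongs to too many groups and emits an overflow marker instead (`_claim_names`/`_claim_sources` in v1 JWTs, `hasgroups` in v2 implicit-flow tokens), so an app that keys access on groups must fall back to a Graph API membership query or it silently denies its busiest admins. Python is used here instead of the deck’s .NET stack; the URL-to-group mapping, the group object ids, the sample token payloads and the Graph stub are all constructed placeholders, and the token is assumed to have been validated (signature, issuer, audience, expiry) by the middleware before its claims reach this code.

```python
"""Authorize a request by mapping its URL to an Azure AD group and checking
the validated token's claims, handling the group-claim overflow case.
Added example (not the deck's code); every id below is a constructed placeholder."""
from typing import Any, Callable, Dict, FrozenSet, Iterable, Mapping, Optional

# Constructed mapping mirroring the deck's "Group = URL = Access":
# URL prefix -> object id of the Azure AD group that grants access to it.
RESOURCE_GROUPS: Dict[str, str] = {
    "/reports": "grp-reports-placeholder",
    "/org": "grp-org-placeholder",
}


def find_required_group(path: str,
                        resource_groups: Mapping[str, str] = RESOURCE_GROUPS) -> Optional[str]:
    """Longest-prefix match on whole path segments, so "/reportsx" does not
    inherit the access rule of "/reports". Returns None for unmapped URLs."""
    best: Optional[str] = None
    best_len = -1
    for prefix, group in resource_groups.items():
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            if len(prefix) > best_len:
                best, best_len = group, len(prefix)
    return best


def token_indicates_overflow(claims: Mapping[str, Any]) -> bool:
    """True when Azure AD left the `groups` claim out because the user is in
    too many groups (roughly 150 for SAML, 200 for JWT). v1 JWTs carry the
    marker in `_claim_names`/`_claim_sources`; v2 implicit-flow tokens set
    `hasgroups`. Either way the membership has to come from the directory."""
    names = claims.get("_claim_names") or {}
    return "groups" in names or bool(claims.get("hasgroups"))


def resolve_groups(claims: Mapping[str, Any],
                   graph_lookup: Callable[[str], Iterable[str]]) -> FrozenSet[str]:
    """Group ids the token proves, or, on overflow, the ids the Graph API reports.
    `graph_lookup` is an injected wrapper around a membership query keyed on the
    user's object id (`oid`); a missing `groups` claim without an overflow
    marker simply means no group access."""
    if token_indicates_overflow(claims):
        return frozenset(graph_lookup(claims["oid"]))
    return frozenset(claims.get("groups", ()))


def is_authorized(path: str, claims: Mapping[str, Any],
                  graph_lookup: Callable[[str], Iterable[str]]) -> bool:
    """Deny by default: an unmapped URL is not granted to anyone; a mapped URL
    requires membership of exactly the group registered for it."""
    required = find_required_group(path)
    if required is None:
        return False
    return required in resolve_groups(claims, graph_lookup)


# Constructed sample token payloads (post-validation claim sets).
NORMAL_TOKEN: Dict[str, Any] = {
    "oid": "user-1-placeholder",
    "groups": ["grp-reports-placeholder"],
}
OVERFLOW_TOKEN: Dict[str, Any] = {
    "oid": "user-2-placeholder",
    # Shape of the v1 overflow marker; the endpoint value is a placeholder.
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.example/<tenant>/users/user-2/getMemberObjects"}},
}

# Constructed stand-in for the Graph API membership query.
_FAKE_DIRECTORY: Dict[str, FrozenSet[str]] = {
    "user-2-placeholder": frozenset({"grp-org-placeholder"}),
}


def fake_graph_lookup(oid: str) -> FrozenSet[str]:
    return _FAKE_DIRECTORY.get(oid, frozenset())


if __name__ == "__main__":
    for path, token in [("/reports/q1", NORMAL_TOKEN), ("/org/app1", NORMAL_TOKEN),
                        ("/org/app1", OVERFLOW_TOKEN), ("/reports", OVERFLOW_TOKEN)]:
        print(path, token["oid"], "overflow" if token_indicates_overflow(token) else "inline",
              "ALLOW" if is_authorized(path, token, fake_graph_lookup) else "DENY")
```

The overflow fallback is what makes the gotcha harmless: without it the second user, who is only a member of the group granting /org, would be denied even though the directory says otherwise. Keep the Graph call behind an injected function so it can be cached per request and so the authorization check stays testable offline.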
Future
• Machine to machine scenario
• Integration processes
• Sign up
  • B2C Policies