WS-Federation was developed by an industry consortium and was released in December 2006, with Microsoft being a key contributor. WS-Federation is also part of a larger framework, WS-Security, and builds on the work of WS-Trust from February 2005, defining the following two key principles:

It also defines two profiles:

WS-* Federation Suite consists of:

In the next section, we will describe the key elements of the WS-Federation specification.

In simple words, authentication is the act of proving who you are, whereas authorization is the act of determining what you can do. OAuth 2.0 is about delegated authorization and not about authentication. It is not a protocol, it's an authorization framework defined in the RFC 6749, The OAuth 2.0 Authorization Framework. This can be confusing because there are many cases in which you use OAuth 2.0 to log in to a client web application.

The authentication process must end by figuring out and validating the identity of the end user, but OAuth doesn't do that. OAuth provides time-based tokens, which can be used to access a resource on behalf of the end user without providing any identity information about the end user.

OAuth 2.0 is the existing standard for API security and is a major breakthrough in identity delegation.

OIDC was established as a standard by its membership in February 2014. OIDC provides a lightweight framework for identity interactions in a RESTful manner. The specification was developed under the OpenID Foundation and has its roots in OpenID; it was greatly affected by OAuth 2.0, because that specification was not intended for authentication. Microsoft was also a co-author of the OIDC specification.

Key facts about OIDC

It defines the following identity layers on top of OAuth 2.0:

• It uses two OAuth 2.0 flows:
  • Authorization code flow
  • Implicit flow
• Adds an ID token to OAuth 2.0 exchange
• Adds the ability to request claims using an OAuth 2.0 access token

The following roles are used:

• OpenID Connect Provider (OP): Authorization server issues the ID token
• Relying Party: Client application that requests the ID token
• ID token: Issued by the OP
• Claim: Information about the user

The following figure shows the OpenID Connect flow:

OpenID Connect flow

The flow runs with the following steps...

Azure AD pass-through authentication provides an alternative to the Azure AD password hash synchronization and a local ADFS infrastructure if all claims-based applications are connected to the Azure AD. Microsoft offers with this service the capabilities to reduce the on-premise complexity and operations of ADFS. Furthermore, in combination with the password hash synchronization, customers get a redundant and flexible authentication environment. You are also able to include password protection features for your local Active Directory.

Pass-through authentication supports the Azure AD conditional access policies, Azure MFA, and the blocking of legacy authentications to secure your organization's or customer environment. The communication of the on-premise agent and the Azure AD service is protected with certificate authentication. The feature can support multi forest infrastructures if forest trusts are enabled and the UPN-suffix routing is configured...

Protecting sensitive information or application access with additional authentication is an important task, not just in the on-premise world. In particular, it needs to be extended to every sensitive cloud service used. There are a lot of variations for providing this level of security and additional authentication, such as certificates, smart cards, or biometric options. For example, smart cards depend on special hardware used to read the smart card and cannot be used in every scenario without limiting the access to a special device or hardware. The following table gives you an overview of different attacks and how they can be mitigated with a well-designed and implemented security solution:

Summary

---

Working through the chapter and the given references, you have worked through many aspects and practical examples of the most important authentication protocols. We have tried to provide you with a very crisp reference card with much valid additional information about this topic. You should be able to use WS-Federation, SAML, OAuth 2.0, and OIDC in your design or configuration work for customers or your own organization. As already mentioned at the beginning of the chapter, we will use the knowledge in the upcoming chapters.

In the next Chapter 7, Deploying Solutions on Azure AD and ADFS, we start to work on it directly!

The rest of the chapter is locked

Unlock this book and the full library FREE for 7 days

Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of

Renews at £13.99/month. Cancel anytime

Start free trial

Previous Chapter

Chapter 11 of 23

Next Chapter

You have been reading a chapter from

Mastering Identity and Access Management with Microsoft Azure - Second Edition

Published in: Feb 2019Publisher: PacktISBN-13: 9781789132304

© 2019 Packt Publishing Limited All Rights Reserved

Register for a free Packt account to unlock a world of extra content!

A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.

Sign up now

undefined

Unlock this book and the full library FREE for 7 days

Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of

Start free trial

Renews at £13.99/month. Cancel anytime

Author (1)

Jochen Nickel

Jochen Nickel is a Cloud, Identity and Access Management Solution Architect with a clear focus and in-depth technical knowledge of Identity and Access Management. He is currently working for inovit GmbH in Switzerland leading and executing projects in the field of Identity and Access Management including Data Classification and Information protection. Jochen is focused on Microsoft Technologies, especially in the Enterprise Mobility + Security Suite, Office 365 and Azure. He is an established speaker at many technology conferences like Azure Bootcamps, TrustInTech Meetups or the Experts Live Switzerland and Europe.
Read more about Jochen Nickel

Other recommended products

Related to this chapter

Active Directory Administration Cookbook

Active Directory and Azure Active Directory offer centralized administration possibilities to automate network, security and access management in Microsoft-oriented environments. This book will help you in deploying, administering, and automating Active Directory through a recipe-based approach.

BookMay 2019620 pages

Identity with Windows Server 2016: Microsoft 70-742 MCSA Exam Guide

This practical guide covers Identity with Windows Server 2016: 70-742 exam objectives required for MCSA: Windows Server 2016 certification.

BookJan 2019232 pages

Microsoft 365 Security Administration: MS-500 Exam Guide

MS-500: Microsoft 365 Security Administration offers complete, up-to-date coverage of the MS-500 exam so you can take it with confidence, fully equipped to pass the first time.

BookJun 2020672 pages

Microsoft 365 Mobility and Security - Exam Guide MS-101

The MS-101 exam is part of the Microsoft 365 Certified: Enterprise Administrator Expert certification path in which users learn to evaluate, plan, migrate, deploy, and manage Microsoft 365 services. This book offers complete, up-to-date coverage of the MS-101 exam so you can take them with confidence, fully equipped to pass the first time.

BookNov 2019312 pages

Mastering Active Directory

Identity is key for any infrastructure, no matter the size. Active Directory Domain Services provide the ability to manage elements in an infrastructure, such as attributes, resources, and privileges. Using them in an effective manner will help organizations manage their infrastructure in a secure, productive, and efficient way. The vision behind this book is to help professionals gain the knowledge to address modern identity infrastructure challenges in enterprises.

BookAug 2019786 pages

Managing Microsoft Teams: MS-700 Exam Guide

Managing Microsoft Teams: MS-700 Exam Guide offers complete, up-to-date coverage of the exam course content to help you pass with confidence. With this book, you will learn the steps of how to plan for a Microsoft Teams deployment within a business environment and manage Teams administrative functions on a day-to-day basis.

BookFeb 2021452 pages

Implementing Microsoft Azure Infrastructure Solutions: Exam Guide 70-533

This book focuses on skills and knowledge for provisioning and managing services in Microsoft Azure. This includes implementing infrastructure components such as virtual networks, virtual machines, containers, web and mobile apps, storage, planning and managing Azure AD and configuring Azure AD integration with on-premises Active Directory domains.

BookAug 2018516 pages

Architecting Microsoft Azure Solutions - Exam Guide 70-535

This study guide includes all the topics that are still relevant from the previous 70-534 exam, updated with the latest features like Artificial Intelligence, IoT, and architecture styles. This guide will help Azure Architects, Developers or anyone interested in designing and implementing effective Cloud architecture strategies.

BookApr 2018418 pages

Mastering Active Directory

Identity is key for any infrastructure, no matter the size. Active Directory Domain Services enable you to manage infrastructure elements, such as attributes, resources, and privileges, in a secure, productive, and efficient way. This book will help you develop the skills required to address modern identity infrastructure challenges in enterprises.

BookJun 2017742 pages

Microsoft Azure Administrator – Exam Guide AZ-103

Microsoft Azure Administrator- Exam Guide AZ-103 is a complete guide that will help you master topics related to Azure administrator practices. Using this guide, you will have all the information required to ace the AZ-103 exam and become a Microsoft Azure administrator expert.

BookMay 2019452 pages

Microsoft 365 Certified Fundamentals MS-900 Exam Guide

Microsoft? ?365? ?Certified? ?Fundamentals certification demonstrates your knowledge of cloud services in general and the SaaS cloud model. This MS-900 exam guide, filled with practice questions, exam patterns, and mock tests, will help help you pass the exam on the first go and get to grips with adopting core Microsoft 365 services and cloud concepts.

BookFeb 2020342 pages

Mastering Azure Security

Mastering Azure Security enables you to implement top-level security in your Azure tenant. With a focus on cloud security, this book will look at the architectural approach on how to design your Azure solutions to keep and enforce resources secure.

BookMay 2020262 pages

Personalised recommendations for you

Based on your interests and search pattern

Et al.

Ever wonder why speech recognition systems don't understand the Scottish accent, or what would happen if an astronaut only ate mac 'n' cheese, or other spurious reflections you'd have at a bar? We did, then collated those deliberations into absurd research articles with fake figures and methodologies inspired by even more fictionally absurd studies.

BookAug 2023230 pages5

Generative AI with LangChain

This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.

BookDec 2023360 pages4

Generative AI with LangChain

This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.

BookDec 2023360 pages5

Generative AI with LangChain

This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.

BookDec 2023360 pages1

Generative AI with LangChain

This book is a comprehensive introduction to LLMs and LangChain, demystifying the basic mechanics of LangChain, its functionalities, and the myriad of applications it can be integrated into.

BookDec 2023360 pages5

Mastering Tableau 2023

This book is a comprehensive resource to mastering your Tableau skills and becoming a BI expert. As you progress, you will learn how to build advanced dashboards and improve your storytelling to derive key business insight, as well as make you well-versed with advanced functionalities of Tableau in the business intelligence domain.

BookAug 2023684 pages

Building AI Applications with ChatGPT APIs

This guide covers all ChatGPT API features for effortless creation of robust AI powered apps. With its help, you’ll be able to leverage ChatGPT’s cutting-edge NLP models to take your app development skills to the next level. You’ll also work on ten exciting projects that will give you the practical know-how that you can apply to your existing applications.

BookSep 2023258 pages5

Building AI Applications with ChatGPT APIs

This guide covers all ChatGPT API features for effortless creation of robust AI powered apps. With its help, you’ll be able to leverage ChatGPT’s cutting-edge NLP models to take your app development skills to the next level. You’ll also work on ten exciting projects that will give you the practical know-how that you can apply to your existing applications.

BookSep 2023258 pages2

Data Engineering with AWS

Embark on a journey to master data engineering pipelines on AWS! Our book offers a hands-on experience of AWS services for ingesting, transforming, and consuming data. Whether you're an absolute beginner or someone with basic data engineering experience, this guide is an indispensable resource.

BookOct 2023636 pages5

Modern Data Architecture on AWS

Every organization wants an agile, performant, and cost-effective data platform that meets all their current and future business needs. Purpose-built AWS analytics services and their features play a big part in building such a modern data platform. This book brings to you all the design and architectural patterns that’ll help you achieve this goal.

BookAug 2023420 pages5

Practical Guide to Applied Conformal Prediction in Python

Discover the power of Conformal Prediction with the "Practical Guide to Applied Conformal Prediction in Python." Master the latest techniques to quantify uncertainty in machine learning and computer vision models, and seamlessly apply them to your industry applications.

BookDec 2023240 pages

TinyML Cookbook

With over 70 project-based recipes, the TinyML Cookbook is a practical guide that will help you to get the most out of your microcontrollers. It provides a comprehensive understanding of the theoretical foundations while giving you hands-on experience training ML models for deployment on Arduino Nano 33 BLE Sense, Raspberry Pi Pico, and SparkFun RedBoard Artemis Nano microcontrollers.

BookNov 2023664 pages

Attacker	Possible security solution
Password brute force	Strong password policies
Shoulder surfing Key or screen logging	One-time password solution
Phishing or pharming	Server authentication (HTTPS)
Man-in-the-Middle Whaling (Social engineering)	Two-factor authentication Certificate...