You're reading from Cloud Identity Patterns and Strategies

Product type: Book
Published in: Dec 2022
Publisher: Packt
ISBN-13: 9781801810845
Edition: 1st Edition

Authors (2):

Giuseppe Di Federico

Giuseppe Di Federico started working for Microsoft in 2011, with previous experience working for IBM and Accenture in software development. He became an architect for cloud and hybrid solutions, serving customers in more than 10 countries across EMEA. He had the opportunity to lead multicultural teams, visit many multinational customers, and learn about different cultures, mindsets, and assets, which enabled him to also appreciate how organizations' structures impact their results. During his experience, he has been able to appreciate many identity patterns designed to last, to be reliable and secure. In June 2022, he accepted the challenge to join a new leading-edge team for the greatest service company in Italy.

Fabrizio Barcaroli

Fabrizio Barcaroli (born in 1987) started his career as a consultant in Italy after obtaining a master's degree in computer science in 2012. In 2013, Fabrizio joined Microsoft as part of the Microsoft Consulting Services unit, where he developed his technical skills and helped customers achieve their business goals through the usage of Microsoft technologies. With the rise of the cloud era, Fabrizio specialized in cloud and identity solutions, and in 2020, he became a cloud solution architect, a technical advisor that helps close the gap between business needs and Microsoft technologies for big enterprises operating in the manufacturing, finance, and retail markets in Italy and across the globe.

Real-World Identity Provider – A Zoom-In on Azure Active Directory

In previous chapters, we went through a theoretical overview of how modern authentication protocols work and how they can simplify the way that users interact with an application. We analyzed the pros and cons of each authentication flow that these protocols provide, how they fit into the modern application landscape from a technical perspective, and the main challenges that an enterprise faces every day in the real world.

Having shared a list of the most famous identity providers that can be found on the market today, we would like to take a deep dive into one of them: Azure Active Directory (AAD).

In this chapter, we will explain many of the features that AAD offers, starting with the features that relate to the implementation of the underlying authentication protocols that we now know and understand. Then, we will go ahead with a list of features that have been built on top of the basic identity provider...

An overview of AAD

AAD is a unique identity and access management service and unified control plane solution that provides authentication, authorization, and security capabilities to all of Microsoft’s first-party cloud solutions, such as Azure, Microsoft 365, and Dynamics 365, and a plethora of third-party applications. Third-party developers can easily publish their applications into the AAD Gallery (and hundreds already have) to allow AAD administrators to seamlessly integrate applications into their enterprise and grant access to end users. If an application cannot be found in the gallery, the application can be manually added to an AAD tenant leveraging the underlying authentication protocols’ implementation.

AAD users can use single sign-on (SSO) to access all AAD applications so that they are not forced to re-enter their credentials each time they access a new application: an administrator can configure which applications a user or a group of users needs to...

AAD basics

AAD is a globally distributed identity and access management service organized so that each customer that would like to start using it can create their own separate and isolated instance, which is also referred to as a tenant. Each AAD tenant has a unique GUID and a unique tenant name that is written in the following format: tenantname.onmicrosoft.com. The tenant name is also called the default domain of the tenant.

Before diving into the description of the AAD objects, it is worth refreshing the concept of a security principal. It’s common to encounter the concept of security principals when talking about identity. In simple terms, a security principal can be defined as any entity that can be authenticated, that can be assigned permissions to do something, and that can be the target of a permission. Typical examples of security principals are users and groups.

AAD provides the ability to create and orchestrate the interactions of different types of objects...

Supported authentication protocols

AAD supports several authentication methods. Here’s the complete list at the time of writing:

  • Header-based authentication: This authentication pattern, which involves forwarding HTTP headers from a client application to a destination web application, is supported only when using the AAD Application Proxy service. AAD Application Proxy is a service that comprises two distinct components, one running in the cloud and one running on-premises (by means of a connector), that allows us to publish to the internet on-premises applications that still rely on legacy authentication protocols.
  • LDAP authentication: Support for LDAP authentication is provided only through AD DS, which is a component, briefly described in the previous chapter, that must be deployed within an Azure Virtual Network and leverages identities that come from the synchronization of on-premises Active Directory forests. AD DS is useful in specific...

Registering and configuring applications

In the AAD basics section, we analyzed the twofold nature of an application in AAD. We know that an application has a definition that lives in the home tenant (the tenant where it has been effectively created) and a service principal, which is an instance of an application definition that can live both in the home tenant and within an external AAD tenant, where it will be created as a dedicated new instance. The service principal inherits the application definition permissions and applies them to the resources that live in the same tenant where it has been instantiated.

AAD provides several ways to manage its services:

The examples that will be described in this paragraph use the Microsoft Entra admin center, which has been released recently and still has...

Additional features

On top of all the authentication capabilities that AAD provides as an implementation of the OAuth 2.0/OIDC specifications, AAD has built a set of management and security features that ease the tasks of both governing identities and their life cycles and securing access to the assets protected by AAD, such as applications and the data behind them. In this section, we will give you an overview of these features. Some of them require additional licensing (AAD Premium 1 and 2) in order to be used.

Conditional Access

Conditional Access is a security feature that can decide to grant or block a user from accessing AAD-federated applications according to specific conditions that are evaluated during a user’s authentication attempt.

The Conditional Access feature consists of creating policies where an administrator can define the conditions that trigger the policy and the actions that AAD must perform when those conditions are satisfied.

A Conditional...
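To make the conditions-and-actions structure of a policy concrete, here is a small evaluation model added as an illustration; it is not code from the book or from AAD itself. The policy, user, group and application names are constructed, and the evaluation rule (a block from any matching policy wins, otherwise every control required by every matching policy must already be satisfied) is an assumed simplification of how such policies combine.

```python
from dataclasses import dataclass

# Constructed, simplified model of Conditional Access evaluation (not AAD's own engine).
@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset
    app: str
    trusted_location: bool
    device_compliant: bool
    mfa_satisfied: bool

@dataclass(frozen=True)
class Policy:
    name: str
    users: frozenset                 # user or group names; {"*"} targets everyone
    apps: frozenset                  # application names; {"*"} targets every app
    exclude_users: frozenset = frozenset()
    only_untrusted_locations: bool = False
    action: str = "grant"            # "block", "require_mfa" or "require_compliant_device"

    def applies(self, s: SignIn) -> bool:
        """Conditions: the sign-in must match scope, app and location, and not be excluded."""
        if s.user in self.exclude_users:
            return False
        in_scope = "*" in self.users or s.user in self.users or bool(self.users & s.groups)
        app_match = "*" in self.apps or s.app in self.apps
        loc_match = not self.only_untrusted_locations or not s.trusted_location
        return in_scope and app_match and loc_match

def evaluate(policies, s: SignIn):
    """Return (decision, policy names). A block from any matching policy wins; otherwise
    every control required by every matching policy must already be satisfied."""
    matched = [p for p in policies if p.applies(s)]
    blocks = [p.name for p in matched if p.action == "block"]
    if blocks:
        return "block", blocks
    unmet = [p.name for p in matched
             if (p.action == "require_mfa" and not s.mfa_satisfied)
             or (p.action == "require_compliant_device" and not s.device_compliant)]
    if unmet:
        return "interrupt", unmet    # the user is challenged for the missing control
    return "grant", [p.name for p in matched]

# Constructed sample policies in the spirit of the section above.
POLICIES = [
    Policy("Block contractors from finance-app", frozenset({"contractors"}), frozenset({"finance-app"}), action="block"),
    Policy("MFA outside trusted locations", frozenset({"*"}), frozenset({"*"}), only_untrusted_locations=True, action="require_mfa"),
    Policy("Compliant device for admins", frozenset({"admins"}), frozenset({"*"}), exclude_users=frozenset({"break-glass"}), action="require_compliant_device"),
]
```

Note the exclusion on the last policy: a dedicated emergency account is commonly kept out of device-compliance policies so that a misconfigured policy cannot lock every administrator out, which is why the exclusion is evaluated before any other condition.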

Summary

In this chapter, we’ve seen how OAuth 2.0/OIDC concepts are implemented in a real identity provider, AAD. We’ve seen how all the different parts of the protocols can be configured in AAD, including redirect URIs, secrets, flows, and tokens. The purpose of this chapter was to give an overview of how a commercial identity provider, at the end of the day, effectively implements a standard authentication protocol so that you can easily navigate the same concepts in other identity providers too.

In the next chapter, we are going to focus on real-world scenarios, starting with a holistic view of the identity challenges a company needs to deal with, going through the many implications the identity strategy has within a company, and going in depth to see the anatomy of a cloud-born application.

Figure 8.12 – AAD protocol endpoints

Enterprise applications

When an application is registered (defined) in the App registrations...
