A few months ago I did a post on using PHP to connect to the Azure management API, and a week ago I did a demo on how to secure a “classic” webapp with Azure Active Directory. Today we’ll look at how to secure a single page webapp with Azure Active Directory. For today’s post I’ll be using two webapps ;
- Front end ; a small webapp based on AngularJS
- Backend ; also a small webapp, this one based on PHP, which will serve the API calls made by the front end
Why does this kind of setup differ from a “classic” approach? With single page apps we see a very clear segregation between backend & front end. When backend & front end are combined, we often see simpler mechanisms, typically based on server-side session information. When the two are clearly separated, every call to the backend must be authenticated on its own… I’ve often seen the mistake where organizations only protect the front end, as this is where the user logs in, and forget to secure the backend API… An unsecured API means that everyone who can reach that API can retrieve (or delete/adjust) the data it serves, no matter what the front end enforces. Let that one sink in!
Flow of the day
So what will we be doing today?
- A user access our front end
- If the user is not authenticated, (s)he will be redirected to Azure Active Directory (AAD) to login
- AAD will (on success) redirect back with a signed token (a JWT)
- We’ll inject this token as a bearer token into the calls made to the backend (to prove your identity)
- The backend API will validate the token against the issuer (AAD) : check its signature with the signing keys AAD publishes, and check that the issuer, audience and expiry match what the backend expects
Continue reading “Single Page Webapp : How to secure your app and your API with Azure Active Directory”
In the previous post I showed you how you can protect any web app without altering code. Now what if you want to go a bit further in terms of authorization? Today we’ll take a look at this capability.
For today’s demo, I’ve created a small web app ;
Here we can see whether the Azure web app thinks we are logged in or not. It also gives us the opportunity to log in with an identity provider of our choice and afterwards to log out. In addition, you are shown all the header information the web app receives from the underlying platform (Azure Web Apps); these headers are how the platform passes the authenticated identity on to your code.
Continue reading “Demo : Azure Webapp Authentication Integration”
Sometimes we come across applications that need some basic form of protection, but (sadly enough) the code base does not allow for it. Today we’ll see how we can enable authentication / authorization on your web app -without- altering any code! We’ll configure this on the web app service itself, so the code does not notice anything of it.
Enable / Configure the Azure Active Directory Authentication
Let’s start by going to our web app and looking for the “Authentication / Authorization” section.
We’ll enable “App Service Authentication”. As we do not want anonymous visitors, we’ll select “Log in with Azure Active Directory” as the action to take when a request is not authenticated; this forces every visitor to log in before the request reaches the app. Next up we’ll configure Azure Active Directory ;
Continue reading “Protecting your webapp with Azure Active Directory WITHOUT adjusting any code…”
A few days ago it was announced that a Power BI content pack has been published for Azure Active Directory! So let’s take that one out for a spin today and see what it brings to the table.
Setting up the integration
This is one of the reasons I really like “cloud”! Integration has almost no entry barrier! Anyhow, in Power BI, click on “Get Data”.
Continue reading “Did anyone say Azure Active Directory reports in PowerBi?”
Last year, when I talked with customers during strategic roadmap exercises, I always conveyed one big message to them ;
“If you only have room in your budget for one project, then it’s <cloud identity>!”
The IT landscape is evolving at a pace none of us can manage… Really, you are not alone! Look at applications & cloud services: they are breeding faster than rats / mice / … Do you really want to manage one million (or more) directories? Because each application potentially has its own directory for authentication. And what happens when someone joins or leaves the company? Then we, as IT, would need to make alterations in each of those one million directories… Ohhhh my! So you really need an identity strategy!
Continue reading “Azure Active Directory Demystified”
Today we’ll be doing a post on how to integrate “Azure Active Directory” with my favorite Docker orchestration tool “Rancher“. A few months back I filed a request with the Rancher team (via GitHub) and it was added in the latest 1.1.0 release!
Authentication & Authorization
So what can we do with it? The first thing I want to point out is that in any identity process there are two conceptual aspects ;
- Authentication ; here you prove that you are really you… This can be done via user/password, certificates, … and so on.
- Authorization ; once your identity is known, you can be granted a given set of permissions (possibly grouped by role).
Why do I say this? It’s important to know that once you enable the AAD (Azure Active Directory) integration, AAD becomes responsible for the authentication part only. Rancher UI (or rather Rancher Server) remains responsible for the authorization part: who gets which permissions in Rancher is still decided in Rancher, not in AAD!
Identity Flow with the AAD integration
The following diagram shows how the flow goes…
Continue reading “Integrating Azure Active Directory with Rancher”