Single Page Webapp : How to secure your app and your API with Azure Active Directory

Introduction

A few months ago I did a post on using PHP to connect to the Azure management API. And a week ago I did a demo on how to secure a “classic” webapp with Azure Active Directory. Today we’ll look how to secure a single page webapp by using Azure Active Directory. For the post of today I’ll be using two webapps ;

  • Front end ; a small webapp based using AngularJS
  • Backend ; also a small webapp based on PHP, which will serve the API calls made from the front end

Why does this kind of setup differ from a “classic” approach? With single page apps, we see a very clear segregation of  backend & front end. When the backend & front end are combined, we often see more simple mechanisms used, often based on session information. When the two are clearly separated, we’ll need to authenticate to both individually… I’ve often seen the error where organizations just protect the front end, as this is where the user logs in. And they forget to secure the backend API… An unsecure API means that everyone who can access that API will be able to retrieve (or delete/adjust) the data served by that API. Let that one sink in!

 

Flow of the day

So what will we be doing today?

  1. A user access our front end
  2. If the user is not authenticated, (s)he will be redirected to Azure Active Directory (AAD) to login
  3. AAD will redirect (on success) with an authorization token
  4. We’ll inject this authorization token into the calls made to the backend (to prove your identity)
  5. The backend API will validate the authorization token and verify it against the issuer (AAD)

 

Continue reading “Single Page Webapp : How to secure your app and your API with Azure Active Directory”

Demo : Azure Webapp Authentication Integration

Introduction

In the previous post I showed you how you can protect any web app without altering code. Now what if you want to go a bit further in terms of authorization? Today we’ll take a look into this capability.

 

Demo Outline

For today’s demo, I’ve created a small web app ;

Here we can see if the azure web app thinks we are logged in or not. It also presents us with the opportunity to login to an identity provider of our choice and afterwards logout. In addition, you are presented with all the header information as the web app receives from the underlying platform (being Azure Webapps).

Continue reading “Demo : Azure Webapp Authentication Integration”

Protecting your webapp with Azure Active Directory WITHOUT adjusting any code…

Introduction

Sometimes we come across applications that needed some basic form of protection, but (sadly enough) the code base did not allow it. Today we’ll see how we can enable authentication / authorization on your web app, -without- altering any code! We’ll be doing this capability from the web app service itself, without the code noticing anything of this.
Enable / Configure the Azure Active Directory Authentication

Let’s start by doing to our web app and looking for the “Authentication / Authorization” section.

2017-03-01-14_27_51-authentication-_-authorization-microsoft-azure

We’ll enabling the “App Service Authentication”. As we do not want guests, we’ll select “Log in with Azure Active Directory” as a way to force authentication. Next up we’ll configure the Azure Active Directory ;

2017-03-01-14_28_04-authentication-_-authorization-microsoft-azure

Continue reading “Protecting your webapp with Azure Active Directory WITHOUT adjusting any code…”

Did anyone say Azure Active Directory reports in PowerBi?

Introduction

A few days ago an announcement was made that there a PowerBI content pack has been published for Azure Active Directory! So let’s take that one out for a spin today and see what it can bring to the table.

 

Setting up the integration

This is one of the reasons I really like “cloud”! Integration almost has no entry barrier! Anyhow, in PowerBi, click on “Get Data”.

2017-01-24-10_06_33-power-bi

Continue reading “Did anyone say Azure Active Directory reports in PowerBi?”

Azure Active Directory Demystified

Introduction

Last year when I talked with customers during strategic roadmap exercises, I always portrayed one big message to them ;

“If you only have room in your budget for one project, then it’s <cloud identity>!”

social-identity-theory

The IT landscape is evolving at a pace none of us can manage… Really, you are not alone! Looking towards applications & cloud services, they are breeding faster then rats / mice / … Do you really want to manage one million (or more) directories? Because each application potentially has its own directory for authentication. Please forgive us if anyone would either join or leave the company? Then we, as IT, would need to make alterations to those one million directories… Ohhhh my! So you really need an identity strategy!

Continue reading “Azure Active Directory Demystified”

Integrating Azure Active Directory with Rancher

Introduction

Today we’ll be doing a post on how to integrate “Azure Active Directory” with my favorite docker orchestration tool “Rancher“. A few months back I issued a request towards the Rancher team (via Github) and it was added in the latest 1.1.0 release!

 

Authentication & Authorisation

So what can we do with it? The first thing I want to point out that in any identity process, there are two conceptual aspects;

  • Authentication ; Here you provide a way to prove that you are really you… This can be done via user/pass, certificates, … and so on.
  • Authorization ; Once your identity has been known, you can be granted with a given set of permissions (maybe grouped by role).

Why do I say this? It’s important to know that once you enable the AAD (Azure Active Directory) integration, this part will become responsible for the authentication part. Rancher UI (or Rancher Server) will remain responsible for the authorization part!

 

Identity Flow with the AAD integration

The following diagram will show you how the flow goes…

kvaes-rancher-azure-active-directory-integration

Continue reading “Integrating Azure Active Directory with Rancher”