Extending Your Azure Active Directory – Part 2

In the previous post we built a web app that would let us add a custom attribute to our Active Directory tenant in Azure AD, and manipulate the value of this attribute on a per-user basis. If you haven’t read the previous article I strongly suggest going back and doing so, or this might not make much sense 🙂

In this part I’m going to build another app that will use the information the first app provisioned into Azure AD. The first app let me register YubiKeys, and this app will let me authenticate users based on those keys. The code is fully functional without the physical keys, so you will be able to follow along even if you don’t have one in your hand.

This app could have been implemented as a Windows Phone app, an Android app, or what have you really, but to make it available for all scenarios without too much fuss I’m building it as a web app. (Which is an entirely plausible use case on its own merits.)


Extending Your Azure Active Directory – Part 1

I don’t know about you, but I use Microsoft Azure all the time (it’s not called Windows Azure any longer). Not for everything I do, I still have servers at home and at work, but if I need to deploy something to "the cloud" that cloud is often Azure. One of the features in Azure I’ve taken a liking to recently is Azure Active Directory, which lets you either extend your current on-premises AD or set up a cloud-only AD. Since this AD provides APIs as well as the management UI you would expect, you get the benefit of not having to implement a separate identity system for the things you create, and users can reuse the credentials they already have instead of having to remember multiple logins.

The general workings of Azure AD may be familiar to you already, so I’m not going to do an introduction on how to get started with it. If it doesn’t ring a bell, check out Microsoft’s site:
http://azure.microsoft.com/en-us/services/active-directory/

To follow along with this article you will need access to an Azure AD tenant. It doesn’t matter if it’s cloud-only or the full DirSync experience; the code stays the same.

When you break it down to the basics you could say that Active Directory is just a database. For a long time it’s been possible to use AD as a database by "extending the schema", but if you’ve ever tried to convince a sysadmin that "hey, my app wants to put extra stuff into your directory" you will know that’s a pretty tough sell. (I am equally hard to convince if an app I didn’t create wants to insert config data into my AD, so I don’t blame the admins.)

Microsoft recently introduced a new feature called "Directory Extensions" to Azure Active Directory. It’s still only in preview, but that’s not a problem as far as introducing it to the lab is concerned 🙂 These extensions live exclusively in the cloud (whether this will change later on I do not know), so they do not get synced back to your on-prem AD.

A blog post from the AAD Graph Team should give you an idea:
http://blogs.msdn.com/b/aadgraphteam/archive/2014/03/06/extend-azure-active-directory-schema-using-graph-api-preview.aspx

Graph API is the term for the RESTful interface that developers use to access Azure Active Directory tenants; you don’t get to talk directly to the underlying files that make up the directory 🙂

The idea is that your app might be in possession of data that it would make sense to attach directly to the user object in the identity directory, and/or data that might be of interest to other apps. This data should be inserted into, and extracted from, Active Directory in a manner that doesn’t interfere with the directory’s internals or break anything.

It’s not necessarily easy at first glance to understand what this feature could be used for, or how it works, so I thought I’d try to create a walkthrough where I implement a simple scenario to illustrate what you can leverage these extensions for.
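To make the naming concrete before the walkthrough, here is an added example (not code from this post, and not a Graph API client library) that builds the bodies and attribute name the Azure AD Graph API uses for a directory extension, and extracts the part of a YubiKey OTP that is safe to store in the directory. The application ID, extension name, OTP and user object are made-up values constructed for the example; the naming rule `extension_<application ID without dashes>_<name>`, the registration body and the alphanumeric restriction on extension names are taken from the Graph API preview documentation referenced above. Nothing here talks to the network, so it runs as-is.

```python
import re
import uuid

# Constructed values for this example: a made-up application (client) ID and
# a made-up extension property name. The directory exposes a registered
# extension on each target object as extension_<appId without dashes>_<name>.
APP_ID = "d8dde29f-1095-422e-9153-7a6f9a1734ba"
PROPERTY = "YubiKeyId"

# Modhex alphabet used by YubiKey OTPs; a default OTP is 12 public-ID
# characters followed by 32 one-time characters, 44 in total.
MODHEX = set("cbdefghijklnrtuv")


def extension_property_name(app_id, prop):
    """Attribute name under which the Graph API exposes the extension."""
    app_id = str(uuid.UUID(app_id))                # reject anything that is not a GUID
    if not re.fullmatch(r"[A-Za-z0-9]+", prop):    # extension names are alphanumeric only
        raise ValueError("extension property name must be alphanumeric")
    return "extension_%s_%s" % (app_id.replace("-", ""), prop)


def registration_payload(prop, data_type="String"):
    """Body POSTed to <tenant>/applications/<objectId>/extensionProperties."""
    return {"name": prop, "dataType": data_type, "targetObjects": ["User"]}


def yubikey_public_id(otp):
    """Return the 12-character public identity of a YubiKey OTP.

    Only this prefix is stable across OTPs from the same key, and only it may
    be written to the directory; the remaining 32 characters are the one-time
    part and must never be persisted.
    """
    otp = otp.strip().lower()
    if len(otp) != 44 or any(c not in MODHEX for c in otp):
        raise ValueError("expected a 44-character modhex YubiKey OTP")
    return otp[:12]


def user_patch_payload(app_id, prop, value):
    """Body PATCHed to <tenant>/users/<upn> to set the extension value."""
    return {extension_property_name(app_id, prop): value}


def read_extension(user_json, app_id, prop):
    """Pull the extension value out of a user object returned by the Graph API."""
    return user_json.get(extension_property_name(app_id, prop))


# Constructed sample OTP (made up, not from a real key) and the user object
# the Graph API would return after the PATCH above had been applied.
SAMPLE_OTP = "ccccccbcgujhingjrdejhgfnuetrgigvlefitgibhghg"
SAMPLE_USER = {
    "objectType": "User",
    "userPrincipalName": "alice@contoso.onmicrosoft.com",
    "extension_d8dde29f1095422e91537a6f9a1734ba_YubiKeyId": "ccccccbcgujh",
}

if __name__ == "__main__":
    print(registration_payload(PROPERTY))
    print(user_patch_payload(APP_ID, PROPERTY, yubikey_public_id(SAMPLE_OTP)))
    print(read_extension(SAMPLE_USER, APP_ID, PROPERTY))
```

The split in `yubikey_public_id` is the security-relevant point for the scenario in these posts: the directory only ever holds the public identity of a key, which is not a secret, while the one-time part is sent to the validation service and discarded.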


Mobile Authentication for a Web Site with a YubiKey NEO

I keep up with what gets posted on Channel 9 (lots of good stuff there), and a few months back I watched a demo which really is quite the smooth solution:
http://channel9.msdn.com/Shows/Web+Camps+TV/Benjamin-Soulier-Logs-into-a-Web-Site-Using-a-Bar-Code-and-Windows-Phone

What they show is how a normal web site presents a QR code for login; when you scan the QR code with an app on your Windows Phone 8 device you are authenticated, and the web site refreshes its view to show that you are now logged in! (The web site is shown on a computer where there is no direct communication channel to or from the mobile device.) You gotta watch it to understand it. (Forward to around the 15-minute mark for the actual demo.)

Unfortunately there isn’t any sample code to accompany the video, so you can’t just download a module and install it in your own solution. While I don’t know the specifics of the implementation, there were a few key words that got me thinking about how it could be done.
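As an added illustration (not code from the video, and not the implementation this post goes on to build), here is one way the server side of such a flow can be modelled when the browser and the phone never talk to each other: the server hands the browser an unguessable nonce to show as a QR code, the phone reports an approval for that nonce after it has authenticated its user by whatever means (the YubiKey OTP in the posts above, simulated here by a plain function call), and the browser polls until the approval arrives. The class name, session identifiers and user names are assumptions made up for the example; the clock is injectable only so the expiry can be exercised without waiting.

```python
import secrets
import time


class QrLoginBroker:
    """Server-side rendezvous point for a QR-code login.

    The web page and the mobile device have no channel between them, so all
    state lives here. A nonce is bound to the browser session that requested
    it, expires after `ttl_seconds`, can be approved at most once, and is
    consumed by the first successful poll.
    """

    def __init__(self, ttl_seconds=120, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so tests can fake the passage of time
        self._pending = {}          # nonce -> {"created", "browser", "user"}

    def new_challenge(self, browser_session):
        """Issue the nonce the browser encodes into its QR code."""
        nonce = secrets.token_urlsafe(32)   # 256 random bits: not guessable
        self._pending[nonce] = {
            "created": self.clock(),
            "browser": browser_session,
            "user": None,
        }
        return nonce

    def _live(self, nonce):
        """Return the pending entry for `nonce`, dropping it if it has expired."""
        entry = self._pending.get(nonce)
        if entry is None:
            return None
        if self.clock() - entry["created"] > self.ttl:
            del self._pending[nonce]        # expired nonces can never be approved later
            return None
        return entry

    def approve(self, nonce, user):
        """Phone endpoint: called only after the phone has authenticated `user`."""
        entry = self._live(nonce)
        if entry is None or entry["user"] is not None:
            return False                    # unknown, expired, or already approved
        entry["user"] = user
        return True

    def poll(self, nonce, browser_session):
        """Browser endpoint: returns the approved user once, else None."""
        entry = self._live(nonce)
        if entry is None or entry["browser"] != browser_session or entry["user"] is None:
            return None
        del self._pending[nonce]            # single use: the identity is handed over once
        return entry["user"]


if __name__ == "__main__":
    broker = QrLoginBroker(ttl_seconds=60)
    nonce = broker.new_challenge("browser-session-A")   # rendered as the QR code
    print("before scan:", broker.poll(nonce, "browser-session-A"))
    print("phone approves:", broker.approve(nonce, "alice"))
    print("after scan:", broker.poll(nonce, "browser-session-A"))
    print("second poll:", broker.poll(nonce, "browser-session-A"))
```

Binding the nonce to the browser session and consuming it on first poll stops a second page from collecting a login it did not request, but it does not by itself tell the user which browser is about to be logged in; the phone side should display something about the requesting page (at minimum where the request came from) before it calls `approve`, so that a QR code relayed from an attacker’s screen is not approved blindly.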

About a year ago I did two posts on a product called YubiKey:
http://mobilitydojo.net/2012/05/09/two-factor-authentication-on-mobile-devices/
http://mobilitydojo.net/2012/05/14/active-directory-federation-services-and-yubikeys/

Nice product, and I use it for some of my authentication needs, but I never got around to doing anything really snazzy with it. So I thought I’d see if the YubiKey could be used for a scenario similar to the one in the video.

Semi-long post, so you might want to grab a cup of coffee before going into the details. If you’re in a hurry just skip to the bottom of the post where there’s a video showing the end result 🙂
