We are looking to host our product on Azure- the intent behind using Azure is that we get to focus on the core product, and are fine with the standard cloud features that Azure offers without needing to understand too much of the internals- not exactly the power users!
One thought was that if Azure had an authentication functionality- profiles, logins, password reset/ reminder etc, it would save us time from building what is essentially a commodity
Any guidance on this?
Azure offers the Access Control Service, which is a Federated Authentication service. It's already preconfigured with support for Live ID, Google and Yahoo authentication, but you can also add your own security token service (such as ADFS).
Windows Azure does not have a built in login feature. However,App Fabric Access Control Service(ACS) does; see the ACS tutorial here for example usage.
Related
I'm attempting to connect the Microsoft Graph Security API Connector to Power BI Desktop. Everything seems to work okay until I try to set 'Application' or advanced 'Delegated' authorizations so I can execute GET commands, such as '/security/securityActions', '/security/TiIndictors' and '/security/securityEvents'.
When using the Graph Security API Connector in Power BI, it automatically connects to my Azure tenant as a Service Principle (e.g. Enterprise Application) with an App ID = 'cab163...'. However, this Enterprise Application doesn't have an intuitive way to add additional permissions.
The documentation https://learn.microsoft.com/en-us/power-bi/desktop-connect-graph-security only talks about Delegated authorization.
Any guidance would be helpful. I'm sure it's an easy solution - it's seriously eluding me.
Thanks!
To set permissions for Application Only mode, please refer to the Application permissions section.
Your app needs to be consented by an administrator.
I have a SharePoint Online application that access an API the reside outside my network and one of our Azure. This API is accessibly through public. I am using this API to access data in my SQL server, with this I am worried that my API is not secure and I am wonder what are the things I can do to secure my API so that no only users logged in to our SharePoint can use it.
There are several ways in which you can secure it. These ways vary in complexity and each have their specific considerations.
Secure an API with Azure AD
If you're using Office 365, securing custom APIs using Azure AD is an architectural option that you should definitely consider. First and foremost, it allows you to secure the access to the API using existing organizational credentials that are already managed through Office 365 and Azure AD. Users with an active account can seamlessly work with applications that leverage APIs secured with Azure AD. Azure AD administrators can centrally manage access to the API, the same way they manage access to all other applications registered with Azure AD.
More info: here
I am new to windows azure development.
I am developing an application for hosting online tests.
This application needs to have multiple authentication options like Windows live ID, Facebook etc.
It also needs to have default form based authentication fed by the database in back end (simple User name and Password match).
Based on the authentication mechanism different permissions will be available to the user.
Can anyone please suggest how i should proceed on this?
Thanks
Do you really need forms authentication, or do you just need an application specific store where people can use a credential specific to your app?
I'd suggest researching Windows Azure Active Directory and Windows Azure Access Control Services together. You may create either an AD tenant for your application store and use it as an Identity Provider for ACS or you could host your own Secure Token Service and Identity Provider which uses your backend database as the user store also registered with ACS. This means that all of your authentication goes through the same process and allows for you to have your own user store, plus the social Identity Provider capability.
The key here is that you want try to avoid having forms authentication AND Social, but rather a mechanism where multiple Identity Providers can be used, including one of your own.
As Gaurav stated there are a ton of resources out there for this:
Understand the difference between WAAD and ACS.
Provisioning an Azure AD Tenant as a Identity Provider in ACS
Windows Azure Identity
There are also many blogs and MSDN documents talking about how to set these up.
If you start with the default "ASP.net MVC4 Web Application" template in Visual Studio you get a web application mini-sample with an AccountController that supports local and 'social' accounts out of the box. See documentation here. It is based on DotNetOpenAuth (a fantastic lib with terrible documentation) and a Microsoft implementation of an special MembershipProvider which lives in WebMatrix.WebData.
Regarding the Azure Access Control Service 2.0: I have no idea what the status of this service is but it looks to me as if MS itself tries to discourage developers form using this service since it was to deeply hidden somewhere under Windows Azure Active Directory in the documentation.
I am trying to evaluate a strategy where I can integrate our Azure based application to SharePoint Online.
The idea is to provide seamless UI so that they are able to use the best of the features from both these applications without having to navigate away from our application.
We would like to bundle the application with Sharepoint online so that if a user comes to our application they will see another tab for collaboration which will open SharePoint online in a seperate iFrame or something like that.
However the issue here is that we do not want the user to keep another set of user credentials for SharePoint online. Is there a way where we can provide some kind of single sign on here.
Our application uses forms based authentication.
I could verify that you sure can use ClaimBased SSO with Azure and SPOnline. Look for the following:
Claims-Based Single Sign-On for the Web and Windows Azure
Remote Authentication in SharePoint Online Using Claims-Based Authentication
So using Claim Based Authentication (Use Windows Azure ACS) you can merge SP online and Azure Web Role together.
Do anybody know if there is any sort of API available for Cyber-Ark Privileged Identity Management to integrate it with an enterprise applications?
I think the answer might be 50% yes, 50% no. Definitely Cyber-Ark offers web services and an API for their Vault objects, so you should be able to retrieve passwords from the Vault from a trusted application. There is a paragraph of sales information on Cyber-Ark's website:
Cyber-Ark's comprehensive SDK provides an interface to the Vault objects that you can use to develop custom solutions that work with the Vault. Cyber-Ark provides a variety of SDK such as Command Line Interface, ActiveX API, .Net API and Web Services API
But beyond working with their Vault objects, I'm not entirely sure. I'm currently looking for more information on their Vault web services, and I think I need to register to be a Partner to get that information. I'll post a follow-up if I learn anymore.
You are suppose to purchase an API license per server to have read-only access to the vault for authorized applications.
They provide Java, C#, etc. libraries and you place authorization key material on the server to enable it access.
It is called CyberArk Application Identity Manager, an entire sub-product.
The only reference I could find:
http://lp.cyberark.com/rs/cyberarksoftware/images/ds-application-identity-manager-10-20-2014-en.pdf
CyberArk created Conjur. It is open source and free. It contains its own Vault and is intended for dynamic Application Access Management. In particular, Conjur and its upgrade Conjur Enterprise should secure the complete DevOps pipeline. The paid version can be integrated with the Vault solution (the PAS Core solution of CyberArk).
For static applications, CyberArk has the Credential Provider, Central Credential Provider and ASCP (I forgot the full name of it now). These solutions are agent based while Conjur is agentless. Because they are agent based, they are only intended for environments with comparatively slow changes as an agent needs to be installed on every server in order to provide the credentials from the Vault.
These solutions have REST API, CLI and SDK capabilities.