{"id":26695,"date":"2018-07-30T17:58:00","date_gmt":"2018-07-30T17:58:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/premier_developer\/?p=26695"},"modified":"2019-02-14T20:17:56","modified_gmt":"2019-02-15T03:17:56","slug":"software-as-a-service-part-1-identity-as-a-service","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/premier-developer\/software-as-a-service-part-1-identity-as-a-service\/","title":{"rendered":"Software-as-a-Service Part 1 (Identity-as-a-Service)"},"content":{"rendered":"<p>App Dev Manager, <a href=\"https:\/\/www.linkedin.com\/in\/keith-t-anderson\/\">Keith Anderson<\/a> explores aspects and patterns of building solutions under a Software-as-a-Service model.<\/p>\n<hr \/>\n<p>I often get asked by customers who are independent software vendors (ISVs) for a prescription for writing and providing software as a service.\u00a0 Pointing to Office 365 as a shining example of successful SaaS is woefully insufficient.\u00a0 Providing a prescription of steps to create and provide SaaS is an overwhelming endeavor, destined to sprawl and quickly become unwieldy.\u00a0 Yet companies need exactly this as they transition to the cloud.<\/p>\n<p>To answer this need, we identify some patterns and group them into related pillars.\u00a0 My intention in this series of posts is to showcase various applications demonstrating different aspects and patterns of Software-as-a-Service (SaaS) models.<\/p>\n<p>This first post showcases the identity-as-a-service (IDaaS) pillar using Azure Active Directory (AAD) with the OAuth 2.0 and OpenID Connect protocols, and how this supports multi-tenant apps in Azure.<\/p>\n<p>These samples and tutorials are open-source and available as part of the Microsoft Azure documentation.\u00a0 I would like to call out and thank Danny Strockis, an Identity Services Program Manager at Microsoft.<\/p>\n<ul>\n<li>POC 1 \u2013 Multi-tenant Identity-as-a-Service\n<ul>\n<li>Source 
code<\/li>\n<li>Demo and walkthrough<\/li>\n<li>Link to documentation<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>POC 1 \u2013 Multi-tenant Identity-as-a-Service<\/h3>\n<p>You cannot explore the topic of SaaS architectures long without touching on identity and tenancy models. Generally speaking, a tenant is an entity occupying a property.\u00a0 The tenant metaphor works better for cloud computing when you think of an office building full of businesses leasing space than of a landlord renting an apartment to individuals.\u00a0 A tenant in Azure Active Directory represents an organization and technically is nothing more or less than an instance of Azure Active Directory (AAD).<\/p>\n<p>Therefore, a multi-tenant application in the context of AAD is simply one that accepts sign-ins from more than one instance of AAD.<\/p>\n<p>This is a narrow definition of multi-tenancy. More generally, a multi-tenant application is one that serves more than one organization, regardless of the identity mechanism, but it is important to realize that context matters when discussing terms.\u00a0 This first POC explores the narrow AAD definition of multi-tenancy; later POCs explore the more general definition in terms of customer data.<\/p>\n<h3>Build a multi-tenant SaaS web application using Azure AD &amp; OpenID Connect<\/h3>\n<p>TodoListWebApp is a sample application that shows how to build and register a multi-tenant application with Azure Active Directory, so that users from any AAD tenant can sign in with their own credentials.\u00a0 It uses Azure AD for IDaaS and also demonstrates how this can be used in hybrid scenarios.\u00a0 The application can be deployed anywhere and still use Azure AD to manage access.<\/p>\n<h3>Register the app in AAD<\/h3>\n<p>The complete setup instructions in the Azure documentation linked at the end of this post go through everything step by step, so I will not reproduce them here.\u00a0 I will point out a couple of details worth noting.\u00a0 We need to 
register an application in AAD so that users of that directory can authenticate through the service.\u00a0 You will need to specify the reply (redirect) URL, which is where AAD sends the user\u2019s browser, carrying the tokens, once the sign-in flow has completed.\u00a0 You will also need to specify the logout URL so the session can be terminated.<\/p>\n<p>From a tenancy perspective, the interesting bit about this is the flag you can set at the bottom, specifying Multi-tenanted, Yes or No.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/31\/2019\/04\/SaaSPOC1.png\"><img decoding=\"async\" title=\"SaaSPOC\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/31\/2019\/04\/SaaSPOC_thumb1.png\" alt=\"SaaSPOC\" width=\"285\" height=\"772\" border=\"0\" \/><\/a><\/p>\n<p>If \u2018Yes\u2019 is specified, users from other instances of AAD can authenticate through this service and log in to your application.\u00a0 If \u2018No\u2019 is specified, only users registered in your AAD can do so.<\/p>\n<p>Note that \u2018Yes\u2019 only widens who can authenticate; it does not decide who is authorized.\u00a0 Once a valid token can come from any tenant, the application must check the token\u2019s issuer and tenant ID (the tid claim) against the tenants it has actually onboarded, otherwise any Azure AD user anywhere can sign in.\u00a0 The sample does this by recording the tenants and users that have signed up and rejecting tokens from anyone else.<\/p>\n<p>AAD returns the tokens containing the user\u2019s claims only to a registered Reply URL, so every endpoint in your application that should receive them must be listed there.\u00a0 The URL the application requests must match a registered one exactly; this registration is what prevents a token from being sent to an address an attacker chose.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/31\/2019\/04\/SaaSPOC2.png\"><img decoding=\"async\" title=\"SaaSPOC2\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/31\/2019\/04\/SaaSPOC2_thumb.png\" alt=\"SaaSPOC2\" width=\"244\" height=\"204\" border=\"0\" \/><\/a><\/p>\n<p>Another interesting point to note is that it doesn\u2019t actually matter where the application is deployed.\u00a0 As long as the application can reach AAD (to fetch metadata and redeem authorization codes) and the user\u2019s browser can reach the registered reply URL, the application itself can be hosted on-premises, in Azure, or in some other cloud.<\/p>\n<p>The following content was structured for demos and discussion.\u00a0 You can follow these steps as shown or the tutorial steps in the documentation.\u00a0 If you wish to engage Premier 
Developer for added context, please contact your local ADM or TAM, or if you need a Premier contract, reach out to your Microsoft representative for information.\u00a0 You can also consult <a href=\"https:\/\/www.microsoft.com\/en-in\/microsoftservices\/support.aspx\">https:\/\/www.microsoft.com\/en-in\/microsoftservices\/support.aspx<\/a> for information on Premier services.<\/p>\n<p>Before performing these steps, make sure to sign out of your browsers if you are signed in with your Microsoft account.<\/p>\n<h4><span style=\"color: #0000ff\">Create a new App Registration<\/span><\/h4>\n<ol>\n<li>\n<h4>Create a new App Registration in the Azure Portal<\/h4>\n<\/li>\n<li>\n<h4>Open Settings and Add Properties<\/h4>\n<ul>\n<li>\n<h4>Enter <a href=\"http:\/\/localhost:47671\/\">http:\/\/localhost:47671\/<\/a> for the Home page URL<\/h4>\n<\/li>\n<li>\n<h4>Enter <a href=\"http:\/\/localhost:47671\/Account\/EndSession\">http:\/\/localhost:47671\/Account\/EndSession<\/a> for the Logout URL<\/h4>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<h4>Enter Reply URLs<\/h4>\n<\/li>\n<li>\n<h4>Add the Microsoft Graph API<\/h4>\n<ul>\n<li>\n<h4>Select the Sign in and read User Profile permission<\/h4>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<h4>Provision a Secret Key<\/h4>\n<ul>\n<li>\n<h4>Discuss the App ID and App Key required to link a registered application to the deployed application.\u00a0 Show it in the source code and portal.\u00a0 The App Key is a credential for the application itself: keep it out of source control, and rotate any key that has been shown in a demo.<\/h4>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<h4>Open the App Manifest and discuss App Specific Roles<\/h4>\n<ul>\n<li>\n<h4>Add an App Specific Role<\/h4>\n<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p>The entry below belongs in the manifest\u2019s appRoles array.\u00a0 Once the role is assigned to a user, its value field appears in the roles claim of that user\u2019s token, which is what the application checks.<\/p>\n<pre>[\n  {\n    \"allowedMemberTypes\": [\n      \"User\"\n    ],\n    \"displayName\": \"Export\/Import\",\n    \"id\": \"d31fca6f-6cbe-408a-9387-8ac53b77d548\",\n    \"isEnabled\": true,\n    \"description\": \"App Specific \u2013 Export\/Import\",\n    \"value\": \"ImportExportAdmin\"\n  }\n]<\/pre>\n<h4><span style=\"color: #0000ff\">Identity as a Service (IDaaS)<\/span><\/h4>\n<p>Azure Active Directory is a fully managed service that provides authentication and authorization to your applications.\u00a0 It is highly integrated with other Azure services, but can be used as a stand-alone service as well, to provide AuthN\/AuthZ to your applications on-premises or in some other cloud.<\/p>\n<h4><span style=\"color: #0000ff\">Log in with same-domain account as registered application<\/span><\/h4>\n<ol>\n<li>\n<h4>Create a new user in the Azure Portal<\/h4>\n<ul>\n<li>\n<h4>Show Applications assignment is empty<\/h4>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<h4>Sign in with the same-domain account<\/h4>\n<ul>\n<li>\n<h4>Show Applications assignment is now populated<\/h4>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<h4>Demo the app with a same-domain user<\/h4>\n<\/li>\n<li>\n<h4>Debug the app and show the claims in the ClaimsPrincipal during any action<\/h4>\n<\/li>\n<li>\n<h4>Assign the App Specific role to the user and show how it is now part of the claims<\/h4>\n<\/li>\n<\/ol>\n<h4><span style=\"color: #0000ff\">Log in with domain account different from registered application<\/span><\/h4>\n<ol>\n<li>\n<h4>Log in with a user from a cross-domain account<\/h4>\n<ul>\n<li>\n<h4>Show error<\/h4>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<h4>Toggle Multi-tenanted flag to \u2018Yes\u2019 and log in with the cross-domain account\n{There will be a slight delay while this takes effect, even after the Portal indicates the change was made}<\/h4>\n<ul>\n<li>\n<h4>Show success<\/h4>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<h4>Demo the app with a cross-domain user<\/h4>\n<\/li>\n<\/ol>\n<h4><span style=\"color: #0000ff\">Create and Log in with Guest B2B account<\/span><\/h4>\n<ol>\n<li>\n<h4>Toggle Multi-tenanted flag to \u2018No\u2019<\/h4>\n<\/li>\n<li>\n<h4>Create a Guest user in same domain as registered application, inviting a 
cross-domain user.\n{This takes time.\u00a0 An email invitation will be sent and the user has to accept it.\u00a0 The guest is an object in your own tenant, which is why this works with Multi-tenanted set to \u2018No\u2019: you admit one specific external user rather than every user of another tenant.}<\/h4>\n<ul>\n<li>\n<h4>Show Applications assignment is empty<\/h4>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<h4>Sign out after accepting the invitation.<\/h4>\n<\/li>\n<li>\n<h4>Sign up in the application with the B2B user.<\/h4>\n<ul>\n<li>\n<h4>Show Applications assignment is now populated<\/h4>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<h4>Demo the app with a B2B user<\/h4>\n<\/li>\n<\/ol>\n<h4><span style=\"color: #0000ff\">Source code and Complete Setup Instructions<\/span><\/h4>\n<p>Here is a link to the complete setup instructions and a link to the git repository housing the source code:<\/p>\n<p><strong>Setup Instructions:\n<\/strong><a href=\"https:\/\/azure.microsoft.com\/en-us\/resources\/samples\/active-directory-dotnet-webapp-multitenant-openidconnect\/\">https:\/\/azure.microsoft.com\/en-us\/resources\/samples\/active-directory-dotnet-webapp-multitenant-openidconnect\/<\/a><\/p>\n<p><strong>Git Repository:\n<\/strong><a href=\"https:\/\/github.com\/Azure-Samples\/active-directory-dotnet-webapp-multitenant-openidconnect\/archive\/master.zip\">https:\/\/github.com\/Azure-Samples\/active-directory-dotnet-webapp-multitenant-openidconnect\/archive\/master.zip<\/a><\/p>\n<p><strong>Other Resources:\nDeveloper\u2019s Guide to AAD<\/strong> &#8211; <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/active-directory-developers-guide\">https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/active-directory-developers-guide<\/a><\/p>\n<p><strong>App Roles &#8211;<\/strong> <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/architecture\/multitenant-identity\/app-roles\">https:\/\/docs.microsoft.com\/en-us\/azure\/architecture\/multitenant-identity\/app-roles#roles-using-azure-ad-app-roles<\/a><\/p>\n<h3>Summary<\/h3>\n<p>In this post, we explored the identity pillar of developing and operationalizing software as a 
service and we explored multi-tenancy with respect to identity using Azure Active Directory Identity as a Service.<\/p>\n<hr \/>\n<p><a href=\"https:\/\/blogs.msdn.com\/b\/premier_developer\/archive\/2014\/09\/15\/welcome.aspx\"><strong>Premier Support for Developers<\/strong><\/a> provides strategic technology guidance, critical support coverage, and a range of essential services to help teams optimize development lifecycles and improve software quality. Contact your Application Development Manager (ADM) or <a href=\"https:\/\/blogs.msdn.microsoft.com\/premier_developer\/contact-us\/\">email us<\/a> to learn more about what we can do for you.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>App Dev Manager, Keith Anderson explores aspects and patterns of building solutions under a Software-as-a-Service model.<\/p>\n","protected":false},"author":582,"featured_media":27417,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[25],"tags":[240,329,3],"class_list":["post-26695","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","tag-identity","tag-saas","tag-team"],"acf":[],"blog_post_summary":"<p>App Dev Manager, Keith Anderson explores aspects and patterns of building solutions under a Software-as-a-Service 
model.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/posts\/26695","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/users\/582"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/comments?post=26695"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/posts\/26695\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/media\/27417"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/media?parent=26695"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/categories?post=26695"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/tags?post=26695"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
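The post's "Register the app in AAD" section explains that setting Multi-tenanted to "Yes" lets a user from any Azure AD tenant obtain a valid token for the app, and the App Specific Role step shows a role value (`ImportExportAdmin`) arriving in the user's claims. The block below is an added example, not code from the post or from the TodoListWebApp sample (which is ASP.NET); it is written in Python so it runs offline. It shows the checks a multi-tenant app must add after the OpenID Connect middleware has verified the token signature: audience, expiry, issuer format, consistency between the `iss` and `tid` claims, an allow-list of onboarded tenants, and finally an app-role check on the `roles` claim. The client ID, tenant IDs and claim sets are constructed; the two issuer formats are Azure AD's documented v1.0 (`https://sts.windows.net/{tid}/`) and v2.0 (`https://login.microsoftonline.com/{tid}/v2.0`) forms.

```python
"""Post-signature claim checks for a multi-tenant Azure AD app (added example).

Assumes the OpenID Connect middleware has already verified the ID token's
signature against the issuing tenant's keys. These are the checks the app
must add on top, because with Multi-tenanted = Yes any Azure AD tenant can
issue a valid token for it. All identifiers and claim sets are constructed.
"""
import re
import time

# Assumed values: the app's client ID, the tenants that have onboarded, and
# the app-role value from the manifest entry shown in the post.
CLIENT_ID = "aaaaaaaa-0000-4000-8000-000000000001"
TENANT_HOME = "11111111-1111-4111-8111-111111111111"      # tenant that registered the app
TENANT_CUSTOMER = "22222222-2222-4222-8222-222222222222"  # customer tenant that signed up
TENANT_STRANGER = "33333333-3333-4333-8333-333333333333"  # never onboarded
ONBOARDED_TENANTS = {TENANT_HOME, TENANT_CUSTOMER}
ROLE_IMPORT_EXPORT_ADMIN = "ImportExportAdmin"

# Azure AD issuer formats: v1.0 tokens use https://sts.windows.net/{tid}/,
# v2.0 tokens use https://login.microsoftonline.com/{tid}/v2.0
_GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
ISSUER_RE = re.compile(
    rf"^https://(?:sts\.windows\.net/(?P<v1>{_GUID})/"
    rf"|login\.microsoftonline\.com/(?P<v2>{_GUID})/v2\.0)$"
)


class TokenRejected(Exception):
    """Raised when a token is well-formed but must not be accepted."""


def validate_multitenant_claims(claims, onboarded_tenants, client_id, now=None):
    """Return the issuing tenant ID (lower-case) if every check passes, else raise."""
    now = time.time() if now is None else now
    if claims.get("aud") != client_id:
        raise TokenRejected("audience is not this application")
    if int(claims.get("exp", 0)) <= now:
        raise TokenRejected("token has expired")
    match = ISSUER_RE.match(claims.get("iss", ""))
    if not match:
        raise TokenRejected("issuer is not an Azure AD tenant")
    tid = (match.group("v1") or match.group("v2")).lower()
    # A token whose tid disagrees with its issuer is malformed or forged.
    if claims.get("tid", "").lower() != tid:
        raise TokenRejected("tid claim does not match issuer")
    # Authentication is not authorization: only tenants that onboarded get in.
    if tid not in {t.lower() for t in onboarded_tenants}:
        raise TokenRejected("tenant has not onboarded")
    return tid


def has_app_role(claims, role_value):
    """True if the app-role 'value' from the manifest is present in the roles claim."""
    roles = claims.get("roles", [])
    if isinstance(roles, str):  # a single role may arrive as a bare string
        roles = [roles]
    return role_value in roles


def authorize_export(claims, onboarded_tenants, client_id, now=None):
    """Full decision for the Export/Import feature: (tenant_id, allowed)."""
    tid = validate_multitenant_claims(claims, onboarded_tenants, client_id, now)
    return tid, has_app_role(claims, ROLE_IMPORT_EXPORT_ADMIN)


def rejection_reason(claims, onboarded_tenants, client_id, now=None):
    """The rejection message for a token, or None if it is accepted."""
    try:
        validate_multitenant_claims(claims, onboarded_tenants, client_id, now)
    except TokenRejected as exc:
        return str(exc)
    return None


# Constructed claim sets, shaped like a decoded Azure AD ID token.
NOW = 1_700_000_000


def _claims(tid, roles=None, issuer_version=1, aud=CLIENT_ID):
    iss = (f"https://sts.windows.net/{tid}/" if issuer_version == 1
           else f"https://login.microsoftonline.com/{tid}/v2.0")
    c = {"iss": iss, "tid": tid, "aud": aud, "exp": NOW + 3600,
         "upn": "user@example.test"}
    if roles is not None:
        c["roles"] = roles
    return c


ADMIN_IN_CUSTOMER_TENANT = _claims(TENANT_CUSTOMER, roles=[ROLE_IMPORT_EXPORT_ADMIN])
PLAIN_USER_HOME_TENANT = _claims(TENANT_HOME, issuer_version=2)
STRANGER_TENANT = _claims(TENANT_STRANGER, roles=[ROLE_IMPORT_EXPORT_ADMIN])
FORGED_TID = dict(_claims(TENANT_STRANGER), tid=TENANT_HOME)  # iss and tid disagree

if __name__ == "__main__":
    for name, c in [("admin in customer tenant", ADMIN_IN_CUSTOMER_TENANT),
                    ("plain user in home tenant", PLAIN_USER_HOME_TENANT),
                    ("stranger tenant", STRANGER_TENANT),
                    ("forged tid", FORGED_TID)]:
        reason = rejection_reason(c, ONBOARDED_TENANTS, CLIENT_ID, NOW)
        if reason:
            print(f"{name}: rejected ({reason})")
        else:
            _, allowed = authorize_export(c, ONBOARDED_TENANTS, CLIENT_ID, NOW)
            print(f"{name}: accepted, export allowed={allowed}")
```

The stranger-tenant case is the one the post's "Yes" flag opens up: the token is genuine and the role claim even names `ImportExportAdmin`, but without the onboarding check the app would honour a role assigned by an administrator of a tenant it has never heard of. The forged-tid case shows why `tid` is compared against the issuer rather than trusted on its own.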