5 Minute Tutorial: Securing an Application with Azure AD and Datawiza

June 16, 2021
Weiyu Fang

Are you still asking your developers, who are usually not trained as security experts, to integrate and secure your applications with Azure Active Directory (Azure AD)? These are extremely security-sensitive integrations involving both authentication and authorization. And to do this, the developers may need to learn the latest authentication/authorization protocols (OIDC/OAuth or SAML) from scratch. They may need to practice with the Azure AD SDKs for different programming languages, e.g., .Net, Java, and PHP. They may also need to implement similar integrations for many different apps (e.g., HR and Finance) again and again. Such an integration effort could take your organization months or years to finish depending on the number and the complexity of applications. 


You deserve a better solution, and we are building one that will reduce the time required down to hours or days, even minutes


In this tutorial, you will learn how to implement OpenID Connect (OIDC) SSO authentication for a web application with Azure AD and Datawiza. “Application” here refers to Regular Web Applications that perform most of their application logic on the server (e.g., ASP.NET, PHP, or JAVA). Mobile applications (iOS and Android) and Single Page Applications (e.g., AngularJS, Node.js, or React) are not included. 

Introduction to the Datwiza Platform

The Datawiza platform is a cloud-delivered, SaaS-based access management solution. It includes a data plane and a control plane: Datawiza Access Broker (DAB) and Datawiza Cloud Management Console (DCMC)


DAB is a lightweight, container-based access proxy deployed close to your application via the sidecar (agent) or gateway mode. It talks to Azure AD on behalf of your applications so that you don’t need to worry about the integration work. DCMC is a cloud-based management console where you can configure and manage the policies of DABs. Such a SaaS-based design makes the whole platform much easier to use.

 

Simple configurations using Datawiza Cloud Management Console

Use your Azure AD Admin Account (this account should have the permission to create an app registration in the Azure AD tenant) log in to the DCMC. Click on the Get started button and follow the steps. 

Enter some basic information, such as the deployment name and provisioning key name:



For Add Application step:


Configure your application with the following values:

  • Platform: Web
  • App Name: Demo App
  • Public Domain: http://localhost:9772
  • Listen Port: 9772
  • Upstream Servers: http://host.docker.internal:3001
  • Default Action: Allow


Note that Upstream Servers is the address of the application for which you want to enable SSO. In this tutorial, we will provide a header-based app running on port 3001.

  • If you use Mac or Windows, then set the Upstream Servers to http://host.docker.internal:3001 (Docker 18.03+).
  • If you use Linux, use ip addr show docker0 to get the docker host IP (e.g., 172.17.0.1) and then set Upstream Servers to http://172.17.0.1:3001 (see this for more details).


For Configure IdP step:

Select the Microsoft Azure Active Directory as the Identity Provider and keep the Automatic Generator option on.


Our One-Click for Microsoft Azure AD solution simplifies and automates adding applications to the Azure AD environment. It is a convenient way for companies to integrate their apps with Azure AD, and it eliminates many manual application configuration steps, which are often time-consuming and error-prone, and delay the time to value of using Azure AD. It also simplifies operations for administrators with the ability to easily configure the entire environment using a single console, reducing the need to pivot across the Datawiza Console and the Azure Portal.


Click Create and wait for interaction with Azure AD.All the configurations are now automatically set. 


In the last step, we will give the command lines to pull the DAB image and the docker-compose file to run the DAB. 


NOTE: We use Docker and docker-compose to deploy the DAB. Please ensure that you have already installed both of them in your environment before running the DAB.


Execute the command lines in steps 1 & 2 and note down the docker-compose file in step 3.


Run DAB as a sidecar (agent) to your application

After finishing the configuration in DCMC, you can run the DAB with the YAML file noted down in the previous step. In this part of the tutorial, we need to add our header-based app to the YAML file for testing purposes. The docker-compose YAML file should then be like this:

version: '3'
services:
  datawiza-access-broker:
    image: registry.gitlab.com/datawiza/access-broker
    container_name: datawiza-access-broker
    restart: always
    ports:
      - "9772:9772"
    environment:
      PROVISIONING_KEY: #############################
      PROVISIONING_SECRET: #############################

  header-based-app:
    image: registry.gitlab.com/datawiza/header-based-app
    container_name: ab-demo-header-app
    restart: always
    ports:
      - "3001:3001"

Now, we can use docker-compose to create and start the DAB:

docker-compose -f datawiza-access-broker up -d


That's it. After executing the command above, the header-based app should have SSO enabled with Azure AD.


Now, let's give it a try.


Open a browser and type in http://localhost:9772. You should see the Azure AD login page as follows. Note that if you are already logged into Azure AD in your browser, you may need to logout to see the login page.


After logging in to the Azure AD, the header-based app will be shown.



Summary

This tutorial has shown you how to secure a web application with Azure AD using Datawiza -- in minutes instead of hours or days. Get a free trial by signing up/in here. Please email us at contact@datawiza.com if you need any help or have any questions.


DOWNLOAD IN PDF