From the course: Azure Network Security for Beginners: Tools and Services

Understand authentication and authorization - Azure Tutorial


Understand authentication and authorization

- [Narrator] Authentication and authorization are two fundamental elements of security. This is true for both on-premises environments and for cloud-hosted infrastructures. Authentication validates that users are who they claim to be, while authorization determines what resources they can or cannot access and what permissions they have on those resources. For example, I'm a customer of bank XYZ. To get access to banking functions, I first need to prove that I'm a customer. To do this I log in with my username and password; this is the authentication piece. After I log in, what functions am I allowed to access? Can I simply view my statements and make payments, or can I perform advanced functions? This is the authorization piece.

Let's look at another example. Bob is a developer and needs access to application servers for testing purposes. To gain access, Bob first needs to prove who he is. He needs to prove that he's an employee of the organization. To do this, Bob may provide a corporate username and password to the authentication server. The server verifies his credentials and allows him to get in. But what permissions does he have on the application servers? That is determined by the authorization component. Is Bob allowed to deploy new applications, or is he allowed to change the configuration of existing applications? Determining this is the function of authorization.

Microsoft Azure uses the OpenID Connect protocol for handling authentication, sometimes also known as AuthN, and the OAuth 2.0 protocol is used for handling authorization, sometimes also known as AuthZ. Without getting into the specifics, OpenID Connect is a mechanism by which an application can contact an identity provider, verify the details of a user and return them to the application. Within the Azure space, the Azure Active Directory can be used as a centralized identity provider. Doing this has several advantages, such as providing conditional access. An example of this is requiring the user to be in a specific location for access to be granted, or policies that only allow access when requests are made from trusted IP addresses. Another is requiring multi-factor authentication, sometimes also referred to as two-factor authentication. This requires a second factor, such as an authentication code, in addition to the username and password combination. Another is enabling single sign-on. Once a user is logged into one application, she's automatically logged into all applications that share the same directory.

To understand this, let's say we have a user that needs to access a web application. To gain access, the user opens up a web browser and navigates to the application. The application checks to see if the user is already authenticated. If the user is not authenticated, the application redirects the user to a registered identity provider, in this case, Azure Active Directory. The user now authenticates to the identity provider. This can be using a username and password or an authentication code, depending on the configured policy. When successfully authenticated, the identity provider sends a security token to the application. Also, a cookie associated with the Azure Active Directory domain is saved in the user's browser. The application validates the token and grants access to the user. Since the cookie is stored in the browser, the next time the user tries to access the application, the browser presents the cookie to the application and the user is signed in. This is an example of single sign-on, also known as SSO.

Hopefully the difference between authentication and authorization is clear. Though the terms are used in conjunction, they have distinct functions in granting access to a system. Having a clear understanding of the differences will make it easier to implement these security practices.
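The token flow and the AuthN/AuthZ split described above, as an added Python example that is not part of the course: a hypothetical identity provider mints a signed token with identity and role claims, and a hypothetical application validates that token (authentication) before checking the user's role against a requested action (authorization), then keeps a session cookie so later requests are already signed in. The HMAC key, issuer URL, client id, role names and permission table are all constructed for the example; real OpenID Connect ID tokens are RS256-signed JWTs that the application validates against the provider's published public keys.

```python
import base64, hashlib, hmac, json

# Constructed demo values: a shared HMAC key stands in for the identity provider's
# signing key; a real OIDC relying party checks an RS256 signature against the JWKS.
IDP_ISSUER = "https://idp.example.test"   # hypothetical identity provider
APP_CLIENT_ID = "app-xyz"                  # hypothetical application (audience)
IDP_SIGNING_KEY = b"constructed-demo-key-not-for-production"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def idp_issue_token(subject: str, roles: list, now: int, ttl: int = 300) -> str:
    """Identity provider side: after the user has authenticated, mint a signed
    token (the AuthN result) carrying identity claims plus roles used for AuthZ."""
    claims = {"iss": IDP_ISSUER, "aud": APP_CLIENT_ID, "sub": subject,
              "roles": roles, "iat": now, "exp": now + ttl}
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64url(sig)}"

def app_validate_token(token: str, now: int) -> dict:
    """Application side: verify signature, issuer, audience and expiry before
    trusting any claim. Raises ValueError on any failure."""
    body, _, sig_b64 = token.partition(".")
    expected = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    # constant-time comparison so the signature check does not leak timing
    if not hmac.compare_digest(b64url(expected), sig_b64):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != APP_CLIENT_ID:
        raise ValueError("token not meant for this application")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

# Authorization table (constructed): what each role may do once authenticated.
PERMISSIONS = {"viewer": {"view_config"}, "deployer": {"view_config", "deploy_app"}}

def app_authorize(claims: dict, action: str) -> bool:
    """AuthZ step, separate from AuthN: a valid identity does not imply permission."""
    return any(action in PERMISSIONS.get(r, set()) for r in claims.get("roles", []))

SESSIONS = {}  # session cookie value -> validated claims (stands in for the browser cookie)

def app_login(token: str, now: int) -> str:
    """Validate the token once, then hand back a session cookie for later requests."""
    claims = app_validate_token(token, now)
    cookie = hashlib.sha256(token.encode()).hexdigest()[:32]
    SESSIONS[cookie] = claims
    return cookie
```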