[00:00:03] Prior to AD FS in Windows Server 2016, you created a relying party trust to represent an application that used AD FS for authentication. So the same mechanism for federating with another organisation, by setting up a federated partner as a relying party, that mechanism was also used for integrating web applications with AD FS. And that's because those web applications had used WS-Federation or SAML 2.0 as the protocol for brokering authentication with AD FS. It's still possible to configure applications to use those protocols, but since the rise of OAuth 2.0 and OpenID Connect, AD FS has continually added support for those protocols. There was limited support for OAuth in AD FS in Server 2012 R2 using relying parties.

[00:00:53] The idea of an application group was introduced in AD FS 2016. An application group is a separate configuration in AD FS, completely apart from a relying party. But at a high level, they serve a similar purpose. They're both containers for the configuration required to integrate an application with AD FS. But application groups can be just that: groups of smaller components that work together to make up an entire application. That could include a web application on its own, or a JavaScript single-page application that works with a back-end web API on a web server, or a server that communicates with another web API, or a native application on a desktop that communicates with a web API, or a mobile app that uses several web APIs, and the list goes on. The point is, each element of each of those applications has its own individual configuration, but they ultimately are part of the same application. You could say they have the same security context.

[00:01:53] Let's talk first about the types of applications that make up an application group. There are three types of applications: a public client, a confidential client, and a web API. A public client could be a native application running on a desktop, or a single-page application running in the browser, or a mobile application running on a device. This type of application has a client ID configured that it sends in requests to identify itself with AD FS, and it requests tokens from the AD FS server. The public client app can then send HTTP requests to protected resources, such as web APIs on servers, using those tokens.

[00:02:33] A confidential client is a web application that runs on a server and is usually accessible to a user via the browser. The web app is called a confidential client because it can maintain its own secret credential to authenticate with the AD FS server. You couldn't store a secret in a single-page JavaScript application or in a config file on a desktop client, because that secret could be compromised. So the fact that the server can securely store that secret away from prying eyes is what makes the web application a confidential client. The web app can request tokens from AD FS to access other resources like web APIs on other servers. The web app makes those requests by authenticating with its client ID and the secret that's known to the web app and the AD FS application group configuration. So it's kind of like a username and password that's stored on the web app server and in the AD FS application group configuration.

[00:03:31] The last application type is the web API, which is just a resource server that accepts bearer tokens from the public and confidential clients in order to return data to them. These are essentially the relying party applications in modern authentication. But if a web API needs to make calls to another web API, then the first web API is acting as a confidential client in that case, and it can use a stored client ID and secret to get a bearer token from AD FS to use when calling the second web API.
[00:04:02] And remember, that bearer token is another name for the access token we talked about in the previous clip on OAuth 2.0.

[00:04:10] Let's take a look at the application group configurations in AD FS to see how different application types are configured. When you create a new application group, there are several templates to choose from. These give you a pre-configured group of elements that represent the components of typical applications. You can get more information on each of these templates by selecting one and clicking More information at the bottom. Let's walk through the different templates. First we need to give the application group a name. I have the first template selected, so I'll click Next. This template has a public client and a web API. The first configuration is the public client in this template, which is called a native application. This could be an app running on a phone, tablet or desktop. There's a client identifier created, but you can change this if you like. Then the access control policy can be configured, and there are no scopes in this case, but it actually configures the openid scope by default, and you can modify these later if you need to.

[00:07:52] If you look at the standalone application templates, these are just portions of the templates above: so just the client component or the web API component. So the client-server application templates are combinations of the individual application templates.
[00:08:07] And what's interesting is that as your application evolves, you can add components to your application group to represent new parts of your total application.

[00:08:16] Let's open up an existing application. This application group has a client and a server component. Let's say we needed to add a web API to this application that the web app will call. We can click on Add application at the bottom, and that opens up a dialog where we can choose one of the standalone templates to configure a web API, for example, and that will get added to our application group.

[00:08:41] So that's a tour of application groups in AD FS. Next, let's create a sample application to use as a protected resource and to view claims returned from AD FS. In the process, we'll also configure an application group.