4
votes

Is it possible to secure all APIs with one "shared" Azure Active Directory at the Azure API Management level with the following scenario:

  1. User calls Azure API Management service pointing to Service X
  2. If the request is not authenticated, the user should provide Active Directory credentials
  3. AD credentials are validated on a separate component and a token is returned
  4. User uses the token to authenticate to the Azure API Management service
  5. If the user is authenticated, the API Management service uses Basic Authentication to call Service X
  6. One token can be used to access every Service, because it is validated in a separate component.
  7. Services are protected only with basic authentication, which is configured in the API Management Portal.

Is this scenario possible to implement? If not, how can I achieve something similar with the available components?


1 Answer

3
votes

Most of it should be possible using the API management policies.

2, 3) use advanced policy features for this: https://msdn.microsoft.com/en-us/library/azure/dn894085.aspx

4) add the Validate JWT policy: https://msdn.microsoft.com/library/azure/034febe3-465f-4840-9fc6-c448ef520b0f#ValidateJWT

<!-- Reject the request with 401 unless the Authorization header carries a valid JWT -->
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
    <!-- Signing keys and issuer are discovered from the tenant's OpenID Connect metadata -->
    <openid-config url="https://login.windows.net/contoso.onmicrosoft.com/.well-known/openid-configuration" />
    <!-- Every listed claim must be present with the given value; "insert claim here" is a placeholder -->
    <required-claims>
        <claim name="id" match="all">
            <value>insert claim here</value>
        </claim>
    </required-claims>
</validate-jwt>

5) default behaviour: basic auth or certificate are the only options in Azure API Management (or pass the JWT); this can be set from the Azure portal as well. https://msdn.microsoft.com/en-us/library/azure/dn894079.aspx#Basic

7) yes, and the credentials can be stored securely in the new "properties" section of API Management: https://azure.microsoft.com/en-us/documentation/articles/api-management-howto-properties/
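Putting steps 4, 5 and 7 of the answer together, here is a complete inbound policy for one API. This is an added example, not code from the answer or from Microsoft's documentation: the tenant name, audience, backend URL, role value and the named-value (property) names `backend-user` and `backend-password` are all placeholders to replace with your own.

```xml
<policies>
    <inbound>
        <base />
        <!-- Step 4: accept only requests carrying a JWT issued by the shared AAD tenant.
             Signing keys are fetched from the tenant's OpenID Connect metadata, so any
             service behind this gateway is protected by the same token validation. -->
        <validate-jwt header-name="Authorization" require-scheme="Bearer"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
            <openid-config url="https://login.windows.net/contoso.onmicrosoft.com/.well-known/openid-configuration" />
            <!-- The token must be minted for this API, not for some other app in the tenant -->
            <audiences>
                <audience>api://placeholder-app-id-uri</audience>
            </audiences>
            <!-- Optional: require an app role so a valid login alone is not enough -->
            <required-claims>
                <claim name="roles" match="any">
                    <value>ServiceX.Caller</value>
                </claim>
            </required-claims>
        </validate-jwt>

        <!-- Step 5: talk to Service X with Basic Authentication. This replaces the
             caller's Authorization header, so the bearer token is not forwarded. -->
        <set-backend-service base-url="https://service-x.example.invalid" />
        <!-- Step 7: the credentials live in API Management properties (named values)
             marked as secret; only the {{name}} references appear in the policy. -->
        <authentication-basic username="{{backend-user}}" password="{{backend-password}}" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

If the same policy should cover every service (step 6), put the `validate-jwt` element at the product or global scope and leave only `set-backend-service` and `authentication-basic` in each API's own policy; the `<base />` element is what pulls the outer scope's validation into the API-level policy. The `audiences` check is worth keeping at whichever scope you choose, since without it any token from the tenant, issued for any application, would pass the signature check.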