You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/active-directory/develop/sample-v2-code.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -55,12 +55,12 @@ The following samples illustrate web applications that sign in users. Some sampl
55
55
> | ASP.NET |[GitHub repo](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect)|[Sign in users and call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect)|[MSAL.NET](https://aka.ms/msal-net)||
56
56
> | ASP.NET |[GitHub repo](https://github.com/azure-samples/active-directory-dotnet-admin-restricted-scopes-v2)|[Admin Restricted Scopes <br/> • Sign in users <br/> • call Microsoft Graph](https://github.com/azure-samples/active-directory-dotnet-admin-restricted-scopes-v2)|[MSAL.NET](https://aka.ms/msal-net)||
57
57
> | ASP.NET |[GitHub repo](https://github.com/microsoftgraph/msgraph-training-aspnetmvcapp)| Microsoft Graph Training Sample |[MSAL.NET](https://aka.ms/msal-net)||
58
-
> | Java </p> Spring |[GitHub repo](https://github.com/Azure-Samples/ms-identity-java-spring-tutorial)| Azure AD Spring Boot Starter Series <br/> •[Sign in users](https://github.com/Azure-Samples/ms-identity-java-spring-tutorial/tree/main/1-Authentication/sign-in) <br/> •[Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-java-spring-tutorial/tree/main/1-Authentication/sign-in-b2c) <br/> •[Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-java-spring-tutorial/tree/main/2-Authorization-I/call-graph) <br/> •[Uses App Roles for access control](https://github.com/Azure-Samples/ms-identity-java-spring-tutorial/tree/main/3-Authorization-II/roles) <br/> •[Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-java-spring-tutorial/tree/main/4-Deployment/deploy-to-azure-app-service)| MSAL Java <br/> AAD Boot Starter |[Auth code flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow)|
58
+
> | Java </p> Spring |[GitHub repo](https://github.com/Azure-Samples/ms-identity-java-spring-tutorial) | Azure AD Spring Boot Starter Series <br/> • [Sign in users](https://github.com/Azure-Samples/ms-identity-java-spring-tutorial/tree/main/1-Authentication/sign-in) <br/> • [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-java-spring-tutorial/tree/main/1-Authentication/sign-in-b2c) <br/> • [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-java-spring-tutorial/tree/main/2-Authorization-I/call-graph) <br/> • [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-java-spring-tutorial/tree/main/3-Authorization-II/roles) <br/> • [Use Groups for access control](https://github.com/Azure-Samples/ms-identity-java-spring-tutorial/tree/main/3-Authorization-II/groups) <br/> • [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-java-spring-tutorial/tree/main/4-Deployment/deploy-to-azure-app-service) | MSAL Java <br/> AAD Boot Starter | [Auth code flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow) |
59
59
> | Java </p> Servlets |[GitHub repo](https://github.com/Azure-Samples/ms-identity-java-servlet-webapp-authentication) | Spring-less Servlet Series <br/> • [Sign in users](https://github.com/Azure-Samples/ms-identity-java-servlet-webapp-authentication/tree/main/1-Authentication/sign-in) <br/> • [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-java-servlet-webapp-authentication/tree/main/1-Authentication/sign-in-b2c) <br/> • [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-java-servlet-webapp-authentication/tree/main/2-Authorization-I/call-graph) <br/> • [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-java-servlet-webapp-authentication/tree/main/3-Authorization-II/roles) <br/> • [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-java-servlet-webapp-authentication/tree/main/3-Authorization-II/groups) <br/> • [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-java-servlet-webapp-authentication/tree/main/4-Deployment/deploy-to-azure-app-service) | MSAL Java | [Auth code flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow) |
60
60
> | Java |[GitHub repo](https://github.com/Azure-Samples/ms-identity-java-webapp)| Sign in users, call Microsoft Graph | MSAL Java |[Auth code flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow)|
61
61
> | Java </p> Spring|[GitHub repo](https://github.com/Azure-Samples/ms-identity-java-webapi)| Sign in users & call Microsoft Graph via OBO </p> • web API | MSAL Java |•[Auth code flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow) <br/> •[On-Behalf-Of (OBO) flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow)|
Some of the claims used above are considered deprecated but are fully supported. It is recommended that all future code and tooling use the non-deprecated claim names. See [claims issued by Azure Attestation](claim-sets.md) for more information.
132
137
138
+
The below claims will appear only in the attestation token generated for Intel® Xeon® Scalable processor-based server platforms. The claims will not appear if the SGX enclave is not configured with [Key Separation and and Sharing Support](https://github.com/openenclave/openenclave/issues/3054)
139
+
140
+
**x-ms-sgx-config-id**
141
+
142
+
**x-ms-sgx-config-svn**
143
+
144
+
**x-ms-sgx-isv-extended-product-id**
145
+
146
+
**x-ms-sgx-isv-family-id**
147
+
133
148
## Encryption of data at rest
134
149
135
150
To safeguard customer data, Azure Attestation persists its data in Azure Storage. Azure storage provides encryption of data at rest as it's written into data centers, and decrypts it for customers to access it. This encryption occurs using a Microsoft managed encryption key.
Copy file name to clipboardExpand all lines: articles/attestation/faq.yml
+7-7Lines changed: 7 additions & 7 deletions
Original file line number
Diff line number
Diff line change
@@ -21,27 +21,27 @@ sections:
21
21
- name: Ignored
22
22
questions:
23
23
- question: |
24
-
What is Azure PCK caching service and its role in enclave attestation
24
+
What is Trusted Hardware Identity Management (THIM) and its role in enclave attestation
25
25
answer: |
26
-
Azure PCK caching service defines the Azure security baseline for the [Azure Confidential computing (ACC)](../confidential-computing/overview.md) nodes from Intel and caches the data. The cached information will be further used by Azure Attestation in validating Trusted Execution Environments (TEEs).
26
+
Trusted Hardware Identity Management (THIM) defines the Azure security baseline for the [Azure Confidential computing (ACC)](../confidential-computing/overview.md) nodes from Intel and caches the data. The cached information will be further used by Azure Attestation in validating Trusted Execution Environments (TEEs).
27
27
28
-
Azure PCK caching service:
28
+
THIM is recommended for the following reasons:
29
29
- Offers high availability
30
30
- Reduces dependencies on externally hosted services and internet connectivity.
31
31
- Fetches the latest versions of Intel certificates, CRLs, Trusted Computing Base (TCB) information and Quoting Enclave identity of the ACC nodes from Intel. The service hence confirms the Azure security baseline to be referred by Azure Attestation while validating the TEEs, greatly reducing attestation failures due to invalidation or revocation of Intel certificates
32
32
33
33
- question: |
34
34
Is SGX attestation supported by Azure Attestation in non-Azure environments
35
35
answer: |
36
-
No. Azure Attestation depends on the security baseline stated by Azure PCK caching service to validate the TEEs. Azure PCK caching service is currently designed to support only Azure Confidential computing nodes.
36
+
No. Azure Attestation depends on the security baseline stated by Trusted Hardware Identity Management (THIM) to validate the TEEs. THIM is currently designed to support only Azure Confidential computing nodes.
37
37
38
38
- question: |
39
39
What validations does Azure Attestation perform for attesting SGX enclaves
40
40
answer: |
41
41
Azure Attestation is a unified framework for remotely attesting different types of TEEs. Azure Attestation:
42
42
43
43
- Validates if the trusted root of a signed enclave quote belongs to Intel.
44
-
- Validates if the enclave quote meets the Azure security baseline as defined by Azure PCK caching service.
44
+
- Validates if the enclave quote meets the Azure security baseline as defined by Trusted Hardware Identity Management (THIM).
45
45
- Validates if the SHA256 hash of Enclave Held Data (EHD) in the attestation request object matches the first 32 bytes of reportData field in the enclave quote.
46
46
- Allows customers to create an attestation provider and configure a custom policy. In addition to the above validations, Azure Attestation evaluates the enclave quote against the policy. Policies define authorization rules for the enclave and also dictate issuance rules for generating the attestation token. To confirm if intended software is running in an enclave, customers can add authorization rules to verify if **mrsigner** and **mrenclave** fields in the enclave quote matches the values of customer binaries.
47
47
@@ -50,12 +50,12 @@ sections:
50
50
answer: |
51
51
In general, for the attestation models with Intel as the root of trust, attestation client talks to enclave APIs to fetch the enclave evidence. Enclave APIs internally call Intel PCK caching service to fetch Intel certificates of the node to be attested. The certificates are used to sign the enclave evidence thereby generating a remotely attestable collateral.
52
52
53
-
The same process can be implemented for Azure Attestation. However to leverage the benefits offered by Azure PCK caching service, after installing ACC virtual machine, it is recommended to install [Azure DCAP library](https://www.nuget.org/packages/Microsoft.Azure.DCAP). Based on the agreement with Intel, when Azure DCAP library is installed, the requests for generating enclave evidence are redirected from Intel PCK caching service to Azure PCK caching service. Azure DCAP library is supported in Windows and Linux-based environments.
53
+
The same process can be implemented for Azure Attestation. However to leverage the benefits offered by Trusted Hardware Identity Management (THIM), after installing ACC virtual machine, it is recommended to install [Azure DCAP library](https://www.nuget.org/packages/Microsoft.Azure.DCAP). Based on the agreement with Intel, when Azure DCAP library is installed, the requests for generating enclave evidence are redirected from Intel PCK caching service to THIM. Azure DCAP library is supported in Windows and Linux-based environments.
54
54
55
55
- question: |
56
56
How to shift to Azure Attestation from other attestation models
57
57
answer: |
58
-
- After installing Azure Confidential computing virtual machine, install Azure DCAP library ([Windows/](https://www.nuget.org/packages/Microsoft.Azure.DCAP/) [Linux](https://packages.microsoft.com/ubuntu/18.04/prod/pool/main/a/az-dcap-client/)) to leverage the benefits offered by Azure PCK caching service.
58
+
- After installing Azure Confidential computing virtual machine, install Azure DCAP library ([Windows/](https://www.nuget.org/packages/Microsoft.Azure.DCAP/) [Linux](https://packages.microsoft.com/ubuntu/18.04/prod/pool/main/a/az-dcap-client/)) to leverage the benefits offered by Trusted Hardware Identity Management (THIM).
59
59
- Remote attestation client needs to be authored which can retrieve the enclave evidence and send requests to Azure Attestation. See [code samples](/samples/browse/?expanded=azure&terms=attestation) for reference
60
60
- Attestation requests can be sent to the REST API endpoint of default providers or custom attestation providers
61
61
- Azure Attestation APIs are protected by Azure AD authentication. Hence the client that invokes attest APIs must be able to obtain and pass a valid Azure AD access token in the attestation request
0 commit comments