Page 53 - MSDN Magazine, March 2018

Architecture of the Solution
The solution uses Azure Key Vault to store the document serial number, along with the properties of the associated insurance policy, as a secret. For additional security, the data that’s stored as a secret is encrypted beforehand using asymmetric keys generated in Azure Key Vault. While only the bare minimum data required to secure and validate each policy gets captured in the secret, additional supporting information is stored in an Azure SQL Database. The database also implements constraints on the data, to ensure, for example, that a registered vehicle has a single active policy number, that the same policy number hasn’t been used for multiple records, and so forth. Figure 1 represents the architecture used in the solution.
[Figure 1 (diagram): customers and users of the central agency and insurance companies reach, over the Internet, the Customer Portal (ASP.NET Core 2.0 MVC) and the Admin Portal (ASP.NET Core 2.0 MVC), which use Azure Key Vault and an Azure SQL Database. Customers sign in through an Azure AD B2C Tenant (B2C tenant account or social credentials); admin users sign in through an Azure AD Tenant (work account in Azure AD or Azure AD B2B).]
Figure 1 Solution Architecture
I’ve implemented two portal applications in this solution, one that’s used by the central agency and insurance companies, and the other by customers who buy insurance policies and by regulatory authorities who need to ascertain the validity of the policies.
The admin portal and the customer portal are ASP.NET Core 2.0 MVC applications that use Entity Framework to store policy data in an Azure SQL Database, after it has first been stored in Azure Key Vault. The .NET SDK for Azure Key Vault is used to perform the cryptographic operations on the data, such as the creation of secrets and their versions and the encryption and decryption of the secrets using keys. Users of the admin portal are authenticated with Azure AD, while customers, who are external users, use Azure AD B2C to self-register and sign in to the customer portal.
Separate service principals in Azure AD are created for the admin and customer portals, and separate policies are set that lock down their access to operations in Azure Key Vault. The admin portal policy permits the creation of keys and secrets, as well as the performance of operations like the encryption and decryption of data. The customer portal, in contrast, is assigned a policy that permits only the “get” operation on a secret and the “decrypt” operation on the secret retrieved. This ensures that individual applications don’t have more access than needed to Azure Key Vault.
The policy data stored as a secret in Azure Key Vault is first encrypted, for additional security. Every time the secret is updated, a new version gets created, and previous versions of the data are preserved. An audit trail is also maintained for all operations performed in the Key Vault, which is archived to meet statutory compliance requirements.
The attribute bundle of the secrets stored in Azure Key Vault captures the policy start and end dates, which are used to ascertain the validity of the policy. Tags and content-type parameters of secrets are used to store additional information pertaining to the insurance policy.
The following code snippet shows how the attributes, tags and content types are added to the policy data stored as a secret:
using System;
using System.Collections.Generic;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
SecretAttributes attribs = new SecretAttributes {          // validity window of the secret
  Enabled = true,
  Expires = DateTime.UtcNow.AddYears(1),                   // policy end date
  NotBefore = DateTime.UtcNow.AddDays(1)                   // policy start date
};
IDictionary<string, string> alltags = new Dictionary<string, string>();
alltags.Add("InsuranceCompany", policydata.Inscompany);    // tags hold supplementary policy data
string contentType = "DigitalInsurance";
SecretBundle bundle = await _keyVaultClient.SetSecretAsync( // encrypteddata was encrypted beforehand with a vault key
  keyVaultUri, policydata.Uidname, encrypteddata, alltags, contentType, attribs);
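As an added example (not the article’s or the project’s own code) that carries the snippet above through the full round trip: the admin portal encrypts the policy data with a Key Vault key before storing it as a secret version, and the customer portal retrieves the secret, checks the validity window captured in its attributes and only then decrypts the payload. The class and member names, the vault URL and the key identifier are assumptions; the client is assumed to be authenticated as the respective portal’s service principal with the access policy the article describes.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Azure.KeyVault.WebKey;

// Added example; class and member names are hypothetical. Assumes a client already
// authenticated as the portal's service principal, the vault URL and the identifier
// of an RSA key created in the vault (https://<vault>.vault.azure.net/keys/<name>).
public class PolicySecretFlow
{
    private readonly IKeyVaultClient _kv;
    private readonly string _vaultUri;
    private readonly string _keyId;
    public PolicySecretFlow(IKeyVaultClient kv, string vaultUri, string keyId)
    { _kv = kv; _vaultUri = vaultUri; _keyId = keyId; }

    // Admin portal (policy: create keys/secrets, encrypt, decrypt): encrypt the policy
    // payload with the vault key, then store it as a new version of the serial number's
    // secret. NotBefore/Expires carry the validity period, the tag names the insurer.
    // RSA-OAEP encrypts at most 214 bytes with a 2048-bit key, so keep the payload minimal.
    public async Task<string> StorePolicyVersionAsync(string serialNumber, string policyJson,
        DateTime start, DateTime end, string insurer)
    {
        KeyOperationResult enc = await _kv.EncryptAsync(_keyId,
            JsonWebKeyEncryptionAlgorithm.RSAOAEP, Encoding.UTF8.GetBytes(policyJson));
        var attribs = new SecretAttributes { Enabled = true, NotBefore = start, Expires = end };
        var tags = new Dictionary<string, string> { { "InsuranceCompany", insurer } };
        SecretBundle bundle = await _kv.SetSecretAsync(_vaultUri, serialNumber,
            Convert.ToBase64String(enc.Result), tags, "DigitalInsurance", attribs);
        return bundle.SecretIdentifier.Version;   // a new version id on every update
    }

    // Customer portal (policy: "get" on secrets and "decrypt" on the key only): fetch the
    // current version, check the validity window explicitly, then decrypt the payload.
    public async Task<(bool valid, string policyJson)> ValidatePolicyAsync(string serialNumber)
    {
        SecretBundle bundle = await _kv.GetSecretAsync(_vaultUri, serialNumber);
        SecretAttributes a = bundle.Attributes;
        DateTime now = DateTime.UtcNow;
        bool valid = a.Enabled == true
            && a.NotBefore.HasValue && a.NotBefore.Value <= now
            && a.Expires.HasValue && now < a.Expires.Value;
        if (!valid) return (false, null);         // disabled, not yet in force or expired
        KeyOperationResult dec = await _kv.DecryptAsync(_keyId,
            JsonWebKeyEncryptionAlgorithm.RSAOAEP, Convert.FromBase64String(bundle.Value));
        return (true, Encoding.UTF8.GetString(dec.Result));
    }
}
```

The validity check is done by the application on the attributes it reads back, so a policy whose secret exists but is outside its start and end dates is rejected before any decrypt call is made.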
Implementing the Use Case Scenario
Let’s take a closer look at the use case scenario that’s implemented by the solution. Here are the basic steps:
Purchase of Unique Codes by Insurance Companies: On receipt of orders from the insurance companies, the central agency uses the admin portal to generate an inventory of document serial numbers and store them as secrets in Azure Key Vault. The admin portal creates the first version of a secret in Azure Key Vault and then creates a record in Azure SQL Database.
Policy Generation: When a customer purchases a vehicle policy, an unassigned secret from the previous step is chosen and additional information, such as the vehicle registration number, the identity of the customer, the policy document number generated and the validity period of the policy, is added. A new version of the original secret containing this additional information is