Page 54 - MSDN Magazine, March 2018
created in the process, and the corresponding record in Azure SQL Database is also updated.
Activation of Policy by Customer: Once all the details of a policy are captured in the secret, a notification is sent to the customer (outside the scope of this article) with instructions for activating the policy. Users can self-register on the customer portal either using their social credentials or the credentials stored in Azure AD B2C. When the customer is signed into the portal, the policy details are displayed along with an option to activate it. On activation, the user downloads a QR code from the portal and affixes its image to the insured vehicle.
Policy Validation: Customers or regulatory authorities can validate the policy at any time using a native Xamarin app that reads the QR code on the vehicle and displays the policy details encoded in it, to be tallied against those shown on the vehicle. This offline validation needs no Internet connection, but it can only show what the QR code itself carries. When connected to the Internet, an additional check is performed: the native app invokes a REST API exposed by the customer portal MVC application, passing the data read from the QR code. The API first matches this data against the record in Azure SQL Database, and then against the data stored in the secret in Azure Key Vault.
Technical Aspects of the Solution
Now let’s delve into the source code and automation scripts used in the solution. Keep in mind that the code and scripts shared in this article are by no means intended to be a complete solution, nor do they necessarily handle all validations, exceptions or best practices required in a production-ready application. They are meant rather to illustrate specific aspects of a technology area or to provide guidance toward developing a full-fledged solution.
Figure 2 Dependency Framework in ASP.NET Core 2.0 MVC Application
Create and Configure Azure Key Vault The PowerShell script files PrepareContosoAKV.ps1 and PrepareContosousersAKV.ps1, included with the accompanying download, are used to provision and configure the key vault used in this article. Here's what they accomplish:
• Creation of self-signed certificates (to be used only in dev scenarios) for the admin and customer portal ASP.NET MVC applications, which are used when creating the service principals in Azure AD.
• Creation of a service principal in Azure AD that's assigned to the admin portal. The access policy that's set for this service principal permits creation and update of keys and secrets, and the performance of operations like encryption and decryption. Note that the value all used below is broader than that description: it also covers delete, backup, restore and purge, so a least-privilege policy would list only the operations the admin portal actually performs:

# Specify privileges to the vault for the Admin Portal application
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName `
  -ObjectId $servicePrincipal.Id `
  -PermissionsToKeys all `
  -PermissionsToSecrets all
• Creation of a service principal in Azure AD that's assigned to the customer portal. The access policy that's set for this service principal permits Get and List operations on keys and secrets, and the decryption of data, but no creation or modification:

# Specify privileges to the vault for the Customer Portal application
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName `
  -ObjectId $servicePrincipal.Id `
  -PermissionsToKeys get,list,decrypt `
  -PermissionsToSecrets get,list
• Note that there's an alternative to creating these service principals with PowerShell, which is to use the Managed Service Identity feature in Azure App Service. This is actually recommended, because it removes the need to provision, store and rotate the authentication certificates for the portals. Refer to the guidance at bit.ly/2BgB6mu for more details.
• Creation of a key used for the encryption and decryption of a secret.
• Creation of a secret that stores the connection string to the Azure SQL Database. (This can be done directly on the Azure Portal, as can the other steps.)
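The steps above, as one added PowerShell script. This is not the article's PrepareContosoAKV.ps1; it assumes the AzureRM module, an existing Login-AzureRmAccount session, and the resource group, vault, key and display names set at the top, and it tightens the access policies to the operations the text describes rather than granting all.

```powershell
# Added example (not the article's script): provision the vault and grant each
# portal only the permissions it needs. All names below are assumptions.
$rgName    = "contoso-ins-rg"
$location  = "westeurope"
$vaultName = "contoso-ins-kv"
$keyName   = "PolicyDataKey"

# 1. Resource group and vault. Soft delete keeps deleted keys/secrets recoverable.
New-AzureRmResourceGroup -Name $rgName -Location $location -Force | Out-Null
New-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $rgName `
  -Location $location -Sku Standard -EnableSoftDelete | Out-Null

# 2. Self-signed certificate per portal (dev only), Azure AD app and service principal.
function New-PortalPrincipal([string]$DisplayName) {
    $cert = New-SelfSignedCertificate -Subject "CN=$DisplayName" `
              -CertStoreLocation "Cert:\CurrentUser\My" `
              -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(1)
    $certValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
    $app = New-AzureRmADApplication -DisplayName $DisplayName `
             -IdentifierUris "https://$($DisplayName.ToLower()).contoso.example" `
             -CertValue $certValue -StartDate $cert.NotBefore -EndDate $cert.NotAfter
    $sp = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
    # ApplicationId and Thumbprint go into appsettings.json (AzureKeyVault:ClientIdWeb,
    # AzureKeyVault:AuthCertThumbprint); the SP object id is what the access policy binds to.
    [pscustomobject]@{ ClientId = $app.ApplicationId; Thumbprint = $cert.Thumbprint; ObjectId = $sp.Id }
}
$adminSp    = New-PortalPrincipal -DisplayName "ContosoInsAdminPortal"
$customerSp = New-PortalPrincipal -DisplayName "ContosoInsCustomerPortal"
Start-Sleep -Seconds 15   # let the new principals replicate in Azure AD before use

# 3. Least-privilege access policies instead of "all".
#    Admin portal: create/update keys and secrets, encrypt and decrypt.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $adminSp.ObjectId `
  -PermissionsToKeys get,list,create,update,encrypt,decrypt `
  -PermissionsToSecrets get,list,set
#    Customer portal: read plus decrypt only; it can neither create nor change anything.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $customerSp.ObjectId `
  -PermissionsToKeys get,list,decrypt `
  -PermissionsToSecrets get,list

# 4. The key that protects policy data, and the database connection-string secret.
Add-AzureKeyVaultKey -VaultName $vaultName -Name $keyName -Destination Software | Out-Null
$connString = Read-Host -Prompt "Azure SQL connection string" -AsSecureString
Set-AzureKeyVaultSecret -VaultName $vaultName -Name "DbConnectionString" `
  -SecretValue $connString -ContentType "text/plain" | Out-Null

"Admin    ClientId=$($adminSp.ClientId)    Thumbprint=$($adminSp.Thumbprint)"
"Customer ClientId=$($customerSp.ClientId) Thumbprint=$($customerSp.Thumbprint)"
```

With Managed Service Identity, step 2 disappears: enable the identity on each App Service (Set-AzureRmWebApp -AssignIdentity $true) and pass the returned Identity.PrincipalId as the -ObjectId in step 3, so no certificate ever has to be deployed with the portals.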
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
    // Adding the Azure AD integration for user authentication
    services.AddAuthentication(sharedOptions =>
    {
        sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        sharedOptions.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddAzureAd(options => Configuration.Bind("AzureAd", options))
    .AddCookie();

    services.AddMvc();

    // Add the Key Vault service client connection to the context object.
    // The client authenticates to Azure AD with the certificate identified by
    // AuthCertThumbprint, so that certificate must be installed where the app runs.
    AKVServiceClient servClient = new AKVServiceClient(
        Configuration["AzureKeyVault:ClientIdWeb"],
        Configuration["AzureKeyVault:AuthCertThumbprint"],
        Configuration["AzureKeyVault:VaultName"],
        Configuration["AzureKeyVault:KeyName"]);
    services.AddSingleton<AKVServiceClient>(servClient);

    // Get the connection string to Azure SQL Database from the secret in Azure Key Vault
    string connection = servClient.GetDbConnectionString();

    // Add the Azure SQL Database connection to the context object
    services.AddDbContext<ContosoinsauthdbContext>(options => options.UseSqlServer(connection));

    services.AddOptions();
}
Azure Key Vault
For simplicity, this solution uses a single key vault, and a single set of keys for all insurance companies and brokers to encrypt and decrypt the data. In the real world, for added isolation and security, separate Azure Key Vault instances should be created for each insurance company, and grouped by region, for example, or any other criteria. This ensures that the data maintained by one insurance company can't be read by others because they wouldn't share the same encryption key.
Keep in mind that secrets stored in Azure Key Vault must be no more than 25KB in size. Hence, to avoid bloat, only certain properties of the policy data are stored in it, such as ID (document serial number), secret name, user ID, policy number and insurance company ID. The Entity Insdata.cs file in the Visual Studio 2017 solution ContosoInsAuthorityAdminPortal.sln contains these properties. Other properties, like the effective start and end dates, content type, and so on, are stored as attributes of the secret in the key vault.
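An added example (not part of the article's solution) covering both points above: the policy record is written to a per-company vault so insurers never share a key set, only the listed properties go into the secret value, which is checked against the 25KB limit before the write, and the effective dates become secret attributes rather than payload. The vault naming scheme, the sample policy, the secret name and the tag names are assumptions; it expects an AzureRM session with set/get rights on the target vault.

```powershell
# Added example: one policy record as a Key Vault secret in a per-insurer vault.
$MaxSecretBytes = 25 * 1024   # Key Vault limit on a secret value

# Constructed sample policy: only the properties the article keeps in the secret.
$policy = [ordered]@{
    Id                 = "DOC-000451"       # document serial number
    SecretName         = "policy-000451"
    UserId             = "user-7f3a"
    PolicyNumber       = "CI-2018-000451"
    InsuranceCompanyId = "ins-042"
}
$effectiveFrom = Get-Date "2018-03-01"
$effectiveTo   = Get-Date "2019-02-28"

function Get-CompanyVaultName([string]$CompanyId) {
    # Assumed scheme: one vault per insurer, so each has its own keys and cannot
    # decrypt another insurer's data. Vault names are 3-24 alphanumerics/hyphens.
    $name = "contoso-ins-" + ($CompanyId -replace '[^a-zA-Z0-9-]', '')
    if ($name.Length -gt 24) { throw "Vault name '$name' exceeds 24 characters" }
    return $name
}

function Set-PolicySecret([System.Collections.IDictionary]$Policy,
                          [datetime]$NotBefore, [datetime]$Expires) {
    $json  = $Policy | ConvertTo-Json -Compress
    $bytes = [System.Text.Encoding]::UTF8.GetByteCount($json)
    if ($bytes -gt $MaxSecretBytes) {
        throw "Policy payload is $bytes bytes; Key Vault secrets must not exceed $MaxSecretBytes"
    }
    $vaultName = Get-CompanyVaultName -CompanyId $Policy.InsuranceCompanyId
    $secure    = ConvertTo-SecureString -String $json -AsPlainText -Force
    # Effective dates ride along as NotBefore/Expires attributes and the rest as
    # content type and tags, so they never count against the 25KB value and can
    # be inspected without decoding the payload.
    Set-AzureKeyVaultSecret -VaultName $vaultName -Name $Policy.SecretName `
        -SecretValue $secure -ContentType "application/json" `
        -NotBefore $NotBefore -Expires $Expires `
        -Tag @{ insuranceCompanyId = $Policy.InsuranceCompanyId; policyNumber = $Policy.PolicyNumber }
}

# Read side, as the customer portal's REST API would do it: compare what the QR
# code carried against what the vault holds, and honour the attribute window.
function Test-PolicySecret([string]$CompanyId, [string]$SecretName, [string]$PolicyNumberFromQr) {
    $vaultName = Get-CompanyVaultName -CompanyId $CompanyId
    try {
        $secret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $SecretName
    } catch {
        # Key Vault refuses to return expired or not-yet-active secrets; treat as invalid.
        return $false
    }
    if (-not $secret) { return $false }
    $now = Get-Date
    if ($secret.Attributes.NotBefore -and $now -lt $secret.Attributes.NotBefore) { return $false }
    if ($secret.Attributes.Expires   -and $now -gt $secret.Attributes.Expires)   { return $false }
    $stored = $secret.SecretValueText | ConvertFrom-Json
    return ($stored.PolicyNumber -eq $PolicyNumberFromQr -and $stored.InsuranceCompanyId -eq $CompanyId)
}

Set-PolicySecret -Policy $policy -NotBefore $effectiveFrom -Expires $effectiveTo | Out-Null
Test-PolicySecret -CompanyId "ins-042" -SecretName "policy-000451" -PolicyNumberFromQr "CI-2018-000451"
```

The size check runs before any network call so an oversized record fails locally instead of with a vault error, and the read path rejects a record outside its NotBefore/Expires window even if a caller holds a valid QR code for it.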
Build the Admin and Customer Portal Applications Refer to the Visual Studio 2017 solution ContosoInsAuthorityAdminPortal.sln in the download for the admin portal source code, and to ContosoinsExtPortal.sln for the customer portal code.