Mixed Reality Authentication for Active Directory

On-Premise Active Directory Authentication with RemoteSpark

Introducing SparkBridge

We’ve completed our authentication bridge, SparkBridge, for Universal Windows Platform (UWP) applications. It lets a HoloLens application, such as RemoteSpark, authenticate users against on-premise Active Directory.

The PC version of a UWP app such as RemoteSpark can use Windows Hello for Business to authenticate to Active Directory (AD). That does not work on the HoloLens, which can only sign in with an Azure Active Directory (AAD) account, a Microsoft Account (MSA), or a local account.

For on-premise Active Directory you therefore need an authentication proxy, bridge or relay like the one we built for RemoteSpark. The HoloLens itself signs in with a local account, and RemoteSpark can be configured so that it only accepts valid AD accounts.

SparkBridge was originally titled Kognitiv Spark Mixed Reality Authentication Bridge for the Enterprise, but the name was changed so as not to sound like a Microsoft product circa 2008. Example: Windows Server 2008 R2 Service Pack 3 for Data Center on I64.

Authentication Bridge 

This method mimics how a Microsoft cloud account is currently validated by RemoteSpark, or by any other UWP application.

When the user logs into RemoteSpark with an AD account on the HoloLens, the RemoteSpark client opens a WebView that loads content from the configured AD Authentication Agent server. The WebView collects the AD username, AD password and email address from the user and submits them to the agent, which validates them against Active Directory. Because the WebView is carrying domain credentials, the agent should only be reachable over HTTPS. If authentication succeeds, the AD Authentication Agent sets up a secure session for the client.
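The agent-side half of that exchange, as an added illustration rather than SparkBridge or Kognitiv Spark code: the post does not say how the agent validates credentials or what its "secure session" looks like, so this example assumes a Python agent that checks the posted username and password with an LDAPS bind (port 636, third-party ldap3 package) and then issues a short-lived HMAC-signed session token. DC_HOST, DOMAIN, the token format and the sample form values are all assumptions, and the verifier is injectable so the flow can be exercised without a domain controller.

```python
"""AD authentication agent core: an added example, not SparkBridge or Kognitiv Spark code.

Assumptions not taken from the post: the agent is a Python service the HoloLens WebView
reaches over HTTPS; it validates the posted AD username/password with an LDAPS bind using
the third-party ldap3 package; and the "secure session" is a short-lived HMAC-signed token
the client presents afterwards. DC_HOST and DOMAIN are placeholders.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Optional

DC_HOST = "dc01.corp.example"   # assumed domain controller
DOMAIN = "CORP"                 # assumed NetBIOS domain name
SESSION_TTL_SECONDS = 8 * 3600
# Signing key stays on the agent only. Generated per process here to keep the example
# self-contained; a deployment loads it from protected configuration.
SESSION_KEY = secrets.token_bytes(32)


def verify_ad_credentials(dc_host: str, domain: str, username: str, password: str) -> bool:
    """Check a username/password with an LDAPS bind against a domain controller."""
    # Reject empty passwords before touching the network: many LDAP servers treat a
    # bind with an empty password as an anonymous bind and report success.
    if not username or not password:
        return False
    import ssl
    import ldap3  # pip install ldap3; imported lazily so the token code runs without it
    from ldap3.core.exceptions import LDAPException

    # ldap3's default Tls() skips certificate validation; require it (system CA store,
    # or pass ca_certs_file= for a private PKI).
    tls = ldap3.Tls(validate=ssl.CERT_REQUIRED)
    server = ldap3.Server(dc_host, port=636, use_ssl=True, tls=tls, get_info=ldap3.NONE)
    conn = ldap3.Connection(server, user=f"{domain}\\{username}", password=password,
                            authentication=ldap3.NTLM, raise_exceptions=False)
    try:
        return bool(conn.bind())
    except LDAPException:
        return False  # fail closed on connection errors; log these in a real agent
    finally:
        if conn.bound:
            conn.unbind()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_token(username: str, now: Optional[float] = None) -> str:
    """Mint <base64 payload>.<base64 HMAC-SHA256 tag> binding the user to an expiry."""
    now = time.time() if now is None else now
    claims = {"sub": username, "exp": int(now) + SESSION_TTL_SECONDS,
              "nonce": secrets.token_hex(8)}  # nonce keeps tokens unique per login
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SESSION_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_session_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username for a valid, unexpired token, otherwise None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:  # malformed token or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SESSION_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time; verify before parsing
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def handle_login(form: dict, verifier: Callable[..., bool] = verify_ad_credentials,
                 now: Optional[float] = None) -> dict:
    """Agent-side handling of the form the WebView posts (username, password, email).

    `verifier` is injectable so the flow can run without a domain controller. The email
    field is part of the flow the post describes but plays no role in the AD check.
    """
    username = form.get("username", "").strip()
    password = form.get("password", "")
    if not verifier(DC_HOST, DOMAIN, username, password):
        # Identical response for unknown user and wrong password: no user enumeration.
        return {"ok": False, "error": "invalid credentials"}
    return {"ok": True, "session": issue_session_token(username, now)}
```

Two checks in this block are the ones most often missed in home-grown bridges: an empty password must never reach the LDAP bind, and the LDAPS certificate must actually be validated, since ldap3's default TLS settings do not do that for you.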

Additional Security/Trust Factors: 

  1. We provide a source-code license for the AD Authentication Agent to authorized enterprise clients so they can perform their own security review.

  2. Separate AD accounts with limited rights can be created for use with the app, to further limit the damage a compromised credential could do. This is especially useful for pilot deployments.

  3. This follows the same pattern as authenticating with Office 365 and Azure Active Directory accounts.

Authentication Bridge Diagram 

What’s Next? 

Each day the security and development teams hold a joint stand-up, which means security and the product feature roadmap are discussed as a group every day. We are continuously looking at ways to increase the security of our Mixed Reality applications, and many of our ideas come from the collaboration between the disciplines on our team.

The team is also exploring low-level UWP libraries for SAML, LDAP, Kerberos and similar protocols, to find additional mechanisms for authenticating Mixed Reality apps like RemoteSpark against a range of authentication providers.

Currently we are looking at implementing a Relying Party Trust with AD FS for UWP application authentication against AD, and at integrating it into the bridge, which would give us additional options for supporting different versions of on-premise Active Directory installations.

Have questions about this topic or how it applies to your organization? Reach me on Twitter @RyanGroom or via the Kognitiv Spark site. 

Unsure what RemoteSpark is and want to learn more? Book a remote demo here.
