Is it possible to SSO into a 3rd party mobile application from Azure AD B2C secured mobile application directly?(app to app)
I know we can do app to web to app using an interim auth web page as bridge but I was wondering if direct communication and SSO possible between apps? Let's say platform is iOS and app1 is secured with Azure AD B2C and app2 is with another IDP and we would like to jump from app1 into app2 without logging in again. If possible which protocol should we choose (oAuth, OpenID, SAML) and which libraries AppAuth, MSAL etc. should we consider using
Hope it is clear if not pls comment and I will extend the question
If you are just trying to open a second app and auto-sign on with some credentials, app2 can define a custom URL scheme. Then app1 can use that scheme to open the app and provide the credentials/token.
More About Apple URL Schemes.
caveat: I have not implemented this myself.
Related
Can we achieve the if Any user login into iOS App Through MSAL in azure and it is authenticate and then if I open a webApp into Device Safari then it should automatically sign in and vice versa if do sso on WebApp then iOS App Login
Yes, we can achieve in SSO and web app using Azure using silent SSO between multiple apps.
This type of SSO works between multiple apps distributed by the same Apple Developer. It provides silent SSO (that is, the user isn't prompted for credentials) by reading refresh tokens written by other apps from the keychain, and exchanging them for access tokens silently.
Microsoft provides apps, called brokers, that enable SSO between applications from different vendors as long as the mobile device is registered with Azure Active Directory (AAD). This type of SSO requires a broker application be installed on the user's device.
SSO between MSAL and Safari
Silent SSO between multiple apps need to ensure the following points.
Ensure that all your applications use the same Client ID or Application ID.
Ensure that all of your applications share the same signing certificate from Apple so that you can share keychains.
Request the same keychain entitlement for each of your applications.
Tell the MSAL SDKs about the shared keychain you want us to use if it's different from the default one.
Here are the details information about SSO for IOS and MAC OS.
We're building an iOS native app together with two web apps. For identiy/access management we are using Keycloak (supports OpenID Connect and OAuth 2.0).
The iOS apps are installed on MDM managed devices. Only our apps are installed.
I learnt that the current best practice for implementing authentication/authorization is to use OpenId Connect and a browser based flow through an external user agent:
http://lists.jboss.org/pipermail/keycloak-dev/2016-May/007259.html
https://www.rfc-editor.org/rfc/rfc8252.txt
https://auth0.com/blog/oauth-2-best-practices-for-native-apps/
using one of these libraries:
https://github.com/openid/AppAuth-iOS
https://github.com/aerogear/aerogear-ios-oauth2
Is it also recommended for MDM managed iOS devices (with no "evil" third party apps, just our own stuff) to implement a browser based flow? Or is it safe in this case to implement a native login flow (user enters credentials directly into the app)?
I am worried about the user experience... That switch between our app and the browser does not look very smooth...
There is an RFC about OAuth2 for native apps. It's worth reading - it discusses possible implementations and security risks involved. The general recommended way is to use the authorization code flow in a browser (not an internal application component), because this way the application cannot get the user credentials. People use to trust the browser and the authentication provider more than other apps, so the visibility of URL and the verified SSL certificate is important too.
The RFC covers also the iOS implementation details:
Apps can initiate an authorization request in the browser, without the
user leaving the app, through the "SFSafariViewController" class or
its successor "SFAuthenticationSession", which implement the in- app
browser tab pattern. Safari can be used to handle requests on old
versions of iOS without in-app browser tab functionality.
So if you use the SFAuthenticationSession you don't need to open a new Safari window and the user experience should not suffer.
If you use the Resource Owner Password Credentials grant (users enter their credentials into your application directly), you will make it less secure for the same reasons - the credentials get exposed to the application. And using this grant, you cannot use the third party authentication providers in Keycloak (Google, Facebook).
It's up to you (and your organization) how much secure you want the system to be, so you can opt for some compromises, but I would rather stick to the current best practices, since the app may grow later the compromises may turn to problems.
I am building an iOS application with swift and this application has a web client that's using Microsoft Azure services. I want to add sign in and login functionality to the application using Microsoft Azure. I am not using any cloud applications or services. I will just have simple forms for signing up and logging in. I want to be able to save user credentials to authenticate and authorize them when they are using the application. I tried reading over their documentation and It seems to me that I need to use Azure Active Directory but I am not clear on that.
I am fairly new to Microsoft Azure, Can anyone clarify to me if I can use it and provide resources of how to do that.. ?
The simplest way to implement that is to use Azure Mobile Apps - it is the backend-as-a-service. You are able to connect your backend with the authentication providers of a choice - Facebook, Azure Active Directory, custom provider, etc. Then, when user will try to authenticate, all of the authentication code will be handled by a cloud platform - user will enter his credentials, these will be sent to the auth provider and if they are valid it will send the auth token that you will be able to use in your app to get his information, etc.
Here is the tutorial for Mobile Apps for iOS.
Or, you may use Azure Active Directory directly as a provider (it will serve as a catalogue of your users). Using that tutorial or the samples from the official library. But i would highly recommend to look at Mobile Apps as it is the fast and simple way to implement what you need.
We have web application built on ruby on rails and added Azure AD SSO feature. We are using OAuth2 and JWT gems for achieving SSO functionality. But after successful user login, our application is not visible on users office portal myapps dashboard. Instead it is only visible if AD admin assigns this app to the user.
But..
Our objective is to show our application on any user(multi-tenant) apps (https://portal.office.com/myapps) once he successfully performs SSO. Like, developing a Web app(ruby-on-rails) that users can install directly from the Office Store.
After our googling we found this ASP.NET DEMO application(https://github.com/OfficeDev/O365-WebApp-MultiTenant) which is working same as we expected. After login we are able to see this demo app on users myapps. In the app description following is written "web application that uses Azure AD for sign-in using the OpenID Connect protocol, and then calls a Office 365 API under the signed-in user's identity using tokens obtained via OAuth 2.0. This sample uses the OpenID Connect ASP.Net OWIN middleware and ADAL .Net.".
It is clear that DEMO app uses OpenID Connect protocol, which we are not using. is this creating problem? Kindly guide us in right direction.
The administrator have to accept the app for the whole Tenant so called admin consent.
http://blog.mastykarz.nl/implementing-admin-consent-multitenant-office-365-applications-implicit-oauth-flow/
https://github.com/waldekmastykarz/sample-azure-adminconsent
hope this help
I found working ruby on rails working example which implements Openid-connect protocol here https://github.com/nov/openid_connect_sample_rp. Then modified db/seeds.db to
I am trying to implement enterprise mobile SSO with our Identity Provider (OKTA). My goal is to have a smooth user experience; the user shouldn't leave our custom built app in order to login to the identity provider.
OKTA has a native iOS app that facilitates the process. During the login, it is possible to forward the user to the OKTA Native App, do the authentication and bring the user back to the custom app. The process looks like (image is taken from http://tech.blog.box.com/2013/03/rethinking-mobile-sso/):
What I am trying to is to avoid the opening of the Native SSO App (the first 2 steps). OKTA provides a REST API that allows the user to authenticate and create sessions programmatically (and more http://developer.okta.com/docs/getting_started/design_principles.html).
The question is: After creating a session with the native SSO App (OKTA) via its REST API and getting the auth token, can I authenticate directly with the Service Provider from my custom native iOS app?
Okta provides a method for native app sso on iOS that allows the user start in your app, and have an SSO experience. In this case the Okta Mobile App serves as the identity provider. So long as the user has a session within Okta Mobile, they can access your custom native app without entering their credentials. If the user's session in Okta Mobile has ended, they can re-authenticate with their PIN.
More details on the standards-based framework (SAML + iOS) are available here:
http://developer.okta.com/docs/getting_started/saml_guidance.html#saml-for-mobile-native-apps
https://github.com/okta/okta-mobile-sdk