I have a requirement to replace the LDAP Authentication from a gateway microservice with Azure AD B2C, Is there any standard way or steps to replace that with newer authentication method or we need to completely do that from scratch to provide the implementation through Azure AD B2C.
There's a write-up here and some custom policy samples here.
The main steps are:
Migrate the users; either big bang or just in time. The main issue is that you need new passwords
Replace the LDAP API that you use to authenticate with an appropriate B2C code sample
Replace the LDAP user CRUD calls with the appropriate Graph API call
Related
I am setting up a PowerAutomate flow which will be called from a PowerApp. I would like fetch a JWT token from Azure AD in Power Automate and use that token to authenticate call a REST API, return back the result to PowerApps.
However, I would the JWT token be generated for the user which executes the flow and I dont want to hard-code user credentials in the flow. There would be multiple users executing the flow and each user would have different permissions in my App ( to which the REST call is made) so I want the authentication to the app be done as a named user rather than a service account/generic account
Thank you #lona Varga for your valuable suggestion. Posting your suggestion as an answer to help other community members.
To authenticate your application as a named user, please try the
following:
Create both backend and client application registrations in Azure portal.
After configuring these, create a custom connector by updating your security setting as below:
Authentication type: OAuth 2.0
Identity Provider: Azure Active Directory
Client ID: Client ID for Client App Registration
Client Secret: Client Secret for Client App Registration
Resource URL: Client ID fot Backend App Registration.
Update the redirect url by removing the existing value and add this newly created one, this is same for all connectors and it is :
https://global.consent.azure-apim.net/redirect
For more in detail, please refer below link:
Solved: Re: custom connector secure using Azure Active Dir... - Power Platform Community (microsoft.com)
I'm trying to implement security to a backoffice CLI tool (NodeJS) that calls a REST api (Java/JAX-RS) for performing database operations etc.
As we're using Azure AD for all our user accounts I'd like to use it for authenticating our users and also for authorization.
The authorization is needed since not all members of the AD is supposed to use the CLI, and there are two types of users of the CLI with a different set of available commands, meaning that even if you are able to use it, some features might be locked out depending if you are an operator or administrator.
I've managed to create two applications in Azure AD, one for the CLI and one for the API. I can login using our AD credentials, fetch Access tokens for the CLI app id requesting the REST API resouce. On the client side I'm using https://www.npmjs.com/package/simple-oauth2 .
On the Java side the tokens are validated against Microsoft public keys, so everything seems to work out fine.
But, how should I lock down the users to either operator or admin roles? One naive way I can think of is to have the user/role correlation in the REST API and only use the OAuth flow for authenticating the user. But I guess that's what the AD is there for... Could OAuth scopes help me in this case?
Or should the REST API call the AD to query for users group memberships, once it receives the access tokens and knows the end user identity?
Thanks in advance!
Use the Application Roles.
Here you will find good description what application roles are and how to handle them:
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
The recommended resources at the end and also very helpful and will guide you through the process.
Also, when developing CLI it is recommended to use the Device Flow - described here with sample code (.net core) here.
I've been searching for many hours about a viable architecture for my scenario.
We would like to have a multitenant MVC application where each tenant belongs to a different company.
Each tenant have settings where we can configure their authentication type : Customer AD or Forms.
Is it possible to allow each company to login using their own active directory ? Or by default if they don't have AD, we use forms authentication.
I've read some articles about Azure AD, AD Federation Services + WIF (or more recently OWIN), but I would like some guidance about solutions to achieve it.
Thanks
This is a pretty standard scenario in Azure AD. You'll want to register an Azure AD app in the Azure portal, and use the OWIN OpenIdConnect middleware to do login/session management. If you want to also call a web API or the Microsoft Graph, you may also need to include ADAL (Active Directory Auth Library) to help exchange auth codes for tokens.
Here's a great code sample that shows you how to build a .NET multitenant MVC App. Moreover, the rest of the docs for this stuff can be found at the Azure AD developer page.
Having done this before, the way I did it was to use asp.net-identity and per tenant override the SignIn Manager via dependence injection.
The sign in manager is where the authentication takes place, so there isn't a drop-in framework that just does it (I am aware of), but just overriding a couple of methods in a single class is pretty easy.
Have you looked into Azure AD B2C? You can have users sign in with their companies emails/ AD.
Take a look here: https://azure.microsoft.com/en-us/services/active-directory-b2c/?cdn=disable
As per other answers, Azure AD allows multi-tenancy. Literally just selecting a check-box in the config.
However, the standard way of authentication is OpenID Connect / OAuth.
Also, you cannot change the mode of authentication.
You mention ADFS and on-premises AD. Where do these fit in?
Using ASP.NET Identity along with OpenID connect, you get this functionality. ASP.NET Identity has local accounts, and with OpenID Connect to Azure AD you can have users sign in with their Azure AD account.
The application definition needs to be a multi-tenant application.
You can pretty much follow the instructions here if you are using ASP.NET Core, and then add OpenID Connect as described e.g. here or by just adding code similar to this after the app.UseIdentity calls:
// Add Authentication services.
services.AddAuthentication()
// Configure the OWIN pipeline to use OpenID Connect auth.
.AddOpenIdConnect(option =>
{
option.ClientId = Configuration["AzureAD:ClientId"];
option.Authority = String.Format(Configuration["AzureAd:AadInstance"], Configuration["AzureAd:Tenant"]);
option.SignedOutRedirectUri = Configuration["AzureAd:PostLogoutRedirectUri"];
option.Events = new OpenIdConnectEvents
{
OnRemoteFailure = OnAuthenticationFailed,
};
});
If you create a new app with Individual User Accounts, you can add the code above after the boilerplate code for Identity in the ConfigureServices method of Startup.cs, and then you are pretty much good to go.
We have all the user data in our local mysql database. We are moving our services to cloud and I need to use cloudfoundry UAA to authenticate by calling a login microservice endpoint on our network instead of doing uaac add user for all the users in db.
I am new to this, it would help me if you can explain the steps to do it.
Thanks in advance
I assume (based on the SAML tags on your question) that you are thinking of doing this with SAML. If this is your first time doing SAML then there is a bit of learning curve. If so you may find it easier to just creating a custom Login app.
SAML
You would setup an Identity Provider and the IdP would authenticate users against either mysql or your login microservice. simplesamlphp can be used for this purpose. A user would authenticate to the IDP, the IdP generates a SAML assertion (e.g a signed xml doc with information about the user) that gets sent to the Service Provider (UAA). The service provider then looks at the assertion to determine who the user is. UAA supports SAML logins. It has been a while since I've set it up that way, but I recall you run a separate 'login' war from the rest of UAA, and the login war uses APIs to talk to UAA. You also need to configure the SAML trust relationship between ssp and the UAA login war. This isn't hard to do if you are familiar with SAML. If you aren't then it can be difficult to get all the pieces right.
Custom Login App
I think an easier approach is to just build your own login app that calls your authentication service and the UAA apis. UAA provides a sample app and documentation
Context
I'm building a web application deployed to Azure Webapps where users need to sign in. To accomplish this, I'm leveraging Azure AD with OAuth 2.0 Authorization Code Grant. Since I'm using Nancy (with the ASP.NET host) instead of MVC, I can't follow the official Azure AD MVC examples where all the OAuth handling seems to happen magically in the background.
Redirecting to the OAuth endpoint is straight-forward, and the user is also correctly redirected back to my application with an authorization code.
Problem
Now I need retrieve the user ID in order to match it to the user database in my application. I'm using ADAL for this, because this is basically step D & E of the authorization code grant flow, from what I understand.
Now what puzzles me is that this use case is not supported by Azure AD, stating that
The client '[ClientId]' and resource '[ResouceId]' identify the same application.
Also, as indicated by this answer, "ADAL is not meant to achieve web sign-on in a web application."
I've been able to work around this problem by creating two applications in Azure AD, as suggested by this blog, but it feels like I misunderstood something. This could very well be the case, as I am new to OAuth and Azure AD.
So my question is, what is the correct way to authenticate a user from a non-MVC web application using Azure AD?
the OWIN middleware should work with non-ASP.NET as well. See for example http://unlustrously55.rssing.com/browser.php?indx=24287735&item=13 - in your case you will have to use the OpenId Connect one or the ww-federation one.
Is this purely for users inside your organisation/tenant? It sounds like it.
Why don't you use an App Registration in Azure AD and grant it permissions to access the users profile? You should then be able to retrieve a user's UPN from the token. Please see here:
https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-authentication-app-service