Azure AD and Identity Framework in a single MVC APP - asp.net-mvc

I have an MVC5 application which has authentication and authorization using ASP.net Identity. So all my roles, user profiles are stored in the application database. The application is managed by me. My company now wants to use Azure AD for authentication in the application. So the user will be able to login with their credentials. If the user is signing in for the first time then I want to create the user profile in my application database. I also want to use the roles stored in my application database for authorization.
Can someone provide some guidelines on how I can achieve this?
Thanks for your help.

Here is the link where the step by step guide is available for using Azure AD to accept sign up and sign in.
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v1-aspnet-webapp
Overall in summary below is the architecture diagram which you need to perform.
You could also use Azure AD B2C to allow users to sign up/sign in through Google, FB, Amazon, etc. identity providers.
You could implement all the authentication login in a filter and later decorate your controller with the AUTH filter.
Then you can register your filter like below:
GlobalFilters.Filters.Add(new AuthorizeAttribute());
I have not provided code samples here as it would be too long an answer.
Coming back to your original question, "I want to create the user profile in my application database": basically, after successful login you can save the claims data, which would act as a user profile, in your DB.
However, it is not recommended to save the entire profile in the database if you are already maintaining it in Azure AD.
Azure AD B2C gives the flexibility to add custom attributes too.
Hope it helps. Let me know if you need any help.
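
One way to wire up what this answer describes, as an added example that is not part of the original answer: the OWIN OpenID Connect middleware validates the Azure AD token, the profile is created on first sign-in, and role claims come from the application database only. It assumes the MVC5 template's `ApplicationUser` and `ApplicationUserManager`, the `Microsoft.Owin.Security.OpenIdConnect` package and placeholder `clientId`/`authority` values; the `AzureAD:` provider-name prefix is made up for the example.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.OpenIdConnect;

public static class AadSignIn
{
    const string Oid = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    const string Tid = "http://schemas.microsoft.com/identity/claims/tenantid";

    // clientId and authority are placeholders for your own app registration values.
    public static OpenIdConnectAuthenticationOptions Options(string clientId, string authority)
    {
        return new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId, Authority = authority,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = async n =>   // runs after the ID token was validated
                {
                    var identity = n.AuthenticationTicket.Identity;
                    var oid = identity.FindFirst(Oid)?.Value;
                    var tid = identity.FindFirst(Tid)?.Value;
                    if (oid == null || tid == null)
                        throw new InvalidOperationException("Token has no tenant/object ID.");
                    // Key the local account on tenant + object ID, not on the e-mail address.
                    var users = n.OwinContext.GetUserManager<ApplicationUserManager>();
                    var login = new UserLoginInfo("AzureAD:" + tid, oid);
                    var user = await users.FindAsync(login);
                    if (user == null)   // first sign-in: create the profile, with no roles
                    {
                        user = new ApplicationUser { UserName = identity.FindFirst(ClaimTypes.Upn)?.Value ?? oid };
                        var created = await users.CreateAsync(user);
                        if (!created.Succeeded)
                            throw new InvalidOperationException(string.Join("; ", created.Errors));
                        await users.AddLoginAsync(user.Id, login);
                    }
                    // Authorization comes only from the application database.
                    foreach (var c in identity.FindAll(identity.RoleClaimType).ToList())
                        identity.RemoveClaim(c);
                    foreach (var role in await users.GetRolesAsync(user.Id))
                        identity.AddClaim(new Claim(identity.RoleClaimType, role));
                }
            }
        };
    }
}
```

Register it in `Startup.Auth.cs` with `app.UseOpenIdConnectAuthentication(AadSignIn.Options(...))` after the cookie middleware. A newly created user has no roles until someone assigns them in the application, so `[Authorize(Roles = "...")]` keeps denying by default.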

Related

How to perform hybrid individual user account/aad authentication in ASP.NET MVC?

I have an ASP.NET MVC application that is used by different customers. Currently the app is set up to use individual user accounts. I have built some authorization logic around that and would like to keep the logic unchanged.
I got a request that some of the customers would like to perform authentication for their users with their Azure Active Directory. I have uncommented the app.UseMicrosoftAccountAuthentication part from Startup.Auth.cs. I registered the app as multi-tenant in my AAD. I managed to get the whole thing running and users now have the possibility to link their accounts with AAD and use it for authentication.
However, I encountered a few problems I am struggling with:
In order for the user to link his account with AAD he needs to set up an individual login/pass account in the first place. How can I avoid that? I want to have the users either authenticating with login/pass or with AAD, not both at the same time.
I have no control over which account the user uses to authenticate. Let's assume I expect the user to use an account in domainx.com, but if they link domainy.com account it will still work. I need to have some kind of way to compare the expected domain with the actual one that comes back from AAD. How can I do that?
One of the ideas to tackle the problem was to have a customer admin create the user accounts for them. The issue is that in AspNetUserLogins I need to store the user's AAD ID, not the email. How can I query AAD to check the UserID based on the email?
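
A check for the second and third points of this question, as an added example that is not part of the original post: it compares the tenant ID claim of the sign-in with the tenant expected for the customer and returns the object ID to store as the provider key. It assumes the external identity carries Azure AD's `tenantid` and `objectidentifier` claims and that each customer record stores its expected tenant ID; `AadLoginGuard` and the GUIDs are constructed for the example.

```csharp
using System;
using System.Security.Claims;

public static class AadLoginGuard
{
    const string Tid = "http://schemas.microsoft.com/identity/claims/tenantid";
    const string Oid = "http://schemas.microsoft.com/identity/claims/objectidentifier";

    // Returns the value to store as ProviderKey in AspNetUserLogins, or throws
    // when the sign-in came from a directory other than the expected one.
    public static string ProviderKeyFor(ClaimsIdentity identity, Guid expectedTenant)
    {
        Guid tid, oid;
        if (!Guid.TryParse(identity.FindFirst(Tid)?.Value, out tid) ||
            !Guid.TryParse(identity.FindFirst(Oid)?.Value, out oid))
            throw new UnauthorizedAccessException("Sign-in carries no tenant/object ID.");
        if (tid != expectedTenant)   // fail closed: wrong directory, whatever the e-mail says
            throw new UnauthorizedAccessException("Account belongs to tenant " + tid + ".");
        return oid.ToString();
    }

    static ClaimsIdentity Identity(string tid, string oid)
    {
        return new ClaimsIdentity(new[] { new Claim(Tid, tid), new Claim(Oid, oid) }, "AzureAD");
    }

    public static void Main()
    {
        // Constructed sample values, not real tenant or user IDs.
        var expected = Guid.Parse("11111111-1111-1111-1111-111111111111");
        var user = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa";

        Console.WriteLine(ProviderKeyFor(Identity(expected.ToString(), user), expected));
        try
        {
            ProviderKeyFor(Identity("22222222-2222-2222-2222-222222222222", user), expected);
        }
        catch (UnauthorizedAccessException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```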

How do I grant application access to new user accounts using Azure Active Directory?

My web application uses Azure Active Directory for authentication. In my Azure Portal I have an application reference which hooks into the AAD, I also have all the relative keys in place within the web application itself. Everyone in my organisation can log in without any problems but any new user accounts that are added get a message:
You can't access this application Company App Registration Name needs
permission to access resources in your organization that only an admin
can grant. Please ask an admin to grant permission to this app before
you can use it.
This is a message that only new accounts get, I can see these new accounts within the AAD and the accounts are identical to other employees, it's as if it's out of sync. Does anyone know what I have done wrong or why new accounts are not automatically picked up?
I believe you can solve your issue by having an Administrator of your tenant consent to the application on-behalf-of the entire tenant, which should include all new and existing users.
To do this, the Administrator can simply go to a login endpoint with the query string prompt=admin_consent.
https://login.microsoftonline.com/<TenantID>/oauth2/authorize?client_id=<AppID>&response_type=code&redirect_uri=<RedirectURI>&prompt=admin_consent
You can use this template URL, and simply fill out the variables with your application and tenant information. Then, hand it to the administrator and have them consent to the app.
Let me know if this helps!

Adding Azure AD authentication To Existing MVC application That Uses Individual Accounts

I have an existing MVC application that authenticates users using their Google, Facebook or Microsoft (live) accounts. The application is derived from the basic MVC template, and the 'Individual Accounts' option was chosen. This all works fine.
We have had a request/requirement that we also support Microsoft Work Accounts, authenticated against Azure AD. We have developed a second test MVC application, using the 'Organisational Accounts' from the template and can successfully get the user details, including extended details such as Manager and Office from AD.
However, we are struggling to understand how to combine the two options and still get the extended details. We've added an OpenIdConnect option in the Startup.Auth file, pointing to AAD, and that works, getting hold of the user's main login only. We are struggling to then use that email to obtain the user's full information.

Single sign-on flow using ASP.NET MVC + Active Directory

I'm looking into creating a single-sign-on portal built in ASP.NET MVC. This single sign on portal should give users the option to sign in with their individual account (which should be verified against AD) or their Facebook/Twitter account. What I'm still in the dark about is if the application/authentication flow I came up with is actually feasible. This is how it should work:
User logs into the SSOP with his AD account (using a custom form where he enters these credentials). The SSOP verifies these credentials against AD and logs the user into the SSOP accordingly. The SSOP then offers the user to start any of the applications he has access to (based on his group memberships in AD). These applications are built by various third parties and are not all .NET based. Clicking one of these applications in the SSOP should log the user into this application using the credentials authenticated against AD that were used to enter the SSOP. I currently do not know how this should be done, e.g. by using claims or some sort of auth token? Obviously the receiving application should support whatever option we choose, which means we're looking for a best practice of some sorts.
The social login part of the SSOP should work somewhere along the following lines: The user logs in using his social account. The first time he does, he also has to enter his AD account credentials so we can link his social account to a specific AD account. Every subsequent time the user logs in with his social account the SSOP should log in the linked AD user. That way the SSOP always uses a valid AD account to authenticate to the applications it offers the user. This also makes it easier to administrate the user base since these are all stored in AD. The social login links and any other SSOP specific data is stored in a custom data store (MS SQL db).
I've been looking into the ThinkTecture IdentityServer, but have yet to figure out how it can be used in this scenario or if this scenario is even feasible.
So, the question basically is: is this authentication flow even possible or remotely best practice? If so, where to begin? And if not, what is?

Do I need OAuth2.0 to create a google account through the Admin SDK API?

Currently using the Provisioning API that is being deprecated April 20.
This is the current flow:
1. user (University Alumni) gets to our site http://alumni.columbia.edu/email
2. they click on Create My Account
3. they authenticate through our university WIND system using what we call their UNI
4. they land on a page mentioning that an email account UNI#caa.columbia.edu is ready to be created. They can pick an alias to UNI. They also need to enter a password to use the Chat and POP-mail features of Gmail.
5. they confirm the creation of the account. At this point the API is being called using https://www.google.com/a/feeds/, some data (email address, name, id) being saved in our database.
6. To log in, they come through our site, click on the login button, this will use the SSO and they get logged in.
Based on the flow above, do I need to use OAuth2.0?
Yes, you will need to authenticate with OAuth using the Installed Applications approach to do this. Instead of step 5 the way you currently have it, you'll need to call the API from a process on your server with an account that has (limited) admin credentials that can create the account with the Directory API. To do this, you'll need to persist the OAuth token information that the account will use to connect, and handle the code to refresh the token when it has expired.
The first time you run your code you'll need to manually authenticate that account to get your application the appropriate permissions so that they can be stored.
If you're hoping to not go too crazy with handling the authentication side of things and you're using .Net, I'd recommend checking out my project gShell that acts as a wrapper for the authentication and handles the token storing and refreshing for you. It's still a young project but it should fit your needs. Alternately, feel free to browse the code for an example on what to do.
If you plan on using Python, check out Google Apps Manager by jay0lee which is also a wonderful resource.
