We have hosted our application with third party authentication enabled using oAuth-OpenID connect which is working fine for Google and Facebook. Now we want to expose that to few users for testing purpose but we dont want the URL itself to be misused.
So, we added additional Authentication just to reach the site itself for preconfigured AD email addresses. But that was enabled directly in the Azure portal settings.
1) Once the user type the url in the browser, it takes to the microsoft login page. Enter the AD email address
2)It redirect to the site properly as expected
3)But here comes the problem, since the individual authentication already enabled for ather service providers, the AD token carried to the site and it started misbehaving
I want to provide AD authentication just to the entry for my site. But after that, it should not effective. How to achieve that
It seems that you want to expose the web app to specific Azure AD user for testing purpose.
If I understood correctly, in this scenario the web app can interact with Azure AD via OpenID connect just like the Google and Facebook instead using settings on Azure portal. And if you also doesn't want to Google and Facebook account could access the web app, you should remove the corresponding authentication middle-ware. And to limit the Azure AD user to access the web app, you can enable Enabled for users to sign-in feature like below:
Then we can add the users via Users and groups to enable the users we want to allow to access the web app.
Related
We have Azure Active Directory with Security Default enabled. We have the MVC application which is creating the users in the Azure active directory using graph API (https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http).
When I logged in the first time using a newly created user into the azure portal, it asked for more information to set up the Microsoft Authenticator app on my phone. I set up an account in the authenticator app successfully. When I tried to sign in again after sign out, it supposes to send me a notification on phone for approval. But portal allowed me to sign in without MFA verification.
The Security Default setting is not working as expected when the user is created using graph API tried to login into the MVC application. It is working fine when I tried to login into the portal.azure.com.
Is there any solution to this issue?
My current application supports Microsoft and Google oAuth verification sign in. The idea is to give users the option of signing in with their personal accounts for ease of access. This is working fine with google, but AAD will only allow users with emails that end in the App ID URI domain to sign in
eg: App Id URI = someOrg.com/guid and their sign in = someUser#someOrg.com.
Attempting to sign in with a Microsoft account like an outlook or hotmail account redirects to a page saying
"We're unable to complete your request
Microsoft account is experiencing technical problems. Please try again later."
Is there a way to allow AAD to accept any Microsoft account in the login, or can it only accept users in a single domain?
Basics
Yes! Checkout https://aka.ms/aadv2. The v2 endpoint allows both personal Microsoft and Azure AD accounts to be signed in from a single app reg. You'll need to hit this special endpoint (can be done using the MSAL libraries) and setting your app audience in the Azure portal.
Details...
By default and using the following URLs (note the common piece):
https://login.microsoftonline.com/common/v2.0/authorize
https://login.microsoftonline.com/common/v2.0/token
If set to common, your app can sign in any domain and personal Microsoft accounts.
Other options
For the sake of covering everything, here's the other options:
common->organizations: Only allow Azure AD accounts
common->consumers: Only allow personal Microsoft accounts
common->[tenant_id]: Only allow accounts from the specified tenant
MSA as a guest
The edge case you may need to address is a personal Microsoft account added as a guest to an Azure AD tenant. When the user hits common, they'll be signed in as a personal Microsoft account; however, they may intend to sign into their domain. You can build around this by introducing a "enter your email" screen, then passing this as a hint to Microsoft via the common endpoint.
I saw some information about single sign on in combination with the azure ad. Does that mean I can create a web application that's using the graph api (Calendar , Contact) and using the single sign on for a pleasant user experience. I'm aware of the fact that the user should autorize the application to access his/her private data.
I have already looked on
https://azure.microsoft.com/en-us/documentation/articles/active-directory-sso-integrate-saas-apps/
https://azure.microsoft.com/nl-nl/documentation/articles/active-directory-appssoaccess-whatis/
Yes, you can register an application with Azure AD and use it to leverage the user's identity in the Microsoft cloud (for work and school accounts and for personal accounts) to support single sign-on. In addition that same application can then be authorized to access their data (mail, calendar, files, contacts, etc.) via the Microsoft Graph API.
I'm looking into creating a single-sign-on portal built in ASP.NET MVC. This single sign on portal should give users the option to sign in with their individual account (which should be verified against AD) or their Facebook/Twitter account. What I'm still in the dark about is if the application/authentication flow I came up with is actually feasible. This is how it should work:
User logs into the SSOP with his AD account (using a custom form where he enters these credentials). The SSOP verifies these credentials against AD and logs the user into the SSOP accordingly. The SSOP then offers the user to start any of the applications he has access to (based on his group memberships in AD). These applications are built by various third parties and are not all .NET based. Clicking one of these applications in the SSOP should log the user into this application using the credentials authenticated against AD that were used to enter the SSOP. I currently do not know how this should be done, e.g. by using claims or some sort of auth token? Obviously the receiving application should support whatever option we choose, which means we're looking for a best practice of some sorts.
The social login part of the SSOP should work somewhere along the following lines: The user logs in using his social account. The first time he does, he also has to enter his AD account credentials so we can link his social account to a specific AD account. Every subsequent time the user logs in with his social account the SSOP should log in the linked AD user. That way the SSOP always uses a valid AD account to authenticate to the applications it offers the user. This also makes it easier to administrate the user base since these are all stored in AD. The social login links and any other SSOP specific data is stored in a custom data store (MS SQL db).
I've been looking into the ThinkTecture IdentityServer, but have yet to figure out how it can be used in this scenario or if this scenario is even feasible.
So, the question basically is: is this authentication flow even possible or remotely best practice? If so, where to begin? And if not, what is?
I have completed my iOS app and now want to have user registration and authentication functionality.
When the user opens the app it must ask them to register or login and then when the app closes it logs out. I want to send their basic details to my server e.g. name, location.
Is this allowed my Apple and does anyone know of a service that I could use as appose to reinventing the wheel?
It is allowed by Apple.
There are apps on App Store that do not implement their own register/login mechanism. Those apps ask their users to login via Facebook. So any user who has a Facebook account, can login to your app using their FB credentials. You would have to use the iOS SDK provided by Facebook.
It is always better to provide multiple login options to your app user, instead of just relying on Facebook or any other provider. Allow users to login via GMail, for example.
Adding support for OpenID is another good option. OpenID is an open standard that describes how users can be authenticated in a decentralized manner, eliminating the need for services to provide their own ad hoc systems and allowing users to consolidate their digital identities. Users may create accounts with their preferred OpenID identity providers, and then use those accounts as the basis for signing on to any website which accepts OpenID authentication.