I have an existing MVC application that authenticates users using their Google, Facebook or Microsoft (live) accounts. The application is derived from the basic MVC template, and the 'Individual Accounts' option was chosen. This all works fine.
We have had a request/requirement that we also support Microsoft Work Accounts, authenticated against Azure AD. We have developed a second test MVC application, using the 'Organisational Accounts' from the template and can successfully get the user details, including extended details such as Manager and Office from AD.
However we are struggling to understand how to combine the two options, and still get the extended details. We've added a OpenIdConnect option in the Startup.Auth file, pointing to AAD and they works, getting hold of the users main login only. We are struggling to then use that email to obtain the user's full information
Related
We have created a Microsoft Teams tab app with bot integration that we want to distribute to various organizations either manually or via an App Store. In summary,
We created Tabs App with Microsoft Bot using node.js botbuilder package.
We provided zip archive to another organization (another tenant Id).
Organization uploaded our app using Microsoft Teams Admin panel and approved permission in Permission tabs.
Question is how can we receive the tenant id from the organization we are deploying to without asking their admins to go to Azure Active Directory and look it up. Once provided, the graph api and the multi tenant bot does work fine. We are trying to avoid asking their admin to provide us the tenant id and want to retrieve it automatically upon the app being uploaded or on startup.
Thank you.
The best place to get the tenant id is from the access token you are provided by logging in to your app. Look for the 'tid' value.
I'm assuming you are talking about stream lining the company wide admin consent for your application.
What you can do is have a web site that a customer's admin can log into (using standard Microsoft OAuth interactive flow). You can then pull the Tenant ID from the access token and then run through the Microsoft consent process. Once consent process redirected back to your web site, you can do your own customer onboarding if required.
I have a MVC5 application which has authentication and authorization using ASP.net Identity. So all my roles, user profiles are stored in the application database. The application is managed by me. My company now wants to use Azure AD for authentication in the application. So the user will be able to login with their credentials. If the user is signing in for the first time then i want to create the user profile in my application database. I also want to use the the roles stored in my application database for authorization.
Can someone provide some guidelines on how I can achieve this?
Thanks for your help.
Here is the link where the step by step guide is available for using Azure AD to accept sign up and sign in.
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v1-aspnet-webapp
Overall in summary below is the architecture diagram which you need to perform.
You could also use Azure AD B2C for allowing user to signup/sign through google, FB, Amazon and etc identity provider.
All the authentication login you could implement it in filter and later you can decorate your controller with the AUTH filter.
and then you can register your filter like below
GlobalFilters.Filters.Add(new AuthorizeAttribute());
I have not provided code samples here as it would be too long answer.
Coming back to your original question , i want to create the user profile in my application database , basically after successful login you can save the claims data which would act as a user profile in your DB.
However it is not recommened to save the entire profile in database if you are already maintaining it in Azure AD.
Azure AD B2C gives the flexibility to add custom attributes too.
Hope it helps.Let me know if you need any help.
We have hosted our application with third party authentication enabled using oAuth-OpenID connect which is working fine for Google and Facebook. Now we want to expose that to few users for testing purpose but we dont want the URL itself to be misused.
So, we added additional Authentication just to reach the site itself for preconfigured AD email addresses. But that was enabled directly in the Azure portal settings.
1) Once the user type the url in the browser, it takes to the microsoft login page. Enter the AD email address
2)It redirect to the site properly as expected
3)But here comes the problem, since the individual authentication already enabled for ather service providers, the AD token carried to the site and it started misbehaving
I want to provide AD authentication just to the entry for my site. But after that, it should not effective. How to achieve that
It seems that you want to expose the web app to specific Azure AD user for testing purpose.
If I understood correctly, in this scenario the web app can interact with Azure AD via OpenID connect just like the Google and Facebook instead using settings on Azure portal. And if you also doesn't want to Google and Facebook account could access the web app, you should remove the corresponding authentication middle-ware. And to limit the Azure AD user to access the web app, you can enable Enabled for users to sign-in feature like below:
Then we can add the users via Users and groups to enable the users we want to allow to access the web app.
I saw some information about single sign on in combination with the azure ad. Does that mean I can create a web application that's using the graph api (Calendar , Contact) and using the single sign on for a pleasant user experience. I'm aware of the fact that the user should autorize the application to access his/her private data.
I have already looked on
https://azure.microsoft.com/en-us/documentation/articles/active-directory-sso-integrate-saas-apps/
https://azure.microsoft.com/nl-nl/documentation/articles/active-directory-appssoaccess-whatis/
Yes, you can register an application with Azure AD and use it to leverage the user's identity in the Microsoft cloud (for work and school accounts and for personal accounts) to support single sign-on. In addition that same application can then be authorized to access their data (mail, calendar, files, contacts, etc.) via the Microsoft Graph API.
I'm looking into creating a single-sign-on portal built in ASP.NET MVC. This single sign on portal should give users the option to sign in with their individual account (which should be verified against AD) or their Facebook/Twitter account. What I'm still in the dark about is if the application/authentication flow I came up with is actually feasible. This is how it should work:
User logs into the SSOP with his AD account (using a custom form where he enters these credentials). The SSOP verifies these credentials against AD and logs the user into the SSOP accordingly. The SSOP then offers the user to start any of the applications he has access to (based on his group memberships in AD). These applications are built by various third parties and are not all .NET based. Clicking one of these applications in the SSOP should log the user into this application using the credentials authenticated against AD that were used to enter the SSOP. I currently do not know how this should be done, e.g. by using claims or some sort of auth token? Obviously the receiving application should support whatever option we choose, which means we're looking for a best practice of some sorts.
The social login part of the SSOP should work somewhere along the following lines: The user logs in using his social account. The first time he does, he also has to enter his AD account credentials so we can link his social account to a specific AD account. Every subsequent time the user logs in with his social account the SSOP should log in the linked AD user. That way the SSOP always uses a valid AD account to authenticate to the applications it offers the user. This also makes it easier to administrate the user base since these are all stored in AD. The social login links and any other SSOP specific data is stored in a custom data store (MS SQL db).
I've been looking into the ThinkTecture IdentityServer, but have yet to figure out how it can be used in this scenario or if this scenario is even feasible.
So, the question basically is: is this authentication flow even possible or remotely best practice? If so, where to begin? And if not, what is?