We have all the user data in our local mysql database. We are moving our services to cloud and I need to use cloudfoundry UAA to authenticate by calling a login microservice endpoint on our network instead of doing uaac add user for all the users in db.
I am new to this, it would help me if you can explain the steps to do it.
Thanks in advance
I assume (based on the SAML tags on your question) that you are thinking of doing this with SAML. If this is your first time doing SAML then there is a bit of learning curve. If so you may find it easier to just creating a custom Login app.
SAML
You would setup an Identity Provider and the IdP would authenticate users against either mysql or your login microservice. simplesamlphp can be used for this purpose. A user would authenticate to the IDP, the IdP generates a SAML assertion (e.g a signed xml doc with information about the user) that gets sent to the Service Provider (UAA). The service provider then looks at the assertion to determine who the user is. UAA supports SAML logins. It has been a while since I've set it up that way, but I recall you run a separate 'login' war from the rest of UAA, and the login war uses APIs to talk to UAA. You also need to configure the SAML trust relationship between ssp and the UAA login war. This isn't hard to do if you are familiar with SAML. If you aren't then it can be difficult to get all the pieces right.
Custom Login App
I think an easier approach is to just build your own login app that calls your authentication service and the UAA apis. UAA provides a sample app and documentation
Related
My company's application has a website xyz.com, and the user authentication is done via Auth0 SSO. There is another service which we internally use, and Auth0 SSO is configured on that as well (hosted on service.xyz.com).
Now, this service also has a SDK (in form of JS) through which it allows us to embed its components. However, that requires me to get access to its accesstoken.
When I'm in context of our company' website (after logging into xyz.com), I can access the Auth0 token, but in order to make use of service provider's SDK and integrate that in our website, I would somehow need to get the appropriate oauth token for that service provider.
My question is, how is this usually done?
I am setting up a PowerAutomate flow which will be called from a PowerApp. I would like fetch a JWT token from Azure AD in Power Automate and use that token to authenticate call a REST API, return back the result to PowerApps.
However, I would the JWT token be generated for the user which executes the flow and I dont want to hard-code user credentials in the flow. There would be multiple users executing the flow and each user would have different permissions in my App ( to which the REST call is made) so I want the authentication to the app be done as a named user rather than a service account/generic account
Thank you #lona Varga for your valuable suggestion. Posting your suggestion as an answer to help other community members.
To authenticate your application as a named user, please try the
following:
Create both backend and client application registrations in Azure portal.
After configuring these, create a custom connector by updating your security setting as below:
Authentication type: OAuth 2.0
Identity Provider: Azure Active Directory
Client ID: Client ID for Client App Registration
Client Secret: Client Secret for Client App Registration
Resource URL: Client ID fot Backend App Registration.
Update the redirect url by removing the existing value and add this newly created one, this is same for all connectors and it is :
https://global.consent.azure-apim.net/redirect
For more in detail, please refer below link:
Solved: Re: custom connector secure using Azure Active Dir... - Power Platform Community (microsoft.com)
I have a requirement to replace the LDAP Authentication from a gateway microservice with Azure AD B2C, Is there any standard way or steps to replace that with newer authentication method or we need to completely do that from scratch to provide the implementation through Azure AD B2C.
There's a write-up here and some custom policy samples here.
The main steps are:
Migrate the users; either big bang or just in time. The main issue is that you need new passwords
Replace the LDAP API that you use to authenticate with an appropriate B2C code sample
Replace the LDAP user CRUD calls with the appropriate Graph API call
I have created a Single Page Application with Angular and authentication/authorisation is managed by Azure AD. I have used MSAL.js to initiate the implicit flow.
Everything is working fine, but now my client wants to use her own identity provider (IDP) so that users have a single point of entry for all apps (including mine). This IDP is not mainstream, it is built in-house by the client;
I want to keep using Azure AD to manage authorisations (groups, roles...). I also want my application and its dedicated backend API to be registered in Azure AD, not in the third-party IDP.
Azure AD should remain responsible for providing the Access Token to the SPA in order to call the API.
Somehow, I should redirect the user to the third-party IDP login form and upon successful login it will redirect to my SPA, which should then associate the tokenID with an AzureAD account and retrieve the Access Token (I suppose I will have to create an account in Azure AD for users identified in the third-party provider)
However I'm having a hard time figuring out how to achieve this and if it is at all possible ?
What would be the recommended approach for this scenario ? Can I still use MSAL.js or do I have to rely on something else ?
ARCHITECTURE
Your goals are completely correct and you should not need to change a single line of code to integrate a new IDP - so you can continue to use MSAL.js.
PREREQUISITES
In order to integrate their own IDP into your system you need to insist on certain prerequisites:
The client needs to provide a Standards Compliant Identity Provider
Typically the IDP needs to communicate with your Authorization Server (Azure AD) via either Open Id Connect messages or SAML2P messages
A home grown IDP may not meet these prerequisites in which case you need to explain to the client that they need to get standards compliant.
HOW FEDERATION WORKS
Your UI will redirect to your AS
The AS will redirect to the IDP, when given a trigger
The user will authenticate in the IDP
The IDP will post a token to your AS to identify the user
The AS will issue another token to your UI
Note that there is no coding involved here - there is only standards based integration between vendor systems.
WHAT THE CLIENT WILL GIVE YOU
Client details are often supplied by giving you their metadata document, and these details are then configured in Azure AD as a trust entry:
The entity id of the IDP
The token signing public key for IDP tokens, so that your AS can validate them
A URL to redirect to
WHAT YOU WILL GIVE THE CLIENT
A similar trust entry will need to be configured in the client IDP so that it trusts requests and issues tokens - though no certificate is usually needed here:
The entity id of the AS
A URL to post tokens to
TRIGGERING THE REDIRECT FROM THE AS TO THE IDP
One option is to forward the entity id to the authorization server in Open Id Connect redirects. Often an 'idp' query parameter is used, something like this:
Client accesses your app with a bookmarked URL:
https://app.mycompany.com?idp=urn:client.com
You add an extra parameter to the Open Id connect redirect to tell it where authentication should happen:
https://login.mycompany.com/authorize?client_id=XX&idp=urn:client.com
AZURE AD SPECIFICS
Once you understand the high level process there is some technical stuff to configure the connection and you'll need to consult vendor documentation, such as this Microsoft Azure B2B article.
PRACTICE
If you haven't done this before then you need to invest some time to get a connection working and then document the process.
You can use Windows Server and ADFS to simulate a client connection, then integrate it as a SAML2P connection. There is a learning curve though, and you'll need infrastructure such as ADFS certificates.
I am building a new application using microservices with a frontend UI using React JS. I have created an auth microservice using Spring Boot and OAuth 2.0. For single page applications I have read that I should use the implicit grant instead of the password grant. The auth microservice will support this but my question is where would I implement the UI for the user to put their username and password? Would it be within the auth microservice or would I have to create a separate UI application?
The authentication form will be on your auth microservice. Think for example as you use google login. You'll see google login page even if you have your own microservice. It's because authentication provider is google and you redirect user to login to google.
I implemented all grant types a while back. May be this will help you.