I'm building a web portal where my customers can log in - pretty standard stuff.
Now I would like my customers to log into the portal by using their "own credentials".
The optimal solution would be that users could use one of the following:
Office 365
If they have O365 then just sign in with their own credentials. This scenario is covered by the OOTB VS template
On-premise ADFS
If the customer has an on premise ADFS then they should be redirected to that to sign in. (I know this needs configuration for both parties, buts that's ok)
None of the above
The customer does not have any of the above and therefore need a "local account". In this case I would like to use Azure AD B2C to store the credentials.
I can do all of the above, but I have never tried to do it all together in one site.
Therefore, is it at all possible and how should I be constructed?
And how would the login experience be?
I'm using OWIN.
Any advice would be helpful.
Thanks!
When you say "local". you mean in AAD?
Azure B2C allows non-federated (i.e. don't use ADFS) users to provision and then authenticate themselves.
However, such users are "outside" of the normal authentication flow and cannot use ADFS or have O365 licenses.
In terms of ADFS and O365, you need to set:
Convert-MsolDomainToFederated
as in Step-By-Step: Setting up AD FS and Enabling Single Sign-On to Office 365.
In future Azure AD B2C will add the ability for users to login using their 'Work Accounts'. Those are the accounts used for O365. If the respective tenants have setup federation with Azure AD, ADFS federation will also work.
Meanwhile, the old work around for you to get it to work is to have your application
1. handle multiple tokens. [Azure AD, Azure AD B2C, ADFS or other federations] by implementing each federation to get the tokens.
2. implement the idp selection screen on the application and federate to appropriate party.
Related
We are working on a web application that requires two different types of users:
Administrators (mapped to Azure AD, SSO);
Customers (mapped to Azure AD B2C);
Customers log into the web application using their Azure AD B2C account. Administrators log into an administration UI area of the website using their Azure AD account. This part is fine.
However, one of the requirements is that the Administrators are able to impersonate the Customer, so that they can carry out certain tasks on-behalf of the customer e.g. place an order.
We'll be using OAuth (.NET package) for the authorisation. My question is two fold really:
1) Does OAuth support impersonation of other accounts?
2) If yes, is it even possible for an account in Azure AD to impersonate a user in Azure AD B2C - currently they are different directories with no visibility of one another.
Perhaps my questions are a little vague, we're looking for some pointers in the right direction.
Many thanks in advance
dotdev
You can build a flow which authenticates the Admin via the federated IdP (AAD), then presents them a B2C page which allows them to impersonate a B2C user: https://github.com/azure-ad-b2c/samples/tree/master/policies/impersonation. The policy should do some checks to make sure the AAD user is in some group who can impersonate, then present them a screen in B2C to provide the end users email. B2C will then finish the authentication by minting a token that is in the B2C users context.
Azure AD (regular/B2C) does not allow you to impersonate other users.
You can't really login as the user.
You will most likely have to build this functionality into your application, where the admin is allowed to choose a customer on whose behalf they are making the order.
We need to authenticate both corporate users and external users (partner, customers, third party) into the same application.
Corporate users will authenticate using Azure AD, I want them to have SSO experience.
For external users I was thinking of Azure AD B2C.
The application is built with Asp.NET MVC/WebApi + AngularJs.
For the scenario described above, I understand I will need 2 different Azure AD tenants.
I'm planning to use the Microsoft new Authentication Library MSAL, but I can't find how to configure 2 tenants.
What is the recommended approach for login both corporate and external users ?
Thanks in advance for any help!
At this time, you must treat Azure AD & B2C as two separate identity providers in your application. I've created a quick & dirty example of such dual integration in a web app here. In an AngularJS app, or in an app that uses MSAL, the integrations will be different. But the high level pattern will be the same.
With this approach, you'll have to ask users which type of account they want to sign-in with, so you know which provider to invoke.
I have an ASP.NET MVC 4.6 application and I want to be able to use an application identity to provide access to the Azure Graph API behind the scenes, but I want to use Azure AD users for my applications authentication and authorization.
The end goal is to be able to have a user initially register using Google, Facebook, or enter their own username. During this registration, my application would leverage the Graph API to create an Azure AD user behind the scenes.
Once registered, if the user logs on using Google, Facebook, or their own username, it will look up against the Azure AD users to retrieve groups or roles.
Is this possible, or even a good idea? I'm open to other suggestions. Thanks!
This is possible. Azure AD recently released Azure AD B2C (business to consumer) to public preview. B2C will allow your users to sign up and sign in with consumer identity providers (e.g. Google, Facebook, etc.).
The sign up portion of this creates a special kind of user in Azure AD that has a reference to an identity in the consumer identity provider. The sign in portion of B2C allows users to authenticate with their corresponding identity provider, and that authentication is recognized in Azure AD.
The full documentation starts at: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-overview/, and a ASP.NET MVC sample is at: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-web-dotnet/.
Alternatively, if you want to do you own, off the top of my head, the best you can do is to build a mechanism where you associate a "regular" Azure AD user with the corresponding social identity provider (e.g. maintain a lookup table). Your users would sign in to your app using each identity provider's protocol, and when they've done so, you "artificially" link them to the corresponding Azure AD users. From Azure AD's perspective, however, these users would not actually be authenticated, so at best, you'd be using Azure AD as a place to store users and groups.
Check out the new Azure B2C offering, in preview, which supports the exact scenario you are asking about out of the box.
we're currently using the office 365 api but we're a little bit stuck in the oauth process. On the target platform we have no access to a browser, which cause the main problem using the oauth procedure.
Does Microsoft offer other kinds of authentication like Limited Input Device Authentication like google does? Or are there any alternatives, when no browser is available?
Thanks a lot!
Yes, there are ways to do it without a browser, depending on your scenario. If you're looking to prompt the user yourself for username/password, you can pass those directly via ADAL. For example, here's how to do it using the ADAL for Node.js: https://github.com/AzureAD/azure-activedirectory-library-for-nodejs/blob/master/sample/username-password-sample.js
The trick when you do this is that there must be user consent already recorded in Azure AD. Because this bypasses the user consent screen, it has to be "pre-consented". One way to do this is to have the organizational administrator register the application in their own Azure AD, which by default consents for all users in the org.
Another approach would be to use the client credential flow. In this scenario, the administrator consents once for their entire organization, and the app then has access to all mailboxes in that org.
I have developed MVC 5 application. Now i want to use Authentication for my application.
My end users are Employees and Customers and i want to authenticate Employees with Azure AD and customers with windows live id.
I have tried to use Azure ACS, but it will ask me whether i want to log in with Azure AD or Windows Live ID.
My requirement is as below.
Default URL is http://localhost:12973.
When Employees want to login then it will redirect to http://localhost:12973/employees and employees should redirect to Azure AD log in page
and for customers http://localhost:12973/customers and customers should be redirected to windows log in page
So how can i configure both Azure AD and ACS in single web config file?
Can anyone please help me how can i achieve both the requirements.
You need to setup Azure AD as an IdP for ACS to utilise and then switch your MVC app to only use ACS. Details on how to setup Azure AD as an ACS identity source can be found on Vittorio's blog.
In order to differentiate between the user types you would have to inspect the incoming claims and determine whether the user is in Azure AD (I assume employee) or elsewhere (customer). That would be your 'return URL' which would then do a 301 redirect to the correct landing page as per your requirements.
In the future Azure AD will be the right place to do all this stuff (including external IDs) so it might be worth revisiting your design and reading some of the recent advice around how to use Azure AD instead of ACS.
Alternatively your application can trust Auth0 and you can configure Microsoft Accounts (Windows Live) and Azure AD as connections in Auth0. The following sample shows how to use Azure AD with different social connections:
The big difference with ACS today is that Auth0 can also get the email address of users authenticating with a Microsoft Account.
Disclaimer: I work for Auth0.