How can we Integrate Office 365 Authentication with Web API 2 project and generate token with owin server for authentication?
Related
Context:
AD domain, AAD Connect, Office365 tenant
ADFS deployed, federation between AD and AAD
SAP GW on premise, with SAML and OAuth configured
SAP GW does not support integration with AAD (only SAML SSO, and it's required to use it's own OAuth server)
Scope:
I'm trying to build an application in SharePoint online where the authenticated user can:
fetch data from the SAP gateway (oh behalf of the user)
fetch data from Microsoft Graph
Design (So far):
The user access Office 365 and authenticate with ADFS
With ADAL/MSAL I'm able to acquire an OAUTH token from AAD and get data from Graph (supported by the registration of an Enterprise application in AAD with permission for Graph)
Issue:
The OAuth token generated by AAD is not validated by SAP OAuth Server onprem if I try to access the onprem SAP API.
What should I do?
Should I get another SAML assertion directly from ADFS to get another OAuth token for SAP OAuth Server to access the onpremise SAP API? If so, how can I get a SAML assertion (to call the SAP OAuth server) from ADFS without passing to adfs user credential (like in this example: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-saml-bearer-assertion) and by using information available in the user session (already authenticated with AAD)?
Is there a way to configure ADFS to accept SAML assertions / JWT tokens originating from AAD?
Should I do something else?
Any idea on how could I support this scenario?
Thank you
I've set up access to MS Graph API, using Oauth 2.0 3-legged, where permission is asked to final user.
Is it possible to set up MS Graph API Oauth 2.0 for a Office 365 Domain, Group of users via Azure AD or Admin in Office 365 Portal? In other words, a 2-legged Oauth 2.0 for MS Graph?
In G Suite is well documented 2-legged Oauth 2.0, but I have not found documented for MS Graph.
I found the solution, using the admin consent endpoint, my app can gather permissions for all users in a tenant, including admin-restricted scopes
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes#using-the-admin-consent-endpoint
I am trying to handle authentication for my app which uses Microsoft Graph.
What is the difference between these two libraries?
Active Directory Authentication Library for JavaScript (ADAL.js)
Microsoft Authentication Library for JavaScript (MSAL.js)
Is ADAL.js just an Angular 1 library of MSAL.js?
MSAL.js works with the AzureAD V2 endpoint, whereas ADAL.js works with the AzureAD V1 endpoint. The V1 endpoint supports work accounts, but not personal accounts. The V2.0 endpoint is the unification of Microsoft personal accounts and work accounts into a single authentication system. Finally, with msal.js you can also get authentications for Azure AD B2C.
I have asp.net web api authentication with external providers and asp.net mvc application. I want to authenticate from the mvc app. I follow instructions from this post: asp.net web api 2: how to login with external authentication services? but how can i get the access_token after redirect from provider page?
I am developing web api which will be hosted in Azure. I need to implement security to handle tokens from corporate STS server. Which would be better approach:
ACS oAuth 2.0
OWIN
Seems like OWIN comes standard with WEB API 2.0 and quite easy to implement with few nugget packages. Any one have suggestion?
Microsoft ACS can be one of the authentication/token provider. The WebAPI can use OWIN to consume tokens from different providers, such as Facebook, Azure AD, Google, Microsoft Live, ACS etc.