I have an MVC5 website that was created in Visual Studio 2013. It was set up from the start to use Organizational Authentication using a single-tenant single-sign on. There is no way to access any part of the site without logging in with an account that has the correct domain. This is the desired function.
However, I am looking to add role-based authentication using Azure Active Directory. The desired functionality is that some users in certain groups can see some pages, and people in other groups can see different pages, etc. This seems like the most relevant/updated tutorial https://github.com/AzureADSamples/WebApp-GraphAPI-DotNet. But since I already use WS-Federation to login with an organizational account, do I really have to use OpenID type authentication as stated in the tutorial? It seems like there should be an easy way to get the roles once I'm already logged in. I know I probably have to use the Graph API in some sense but I don't know how. Please advise.
At sign-in, when the user arrives at you app with an SSO token - your application can query the directory Graph API to determine the users group memberships. Per the group memberships you can either grant permissions to the user directly or map the group membership to a "role" in you application.
We have a topic that explains this in more detail and a sample application (that uses WSFed) to perform role-based authorization using Azure AD group memberships: http://msdn.microsoft.com/en-us/library/azure/dn195601.aspx
Enjoy :-)
Related
I have an ASP.NET application hosted as Azure App Service. This application is configured with Microsoft Authentication. But the problem is anyone with hotmail/live account will be able to access the application.
I wanted to restrict the access to my Application Pages to SPECIFIC hotmail/live users only.
What changes I have to do on Azure Portal?
What changes I have to do in my application?
Thanks,
Paraclete
Applications typically have two "gates" of security - authentication and authorisation.
The simplest way would be to set up a list in a store (e.g. SQL DB - or hard code for testing) of authorised users. Let the Microsoft Authentication handle authentication and then use your list for authorisation. Redirect to HTTP Status code 403 forbidden if a user is not in the list of approved users.
You could make this a bit more fancy by implementing groups/roles, which is more elegant and manageable. Look in to the ASP.NET Role provider for built in functionality to expedite development. That said, some people find this build in approach cumbersome and roll their own simple provider and add it in to the page life cycle or the master page to share the functionality across all pages.
im developing a .net core mvc application with authentication against azure active Directory. My Problem is, that i have two different azure avtice directories which are undepentandend to eachother. Based on the user Input (mail or employenumber) i will decide which active Directory should used.
Any idea or reference?
Thank You!
You're describing a multi-tenant application where the AAD common endpoint is used as the entry point to the application rather than a specific AAD login page. You can configure your application to trust more than one AAD instance. It's rather involved, but MS had good documentation on how to adopt a single tenant app to multi-tenant. I'd also highly recommend Vittirio's blog as a place to learn about AAD auth, and while you're at it, his book titled 'Modern Authentication with Azure Active Directory for Web Applications'
Once you've turned on multitenancy for your application, you'll want to handle AAD validation yourself by checking the tenant id in the incoming SSO request. You do this by overriding SecurityTokenValidated in UseOpenIdConnectAuthentication. You can refer to this example where the code validates against a database.
There are other considerations such as admin consent where an AAD admin has to grant access to restricted permissions to your application. Good explaination here.
There is a very good reliable open-source project for that (Identity Server)
https://github.com/IdentityServer/IdentityServer4
And also you can check that (openiddict)
https://github.com/openiddict/openiddict-core
I have several projects such as After Sales Service and Product Label Generator that their users are the same, I mean users can register and according to admin's decision can have some roles or claims.
Depending on roles or claims, each user has access to a specific application.
In my opinion I should create a web-api app in order to just serve authentication and authorization services.
It should be noted that we may go further and have some other apps such as android version. also each project has its own database.
What's the problem? I have no idea how I can implement this! any suggestion or article can help.
Thank you
Hooman, I would suggest you to use IdentityServer for authentication, it's Open Source OpenID Connect and OAuth 2.0 framework for .NET. We are also in process of using it,nature of yours and ours products looks same to me. Keeping a single database for users and their rights and also managing access/rights for specific applications. As it's also token based, so if u extend your products to Mobile later on, it would prove to be a better approach as well.
link: https://identityserver.io/
documentation looks self sufficient to me.
I setup and MVC 4 application and added authentication against our Azure AD server as outlined here: http://msdn.microsoft.com/en-us/library/windowsazure/dn151790.aspx
Authentication works as expected. However, I'm not getting any roles back by default. There should be several AD groups created and I would like to use them to role restrict the application via the [Authorize] attribute in MVC.
I can't really find a good place to even start figuring this out. Can anyone give me an outline or point me to a good tutorial?
I should mention that I'm not the administrator for our Azure account, so I need to be able to tell our admin what to do if any setup is required on that side.
First, tokens returned by Azure AD do not currently contain claims for roles or groups, so you need to get them from the Graph API. Second, roles in Azure AD that are returned by the Graph API are not necessarily intended for use in an ISV/LoB app, and in general you should use security groups for authorization instead. To perform authorization, you should use the checkMemberGroups or getMemberGroups operations in the Graph API, which are transitive and valid for this purpose.
If you check out the following resources in order, I think your questions will be answered. You'll learn how to authenticate to the Graph, call it, and configure your application to use the result of the group operations to perform authorization:
Using the Graph API to Query Windows Azure AD -- This is the second walkthrough to complete now that you've done the web SSO one.
Authorization with Windows Azure Active Directory
MVC Sample App for Azure AD Graph
Blog post describing checkMemberGroups and getMemberGroups
How do I get role and group membership claims for users signing in via Windows Azure AD? -- This one is out of date in regards to the methodology for authentication and the UI for managing users/groups, but it's still useful. Pay special attention to the section on the custom ClaimsAuthenticationManager, which gives you an idea of how to inject role/group data into the ClaimsPrincipal object early so that it can be used in the [Authorize] attribute or other authorization logic.
Sean answer is a bit outdated. You can now configure Azure AD so it will include groups or roles inside JWT token so it will be included into ClaimsPrincipal.Current.Claims so standard [Authorize(Roles = "yourRoleName")] attribute will work.
Here is introduction post. Which basically says you have two options:
Use groups claim - you need to change groupMembershipClaims value in app manifest and later in application you can check for ClaimsPrincipal.Current.FindFirst("groups").Value to see in what group user is (you only get group id). You can write you own Authorize attribute that use this. more info
Define roles for you application and then use normal code for testing if user is in role:
[PrincipalPermission(SecurityAction.Demand, Role = “yourRoleName”)]
[Authorize(Roles = “yourRoleName”)]
if (ClaimsPrincipal.Current.IsInRole(“yourRoleName”)) { //do something }
You need to edit roles in you app's manifest.
More info here and here. Values needed to be set in manifest are described here
What is really strange is that you can't assign more than one role to group from Azure web page. You need to use azure graph api for this.
If you can't see Users and Groups tab in Azure portal you probably need Azure AD Basic or Premium edition. If you are working on free azure subscription you can use free Azure AD Premium trial to test stuff.
I'm working on an MVC4 site using SimpleMembership to handle user accounts and role based authentication. We have another site and we'd like to implement a single sign on system allowing users from the existing site to log in to the one I am building. What would be the best way to achieve this and hopefully leverage to the existing roles based authorization I'm using on the MVC4 site. Is it possible to have multiple membership providers (i.e. use the built in one and if the user is not found, attempt to authenticate via a custom provider that I'll write (once I work out how!). Or would it be better to abandon the built in membership/roles and roll my own?
I also thought of letting WebSecurity check the local database and if the user is not found, query the 2nd database and if the users credentials are valid, create a local account for them. One issue with this approach is if a user called Fred registers on the MVC site, and then a user from the other site called Fred logs in, we couldn't create them a local account with the same username. We could prefix/suffix the username with some text to indicate that they are from the other site but then we lose the single sign on feature.
We will also want to integrate AD authentication for staff in the future.
So essentially I'm looking for the best way to authenticate users from multiple databases and keep using roles based authentication?
I've also done a little digging was wondering if ADFS might be useful for this.
Any help or advice would be greatly appreciated!
I recommend the use of an Identity server to handle all your login request and switching to a claim based authentication instead of a role based authentication if you can.
I personally went with Thinktecture IdentityServer
pluralsight.com have a good course on it.
Thinktecture IdentityServer is build on top of simple Membership and it supports multiple protocol such as
WS-Federation
WS-Trust
OpenID Connect
OAuth2
ADFS Integration
Simple HTTP
I recommend checking it
Good Luck