I am trying to programatically retrieve Saml Federation Metadata XML files from Azure AD applications via the msgraph API; however I am struggling to find an API endpoint to do so.
Is this something that is possible in Azure?
Related
I have an Azure WebApp which needs to call the Azure DevOps API to trigger a build pipeline.
The only problem I have is to find out which is the proper way to authenticate from my web api against azure devops API.
Should I use a service principal account for that, or Managed Identity?
Do I have to create a service account in Azure AD, give him rights on Azure DevOps ?
I only have a route which then calls the DevOps API, so I need to authenticate at the moment the route was called with a Principal from the WebApp.
Iam a little bit lost how to do it the right way, because there is so much information about the auth topic.
Currently I use my personal account with PAT from Azure KeyVault, which is only a temporary solution.
Thanks & Regards
If you check this Choose the right authentication mechanism document, you will find several types of authentication mechanism from your Web App API against azure DevOps API.
But it's mostly recommended to use Azure DevOps Services Client Libraries for authentication and accessing Azure DevOps Services resources. You can authenticate your web app users for REST API access, so your app doesn't continue to ask for usernames and passwords.
Azure DevOps Services uses the OAuth 2.0 protocol to authorize your app for a user and generate an access token. Use this token when you call the REST APIs from your application. When you call Azure DevOps Services APIs for that user, use that user's access token. Access tokens expire, so refresh the access token if it's expired.
I would suggest to read this Authorize access to REST APIs with OAuth 2.0 document for the more explanation and detailed approach to achieve the result.
In case, if any required functionality is missing from the client libraries, MSAL is an alternative authentication mechanism to use with our REST APIs.
We have a client that owns two separate Azure Cloud tenants: ACloud and BCloud.
ACloud contains their regular SaaS and Azure AD users log in with userName#clientACloud.onmicrosoft.com
BCloud contains only IT/sysadmin users managing cloud PaaS resources and users log in with userName#clientBCloud.onmicrosoft.com
We have deployed an API to BCloud which requires Azure AD authentication. The API is being called from a mobile app written in React. There, users are presented with a login screen and must login using username#clientBCloud.onmicrosoft.com
However, we want users to be able to log in using their normal userName#clientACloud.onmicrosoft.com
Is there a way to configure the API in BCloud to use ACloud’s Azure AD for authentication to an API hosted in BCloud?
One resource from Microsoft recommended using the graph API. I think the graph API would allow the mobile app to authenticate the user’s ACloud account, but that SAML token won’t work against BCloud’s API. We are looking for some way that the API in BCloud can accept user tokens from ACloud, so I suspect there is some configuration we need to make in BCloud to trust ACloud’s Azure AD.
Thanks in advance!
I have an application that authenticates users agains Azure AD using OAuth and I want to provide the ability to setup certain information associated to each user by his admin in Azure AD, so I can read it as part of the authentication process. I would also like to be able to use the claims functionality provided by Azure ActiveDirectory so the admin can define custom mappings between user attributes in his AD and what I am going to read, as explained here.
Apparently those claims can only be read from a SAML token that would be the result of a SAML authentication, but since I am already authenticating using OAuth I would like to avoid having to do that. My question therefore is: can those SAML tokens or the information contained in them be obtained somehow either as part of the OAuth authentication process or afterwards?
When you say "provided by ActiveDirectory" you mean Azure AD not on-premises AD?
There is no way currently to add claims to the token in Azure AD. They are "canned".
That link you refer to is for SaaS application in Azure.
The way to get information out of Azure AD is via the Graph API.
Entering the AWS management console, how does one build an SSO solution where authentication is done against Azure AD but authorization level is in AWS IAM?
Azure AD SAML claim will not include any security group data, since we don't want to overload SAML token with metadata. Same applies to Kerberos tickets. Hence using the Azure AD Graph API is out of question as well.
Basically the SAML assertion will only include data about authenticated user.
The AssumeRoleWithSAML API is role-driven, whereas we would need a SAML based solution that is user-driven (mapping incoming user data with IAM user). Any help is welcome.
I have a web app (node.js) which will access the GraphAPI through OAuth using ADAL to my company's Azure AD. Does it support SSO such that the domain user doesn't need to give credential again after domain login?
The Azure AD Graph API is not used for SSO, you can refer to its API reference.
The Azure Active Directory Graph API provides programmatic access to Azure Active Directory through REST API endpoints. Apps can use the Azure AD Graph API to perform create, read, update, and delete (CRUD) operations on directory data and directory objects, such as users, groups, and organizational contacts.
For more details of single sign-on, please see the doc What is application access and single sign-on with Azure Active Directory?