Can we revoke a SAML token in Azure AD? I got to see the documentation on revoking refresh tokens, but I never saw any document on revoking SAML tokens. Is there any possibility to revoke a SAML token from Azure AD?
There is no mechanism for revocation in Azure (or most SAML implementations). Each SAML token has a configurable lifetime defined by NotBefore and NotOnOrAfter. The default in AAD is a one-hour lifetime.
Azure also supports Single Sign-out.
These are the only mechanisms built into Azure. You might be able to get better controls with some of the APIs, but this is what you get out of the box.
I got the workaround to work to add claims to the token using a custom REST API; however, I realized this is the ID token and not the access token. I need the custom claims in the access token to use for authorization in the service.
I haven't inspected the access token yet, but are these claims also inserted into the access token?
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-rest-api-netfw
Yes, custom claims come back when requesting access tokens. The only difference in the list of claims is the scp claim. The scp claim is only returned on access tokens.
Unfortunately, the Claims in ID and access tokens documentation doesn't discuss this.
You can quickly verify this via the Run Now feature in the Azure Portal. See this SO answer.
Sample access token w/ a custom claim
I am using custom claims in my Azure Active Directory B2C tenant, where I registered two applications (UI and API). The UI passes the access_token to the API, and I am able to retrieve the custom claims there. I guess this should also be true for custom claims using a custom REST API.
If not, it must be possible to set up:
... The return claims can be stored in the user's Azure AD account, evaluated in the next Orchestration Steps, or included in the access token
If your question is "Can I get the user's access token from the federating IdP such as Azure AD, facebook etc"? The answer currently is no. You can vote for this feature here.
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/15334347-return-social-idp-s-native-access-tokens-back-to-t
I have implemented WS-Fed authentication mixed with cookie-based authentication.
I want to set the cookie expiration time to the SAML token timeout.
Is there any Azure AD API (REST or configuration) I can use to access the SAML token timeout? One way is to read it from configuration, but I am looking for a more generic solution.
Thanks in advance for your help.
AFAIK, there is no Azure AD API we can use to read the lifetime of a token issued by Azure AD. Not sure which configuration you mean; normally the issuer declares the lifetime in the token itself.
For example, for the lifetime of a SAML token, we can read the saml:Conditions element like below:
<saml:Conditions
    NotBefore="2004-12-05T09:17:05"
    NotOnOrAfter="2004-12-05T09:27:05">
  <saml:AudienceRestriction>
    <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
  </saml:AudienceRestriction>
</saml:Conditions>
For more about SAML, you can refer to the link below:
Single Sign-On SAML protocol
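As an added example (not part of the answer above), the following Python reads the saml:Conditions element the answer points at and derives a session-cookie lifetime from NotOnOrAfter, which is what the question asks for. It assumes the assertion's signature has already been verified by the WS-Fed middleware (Conditions from an unverified assertion must not be trusted), uses the SAML 2.0 assertion namespace shown in the answer (tokens issued over WS-Fed may use the SAML 1.1 namespace instead; the namespace is a parameter so it can be changed), and parses a constructed sample assertion rather than a real Azure AD token. The five-minute clock-skew allowance is also an assumption.

```python
# Added example: derive a cookie lifetime from a SAML assertion's validity window.
# Not code from the original post. The assertion below is constructed for illustration
# and is unsigned; in real use, verify the signature before reading Conditions.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Assumption: SAML 2.0 namespace, as in the answer's snippet. Adjust for SAML 1.1 if needed.
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion (hypothetical issuer and audience values).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-sample" Version="2.0" IssueInstant="2004-12-05T09:17:05Z">
  <saml:Issuer>https://sts.windows.net/example-tenant/</saml:Issuer>
  <saml:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T10:17:05Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_instant(value):
    # SAML dateTime values are UTC; tolerate both "…Z" and the bare form in the answer.
    dt = datetime.fromisoformat(value.rstrip("Z"))
    return dt.replace(tzinfo=timezone.utc)


def read_conditions(assertion_xml, ns=SAML2_NS):
    # Returns (NotBefore, NotOnOrAfter, [audiences]) from the assertion's Conditions.
    nsmap = {"saml": ns}
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", nsmap)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    not_before = parse_saml_instant(cond.attrib["NotBefore"])
    not_on_or_after = parse_saml_instant(cond.attrib["NotOnOrAfter"])
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", nsmap)]
    return not_before, not_on_or_after, audiences


def cookie_lifetime_seconds(assertion_xml, expected_audience, now,
                            skew=timedelta(minutes=5), ns=SAML2_NS):
    # Validate the window and audience, then return how long the cookie may live so that
    # it expires no later than the assertion itself. Raises ValueError if not acceptable.
    not_before, not_on_or_after, audiences = read_conditions(assertion_xml, ns)
    if expected_audience not in audiences:
        raise ValueError("assertion audience does not match this service")
    if now + skew < not_before:
        raise ValueError("assertion is not yet valid")
    if now - skew >= not_on_or_after:
        raise ValueError("assertion has expired")
    remaining = not_on_or_after - now
    return max(0, int(remaining.total_seconds()))


if __name__ == "__main__":
    # Pretend "now" falls inside the sample window.
    now = datetime(2004, 12, 5, 9, 30, 5, tzinfo=timezone.utc)
    lifetime = cookie_lifetime_seconds(SAMPLE_ASSERTION, "https://sp.example.com/SAML2", now)
    print(f"Set-Cookie: session=...; Max-Age={lifetime}; Secure; HttpOnly")
```

The cookie is capped at the assertion's remaining validity rather than the full configured lifetime, so a cookie issued late in the window does not outlive the token it was derived from; the audience check prevents an assertion issued for a different relying party from creating a session here.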
The documentation (under "configure your SCIM test app") states that a bearer token is required.
Is this a never-expiring OAuth access token? Can OneLogin be configured to use a refresh token to obtain new refresh and access tokens?
OneLogin doesn't currently support refreshing access tokens for SCIM (but we're working on it) - Just the standard bearer tokens available either directly or via an OAuth authentication flow.
Currently, we've only seen one application that has this requirement (out of many, many dozens of SCIM implementations) so it hasn't been a priority for us.
I have a question about the tokens regarding Azure AD and multi-factor authentication (MFA).
So I have managed to look into what happens with tokens when they are sent for a user with and without MFA enabled.
What I observed is that in the payload of the token there is an extra claim in the "amr": [] tag. By default there is a 'pwd' in that object, but with MFA there is also a claim called 'mfa'.
So now I know that somehow the token gets modified depending on the enabled options.
Is there some other claim or mechanism to obtain a specific ID for the device that the token was issued to? A device ID that potentially relates to its registration through "Workplace Join" in Azure AD or through the Microsoft Authenticator app?
Is there a separate token being sent related to the application password that is continuously talked about in the forums and documentation?
--------------------------Update---------------------------------
OK, so reading about the application password, it's basically used as another form of authenticating for multi-factor authentication. And I guess it gets stored both in Azure AD and also on the phone somewhere inside the Authenticator app.
So another question: is it possible to access this password from code?
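As an added example (not part of the question above), the following Python shows how a service can act on the observation described in the post: decode the payload of a JWT and check whether the amr claim lists 'mfa' before allowing a sensitive operation. The token is constructed inline with an unsigned header for illustration; in production the token's signature, issuer, audience and expiry must be validated first (for example by a JWT library against the tenant's signing keys), and this check is then applied to the validated claims. The claim values 'pwd' and 'mfa' are the ones the post reports; the policy function is an assumption about what a relying party might enforce, not Azure AD behaviour.

```python
# Added example: inspect the amr claim of a JWT to decide whether MFA was performed.
# Not code from the original post. Signature validation is deliberately out of scope here
# and must happen before these helpers are trusted with real tokens.
import base64
import json


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_constructed_token(claims):
    # Builds an UNSIGNED token (alg "none") purely so the example runs offline.
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        "",
    ])


def decode_payload(token):
    # Returns the claims dict. Does NOT verify the signature.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def mfa_performed(claims):
    # amr is a list of authentication method references; 'mfa' appears when a
    # second factor was used, per the observation in the post. A missing or
    # malformed amr claim is treated as "no MFA", never as an error.
    amr = claims.get("amr")
    if not isinstance(amr, list):
        return False
    return "mfa" in amr


def authorize_sensitive_action(token, require_mfa=True):
    # Assumed relying-party policy: step-up required unless the token proves MFA.
    claims = decode_payload(token)
    if require_mfa and not mfa_performed(claims):
        return {"allowed": False, "reason": "mfa_required", "amr": claims.get("amr", [])}
    return {"allowed": True, "reason": "ok", "amr": claims.get("amr", [])}


# Constructed sample tokens: one password-only, one with MFA.
TOKEN_PWD_ONLY = make_constructed_token({"sub": "user1", "amr": ["pwd"]})
TOKEN_WITH_MFA = make_constructed_token({"sub": "user1", "amr": ["pwd", "mfa"]})
TOKEN_NO_AMR = make_constructed_token({"sub": "user1"})

if __name__ == "__main__":
    for name, tok in [("pwd only", TOKEN_PWD_ONLY), ("with mfa", TOKEN_WITH_MFA), ("no amr", TOKEN_NO_AMR)]:
        print(name, "->", authorize_sensitive_action(tok))
```

Keying the decision on the amr claim of an already-validated token is safer than tracking "MFA done" in application state, because the claim is bound to the token the identity provider issued for this sign-in.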
There is no such claim about device information in the id_token issued by Azure AD. You can refer to all the claims in the id_token from the links below:
Azure AD token reference
Azure Active Directory v2.0 tokens reference
Is it possible to access this password from code?
As far as I know, there is no API like the Azure Graph REST API we can use to retrieve the password. And if you have any suggestions about MFA, you can submit them from the link here.
I have an application that authenticates users against Azure AD using OAuth, and I want to provide the ability to set up certain information associated with each user by their admin in Azure AD, so I can read it as part of the authentication process. I would also like to be able to use the claims functionality provided by Azure Active Directory so the admin can define custom mappings between user attributes in their AD and what I am going to read, as explained here.
Apparently those claims can only be read from a SAML token that would be the result of a SAML authentication, but since I am already authenticating using OAuth, I would like to avoid having to do that. My question therefore is: can those SAML tokens, or the information contained in them, be obtained somehow, either as part of the OAuth authentication process or afterwards?
When you say "provided by ActiveDirectory" you mean Azure AD not on-premises AD?
There is no way currently to add claims to the token in Azure AD. They are "canned".
That link you refer to is for SaaS applications in Azure.
The way to get information out of Azure AD is via the Graph API.