Is it possible to use External identity IdP with Azure AD SSO - azure

We are using Azure AD with SAML-based SSO to log in to our external web application. We would like to integrate several of our partner organizations that use Google Workspace to be able to log into our web application using the SSO from AD. Is this somehow possible? I tried this by adding a Google IdP to the external identities, but the users' identities don't work during the login - they get a "We couldn't find an account with that username." error.
Any ideas on how to accomplish this? Thanks

Related

How do I configure Azure SSO between two Azure AD Instances?

I am very new to SSO and am having trouble enabling cross company SSO. I work on a React SPA and used the MSAL React Library to implement SSO for our application. I created a non-gallery Enterprise Application in Azure, and used that subscription information to validate users on the application during login. This is all working as expected.
After providing our SAML SSO configuration to companyB, the user at companyB cannot sign on and is getting the following error...
"Selected user account does not exist in tenant 'XYZ' and cannot access the application '123-456-789' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account."
To me, that means I need to manually add the user who is attempting to log in, but that would negate the usefulness of integrating the two Azure ADs. I've provided all of my SAML configuration to companyB, and still no luck. What could I be missing?
In order to create the link between the two Azure ADs, the user just needs to create a non gallery application with SAML SSO enabled and the SAML config, right? Any insight into this issue would be greatly appreciated!
I realized my code was configured to only work for one tenant, pointing to the common login endpoint solved this issue.
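The fix described above (single-tenant authority versus the `common` endpoint) has a consequence the question does not spell out: once the SPA accepts sign-ins from `common`, any Azure AD tenant can authenticate, so the app must itself decide which tenants are allowed. The following is an added example, not code from the question or the answer; the client id and tenant ids are constructed placeholders, and the `iss`/`tid` claim shapes follow the documented Azure AD v2.0 token format.

```javascript
// Added example (not from the original post): MSAL.js authority choice for a
// multi-tenant SPA, plus the tenant allow-list check the app must add once it
// switches to the "common" endpoint. All ids below are constructed placeholders.

const AAD_LOGIN = "https://login.microsoftonline.com";

// Build the MSAL "auth" section. A tenant-specific authority only accepts
// accounts from that one tenant (the error in the question); "common" accepts
// any Azure AD tenant, so the app must then restrict tenants itself.
function buildAuthConfig(clientId, { tenantId = null, redirectUri }) {
  const authority = tenantId ? `${AAD_LOGIN}/${tenantId}` : `${AAD_LOGIN}/common`;
  return { clientId, authority, redirectUri };
}

// Parse a v2.0 issuer of the form https://login.microsoftonline.com/{tid}/v2.0
// and return the tenant id, or null if the string is not in that shape.
function tenantFromIssuer(iss) {
  const m = /^https:\/\/login\.microsoftonline\.com\/([0-9a-f-]{36})\/v2\.0$/i.exec(
    String(iss || "")
  );
  return m ? m[1].toLowerCase() : null;
}

// Policy check run on the id token claims after MSAL has verified the token.
// The issuer's tenant must match the tid claim and be on the partner allow-list.
function isAllowedTenant(idTokenClaims, allowedTenantIds) {
  const fromIss = tenantFromIssuer(idTokenClaims.iss);
  if (!fromIss || fromIss !== String(idTokenClaims.tid || "").toLowerCase()) {
    return false;
  }
  return allowedTenantIds.map((t) => t.toLowerCase()).includes(fromIss);
}

// Constructed sample values: our own tenant and a partner tenant ("companyB").
const OUR_TENANT = "11111111-1111-1111-1111-111111111111";
const COMPANY_B = "22222222-2222-2222-2222-222222222222";

// Constructed claims in the shape MSAL exposes as account.idTokenClaims.
const sampleClaims = {
  iss: `${AAD_LOGIN}/${COMPANY_B}/v2.0`,
  tid: COMPANY_B,
  aud: "00000000-0000-0000-0000-000000000abc", // placeholder client id
};

// Usage: with the multi-tenant authority, gate sign-in on the allow-list.
const authConfig = buildAuthConfig(sampleClaims.aud, {
  redirectUri: "http://localhost:3000",
});
const companyBAllowed = isAllowedTenant(sampleClaims, [OUR_TENANT, COMPANY_B]);
```

The check reads `iss` and `tid` only from claims MSAL has already validated; it is a tenant policy on top of signature and audience validation, not a replacement for it.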

Okta as IDP for Azure

So I want to provide access to users over Okta to Azure.
We have local AD which is not synced to MS Azure account
We have custom domain inside Azure AD
There is also 2nd part of this where we want to sync local AD mail field to Workday and add some O365 users to the same tenant which is another (native) Okta app.
So looking at the docs, it seems I need to install the AD Connect client, which will import all users into the same O365/Azure tenant. Then on Okta there is a native O365 app that I simply need to configure (it didn't look problematic). But for the Azure part, the documentation is not really good and I am confused about what I should do with Azure.
It seems I need to add a Custom SAML 2.0 Application on Okta for Azure and configure External Identities-->New SAML connection on Azure. There should also be a way to link Okta users to Azure AD ones, but they have different domains. Did I get this correctly?
Thank you!
You can do the following:
Use AAD Connect to sync on-premise users to Azure AD
Integrate on-premise AD with Okta
Use Okta's native Office 365 application to integrate Okta with Azure AD for Single Sign On. When you use this application, you don't have to do anything on Azure AD. Okta will take care of everything for you. All you need to do is follow these steps: https://help.okta.com/en/prod/Content/Topics/Apps/Office365-Deployment/configure-sso.htm

Azure AD B2C and on-premise Active Directory

We have the following scenario:
an Angular app accessing a Web Api backend
our own user database
We are planning to use a third-party identity solution such as Azure AD B2C, AWS IAM or Auth0. To my surprise, I found that Auth0 has an integration with on-premise Active Directory, but Azure AD B2C seems not to support this (at least not that I could find out)
We want to get to the following scenario:
an Angular app accessing a Web Api backend
third-party identity solution that manages the users of the angular app (preferably Azure AD B2C)
users need to authenticate via the identity solution (e.g. using a social account)
some users are in an existing on-premise AD and also need to be able to access the angular app
So my problem basically is: if we were to use Azure AD B2C, how can we let users that are defined in an on-premise AD authenticate in our Angular app? Or in other words: can an on-premise AD be an identity provider for Azure B2C?
This scenario can be solved with AD B2C custom policies.
I found that Auth0 has an integration with on-premise Active Directory, but Azure AD B2C seems not to support this (at least not that I could find out)
One way I know to make this work is through ADFS, where you can integrate ADFS in B2C. I will update this answer if I know any other way of doing this.
Update Start
You can use Shibboleth and Okta servers apart from the ADFS server.
Update End
users need to authenticate via the identity solution (e.g. using a social account) some users are in an existing on-premise AD and also need to be able to access the angular app
If you use custom policies, you can achieve all of these scenarios. You can integrate both social accounts and AD via ADFS (an on-premise ADFS server which gives access to on-premise AD users).
if we would use Azure AD B2C, how can we let users that are defined in an on-premise AD, authenticate in our Angular app? Or with other words: can an on-premise AD be an identity provider for Azure B2C?
As I said, this is possible through an ADFS server. All you need to do is enable the ADFS service on your server, add Relying Parties, and make B2C consume it so that your AD users can log in with B2C.
Warning: If your server does not have ADFS enabled, first try it on another test server.
ADFS in custom policies can be found at: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-setup-adfs2016-idp

Azure B2C don't use webview

I'm pretty new with Azure and all its services and I want to use Azure B2C to provide authentication to local users and FB providers. However, I noticed that I can't use the workflow I have defined in my mobile app because Azure has a redirect URL to load a browser and show the web page defined by them, or a custom one according to the policies defined for sign-in.
I've been googling for a while but it doesn't seem there's an option to have a web API that receives data from the mobile app and authenticates against Azure B2C.
Does anyone know if there's a way to not use the redirect URL and use the app login workflow?
Thanks!
Currently, Azure AD B2C doesn't have support for this.
However, work to support the Resource Owner Password Credentials flow in Azure AD B2C is in progress.
This new feature will enable the mobile app to collect a user credential and POST it to the B2C tenant for validation.

SPA + WebAPI authenticate using Azure AD B2C and Azure AD

My customer wants to use Azure AD B2C to authenticate external users, and Azure AD for employees of his company. I've been looking on GitHub and googling about it, but there's a lack of examples over there.
Has anybody had the same requirement and can give some hints?
Besides that, it seems that MSAL.js / hello.js has some bugs (X-Frame-Options issue when renewing the token).
Is there any other JS library that I'm not familiar with?
My customer wants to use AZURE AD B2C to authenticate external users, and Azure AD for employees of his company.
Azure B2C supports this via custom policies. You can easily configure this by referring to Azure Active Directory B2C: Get started with custom policies and Azure Active Directory B2C: Sign in by using Azure AD accounts.
Besides that, it seems that MSAL.js / hello.js has some bugs (X-Frame-Options issue when renewing the token).
Microsoft has written a sample application using the hello.js library. But as you said, it has the X-Frame-Options issue, but that is only for social IdPs. So, you can still use the SPA app written by Microsoft for your use case.
Is there any other JS library that I'm not familiar with?
Yes, there is another JS library out there similar to hello.js, which is oidc-client.js. It is easy to configure and use in a SPA application.
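Whichever SPA library is used, the Web API side of this setup ends up accepting bearer tokens from two issuers: the B2C tenant for external users and the Azure AD tenant for employees. The following is an added example, not code from the question, the answer, or Microsoft's samples; the tenant name, tenant ids and audience are constructed placeholders, and the two issuer strings are assumed to follow the documented v2.0 formats (B2C on `b2clogin.com` with a trailing slash, Azure AD on `login.microsoftonline.com`).

```javascript
// Added example (not from the original post): route an incoming bearer token to
// the issuer profile (B2C for external users, Azure AD for employees) that a
// JWT library would then use for signature verification. All ids are constructed.

const B2C_TENANT = "contosob2c";                              // constructed
const B2C_TENANT_ID = "aaaaaaaa-0000-0000-0000-000000000001"; // constructed
const AAD_TENANT_ID = "bbbbbbbb-0000-0000-0000-000000000002"; // constructed
const API_AUDIENCE = "api-client-id-placeholder";             // constructed

// One validation profile per issuer. Only tokens whose "iss" exactly matches
// one of these strings are considered at all.
const ISSUERS = {
  b2c: {
    issuer: `https://${B2C_TENANT}.b2clogin.com/${B2C_TENANT_ID}/v2.0/`,
    kind: "external",
  },
  aad: {
    issuer: `https://login.microsoftonline.com/${AAD_TENANT_ID}/v2.0`,
    kind: "employee",
  },
};

// Decode the JWT payload WITHOUT verifying it. The result is used only to pick
// the issuer profile; the profile's signing keys must then verify the signature
// (a JWT library's job, outside this example) before any claim is trusted.
function decodePayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  try {
    return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  } catch {
    return null;
  }
}

// Return the matching profile, or null when the issuer is unknown, the audience
// is not this API, or the token is expired ("now" is Unix seconds).
function selectIssuerProfile(token, now = Math.floor(Date.now() / 1000)) {
  const claims = decodePayload(token);
  if (!claims) return null;
  const profile = Object.values(ISSUERS).find((p) => p.issuer === claims.iss);
  if (!profile) return null;                 // e.g. a "common" or foreign issuer
  if (claims.aud !== API_AUDIENCE) return null;
  if (typeof claims.exp !== "number" || claims.exp <= now) return null;
  return profile;
}

// Build a demo token with a constructed payload and a placeholder signature.
// It is input for the routing step only and would fail real verification.
function makeDemoToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.signature-placeholder`;
}

// Constructed sample: an external-user token issued by the B2C tenant.
const SAMPLE_EXTERNAL_TOKEN = makeDemoToken({
  iss: ISSUERS.b2c.issuer,
  aud: API_AUDIENCE,
  exp: 2000000000,
});
```

The profile returned here decides which issuer's signing keys and policy apply; a token whose issuer is not on the list, or whose audience is another application, is rejected before any signature work is done.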
