Keycloak user-federation - keycloak-rest-api

I used keycloak for securing my web app project, the first scenario was keycloak with database user, I have created many roles and groups, and I can manage all these (users, roles, groups) from my app using keycloak api, till here everything works fine.
then the 2end scenario comes with user federation (from Active Directory AD), so I have delegated the authentication to AD with edit mode = Readonly and Import Users = on. The user synch works fine, even for the user changes, wherease I can't manage the roles , groups using keycloak Rest API and can't assigned the default role for any user right after the synchronization. how could I do that?
any help would be greatly appreciated

After the sync, you can user LDAP mappers to assign roles/groups to users.

Related

How to allow login only certain roles in client app using MSAL library for Azure AD

My Vue application uses Azure AD to authenticate users with msal library. Now only users with specific roles should have the possibility to log in. I saw an approach that needs to execute a request to Microsoft Graph API with directory.read.all permission to get logged in user's role and then determine if this user can proceed or not.
Is it possible to specify users' roles allowed to log in somewhere in AD and disallow other users to log in?
The way we solved this problem is by creating app specific roles (App Roles) and assign users to one or more of those roles.
Now when a user logs in, the app roles assigned to the user are available in the role claims. If we find that the user does not have any app roles assigned to them, we stop them from accessing the application.

How do I configure Azure SSO between two Azure AD Instances?

I am very new to SSO and am having trouble enabling cross company SSO. I work on a React SPA and used the MSAL React Library to implement SSO for our application. I created a non-gallery Enterprise Application in Azure, and used that subscription information to validate users on the application during login. This is all working as expected.
After providing our SAML SSO configuration to companyB, the user at companyB cannot sign on and is getting the following error...
"Selected user account does not exist in tenant 'XYZ' and cannot access the application '123-456-789' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account."
To me, that means I need to manually add the user who is attempting to log in, but that would negate the usefulness of integrating the two Azure ADs. I've provided all of my SAML configuration to companyB, and still no luck. What could I be missing?
In order to create the link between the two Azure ADs, the user just needs to create a non gallery application with SAML SSO enabled and the SAML config, right? Any insight into this issue would be greatly appreciated!
I realized my code was configured to only work for one tenant, pointing to the common login endpoint solved this issue.

Azure Active Directory B2B Alternate Login ID

We want to use Azure AD as the Identity Provider for users in a web application. At the moment, we have everything set up using MSAL.js 2.0 with the Auth Code Flow, a custom scope, and access token which is used to authenticate requests towards our various backend services.
The issue is that our users want to be able to login with their own custom email addresses, instead of their login ids generated by AD and with the #onmicrosoft.com domain. For example, user1#some-orginization.com or user2#some-other-organization.
It would still be okay to accept the login ids as usernames as well, but surely there must be a way to allow users to use another property of the profile (their alternate email for example) to log in.
Our application is registered to AD such that it will allow only logins from one tenant, since we don't want to require users to already have existing Microsoft Accounts.
We're avoiding B2C because some users would face issues with their company policies, which would mean they could be invited as users, but would be rejected at login. Also, B2C does not really support Roles like B2B does, which is somewhat important for us.
Any guidance will be greatly appreciated.
EDIT:
After countless hours of attempting to make this work, I decided that it just isn't worth the effort, and switched to Auth0. They provide everything I could possibly want, and seemingly even better Azure AD integration to other tenants then Azure AD itself.
I think what you want to express is that you want to log in to your application with any email (including personal accounts and social accounts).
If so, then you need to modify the application's manifest configuration and then change the /tenant id endpoint to the /common endpoint.
To change the setting for an existing AD App, navigate to the Manifest blade of it in the portal, find the signInAudience attribute, set it with AzureADandPersonalMicrosoftAccount or PersonalMicrosoftAccount.

Azure AD app - client secret connected with user

please, is here any way how to make relationship between applicaiton in Azure AD and User with client secret.
My use case. User ask for token with client secret(as deamon) and call my web api and a verify this token. Token is valid but there is no information about user who call it or who registered app. User gets token via API (https://learn.microsoft.com/en-gb/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token)
When user ask for token interactive everything is ok.
I tried to use a information about who created app, but Azure AD does not set it when user is administrator.
Is there any way how to use deamon which will be connected with some user?
Is there anywhere i can save this relationship in azure AD?
My idea, every user who wanted use my web api as deamon create his application and connect to mine web api, which use his app for verification. Relationship between app creator and user can be enough. but when i delete user and he has still client secret, he can access. I dont want to use his username and password because it will be saved on different computers and it is not save enough.
If you have more questions, dont hesitate to ask!
Thank you for any idea.
For scenarios, such as this one, your application should have an App Role with the allowedMemeberTypes having Application and as mentioned in the docs, this will show up as an application permission to other apps.
So the consumers of your API will have to add this application permission to their daemon app (which requires admin consent). This will trigger a flow internally that creates a Service Principal (like a user persona of the application) and adds that as a user to your application (you should be able to see it listed under Enterprise Applications > (Your API) > Users and Groups).
When you want to deny this daemon access to your API, you will just have to revoke the admin consent provided at first.
I believe you could even automate this process by using the Microsoft Graph APIs.

Secret Key / Access Key with Azure Active Directory, enterprise application, app roles?

We are working on WEB APIs and want to integrate Azure AD for AuthN and AuthZ. We have successfully integrated the same. We have created enterprise applications, custom roles, assigned users for the same.
Now we need to allow access to APIs with AWS like keys (Secret / Access keys). Individual user can generate their own keys and store those in Azure AD so that when those keys are used, user can be authenticated.
I didn't find any way to achieve this using Azure AD. Any suggestions around same are welcome.
Meanwhile I have gone through custom store for keys. Please refer link : https://www.codeproject.com/Articles/1228892/Securing-ASP-NET-CORE-Web-API-using-Custom-API-Key
Thanks in advance.
Azure AD authentication uses tokens.
So any app wishing to call your API must authenticate with AAD and acquire a token for the API.
If these users are making apps within your organisation, then they can register their app in your AAD and require access to your API. They will create and manage their own keys.
If on the other hand these users are making an app for another organisation, you'll have to make your API a multi-tenant app.
And you'll need to have an on-boarding page in your API through which you will redirect their admin/user to the AAD login page, where they will consent to any permissions your API requires.
After this a service principal is created in their tenant.
Then they can register their client apps and require access to your API.
They will have full control which permissions they want to assign to each app, what roles to give to users etc. But of course the tokens will contain their tenant id so you can filter access on that.

Resources