How to programmatically log in with SAML2 against Microsoft Azure? - azure

We have a Java application running on Wildfly. We use the Red Hat Keycloak adapter to authenticate against Microsoft Azure via SAML2.
This works fine for users. For example, if a user opens the application:
The Keycloak SAML2 adapter redirects the user to the Microsoft login page (https://login.microsoftonline.com/...) with the SAMLRequest.
The user can log in with user ID/password.
And the user is redirected back to the Wildfly app. The user is now authenticated in Wildfly and a JSESSIONID is used for further requests as usual.
But how can I log in programmatically? I have, for example, backend services which need to request data from the app. I already tried to implement a Java RequestFilter, but this works only until the point I get redirected to the Microsoft login page for users. This login page consists only of JavaScript (!) and I cannot post my user ID/password to get redirected back.
Does somebody know how to do an Azure AD login in Java or with curl? Or is there any alternative URL for the login not based on JavaScript - maybe some REST API?

Related

Optional sign in + SSO with azure ad b2c

I have an application which has multiple frontend SPAs (mostly React). They allow the user to sign in if they want to access privileged features, but an unauthenticated user is still able to access the site. Each SPA will access some backend APIs using a token if they are authenticated. All of these sites should function transparently when it comes to login, so if you log in on one site, it should be automatically propagated to all the sites (SSO).
When a site first loads we want to get the token for the user if they are logged in with SSO. If we use the redirect flow and the user isn't signed in, we will end up on the sign-in page, which isn't what we want as we allow anonymous access. We only want to show the login page if the user explicitly clicks the login link on a site.
Is there a way to check if the user is logged into SSO without redirecting to the login page?
We have looked at ssoSilent (from MSAL), which functionally does what we want; however, it's only supported via third-party cookies, which don't work in some browsers.
I have thought perhaps we could redirect to a silent login page which, if the user isn't logged in, will just redirect back with an anonymous flag in the query string, but I don't know if there's a way to do this with Azure B2C.
The only method is ssoSilent(), or your own implementation of it via iframe. It should work as long as your app is on the same root domain as the AAD B2C login page, which you can do with the Custom Domain feature.
There is no API endpoint available to do what you want.

OpenID connect Signout request in Azure AD

We have a web application implemented in Java/JSP, and Azure AD single sign-on authentication has been implemented using the OpenID Connect protocol. The sign-in approach is working as expected, but the major issue is with sign-out. While signing out the user we are following the approach below.
1) User clicks the sign-out button.
2) He is redirected to the application sign-out page.
3) Clear the application session in the sign-out page.
4) Then redirect the user to the Azure AD logout page, see the URL below:
https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=our_application_sign_out_success_page
The above approach is working as expected, but the problem is: if the user copies and pastes the above URL into a browser tab while they have a valid session in another browser tab, their AD session gets cleared.
But the expected behavior is that the logout should happen only when the user clicks the sign-out button.
This is expected behavior; the server is not able to detect whether the request was sent by clicking or by pasting into the address bar and navigating manually. And the server shouldn't care where the request is from; it only does the job you told it to.
And if you have other applications also using the Azure AD as the identity data provider, the sign-out request will not affect the other applications when you sign-out from your web application. Also if you want to implement the single sign-out, you have to implement LogoutUrl in the web application and register it on the Azure portal.(refer here)

Servicestack facebook auth via mobile

I've read through every resource out there on the ServiceStack wiki, examples on GitHub, forums and Stack Overflow to figure out implementing Facebook integration with a mobile app and ServiceStack backend. However, none of them have the answer, or I'm missing something basic.
In our workflow, a user decides to register through the mobile app using Facebook:
We contact Facebook requesting permissions to the user's account
User grants permissions (let's not worry about denied for now)
We get a user access token and everything is good so far
Next, we want to access our ServiceStack backend (using the Facebook Auth Provider) to create an account and automatically log the user in the first time. The examples refer to the method where a web browser is used. What if I want to pass the user auth token from my mobile app to the server to fetch the user permissions and create an account if it doesn't exist and then log the user in?
The existing endpoint seems to work only for a browser app because it also does a redirect. We need a way to pass in the user auth token and log the user in (or create an account if it doesn't exist). Any idea how this can be accomplished?
To log in via OAuth in mobile apps, you'd typically launch a browser control to have it redirect to the remote OAuth site, where it gets the user's permission and captures their credentials just as it would with a website.
If you're developing a Mobile App using Xamarin the TechStacksAuth shows an example on how you can use Xamarin.Auth control to authenticate with a ServiceStack back-end via OAuth.

Azure Active Directory and Federated Authentication

We're using Azure Active Directory with Federated Authentication. This is working without a problem - but we need the ability to have users sign in with credentials other than their logged in Windows credentials.
What happens right now is
User navigates to our web app and the Azure ADAL for JavaScript attempts to log in
The user is redirected to https://login.microsoftonline.com/common/oauth2/authorize?response_type=id_token&client_id=xxxx&redirect_uri=xxxx&client-request-id=xxxx&x-client-SKU=Js&x-client-Ver=1.0.2&nonce=xxxx
The user is presented with a username and password box.
Upon entering the username (even if it is someone else's username), as soon as focus leaves the username textbox, the page shows:
"It looks like this email is used with more than one account from Microsoft. Which one do you want to use? Work or school account - Assigned by your work or school"
Upon clicking "Work or school account", the user is presented with
"Redirecting. We're taking you to your organization's sign-in page."
The page redirects to the url
https://ds1.mydomain.com/adfs/ls/auth/integrated/?username=me%40mydomain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%xxxxx&popupui=1
The user is automatically logged in using their active Windows credentials (even if they entered a different username on the previous page).
If I navigate to the URL https://ds1.mydomain.com/adfs/ls/auth/integrated/?username=me%40mydomain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%xxxxx&popupui=1 using a Windows session with a non-domain (local) account, I get a standard Integrated Authentication prompt
So - it seems like our ADFS server is using Integrated Windows Authentication on an IIS Website.
My question is - how can I allow the user to log in as a different domain user for the web app. Is there a special ADFS login URL I can use? And if so, how do I tell the Azure app to use that URL. Or is there a way to disable Integrated Authentication in some other way, on demand?
Thank you.
UPDATE:
I see that if I point the ADFS URL to the basic auth endpoint
https://ds1.mydomain.com/adfs/ls/auth/basic/?username=me%40mydomain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%xxxxx&popupui=1
I am prompted for basic authentication (exactly what I want)...so how do I tell my Azure AD or Azure AD App what login URL to use? And how can I control it conditionally?
You would need to either remove AD FS from the Local Intranet zone on the relevant machines so they prompt, or better, look into the User Agent based targeting in AD FS and configure those machines to send a User Agent that triggers Forms Based AuthN.
Have a look at https://technet.microsoft.com/en-us/library/dn727110.aspx for more info on this.
Answer is actually pretty simple (with some help from Fiddler):
Add &prompt=login to the query string generated by the ADAL JavaScript when redirecting to login.microsoftonline.com. This causes the MS portal to redirect to the ADFS Forms Auth URL instead of the one using integrated security.
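The rewrite described in the answer above, as an added example that is not part of the original post or of ADAL.js: it appends `prompt=login` to the authorize URL that the library built, but only when the URL really points at the Azure AD authority and only when no `prompt` value is already present. The hostname allow-list, the `addPromptLogin` function name and the placeholder parameter values are assumptions.

```javascript
// Hostnames we are willing to rewrite. Anything else is left alone so a
// redirect target we did not build ourselves is never modified blindly.
const ALLOWED_AUTHORITIES = new Set(["login.microsoftonline.com"]);

// Given the authorize URL generated by ADAL.js, return the same URL with
// prompt=login added. Existing parameters (client_id, redirect_uri, nonce,
// x-client-* telemetry) are preserved in their original order.
function addPromptLogin(authorizeUrl) {
  const url = new URL(authorizeUrl);
  if (!ALLOWED_AUTHORITIES.has(url.hostname)) {
    throw new Error(`refusing to rewrite non-Azure AD URL: ${url.hostname}`);
  }
  // Keep any prompt value that is already there (e.g. select_account);
  // the caller chose it deliberately.
  if (!url.searchParams.has("prompt")) {
    url.searchParams.set("prompt", "login");
  }
  return url.toString();
}

// Constructed sample with the shape of the URL from the question above;
// the xxxx values are placeholders, not real identifiers.
const SAMPLE_AUTHORIZE_URL =
  "https://login.microsoftonline.com/common/oauth2/authorize" +
  "?response_type=id_token&client_id=xxxx&redirect_uri=https%3A%2F%2Fapp.example%2F" +
  "&x-client-SKU=Js&x-client-Ver=1.0.2&nonce=xxxx";

module.exports = { addPromptLogin, SAMPLE_AUTHORIZE_URL };
```

In a live ADAL.js deployment the same parameter is normally supplied through the library's `extraQueryParameter` configuration setting rather than by editing the URL after it has been built.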

OpenAM redirects to Default IDP URL when user is not found as SP

Setup:
My web application has OpenAM + OpenDJ interacting with a federation server in order to provide SSO service through SAML2. The list of users who are authorised to access my application is part of the OpenDJ.
How it works-
When the user launches the link for the first time and the application determines that he has not logged in, the user is redirected to the IDP URL to authenticate. The IDP provides the SAML2 response through the Consumer URL exposed. On receiving the SAML2 response my application determines if the user is part of my LDAP and thereby allowed to access and shows up a home page if he has access.
Problem
When the user is not part of my LDAP, I would like to throw up an Access Denied Page, however, I find that OpenAM throws the default IDP initiated login page with a goto parameter to my URL.
I've tried to have success and failure URLs configured, but it results in the application not being completely accessible. The users are not even shown the IDP login screen.
Is there a property or configuration I need to set to enable OpenAM to show the Access Denied page instead of IDP Login?
I was able to get this working through changes/redirection on the web server. Though I am not sure if there is a place within OpenAM config to solve this.