Configure MSAL without access to Azure AD administration portal - azure

A customer changed to Azure AD, so we have to update our app accordingly. Unfortunately we don't have either access to the customers's Azure AD administration portal, nor do we have user credentials to test our app. We only know that ...
All starts here: https://myapplications.microsoft.com
Browser login consists of (1. dialog) email address, (2. dialog) password, (3. dialog) OTP token entry (OTP sent via SMS). Microsoft Authenticator works as well.
When through the authentication process, the page with the Azure applications appears. In our app, we'd like to avoid this page showing up, since the app should take over after the OTP token is entered in Microsoft Graph API (= authentication is completed). So authentication webview should close by itself after authentication is finished.
We read a lot about MSAL the last days, but since we have to code blindly (no sample login credentials/OTP available, no Azure AD administration access), it's kind of fishing in the dark.
We used this page as starting point: https://github.com/AzureAD/microsoft-authentication-library-for-objc
We use Xcode 13.4.1 with Swift.
By using Safari Web Inspector on the concerned Azure AD application, we populated the required MSAL constants as follows:
let kClientID = "2793995e-0a7d-40d7-bd35-6968ba142197" // probably not correct, see (a.) below
let kGraphEndpoint = "https://graph.microsoft.com/" // not found in Web Inspector data, but most MSAL code uses it
let kAuthority = "https://login.microsoftonline.com/common/" // found in Web Inspector data
let kRedirectUri = "https://myapplications.microsoft.com" // the URL after authentication is complete
let kScopes: [String] = ["User.Read"] // not found in Web Inspector data, but most MSAL code uses it
Questions/Problems:
https://myapplications.microsoft.com always shows the client_id 2793995e-0a7d-40d7-bd35-6968ba142197. As far as we understood, every Azure AD application has it's own client_id, hence 2793... cannot be correct since it's "generic". If the client_id is not correct, can we find the correct one using the concerned Azure AD application Safari Web Inspector data?
Above constants seem to work, but when our testers login, the last page showing all Azure AD applications remains open. Some sample MSAL test code from Github however close Microsoft Graph API after credentials were entered. Is this closure of the authentication webview triggered by the server (Azure AD setting) or the client?
After testers logged in through the app, then suspended the app (via App Switcher), then opened the app again - the complete Graph API login was required again. Silent login (aquireTokenSilently) didn't work. When using Safari, silent login works however. What could be wrong?
Does the Safari Web Inspector data tell us what the product bundle identifer is (which we need for msauth.$(PRODUCT_BUNDLE_IDENTIFIER) as redirect URI)?
So basically, we'd like to ...
avoid the Graph API portal page, which shows up after authentication is done
remain logged in after app returns from suspended (acquireTokenSilently())
use Authenticator if installed on the device
We've never worked with Azure AD before.
Any hint about mistakes/misunderstandings would help.
Many thanks!
----- UPDATE (27.07.2022) -----
As a reminder ... we neither have access to the Azure AD portal, nor do we have test credentials (username, password, SMS code [OTP]).
After lots of testing and simulating, still no success.
Using Safari, the flow for a regular user looks like this:
https://myapplications.microsoft.com
The authentication starts with the entry of the organization specific email address.
Azure detects this organization, checks the existence of the email address and asks fro the password.
Next, Azure either sends an SMS code or triggers the broker (Microsoft Authenticator). It's device configuration specific which one is used.
The page with the Azure AD applications opens.
On iOS/macOS (Xcode, our application), the above flow is similar. MSAL debug messages reveal however that no token is sent. acquireToken() only completes after the webview is cancelled (MSAL error -50005). It seems that a Web application doesn't require a token ?!
Now ... in our (iOS) app, we only would like to get the token in order to access the Web application with our (iOS) app (using the Bearer inside the URL request).
How can we get a token for an Web application without redirecting to that page at the same time (which doesn't return a token)?
Does Azure AD allow access to that Web application using the gained token?
A server side (Azure AD) solution would be an redirect_uri entry in the Authentication section (MY_BUNDLE_ID). But we have to do without.

You don't need to target the MyApps app (2793995e-0a7d-40d7-bd35-6968ba142197). You should target your own Azure AD App registration. For more information please take a look to MSAL iOS Swift Microsoft Graph API Sample.

Related

python3-saml and Azure AD - missing a point

Good afternoon experts,
I have a Django web application (it is not internet-facing) and so far I used the django.contrib.auth.backends.ModelBackend to authenticate the users.
However I want to integrate this webapp to an existing SSO solution (like Azure AD) so I thought python3-saml would be a good library to be used (more specifically I use python3-saml-django but it is just a wrapper around python3-saml).
Probably I am missing some fundamental point as I don't really understand how this should work.
When I used ModelBackend then I had a login form where the user could type their username+password which was checked against Django database and the authentication was completed. Should the same work with SSO too? i.e. the login form appears, the user will type their credentials but they will be checked in Azure AD instead of Django auth tables? Or the custom login form of that specific auth solution (in this case Azure AD -> Microsoft login form) should be displayed...?
The LOGIN_URL setting is configured in my Django app so if no user is logged in then automatically my login form appears.
Also I set the AUTHENTICATION_BACKENDS setting and it points only to django_saml.backends.SamlUserBAckend.
I configured AZure AD (registered the app and added a user, I tested it in Azure AD console) hopefully correctly. I also populated python3-saml's settings.json with login/logout URL, etc.
Whenever I try to log in with the Azure AD user I got an auth error (the user and password did).
I am just wondering if somebody could shed some light please how this should work? Can I debug the SAML requests / responses?
auth is token based in azure ad and it will redirect the user to the microsoft login. You will receive an auth token which then you can use to for authorization and providing secure pages.
First register your app in azure portal in azure active directory and also create a user flow.
Then download MSAL for python (using pip) which is used for auth using azure ad for python.
The basic architecture is that when the user tries to login the Microsoft login page will be shown, after signing in your app will receive a token which then you should use to show the logged in pages.
References:
quickstart for auth in python
userflow
MSAL Library

possible to automate the ADFS SAML SSO MFA authenticator app code on a mobile app SSO flow?

I have a properly authenticating SAML service working with ADFS. When we switch on MFA - the SSO flow requests an access code from an Authenticator app. The only way this seems to work on a mobile device is to break out of the SSO app and go to the Authenticator app to retrieve a new code. Then the user has to return to the mobile app and manually punch it in. Is there an automation step or config setting somewhere that might make this flow more user friendly by automating the auth step within the existing SAML flow instead of having to break out of the app to retrieve the code ?
• Since, you have configured SAML SSO for ADFS with MFA, and selected ‘Microsoft Authenticator’ app as second factor authentication medium, in this process, you will have to enter the one-time passcode appearing in the app for 30 seconds in the authenticator app in the MFA authentication window. So, since this is not unlike OTP (One Time Passcode) which is received as a text message in your cell phone upon requesting for login through ADFS. As if it was a text message, it could be naturally copied by giving the app access to read text messages permission in ‘Apps and permissions’ section of the cell phone if it was Android. Similarly, I would suggest you to please give your app permission to read the data from Microsoft Authenticator app in your cell phone settings and accordingly test it.
• But as far as I know, your app may not have the configuration settings to do so as Microsoft Authenticator app is just an application that is installed from ‘Playstore’ unlike any other system app like text message, inbuilt app notification, etc. Thus, I would like to suggest you to please enable the setting ‘Draw over other apps’ for your app which requires authentication through ADFS for the Microsoft Authenticator app by modifying the ‘AndroidAppManifest.xml’ file which will make it possible to read the ‘One-time passcode’ generated in the Microsoft authenticator app and in effect will automate the two-factor authentication for your app login through ADFS.
Kindly refer to the link below for more information on modifying the ‘AndroidAppManifest.xml’ file: -
https://www.geeksforgeeks.org/how-to-draw-over-other-apps-in-android/#:~:text=In%20order%20to%20draw%20over,android.
Also, find the link below which states the configuration that needs to be done for enabling the Azure MFA as well as various prerequisites needed for that purpose: -
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa

Disable Azure Active Directory Single Logout

Here is a scenario, I have given Single Page Web Application(just HTML and CSS) to authenticate and authorize the users to access this application.
So I used .NET CORE and Azure AD to authenticate users through Visual Studio (Register the app to the Azure portal). The login works fine but when I tried to logout it logs me out from all other applications that are using the Azure AD login mechanism.
For Example: In my browser, if I open Outlook that uses Azure AD authentication and my.NET application, if I want to log out from my custom .NET application, it automatically logs me out from Outlook. Is there a way I can prevent this? I just want to log out from my .NET application, not from Outlook or other applications that are using Azure AD authentication.
For logout: I am using the link: /MicrosoftIdentity/Account/SignOut
Update: I haven't added the Azure AD as Connected Services on my .net app but once I added the azure ad on my .net app, the log out works perfectly for Google Chrome. (I can able to log out from the app without logging out from outlook) but when I tried the same thing with firefox(regular, developer) it logs me out of both application and outlook.
Looking at the network logs I found that after logout, firefox is calling https://outlook.office365.com/owa/auth/logoff.aspx?cmd=logoff&exlive=1&lgtype=1&sid=xxxxxxxxxx that logs me off from outlook but Chrome is not calling this URL.
Anything I can do to prevent this or should I have to contact Microsoft?
If you need to logout from the application only (which has a lot of security outcomes - eg. user clicks sign-in again and they will be signed in automatically), you can just sign out from the Cookie authentication scheme (which will result in the identity cookies being dropped), see: https://github.com/AzureAD/microsoft-identity-web/blob/master/src/Microsoft.Identity.Web.UI/Areas/MicrosoftIdentity/Controllers/AccountController.cs#L108 for the specific implementation by Microsoft in Microsoft.Identity.Web.
Simply create a sign-out endpoint in your controller and do something like:
return SignOut(
new AuthenticationProperties
{
RedirectUri = callbackUrl,
},
CookieAuthenticationDefaults.AuthenticationScheme
);
However, I urge you to reconsider doing this, Single-Sign-Out has really a lot of security benefits.

How to Integrate existing Azure AD B2C into a Xamarin forms app using MSAL?

I am kind of confused about the integration process, so I hope to get some clearer guidance in my case.
Let say there is an existing web application(Angular + .Net Core) and I am working on the mobile version(Xamarin.Forms) for it. The web side and mobile side will share the same API backend for user authentication and other services.
So there is an existing tenant and related information (tenantName, tenantID, AppID, RedirectURL, policies, etc), and the redirectURL is for authorizing (https://.../authorize).
At first I thought I can directly used this information. I tried on the code sample and just replaced tenantName, tenantID ... When I clicked Log In button, it first showed me this error:
And then it directed me to the Sign In page. Finally, I signed in the web application in the simulator.
I feel like I should register the mobile app under the same tenant. If I want to help current web users log in the mobile version, how to integrate the existing Azure B2C properly with it for the authentication? Any hits would be appreciated. Thanks in advance.
Update:
I stayed stuck in the token part. I already enabled implicit grant. I used the sample code and add scope in the sample:
When you Register a web application, you should pay attention to the content after step 9.
Once the application registration is complete, enable the implicit
grant flow:
In the left menu, under Manage, select Authentication.
Under Implicit grant, select both the Access tokens and ID tokens
check boxes.
Select Save.
Select the Access tokens will give you the access token.
Ok finally get the access token in the AuthenticationResult. This is how I dealt with it.
After we define a scope, we need to configured permission.
Go to the registered application and add it to the configured permissions list:
After that I can see the accessToken in the result when I debug.

Azure B2C setup

I'm trying to set up Azure AD B2C for my web app.
I've already created a tenant. I then created an app. According to articles I'm following, I should then be able to click "API Access" and add scopes. In my case, there's nothing under API drop down:
I already see "Access the user's profile" with the following selected:
Under "Published Scopes", again, I see nothing:
What am I missing here?
UPDATE:
After adding the App ID URI, I was able to move forward a bit but still not sure about published scopes. This is what I currently have:
And under API Access, this is what I have:
Basically, the behavior I'm getting on my frontend app which is built on ReactJs is that I hit the Azure AD B2C login. After entering my credentials, I get redirected to my app. I see id_token in the URL but the MSAL library I'm using doesn't capture the token -- I have a break point in my React code to see if I'm capturing the token. I get sent back to the login screen on Azure, then back to my app. On the third one, I actually see the token being captured but I end up with the following errors:
I'm using this library which is a wrapper for the MSAL.js library: https://github.com/jamesrandall/react-azure-adb2c
I'm pretty certain there are config errors. Just not sure what they are.
API access is used to assign access from a web app to an API app.
Published scopes is used to register the access scopes for the API app.
Before the access scopes can be registered for the API app, an App ID URI must be set as the resource identifier for the API app, as described by the Azure Active Directory B2C: Register your application article.

Resources