I have an internal web application (ASP.NET) that I want to expose to the internet, preferably thru Azure Application Proxy. The requirements are to use an existing external keycloak server for user authentication, the keycloak server is hosted separately from our Azure. I have read that Azure Application Proxy requires Azure AD ( not sure about this), but it is not clear if Azure AD can be connected/use an external Keycloak server.
My question is can Azure Application Proxy be made to work with an external KeyCloak service to authenticate and authorize users, or is there some other way to expose the internal web application to the internet with Azure and an external Keycloak server.
Using Azure is not a fix requirement, but it is preferred.
Using the external Keycloak server is required.
Thanks in advance for any help with this.
Related
I have a click once windows application which already has authentication n Authorization built in. Earlier i used to deploy it on physical server n share the location with users so that they can install it n use it. But now we have decided to deploy it on azure PAAS service (App service ). But currently url is geting access by anyone which i want to restrict. Currently my organization AD is not synced with Azure AD. So not able to use Azure AD for authentication.
Kindly provide some better solutions other than restricting users based on IP.
If it's a file download you can put it on Azure Blob storage for download and generate short-time SAS tokens.
While IP address restrictions and Azure AD authentication would be one-efficient approach for your scenario. Since you do not want to go that route (due to environment limitations), If you wish you could authenticate users with the specified provider (Microsoft Account, Facebook, Google, Twitter or Any OpenID Connect provider). App Service provides built-in authentication and authorization support, so you can sign in users and access data by writing minimal or no code.
App Service uses federated identity, in which a third-party identity provider manages the user identities and authentication flow for you. You can also use multiple sign-in providers.
So the simple process could be:
The option is Log in with . App Service redirects all anonymous requests to /.auth/login/<provider> for the provider you choose. If the anonymous request comes from a native mobile app, the returned response is an HTTP 401 Unauthorized.
Kindly checkout step-step instructions on the process/workflow:
Configure your App Service or Azure Functions app to use Microsoft Account login
If your WebApp is on VNet, you can have service endpoints enabled for Microsoft.Web, through access restrictions.
See- Advanced usage of authentication and authorization in Azure App Service
I have a website on the namecheap server and an application on microsft azure deploy on Azure App Service I would like to send post requests from my namecheap server to azure which contains the application my questionis this possible and also isn't there a security risk?
thank you for your help
Web programs are accessed through HTTP Requests. The security risk you mentioned does not exist.
In webapp, the security of web application data is what we need to care about.
After passing the authentication, the data can be curd according to the authority to ensure the security of the program.
It is recommended that you deploy the azure webapp program to increase the authentication function, such as jwt token.
I'd like to connect to an On-Prem API from an external cloud service using the Azure AD Application Proxy. I can connect and use the API by logging in with my Azure AD User in a browser, but would like a code-based-like login to use from my external service.
I've been digging through various articles the last couple of days, and it seems not possible without an Azure AD User interactive login. I am able to create an AD user for this service only if needed, but handling the interactive login from code or even through Postman seems troublesome.
Can someone point me in the right direction to solve this cloud-service to on-prem app solution? (unfortunately, I can't move the on-prem app to Azure).
EDIT: I'll be looking at using the pass-through option in the App registration, which means i need to handle the authentication and security in my API.
Perhaps you could consider using an on-premises data gateway instead, but it depends on where your external cloud service is hosted.
https://learn.microsoft.com/en-us/azure/logic-apps/logic-apps-gateway-install
Essentially, if your external cloud service is completely outside your environment and your control, the data gateway can still be used, then you can expose a Logic App as a facade that can integrate with the on-premises data gateway. The external cloud service can then call the logic app to trigger the request, which can be secured by other means e.g. SAS key.
I have a design issue that I've been struggling with in Azure. I have created a .NET Core API and deployed it as an App Service in Azure. On top of that, I have an instance of Azure API Management with oAuth 2 securing it. I was able to achieve this by following this tutorial:
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad
So, the API Management instance is secured with policies and rate limiting, but the back-end URL is wide open and requires no authentication. What is the best process to secure the back-end URL?
you can set APIM public IP in accessing whitelist of your App service to make sure only APIM requests will be able to access your App Service. For how to set IP restriction , you may refer to this doc : https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions#adding-and-editing-ip-restriction-rules-in-the-portal
I have connected an Azure VM with Azure AD Domain Services. I am trying to set up sso for IIS web app which authenticates users using Integrated Windows.
I have followed the guide to setup the Application Proxy and I am stuck at Delegating KCD. https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-sso-using-kcd/
Has anyone tried to authenticate users with Integrated Windows Authentication via Azure AD SSO?
This is not possible as in Azure AD Domain Services you don't have access to the domain controller so you can't configure KCD for the connector.
Disclaimer - I worked in the App Proxy team :-)