When I go through Azure AD B2C documentation, I notice there is no code example or mention of Java Web apps and APIs as part of examples. We have good examples for nodejs and dotnet apps, but Java web app example is missing:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/integrate-with-app-code-samples#web-apps-and-apis
Does this mean that Java web applications must implement B2C authentication at the protocol REST call level?
There are some Java samples here:
Java web application using the MSAL4J to sign in users with Azure AD
A Java web application using Spring Security to sign in users with Azure AD
A Java web application using the MSAL4J to sign in users Azure AD B2C
They use the MSAL4J library.
Related
I'm really struggling with these Azure AD concepts.
Here is my situation. I have a webapp with users belonging to Companies. I have a requirement that is to be able to authenticate those users through their Companies' Azure AD. Eventually, We would want to offer this in the Azure app gallery in the future.
I started registering the app through App Registration, which gives me the information to integrate using OIDC. We would like to support both, OIDC and SAML protocols (I see that there are apps in the gallery offering both).
I tested OIDC out and it's working correctly, but when I want to develop SAML integration, the documentation says that it has to be done using an enterprise application. I can't edit the SSO section of the enterprise app generated by my registration:
The single sign-on configuration is not available for this application in the Enterprise applications experience. MY APP was created using the App registrations experience.
so I tested creating a new enterprise app. Using this app I can do all the SAML flow correctly.
My questions here are:
Do I have to connect the registrated app with the enterprise app? How I do that?
Why I can't edit the SSO info in the enterprise generated app?
If it's done through the registration app. Where do I set up the SAML endpoints, certificates etc.?
By reading the docs, I understand that enterprise apps are like "an instance of a registered app". That leads me to think that I should configure all in the registered app, but I can't see how to support SAML.
As mentioned by #Srinath Menon in the above answer, If the application was registered using App registrations then the single sign-on capability is configured to use OIDC OAuth by default. In this case, the Single sign-on option won't show, For enterprise applications we have an option.
In both the ways applications are get registered in AAD, and there are two types of objects get created once the app registration is done.
The Application Object is what you see under App Registrations in AAD. The application object describes three aspects of an application: how the service can issue tokens to access the application, resources that the application might need to access, and the actions that the application can take.
. App Registration are basically the apps local to the tenant/organization.
The Service Principal Object is what you see under the Enterprise Registration blade in AAD. Every Application Object would create a corresponding Service Principal Object in the Enterprise Registration blade of AAD. A service principal is created in each tenant where the application is used and references the globally unique app object.
Enterprise apps blade shows global apps (other tenants) which can be configured and used within your tenant/organization.
Reference
Set up SAML-based single sign-on for an application
No, there is no specific reason to connect the 2 apps.
The reason for this is by default "App Registration" is wired for OIDC Auth. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-saml-single-sign-on
This need to be done from the Enterprise apps for any SAML related functionality.
I am a bit new to Azure AD and some of its features. I have a vendor application that wants to setup authentication & single sign on using our Azure Active Directory. The documentation they provided me with just walks through adding Azure AD SAML Toolkit as the enterprise application and configuring it accordingly. However, I noticed immediately that the description for that enterprise application was "This is the sample SAML app which customers can use to test the SAML single sign-on integration with Azure AD."
My question is, shouldn't a vendor application have setup an enterprise application for me to add to our Azure tenant or is it common and good practice for applications to use the Azure AD SAML Toolkit for production implementations?
So far I have found no reason documented that this is bad practice. We have implemented it for the vendor application and have had no issues up to this point.
Is SAML authentication possible in Azure Web Apps? If possible, how can I configure Azure AD for SAML authentication? I tried finding a solution but the only Microsoft documents I've found regarding this is https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/saml-toolkit-tutorial . The problem within the document is that it doesn't specify any code related information
Yes - you need two things.
The application needs a client-side stack.
Azure AD has to be configured as an Enterprise application.
Does Azure AD B2C only works with .NET core?
I need a sample web app in MVC with .NET 4.5 for Azure AD B2C, without using .Net core and OWIN.
Does Azure AD B2C only works with .NET core?
No. Azure Active Directory B2C is a highly available, global, identity management service for consumer-facing applications that scales to hundreds of millions of identities. It can be easily integrated across mobile and web platforms.
It supports industry standard protocols such as OpenID Connect makes identity management possible on a variety of platforms, such as .NET and Node.js.
Here is a code sample using the .Net OWIN OpenId connect component and you can follow the helpful article about it here. If you doesn’t want to use the OWIN component, you need to complete the OpenId connect protocol in the apps yourself.
We have an API, we planning to publish this API in the Azure marketplace under developer service. For authentication, we are planning to use developer service SSO (Single sign-on) in API. I googled this but can't find any useful link, please suggest some links
Azure AD B2C became generally available recently and it somehow offers what you are looking for. You can use local Azure identity and/or social account for your end users to authenticate with SSO support.
https://azure.microsoft.com/en-us/services/active-directory-b2c/
With that being said and although you can secure your Web API with AAD b2C as in this guide, your customers won't be able to call this WebAPI from their own applications as the calling app must be registered in the same Azure AD directory with the same application Id. This is a limitation that is mentioned here:
Note:
Azure AD B2C currently supports only web APIs that are accessed
by their own well-known clients. For instance, your complete app may
include an iOS app, an Android app, and a back-end web API. This
architecture is fully supported. Allowing a partner client, such as
another iOS app, to access the same web API is not currently
supported. All of the components of your complete app must share a
single application ID.
If the above limitation is OK with you, then you might also be interested in this Azure article to list your app in the Azure AD application gallery.