Disable Azure Active Directory Single Logout - azure

Here is a scenario, I have given Single Page Web Application(just HTML and CSS) to authenticate and authorize the users to access this application.
So I used .NET CORE and Azure AD to authenticate users through Visual Studio (Register the app to the Azure portal). The login works fine but when I tried to logout it logs me out from all other applications that are using the Azure AD login mechanism.
For Example: In my browser, if I open Outlook that uses Azure AD authentication and my.NET application, if I want to log out from my custom .NET application, it automatically logs me out from Outlook. Is there a way I can prevent this? I just want to log out from my .NET application, not from Outlook or other applications that are using Azure AD authentication.
For logout: I am using the link: /MicrosoftIdentity/Account/SignOut
Update: I haven't added the Azure AD as Connected Services on my .net app but once I added the azure ad on my .net app, the log out works perfectly for Google Chrome. (I can able to log out from the app without logging out from outlook) but when I tried the same thing with firefox(regular, developer) it logs me out of both application and outlook.
Looking at the network logs I found that after logout, firefox is calling https://outlook.office365.com/owa/auth/logoff.aspx?cmd=logoff&exlive=1&lgtype=1&sid=xxxxxxxxxx that logs me off from outlook but Chrome is not calling this URL.
Anything I can do to prevent this or should I have to contact Microsoft?

If you need to logout from the application only (which has a lot of security outcomes - eg. user clicks sign-in again and they will be signed in automatically), you can just sign out from the Cookie authentication scheme (which will result in the identity cookies being dropped), see: https://github.com/AzureAD/microsoft-identity-web/blob/master/src/Microsoft.Identity.Web.UI/Areas/MicrosoftIdentity/Controllers/AccountController.cs#L108 for the specific implementation by Microsoft in Microsoft.Identity.Web.
Simply create a sign-out endpoint in your controller and do something like:
return SignOut(
new AuthenticationProperties
{
RedirectUri = callbackUrl,
},
CookieAuthenticationDefaults.AuthenticationScheme
);
However, I urge you to reconsider doing this, Single-Sign-Out has really a lot of security benefits.

Related

python3-saml and Azure AD - missing a point

Good afternoon experts,
I have a Django web application (it is not internet-facing) and so far I used the django.contrib.auth.backends.ModelBackend to authenticate the users.
However I want to integrate this webapp to an existing SSO solution (like Azure AD) so I thought python3-saml would be a good library to be used (more specifically I use python3-saml-django but it is just a wrapper around python3-saml).
Probably I am missing some fundamental point as I don't really understand how this should work.
When I used ModelBackend then I had a login form where the user could type their username+password which was checked against Django database and the authentication was completed. Should the same work with SSO too? i.e. the login form appears, the user will type their credentials but they will be checked in Azure AD instead of Django auth tables? Or the custom login form of that specific auth solution (in this case Azure AD -> Microsoft login form) should be displayed...?
The LOGIN_URL setting is configured in my Django app so if no user is logged in then automatically my login form appears.
Also I set the AUTHENTICATION_BACKENDS setting and it points only to django_saml.backends.SamlUserBAckend.
I configured AZure AD (registered the app and added a user, I tested it in Azure AD console) hopefully correctly. I also populated python3-saml's settings.json with login/logout URL, etc.
Whenever I try to log in with the Azure AD user I got an auth error (the user and password did).
I am just wondering if somebody could shed some light please how this should work? Can I debug the SAML requests / responses?
auth is token based in azure ad and it will redirect the user to the microsoft login. You will receive an auth token which then you can use to for authorization and providing secure pages.
First register your app in azure portal in azure active directory and also create a user flow.
Then download MSAL for python (using pip) which is used for auth using azure ad for python.
The basic architecture is that when the user tries to login the Microsoft login page will be shown, after signing in your app will receive a token which then you should use to show the logged in pages.
References:
quickstart for auth in python
userflow
MSAL Library

possible to automate the ADFS SAML SSO MFA authenticator app code on a mobile app SSO flow?

I have a properly authenticating SAML service working with ADFS. When we switch on MFA - the SSO flow requests an access code from an Authenticator app. The only way this seems to work on a mobile device is to break out of the SSO app and go to the Authenticator app to retrieve a new code. Then the user has to return to the mobile app and manually punch it in. Is there an automation step or config setting somewhere that might make this flow more user friendly by automating the auth step within the existing SAML flow instead of having to break out of the app to retrieve the code ?
• Since, you have configured SAML SSO for ADFS with MFA, and selected ‘Microsoft Authenticator’ app as second factor authentication medium, in this process, you will have to enter the one-time passcode appearing in the app for 30 seconds in the authenticator app in the MFA authentication window. So, since this is not unlike OTP (One Time Passcode) which is received as a text message in your cell phone upon requesting for login through ADFS. As if it was a text message, it could be naturally copied by giving the app access to read text messages permission in ‘Apps and permissions’ section of the cell phone if it was Android. Similarly, I would suggest you to please give your app permission to read the data from Microsoft Authenticator app in your cell phone settings and accordingly test it.
• But as far as I know, your app may not have the configuration settings to do so as Microsoft Authenticator app is just an application that is installed from ‘Playstore’ unlike any other system app like text message, inbuilt app notification, etc. Thus, I would like to suggest you to please enable the setting ‘Draw over other apps’ for your app which requires authentication through ADFS for the Microsoft Authenticator app by modifying the ‘AndroidAppManifest.xml’ file which will make it possible to read the ‘One-time passcode’ generated in the Microsoft authenticator app and in effect will automate the two-factor authentication for your app login through ADFS.
Kindly refer to the link below for more information on modifying the ‘AndroidAppManifest.xml’ file: -
https://www.geeksforgeeks.org/how-to-draw-over-other-apps-in-android/#:~:text=In%20order%20to%20draw%20over,android.
Also, find the link below which states the configuration that needs to be done for enabling the Azure MFA as well as various prerequisites needed for that purpose: -
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa

Configure MSAL without access to Azure AD administration portal

A customer changed to Azure AD, so we have to update our app accordingly. Unfortunately we don't have either access to the customers's Azure AD administration portal, nor do we have user credentials to test our app. We only know that ...
All starts here: https://myapplications.microsoft.com
Browser login consists of (1. dialog) email address, (2. dialog) password, (3. dialog) OTP token entry (OTP sent via SMS). Microsoft Authenticator works as well.
When through the authentication process, the page with the Azure applications appears. In our app, we'd like to avoid this page showing up, since the app should take over after the OTP token is entered in Microsoft Graph API (= authentication is completed). So authentication webview should close by itself after authentication is finished.
We read a lot about MSAL the last days, but since we have to code blindly (no sample login credentials/OTP available, no Azure AD administration access), it's kind of fishing in the dark.
We used this page as starting point: https://github.com/AzureAD/microsoft-authentication-library-for-objc
We use Xcode 13.4.1 with Swift.
By using Safari Web Inspector on the concerned Azure AD application, we populated the required MSAL constants as follows:
let kClientID = "2793995e-0a7d-40d7-bd35-6968ba142197" // probably not correct, see (a.) below
let kGraphEndpoint = "https://graph.microsoft.com/" // not found in Web Inspector data, but most MSAL code uses it
let kAuthority = "https://login.microsoftonline.com/common/" // found in Web Inspector data
let kRedirectUri = "https://myapplications.microsoft.com" // the URL after authentication is complete
let kScopes: [String] = ["User.Read"] // not found in Web Inspector data, but most MSAL code uses it
Questions/Problems:
https://myapplications.microsoft.com always shows the client_id 2793995e-0a7d-40d7-bd35-6968ba142197. As far as we understood, every Azure AD application has it's own client_id, hence 2793... cannot be correct since it's "generic". If the client_id is not correct, can we find the correct one using the concerned Azure AD application Safari Web Inspector data?
Above constants seem to work, but when our testers login, the last page showing all Azure AD applications remains open. Some sample MSAL test code from Github however close Microsoft Graph API after credentials were entered. Is this closure of the authentication webview triggered by the server (Azure AD setting) or the client?
After testers logged in through the app, then suspended the app (via App Switcher), then opened the app again - the complete Graph API login was required again. Silent login (aquireTokenSilently) didn't work. When using Safari, silent login works however. What could be wrong?
Does the Safari Web Inspector data tell us what the product bundle identifer is (which we need for msauth.$(PRODUCT_BUNDLE_IDENTIFIER) as redirect URI)?
So basically, we'd like to ...
avoid the Graph API portal page, which shows up after authentication is done
remain logged in after app returns from suspended (acquireTokenSilently())
use Authenticator if installed on the device
We've never worked with Azure AD before.
Any hint about mistakes/misunderstandings would help.
Many thanks!
----- UPDATE (27.07.2022) -----
As a reminder ... we neither have access to the Azure AD portal, nor do we have test credentials (username, password, SMS code [OTP]).
After lots of testing and simulating, still no success.
Using Safari, the flow for a regular user looks like this:
https://myapplications.microsoft.com
The authentication starts with the entry of the organization specific email address.
Azure detects this organization, checks the existence of the email address and asks fro the password.
Next, Azure either sends an SMS code or triggers the broker (Microsoft Authenticator). It's device configuration specific which one is used.
The page with the Azure AD applications opens.
On iOS/macOS (Xcode, our application), the above flow is similar. MSAL debug messages reveal however that no token is sent. acquireToken() only completes after the webview is cancelled (MSAL error -50005). It seems that a Web application doesn't require a token ?!
Now ... in our (iOS) app, we only would like to get the token in order to access the Web application with our (iOS) app (using the Bearer inside the URL request).
How can we get a token for an Web application without redirecting to that page at the same time (which doesn't return a token)?
Does Azure AD allow access to that Web application using the gained token?
A server side (Azure AD) solution would be an redirect_uri entry in the Authentication section (MY_BUNDLE_ID). But we have to do without.
You don't need to target the MyApps app (2793995e-0a7d-40d7-bd35-6968ba142197). You should target your own Azure AD App registration. For more information please take a look to MSAL iOS Swift Microsoft Graph API Sample.

Custom login form for Azure webapp with SAML authentication

we are currently developing a new web app with Azure B2C as IDP. The authentication method is SAML2.0, and everything is working well. But when a user wants to login, the web app is redirecting the user to the Microsoft login form, is it possible to use our custom login form?
I know are some possibility to rebrand the login form like logo and background, but it still have the Microsoft look and feel. I tried to create a user flow in Azure B2C, but i don't have the option to choose the authentication method SAML.
No.
This is standard across all Microsoft security products e.g. ADFS.
You always have to use the Microsoft login screen.

Azure B2C secured API can't be called when logged in using social providers

I have an angular website which is secured using Azure AD B2C. B2C is configured with local accounts and three social providers (MS, Google & Facebook) and everything from the web app perspective works great.
The web app calls a separate .NET Core web API which has a couple of secured endpoints. The web API has been set up as an application in B2C with all of the relevant scopes and the scopes have then been added to the web app as described in the getting started docs from MS.
If I'm logged in to the web app using a local account the API call's work perfectly however if I'm logged in using a social provider they fail. In the case of an MS account I see the following:
Frame with URL 'https://login.live.com/oauth20_authorize.srf?client_id=omitted for brevity'
attempted to navigate its top-level window with origin 'https://localhost:44314'.
Navigating the top-level window from a cross-origin iframe will soon require that the iframe has received a user gesture.
See https://www.chromestatus.com/features/5851021045661696.
Google and Facebook provide similar errors. It looks to me like somewhere along the line a redirect is being initiated to try and log in again.
On the Angualr app I'm using msal-angular (https://www.npmjs.com/package/#azure/msal-angular) which is configured as described in the link.
I've scoured the docs and google to try to find a solution but to no avail so any help would be greatly appreciated. I'm not sure if I'm just running into something that's not currently supported in B2C.
Thanks in advance.

Resources