I am working on setting up Tableau server. I want end users who login with their Azure AD B2C credentials to see some of the visualizations we build in Tableau.
While setting up Tableau, I noticed that Tableau works with Azure AD Domain services only. Two of our user groups in Azure AD is synched with ADDS. So I am able to add those users to Tableau.
However, I do not see similar synchronization option between ADDS and AD B2C.
Question: ADDS is only for Azure AD and not for AD B2C? Any suggestions to achieve my goal mentioned in first two lines?
From official documentation
Azure Active Directory Domain Services (AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. You use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.
it is meant as a mean to help customer that are using active directory on premise to migrate their domain controllers to Azure domain services and still support authentication and traditional management using OU, LDAPS and Kerberos.
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/overview#:~:text=Azure%20Active%20Directory%20Domain%20Services%20(AD%20DS)%20provides%20managed%20domain,(DCs)%20in%20the%20cloud
Azure B2C
Azure Active Directory B2C (Azure AD B2C) is an identity management service that enables custom control of how your customers sign up, sign in, and manage their profiles when using your iOS, Android, .NET, single-page (SPA), and other applications.
basically this is meant to support modern authentication for applications using OIDS,OAuth2, SAML
https://learn.microsoft.com/en-us/azure/active-directory-b2c/#:~:text=Azure%20Active%20Directory%20B2C%20(Azure,SPA)%2C%20and%20other%20applications.
so you cannot use AADS (Active Directory) to manage B2C authentications.
to configure Tableau with Azure Active Directory I suggest you use SAML as described in official documentation:
Tableau SAML
https://help.tableau.com/current/server/en-us/saml.htm
Azure B2C SAML
https://learn.microsoft.com/en-us/azure/active-directory-b2c/connect-with-saml-service-providers
you should have something like the below
User navigates to the Tableau Server sign-in page or clicks a published workbook URL.
Tableau Server starts the authentication process by redirecting the client to the configured IdP (Azure B2C).
Azure B2C requests the user’s username and password from the user. After the user submits valid credentials, Azure B2C authenticates the user.
Azure B2C returns the successful authentication in the form of a SAML Response to the client. The client passes the SAML Response to Tableau Server.
5.Tableau Server verifies that the username in the SAML Response matches a licensed user stored in the Tableau Server Repository. If a match is verified, then Tableau Server responds to the client with the requested content
Related
Newbie to Microsoft SSO Authentication.
Have metadata, pubic cert and login url and Azure AD identifier and entityid.
When I was going through this SAML2.0 i see diff types of auth strategies like Federation Services, ADFS, Active Directory, Azure Directory... Getting confused and trying to visualize the type of authentication these details support.
https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-nodejs-webapp-msal
Can somebody point me what type of authentication that we can provide with below details ?
metadata, pubic cert and login url and Azure AD identifier and entityid.
Regards,
likki.
We install adfs on Windows Server operating systems. It extends on-prem identities managed within AD to cloud applications through both SAML and OAuth. AD FS is meant for on-prem environments and does not authenticate through Azure infrastructure; it only authenticates against Active Directory.
AAD mainly serves as a cloud-based user management, as well as offers SSO capabilities for web applications. In fact, it authenticates users to their applications in much the same way as AD FS. The difference is that AAD authenticates via the cloud and AD FS authenticates on-prem.
Federation - When you set up SSO to work between multiple identity providers, it's called federation. An SSO implementation based on federation protocols improves security, reliability, end-user experiences, and implementation.
With federated single sign-on, Azure AD authenticates the user to the application by using their Azure AD account. This method is supported for SAML 2.0, WS-Federation, or OpenID Connect applications. Federated SSO is the richest mode of SSO. Use federated SSO with Azure AD when an application supports it, instead of password-based SSO and Active Directory Federation Services (AD FS).
So, if you want authenticate with cloud users you can go with azure ad or else if you want to use your on-premise user identities authenticate users for the application you can go with ADFS.
You can find more information here What is single sign-on? - Azure AD | Microsoft Docs
We have the following scenario:
an Angular app accessing a Web Api backend
our own user database
We are planning to use a third-party identity solution such as Azure AD B2C, AWS IAM or Auth0. To my surprise, I found that Auth0 has an integration with on-premise Active Directory, but Azure AD B2C seems not to support this (at least not that I could find out)
We want to get to the following scenario:
an Angular app accessing a Web Api backend
third-party identity solution that manages the users of the angular app (preferably Azure AD B2C)
users need to authenticate via the identity solution (e.g. using a social account)
some users are in an existing on-premise AD and also need to be able to access the angular app
So my problem basically is : if we would use Azure AD B2C, how can we let users that are defined in an on-premise AD, authenticate in our Angular app? Or with other words: can an on-premise AD be an identity provider for Azure B2C?
This scenario can be solved with AD B2C custom policies.
I found that Auth0 has an integration with on-premise Active
Directory, but Azure AD B2C seems not to support this (at least not
that I could find out)
One way I know to make this work through ADFS. Where you can Integrate ADFS in B2C. I will update this answer if I know any other way of doing this.
Update Start
You can use Shibboleth and Okta servers apart ADFS server.
Update End
users need to authenticate via the identity solution (e.g. using a
social account) some users are in an existing on-premise AD and also
need to be able to access the angular app
If you use custom policies, you can achieve all of these scenarios. You can integrate both social accounts and AD via ADFS (On Premise ADFS server which give access to On Premise AD users)
if we would use Azure AD B2C, how can we let users that are defined in
an on-premise AD, authenticate in our Angular app? Or with other
words: can an on-premise AD be an identity provider for Azure B2C?
As I said this is possible through ADFS server. All you need to do is enable ADFS service on your server and add Relying Parties and make B2C consume and allow your AD users to login with B2C.
Warning: If at all your server not have ADFS enabled first try it on other test server.
ADFS in custom policies can found at: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-setup-adfs2016-idp
I am using Azure B2C to connect my own openid connect server using OpenID onnect (Preview) provider. I configured every thing, system is working fine.
But one thing is when a new user logs in through my own openid connect server, Azure AD B2C creates this user in Azure AD which is connected to Azure B2C.
My intention is that, My client application has to call Azure B2C. Azure B2C should display list of identity providers. one among those providers is my own openid connect server. Then user can input his credential in my own openid connect server and verified and return back to Azure B2C with id_token. after this step Azure AD B2C is asking me to create this user in Azure AD. why this is happening ?
I cannot provide my user details to any intermediate systems. Please help me on this.
The same scenario is happening for gmail users also. but only first time login or when we change some signin policy attributes.
Based on my experience, even for externally authenticated users (social sign-in) AAD B2C always creates an object in its local store (which is actually an Azure AD directory). I can't speak authoritatively, but a couple of reasons for this would be 1) the ability to generate and maintain an immutable ID for a user that is somewhat independent of the social IdP, and 2) the ability to collect and store additional attributes which are not available from the social IdP.
I believe you can make the process invisible to your users - they don't necessarily have to be prompted to enter additional attributes or to create a user - but it will still happen in the background.
We have chosen Azure AD for authenticating users for the Enterprise Web applications developed using MVC and hosted on Azure Cloud Platform.
We are trying to plan & develop a common portal for the users to which they can login using Azure AD login screen. This Portal will display the links to the cloud applications to which the user has access and they could access the cloud application from this portal.
Please let me know whether this is feasible since I have read in many places that the Azure AD token assigned to the user from Azure AD is valid only for one resource or registered application. Does that mean that when they try to login into another Cloud application registered to the same Azure AD from the portal, they will need to login again or re-use the Azure AD token for the portal in the browser session cookie for logging into the other applications?
It's true that your users authenticate against an application registered in Azure AD and that the issued token is only valid for that application.
However, the user establishes a session with the authorization server (Azure AD) and will not be prompted for credentials when redirected there to authenticate against another registered application.
So your portal page can just contain links to the URLs for the applications. Each application redirects the user to Azure AD for authentication and the user is only prompted for credentials for the first application he/she logs in to.
We are developing a multi-tenant application and would like to be listed on Azure and support Azure AD as an IdP for our customers. However, a few customers that already have ADFS 2.0 setup didn't like the idea of sync'ing all accounts and passwords to Azure AD. So, is there anyway that when Azure AD receives a login request, somehow, have it redirect to ADFS and let ADFS do all the magic and return a token back to Azure AD which then returns JWT (using OpenID Connect) to our application?
I know that ACS supports such scenario but we are worried that Microsoft would soon drop support for it.
Thanks!
This document details how your customers can federate their ADFS instance with Azure AD:
https://technet.microsoft.com/library/dn550987.aspx