What does the Riddler service do in the Fluid Framework reference service? - fluid-framework

The Riddler service does not have explicit documentation at the package level and is not addressed in the Routerlicious service.
There is some code-level documentation:
Riddler manages the tenants and then gives them to server for Alfred and Historian.
How should I be thinking about Riddler? Especially in relation to Alfred and Historian.

Riddler manages Tenants. In Routerlicious a tenant is a secret key & unique identifier pair. A tenant is usually a company or user group. The secret key is used to sign JWT tokens and the unique identifier identifies the tenant.
For example, during a hackathon we would give each hackathon team a different tenant. If we had a production service, we would give each company a different tenant.
Riddler lets you create and manage these tenants in Routerlicious.
In contrast, Historian and Alfred consume this tenant information. Historian and Alfred are not responsible for creating new tenants (new secret key, unique identifier pairs).

Related

Is it okay to rely on idp guid when linking accounts in a multi-tenant configuration?

I've successfully implemented the following sample/custom policy in our B2C configuration:
A B2C IEF Custom Policy which links a Federated login against a pre-created Local Account
Users from an Azure AD are allowed to login to our application if a Local Account exists. This Local Account includes a custom field that points to the oid of the AD user that wishes to login.
However, the sample is for single-tenant. I'm in the process of adjusting it for multi-tenant.
When linking an Azure AD user, is it okay to depend on the uniqueness of the guid/oid? Is the fact that a guid could be generated twice (even though it's really unlikely) a security risk? I.e. a second user with the same guid could have access to data they're not supposed to see?
I'm assuming it's not an issue within a single tenant - each user inside a single Directory needs to be unique. But is that true across all Azure AD Directories? Could one machine generate the same guid for two users across two different Directories?
Am I better off figuring out how to compare against the issuer and the issuerUserId in combination?
• The ‘issuer’ and ‘issuerUserId’ input claims values represent the ‘socialaccountprovider’ or the ‘identityprovider’ and the ‘value’ of the key claim in base64 encoded format respectively. Thus, the issuer value represents the social identity provider which provides the identity details for logging in to the Azure AD B2C application while the issueruserID represents the secret value that is used by the IDP or that social identity provider for providing the identity details in an acceptable encrypted format to Azure AD B2C.
• And AFAIK, GUID for an Azure AD user is unique as it itself abbreviates for Globally Unique Identifier. Also, in Azure, every user has a unique object ID no matter where the user comes from because the object ID is GUID format, and it will generate a unique GUID for each user when adding a user to Azure AD.
But there could be two identical object IDs (GUIDs), although the probability is very small (very, very small: for example, if you have 100,000,000 users across all your AAD domains, the probability that two object IDs are the same is about 1/3.4×10^30, so you can ignore it). You need to perform a validation to guarantee the uniqueness of object ID and GUID in a domain, so in AAD the GUID is generated based on machine information, current time, and other factors.
Thus, when you are talking about generating the same GUID for two users across different directories, you should think that for identifying a user, the object ID as well as tenant ID is used. In this case, if the object ID is unique then the tenant ID is useful to find the user in a multitenant scenario. For more information, kindly refer to the below links: -
Azure Active Directory User Object Id (Guid) uniqueness across all AAD domains
https://learn.microsoft.com/en-us/azure/active-directory-b2c/social-transformations

Uniquely identify users from access token in multi-tenant Azure AD app

I have a multi-tenant Azure AD app to which users from multiple tenants will sign in and get access tokens for themselves. These tokens will be passed to my web app. I'm trying to figure out how to uniquely identify a user. Within the same tenant, object id is a unique identifier. But when users from multiple tenants are accessing my app, how do I uniquely identify them? Will I get the home tenant Id of the user in the access token?
We can uniquely identify the users from different tenants using their alias name such as User principal name, User's objectID.
In Azure AD, UPN is the User Principal Name. It is always in the format which looks like an email address. Essentially it has 3 parts: user account name, the separator (i.e. # symbol) and UPN suffix or domain name. Its primary purpose is to use during the authentication and represents user identity.
Example: Tailspin sells subscriptions to its SaaS application. Contoso and Fabrikam sign up for the app. When Alice (alice#contoso) signs in, the application should know that Alice is part of Contoso.

User and organization management in Azure AD and Azure B2C

After a lot of research I am still confused about using Azure AD. Here is what I want to achieve.
We maintain users in the following order in SQL Server:
Organization
Team
User
There can be multiple organizations and a user can belong to multiple organizations, but his/her role will be different, like Agent or Team leader or Team manager.
I want to move away from this structure and create the same in Azure AD and authenticate users via Identity provider. How to maintain same sort of structure in Azure AD?
I am looking for a solution with minimal code changes. Any thoughts on this??
You can use Groups in AAD to achieve something similar.
Currently, the following scenarios DO support nested groups:
The concept (you can add groups as members of other groups)
Group membership claims (when an app is configured to receive group membership claims in the token, nested groups the signed-in user is a member of are included)
Conditional access (when scoping a conditional access policy to a group)
Restricting access to self-serve password reset
Restricting which users can do Azure AD Join and device registration
The following scenarios DO NOT support nested groups:
App role assignment (assigning groups to an app is supported, but groups nested within the directly assigned group will not have access), both for access and for provisioning
Group-based licensing (assigning a license automatically to all members of a group)
Office 365 Groups
See the product feedback page and add your suggestions if you need something more complex than what AAD currently supports.

Differentiate between MS personal and business account

I have two Microsoft emails. One is a personal account and the other is a business account. Using the Microsoft Graph API / Azure endpoint (since I am authenticating users using Azure), is it possible to identify the type of account associated with the email?
Have a look at the tenant ID.
Taken from documentation:
A GUID that represents the Azure AD tenant that the user is from. For work and school accounts, the GUID is the immutable tenant ID of the organization that the user belongs to. For personal (Microsoft) accounts, the value is 9188040d-6c67-4c5b-b112-36a304b66dad. The profile scope is required in order to receive this claim.
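The three answers above converge on one rule for a multi-tenant app: identify a user by the (tenant id, object id) pair, never by object id or UPN alone, and read the account type off the `tid` claim. The following added example (not from any of the answers, and not Microsoft library code) applies that rule to the claims of a token whose signature has already been validated. It derives a stable user key from `tid` and `oid`, accepts the long-form claim URIs from the anonymization question further down as aliases, cross-checks that the issuer names the same tenant, and classifies the account as personal when `tid` equals the constant quoted in the answer above. The GUIDs, UPNs and the `userKeyFromClaims` name are constructed for the example.

```javascript
'use strict';

// Tenant id Azure AD places in `tid` for personal Microsoft accounts
// (the value quoted in the answer above).
const PERSONAL_ACCOUNT_TID = '9188040d-6c67-4c5b-b112-36a304b66dad';

// Long-form claim URIs some token libraries surface instead of the short names.
const CLAIM_ALIASES = {
  tid: ['http://schemas.microsoft.com/identity/claims/tenantid'],
  oid: ['http://schemas.microsoft.com/identity/claims/objectidentifier'],
};

function claim(claims, name) {
  if (claims[name] !== undefined) return claims[name];
  for (const alias of CLAIM_ALIASES[name] || []) {
    if (claims[alias] !== undefined) return claims[alias];
  }
  return undefined;
}

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Derive the application's user key from already signature-validated claims.
// `oid` is only unique within a tenant, so the key is the (tid, oid) pair;
// upn/name are display data that can change and must not be used as the key.
function userKeyFromClaims(claims) {
  const tid = claim(claims, 'tid');
  const oid = claim(claims, 'oid');
  if (!tid || !oid) throw new Error('token lacks tid/oid; cannot identify user');
  if (!GUID_RE.test(tid) || !GUID_RE.test(oid)) throw new Error('tid/oid are not GUIDs');
  // Defence in depth: a v1 or v2 issuer URL embeds the tenant id; it must agree with `tid`.
  if (typeof claims.iss === 'string' && !claims.iss.toLowerCase().includes(tid.toLowerCase())) {
    throw new Error('issuer does not match tid');
  }
  const tidLower = tid.toLowerCase();
  return {
    key: `${tidLower}:${oid.toLowerCase()}`,
    accountType: tidLower === PERSONAL_ACCOUNT_TID ? 'personal' : 'work-or-school',
  };
}

// Constructed claim sets covering the cases discussed in the thread.
function demo() {
  const contoso = '11111111-1111-1111-1111-111111111111';   // constructed tenant id
  const fabrikam = '22222222-2222-2222-2222-222222222222';  // constructed tenant id
  const oid = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa';       // constructed object id
  const issuer = (tid) => `https://login.microsoftonline.com/${tid}/v2.0`;

  const alice = { iss: issuer(contoso), tid: contoso, oid, upn: 'alice@contoso.example' };
  const aliceRenamed = { ...alice, upn: 'alice.smith@contoso.example' };   // UPN changed
  const fabrikamUser = { iss: issuer(fabrikam), tid: fabrikam, oid, upn: 'bob@fabrikam.example' };
  const personal = {
    iss: issuer(PERSONAL_ACCOUNT_TID), tid: PERSONAL_ACCOUNT_TID,
    oid: 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb',
  };
  const legacyClaimNames = {
    'http://schemas.microsoft.com/identity/claims/tenantid': contoso,
    'http://schemas.microsoft.com/identity/claims/objectidentifier': oid,
  };

  const safe = (c) => { try { return userKeyFromClaims(c); } catch (e) { return { error: e.message }; } };
  return {
    alice: safe(alice),
    aliceRenamed: safe(aliceRenamed),
    fabrikamUser: safe(fabrikamUser),          // same oid, different tenant -> different key
    personal: safe(personal),
    legacy: safe(legacyClaimNames),
    missingTid: safe({ oid }),
    issuerMismatch: safe({ ...alice, iss: issuer(fabrikam) }),
  };
}

console.log(demo());
```

The hypothetical same-`oid` user in Fabrikam is exactly the cross-directory collision the first question worries about: with the tenant id in the key, such a collision cannot map two users onto one record, while a UPN rename leaves the key unchanged.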

How can I anonymize outgoing AzureAD/B2C Tenant ID?

Assume I purchase a multitenant application (HR software) located in Azure AD Tenant 1. (synonymous to a resource forest).
I also purchase a health application owned by a different company located in Azure Tenant 2.
I don't own administrative rights to Tenant 1 nor 2.
Question 1
As the administrator of an Office 365/AzureAD forest, how can I allow users to log in to those tenants, but prevent the correlation of their user IDs between applications I don't own?
In other words, I don't want a hacker, or other entity to collude and "join" data between application 1 and application 2.
The values I'm concerned about include:
TenantIdentifiers
http://schemas.microsoft.com/identity/claims/tenantid:
iss:
UserIdentifiers
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier:
http://schemas.microsoft.com/identity/claims/objectidentifier:
name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname:
Question 2
What other values besides the ones listed above should I be concerned about colluding to reconstruct an anonymized user? (e.g. msft graph, office APIs, etc)
The unique identifier of the user along with the tenant are always passed in regular Azure AD. You can't really do anything about it.
Those attributes are needed by applications. The tenant id is used to know what your subscription is, what data you have access to etc. The user object id can be used to identify the user, since the user principal name can be changed.
But your tenant's users can't log in to those tenants without them being added as guests there, and them accepting it.
Typically those apps you buy a subscription for are multi-tenant, so your tenant admin must allow sign-in to that app. After that is done your tenant's users can sign in there. In this case they are still signing in to your tenant, but the app has been given permissions in your tenant through the service principal created for it.
As for Azure AD B2C, you can affect what claims are given to the applications. But the gotcha is of course that B2C does not support multi-tenant applications. Not yet at least. Later we might be able to also allow Azure AD authentication in B2C. But even then the application owner controls the claims and the application.