How to add an application to Azure AD with SSO option SAML - azure

I have created an application within the Enterprise applications tab and I don't have an option to Setup Single Sign-On. How can I add the SAML Sigle Sign-On option to my custom application? thanks.
expected getting started options:
actual getting started options:
Also the Single sign-on tab under the Manage options shows me the message like this:

The message in the 3rd screenshot has told you about the reason.
Your SampleWebApp was created using the App registration experience. This kind of enterprise application doesn't support to configure SSO.
Only those created directly in Enterprise application experience can be configured SSO.
See the Prerequisites here.
In this document, you can learn how to add an app to your Azure AD tenant.
You can find this content:

Related

Using the new Application Registration results in an error message on login

I have a legacy B2C application that runs just fine. I decided to upgrade to the new 'experience' since the message said they're discontinuing the old legacy blade as of Nov-21. So I followed the instructions on this page:
AAD B2C specifics
When I start up the application, I get this message:
Switching back to the legacy application results in a working login screen.
• Since your Azure AD B2C application is a ‘PublicClientApplication’, it has the property of ‘UseCorporateNetwork’ which is a Boolean that enables the application to benefit from Integrated Windows Authentication and SSO as these are cross platform capabilities. Thus, set this property to ‘true’ in ‘package.appxmanifest’ by enabling the capabilities, viz., Enterprise Authentication, Private Networks(Client & Server) and Shared User certificate.
Also, as IWA is not enabled by default as applications requesting the above type of authentication require a higher level of verification to be accepted for social identities using MSAL .NET.
Kindly check the ‘RedirectURI’ of your new Azure AD B2C experience as it may get overridden by that in ‘UserDetailsClient\App.cs’. Hence, replace the ‘RedirectURI’ in your Azure AD B2C application by the one that is overridden in ‘UserDetailsClient\App.cs’ along with the msal://auth. Maybe, this should resolve your issue. For more details, kindly refer to the below Github link below: -
https://github.com/Azure-Samples/active-directory-b2c-xamarin-native/issues/28
To anyone running into a similar problem, I discovered two very interesting reasons for this problem:
In the legacy, you could share applications between your web API and your client. In the new workflow, you need one 'application' for your Web API, and a distinct 'application' for your clients.
This code seemed important to getting the new flow to work:
this.PublicClientApplication = PublicClientApplicationBuilder
.Create(this.ClientId)
.WithIosKeychainSecurityGroup(this.KeychainGroup)
.WithRedirectUri(this.RedirectUri)
.WithB2CAuthority($"https://{this.AuthorityHostName}/tfp/{this.Tenant}/{this.AuthorityPolicy}")
.Build();
The 'WithRedirectUri' got me past the original error posted above.

Azure custom application SSO using SAML and azure active directory

I’m kind of new to azure active directory. What I'm trying to achieve is:
I have a .net core application (backend api) which will be called using an angular application.
My requirement is to authenticate and enable single sign on using azure active directory.
With some time spent, I came to know that there are 2 ways to do this,
Using OpenID Connect
Using SAML
I would like to do using SAML. I tried implementing SAML SSO as follows:
I registered one application under Active directory which redirects
to my angular application. I also read that, any application we are
registering in App registrations will use OpenID by default and
there is no UI available to make it as SAML but we can do the same
using manifest.
We can register application using Enterprise applications to enable
SAML
My question is,
Is there a way we can authenticate and enable SSO in my application
registered using App registrations?
What options I should choose to enable SAML SSO while registering
enterprise application? If I select my registered application in
enterprise application it gives me the following:
The single sign-on configuration is not available for this application in the Enterprise applications experience. localhost was created using the App registrations experience.
Please go to localhost in the App registrations experience to edit properties such as reply URLs, identifiers, claims, among others. Your account should have the required permissions (Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the app object).
What will be the code changes in my angular and .net core
application?
Any reference would be very helpful.
TIA
You can't do it from App Registrations but you can do it from the Enterprise Application experience. To set up SAML SSO you need to go to the application > Manage > Single Sign-On > Select SAML. The Quickstart goes through all of the steps for setting up SAML SSO from Enterprise Applications.
For Basic SAML configuration values, see Configure SAML Single Sign-On.
You can use the SAML toolkit and accompanying samples to test the SAML single sign-on integration with Azure AD
I agree with Marilee's, her answer has provided some related documents on how to create an enterprise app and how to enable SSO with the app.
What I wanna add is that I think you need to figure out which app you are willing to connect together with SSO, I mean that you just said 'an angular application', so there's only one app, how does it relate to SSO ? And if you just need to sign in both frontend app and backend app, this document may help.
Wish you could solve it soon, and if you met more questions, pls add details.

Microsoft Azure Active Directory - Cant Add App From App Directory - OpenID Connect-based Sign-on

I have a purchased account of Microsoft Azure portal, but I cant add an Application from Enterprise Application directory specifically that Application who is having single sign-on mode: OpenID Connect-based Sign-on, it shows Add button as disabled., however, i can add any other application who is having any type of single sign-on modes like SAML-based Sign-on or Password-based Sign-on
URL
screencast1
screencast2
is there setting anywhere that I have disabled unknowingly?
PS : its not only about one app, i can't add any live app whose SSO is openId connect, in screencast i have given an app just to show disability of add button. so its not about infonix specific an app its General.
By default, Infolinx works with Azure AD. To get started, sign up for Infolinx using an account in your instance of Azure AD.
Suggest you to contact Infolinx, in case if you have any difficulties in sign up.

OpenID Connect log in in with Office 365 and spring security

I need to configure OpenID Connect using a Spring Security filter to authorize the consumption of my Rest API Web. I found a Google Login Example, but in my case I need it for Office365. I created my app in Azure and I have configured the corresponding properties. When I try to access my REST API it redirects me to the office login and when I enter the correct credentials this exception is thrown:
I don't know the cause for this particular exception, but generally there is a good tutorial at Microsoft Azure developer pages that explains how to use Spring Boot, Spring Security for authentication at Microsoft Azure Active Directory:
https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory
With this implemented you can login at your web application with a Microsoft account.
In section "Add an application registration for your Spring Boot app" at step 2 you can choose whether you (or your app) want to support accounts single tenant, multi tenant or even personal Microsoft accounts (Skype, Xbox, ...).
There are only three two differences (in 08/2020) between tutorial and my working test-application:
you've got to set both properties "oauth2AllowImplicitFlow" AND "oauth2AllowIdTokenImplicitFlow" to "true".
the property in application.properties seems to be "azure.activedirectory.active-directory-groups" instead of "azure.activedirectory.user-group.allowed-groups"

ADAL JS - response_type="token" is not supported

I'm using adal js to auth with Azure AD. I have webApp and webApi. Pretty much my apps follow this sample https://github.com/AzureADSamples/SinglePageApp-WebAPI-AngularJS-DotNet .
I was able to login to my webApp and adal.js successfully acquired a token for my webApi and injected it into a request. All was working until recently. Then token acquisition for webApi stopped working with error:
"response_type 'token' is not supported for the application"
renewToken is failed:AADSTS70005: response_type 'token' is not supported for the application
Trace ID: 104c18e3-eb6e-42a4-a292-c6f170f27f65
Correlation ID: c2e65622-0c58-473a-8184-b3056fb1af58
Timestamp: 2015-03-27 22:53:12Z
I can clearly see that adal.js is building a request and puts "response_type=token" into a query string. So, my assumption is that something changed on Azure AD side.
I found one article that correlates response_type=token to implicit grant flow. I confirmed that my webApp has "oauth2AllowImplicitFlow" enabled. I have contacted MS support and waiting for resolution. Meanwhile, I wanted to share this with community and see whether someone has any information regarding the issue.
Thanks
If you are building client-side app, you need to enable Implicit flow from the application manifest.
"oauth2AllowImplicitFlow": true,
Open your application configuration azure portal, and download the manifest file from "Manage Manifest" menu.
search for oauth2AllowImplicitFlow and change the value to true.
upload the file again through the same menu.
Logout and login again to your app and it will work will a charm.
It can also be configured via the Azure AD portal:
From the application page, click on Authentication, and under Advanced Settings, select the checkboxes next to Access tokens and ID tokens to enable OAuth2 implicit grant for the application.
more info about OAuth2 Implicit flow >> link:
The implicit grant type is used for mobile apps and web applications (i.e. applications that run in a web browser), where the client secret confidentiality is not guaranteed...
recreating my webApp fixed the issue. I'm still investigation the root cause with MS. Manifests for two apps aren't different except their AAD Client IDs.
UPDATE
see my comments for resolution

Resources