Custom login form for Azure webapp with SAML authentication - azure

We are currently developing a new web app with Azure B2C as IdP. The authentication method is SAML 2.0, and everything is working well. But when a user wants to log in, the web app redirects the user to the Microsoft login form; is it possible to use our custom login form?
I know there are some possibilities to rebrand the login form, like the logo and background, but it still has the Microsoft look and feel. I tried to create a user flow in Azure B2C, but I don't have the option to choose the authentication method SAML.

No.
This is standard across all Microsoft security products e.g. ADFS.
You always have to use the Microsoft login screen.

Related

python3-saml and Azure AD - missing a point

Good afternoon experts,
I have a Django web application (it is not internet-facing) and so far I have used django.contrib.auth.backends.ModelBackend to authenticate the users.
However, I want to integrate this webapp with an existing SSO solution (like Azure AD), so I thought python3-saml would be a good library to use (more specifically, I use python3-saml-django, but it is just a wrapper around python3-saml).
Probably I am missing some fundamental point, as I don't really understand how this should work.
When I used ModelBackend, I had a login form where the user could type their username and password, which were checked against the Django database, and the authentication was completed. Should the same work with SSO too? i.e. the login form appears, the user types their credentials, but they are checked in Azure AD instead of the Django auth tables? Or should the custom login form of that specific auth solution (in this case Azure AD -> Microsoft login form) be displayed...?
The LOGIN_URL setting is configured in my Django app, so if no user is logged in then my login form appears automatically.
I also set the AUTHENTICATION_BACKENDS setting, and it points only to django_saml.backends.SamlUserBackend.
I configured Azure AD (registered the app and added a user; I tested it in the Azure AD console), hopefully correctly. I also populated python3-saml's settings.json with the login/logout URL, etc.
Whenever I try to log in with the Azure AD user I get an auth error (the user and password did).
I am just wondering if somebody could shed some light on how this should work? Can I debug the SAML requests / responses?
Auth is token-based in Azure AD, and it will redirect the user to the Microsoft login. You will receive an auth token which you can then use for authorization and providing secure pages.
First register your app in the Azure portal in Azure Active Directory and also create a user flow.
Then download MSAL for Python (using pip), which is used for auth with Azure AD in Python.
The basic architecture is that when the user tries to log in the Microsoft login page will be shown; after signing in, your app will receive a token which you should then use to show the logged-in pages.
References:
quickstart for auth in python
userflow
MSAL Library
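The question above also asks how to debug the SAML requests and responses. With the SP-initiated HTTP-Redirect binding, python3-saml deflates and base64-encodes the AuthnRequest into the SAMLRequest query parameter, so the first thing to check when the IdP returns an auth error is whether the Issuer (SP entity ID) and AssertionConsumerServiceURL in that request match what was registered on the IdP side. The following is an added, stand-alone example written for this page, not code from python3-saml or the question's project: it encodes a constructed AuthnRequest the way the redirect binding does, decodes it back, extracts the fields that matter for troubleshooting, and compares them against what the SP's settings.json is assumed to contain. All URLs, IDs and the timestamp in the sample are made up.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AuthnRequest (not captured from a real deployment).
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_constructed-0001" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'Destination="https://login.microsoftonline.com/example-tenant/saml2" '
    'AssertionConsumerServiceURL="https://app.example.invalid/saml2/acs/" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer>https://app.example.invalid/saml2/metadata/</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect_binding(xml_text: str) -> str:
    """Raw-deflate, base64 and URL-encode an XML message as the HTTP-Redirect binding does."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    raw = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode("ascii"), safe="")


def decode_saml_message(param: str) -> str:
    """Reverse the encoding of a SAMLRequest/SAMLResponse parameter taken from a URL or form.

    Redirect-binding messages are deflated; POST-binding messages are base64 only,
    so fall back to plain decoding when inflation fails.
    """
    data = base64.b64decode(urllib.parse.unquote(param))
    try:
        return zlib.decompress(data, -15).decode("utf-8")
    except zlib.error:
        return data.decode("utf-8")


def summarize_authn_request(xml_text: str) -> dict:
    """Pull the fields an IdP validates out of an AuthnRequest.

    For messages from untrusted parties use defusedxml instead of xml.etree;
    the stdlib parser is used here only because the input is our own sample.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "binding": root.get("ProtocolBinding"),
    }


def find_mismatches(summary: dict, sp_entity_id: str, sp_acs_url: str) -> list:
    """Compare the decoded request with the entityId/ACS the SP believes it configured."""
    problems = []
    if summary["issuer"] != sp_entity_id:
        problems.append(f"Issuer {summary['issuer']!r} != SP entityId {sp_entity_id!r}")
    if summary["acs_url"] != sp_acs_url:
        problems.append(f"ACS {summary['acs_url']!r} != configured ACS {sp_acs_url!r}")
    return problems


if __name__ == "__main__":
    # Simulate what the browser sends, then inspect it as you would from a HAR file.
    param = encode_redirect_binding(SAMPLE_AUTHN_REQUEST)
    summary = summarize_authn_request(decode_saml_message(param))
    print(summary)
    print(find_mismatches(summary,
                          "https://app.example.invalid/saml2/metadata/",
                          "https://app.example.invalid/saml2/acs/"))
```

In practice you copy the SAMLRequest value from the browser's network tab (or a HAR export) into decode_saml_message, and the SAMLResponse from the POST back to the ACS the same way; the response's Destination and Audience must equal the SP values the IdP was registered with, which is the usual cause of an opaque "auth error" after the credentials themselves were accepted.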

Does Azure AD B2C allow login on the custom domain login page instead of https://<tenant-name>.b2clogin.com page?

I have registered an application in Azure AD B2C. Once I try to access the application's login URL (e.g. https://contoso.com/api/v1/login), it redirects the request to the Azure AD B2C URL (e.g. https://contoso.b2clogin.com). On successful login it redirects to the application home page (e.g. https://contoso.com/api/v1/home).
Is it possible to achieve the same functionality by providing the user's login credentials on the application login page (https://contoso.com/api/v1/login) itself and not redirecting to the Azure AD B2C login page? The backend application could validate the user using the Azure AD B2C URL behind the scenes and return the authentication token on successful login.
Please suggest, and provide some Node.js code if possible.
You can use B2C Custom domains for a better user experience:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-domain?pivots=b2c-user-flow
Update:
Using MSAL 2.0 without implicit flow in your app registration allows it to open a popup.
Node info here.
It is possible by using the ROPC flow - https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-user-flow
You should keep in mind, though, that OAuth2 best practice discourages using this flow - https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-13#section-3.4

Azure AD Single Sign On

My company has developed a web-based application for internal and external use. The application is developed with Angular + ASP.NET Web API and authorised by OAuth. Users have to use the username and password given by us to log in. The application works well. Recently, clients made a new request to log in to our system through Azure AD SSO. They want us to integrate their Azure AD.
Requirements:
On the login page, there should be a new option for users to log in to our system by connecting to their Azure AD.
Alternatively, if their employees are signed in to their system and then visit our website, they will be automatically logged in to our website without entering a username and password.
I have no knowledge about Azure AD SSO and still get confused even though I did some searching on Google. Can someone give me some advice or hints?
Using MSAL with Angular you can implement the Azure AD SSO login. There are multiple code samples and Microsoft documents available to achieve your requirement.
Please go through the documentation and code sample.
In the Angular sample there is a function, as shown below, which checks the user's credentials to see whether the user is already logged in or not.
checkoutAccount() {
  this.loggedIn = !!this.authService.getAccount();
}

Azure AD B2C and ADFS as SAML IdP. Code example?

I want users of my application to be authenticated against a couple of on-premises ADFS servers.
I set up Azure B2C working together with ADFS as a SAML identity provider.
The setup process is described here in the MS official docs: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-setup-adfs2016-idp
That was complicated, but now my custom policy B2C_1A_SignUpOrSignIn works, meaning that it redirects to the B2C login page with buttons first, then I click a button and the system redirects to the ADFS login page, which asks users for their login and password.
But how do I integrate it with a .NET or Node.js application?
Any code examples?
Samples for different platforms can be found at Azure Active Directory B2C code samples.
If a sample application references a built-in policy, such as "B2C_1_SignUpOrSignIn", then you must replace this with your custom policy.

How can I authenticate a windows app with AAD B2C without the B2C login pages?

I have an MVC app that provides both a website and a web API. I'm happily authenticating users of the website. Now I need to allow a Windows app to call the web API methods directly. I don't want the Windows app to redirect to a login page. I need the Windows app to hold either a secret key or a username/password. That way it can authenticate itself automatically.
I'm concerned that it seems B2C cannot handle the client credentials flow, which I think I want. Is there a way to silently provide the username and password to B2C?
Azure AD B2C does not implement the client credentials or ROPC flows of OAuth2. But ROPC is on the Azure AD B2C roadmap.
In your case, if you have multiple users using the Windows application, then you need ROPC, because the token retrieved using that mechanism has user context (achieved via user authentication).
Using the client_credentials flow means that your Windows application needs to keep the secret and will authenticate as the application only, without any user context. This is OK for daemons and background processes running in a protected environment, but not for apps that you expect to be used by users.
At this point, your best option will be to redirect to the Azure AD B2C login pages. Although it is not the same as a native experience, the advantage here is that as you add more options (e.g. MFA, string and language customization, new login options in the future), your client application will not need to be changed, and all your UIs will get those features.
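The distinction the answer draws, a token with user context versus an app-only token, is something the web API has to act on, not just the client. In Azure AD tokens, delegated (user-context) access tokens carry the granted scopes in the scp claim, while app-only tokens issued through client_credentials carry application permissions in the roles claim (and optionally idtyp set to "app"); a token with no user context must not be accepted on endpoints that act on behalf of a user. The example below is added for this page and is not code from the question's project or from Microsoft: it builds two constructed, unsigned test tokens, reads their claims, classifies the context and makes the authorization decision. It assumes the claim inspection runs after the usual library-level validation of signature, issuer, audience and expiry, which is deliberately not reimplemented here; the audience, issuer and object IDs in the samples are made up.

```python
import base64
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_test_token(claims: dict) -> str:
    """Constructed test token: header, payload and an EMPTY signature segment.

    Only for this offline demo; a real API rejects alg=none and verifies RS256
    against the tenant's published keys before any claim is trusted.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def read_claims(token: str) -> dict:
    """Decode the payload of a compact JWS (claim inspection only, no verification)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def token_context(claims: dict) -> str:
    """'user' for delegated tokens (scp present), 'application' for app-only tokens."""
    if "scp" in claims:
        return "user"
    if "roles" in claims or claims.get("idtyp") == "app":
        return "application"
    return "unknown"


def authorize(claims: dict, needs_user: bool, required_permission: str) -> bool:
    """Grant access only if the token has the right context and the permission."""
    context = token_context(claims)
    if needs_user and context != "user":
        return False  # app-only token on a per-user endpoint: no subject to act for
    if context == "user":
        granted = claims.get("scp", "").split()  # scp is a space-separated string
    elif context == "application":
        granted = claims.get("roles", [])        # roles is a JSON array
    else:
        granted = []
    return required_permission in granted


# Constructed claim sets; the IDs and URLs are placeholders, not real tenant values.
USER_TOKEN_CLAIMS = {
    "aud": "api://constructed-api", "iss": "https://login.example.invalid/tenant/v2.0",
    "sub": "user-subject-0001", "oid": "00000000-0000-0000-0000-000000000001",
    "name": "Constructed User", "scp": "Orders.Read Orders.Write",
}
APP_TOKEN_CLAIMS = {
    "aud": "api://constructed-api", "iss": "https://login.example.invalid/tenant/v2.0",
    "sub": "00000000-0000-0000-0000-000000000002", "oid": "00000000-0000-0000-0000-000000000002",
    "roles": ["Orders.Read.All"], "idtyp": "app",
}

if __name__ == "__main__":
    for label, claims in (("user", USER_TOKEN_CLAIMS), ("app", APP_TOKEN_CLAIMS)):
        decoded = read_claims(build_unsigned_test_token(claims))
        print(label, token_context(decoded),
              authorize(decoded, needs_user=True, required_permission="Orders.Read"),
              authorize(decoded, needs_user=False, required_permission="Orders.Read.All"))
```

The useful property for the web API in the question is that a daemon-style Windows client holding a secret can still be served by app-only endpoints checked through roles, while anything that must know which user is calling is refused unless a user-context token (obtained through a B2C login page, or ROPC once available) is presented.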