IBM App ID and Multi-factor configuration - ibm-appid

We have a screen in our app that gathers the username and password.
Using that username and password, how do we authenticate with IBM AppID and support multi-factor authentication?
What IBM App ID API calls are needed and what parameters should be used?
We have the MFA working in the login widget, but we have custom screens that we need to support. The MFA is not working in the custom screens.

Related

Integrating Microsoft Authenticator with Web Application

We have successfully integrated our web application to utilize Azure AD for authentication using a SAML2 component called SAML SSO from ComponentPro, but our application also provides for a user to sometimes submit their Username and Password (it's configurable) in order to check in a document or approve a revision. SAML has no provision for passing a username and password back to the IdP for "re-verification," so that's not an option.
What we'd like to do in this case is to integrate the Microsoft Authenticator tool so that when using Azure AD as the Authentication source, instead of prompting the user for their username and password, we prompt them for their Authenticator code that corresponds to their Business-created Azure Active Directory Account.
We've created the Microsoft Application, have the Application ID and the Application Secret Password, but searching everywhere, I can't find anything to finish this seemingly simple task.
Your assistance will be greatly appreciated!
All The Best,
John
Have a look at this https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-connectors
MFA (including the Authenticator app) and OTP-only authentication are available with Azure AD (Now even with the Azure AD free plan) and the link offers some more information on how to integrate with your application.

Authenticate to Azure AD Without Credentials

In normal Azure AD authentication we will authenticate to Azure AD using a valid AD username and password. But consider a situation,
In our current situation there is no user present. Instead of that we have only a physical device like (iPhone / Android) Phone present.
So my doubt is, without a valid username & password is it possible to authenticate to Azure AD by using a Device ID or IME Number.
In my use case, I am creating a retail mobile application in which a sales man and a shop present, for salesman we have a username and password. But for the shop the retail outlet, our client will give a physical device; So by using the ID or configuring it in Azure is it possible to bypass the login.
So my doubt is, without a valid username & password is it possible to
authenticate to Azure AD by using a Device ID or IME Number.
No, it's not possible to achieve this.
Why:
For Native Application, Azure AD use OIDC/OAuth 2.0 for authorization and authentication. This also needs to user sign in AAD with their credentails:
For your scenario:
I understand what do you want to approach. But it's not possible. Although AAD is very powerful, but it cannot leave out User Identity. Even Intune is a device management service and can mange mobile devices, but it also needs to enroll devices with a user identity.
One method which can leave users sign in is Oauth client_credentials flow, but it's for service to service call. It's not for Native Application and even this flow cannot use device ID.
So, what I suggest is :
Though use Device ID to authentication is a easy way to do authorization, but AAD doesn't support this. If you feel it's trouble to let user login your app with user credentials, you can try to use AAD B2C. With AAD B2C, the user can use social account to sign-up and sign-in your application.
Hope this helps!

How can I authenticate a windows app with AAD B2C without the B2C login pages?

I have an mvc app that provides both a website and a webapi. I'm happily authenticating users of the website. Now I need to allow a windows app to call the web api methods directly. I don't want the windows app to redirect to a login page. I need the windows app to hold either a secret key or a username/password. That way it can authenticate itself automatically.
I'm concerned that it seems b2c cannot handle client credential flow - which I think I want. Is there a way to silently provide the username and password to B2C?
Azure AD B2C does not implement client credentials or ROPC flows of OAuth2. But ROPC is on Azure AD B2C roadmap.
In your case, if you have multiple users using the Windows Application, then you need ROPC because the token retrieved using that mechanism has user context (achieved via user authentication).
Using client_credentials flow means that your Windows Application needs to keep the secret and will authenticate as application only, without any user context. This is ok for daemon and background processes running in a protected environment, but not for apps that you expect to be used by users.
At this point, your best option will be to redirect to Azure AD B2C login pages. Although it is not the same as native experience, the advantages here are that if as you add more options (e.g. MFA, string and language customization, new login options in the future), your client application will not need to be changed, and all your UIs will get those features.

[Azure Mobile App Service]How to login without password on Facebook sign-in?

I activated Facebook sign-in with Azure's Mobile App Service, but the service asked to enter an ID and password.
Instagram or other famous application can login without entering the password as "Continue as a Name" if it is already logged in to FaceBook.
I would like to authenticate Facebook on Azure without entering ID or password, how can I do it?
For Server-managed authentication, your app would authenticate the user through a web view. I checked the server-flow in my Xamarin.Forms app, and found you need to enter the Facebook account info for logging. While browsing the mobile app via the browser, the login page would show "Continue as a Name" if I have already logged in to FaceBook (www.facebook.com).
Note: When using sever-flow, the page asking for Facebook account is under Facebook domain, Azure would not peek or save your Facebook account info.
I would like to authenticate Facebook on Azure without entering ID or password, how can I do it?
Based on your scenario, you need to leverage Client-managed authentication in your mobile app, and you need to install the Facebook app on the device for test. Additionally, you cannot install other apps on the iOS simulator and there may be restrictions on the Android Emulator. So, you generally need to test client flow for social providers on an actual device.
If you integrate the Facebook SDK, then your app will automatically switch to the Facebook app and ask you to approve the authentication request there. For how to integrate the Facebook SDK, you could refer to Facebook login for iOS and Facebook login for Android.

How to create API on Azure App Service with email, Facebook and Google login options?

I saw on Azure Portal that we can enable authentication using Facebook, Google, Twitter and Microsoft Authentication Providers, but there is no option to allow users to use their email and chosen passwords.
How can I allow these 3 options (remembering that the user can link the chosen email and password to a Facebook account for instance)?

Resources