Currently our team has a web app and we use Angular as frontend and have azure app service for our backend API. We sorted our authentication with following the docs and it worked fine so far. We use code flow and our users are added to our AD in the azure portal.
If they land on our front end they are redirected to microsofts login page and are able to login with for example
user#myappdomain.com
password
One small thing I am not able to find in the documentation and is a requirement by clients, is it possible to login ( get an access token for our API ) with a login name without # sign or Identity Issuer.
For example:
userfromcompanyx
password
Excuse in advance for misused or wrongly interpreted jargon as English is not my native tongue. Does anyone have experience in this specific use case or can point me in the right direction? Appreciate all replies.
Currently, it is not supported with Azure AD
For you are scenario you can go with Azure Ad b2c where you can log in with a username or phone number without using an email id
Related
I am facing an issue with GCP and unmanaged users.
After using the transfer tool to invite someone in the organization, he unfortunately didn't read the email and the invitation timed out.
For some reasons I was not able to resend the invitation so I instead decided to create a new user.
However he keeps getting the following error now:
I checked the logs and I figured he is not using the same login type as other peoples, SAML is me and Google password being the user having the issue.
Can anyone help me on how to enforce using SAML on the authentication?
I am using Azure AD as IdP.
Thanks
This worked for me so I'll leave it here in case anyone struggle with the same issues.
In Azure Portal, select Enterprise Application and look for Google.
Then select Google Cloud/ G Suite connector
In Single sign-on ensure the contoso.com is replaced by your dns and ensure the last part framed in red is accurate to your own requirements.
Finally make sure you've enabled provisioning to have your users actually provisionned from Azure and not created in Google Workspace only.
Good afternoon experts,
I have a Django web application (it is not internet-facing) and so far I used the django.contrib.auth.backends.ModelBackend to authenticate the users.
However I want to integrate this webapp to an existing SSO solution (like Azure AD) so I thought python3-saml would be a good library to be used (more specifically I use python3-saml-django but it is just a wrapper around python3-saml).
Probably I am missing some fundamental point as I don't really understand how this should work.
When I used ModelBackend then I had a login form where the user could type their username+password which was checked against Django database and the authentication was completed. Should the same work with SSO too? i.e. the login form appears, the user will type their credentials but they will be checked in Azure AD instead of Django auth tables? Or the custom login form of that specific auth solution (in this case Azure AD -> Microsoft login form) should be displayed...?
The LOGIN_URL setting is configured in my Django app so if no user is logged in then automatically my login form appears.
Also I set the AUTHENTICATION_BACKENDS setting and it points only to django_saml.backends.SamlUserBAckend.
I configured AZure AD (registered the app and added a user, I tested it in Azure AD console) hopefully correctly. I also populated python3-saml's settings.json with login/logout URL, etc.
Whenever I try to log in with the Azure AD user I got an auth error (the user and password did).
I am just wondering if somebody could shed some light please how this should work? Can I debug the SAML requests / responses?
auth is token based in azure ad and it will redirect the user to the microsoft login. You will receive an auth token which then you can use to for authorization and providing secure pages.
First register your app in azure portal in azure active directory and also create a user flow.
Then download MSAL for python (using pip) which is used for auth using azure ad for python.
The basic architecture is that when the user tries to login the Microsoft login page will be shown, after signing in your app will receive a token which then you should use to show the logged in pages.
References:
quickstart for auth in python
userflow
MSAL Library
My company has developed a web-based application for internal and external use. The application is developed by angular + asp.net WebApi and authorised by OAuth. Users have to use the username and password given by us to login. The application works well. Recently, clients made a new request to login our system through Azure AD SSO. They want us to integrate their Azure AD.
Requirements:
On login page, there should be a new option for users to login our system by connecting to their Azure AD.
Alternatively, if their employees are connected to their system and then visit to our website, they will be automatically logged in our website without entering username and password.
I have no knownledge about Azure AD SSO and still get confused even I did some search on google. Can someone give me some advice or hints?
Using Msal with Angular you can implement the Azure AD SSO login. There are multiple code samples and microsoft documents available to achieve your requirement.
Please go through the documentation and code Sample.
In the Angular sample there is a function as mentioned below which verifies the user credentials if the user is already logged in or not.
checkoutAccount() {
this.loggedIn = !!this.authService.getAccount();
}
I am kind of confused about the integration process, so I hope to get some clearer guidance in my case.
Let say there is an existing web application(Angular + .Net Core) and I am working on the mobile version(Xamarin.Forms) for it. The web side and mobile side will share the same API backend for user authentication and other services.
So there is an existing tenant and related information (tenantName, tenantID, AppID, RedirectURL, policies, etc), and the redirectURL is for authorizing (https://.../authorize).
At first I thought I can directly used this information. I tried on the code sample and just replaced tenantName, tenantID ... When I clicked Log In button, it first showed me this error:
And then it directed me to the Sign In page. Finally, I signed in the web application in the simulator.
I feel like I should register the mobile app under the same tenant. If I want to help current web users log in the mobile version, how to integrate the existing Azure B2C properly with it for the authentication? Any hits would be appreciated. Thanks in advance.
Update:
I stayed stuck in the token part. I already enabled implicit grant. I used the sample code and add scope in the sample:
When you Register a web application, you should pay attention to the content after step 9.
Once the application registration is complete, enable the implicit
grant flow:
In the left menu, under Manage, select Authentication.
Under Implicit grant, select both the Access tokens and ID tokens
check boxes.
Select Save.
Select the Access tokens will give you the access token.
Ok finally get the access token in the AuthenticationResult. This is how I dealt with it.
After we define a scope, we need to configured permission.
Go to the registered application and add it to the configured permissions list:
After that I can see the accessToken in the result when I debug.
I've got an MVC 5 app that first logs in business users with their SQL Standard credentials, and then redirects them to the Azure AD login page. (We can't use any sort of SSO solution. The tool that the app exposes makes extensive use of SQL logins. We need the Azure AD to do MFA with the Microsoft Authenticator app. This isn't a publicly available application, it's for known vetted users only).
What I'd really like to do is populate the email address field on that login page with the email address we've got stored for the user in our database. I've looked around quite a bit and this doesn't seem easily possible. Any ideas? What am I missing?
In the sign in request, you can append &login_hint=username#company.com
The documentation for this is here: (CTRL+F login_hint) https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#send-the-sign-in-request