Azure custom application SSO using SAML and azure active directory - azure

I’m kind of new to azure active directory. What I'm trying to achieve is:
I have a .net core application (backend api) which will be called using an angular application.
My requirement is to authenticate and enable single sign on using azure active directory.
With some time spent, I came to know that there are 2 ways to do this,
Using OpenID Connect
Using SAML
I would like to do using SAML. I tried implementing SAML SSO as follows:
I registered one application under Active directory which redirects
to my angular application. I also read that, any application we are
registering in App registrations will use OpenID by default and
there is no UI available to make it as SAML but we can do the same
using manifest.
We can register application using Enterprise applications to enable
SAML
My question is,
Is there a way we can authenticate and enable SSO in my application
registered using App registrations?
What options I should choose to enable SAML SSO while registering
enterprise application? If I select my registered application in
enterprise application it gives me the following:
The single sign-on configuration is not available for this application in the Enterprise applications experience. localhost was created using the App registrations experience.
Please go to localhost in the App registrations experience to edit properties such as reply URLs, identifiers, claims, among others. Your account should have the required permissions (Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the app object).
What will be the code changes in my angular and .net core
application?
Any reference would be very helpful.
TIA

You can't do it from App Registrations but you can do it from the Enterprise Application experience. To set up SAML SSO you need to go to the application > Manage > Single Sign-On > Select SAML. The Quickstart goes through all of the steps for setting up SAML SSO from Enterprise Applications.
For Basic SAML configuration values, see Configure SAML Single Sign-On.
You can use the SAML toolkit and accompanying samples to test the SAML single sign-on integration with Azure AD

I agree with Marilee's, her answer has provided some related documents on how to create an enterprise app and how to enable SSO with the app.
What I wanna add is that I think you need to figure out which app you are willing to connect together with SSO, I mean that you just said 'an angular application', so there's only one app, how does it relate to SSO ? And if you just need to sign in both frontend app and backend app, this document may help.
Wish you could solve it soon, and if you met more questions, pls add details.

Related

How to add an application to Azure AD with SSO option SAML

I have created an application within the Enterprise applications tab and I don't have an option to Setup Single Sign-On. How can I add the SAML Sigle Sign-On option to my custom application? thanks.
expected getting started options:
actual getting started options:
Also the Single sign-on tab under the Manage options shows me the message like this:
The message in the 3rd screenshot has told you about the reason.
Your SampleWebApp was created using the App registration experience. This kind of enterprise application doesn't support to configure SSO.
Only those created directly in Enterprise application experience can be configured SSO.
See the Prerequisites here.
In this document, you can learn how to add an app to your Azure AD tenant.
You can find this content:

IBM APP ID with ADFS using windows integrated authentication WIA

I Need help with APP ID service in IBM Cloud.
I have a configuration with a Loopback application residing in IBM Cloud which uses the APP ID service to perform SSO automated login.
APP ID service is configured with one identity provider:
SAML 2.0 Federation
SAML Federation is configured to work with ADFS which I have setup with an Azure virtual machine for test and our customers production ADFS.
The solution works and my SSO request is relayed:
> APP ID > ADFS
and authentication is performed and I can log in to the system.
Problem:
The problem is that ADFS is always using the Form-based Authentication, but I need to use the Windows Integrated Authentication i.e. the customer when logged in to the corporate network is never asked for credentials.
I have together with the ADFS administrator troubleshoot the windows side and can not see any irregularities.
Questions:
Does APP ID service support Windows Integrated Authentication and what can I do to enable it?
How to troubleshoot the workings of APP ID service, logs, etc.
You can customize the AuthnContext using the management API -
https://<region-endpoint>.appid.cloud.ibm.com/swagger-ui/#/Management%20API%20-%20Identity%20Providers/mgmt.set_saml_idp
urn:federation:authentication:windows is currently not supported.
However, you can try updating the authnContext to either urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified or just an empty object ("authnContext": {})
In my experience, it works for me by updating with an empty object.
Ref
Managing App ID with the API : https://cloud.ibm.com/docs/appid?topic=appid-manging-api

Integrating Native iOS Azure SSO with Multi-Tenant Web Application

Scenario: I already have a registered multi-tenant web application that is compatible with Azure SSO. I'm now in the process of developing an iOS application that will support SSO authentication for the app as well.
Based on the example provided in https://azure.microsoft.com/en-us/resources/samples/active-directory-ios/ I created a Native application for the iOS app with delegated permissions from my WebApp (ref: https://stackoverflow.com/a/29810124).
This works for any user that exists within the AAD that the app was created. However, as soon as I want to SSO from a different domain that has previously authorized the WebApp I get an error:
Application with identifier 'CLIENT_ID_HERE' not found in directory DOMAIN_HERE.onmicrosoft.com
This implies that the native application is not multi-tenant? This seems a bit bizarre considering it should be possible for users outside of the domain to SSO to an application.
Right now, for my browser based SPA I'm simply able to manually call the common Azure login page to consent and get an authorization code for a user. I then send this code to a backend (the WebApp) that performs the OAuth handshake and gets a valid token. This does not require a client_secret from the application because the SPA isn't actually performing token retrieval.
So when I attempted to use the WebApp's client_id instead (similar to what https://stackoverflow.com/a/27033816 is suggesting) I was met with an error with the Azure AD iOS SDK requiring that I provided a client secret as well. It seems that the SDK is abstracting a fair amount of this and grabbing a token for you rather than performing a step when I can simply get an authorization code and send it to my WebApp.
TLDR: My requirements are very similar to the ones outlined in multiple-tenant, multiple-platform, multiple-services single sign-on using Azure Active directory where I have multiple clients (browser, iOS, Android) that all need to be able to use Azure SSO. I'm assuming the mobile apps should be able to use my existing WebApp to authenticate the users.
The question posed in the answer of the previous SO post somewhat explains my issue:
How can my mobile app access my multi-tenant web api on behalf of the user?
References
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-authentication-scenarios#native-application-to-web-api
https://github.com/Azure-Samples/active-directory-dotnet-webapi-multitenant-windows-store
At present the native app which register on the Azure portal doesn't support multi-tenant. You may consider using the V2.0 endpoint which also support the Microsoft accounts.
TLDR: My requirements are very similar to the ones outlined in multiple-tenant, multiple-platform, multiple-services single sign-on using Azure Active directory where I have multiple clients (browser, iOS, Android) that all need to be able to use Azure SSO. I'm assuming the mobile apps should be able to use my existing WebApp to authenticate the users.
Did you mean that have different font-end and the Multi-Tenant Web Application is the back-end? In this scenario, there is no need to register another native client application on the portal, you can refer here about add authentication for the iOS app.
So the majority of Microsoft's tutorials use their AAD SDK to generate OAuth access tokens whereas I needed to simply get an authorization_code to send up to a backend that's registered as an existing multi-tenant web application so it could properly generate a token using its own client_id.
This was done using the correct redirect_uri in the AD OAuth code documentation:
For native & mobile apps, you should use the default value of urn:ietf:wg:oauth:2.0:oob
Note that sending up urn:ietf:wg:oauth:2.0:oob will actually result in a schema error for the multi-tenant OAuth login page (https://login.windows.net/common/oauth2/authorize) so you must use https://login.microsoftonline.com/common/oauth2/nativeclient instead.

Identityserver3 - authentication with different accounts

I have identity server and 2 asp mvc applications.
I'm using openId Hybrid flow to authenticate. Each application has it's own client id.
Both applications are not connected and both are using different user account to log in.
Is it possible to sign in to app A without having access to app B which is the case. Currently SSO kick in when I log in to one of the apps(either A or B).
Is it possible to disable SSO ?
I assume your requirement is to perform some sort of Role check before allowing the user to access MVC APP 2. This is possible in IdentityServer3 using extensibility point called ICustomTokenRequestValidator.
For further details refer to this discussion here. Also a similar SO question here

Enable single sign on

Hi I have to develop a framework to enable single sign on for an application that my organisation develops.I want the framework to be in GOLANG.I want to authenticate the users with azure active directory details.How can I achieve this?
Azure AD can provide auth via WS-Fed, SAML-P, OAuth2 and OpenID Connect. As long as you develop using one of those then your application can be registered in Azure AD as an application and can leverage the standard protocols listed above.

Resources