How to Log the User Out first from Okta and then from a .NET MVC Application using SAML 2.0 - asp.net-mvc-5

I have done Single Sign On (SSO) using Okta SAML 2.0. I have created the account in Okta, then created the app with the options Web - SAML 2.0 and did the configuration that I found in some blogs. After that I followed this blog to complete the Sign In flow and it is working fine, but now I am looking for how to log the user out using the Single Logout URL. I tried to search, but mostly I found solutions for ASP.NET Core and the Okta SAML API. I have not used OIDC; I have completed the Proof of Concept for Sign In using SAML 2.0. Does anyone have any idea on this?

I found that the way to log out from Okta from an ASP.NET MVC Web Application is: in the ASP.NET MVC Web Application's LogOut/LogOff ActionResult (whatever the ActionResult name may be), once the application session is cleared, redirect to
https://your_tenant.okta.com/login/signout?fromURI=your_redirect_here
and it will terminate the session in Okta as well. This is useful when SSO is implemented using SAML 2.0 in an ASP.NET MVC Web Application, NOT for the OIDC (OpenID Connect) method.
More information can be found HERE.
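The two-step logout described above, as an added example that is not part of the original answer: an MVC 5 `LogOff` action that ends the local session first and then redirects to the Okta signout endpoint. The `OktaOrgUrl` and `PostLogoutUrl` settings and the `"ApplicationCookie"` authentication type name are assumptions; use the values from your own Web.config and OWIN cookie setup.

```csharp
using System;
using System.Configuration;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;
using Microsoft.Owin.Security;

// Added example (not the answer's code): end the app session, then the Okta session.
public class AccountController : Controller
{
    // Assumed Web.config appSettings, both placeholders:
    //   <add key="OktaOrgUrl"    value="https://your_tenant.okta.com" />
    //   <add key="PostLogoutUrl" value="https://app.example.com/" />
    private static readonly string OktaOrgUrl = ConfigurationManager.AppSettings["OktaOrgUrl"];
    private static readonly string PostLogoutUrl = ConfigurationManager.AppSettings["PostLogoutUrl"];

    [HttpPost]
    [ValidateAntiForgeryToken] // logout changes state: require POST plus a CSRF token
    public ActionResult LogOff()
    {
        // 1. Clear the application's own session. Keep whichever sign-out matches the
        //    mechanism your SAML sign-in flow used (OWIN cookie auth or Forms auth).
        IAuthenticationManager auth = HttpContext.GetOwinContext().Authentication;
        auth.SignOut("ApplicationCookie");   // assumed AuthenticationType from UseCookieAuthentication
        FormsAuthentication.SignOut();
        Session.Abandon();

        // 2. Only now end the Okta session. fromURI comes from server-side configuration,
        //    never from the request, so this action cannot be abused as an open redirect.
        return Redirect(BuildOktaSignoutUrl(OktaOrgUrl, PostLogoutUrl));
    }

    // Builds https://{org}/login/signout?fromURI={encoded return URL}; kept static so it
    // can be unit-tested without an HTTP context.
    public static string BuildOktaSignoutUrl(string oktaOrgUrl, string fromUri)
    {
        if (string.IsNullOrEmpty(oktaOrgUrl) || string.IsNullOrEmpty(fromUri))
            throw new InvalidOperationException("OktaOrgUrl and PostLogoutUrl must be configured.");
        return oktaOrgUrl.TrimEnd('/') + "/login/signout?fromURI=" + HttpUtility.UrlEncode(fromUri);
    }
}
```

Clearing the local session before the redirect matters: if the Okta redirect fails or the user presses back, the application must not still treat the browser as signed in.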

Related

Azure custom application SSO using SAML and azure active directory

I'm kind of new to Azure Active Directory. What I'm trying to achieve is:
I have a .NET Core application (backend API) which will be called from an Angular application.
My requirement is to authenticate and enable single sign-on using Azure Active Directory.
With some time spent, I came to know that there are 2 ways to do this:
Using OpenID Connect
Using SAML
I would like to do it using SAML. I tried implementing SAML SSO as follows:
I registered one application under Active Directory which redirects to my Angular application. I also read that any application we register in App registrations will use OpenID by default, and there is no UI available to make it SAML, but we can do the same using the manifest.
We can register an application using Enterprise applications to enable SAML.
My questions are:
Is there a way we can authenticate and enable SSO in my application registered using App registrations?
What options should I choose to enable SAML SSO while registering an enterprise application? If I select my registered application in Enterprise applications it gives me the following:
The single sign-on configuration is not available for this application in the Enterprise applications experience. localhost was created using the App registrations experience.
Please go to localhost in the App registrations experience to edit properties such as reply URLs, identifiers, claims, among others. Your account should have the required permissions (Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the app object).
What will be the code changes in my Angular and .NET Core application?
Any reference would be very helpful.
TIA
You can't do it from App Registrations, but you can do it from the Enterprise Application experience. To set up SAML SSO you need to go to the application > Manage > Single Sign-On > Select SAML. The Quickstart goes through all of the steps for setting up SAML SSO from Enterprise Applications.
For Basic SAML configuration values, see Configure SAML Single Sign-On.
You can use the SAML toolkit and accompanying samples to test the SAML single sign-on integration with Azure AD.
I agree with Marilee; her answer has provided some related documents on how to create an enterprise app and how to enable SSO with the app.
What I want to add is that I think you need to figure out which apps you are willing to connect together with SSO. I mean that you just said 'an Angular application', so there's only one app; how does it relate to SSO? And if you just need to sign in to both the frontend app and the backend app, this document may help.
I wish you could solve it soon, and if you run into more questions, please add details.

Authenticating a user who logged in in an external app within a web api

I am using Microsoft Authentication (Azure AD) to log in a user to an app.
I have a separate Node.js API which I'd like an authenticated user to call, but as it is an external API, how do I check that the user who is requesting a resource is authenticated?
What is the flow, are there any good Node.js resources?
You need to protect the Node.js API with Azure AD. After that, you can implement a client (the app you used to log in) that is able to pass authentication tokens to the API.
Here is a sample which contains a web API running on ASP.NET Core 2.0 protected by Azure AD. The web API is accessed by an ASP.NET Core 2.0 web application on behalf of the signed-in user.
The scenario is the same as yours, but I could only find .NET samples.

Azure Mobile App Service / Xamarin iOS client / Okta Identity Provider example

Here's my current situation:
Xamarin iOS mobile app (using MobileServiceClient to login)
Azure Mobile/App Service (ASP.NET Web API) with Azure AD authentication
I would like to modify the authentication part of this process to be handled by Okta instead of Azure AD. How can I set up Okta, or any other 3rd party Identity Provider service similar to Okta, as the IdP for both my mobile app and the API web service? Azure claims that you can use any auth-capable 3rd party provider, but I don't see any way to integrate such a provider in the Azure portal.
I found this url to a tutorial for custom Authentication: https://adrianhall.github.io/develop-mobile-apps-with-csharp-and-azure/chapter2/custom/
From this post:
IdentityServer 4 as Identity Provider for Azure App Service
Is this really the only way to do it? I would really rather keep using the server flow through MobileServiceClient and configure Azure to use the 3rd party OAuth identity provider. Does anyone have an example or additional information on how to do this?
Thank you for your help. Maybe someone from the Azure team can enlighten us on this topic; I have not seen any documentation or examples of how to do it in their documentation so far.
Client:
Found a working library for OAuth2 and OpenID that worked for integrating with Okta:
https://github.com/openid/AppAuth-iOS
https://github.com/openid/AppAuth-iOS/tree/master/Examples
with a Xamarin wrapper:
https://github.com/xamarin/XamarinComponents/tree/master/XPlat/OpenId
Tested it with Okta for client auth with 2-factor authentication and it works well. On to figuring out the App Service part.
After more research and trial and error, I've found the right combination that works for what I'm trying to do. Here's an outline of what it is:
Okta (identity provider)
Set up a native application with an Implicit (Hybrid) grant on it.
Mobile Client
Use an OpenID Connect component for Xamarin.iOS, in my case https://github.com/openid/AppAuth-iOS
Server / Web API
Converted my ASP.NET Web API web service to an ASP.NET Core Web API web service so I can use the latest OWIN middleware to validate JWT bearer tokens submitted in the header of calls to the secured endpoints. Here's an example of how to set that up with Okta: https://developer.okta.com/quickstart/#/ios/dotnet/aspnetcore
One thing to note that tripped me up along the way:
In the client, after successfully authenticating with Okta through an OpenID Connect component, you will receive user information which will include an id_token and an access_token. Although it might seem natural to use the access token to send with your API calls to the server, that's actually not the case. The access token is supposed to only be used to get userinfo and is not a validated token because it gets regenerated regularly. The ID token, on the other hand, contains the signature that the server needs to validate that the header and the payload of the token haven't been tampered with. This difference between these two tokens can be observed by the number of "."-delimited parts contained within the token: the access token has only 2 "."-delimited parts, header and payload; the ID token has 3 such parts, header, payload and signature.
Read more information about JWT tokens here: https://auth0.com/learn/json-web-tokens/
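The "Server / Web API" step above, as an added example that is not from the answer or from Okta's quickstart: an ASP.NET Core JWT bearer setup that pins issuer, audience, lifetime and signature checks so a token minted for a different app or tenant is rejected. The `your_tenant` authority and the `api://default` audience are placeholders for the values configured in your own Okta authorization server.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Added example (not the answer's or Okta's code): bearer-token validation for the API.
public static class OktaJwtBearerSetup
{
    // Placeholders: replace with your Okta authorization server and API audience.
    public const string Issuer   = "https://your_tenant.okta.com/oauth2/default";
    public const string Audience = "api://default";

    // Call from Startup.ConfigureServices; pair it with app.UseAuthentication() in Configure
    // and [Authorize] on the controllers that must only accept validated tokens.
    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Authority makes the middleware fetch Okta's discovery document and
                // signing keys (JWKS), so key rotation needs no code change.
                options.Authority = Issuer;
                options.Audience = Audience;
                options.TokenValidationParameters = BuildValidationParameters();
            });
    }

    // Explicit parameters rather than library defaults, so every check is visible in review.
    public static TokenValidationParameters BuildValidationParameters()
    {
        return new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = Issuer,                 // token from another tenant: rejected
            ValidateAudience = true,
            ValidAudience = Audience,             // token minted for another API: rejected
            ValidateLifetime = true,              // expired / not-yet-valid: rejected
            ClockSkew = TimeSpan.FromMinutes(2),  // tighter than the 5-minute default
            ValidateIssuerSigningKey = true,
            RequireSignedTokens = true            // unsigned (alg=none) tokens: rejected
        };
    }
}
```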

Creating SAML 2.0 Response with C# and .NET 4.5 in IDP Initiated web SSO

I am doing web SSO integration (IdP-initiated flow) for our web app (a CRM portal) in which users log in with AD credentials and access resources on a Service Provider (SP) by passing in our customer details. Our server is on Windows 2012 R2 (ADFS 3.0). Can I have the SP post the SAML request to a Web API (4.6, C#), create the SAML 2.0 Response using third-party assemblies (ComponentSpace) and send it to the SP after digitally signing and encrypting the assertion, rather than relying on ADFS 3.0 to generate the SAML 2.0 Response? Our SP wants some custom attributes added to the SAML response and the claim info resides in a SQL Server database. Do you see any security problem generating the SAML response manually (inside the Web API) rather than relying on ADFS 3.0? The reasoning behind manually creating the SAML response is that working with ADFS 3.0 is complex and our support team is too busy to look at our support tickets.
After getting in touch with ComponentSpace support, it turns out that I don't have to use ADFS to create the SAML response. All I have to do is get the claim details from the SQL Server database and pass them to their SAMLIdentityProvider.InitiateSSO() as described on their forum.
Update:
Use of the ComponentSpace library was not an option because of the organizational delays associated with getting the approval, and I ended up creating the SAML response manually thanks to this GitHub repo.
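On the security question raised above: whoever builds the response by hand takes over the part ADFS would otherwise do, which is to sign the assertion so the SP can detect any change to the custom attributes. The following is an added example, not code from the question, from ComponentSpace or from the GitHub repo mentioned, showing a hand-built assertion receiving an enveloped XML-DSIG signature with .NET's `SignedXml`; the issuer, NameID, audience and certificate are placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example: sign a SAML 2.0 Assertion so the SP can verify it was not tampered with.
public static class SamlAssertionSigner
{
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Minimal assertion; attribute statements from the SQL claim data would be added here.
    public static XmlDocument BuildAssertion(string issuer, string nameId, string audience)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        string id = "_" + Guid.NewGuid().ToString("N");   // xs:ID must not start with a digit
        string now = DateTime.UtcNow.ToString("o");
        doc.LoadXml(
            $"<saml:Assertion xmlns:saml=\"{SamlNs}\" ID=\"{id}\" Version=\"2.0\" IssueInstant=\"{now}\">" +
            $"<saml:Issuer>{issuer}</saml:Issuer>" +
            $"<saml:Subject><saml:NameID>{nameId}</saml:NameID></saml:Subject>" +
            "<saml:Conditions><saml:AudienceRestriction>" +
            $"<saml:Audience>{audience}</saml:Audience>" +       // restricts replay to this SP
            "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>");
        return doc;
    }

    // Enveloped signature over the whole assertion, referenced by its ID, using RSA-SHA256.
    public static void Sign(XmlDocument doc, X509Certificate2 signingCert)
    {
        XmlElement assertion = doc.DocumentElement;
        var signedXml = new SignedXml(doc) { SigningKey = signingCert.GetRSAPrivateKey() };
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;

        var reference = new Reference("#" + assertion.GetAttribute("ID"))
        {
            DigestMethod = SignedXml.XmlDsigSHA256Url
        };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform()); // exclude ds:Signature itself
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);

        var keyInfo = new KeyInfo();                      // lets the SP match the signing cert
        keyInfo.AddClause(new KeyInfoX509Data(signingCert));
        signedXml.KeyInfo = keyInfo;

        signedXml.ComputeSignature();
        // SAML 2.0 requires ds:Signature to directly follow saml:Issuer.
        XmlNode issuer = assertion.GetElementsByTagName("Issuer", SamlNs)[0];
        assertion.InsertAfter(doc.ImportNode(signedXml.GetXml(), true), issuer);
    }
}
```

The private key behind `signingCert` needs the same protection ADFS would give it (certificate store or HSM, not a file in the web root), because anyone holding it can mint assertions the SP will accept.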

WsFederation without cookies in Asp.Net MVC 4.6 app

I'm trying to follow an Azure sample to integrate Azure AD into my MVC 4.6 web app via WS-Federation, provided here: https://github.com/Azure-Samples/active-directory-dotnet-webapp-wsfederation
This sample uses cookies to store the authentication token. After reading a few articles, I'm a bit confused by the choice of cookies to store the authentication token generated by WS-Federation. Are there recommended alternatives?
Also, this web app would host Web API controllers too as part of the same project.
Thanks for your help!
There is some misunderstanding about storing the token using cookies.
When the app is redirected to Azure AD and the user enters the correct username and password, the app will verify the token from Azure AD and sign the user in to the web app.
Then the cookie authentication middleware appends the cookies based on the claims of the signed-in user, so the user can visit the pages without logging in again.
And based on the previous threads, it seems that you want to use the token to protect the MVC application and the Web API. As I mentioned, the MVC web page is user-oriented, so cookie authentication is recommended.