I have a SaaS product, it has it's own cloud-based authentication, and it is hosted in Azure. This works for most of my customers, but supposing a customer has their own on-prem AD - is it possible my SaaS product (cloud-hosted, external to the customer's network) can swap out my own authentication for the AD? What technologies/APIs are available to me for this?
Further Context
This is a vue app (client-side) with a .Net back-end (.Net core API in Azure).
I'm currently using okta, I pass okta data from a login form, and it returns a token.
If I could do a straight swap with okta for AD instead and call off to the client's AD server and receive a token (on successful authentication) and then pass that token as part of every request as I do with okta, that would be ideal.
What I've Tried
I know Okta itself has options for single-sign-on with AD, but I don't see the need for Okta if it's only going to be used as a way of interfacing to my customer's AD server, I'd like to just go 'straight there' instead.
Okta is not required to do Azure AD authentication. I have successfully completed azure ad single sign-on authentication using MSAL in Angular and Python.
Go to your portal.azure.com -> Azure Active Directory -> APP Registration -> Select you app -> Quick Start -> Select programming language -> Click download the source code.
To understand the code, use this link https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-angular
As you mentioned. you have used on-premise code, use the same code for authentication, this below tutorial explains how to do authentication
https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-javascript-spa
Related
I'm investigating Azure AD B2C as a possible auth service, which we want to use for user management and authentication. We have a web application, Web API which we can easily integrate with AAD B2C and migrate our current authentication and user management.
However, I did not find any solution how to authenticate mobile applications and integrate it with azuere ad b2c. Our mobile app communicates also with web api but it does not need any user login. These applications are tied to a tenant and every mobile app instance has an API key that is used to authenticate the mobile app on the backend.
Is it possible with azure ad b2c to achieve that kind of authentication, that we will generate API keys for our mobile apps and will use the same ad in azure like the normal users? Is possible with azure ad b2c or we should use another azure service?
What are the best practices in this area? It is similar to the backend to backend communication where API keys are used. Thx.
The normal way for such a scenario would be to use the client credentials flow, where you use your ClientID + ClientSecret for a silent login in order to get a non-personalized AccessToken.
Although it seems that this type of flow is currently not supported by AD B2C. Have a look here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/application-types#current-limitations
As an alternative, that page is refering to the client credentials flow of the Microsoft Identity Platform (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow).
I guess it now depends on the detailed requirements of your application whether it could be an option for you to use.
So I want to provide access to users over Okta to Azure.
We have local AD which is not synced to MS Azure account
We have custom domain inside Azure AD
There is also 2nd part of this where we want to sync local AD mail field to Workday and add some O365 users to the same tenant which is another (native) Okta app.
So looking at docs, it seems I need to install ADConnect client which will import all users to the same O365/Azure tenant. Then on the Okta, there is native o365 app that I simply need to configure (it didn't look like problematic). But for the Azure part, the documentation is not really good and I am confused what should I do with Azure.
It seems I need to add Custom SAML 2.0 Application on Okta for Azure and configure External Identities-->New SAML connection on Azure. There also should be a way how to link Okta users to AzureAD ones but they have different domains. Did I get this correctly?
Thank you!
You can do the following:
Use AAD Connect to sync on-premise users to Azure AD
Integrate on-premise AD with Okta
Use Okta's native Office 365 application to integrate Okta with Azure AD for Single Sign On. When you use this application, you don't have to do anything on Azure AD. Okta will take care of everything for you. All you need to do is follow these steps: https://help.okta.com/en/prod/Content/Topics/Apps/Office365-Deployment/configure-sso.htm
I have an ASP .Net Core 2.2 Web API hosted as an Azure App Service. Then there is an Angular SPA which consumes this API, hosted on Azure Storage as a static website.
I am currently using Auth0 as our authentication and identity server. I am looking at replacing Auth0 with Azure, but I've spent a couple of days now trying to figure out what I should be doing and I am completely lost.
So, the purpose that Auth0 is currently serving, and which I would like Azure to serve instead, is to protect my Web API, as well as give it identity services so that the API knows which user is logged in. So when the front end makes a call to the API, Auth0 automatically redirects it to a login page. Here the user can log in using an existing account (including social accounts) or she can create a new account. Once logged in, Auth0 provides the front end with an access token. The front end then includes this access token in the header of every API call. The access token includes identity information which the API uses to know which user is making the call. All users are stored in Auth0. So when a new user uses the front end web app, Auth0 redirects them to the login screen, where they select "Sign Up", and create an account in Auth0. Any user can do this btw - it is a public web app which anyone can sign up and use.
So, when looking at using Azure instead of Auth0, what first confuses me is that there are various authentication services:
In the Azure portal, under my app service, under "Authentication / Authorization", there is a toggle switch labelled "App Service Authentication". If I turn this on, I can set up Authentication Providers.
In the Azure portal, there is Azure Active Directory, which I guess ties in with the above?
There is also Azure B2C.
What is the difference between Azure App Service Authentication and Azure B2C? Which one should I be using? What is the difference between points 1 and 2 above? Some examples I've seen use point 1 and some use point 2.
Sorry if this is a very vague question. I am just struggling to figure out in which direction to head. I found Auth0 quite simple, but unfortunately I cannot say the same about Azure authentication. I basically just want to figure out which Azure option would be best suited to replace Auth0 as I am using it now. Thanks
Azure B2C is the proper option to replace user authentication, however you would have to go with OWIN or another solution to actually provide application specific identity/authorization pipeline.
For public-facing site I would not go with straight up azure AD for customer logins, that’s targeted more towards enterprise customer with identities in federated, office365 or on prem Active Directory.
To be honest I’m surprised you’re planning on moving from auth0 to AAD. I’m thinking about doing the opposite.
I think the "replacement" would be using Identity Server, but there's no PaaS version for it on Azure. So you should go with Azure AD or Azure AD B2C.
If you want just to create users and groups you should use Azure AD. But if you have plans to enable 3rd party identities to access your app (such as Facebook, Google or Linkedin), then you should use Azure AD B2C. For more info, please read: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview
My application is an Angular 2+ SPA, which uses Azure Active Directory and the back end API is implemented in Node JS. Currently, when an user tries to login, an Azure pop-up appears, User enter login/password which will get authenticated in AD, AD returns a bearer token which I use to authenticate Node JS API.
My requirement is, to use Integrated Windows Authentication (IWA). The Front End should use Windows authentication to get the bearer token from AD instead of asking user to enter login/password. How Can I do that? Whatever articles I see about this, all talk about IIS and .Net based application. Should I always use .NET based API to use Windows Authentication? Any hints would be greatly appreciated.
Just a note, the API is an enterprise application hosted in the cloud. All the users are internal company employees and are registered with AD.
Given you already have Azure AD sync setup, the following may be useful. AAD Connect allows you to seamlessly login with SSO:
https://learn.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso
Azure services doesn't support Windows Authentication, unless you setup a VM with IIS. I assume by your requirements "...Get the bearer token instead of asking user to enter login/password" mean single signon. That is, when a user is logged into the domain on their PC, they don't have to login again to your application.
There are a few ways to approach this depending on your AD configuration, but usually you have to configure ADFS for your organisation AD to allow your cloud app to authenticate you. If you are already logged in, it will simply redirect you and your app will receive the bearer token.
https://azure.microsoft.com/en-au/resources/videos/configuring-ad-fs-for-user-sign-in-with-azure-ad-connect/
Another option is to connect your organisation AD with Azure AD, using Azure AD sync. The following link helps with this. You would then configure your app to authenticate against Azure AD (as it currently does).
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/azure-ad
AD configuration is not a simple configuration,
I have created a API app in Azure portal. Then after I have configured Azure Active Directory and Facebook for Authentication/Authorization in Azure Portal (Portal -> My API APP -> Authentication / Authorization). Now my requirement is some API should be Allow Anonymous and other APIs should ask for Authentication either from Azure Active Directory or Facebook.
Same issues like my case: Question-1 Question-2
Please help !!
I think, your solution may benefit from using other authentication broker service called Azure Active Directory B2C. Basically, you configure the providers you want on the backend side, then integrate it into your application. Then, you are able to use mechanisms like policies, etc, in your app. For WebApp integration with AD B2C - tutorial.
I would do that in your situation because i believe that it would be better to offload authentication boilerplating to the backend instead of doing a lot of custom things in the application.
Other way of doing that would be to use custom attribute that will add the capabilities to authenticate, cache user information, authentication context (regarding your question about how to detect if someone is logged in) etc.