IBM APP ID with ADFS using windows integrated authentication WIA - ibm-appid

I Need help with APP ID service in IBM Cloud.
I have a configuration with a Loopback application residing in IBM Cloud which uses the APP ID service to perform SSO automated login.
APP ID service is configured with one identity provider:
SAML 2.0 Federation
SAML Federation is configured to work with ADFS which I have setup with an Azure virtual machine for test and our customers production ADFS.
The solution works and my SSO request is relayed:
> APP ID > ADFS
and authentication is performed and I can log in to the system.
Problem:
The problem is that ADFS is always using the Form-based Authentication, but I need to use the Windows Integrated Authentication i.e. the customer when logged in to the corporate network is never asked for credentials.
I have together with the ADFS administrator troubleshoot the windows side and can not see any irregularities.
Questions:
Does APP ID service support Windows Integrated Authentication and what can I do to enable it?
How to troubleshoot the workings of APP ID service, logs, etc.

You can customize the AuthnContext using the management API -
https://<region-endpoint>.appid.cloud.ibm.com/swagger-ui/#/Management%20API%20-%20Identity%20Providers/mgmt.set_saml_idp
urn:federation:authentication:windows is currently not supported.
However, you can try updating the authnContext to either urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified or just an empty object ("authnContext": {})
In my experience, it works for me by updating with an empty object.
Ref
Managing App ID with the API : https://cloud.ibm.com/docs/appid?topic=appid-manging-api

Related

Azure custom application SSO using SAML and azure active directory

I’m kind of new to azure active directory. What I'm trying to achieve is:
I have a .net core application (backend api) which will be called using an angular application.
My requirement is to authenticate and enable single sign on using azure active directory.
With some time spent, I came to know that there are 2 ways to do this,
Using OpenID Connect
Using SAML
I would like to do using SAML. I tried implementing SAML SSO as follows:
I registered one application under Active directory which redirects
to my angular application. I also read that, any application we are
registering in App registrations will use OpenID by default and
there is no UI available to make it as SAML but we can do the same
using manifest.
We can register application using Enterprise applications to enable
SAML
My question is,
Is there a way we can authenticate and enable SSO in my application
registered using App registrations?
What options I should choose to enable SAML SSO while registering
enterprise application? If I select my registered application in
enterprise application it gives me the following:
The single sign-on configuration is not available for this application in the Enterprise applications experience. localhost was created using the App registrations experience.
Please go to localhost in the App registrations experience to edit properties such as reply URLs, identifiers, claims, among others. Your account should have the required permissions (Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the app object).
What will be the code changes in my angular and .net core
application?
Any reference would be very helpful.
TIA
You can't do it from App Registrations but you can do it from the Enterprise Application experience. To set up SAML SSO you need to go to the application > Manage > Single Sign-On > Select SAML. The Quickstart goes through all of the steps for setting up SAML SSO from Enterprise Applications.
For Basic SAML configuration values, see Configure SAML Single Sign-On.
You can use the SAML toolkit and accompanying samples to test the SAML single sign-on integration with Azure AD
I agree with Marilee's, her answer has provided some related documents on how to create an enterprise app and how to enable SSO with the app.
What I wanna add is that I think you need to figure out which app you are willing to connect together with SSO, I mean that you just said 'an angular application', so there's only one app, how does it relate to SSO ? And if you just need to sign in both frontend app and backend app, this document may help.
Wish you could solve it soon, and if you met more questions, pls add details.

Single sign from a windows service

My company utilizes single sign on using a few different providers (Azure, Integrated Windows Authentication, Open ID Connect) exc.. We have a windows service that runs on the clients server and makes web service calls on a regular basis to our web application. Currently we suggest the client install a Non SSO instance for the windows application to make calls into the web service.
My question is there a good way for the window service to makes calls into the SSO instance of our web application that will work for all SSO providers.
This feels like a problem unless you design for it architecturally:
Your web app should call a Web API
The Windows Service should call the same Web API
It is not standard for a Windows Service to call a Web app
In OAuth terms:
A web app will use Authorization Code Flow and get a token containing the logged in user id (sub claim)
A Windows service will use Client Credentials Flow and get a token that only contains a client id and no user id
Your Web API will need to deal with both cases
It feels like the client should only use one fixed SSO provider for the Windows service. Either that or you work out which one is used at runtime based on the iss (issuer) claim in the access token.

Angular 2 - Windows Authentication - without .NET - Node JS API

My application is an Angular 2+ SPA, which uses Azure Active Directory and the back end API is implemented in Node JS. Currently, when an user tries to login, an Azure pop-up appears, User enter login/password which will get authenticated in AD, AD returns a bearer token which I use to authenticate Node JS API.
My requirement is, to use Integrated Windows Authentication (IWA). The Front End should use Windows authentication to get the bearer token from AD instead of asking user to enter login/password. How Can I do that? Whatever articles I see about this, all talk about IIS and .Net based application. Should I always use .NET based API to use Windows Authentication? Any hints would be greatly appreciated.
Just a note, the API is an enterprise application hosted in the cloud. All the users are internal company employees and are registered with AD.
Given you already have Azure AD sync setup, the following may be useful. AAD Connect allows you to seamlessly login with SSO:
https://learn.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso
Azure services doesn't support Windows Authentication, unless you setup a VM with IIS. I assume by your requirements "...Get the bearer token instead of asking user to enter login/password" mean single signon. That is, when a user is logged into the domain on their PC, they don't have to login again to your application.
There are a few ways to approach this depending on your AD configuration, but usually you have to configure ADFS for your organisation AD to allow your cloud app to authenticate you. If you are already logged in, it will simply redirect you and your app will receive the bearer token.
https://azure.microsoft.com/en-au/resources/videos/configuring-ad-fs-for-user-sign-in-with-azure-ad-connect/
Another option is to connect your organisation AD with Azure AD, using Azure AD sync. The following link helps with this. You would then configure your app to authenticate against Azure AD (as it currently does).
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/azure-ad
AD configuration is not a simple configuration,

Authentication for web api using azure AD

I need to implement authentication for azure web api using azure active directory.
client app(which consumes webapi) may or may not be in azure. how i need to authenticate user, where i should generate token if my app is not in azure(if it is IOS app). authentication should work in all cases even if client app is in azure or not.
Please let me now the best procedure to implement authentication.
You need to define the client app in Azure AD as a native app in the case of a mobile app. Then you define the API there, and add your client permissions to access it. You can optionally customize the available permissions through the API app's manifest in Azure AD. Then when your mobile app opens, you would have to authenticate with Azure AD, and then request an access token for the API. That you can then use to authenticate requests.
I can't answer this question in too great detail because it is quite a large topic and how it is done also depends on your platform. There is a sample app that you can check which does exactly what you want. The whole list of examples for native apps can be found here.
App Service to use different authentication providers Azure Active Directory,Facebook,Google,Microsoft,Twitter.
We can set any type of Authentication/Authorization in the Azure Portal.More info about how to use authentication for API Apps in Azure App Service, please refer to document.
By default, App Service provides authentication but does not restrict authorized access to your site content and APIs. You must authorize users in your app code.

Azure WCF Service with Azure Active Directory Authentication

I know this question seems similar to other son here, but I have tried the answers posted Here: Securing WCF 4.5 service using Azure ACS 2.0
And Here: Federated authentication (single-sign-on) for a WCF REST/HTML-service on Azure
Ans neither seem to be relevant.
Here is what I have so far.
An azure cloud service with various worker roles, and a WCF web role with REST and SOAP Endpoints
An azure active directory account with a couple users
ACS namespace.
The WCF service will be used by a couple different companies but other than that closed off. We chose azure active directory to provide SSO for the wcf service and other apps.
Here is what I want to do:
Create users/passwords for each company using the WCF service in
Azure Active Directory.
Allow only companies with a valid username and password pair to obtain an access token
Have each company use their token to access the WCF methods.
I didn't think this would be that hard to accomplish, but all the tutorials out there seem to be for IIS hosted or self hosted services with a console application.
What I have done so far:
Added the WCF service as an integrated app in azure active directory
Created a new identity provider named testAAD in ACS and added the WS-Federation metadata from the integrated app to that provider
Added a relying party application that uses the newly created testAAD identity provider
Added a rule group with a pass-through rule that uses the testAAD Identity Provider and the default settings.
See option 1 here for more details.
I need to know if what I did was anywhere close to correct, and if it was, how do I get the WCFservice to start using those settings.
Other Info:
WIF 4.5
VS2012 Pro
C#
Any relevant tutorial links or general advice would be great. Thanks in advance.
Update:
Just to add more info, the WCF service is being posted to by a number of different websites. Each of our customers will collect data from their own web forms, and then either add a service reference using c# code, or post the data to a url via something like curl if they are using php. The Service has both rest and soap endpoints. So for example, they would send an XML or SOAP request to mynamespace.cloudapp.net/myservice.svc/servicemethod. I am either looking to have them send their username and password with that request and validate those credentials in the actual WCF Method, or have them request an authentication token, and then send that authentication token with their request.
Update 2
I think I found the missing piece. In order to use active directory as an identity provider, it looks like I need to set up an ADFS server. I had thought that the ADFS server was set up already with the azure active directory account, but apparently thats not the case? Is there any way to do this without an ADFS server?
The main question you haven't covered is how will these companies use that WCF service?. Via your web portal, or via rich client (such as WinForms / WPF)?
If it is rich client, you can take a look at this blog post? It shows you how to secure WCF service with token and access that service from a WPF application.
If you plan to only allow access to the WCF service via your web portal, then picture is a bit different. You can first protect your portal by Azure AD and get user's token. Then use that token to authenticate against the WCF.
But in a truly web scenario, the client that will make calls to the service is actually your web server. If this is the case, I will just protect my web portal with Azure AD. Then protect my WCF with a single access token. I can get that token from a Service Identity in my Azure AD Access Control. And provide this "Service Token" as part of each WCF call from my web server. For added audit (and compliance) I will also send the original user token, to keep track of who accessed what and when.

Resources