My company utilizes single sign on using a few different providers (Azure, Integrated Windows Authentication, Open ID Connect) exc.. We have a windows service that runs on the clients server and makes web service calls on a regular basis to our web application. Currently we suggest the client install a Non SSO instance for the windows application to make calls into the web service.
My question is there a good way for the window service to makes calls into the SSO instance of our web application that will work for all SSO providers.
This feels like a problem unless you design for it architecturally:
Your web app should call a Web API
The Windows Service should call the same Web API
It is not standard for a Windows Service to call a Web app
In OAuth terms:
A web app will use Authorization Code Flow and get a token containing the logged in user id (sub claim)
A Windows service will use Client Credentials Flow and get a token that only contains a client id and no user id
Your Web API will need to deal with both cases
It feels like the client should only use one fixed SSO provider for the Windows service. Either that or you work out which one is used at runtime based on the iss (issuer) claim in the access token.
Related
Users in Azure Active Directory Azure
App Services for WebSite and Services
I am creating a Web Site that a Manager would authenticate with using an Azure Active Directory account. That website would offer up sales data on the staff they manage.
The service that returns the sales data for staff member A will be being called on behalf of the manager.
My question is what is the correct way to flow the "identity" of the logged in manager through the calls to the various services.
Do I simply protect the services with a System Level authentication at the level of the website and pass the manager's user identifier as a parameter in the request?
OR
Do I try and flow the oauth identity onward to the services so that they are called in the security context of the manager? If using this approach how would I do that?
In my opinion, if the your business doesn't have a high security requirement, the first option is great. But if you want higher security, you can use second option.
For second option, you need to register an application in your azure ad for your app service. Follow steps on this page. And register another application in AD to represent client app by following these steps. Then go to your client app and grant permissions to allow the client-app to call the backend-app. After that, the manager need to get access token before request the api in your app server to return sales data.
This Azure sample shows exactly what we want to acheive with an ASpNet Core Web Site calling own AspNet Core Service secured with our Active Directooy organisation
I am having some issues getting it to work but this sampple is what I was hoping for from asking this qeuestion. FWIW here is the seperate question covering the specific issue I am having implementing the sample, Why Http 401 when calling AspNet Core API secured with AAD. Our WebApp, Web API and AD Org
I am trying to develop a serverless backend for my xamarin app. and for that I chose azure functions.
Now I already know that Azure Mobile Apps provide an SDK for this purpose with which we can easily enable Authentication with multiple ways which are following
1. Azure Active Directiry
2. Facebook
3. Google
4. Microsoft
5. Twitter
Now I want to allow login with atleast 2 of these in my app, but I am not using azure mobile app as backend, instead I am using azure functions. So how can I achieve the same result with serverless?
Thanks in advance.
AFAIK, when using Easy Auth (Authentication/Authorization in App Service), the user would be directed to {your-app-service-url}/.auth/login/{provider} for logging with Server-managed authentication. Users who interact with your web application through the web browser would have a cookie and they can remain authenticated as the browser your web application. For other clients (e.g. mobile client), a JWT would be contained in the x-zumo-auth header, and the Mobile Apps client SDK would handle it for you.
According to your scenario, you are trying to use user-based authentication with your function. I did some test, you could refer to them:
Firstly, I created a HttpTrigger function wrote in C#, then set the Authorization level to Anonymous.
return req.CreateResponse(HttpStatusCode.OK, req.Headers,JsonMediaTypeFormatter.DefaultMediaType);
Note: I just return all headers with the special headers specified by App Service Authentication / Authentication. Some example headers include:
X-MS-CLIENT-PRINCIPAL-NAME
X-MS-CLIENT-PRINCIPAL-ID
X-MS-TOKEN-MICROSOFTACCOUNT-ACCESS-TOKEN
X-MS-TOKEN-MICROSOFTACCOUNT-EXPIRES-ON
For more details, you could refer to App Service Token Store.
Then I go to Platform features and configure the Microsoft Authentication Provider under Authentication / Authorization. For mobile client, just use the Mobile Apps client SDK for logging and invoke the function endpoint as follows:
In summary, you could use the Mobile Apps client SDK for authentication with your function app. And you could configure the Authentication Providers as you wish, then for your mobile client you could set the related provider name when calling LoginAsync for logging. For your function, you could check the X-MS-CLIENT-PRINCIPAL-IDP header and retrieve the current user info and token for the specific provider.
Since Azure Functions are built on top of App Services, like Mobile Apps, you can still use Azure Active Directory authentication or the API keys for the Http triggered functions.
Scenario: I already have a registered multi-tenant web application that is compatible with Azure SSO. I'm now in the process of developing an iOS application that will support SSO authentication for the app as well.
Based on the example provided in https://azure.microsoft.com/en-us/resources/samples/active-directory-ios/ I created a Native application for the iOS app with delegated permissions from my WebApp (ref: https://stackoverflow.com/a/29810124).
This works for any user that exists within the AAD that the app was created. However, as soon as I want to SSO from a different domain that has previously authorized the WebApp I get an error:
Application with identifier 'CLIENT_ID_HERE' not found in directory DOMAIN_HERE.onmicrosoft.com
This implies that the native application is not multi-tenant? This seems a bit bizarre considering it should be possible for users outside of the domain to SSO to an application.
Right now, for my browser based SPA I'm simply able to manually call the common Azure login page to consent and get an authorization code for a user. I then send this code to a backend (the WebApp) that performs the OAuth handshake and gets a valid token. This does not require a client_secret from the application because the SPA isn't actually performing token retrieval.
So when I attempted to use the WebApp's client_id instead (similar to what https://stackoverflow.com/a/27033816 is suggesting) I was met with an error with the Azure AD iOS SDK requiring that I provided a client secret as well. It seems that the SDK is abstracting a fair amount of this and grabbing a token for you rather than performing a step when I can simply get an authorization code and send it to my WebApp.
TLDR: My requirements are very similar to the ones outlined in multiple-tenant, multiple-platform, multiple-services single sign-on using Azure Active directory where I have multiple clients (browser, iOS, Android) that all need to be able to use Azure SSO. I'm assuming the mobile apps should be able to use my existing WebApp to authenticate the users.
The question posed in the answer of the previous SO post somewhat explains my issue:
How can my mobile app access my multi-tenant web api on behalf of the user?
References
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-authentication-scenarios#native-application-to-web-api
https://github.com/Azure-Samples/active-directory-dotnet-webapi-multitenant-windows-store
At present the native app which register on the Azure portal doesn't support multi-tenant. You may consider using the V2.0 endpoint which also support the Microsoft accounts.
TLDR: My requirements are very similar to the ones outlined in multiple-tenant, multiple-platform, multiple-services single sign-on using Azure Active directory where I have multiple clients (browser, iOS, Android) that all need to be able to use Azure SSO. I'm assuming the mobile apps should be able to use my existing WebApp to authenticate the users.
Did you mean that have different font-end and the Multi-Tenant Web Application is the back-end? In this scenario, there is no need to register another native client application on the portal, you can refer here about add authentication for the iOS app.
So the majority of Microsoft's tutorials use their AAD SDK to generate OAuth access tokens whereas I needed to simply get an authorization_code to send up to a backend that's registered as an existing multi-tenant web application so it could properly generate a token using its own client_id.
This was done using the correct redirect_uri in the AD OAuth code documentation:
For native & mobile apps, you should use the default value of urn:ietf:wg:oauth:2.0:oob
Note that sending up urn:ietf:wg:oauth:2.0:oob will actually result in a schema error for the multi-tenant OAuth login page (https://login.windows.net/common/oauth2/authorize) so you must use https://login.microsoftonline.com/common/oauth2/nativeclient instead.
I've got an existing mobile app that is integrated with Azure's mobile services. The mobile services are currently connected to Azure Active Directory with MFA enabled. I'm attempting to build a separate PHP-based web application that uses this existing mobile service and authentication.
Authentication
The only active directory of users is the cloud-based AAD. There is no local version and no office 365. After doing a lot of research, it appears PHP can integrate using SAML. However, there are either no PHP samples Azure Active Directory Code Samples or they're tied to Office 365 azure-sdk-for-php-samples.
How can I authenticate my users against AAD via the web-app?
Authorization
Once a user has been authenticated, how can I ensure that user has the same access levels as the user via the mobile service?
One option would be to have your PHP app serve a page using the Mobile Services JavaScript SDK and have it perform the login.
You'll get the same token that you would in your mobile app. To your question on authorization, as long as you're making subsequent backend calls through the Mobile Service, you will get the exact same authorization rules as you have defined on that service.
The token will be client-bound, and you'll likely want to get it back to your server for making calls. The actual Mobile Services token is located in client.currentUser.authenticationToken, and you can set this as a cookie in the javascript code and then retrieve it on your PHP backend in a subsequent call.
Calls to the Mobile Service (via the REST API) from your PHP backend just need this token set in the X-ZUMO-AUTH header.
This approach should work for all providers, including AAD. MFA should not be a problem in this case.
I know this question seems similar to other son here, but I have tried the answers posted Here: Securing WCF 4.5 service using Azure ACS 2.0
And Here: Federated authentication (single-sign-on) for a WCF REST/HTML-service on Azure
Ans neither seem to be relevant.
Here is what I have so far.
An azure cloud service with various worker roles, and a WCF web role with REST and SOAP Endpoints
An azure active directory account with a couple users
ACS namespace.
The WCF service will be used by a couple different companies but other than that closed off. We chose azure active directory to provide SSO for the wcf service and other apps.
Here is what I want to do:
Create users/passwords for each company using the WCF service in
Azure Active Directory.
Allow only companies with a valid username and password pair to obtain an access token
Have each company use their token to access the WCF methods.
I didn't think this would be that hard to accomplish, but all the tutorials out there seem to be for IIS hosted or self hosted services with a console application.
What I have done so far:
Added the WCF service as an integrated app in azure active directory
Created a new identity provider named testAAD in ACS and added the WS-Federation metadata from the integrated app to that provider
Added a relying party application that uses the newly created testAAD identity provider
Added a rule group with a pass-through rule that uses the testAAD Identity Provider and the default settings.
See option 1 here for more details.
I need to know if what I did was anywhere close to correct, and if it was, how do I get the WCFservice to start using those settings.
Other Info:
WIF 4.5
VS2012 Pro
C#
Any relevant tutorial links or general advice would be great. Thanks in advance.
Update:
Just to add more info, the WCF service is being posted to by a number of different websites. Each of our customers will collect data from their own web forms, and then either add a service reference using c# code, or post the data to a url via something like curl if they are using php. The Service has both rest and soap endpoints. So for example, they would send an XML or SOAP request to mynamespace.cloudapp.net/myservice.svc/servicemethod. I am either looking to have them send their username and password with that request and validate those credentials in the actual WCF Method, or have them request an authentication token, and then send that authentication token with their request.
Update 2
I think I found the missing piece. In order to use active directory as an identity provider, it looks like I need to set up an ADFS server. I had thought that the ADFS server was set up already with the azure active directory account, but apparently thats not the case? Is there any way to do this without an ADFS server?
The main question you haven't covered is how will these companies use that WCF service?. Via your web portal, or via rich client (such as WinForms / WPF)?
If it is rich client, you can take a look at this blog post? It shows you how to secure WCF service with token and access that service from a WPF application.
If you plan to only allow access to the WCF service via your web portal, then picture is a bit different. You can first protect your portal by Azure AD and get user's token. Then use that token to authenticate against the WCF.
But in a truly web scenario, the client that will make calls to the service is actually your web server. If this is the case, I will just protect my web portal with Azure AD. Then protect my WCF with a single access token. I can get that token from a Service Identity in my Azure AD Access Control. And provide this "Service Token" as part of each WCF call from my web server. For added audit (and compliance) I will also send the original user token, to keep track of who accessed what and when.