I have a NodeJS Application utilizing OAuth2. I do not have SSL. I am trying to authenticate using Single Sign-on with Microsoft. While it works on localhost, it doesn't work with network's IP. Any idea?
On MS Website it says I should be able to:
The Azure AD application model today supports both HTTP and HTTPS schemes for apps that sign in Microsoft work or school accounts in any organization's Azure Active Directory (Azure AD) tenant. That is, the signInAudience field in the application manifest is set to either AzureADMyOrg or AzureADMultipleOrgs. For the apps that sign in Personal Microsoft accounts and work and school accounts (that is, signInAudience set to AzureADandPersonalMicrosoftAccount) only the HTTPS scheme is allowed.
I have the Manifest set to AzureADMultipleOrgs.
The redirect URL should still be using HTTPS.
In general, they do not support transmitting tokens over unsecured channels. Currently, apps that are registered in the Application Registration Portal are restricted to a limited set of redirect URI values. The redirect URI for web apps and services must begin with the scheme https.
Fixed for all users - Web App URL - https://foo.bar.com
Entity ID - https://foo.bar.com/auth/callback?id=<unique-app-id>
Unique for each app
Callback URL - https://foo.bar.com/auth/callback?id=<unique-app-id>
Please suggest an approach specific to Azure AD.
We can achieve this by the following approaches:
Configuring the application in different tenants in Azure AD.
The service provider can send the ACS URL to the IdP, so that it can be redirected to that URL after login. Note: IdP-initiated login would use the default ACS URL configured in Azure AD.
We have a website hosted in IIS, and we have pointed multiple domains to the same website,
like:
www.exmple.com
www.example.in
www.wxaple.co.uk
and so on.
Similarly, we have pointed more than 30 domains to this website.
Before, there was no authentication on this website; now we need to implement authentication. So we have used OpenID Connect and Azure AD for authentication.
https://learn.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-protocols-openid-connect-code
This is working fine for one domain because we can configure the redirect URL for one domain. But how can we make sure this will work fine for all domains?
Or is there any other approach to implementing this?
Though you have many domains in a website, when you login in your website the appId is the same. So, you could use the access token to request your domain website.
BTW, you need to add each of your domains to the Redirect URIs of the app registered in your Azure AD.
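A server-side pattern for the multi-domain case above and for the HTTPS rule quoted in the first thread, written here as an added example (not code from any of the posts): every domain gets its own registered redirect URI, and the app picks redirect_uri only from that allowlist, never by echoing the raw Host header. The domain names, callback path, localhost port and tenant/client values are constructed placeholders.

```javascript
// Constructed allowlist: one entry per domain pointed at the site, each of which
// must also be added as a Redirect URI in the Azure AD app registration.
const REGISTERED_REDIRECT_URIS = [
  'https://www.example.com/auth/callback',
  'https://www.example.in/auth/callback',
  'https://www.example.co.uk/auth/callback',
  'http://localhost:3000/auth/callback', // http is tolerated only for local dev
];

// Azure AD accepts http only for localhost; everything else must be https.
function isAllowedScheme(uri) {
  const u = new URL(uri);
  if (u.protocol === 'https:') return true;
  return u.protocol === 'http:' &&
    (u.hostname === 'localhost' || u.hostname === '127.0.0.1');
}

// Index the registered URIs by normalized origin (lowercase host, default port dropped).
function buildAllowlist(uris) {
  const byOrigin = new Map();
  for (const uri of uris) {
    if (!isAllowedScheme(uri)) {
      throw new Error(`redirect URI must use https (or http on localhost): ${uri}`);
    }
    const u = new URL(uri);
    byOrigin.set(u.origin, u.href);
  }
  return byOrigin;
}

// Resolve the redirect_uri for the current request. The return value is always a
// string that is literally in the allowlist, so a spoofed Host header can only
// yield null (reject the login), never a redirect to an unregistered origin.
function resolveRedirectUri(allowlist, requestProto, requestHost) {
  let origin;
  try {
    origin = new URL(`${requestProto}://${requestHost}`).origin;
  } catch {
    return null; // malformed Host header
  }
  return allowlist.get(origin) ?? null;
}

// Build the v2.0 authorize URL; the same redirect_uri must be sent again when the
// authorization code is exchanged for tokens. (Hypothetical tenant/client values.)
function buildAuthorizeUrl(tenant, clientId, redirectUri, state) {
  const params = new URLSearchParams({
    client_id: clientId, response_type: 'code', redirect_uri: redirectUri,
    scope: 'openid profile', response_mode: 'query', state,
  });
  return `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/authorize?${params}`;
}
```

In an Express handler the inputs would be req.protocol and req.get('host'), and a null result should end the request with a 400 rather than a redirect.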
I've registered an app in Azure AD and can successfully authenticate users against it while running on localhost.
The Azure AD app's Redirect URI is set to https://localhost:44352/sigin-oidc and the Logout URI is https://localhost:44352/signout-oidc
If I deploy my MVC app to Azure the host name will be different from "localhost". Do I have to register another app for deployment or just add a second redirect URI? But what about the logout URL then - only one can be configured there?
Second redirect URI. Here are some pointers on restrictions on redirect URIs.
The Logout URI is only relevant to your application, not the application registration.
If you are referring to the post_logout_redirect_uri, as described here, it must be registered in the redirect_uris as well:
Or if you consider the logoutUrl as described in the Manifest - that is only used when you perform a Single-sign-out of all web apps, as described here. Frankly, there are very few reasons to use the single sign out capability of Azure AD. And, it requires of course that all apps are configured for single sign out.
I am registering a Native application in the Microsoft application registration portal with the goal of giving it delegate permission to my separately registered Azure Web API. As I understand, this is the normal setup for desktop or mobile application, because an authorization UI cannot be directly shown to the user.
Since my application is an Amazon Alexa skill, I must use the mandated Alexa redirect links. Within the Microsoft application registration portal these links need to be placed in the custom redirect URIs section of my native application platform (See image below). It would like me to use a URI like "msalaaaaa-bbbb-ccc-dddd-111111111111://auth", which I guess works for Azure mobile and desktop native applications.
Why does the portal not permit an http URI? When will this feature be implemented, or do I have a misunderstanding?
Thanks,
Microsoft does not support transmitting tokens over unsecured channels. Currently, apps that are registered in the Application Registration Portal are restricted to a limited set of redirect URI values. The redirect URI for web apps and services must begin with the scheme https, and all redirect URI values must share a single DNS domain. For example, you cannot register a web app that has both of these redirect URIs:
https://login-east.contoso.com
https://login-west.contoso.com
I've got an existing mobile app that is integrated with Azure's mobile services. The mobile services are currently connected to Azure Active Directory with MFA enabled. I'm attempting to build a separate PHP-based web application that uses this existing mobile service and authentication.
Authentication
The only active directory of users is the cloud-based AAD. There is no local version and no office 365. After doing a lot of research, it appears PHP can integrate using SAML. However, there are either no PHP samples Azure Active Directory Code Samples or they're tied to Office 365 azure-sdk-for-php-samples.
How can I authenticate my users against AAD via the web-app?
Authorization
Once a user has been authenticated, how can I ensure that user has the same access levels as the user via the mobile service?
One option would be to have your PHP app serve a page using the Mobile Services JavaScript SDK and have it perform the login.
You'll get the same token that you would in your mobile app. To your question on authorization, as long as you're making subsequent backend calls through the Mobile Service, you will get the exact same authorization rules as you have defined on that service.
The token will be client-bound, and you'll likely want to get it back to your server for making calls. The actual Mobile Services token is located in client.currentUser.authenticationToken; you can set this as a cookie in the JavaScript code and then retrieve it on your PHP backend in a subsequent call.
Calls to the Mobile Service (via the REST API) from your PHP backend just need this token set in the X-ZUMO-AUTH header.
This approach should work for all providers, including AAD. MFA should not be a problem in this case.