Is SAML authentication possible in Azure Web Apps? If possible, how can I configure Azure AD for SAML authentication? I tried finding a solution but the only Microsoft documents I've found regarding this is https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/saml-toolkit-tutorial . The problem within the document is that it doesn't specify any code related information
Yes - you need two things.
The application needs a client-side stack.
Azure AD has to be configured as an Enterprise application.
Related
I have a SAML 2.0 based Single Sign On working with Pingfederate, wso2 Identity server as well as ADFS. Its also working with Azure AD SAML 2.0 fedration. But I need to have my own setup to incorporate the recent changes by Azure on using multiple certificates for signing it responses which they claim to change dynamically.
Please point me to a quick setup resouce on this as I am new to Azure.
As per this,
Tutorials for integrating SaaS applications using Azure Active Directory
Configuring SAML based single sign-on for non-gallery applications
Your application may already be in the gallery (marketplace) in which case there will be a script or the latter provides instructions to do it manually via Enterprise applications.
I am a bit new to Azure AD and some of its features. I have a vendor application that wants to setup authentication & single sign on using our Azure Active Directory. The documentation they provided me with just walks through adding Azure AD SAML Toolkit as the enterprise application and configuring it accordingly. However, I noticed immediately that the description for that enterprise application was "This is the sample SAML app which customers can use to test the SAML single sign-on integration with Azure AD."
My question is, shouldn't a vendor application have setup an enterprise application for me to add to our Azure tenant or is it common and good practice for applications to use the Azure AD SAML Toolkit for production implementations?
So far I have found no reason documented that this is bad practice. We have implemented it for the vendor application and have had no issues up to this point.
I have configured the Azure AD Authentication for my asp.net core project using the services of "Microsoft.AspNetCore.Authentication.*" packages. The project is expected to be deployed to Azure App Service as a Web App.
While I enabled Azure AD authentication, I also see there is an option to enable the same at the Web App level through Application Settings on Azure Portal.
I have question around which option is recommended. I do see when I don't leverage Azure AD authentication configured via nuGet packages, I don't have OpenId connect service plugged into the StartUp.cs file. And I think these services are pivotal in populating the authentication properties like User.Identity.Name. On the other hand with just portal enabled authentication, I don't see this information populated. So, I presume if I want to do further work with logged in user's identity, like leveraging current claims information for authorization, I won't be able to achieve that with portal only authentication.
Your assessment is basically correct. The portal-enabled authentication runs completely outside your application and isn't capable of setting User.Identity.Name when using .NET Core (that level of integration only works with ASP.NET 4.x).
My recommendation is to use the ASP.NET Core NuGet package so you can get the full integration. It's a lot more work to set up, but once you get it working you should be in good shape and get the full end-to-end experience you want.
If you are interested in using the portal-enabled Azure AD authentication support, then take a look at this StackOverflow question to learn how you can get it to work with User.Identity.Name.
We have an API, we planning to publish this API in the Azure marketplace under developer service. For authentication, we are planning to use developer service SSO (Single sign-on) in API. I googled this but can't find any useful link, please suggest some links
Azure AD B2C became generally available recently and it somehow offers what you are looking for. You can use local Azure identity and/or social account for your end users to authenticate with SSO support.
https://azure.microsoft.com/en-us/services/active-directory-b2c/
With that being said and although you can secure your Web API with AAD b2C as in this guide, your customers won't be able to call this WebAPI from their own applications as the calling app must be registered in the same Azure AD directory with the same application Id. This is a limitation that is mentioned here:
Note:
Azure AD B2C currently supports only web APIs that are accessed
by their own well-known clients. For instance, your complete app may
include an iOS app, an Android app, and a back-end web API. This
architecture is fully supported. Allowing a partner client, such as
another iOS app, to access the same web API is not currently
supported. All of the components of your complete app must share a
single application ID.
If the above limitation is OK with you, then you might also be interested in this Azure article to list your app in the Azure AD application gallery.
I'd working on creating a ASP.NET 5 web application and would like to use ASP.NET Identity to manage users. I'd also like to use Azure Active Directory in a multi-tenant configuration. As I understand more about claims, I expect we will eventually create our own custom claims as well.
I see ASP.NET Identity can configure providers (Facebook, Google) but is it possible to set up Azure Active Directory to authenticate with Facebook / Google and have it flow through ASP.NET Identity? My guess is that flowing through Azure Active Directory would make our subsequent migration to claims authentication easier.
If so, any pointers to setting this up and road bumps that may be expected would be appreciated.
Regards,
Rajesh
Classic Azure Ad does not integrate directly with Facebook or Google, however the new B2C offer does. See http://aka.ms/aadb2c