Using Header Variables for User Authentication - azure

I am not sure if I am asking this question correctly or not, but if a user is authenticated through MS Azure, can Azure send the identity of the user to another system through HTTP header variable?
If so, what if the HTTP server on the other system is Apache based and not IIS. Is it still possible? If yes, how is it done?
Thanks

The closest option available in the Azure AD offerings is Header based SSO.
Header-based single sign-on works for applications that use HTTP
headers for authentication. This sign-on method uses a third-party
authentication service called PingAccess. A user only needs to
authenticate to Azure AD.
If you could expand your question a bit more, maybe we can help with a better answer

So the flow as I understand is like follows..
Salesforce redirects the user to Azure AD
Azure AD authenticates the user (uses SAML) and sends the SAML token back to salesForce
The user who signed in to SalesForce now redirects to a Siebel App?
The expectation is that the user would not have to authenticate again for Siebel?
The quick answer is that Azure AD will authenticate the user using header-based, SAML or OpenID only if the Siebel app is registered with Azure AD.
Without registration, Azure AD has no knowledge about this app (Siebel) and wont deal with it.
During registration, Siebel developers can choose if they want to use SAML, header based or OpenId for authentication and Azure AD will automatically Single sign-on an already signed in user (like in this example the user has already signed-in to SalesForce) to Siebel and wont prompt the user for credentials.

Related

Single Logout Implementation using ITfoxtec Library

We are trying to implement Single Logout functionality in Azure AD B2c using Itfoxtec Saml library.
We have tried multiple configuration options but the SingleLogout method is not working as expected.
We need a reference article or post on how to configure manifest file when using ItFoxtec library.
We have already referred below articles
https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/tree/master/test/TestWebAppCore
https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy
It sounds like you have achieved to do logout in Azure AD B2C initiated from your application implementing the ITfoxtec Identity SAML 2.0 component.
Single logout is the case where someone other than your application initiated logout or you want to do logout in an external IdP. For this to work you need to configure session management correctly in Azure AD B2C, maybe that is the missing part?
Also the single logout endpoint is separate in the refired sample. The endpoint is exposed in the metadata.
Please check the below points :
You can redirect the user to the end_session_endpoint.Try if it logs out completely with GET request to
https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{name-of-b2c-login-userflow}/oauth2/v2.0/logout?post_logout_redirect={static-webapp-url}/.auth/logout.
a) The user may still be signed in to other applications that use
Microsoft accounts for authentication. To enable those applications to
sign the user out simultaneously, the Microsoft identity platform
sends an HTTP GET request to the registered LogoutUrl of all the
applications that the user is currently signed in to.See Microsoft
identity platform and OpenID Connect protocol - Microsoft identity
platform | Microsoft Docs
b) If you wish to support single sign-out in your application, you must implement such a LogoutUrl in your application's code. You can set the LogoutUrl from the app registration portal.or edit from the manifest like below.
Also try by giving front channel logout url which has to result in single signout.
Please check if you should call the Logout method like here > sample code. The SingleLogout is called by an IdP (Azure AD B2C) if it wants to initiate logout in your relaying party application.
Please check if you are using ITfoxtec Identity SAML2 component without a NameID, which may not be able to do logout or single logout. NameID is optional in login but not in logout and single logout.
References:
Configure Azure Active Directory B2C as a SAML IdP to your
applications | Microsoft Docs
itfoxtec identity saml2 - How to single logout from Azure AD B2C
with ITFoxTech SAML 2 library? - Stack Overflow
Configure Azure Active Directory B2C as a SAML IdP to your
applications | Microsoft Docs

How do I programmatically login or get the JWT token of a logged in Google user in Azure AD?

I already setup the Google Identity Provider in Azure Active Directory and can invite users to my application. After the Google user accepts the invitation, I can see their user object in Active Directory. What I would like to do next is to programmatically login the user using the Google federation or get the JWT token of the logged in Google user.
For user objects created in AD, I can programmatically login the users using ROPC. I understand this is not possible for external users authenticated using Google federation.
• Kindly please take note of this that Azure AD does not support ROPC flow method of credential authentication for federated accounts. Also, when you are using ROPC method, your credentials are at risk of compromise as they are passed directly in the body of API authentication request. Thus, I would suggest you use client credential flow for this purpose as it can access the data from both sides.
• Since you want to programmatically login using the Google federated user to some application or SaaS platform, I would suggest you refer the below link which describes sufficiently how you can use the federated domain’s user login credentials to login to an application or a SaaS platform. In this link, it is stated that you should configure the Azure Policy regarding the Home realm discovery to false and configure the federated domain as its preferred domain for logging in. Also, if you want to retrieve the access token only, then you can use the ‘Postman’ application or ‘https://jwt.ms’ as the redirect URI for that purpose.
https://medium.com/#amanmcse/ropc-username-password-flow-fails-with-aadsts50126-invalid-username-or-password-for-federated-90c666b4808d

Single-Sign Out on Azure AD B2C

I have a 2 application using a single AD B2C tenant. I want to logout the user from both websites when the user signs out to either one of them. I'm using email for local accounts.
In AAD, there is a LogoutUrl registered on each application which receives a GET request to users currently signed in to. Source
I wonder if there is workaround for AD B2C like in AAD.
PS: I am using this repo as reference.
Azure AD B2C doesn't support Single Log Out and we weren't able to find a workaround.
I've understood that in B2C scenarios Microsoft has assumed that IdPs are "social-media" type and considered it is not of end-users interest to be logged out of Facebook when they log out of some service to which they've authenticated via Twitter. Makes sense in that scenario.
However, in government-provided IdP scenarios it is usually a hard requirement to be able to support SLO.
We considered it to be more of a limitation by-design in B2C than technical, so we moved to using another authentication service provider that supports SLO. Apparently a wise choice as I haven't at least heard anything regarding SLO and Azure B2C as of today.
According to the documentation that is possible:
When you redirect the user to the Azure AD B2C sign-out endpoint (for
both OAuth2 and SAML protocols), Azure AD B2C clears the user's
session from the browser. However, the user might still be signed in
to other applications that use Azure AD B2C for authentication. To
enable those applications to sign the user out simultaneously, Azure
AD B2C sends an HTTP GET request to the registered LogoutUrl of all
the applications that the user is currently signed in to.
Applications must respond to this request by clearing any session that
identifies the user and returning a 200 response. If you want to
support single sign-out in your application, you must implement a
LogoutUrl in your application's code.
The suggested answer was from 3 years ago.
Please have a read here.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#single-sign-out
Apparently, B2C does support single sign out, but I could not get it to work despite following the steps and I'm looking for answers on SO.

Using saml tokens in Azure AAD oauth authentication

I have an application that authenticates users agains Azure AD using OAuth and I want to provide the ability to setup certain information associated to each user by his admin in Azure AD, so I can read it as part of the authentication process. I would also like to be able to use the claims functionality provided by Azure ActiveDirectory so the admin can define custom mappings between user attributes in his AD and what I am going to read, as explained here.
Apparently those claims can only be read from a SAML token that would be the result of a SAML authentication, but since I am already authenticating using OAuth I would like to avoid having to do that. My question therefore is: can those SAML tokens or the information contained in them be obtained somehow either as part of the OAuth authentication process or afterwards?
When you say "provided by ActiveDirectory" you mean Azure AD not on-premises AD?
There is no way currently to add claims to the token in Azure AD. They are "canned".
That link you refer to is for SaaS application in Azure.
The way to get information out of Azure AD is via the Graph API.

Azure AD B2C - Sign out a user from all sessions

I have 3 websites using a single B2C tenant. I have been asked to set it up so that when a user signs out of one website, sign out of them all.
Likewise if their account is deleted.
I thought that I would have to introduce a call to Azure on every request to determine if the user is still logged in, but as far as I can see, there isn't a Graph API endpoint that would allow me to determine the user status.
Am I thinking about this the wrong way? Is there a way to do this easily using B2C, Graph API, the Active Directory client etc.?
Maybe there is an option when setting up the OpenIdConnectAuthenticationOptions for example.
According the description on Azure Document:
While directing the user to the end_session_endpoint will clear some of the user's single sign-on state with Azure AD B2C, it will not sign the user out of the user's social identity provider (IDP) session. If the user selects the same IDP during a subsequent sign-in, they will be reauthenticated, without entering their credentials. If a user wants to sign out of your B2C application, it does not necessarily mean they want to sign out of their Facebook account entirely. However, in the case of local accounts, the user's session will be ended properly.
So you can directly use the end_session_endpoint. You can find it in the metadata document for the b2c_1_sign_in policy endpoint, e.g.:
https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=b2c_1_sign_in
You can refer to Azure Active Directory B2C: Web sign-in with OpenID Connect for more info.
Any further concern, please feel free to let me know.
I might be late. But if that helps. A.c to docs
When you redirect the user to the Azure AD B2C sign-out endpoint (for both OAuth2 and SAML protocols), Azure AD B2C clears the user's session from the browser. However, the user might still be signed in to other applications that use Azure AD B2C for authentication. To enable those applications to sign the user out simultaneously, Azure AD B2C sends an HTTP GET request to the registered LogoutUrl of all the applications that the user is currently signed in to.
Applications must respond to this request by clearing any session that identifies the user and returning a 200 response. If you want to support single sign-out in your application, you must implement a LogoutUrl in your application's code.
This is called single sign out .
Please refer to https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-overview#single-sign-out
Microsoft has an API for this by now. I link to the following blog, as the documentation is currently wrong.
microsoft developer blog: revokeSignInSessions & invalidateAllRefreshTokens
Request
POST https://graph.microsoft.com/beta/users/{id}/revokeSignInSessions
Response
HTTP/1.1 204 No Content

Resources