Authentication for a Multi-Tenant SaaS Applications - azure

We are looking for Authentication methods for a Multi-Tenant SaaS application. We have been exploring Azure B2C but have not been able to provide suitable user to organization (Tenant) management.
We are exploring options like;
Microsoft's Azure AD B2C or an alternate service
B2C's Multi Tenant support to provide user/data segregation by Tenant (or Organization)
Environment;
We are using .Net Core 2 for the application and api's
We will have native phone applications that use the api's
Must use a common login service for all applications (Phones and Web)
What we need to do;
Authenticate Users
The first user for an Organization(Tenant) would;
create the organization
sent invitations to their organization's users
Subsequent users would take the invitation link
create an account joined to the organization using
Email/Username and Password
or connect a Social account to the invitation
or other services supplied by Azure AD B2C like another Azure AD
From the login service return a JWT Token
Needs to include the Organization to secure organization data
the JWT needs to be passed to child API's
Child API's will need to validate the token without external calls
Any ideas, sample applications or alternate products ideas are appreciated.

We did find http://identityserver.io/
A quick summary from their website;
The Open Source OpenID Connect and OAuth 2.0 framework for .NET.
IdentityServer is OpenID Certified and part of the .NET Foundation.
We are currently exploring this, and wanted to add this as a possible solution to the question.

Related

Federating my Azure Mobile App with Customer AD

I have a Xamarin based Azure Mobile App. Today, it has OAuth 2.0 authentication with providers such as Google, LinkedIn, Apple and Microsoft. In the backend it uses Azure AD B2C to provide authentication services through the above providers. My question is as follows:
How do I allow users who are part of a customer Active Directory organization to:
(a) Use their organization's AD credentials to authenticate against my app Virtos?
(b) Do SSO with my Xamarin Forms App (in UWP, Android and iOS) so that they don't have to login explicitly into my app
Here is my use case: User John Doe from Contoso organization has an active directory credential such as jdoe#contoso.com. When he downloads and registers with my app (Virtos), he simply enters his id: jdoe#contoso.com. When enters his password, it authenticates against his organization's AD as an authenticated user and provides a token to my app. From then on, he should be able to log into Virtos using his contoso id and password. Essentially I am looking to replicate this pattern with users from multiple organizations.
Pardon the generic nature of my query but I have done the necessary research on this topic to the best of my ability. I am looking for samples, tutorials and how-to on how to federate my app with an organization's AD. I have found examples of generic federation between organizations but I am specifically looking for examples of federation between a Xamarin Forms front-end based Azure Mobile Service and a Corporate AD.
Any and all help will be appreciated.

Azure B2C Invite Consumer Users & Retrieve User Permissions

Can someone provide a general approach to meeting these requirements? I've spent a bit of time researching these various topics and attempting to implement solutions and I'm surprised at how much work is involved. Hopefully I'm missing something.
How do I invite consumer users to a B2C tenant so that they can authenticate into our application using their social accounts (ex: Personal Microsoft or Google accounts)? The only baked in solution on the Azure Portal I've found uses B2C local accounts. Note that I do not want to use a publicly accessible Sign Up flow.
Presently I'm looking into a custom process that would work by inviting users to a 'local' b2c consumer account and then allowing the user to associate their social account with the local account.
Once users have authenticated (using MSAL v2 Auth Flow w/PKCE), I want to retrieve a list of permissions the user has for our application.
I'm looking into two options here:
(1) use the auth token to verify user against an internal API that, in turn, makes a call to the Microsoft Graph API to get the user's group memberships.
(2) Create a custom claim that serves the same purpose as user groups
Administrative users of our application need to be able to invite additional users to the application.
I've found some articles that point, again, to using custom policies.
Thank you very much!
EDIT #1 -
Looking into using B2C & Microsoft Graph API I came across some decent, and recent, MS Resources:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-operations
And this important-to-me statement -> Microsoft January 28th, 2021:
"Although the OAuth 2.0 client credentials grant flow is not currently directly supported by the Azure AD B2C authentication service, you can set up client credential flow using Azure AD and the Microsoft identity platform /token endpoint for an application in your Azure AD B2C tenant. An Azure AD B2C tenant shares some functionality with Azure AD enterprise tenants."
I'll update my post when I find a solution. Thanks again!
You need to use custom policies.
For first bullet point, see my sample:
https://github.com/azure-ad-b2c/samples/tree/master/policies/link-local-account-with-federated-account
You could do either option. For option 1, AAD B2C can call your api which can call graph api to fetch groups. Then embed the info into the token. For option 2, you could write a role value to an extension attribute and return it in the token.
To invite users, you could use the invite sample. Essentially make an app that calls an API to generate these invite links and send those to the users email. The user clicks the link which allows them to complete their sign up.
https://github.com/azure-ad-b2c/samples/tree/master/policies/invite

Role based authorization with Azure ADB2C having mobile app(Xamarin Forms IOS app) as a client

We have a scenario where in mobile app(Xamarin Forms IOS APP) logs into the Azure ADB2C and generate a JWT token if the user is a valid user(user is configured in Azure AD B2C). We have a requirement where in, we need to generate a token based on the role i.e. based on the role with which user logs in, we want to generate a token and that token we are trying to use it in subsequent Web API calls.
Articles which we found out on this particular scenario was having web application as a client where in some mechanism of secrets were explained. In the mobile app client scenario, its not possible to have a secrets.
Followed the below mentioned article, but couldn't get any concrete information also
https://codemilltech.com/adding-authentication-and-authorization-with-azure-ad-b2c/
Any pointers on this particular scenario would be very much helpful to us.
Thanks!
There is no out-of-the-box support for RBAC / Roles in Azure AD B2C. However there are a lot of samples in the official GitHub repository. For example the "Implementing Relying Party Role Based Access Control" by this method you can add the groups to JTW token and also prevent users from sign-in if they aren't members of one of predefined security groups.

Azure Graph API - best way to onboard organizations (app registration and consent proces)

We are developing a SaaS to analyze customer's data within office365 via Graph API and application permissions.
I'm trying to understand the best(and most automated) flow for onboarding the customers. Ideally, the Azure Global Administrator login in our webapp using Microsoft Identity and gives consent to create an account (app registration or enterprise application) with the relevant application permissions. With these permissions our SaaS has access to analyse data.
As of right now, I'm only able to solve this through manual procedure in making the App Registration together with customer on their Azure Tenant which gives me the Client ID, Tenant ID and Secret for our SaaS to authenticate with. I'm assuming something more fancy is possible :)
Also, I was hoping for a method which involved a multi-tenant registration, if that somehow enables reuse of a single app registration or Enterprise application (e.g. in our own Azure tenant) across multiple tenants (customers).
According to your description: you want to use a single application registration or enterprise application between multiple tenants, then you only need to change the application to a multi-tenant application, because changing the application to a multi-tenant application allows any tenant log in.
Next, you need to request the consent of the administrators of other organization tenants. You can send the login request URL: https://login.microsoftonline.com/{Other company tenant_id}/adminconsent?client_id={client-id}. After the administrator consent, it will be added to other organization tenants as an enterprise application in.

multiple-tenant, multiple-platform, multiple-services single sign-on using Azure Active directory

I have the following services
Service1.SomeDomain.com
Service2.SomeDomain.com
Service3.SomeDomain.com
I have a Web application that has a client side script that will talk directly to each of the above services to retrieve information
Web.SomeDomain.com
I also have Native Mobile client applications which also will talk directly to each of the above services
Android
IOS
Windows/Windows Phone
Now this application will be a SaaS solution where customers can sign-up online create their own tenant and then create user accounts for there employees and add the employees to groups and change permissions of those groups.
Now i need a solution that a user can log on to a mobile application or Web and it be allowed to gain access to the above mentioned services depending on there groups permissions, but i want strong separation of each tenant
Looking at the tags it seems you are considering Azure AD. Good choice. Azure AD allows developers to secure their SAAS APIs and Web/Mobile Apps. Azure AD satisfies all the requirements that you've described - it even has client SDKs for the popular platforms.
The following should see you through:
Authentication scenarios supported by AAD (http://msdn.microsoft.com/en-us/library/azure/dn499820.aspx): will answer questions like - how can my mobile app access my multi-tenant web api on behalf of the user, or how can my web app sign-in the user as well as receive a delegated token to access my web api
AAD integrated multi-tenant SAAS application sample (https://github.com/AzureADSamples/WebApp-MultiTenant-OpenIdConnect-DotNet): covers special techniques for multi-tenant apps
Authorization using group membership (https://azure.microsoft.com/en-us/documentation/articles/web-sites-authentication-authorization/): describes how you can perform authorization in your application per the group membership of users.
Enjoy.
Hope this helps.

Resources