Active Directory and Express/Node - node.js

I would like to use Active Directory with a REST API Express backend: users would fill out a username and login form on the client side and get authenticated with their Active Directory credentials through the backend. Then, based on their user groups, they would see certain information. I have tried the node package passport-windowsauth, but I am not able to authenticate, possibly because I don't know what the bindDN or bindCredentials are. I have also tried node-sspi, and had better luck with this, but the issue with this is that it's only server-side, and as far as I can tell, I can't create a form that would then allow the user to authenticate from the client side. I am hosting this site on IIS, and using iisnode for the backend. How can I achieve this Active Directory authentication with Node/Express server-side and a client-side login form, or in other words, not a .NET application?

Active Directory (AD) authentication is accomplished by binding to Active Directory with credentials (not the credentials from the user form) supplied by your AD engineers. After binding, AD is searched for matching credentials (from the user form).
Basically, you need to talk to your AD engineers about what you should use.
Then you need a /login/ route that the user form submits to; the route performs the login (AD bind, authentication) and returns to the client.
A simpler workaround can be to bind to AD with the credentials entered into the login form: a successful bind means the user is logged in. I would, again, talk to your AD engineers about how they prefer this to be done. I've run into problems in the past where it took a long time to authenticate users after binding, so we used this as a workaround.
You might ask if your AD already has single-sign-on options; maybe they use Shibboleth or something similar.

You should try this package: https://www.npmjs.com/package/ad. I'm not sure it will meet your requirements, but it's a very easy way to work with Active Directory in a Node/Express back end.

Related

React app using msal-react, how to automatically authenticate user

I'm working on a react app where the pages can be used both by authenticated and anonymous users. The pages show more features for the authenticated users.
If a user has previously signed in and revisits the website, I want the user to be automatically authenticated, and am struggling to achieve this.
I'm using redirect methods because I don't believe popup is working well on phones (is that assumption correct?).
I have tried storing the homeAccountId in local storage and using that to get the account, and then calling login on the msal instance. I also set up an addEventCallback and listen for EventType.LOGIN_SUCCESS, which I use to set some internal state about the logged-in user.
I have tried using MsalAuthenticationTemplate, but strangely this doesn't invoke a login. I have also tried to detect if this is a "first run" and then invoke the login, but that doesn't work all the time. Sometimes I get an SSO error indicating I should provide a login_hint or sid, which is not possible because I use B2C.
If I don't do anything, the user can click the login button, and if the user has a valid cookie with B2C, the user is logged in without providing credentials, which is strange behavior for the user because my website indicates the user is not authenticated (and shows no logout button).
So I can't really get this to work and am wondering if somebody has a concept for achieving this?
Please checkout the msal-react samples which all demonstrate the behavior you're looking for. The MsalAuthenticationTemplate would be the recommended way to do this and if you're still having issues getting this to work after reviewing the samples I would recommend opening an issue on our repo with code snippets so we can take a closer look at what's going on.
Also, using localStorage, if you're not already, would help to maintain application state between browser sessions. sessionStorage is the default.
As for B2C not asking for credentials; server state is separate from client state. You can be signed in on the server without the application knowing about it. Until your application makes a request to the B2C server your application will show that a user is not signed in. If a session already exists on the server when you make a login request, the server may redirect you back to your application without asking for credentials again.
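The client-side startup step that makes the UI agree with the server-side session the answer describes, as an added example that is neither the answer's code nor an msal-react sample: before the first render the app asks MSAL for a cached account and, if one exists, attempts a silent token acquisition. It assumes `msalInstance` exposes the `@azure/msal-browser` PublicClientApplication methods `getAllAccounts()`, `setActiveAccount()` and `acquireTokenSilent()`; the clientId and authority are placeholders, and `makeFakeMsal` is a constructed stand-in so the file runs offline.

```javascript
// Added example: restore a cached MSAL account on startup so the UI reflects the existing
// server-side session. The fake MSAL instance at the bottom is constructed for offline use.

const msalConfig = {
  auth: {
    clientId: '00000000-0000-0000-0000-000000000000', // placeholder
    authority: 'https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1_signin', // placeholder
    knownAuthorities: ['contoso.b2clogin.com'],
    redirectUri: '/',
  },
  // sessionStorage (the default) is emptied when the tab closes, so a returning user always
  // looks signed out; localStorage keeps the account cache across browser sessions.
  cache: { cacheLocation: 'localStorage' },
};

// Returns the auth state to render on first paint. It deliberately never calls loginRedirect:
// an unprompted redirect on every visit would also bounce anonymous users to B2C.
async function restoreSession(msalInstance, scopes) {
  const accounts = msalInstance.getAllAccounts();
  if (accounts.length === 0) {
    return { authenticated: false, account: null, reason: 'no-cached-account' };
  }
  const account = accounts[0];
  msalInstance.setActiveAccount(account);
  try {
    const result = await msalInstance.acquireTokenSilent({ account, scopes });
    return { authenticated: true, account, expiresOn: result.expiresOn };
  } catch (err) {
    // Typically InteractionRequiredAuthError once the refresh token has expired: the cached
    // account is stale, so render the signed-out UI and let the Login button start the redirect.
    return { authenticated: false, account: null, reason: err.errorCode || String(err) };
  }
}

// ---- constructed fake MSAL instance so the example runs offline ----
function makeFakeMsal({ accounts = [], silentFails = false } = {}) {
  let active = null;
  return {
    getAllAccounts: () => accounts,
    setActiveAccount: (a) => { active = a; },
    getActiveAccount: () => active,
    async acquireTokenSilent() {
      if (silentFails) {
        const err = new Error('interaction_required');
        err.errorCode = 'interaction_required';
        throw err;
      }
      return { accessToken: 'constructed-token', expiresOn: new Date('2030-01-01T00:00:00Z') };
    },
  };
}
```

In a redirect-based app, run this after `handleRedirectPromise()` has settled so that a response coming back from B2C is processed before the cached-account check. Moving the cache to localStorage widens the window in which an XSS bug can read tokens, so treat that choice as a trade-off rather than a free setting.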

Auto login with Azure outside of VPN

I'm currently working on a SPA with Electron that uses Azure to log the user in. For this, I'm passing the "domain_hint" query string in the authorize request to bypass the login screen. Indeed, the user is inside a specific domain, so they get logged in without any prompt.
I tried this connected to a VPN, and it works. However, when I disconnect from the VPN, it does not work anymore. I kind of understand why but then I'm wondering how I could work around this. I'm thinking about application such as Teams or OneDrive that ask you to login once then never ask it again, how is it working? Can I do the same with my Electron app?
So for Teams, it uses modern authentication (ADAL or MSAL); it's also an Electron app. Once the user logs in, Teams will store the access token in a cookie, and maybe a refresh token? Then every time you start it up, it will just use that. So yes, you can do something similar. You just have to store the relevant token and grab it from storage to use.

How do I protect a node.js app using the saml2-js package?

I've successfully integrated the saml2-js package with my node.js application, and I've confirmed that the authentication process is completing successfully. However, I'm not really sure how to properly put the app or routes behind the authentication. The saml2-js example doesn't cover that scenario (and maybe that makes sense). So how do I put the app behind the authentication?
I have successfully completed our SSO over SAML 2.0 task in my organization, so I might be able to help you; at least I can share my experiences.
So here's how we did it.
First of all, you need to find out if a certain set of users want to do SSO. This isn't that trivial, because before authenticating themselves you don't know who wants to log in to your system. In our case, we have big corporate users. So we can't just put a "Login by Okta" or "Login by ADFS" button for every customer, because some customers want the IdP to be Okta, others want it to be ADFS, etc. We solved this by introducing subdomains, and we identify the corporate account by the URL. Then we can check which IdP that corporate account wants to use and put a matching SSO button accordingly.
Then, when the user clicks the SSO button, you create the login request, after which, if the user successfully identified themselves at the IdP, you are ready to create a security context (a.k.a. session). Then this session will guard your endpoints and app. Once you have created the session, the user is actually "logged in" to your app.
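The two pieces the answer above describes, picking the IdP from the request's subdomain and guarding routes with the session created after the assertion is accepted, as an added example that is not the answer's code and not part of saml2-js. It assumes the saml2-js callback form `sp.post_assert(idp, { request_body }, cb)` with `saml_response.user.name_id`, an express-session `req.session` with `regenerate(cb)`, and constructs the tenant table, a fake service provider and fake request/response objects so it runs offline.

```javascript
// Added example: subdomain -> IdP lookup, /assert handler that builds the session, and a
// requireAuth middleware. Tenant table and fakes are constructed for offline use.

const tenants = {                                    // constructed
  acme: { idp: 'okta', displayName: 'Login with Okta' },
  globex: { idp: 'adfs', displayName: 'Login with ADFS' },
};

// The Host header is attacker-controlled: the subdomain is only a key into a known table,
// the apex domain is pinned, and only one plain label is accepted.
function resolveTenant(host, baseDomain = 'example.com') {
  const hostname = String(host || '').toLowerCase().split(':')[0];
  const suffix = '.' + baseDomain;
  if (!hostname.endsWith(suffix)) return null;
  const sub = hostname.slice(0, -suffix.length);
  if (!/^[a-z0-9-]+$/.test(sub)) return null;
  return Object.prototype.hasOwnProperty.call(tenants, sub) ? { id: sub, ...tenants[sub] } : null;
}

// Mount as: app.post('/assert', express.urlencoded({ extended: false }), makeAssertHandler(sp, idps))
function makeAssertHandler(sp, idps) {
  return function assertHandler(req, res) {
    const tenant = resolveTenant(req.headers.host);
    if (!tenant) return res.status(404).send('unknown tenant');
    sp.post_assert(idps[tenant.idp], { request_body: req.body }, (err, samlResponse) => {
      if (err) return res.status(401).send('SAML assertion rejected');
      // Fresh session id at the privilege change, so a session id fixed before login is not upgraded.
      req.session.regenerate((regenErr) => {
        if (regenErr) return res.status(500).send('session error');
        req.session.user = { nameId: samlResponse.user.name_id, tenant: tenant.id };
        return res.redirect('/');
      });
    });
  };
}

// Guards every route mounted after it: app.use(requireAuth)
function requireAuth(req, res, next) {
  if (req.session && req.session.user) return next();
  return res.status(401).send('login required');
}

// ---- constructed fakes (service provider, request, response) so the example runs offline ----
function makeFakeSp(validResponses) {
  return {
    post_assert(idp, options, cb) {
      const hit = validResponses[options.request_body.SAMLResponse];
      if (!hit || hit.idp !== idp.id) return cb(new Error('invalid assertion'));
      return cb(null, { user: { name_id: hit.name_id } });
    },
  };
}

function makeFakeReq(host, body) {
  const session = {
    regenerate(cb) {
      for (const k of Object.keys(session)) if (k !== 'regenerate') delete session[k];
      cb(null);
    },
  };
  return { headers: { host }, body, session };
}

function makeFakeRes() {
  const res = {
    statusCode: 200, body: null, redirectedTo: null,
    status(c) { res.statusCode = c; return res; },
    send(b) { res.body = b; return res; },
    redirect(u) { res.redirectedTo = u; return res; },
  };
  return res;
}
```

The assertion handler rejects a valid Okta response presented on a tenant configured for ADFS, because the IdP object passed to `post_assert` comes from the resolved tenant rather than from anything in the request body.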

Accessing Third Party Apps After Creating A Session Via API Token

I've scoured the api docs, as well as StackOverflow, and I've yet to find the answer to my question. And it is possible I'm misunderstanding how the system works.
Here's the scenario our client wants:
User logs into our website
At which point we authenticate the user in our system, and in OneLogin via the API.
After the user logs into our dashboard, they can click a link and be redirected to their third-party analytics app, due to the fact that I've created a new session with OneLogin.
Here are the steps I've completed.
I've successfully received an access token via --> https://developers.onelogin.com/api-docs/1/oauth20-tokens/generate-tokens
I've successfully used the access token to generate a session login token via --> https://developers.onelogin.com/api-docs/1/users/create-session-login-token
I've successfully used the session login token to create a new session.
I'm receiving the proper cookies from OneLogin after making the create-new-session request, and at that point, if I enter the URL onelogin.com/login, I am taken directly to the dashboard.
At this point I know I'm properly authenticated with OneLogin. However, I'm not sure how to directly access a third-party app from a link on our website.
Thanks.
Two ways:
If the app supports SP-initiated SAML, just navigate the user to the application and it'll do the whole SAML flow: the app redirects to OneLogin, OL authenticates the user (because you have a session), then redirects the SAML response to the app.
Use the launch endpoint: you can create a URL to an app using this format: https://app.onelogin.com/launch/{app-id}. For example, you can provide a link to an app with the text "Time Reporting" whose href is that launch URL.
Details on that endpoint can be found here: https://developers.onelogin.com/api-docs/1/embed-apps/get-apps-to-embed-for-a-user
Take note that you're probably going to want to use the optional flag that makes sure to redirect to your login page, not OL's, if you've built a login facade.

Single-Sign-On Environment with Identity Management

I want to build an SSO service with Node.js.
I have been looking into OAuth methods and Passport examples, but did not come to a conclusion.
I want to have an identity server like https://id.mycompany.com, where the user can create and edit their profile. They should also see what services they can use from my company.
There will be another resource like https://app1.mycompany.com. If the user enters this page, they will be redirected to id.mycompany.com to authenticate, and if so, they will be redirected back to app1 with access granted.
Is this an OAuth2 mechanism? Because I don't want the user to decide if app1 gets access. I want to decide which users have access to resources of app1.
So I need a kind of OAuth, but without the client_id part in the redirect URL, because I own all the servers.
Hope you can help me, or what I need to search for.