I am facing a hopefully simple problem:
I need to create a wrapper app that contains a WebViewer control and should display a page in Azure portal.
I am developing the app in VS 2017 on a virtual machine which belongs to the domain 'DEV'. I would like to achieve that if a user from 'PROD' domain starts the app on their computer in the 'PROD' domain, they will be authenticated to AAD/Office 365 via SSO and can view the page in Azure (not a site in azurewebsites.net, but a site that needs you to be authenticated - i.e. portal.azure.com!).
I was not yet able to test the app on 'PROD' domain, but according to the answer below it would work, wouldn't it?
https://stackoverflow.com/a/9593258
If not can I go through the steps in the white paper mentioned and SSO the user manually (chapter 5.3, I assume)?
EDIT
Took me while, but here it is - I got SSO working, sort of...
In the end it seems that using a WebViewer control allows SSO but it still requires you to at least once enter your user name (user#tenant.com, for example) but you don't need a password. This might not be an optimal solution, nevertheless it is OK.
Thank you Wayne Yang for your support.
For your sceanrio, the user can SSO in PROD domain if the device has AAD joined.
But this should SSO to the joined AAD tenant. I also assume that you want to SSO to Azure portal with the ADFS. So, it also needs integrate ADFS with the AAD.
Why?
First, if your application try to sign in Azure portal via pop-up a broswer, and it needs SSO. AAD join can achieve this. If a device joined AAD, it will obtain a refresh token to your device. For windows 10 , IE and Edge can use the refresh token to SSO AAD endpoint.
Second, If you want to use ADFS, you must integrate ADFS with Azure AD. In this way, AAD authentication endpoint will redirect to your ADFS to approach SSO with your local domain.
Reference:
How to configure hybrid Azure Active Directory joined devices
Federate multiple instances of Azure AD with single instance of AD FS
Azure AD Connect and federation
Hope this helps!
Related
I am new to Azure AD. I have to implement two websites which uses Azure Single Sign On feature to login. I have gone through few documents and blogs but it wasn't helpful enough. Could anyone suggest me a relevant document or approach for beginners.
This approach I am using:
I made a new tenant.
Made a app in app registration
Assigned the users through Enterprise Application changes
But now i have to add another website to webapp and then make sure if user logs in anyone of those then it should automatically get logged in other website as well.
When you have multiple applications in your organization, it's better to use Azure AD and you are on the right path.
To configure an application for SSO there are multiple ways. Based on your requirement you can choose any SSO protocol from below for authentication.
There are protocols like OpenID Connect, OAuth, SAML, password-based etc. to configure SSO.
As you have two websites, register two webapps in Azure AD and configure SSO
While registering the webapps, make sure to add redirect URI or Reply URLs of those two websites respectively.
Make sure both webapps are using same SSO protocol.
As mentioned in the comment by #Anand Sowmithiran, while the user is authenticating, the login flow will detect that user is already authenticated and will provide the token seamlessly.
For more in detail, please refer below links to get some idea:
Can I use Azure for SSO to multiple websites - Microsoft Q&A
single sign on - SSO with multiple azure web apps - Stack Overflow
I am very new to SSO and am having trouble enabling cross company SSO. I work on a React SPA and used the MSAL React Library to implement SSO for our application. I created a non-gallery Enterprise Application in Azure, and used that subscription information to validate users on the application during login. This is all working as expected.
After providing our SAML SSO configuration to companyB, the user at companyB cannot sign on and is getting the following error...
"Selected user account does not exist in tenant 'XYZ' and cannot access the application '123-456-789' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account."
To me, that means I need to manually add the user who is attempting to log in, but that would negate the usefulness of integrating the two Azure ADs. I've provided all of my SAML configuration to companyB, and still no luck. What could I be missing?
In order to create the link between the two Azure ADs, the user just needs to create a non gallery application with SAML SSO enabled and the SAML config, right? Any insight into this issue would be greatly appreciated!
I realized my code was configured to only work for one tenant, pointing to the common login endpoint solved this issue.
My application is an Angular 2+ SPA, which uses Azure Active Directory and the back end API is implemented in Node JS. Currently, when an user tries to login, an Azure pop-up appears, User enter login/password which will get authenticated in AD, AD returns a bearer token which I use to authenticate Node JS API.
My requirement is, to use Integrated Windows Authentication (IWA). The Front End should use Windows authentication to get the bearer token from AD instead of asking user to enter login/password. How Can I do that? Whatever articles I see about this, all talk about IIS and .Net based application. Should I always use .NET based API to use Windows Authentication? Any hints would be greatly appreciated.
Just a note, the API is an enterprise application hosted in the cloud. All the users are internal company employees and are registered with AD.
Given you already have Azure AD sync setup, the following may be useful. AAD Connect allows you to seamlessly login with SSO:
https://learn.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso
Azure services doesn't support Windows Authentication, unless you setup a VM with IIS. I assume by your requirements "...Get the bearer token instead of asking user to enter login/password" mean single signon. That is, when a user is logged into the domain on their PC, they don't have to login again to your application.
There are a few ways to approach this depending on your AD configuration, but usually you have to configure ADFS for your organisation AD to allow your cloud app to authenticate you. If you are already logged in, it will simply redirect you and your app will receive the bearer token.
https://azure.microsoft.com/en-au/resources/videos/configuring-ad-fs-for-user-sign-in-with-azure-ad-connect/
Another option is to connect your organisation AD with Azure AD, using Azure AD sync. The following link helps with this. You would then configure your app to authenticate against Azure AD (as it currently does).
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/azure-ad
AD configuration is not a simple configuration,
In relation to this question:
Azure AD graph API using on-premise domain
I have set up an federation between the on premise ADFS and Azure AD using the Azure AD connect tool. In the last step of the verification I ran into this:
I believe that it is because the ADFS needs to somehow be exposed to the internet. Probably using an proxy server. In the Azure portal the Domain is now marked as federated. I have tried to do a post to https://login.microsoftonline.com/{domain}/oauth2/token, it works when I use xx.onmicrosoft.com users created directly an the Azure AD domain. When I use a user#{domain} user syncronized from the on premise AD I still get
""error": "invalid_grant",
"error_description": "AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password....." like I did before I set up the federation. I would actually expect to be somehow redirected to the on premise login screen
So two questions:
Is it nessesary to have the ADFS exposed to the internet via a proxy for the federation not to fail?
How can I properly test logging in to Azure AD using the on premise user?
Thanks in advance :)
-Dan
As an answer to my own questions.
What I was trying to do was have my customers users in my azure ad domain. What that means is that the customer cant have their own Azure AD or office 365 as the domain can only exist once on Azure. So this is not at solution.
Use https://{domain}/adfs/ls/idpinitiatedsignon
I am currently trying to understand the combination of Azure ACS with Claims-based Auth and the option of using a custom STS and I am only slowly getting through the (unfortunately few) info sources.
Before I spend more hours on this I would like to confirm if my plan is even possible.
I have multiple azure roles (web+worker) that are being accessed over the internet by both employees and customers. Additionally, employees access these roles and desktop apps from inside our local network.
User data comes from two sources. Our azure app has user data about customers and employees, our (local) AD only from employees.
To make the login experience as efficient (and ergonomic) as possible, when accessed via our local network, employees should be automatically authenticated (Windows Integrated Auth?) on both the desktop app (automatically because of Windows User Profile Context) and on the azure apps (hopefully w/o login page).
Customers, on the other hand, should enter their user credentials when accessing the azure app, but should not have to decide between different "Credential-sources", they should just get the username+password form.
In other words
Employee visits Azure app from local network -> Auto-login with Integrated Auth / AD data
Employee visits Azure app from internet -> Username+Password form
Customer visits Azure app from internet -> Username+Password form
While writing this question, two more came to mind:
1) Is it even possible to auto-login based on source/cookie/wizardry or would that require a manual user choice for selecting the "Credential-Source"?
2) If Azure ACS "knows" that AD account with Username X is the same as Azure App User Y, does it matter with which one logins? Can the app access the same claim-data on either login route?
Are you sure you need a custom STS? It sounds like to start you just want to enable your AD users to sign in to your azure applications using their windows credentials if they are on the domain (no password prompt). ADFS 2.0 and WIF will facilitate this. In addition, if you set up an ADFS proxy server so that when those same users browse to your app from outside of the domain they will get prompted for their domain credentials.
Now your AD users are set up, but if you want your applications to be accessible to users outside of your domain, you can federate ADFS with another organization's ADFS server, or use ACS to enable login using consumer identity providers such as Google, Yahoo, and LiveID, which are provided as built in options. If you did introduce ACS like this, you would configure your corporate ADFS server as an identity provider on your ACS instance alongside google, yahoo and what not, so that when your users browse to your site they will be prompted to select which identity provider they wish to sign in with.
Here's a fantastic whitepaper that demonstrates using ADFS to authenticate to cloud applications:
http://www.microsoft.com/download/en/details.aspx?id=13789
More detailed info about deploying ADFS (such as deploying the ADFS proxy) can be found in technet.
And for ACS, there are guides and samples on how to integrate it into azure applications, and how to add ADFS identity providers: http://msdn.com/acs
One thing that you could do is look at the user credentials when a page is requested in order to get the authentication info.
If you look at...
HttpContext.Current.User.Identity
You can get info about the user's identity. If they are on the domain you will see that they have a domain name and you could programmatically choose to direct them to a login page.
Let me also say that I've never tried to do this so I don't know if there's a built in way to do this by simply configuring something in web.config.