Given a service like Okta, is it possible to use raw SAML requests to get a list of users from my Okta domain? We are hoping to use SAML to retrieve users from Okta and generate linked accounts based on those Okta users for them to sign in to our system using SSO, but we need user accounts in our system that are linked to Okta accounts, or any other SSO/SAML/idp provider.
You cannot do that with SAML. SAML allow user to access other applications from the IDp.
You will need to use their API and authenticate using Oauth, no SAML.
https://developer.okta.com/docs/api/resources/users.html.
What about using Just in time user provisioning based on SAML assertion attributes?
SAML is an Authentication/Authorization protocol, not a user management protocol.
If you're using OneLogin, check out their APIs: https://developers.onelogin.com/api-docs/1/users/get-users
Related
I already setup the Google Identity Provider in Azure Active Directory and can invite users to my application. After the Google user accepts the invitation, I can see their user object in Active Directory. What I would like to do next is to programmatically login the user using the Google federation or get the JWT token of the logged in Google user.
For user objects created in AD, I can programmatically login the users using ROPC. I understand this is not possible for external users authenticated using Google federation.
• Kindly please take note of this that Azure AD does not support ROPC flow method of credential authentication for federated accounts. Also, when you are using ROPC method, your credentials are at risk of compromise as they are passed directly in the body of API authentication request. Thus, I would suggest you use client credential flow for this purpose as it can access the data from both sides.
• Since you want to programmatically login using the Google federated user to some application or SaaS platform, I would suggest you refer the below link which describes sufficiently how you can use the federated domain’s user login credentials to login to an application or a SaaS platform. In this link, it is stated that you should configure the Azure Policy regarding the Home realm discovery to false and configure the federated domain as its preferred domain for logging in. Also, if you want to retrieve the access token only, then you can use the ‘Postman’ application or ‘https://jwt.ms’ as the redirect URI for that purpose.
https://medium.com/#amanmcse/ropc-username-password-flow-fails-with-aadsts50126-invalid-username-or-password-for-federated-90c666b4808d
We're considering to use Azure AD B2B OR B2C for SSO service. We will not be using Azure B2B built-in SSO login page OR B2C custom-policies based login page. We've our own custom login JSP page that we plan to use MSAL Graph APIs for calling Azure AD authentication services.
Questions:
Is this MSAL APIs applicable to B2C only, or can we use this with B2B tenant application as well? All the documents and guidance that I can take as an example uses B2C tenant app only.
If I am using MSAL OAuth 2.0 authentication services for my custom login page, I assume we don't need to rely on SAML SSO configuration. Or would it be possible to use mix of these services (i.e. SAML for basic login authentication, MSAL OAuth2.0 calls for self service account registration)?
I appreciate if anyone can shed some light on this.
Thanks.
B2B and B2C serve two different purposes. B2B is meant for you to use to invite external federated users to your directory using their own credentials whereby you can assign them access directly to your resources. On the other hand, B2C is a separate directory where you allow users to register, optionally using their own credentials from federated providers as well. If your aim is to SSO to a local AzureAD protected resource, then clearly you're going to have to tell that resource to use the B2C directory as an IdP as well. Hence, B2B is much simpler for SSO, but a big differentiator is scale. If you plan to invite a massive number of users, then this it is not a good idea to user B2B.
MSAL uses standard protocols such as OAuth 2.0 and OIDC to authenticate directly to any supported IdP, including Azure AD or Azure AD B2C. Being a guest user or not has no bearing on that process. It is also important to mention that B2C does require either a User Flow or a Custom Policy to function.
So to answer your questions to the best of my ability:
1- MSAL libraries work similarly for both Azure AD and Azure AD B2C. There may be some configuration differences in case of B2C to supply additional information regarding the policy name, etc. But they work all the same.
2- MSAL itself does not support SAML authentication. For that you'll need a library which can perform SAML authentication. While Azure AD supports SAML natively, Azure AD B2C requires you to setup a custom policy to configure SAML authentication.
Within our application we provide a DocuSign integration which uses DocuSign.eSign.dll from DocuSign C# Client.
We currently use the Legacy Header Authentication to authenticate.
One of our customers, would like to enable single sign on using Azure Active Directory. They have set up their account as described on Tutorial: Azure Active Directory integration with DocuSign already (for the DocuSign App).
How do we change our integration to allow Single Sign On using SAML? What API methods do we use? Does the DocuSign C# Client support this?
Legacy Header does not support SSO Authentication. For legacy header to work, users must have a password.
You will either need to grant a Login Policy Exception (to allow them to bypass SSO) to each user that needs to authenticate via the API, or you will need to implement OAuth token authentication.
An example of OAuth token authentication in C# is available on GitHub: https://github.com/docusign/eg-03-csharp-auth-code-grant-core
Once SSO is implemented by your client and has enabled mandatory SSO in their DocuSign configuration, then you should use OAUTH either using Authorization Code Grant-User Application or JSON Web Token Grant-System Integration to generate AccessToken for your Client API user. JSON Web Token Grant is normally used when System Integration is happening in your Integration with DocuSign. In Either way, you need to ask Client API user to provide User Consent to your IntegratorKey, so that your IntegratorKey can generate AccessToken on Client API User's behalf. Obtaining Consent explains how to get User Consent for Either User Application or System Integration. In Providing the consent to your Integrator, Customers will login to DocuSign via their SSO setup, in the same way how they login to DocuSign to access DocuSign WebApp.
I am not sure if I am asking this question correctly or not, but if a user is authenticated through MS Azure, can Azure send the identity of the user to another system through HTTP header variable?
If so, what if the HTTP server on the other system is Apache based and not IIS. Is it still possible? If yes, how is it done?
Thanks
The closest option available in the Azure AD offerings is Header based SSO.
Header-based single sign-on works for applications that use HTTP
headers for authentication. This sign-on method uses a third-party
authentication service called PingAccess. A user only needs to
authenticate to Azure AD.
If you could expand your question a bit more, maybe we can help with a better answer
So the flow as I understand is like follows..
Salesforce redirects the user to Azure AD
Azure AD authenticates the user (uses SAML) and sends the SAML token back to salesForce
The user who signed in to SalesForce now redirects to a Siebel App?
The expectation is that the user would not have to authenticate again for Siebel?
The quick answer is that Azure AD will authenticate the user using header-based, SAML or OpenID only if the Siebel app is registered with Azure AD.
Without registration, Azure AD has no knowledge about this app (Siebel) and wont deal with it.
During registration, Siebel developers can choose if they want to use SAML, header based or OpenId for authentication and Azure AD will automatically Single sign-on an already signed in user (like in this example the user has already signed-in to SalesForce) to Siebel and wont prompt the user for credentials.
I have an application that authenticates users agains Azure AD using OAuth and I want to provide the ability to setup certain information associated to each user by his admin in Azure AD, so I can read it as part of the authentication process. I would also like to be able to use the claims functionality provided by Azure ActiveDirectory so the admin can define custom mappings between user attributes in his AD and what I am going to read, as explained here.
Apparently those claims can only be read from a SAML token that would be the result of a SAML authentication, but since I am already authenticating using OAuth I would like to avoid having to do that. My question therefore is: can those SAML tokens or the information contained in them be obtained somehow either as part of the OAuth authentication process or afterwards?
When you say "provided by ActiveDirectory" you mean Azure AD not on-premises AD?
There is no way currently to add claims to the token in Azure AD. They are "canned".
That link you refer to is for SaaS application in Azure.
The way to get information out of Azure AD is via the Graph API.