We need to build a desktop (using angular4) and a mobile application (using react-native) that supports single sign on for our clients who are using ADFS in their organisations. We are looking forward to implement outh2 authentication on desktop and mobile app.
Can someone please guide how can we implement it. Should the app(s) be registered at azure-portal or apps.dev.microsoft.com? Do we need a backend API, what would this backend api do?
Thanks.
You need to register your app on azure.portal if you want to support sign in with Active Directory organizational or work accounts, which I believe is your case.
The apps.dev.microsoft.com portal is for registering apps that want to support sign in with both AD work accounts and Microsoft personal accounts.
You can read this article to get an idea of the different application types and platforms that are supported.
Related
I've got the Unity Xbox Live services example up and running allowing me to sign-in to my Microsoft Account via Xbox Live services in Unity.
I've also got Azure App Services (Mobile services) running in Unity to query and persist my data. App Services supports authentication out of the box including Microsoft Account support.
Does anyone know if I can use the authentication from Xbox Live services sign-in to authentication my web calls against my Microsoft Account in App Services?
It gets complicated :) although I can understand the frustration. Let me give a quick overview, but I'm happy to give more details as needed.
When dealing with sign-in, the first step is authentication - and there are three choices on such systems with Microsoft
1. MSA, or Microsoft Account, which is what most consumer systems use, such as Xbox.
2. AAD, or Azure Active Directory, which is typically for enterprise applications.
3. S2S, or Server to Server, which is typically done either with an SSL certificate or shared secret. (Note this is also similar to the app secret mentioned above, although app secret is less secure since the secret is with the app itself, but this and MSA do go together).
These three systems are very different in goals, designs and requirements so there isn't really an option to unify them.
Now lets assume that you are using only #1 above - signing in with MSA. You might wonder why you can't take the token returned for one set of services and use it with another. Now we are into the realm of user privacy and security isolation. Have you noticed when you sign into a game on the PC with XboxLive that you get a dialog box asking if it is okay? That is the consent dialog and is required so that malicious apps can't steal a token for one part of a system (say your outlook.com sign-in) and use it to grab data from elsewhere (onedrive, xbox, etc) without the user saying "yes, that is okay". This same thing happens with systems like Facebook, etc - it is a fairly standard system.
So, to enable this, each time you ask MSA for a token, you have to specify the site you are going to use it with, so MSA knows what consent to ask for - and to ensure it stays only to that site.
tl;dr - doing security right means more hassles :) But the good news is that the underlying system should be able to detect these and prevent the user from having to present a sign-in for each site - just one sign-in, but possibly multiple consent dialogs. And more code for the developer...
Does anyone know if I can use the authentication from Xbox Live services sign-in to authentication my web calls against my Microsoft Account in App Services?
AFAIK, for app service authentication with Microsoft Account, you need to create the application in Microsoft Account Developer Center, then you need to add Client Id and Client Secret for your Microsoft Account provider under "Settings > Authentication / Authorization" of your App Service application. For more details, you could refer to Microsoft Account authentication.
Based on your scenario, you could only use the Client-managed authentication for Microsoft Account. Additionally, the app service authentication for Microsoft Account uses LiveSDK for initiating the sign-in process. Though, I'm not familiar with Xbox Live services sign-in, based on my understanding, I assumed that you could not achieve this purpose for now.
Scenario: I already have a registered multi-tenant web application that is compatible with Azure SSO. I'm now in the process of developing an iOS application that will support SSO authentication for the app as well.
Based on the example provided in https://azure.microsoft.com/en-us/resources/samples/active-directory-ios/ I created a Native application for the iOS app with delegated permissions from my WebApp (ref: https://stackoverflow.com/a/29810124).
This works for any user that exists within the AAD that the app was created. However, as soon as I want to SSO from a different domain that has previously authorized the WebApp I get an error:
Application with identifier 'CLIENT_ID_HERE' not found in directory DOMAIN_HERE.onmicrosoft.com
This implies that the native application is not multi-tenant? This seems a bit bizarre considering it should be possible for users outside of the domain to SSO to an application.
Right now, for my browser based SPA I'm simply able to manually call the common Azure login page to consent and get an authorization code for a user. I then send this code to a backend (the WebApp) that performs the OAuth handshake and gets a valid token. This does not require a client_secret from the application because the SPA isn't actually performing token retrieval.
So when I attempted to use the WebApp's client_id instead (similar to what https://stackoverflow.com/a/27033816 is suggesting) I was met with an error with the Azure AD iOS SDK requiring that I provided a client secret as well. It seems that the SDK is abstracting a fair amount of this and grabbing a token for you rather than performing a step when I can simply get an authorization code and send it to my WebApp.
TLDR: My requirements are very similar to the ones outlined in multiple-tenant, multiple-platform, multiple-services single sign-on using Azure Active directory where I have multiple clients (browser, iOS, Android) that all need to be able to use Azure SSO. I'm assuming the mobile apps should be able to use my existing WebApp to authenticate the users.
The question posed in the answer of the previous SO post somewhat explains my issue:
How can my mobile app access my multi-tenant web api on behalf of the user?
References
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-authentication-scenarios#native-application-to-web-api
https://github.com/Azure-Samples/active-directory-dotnet-webapi-multitenant-windows-store
At present the native app which register on the Azure portal doesn't support multi-tenant. You may consider using the V2.0 endpoint which also support the Microsoft accounts.
TLDR: My requirements are very similar to the ones outlined in multiple-tenant, multiple-platform, multiple-services single sign-on using Azure Active directory where I have multiple clients (browser, iOS, Android) that all need to be able to use Azure SSO. I'm assuming the mobile apps should be able to use my existing WebApp to authenticate the users.
Did you mean that have different font-end and the Multi-Tenant Web Application is the back-end? In this scenario, there is no need to register another native client application on the portal, you can refer here about add authentication for the iOS app.
So the majority of Microsoft's tutorials use their AAD SDK to generate OAuth access tokens whereas I needed to simply get an authorization_code to send up to a backend that's registered as an existing multi-tenant web application so it could properly generate a token using its own client_id.
This was done using the correct redirect_uri in the AD OAuth code documentation:
For native & mobile apps, you should use the default value of urn:ietf:wg:oauth:2.0:oob
Note that sending up urn:ietf:wg:oauth:2.0:oob will actually result in a schema error for the multi-tenant OAuth login page (https://login.windows.net/common/oauth2/authorize) so you must use https://login.microsoftonline.com/common/oauth2/nativeclient instead.
I'm planning to create 1) react.js web app 2) react Native android/ios apps, and I want to create one unified node.js backend to serve as a single API for both web and mobile apps.
I would also like to take advantage of Azure's notifications hub and authentication. For authentication, I'll also need to have custom username/pw rather than just social accounts. What should I do? Can AAD achieve it?
I realized whilst Azure has great support for native iOS/Android Apps, it's not entirely clear on whether it supports React/React Native Apps as well.
To what extent would the javascript mobile App SDK help?
https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-html-how-to-use-client-library/
Thanks!
To provide single APIs for both web clients and devices, and implement Notification push, you can use Azure Mobile Apps in Node.js.
For authentication, I'll also need to have custom username/pw rather than just social accounts. What should I do? Can AAD achieve it?
If you want to custom authentication on your Mobile Apps, you can refer to https://shellmonger.com/2016/04/08/30-days-of-zumo-v2-azure-mobile-apps-day-5-custom-authentication/ for details. And to use AAD, you only can authentication your users in your tenant in AD. (the user name is inthe format:<username>#<tenant>.onmicrosoft.com).
At last, as React/React Native Apps are based on javascript, so you are right, you can implement the Mobile Apps functionalities with JavaScript Client Library for Azure Mobile Apps
Here is a post in the similar scenario with you, maybe it will help you.
I am trying to build a cross platform (Android, iOS, Windows) mobile application using Xamarin Forms PCL project library. My requirements are simple yet involves a lot of services which I find to tie together.
Here is the mix of services that I want to use
Xamarin Forms
Azure AD to Authenticate against (Office 365 tenant)
Mobile Services Client with offline sync capablity
Azure Mobile AppService .NET backend
SharePoint Online to perform CRUD operations on List on behalf of the user
I want to look at some samples or reference implementation with this combination.
I have been struggling with this combination, in fact I got AD Auth to work with Xamarin forms PCL using some pre-release version of ADAL NuGet package, the latest stable version does not work. Similarly I also for the App directly communicate with SharePoint REST APIs but now that the Auth is broken I am not able to proceed.
Then I thought of using Azure Mobile App .NET Backend, now I got Auth working there but when a call is made to the mobile backend I am not able to access SharePoint list (CSOM) since the Auth is only to access the backend service, unable to impersonate as the user to access SP. I guess I need to use AppAuth but that too not working.
I realise that instead of focusing on my actual problem of building the App I am not exploring different ways to get the AD Auth and SharePoint Access working. Can anyone point to any reference to help me out here.
I suspect you have a problem in your AAD setup. I assume you're using ADAL to do client-directed login on your Xamarin forms client. If so, then what you need to do is set up 2 Active Directory apps, one for the native client, and one for the web backend.
Here's a sample that's for mobile services that shows a similar setup, but for Dynamics CRM: Mobile Services Dynamics Connector Setup
The main point is that you need to set up your client app registration with the following permissions. Assuming your backend registration is MobileBackend:
Client app permissions:
Azure Active Directory: Enable sign-on and read users' profiles
MobileBackend: Access MobileBackend
MobileBackend will have the following permissions:
Azure Active Directory: Enable sign-on and read users' profiles
Sharepoint: The sharepoint permissions you need
Once you've done all this, use this article for Xamarin authentication: Authenticate users with the Active Directory Authentication Library.
Hi I have to develop a framework to enable single sign on for an application that my organisation develops.I want the framework to be in GOLANG.I want to authenticate the users with azure active directory details.How can I achieve this?
Azure AD can provide auth via WS-Fed, SAML-P, OAuth2 and OpenID Connect. As long as you develop using one of those then your application can be registered in Azure AD as an application and can leverage the standard protocols listed above.