I'd like to connect my xWiki installation to Azure AD for user authentication. Does anybody have an idea how to achieve this?
Thanks
You might want to look at the dedicated extension pages describing how to use LDAP in XWiki: http://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/ (both Authenticator and the Application to customize it)
Additionally, you might be interested in this paying app that is supposed to be specialized in Active Directory and should help you use it without too much work: https://store.xwiki.com/xwiki/bin/view/Extension/ActiveDirectoryApplication
Now, since Azure AD does not allow LDAP connection (according to your comment), you might want to look into using OpenID Connect. It seems to be supported by Azure AD (https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-openid-connect-code) and XWiki also has a recently published extension to be able to authenticate with OpenID Connect (http://extensions.xwiki.org/xwiki/bin/view/Extension/OpenID+Connect/). There`s also an introductory blog article on the feature: https://www.xwiki.org/xwiki/bin/view/Blog/Your%20new%20Identity%20Provider%20XWiki
Related
I am new to Azure AD. I have to implement two websites which uses Azure Single Sign On feature to login. I have gone through few documents and blogs but it wasn't helpful enough. Could anyone suggest me a relevant document or approach for beginners.
This approach I am using:
I made a new tenant.
Made a app in app registration
Assigned the users through Enterprise Application changes
But now i have to add another website to webapp and then make sure if user logs in anyone of those then it should automatically get logged in other website as well.
When you have multiple applications in your organization, it's better to use Azure AD and you are on the right path.
To configure an application for SSO there are multiple ways. Based on your requirement you can choose any SSO protocol from below for authentication.
There are protocols like OpenID Connect, OAuth, SAML, password-based etc. to configure SSO.
As you have two websites, register two webapps in Azure AD and configure SSO
While registering the webapps, make sure to add redirect URI or Reply URLs of those two websites respectively.
Make sure both webapps are using same SSO protocol.
As mentioned in the comment by #Anand Sowmithiran, while the user is authenticating, the login flow will detect that user is already authenticated and will provide the token seamlessly.
For more in detail, please refer below links to get some idea:
Can I use Azure for SSO to multiple websites - Microsoft Q&A
single sign on - SSO with multiple azure web apps - Stack Overflow
Currently I'm working on webapps and its VB code. I need to deploy it into Azure platform but I'm not sure about this 2 things. FYI, system that I developed don't have login page, which is based on current pc login username. So I retrieved current pc login username and check with my database whether current user allowed to use or not. When its in localhost, everything ok, I can retrieve username but when I deployed it to Azure it can't since I need to setup for Azure AD. But I'm a bit confused as my IT global ask me to do some codes to read from Azure AD. How to configure it with codes and also in Azure? Is there any difference between MSAL and SAML? Do I need to setup for both or should I just setup either one? I'm new in this so I don't know much of it. Hopefully someone can help me to solve it as I'm stuck for a month now. Thank you in advance.
P/S: My systems is in VBA codes, not in C# as I can see that many sample/example is in C# codes.
*Link with Azure AD and get user details like username/emails/etc once browse the webapps
SAML is a protocol used for authentication. A more contemporary protocol is OpenId Connect.
MSAL is a library that helps integrate your application with Azure AD.
I'd suggest you start with the Microsoft identity platform (Azure Active Directory for developers) and get yourself familiar with how to integrate your application successfully with Azure AD.
Some of the samples provided on that page teach how to make calls to Microsoft Graph, where you'd be able to get more details about the signed-in user.
Following scenario:
I have a web app running in the MS Azure cloud
The app provides a user logon with username and password
The new requirement is to provide the AD FS SSO for the web app, so that once a user has logged on the Windows machine, her AD credentials can be used to log on the web app.
Can anyone help with some background information and step-by-step instruction. Thank you.
Yes - you can do this by federating ADFS and Azure AD.
That provides SSO and lets the users authenticate on the intranet.
Do you have to use ADFS? If not, pass-through is a good alternative.
To connect the web app to ADFS, you could try to use the scripted setup for automated integration or use the manual setup to step-by-step.
For the details, you could refer to the docs.
Hope this can help you.
I'm aware of the limitation of B2C that dictates that it doesn't support
Daemons/Server Side Apps applications authenticating with non-interaction.
https://azure.microsoft.com/en-gb/documentation/articles/active-directory-b2c-limitations/
In my case,
I have a user on my application whom is available to enter their details but i want complete control of the Journey, i don't want to have to redirect to https://login.microsoftonline.com etc... to acquire the token.
I know the B2C Azure portal allows you to provide a static HTML page as a template for the login page, but this isn't good enough for my scenario.
My guess is this isn't currently supported but eventually will be.
I think that is not possible due to the nature of the service. Full control of the pipeline is possible when you use the service that provides such capabilities out of the box. Here, it is more like that user is "isolated" from some of the boilerplate functionality which is the benefit sometimes.
If you need to have a full control, i think that you will need to use something like Windows Identity Foundation and federated authentication which may be customized.
The type of authentication you are asking for is the resource owner password credentials. Right now, it is in scoping and they said it will be released by summer 2017. Note: Supports only for local accounts, not any external providers like FB, Google etc..
For more details https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/13817784-add-support-for-resource-owner-password-credential
You can upvote and let the team work on it
I have a few websites that are running mojoPortal and Yet Another Forum, and several custom websites with ASP.net web forms (vb.net). I plan to add additional ASP.net websites too. I would like to have a single sign on for all sites, be able to setup groups and roles per site, and store the user's full name, phone, email, and other custom fields.
Each website currently has its own ASP.net membership database. There are about 1000 total users. It would be nice to be able to import the current members into Azure AD, but it will be OK if each user has to create a new login account. I've never used active directory but it sounds like Azure AD will do what I want. I plan to move all websites to an Azure virtual machine.
Before I start testing, I want to find out if single sign on will work with various ASP.net websites, and how complicated the setup and configuration will be. Can I import users to AD? I guess if a website supports AD or LDAP, then AZure AD will work? I'm hoping it will be as easy as adding the AD connection string in web.config?
Thanks!
It probably wont be as easy as adding the connection string. The Ad SSO service needs to be implemented using WIF (Windows Identity Framework) in your application. If you are already using WIF then it could be that simple. If not then you will need to implement WIF.
See this blog post to help you get a better understanding of what is involved.
http://blogs.msdn.com/b/windowsazure/archive/2012/07/12/announcing-the-developer-preview-of-windows-azure-active-directory.aspx