Authentication against Azure AD, authorization in AWS - azure

Entering the AWS management console, how does one build an SSO solution where authentication is done against Azure AD but authorization level is in AWS IAM?
The Azure AD SAML claim will not include any security group data, since we don't want to overload the SAML token with metadata. The same applies to Kerberos tickets. Hence using the Azure AD Graph API is out of the question as well.
Basically the SAML assertion will only include data about authenticated user.
The AssumeRoleWithSAML API is role-driven, whereas we would need a SAML based solution that is user-driven (mapping incoming user data with IAM user). Any help is welcome.

Related

Sign in to Azure B2C with a Google Service Account

I'd like to start with a Google Service Account credential (either opaque access token or ID JWT) and end with an Azure B2C credential. Is something like this possible with Azure? I'm not seeing any APIs for doing it: https://learn.microsoft.com/en-us/azure/active-directory-b2c/openid-connect
Note: this is conceptually similar to (but different in terms of target identity from) another question I asked earlier:
Impersonate Azure Service Principal from a Google Service Account
EDIT: Our use case for this is exchanging Google Service Account credentials that represent an untrusted client (e.g. a user in the system), for a user token in Azure B2C. Unfortunately, this eliminates the client credentials flow, as mentioned in the comments.
Azure AD B2C only supports interactive federation flows with other identity providers.
Google service accounts are non-interactive authentications. The only way AAD B2C can pass these credentials to Google would be through its REST API interface.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/restful-technical-profile
The credentials would need to be hard coded into the policy or through AAD B2C “policy keys”.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/secure-rest-api?tabs=windows&pivots=b2c-custom-policy
From what I can see, AAD B2C REST API interface doesn’t support an authentication method that Google needs. So I would conclude it’s not possible.

Add claims into token Azure B2C

What are ways to include custom claims (user subscriptions or roles list as example) in a token before issuing it in Azure AD B2C, provided that claims are stored somewhere on own server (not available in B2C)?
The goal is to have the claims in the token to avoid an additional round trip to the storage on every request.
Investigation on the topic brought me to the following ways:
Add a custom attribute via the Graph API and configure it to be included in the JWT. Attribute values should be kept in sync with our data storage.
A custom sign-in policy like in this article https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-rest-api-step-custom, but if I got it right, the additional Step 6 is a user journey to a publicly available API in a non-restricted way (the request is not secured by a secret and might be used to get user claims by presenting a UserId)?
An IdentityServer4 federation gateway http://docs.identityserver.io/en/release/topics/federation_gateway.html that will allow adding any claims before issuing.
The first two mechanisms you outlined are the most common and recommended ways to include custom claims in an Azure AD B2C issued token:
Add a custom attribute and include it in the JWT. You can enable the custom attribute via the B2C UI or via the Graph API. You'd need to build your own mechanism to keep the value of this attribute in B2C in sync with your external source via the Graph API.
You can use a custom policy to add a step in your authentication flow to call a REST API to obtain the claim and include it in the token. This call to the REST API will be performed by the Azure AD B2C service and NOT the user's browser, so it'll be a service-to-service call (versus a client-to-service call), keeping any secrets you use for authentication with your REST API safe (such as an Azure Function code).

How do I get the bearer token claims that azure b2c promises?

Background
I have two applications registered in Azure, one is a web-based client and the other is a web-based service. The setup is similar to the example found here: https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi
The user logs in to the client via Azure B2C, and then the client queries against the service, authenticated via Azure B2C, to obtain its data.
The Problem
The service is not receiving the expected claims in the bearer token.
Specifics
Azure B2C says that the claims you select for a given policy will be included in "a token", which I assumed would be the bearer token. Below is a screen capture of some of the claims I have selected.
However, on the service when I extract the claims from the bearer token, I get none of the promised claims. Instead, I get the claims shown below.
I am using UseOAuthBearerAuthentication identically to the example provided by Microsoft on GitHub (linked above).
Am I missing something?
How do I get the claims that B2C promises?
Application Claims are included in the id_token, not the access_token (aka bearer token).
This means that the Select application claims will allow your client application (native app or web app) to access these custom claims.
If you want to access custom claims from your back-end service, you'll need to call the Azure AD Graph using the client credentials flow and call the user endpoint like so:
https://graph.windows.net/<yourtenant.onmicrosoft.com>/users/<userId>
And retrieve the property with the following format:
extension_<b2c-extensions-app_appId>_<customAttributeName>
For example:
extension_e5bf5a2db0c9415cb62661a70d8f0a68_MyCustomAttribute
You can obtain the id of your B2C tenant's b2c-extensions-app via the Graph as well:
https://graph.windows.net/<yourtenant.onmicrosoft.com>/applications?$filter=displayName eq 'b2c-extensions-app'
See this post for more info:
Moving Azure AD B2C custom user attributes across new environments
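The two Graph lookups the answer describes, as an added Python example that is not part of the original answer: resolve the b2c-extensions-app appId, build the extension_ property name (the appId is used with its hyphens removed, as the e5bf5a2d... example above shows), and pull the custom attribute out of the user object. The api-version value, the urllib-based graph_get helper and the SAMPLE_USER object are assumptions constructed for this example; obtaining the client-credentials bearer token is left to the caller.

```python
import json
import re
import urllib.parse
import urllib.request

GRAPH = "https://graph.windows.net"
API_VERSION = "1.6"  # assumed Azure AD Graph api-version query value


def build_extension_name(extensions_app_id: str, attribute: str) -> str:
    """Graph property name for a B2C custom attribute: the appId of the
    b2c-extensions-app with hyphens stripped, then the attribute name."""
    compact = extensions_app_id.replace("-", "")
    if not re.fullmatch(r"[0-9a-fA-F]{32}", compact):
        raise ValueError("extensions app id must be a GUID")
    return f"extension_{compact}_{attribute}"


def extensions_app_id_from_response(body: dict) -> str:
    """Pick the appId out of the /applications?$filter=... response."""
    apps = [a for a in body.get("value", [])
            if a.get("displayName") == "b2c-extensions-app"]
    if len(apps) != 1:
        raise LookupError("expected exactly one b2c-extensions-app")
    return apps[0]["appId"]


def custom_claims(user: dict, extensions_app_id: str) -> dict:
    """Return {attributeName: value} for every extension property on a user."""
    prefix = build_extension_name(extensions_app_id, "")
    return {k[len(prefix):]: v for k, v in user.items() if k.startswith(prefix)}


def graph_get(tenant: str, path: str, token: str) -> dict:
    """Authenticated GET against Azure AD Graph (hypothetical helper)."""
    sep = "&" if "?" in path else "?"
    url = f"{GRAPH}/{tenant}/{path}{sep}api-version={API_VERSION}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def read_user_attribute(tenant: str, user_id: str, attribute: str, token: str):
    """Service-side lookup of one custom attribute for one user."""
    flt = urllib.parse.quote("displayName eq 'b2c-extensions-app'")
    app_id = extensions_app_id_from_response(
        graph_get(tenant, "applications?$filter=" + flt, token))
    return custom_claims(graph_get(tenant, f"users/{user_id}", token), app_id).get(attribute)


# Constructed sample user object, shaped like a Graph /users/<id> response
SAMPLE_USER = {"objectId": "00000000-0000-0000-0000-000000000001",
               "displayName": "Example User",
               "extension_e5bf5a2db0c9415cb62661a70d8f0a68_MyCustomAttribute": "gold"}
```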

How to implement Twitter Digits Authentication with Azure AD Auth for Asp.net WebApi

I have an ASP.NET Web API and I want to authenticate my API using Twitter Digits Auth and later pass that Digits token to the Azure Active Directory Auth Service.
I have an idea about Twitter Digits Auth, but I'm confused about how I can pass the Digits token on to the Azure Active Directory Auth Service.
Please see this diagram which I'm thinking to implement.
Does Azure Active Directory Auth Service mean Azure App Service Authentication and Authorization? If I understand correctly, this scenario will not work.
Azure App Service Authentication and Authorization supports two kinds of authentication flow, client-flow and server-flow. The scenario you mentioned is client-flow, which acquires the token from the identity provider first and then exchanges it for an Azure AD token. However, in this scenario we need to use the token issued by the identity provider (Azure Active Directory, Facebook, Google, Microsoft Account, or Twitter) directly.
If I understand correctly, the Digits token is issued by Digits, which Twitter supports. This token is not supported by Azure App Service Authentication and Authorization. You need to check whether Twitter supports exchanging this token for a token issued by Twitter.
For more detail about the client-flow, you can refer to this document.

Using saml tokens in Azure AAD oauth authentication

I have an application that authenticates users against Azure AD using OAuth, and I want to provide the ability to set up certain information associated with each user by his admin in Azure AD, so I can read it as part of the authentication process. I would also like to be able to use the claims functionality provided by Azure Active Directory so the admin can define custom mappings between user attributes in his AD and what I am going to read, as explained here.
Apparently those claims can only be read from a SAML token that would be the result of a SAML authentication, but since I am already authenticating using OAuth I would like to avoid having to do that. My question therefore is: can those SAML tokens or the information contained in them be obtained somehow either as part of the OAuth authentication process or afterwards?
When you say "provided by ActiveDirectory", do you mean Azure AD, not on-premises AD?
There is no way currently to add claims to the token in Azure AD. They are "canned".
That link you refer to is for SaaS application in Azure.
The way to get information out of Azure AD is via the Graph API.