Adding Claims to a SAML token using Azure AD Single Sign-On - azure

We have an application that uses multiple IDPs for authentication. We receive a SAML token with some extra claims that we authenticate on. We also want to use Azure AD as a trusted IDP, but how can our customer add the required claims to their returned SAML token?

There is no option to add claims to the Azure AD generated SAML token. To do this you have to add your application to the Azure AD Application Gallery. For Azure AD Premium users this can be done for your own applications that accept SAML.
For non-Azure AD Premium users you have to add your application to the Azure AD Gallery, see https://azure.microsoft.com/en-us/documentation/articles/active-directory-app-gallery-listing/.

Related

Azure AD and Azure AD B2C using same JWT token

I have a scenario where the users are created in AZ AD B2C (it is an external-facing application where users can be from different organizations as well as any individual). The application does this via a JWT token from AZ AD B2C. The application also has an embedded Power BI report which does not support AD B2C authentication. Is there a possibility to use the same JWT token to validate a user against an AZ AD account as well?
Please let me know if the question is not clear.
In general no.
Azure AD and B2C have two different key sets so the signature will be different.
As will the clientID, audience and issuer.

How can I use idp_access_token returned by azure b2c service

I have set up an Azure AD B2C service to sign up / sign in my users and have used the third-party identity providers Google and Microsoft. After successfully logging in, I get idp_access_token back from the B2C service. Can I use this token to directly connect to the Google and Microsoft APIs?
As the Azure docs mention, this token is issued by the identity providers and returned as a claim by the B2C service. But the idp_access_token doesn't seem to be a valid access token and no claims are included in it.
To get a valid "idp_access_token", please check if you have to set "v2.0" in the metadata URL of the OpenID Identity Provider configuration:
https://xxx.b2clogin.com/xxxx.onmicrosoft.com/v2.0/.well-known/openid-configuration
We may not be able to edit the metadata URL of an already created one, so try creating a new one with "v2.0" in the metadata URL.
When a user signs in with an identity provider like Google or Facebook, your app gets the identity provider's access token passed in the Azure AD B2C token. This idp_access_token can be used to call the identity provider's API, such as the Facebook Graph API; i.e., usually the embedded IdP access token is used to call the services that the IdP hosts. For details see Pass an access token through a user flow to your application in Azure Active Directory B2C.
Reference: techcommunity.microsoft.com blog
Note:
Azure AD B2C supports passing the access token of OAuth 2.0 identity providers, which include Facebook and Google. For all other identity providers, the claim is returned blank.
Even if the idp_access_token claim is a valid JWT, it cannot be used to access Microsoft Graph or other additional scopes. Usually the embedded IdP access token is used to call the services that the IdP hosts, but Microsoft Graph data is hosted in Azure AD and not on the Microsoft Account side.
You can check this Microsoft document to Set up sign-up and sign-in with a Facebook account using Azure Active Directory B2C or with a Google account using Azure Active Directory B2C.
References:
Using Azure B2C login to access Microsoft Graph if the social login is a Microsoft account

In Azure AD associate IDP Identity to existing users

I've connected an Azure AD to an OpenID IDP (based on Keycloak) using Azure AD B2C. The connection works well and users can use the external IDP to create a user on Azure AD and log in to a basic application that I use for testing.
I would like to connect existing users in Azure AD to the corresponding IDP identity.
Using the Graph API, in the user details I've noticed that users created from the IDP have in the identities array an identity with "signInType": "federated".
In the Update user Graph API documentation it seems that identities isn't an updatable value.
Is it possible to connect the user on Azure to my external IDP?
• You want to connect the user ID in Azure to the external IDP, i.e., you want the user in Azure AD to log in with Azure AD credentials in the external/other IDP. Thus, you will want to federate your Azure AD tenant with the external IDP for Azure AD users to be provisioned in the external IDP and to use SAML SSO for authentication purposes.
For the sake of convenience, let's assume here that the external IDP is Google Cloud. So, you want to connect your Azure AD users to the Google Cloud IDP; for this purpose, you would want to configure a federation between Google Cloud Identity and Azure AD such that Azure AD users are provisioned in Google Cloud Workspace and these users use SAML SSO for authentication in Google Cloud using their Azure AD provisioned identities. To configure the same, please refer to the documentation link below:
https://cloud.google.com/architecture/identity/federating-gcp-with-azure-active-directory

Cross Azure AD resources

If there are 2 companies with different domains, one is companyA and the other is companyB, and they both have an Azure AD, Azure AD B2C and a backend mobile application (backendA and backendB).
There are existing front-end mobile apps: mobileA, which can access backendA after Azure AD B2C authentication of companyA, and mobileB, which accesses backendB after Azure AD B2C authentication of companyB.
For my case, I want mobileA to call the API of backendB after authentication with Azure AD B2C of companyA. But after getting the token from companyA, how does backendB check that the token is valid?
Thanks!
lihoma
You can register backendB in companyA's tenant as an app.
The mobileA app can acquire a token for backendB from its own tenant.
Then backendB will need to add support for companyA's tokens in addition to supporting companyB's tokens.
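The two answers above ("two different key sets, client ID, audience and issuer" and "backendB will need to add support for companyA's tokens in addition to companyB's") boil down to one validation rule on the API side: select the trust entry by the token's issuer, verify the signature with that issuer's own keys, and then check that issuer's expected audience. The following is an added example written for this page, not code from either answer. Real Azure AD and B2C tokens are RS256-signed with keys published at each tenant's JWKS endpoint; to keep the example runnable offline, each issuer here gets a constructed HS256 secret instead, and the tenant ids, app id URIs and key ids are placeholders. The structure of the check is what the example demonstrates.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed issuer names in the v2.0 issuer formats used by Azure AD and
# Azure AD B2C; the tenant names and ids are placeholders.
ISSUER_A = "https://login.microsoftonline.com/<companyA-tenant-id>/v2.0"
ISSUER_B = "https://<companyB-tenant>.b2clogin.com/<companyB-tenant-id>/v2.0/"

# backendB's trust store: one entry per issuer, each with its OWN key set and
# its OWN expected audience (the identifier backendB was registered under in
# that tenant). Constructed HS256 secrets stand in for each tenant's JWKS keys.
TRUSTED_ISSUERS = {
    ISSUER_A: {"keys": {"kidA1": b"constructed-secret-companyA"},
               "audience": "api://backendB-registered-in-companyA"},
    ISSUER_B: {"keys": {"kidB1": b"constructed-secret-companyB"},
               "audience": "api://backendB"},
}


def sign(key: bytes, header: dict, payload: dict) -> str:
    """Build a compact JWT signed with HMAC-SHA256 (helper for building test tokens)."""
    signing_input = (b64url_encode(json.dumps(header).encode())
                     + "." + b64url_encode(json.dumps(payload).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def mint_token(issuer: str, kid: str, claims: dict) -> str:
    """Mint a token the way that issuer's STS would, i.e. with its own key."""
    key = TRUSTED_ISSUERS[issuer]["keys"][kid]
    return sign(key, {"alg": "HS256", "typ": "JWT", "kid": kid}, dict(claims, iss=issuer))


def validate_token(token: str, now=None) -> dict:
    """Return the verified claims, or raise ValueError naming the rejection reason."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    payload = json.loads(b64url_decode(p))
    # The still-unverified iss claim only selects WHICH trust entry to check
    # against; it grants nothing by itself. Keys are never taken from the token.
    cfg = TRUSTED_ISSUERS.get(payload.get("iss"))
    if cfg is None:
        raise ValueError("untrusted issuer")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    key = cfg["keys"].get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid for this issuer")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    # Signature verified, so aud/exp can now be trusted: check them per issuer.
    if payload.get("aud") != cfg["audience"]:
        raise ValueError("audience mismatch")
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        raise ValueError("expired")
    return payload


def verdict(token: str, now: float) -> str:
    """'ok' if backendB accepts the token, otherwise the rejection reason."""
    try:
        validate_token(token, now)
        return "ok"
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    t = mint_token(ISSUER_A, "kidA1", {"aud": "api://backendB-registered-in-companyA",
                                        "sub": "user-from-A", "exp": 2000})
    print(verdict(t, now=1000))
```

With a library such as MSAL or PyJWT the signature step is replaced by a per-issuer JWKS lookup, but the shape stays the same: a token signed with companyA's key that claims companyB's issuer fails because companyB's key set does not contain that key, and a companyA token for the wrong audience fails even though its signature is valid.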

Claim augmentation with Azure AD authentication

"I have an application where I have users authenticated with multiple directories, all federated using ADFS. There is a central ADFS that does the federation and routing to the correct IDP. Most IDPs are ADFS, which add claims to the SAML token by using the normal ADFS rules. We now have some customers that want to use Azure AD as IDP, but this seems not to allow adding claims like ADFS does.

What would be the way to add custom claims to a SAML token using Azure AD?"
You can do this by adding your application in the Azure AD Directory Portal via the Application Gallery. This gives you the opportunity to add claims to the outgoing SAML token.
If you have Azure AD Premium you can add your own application (that accepts SAML 2.0) and configure the extra claims via the "Attributes" tab.
If you or your customers do not have Azure AD Premium you will have to have your app added to the Azure AD Application Gallery. The process for this is described in https://azure.microsoft.com/en-us/documentation/articles/active-directory-app-gallery-listing/
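Both this answer and the first one on the page describe the tenant-side half: the customer adds the extra claims on the application's attributes tab, and they arrive as additional `Attribute` elements in the assertion's `AttributeStatement`. The following added example (written for this page, not code from either answer) shows the service-provider half: parsing the posted SAML 2.0 Response, checking issuer, audience and validity window, and pulling out the claims the application authenticates on, with a hard failure if a required claim is absent. The sample Response is constructed; the `name` claim URI is Azure AD's default name claim, while `department` and `groups`, the tenant id, and the app URL are placeholders. The XML signature check that a real service provider must perform first is left out because it needs a SAML library (for example python3-saml).

```python
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree in production
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Azure AD's SAML issuer format is https://sts.windows.net/<tenant-id>/ ;
# the all-zero tenant id and the audience URL are placeholders.
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
EXPECTED_AUDIENCE = "https://app.example.com/saml"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Constructed sample Response: the default name claim plus a custom
# "department" attribute and a multi-valued "groups" attribute that a tenant
# admin added on the application's attributes page. Signature elements omitted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://app.example.com/saml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="department">
        <saml:AttributeValue>finance</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>g-1</saml:AttributeValue>
        <saml:AttributeValue>g-2</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def at(hour: int, minute: int) -> datetime:
    """A UTC instant on the sample's issue date, for choosing 'now' in checks."""
    return datetime(2024, 1, 1, hour, minute, tzinfo=timezone.utc)


def _parse_utc(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_attributes(assertion) -> dict:
    """Map each Attribute Name to its list of AttributeValue strings."""
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def check_assertion(response_xml: str, now: datetime, required=()) -> dict:
    """Check issuer, validity window and audience, then return the claims.

    A real service provider must verify the XML signature on the Response or
    Assertion against the tenant's federation-metadata certificate BEFORE
    trusting anything below; that step is omitted here.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("no Conditions")
    if now < _parse_utc(cond.get("NotBefore")) or now >= _parse_utc(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError("audience mismatch")
    attrs = extract_attributes(assertion)
    missing = [name for name in required if not attrs.get(name)]
    if missing:
        raise ValueError("required claims missing: " + ", ".join(missing))
    return attrs


def check_or_reason(response_xml: str, now: datetime, required=()) -> str:
    """'ok' when the assertion passes, otherwise the rejection reason."""
    try:
        check_assertion(response_xml, now, required)
        return "ok"
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    print(check_assertion(SAMPLE_RESPONSE, at(0, 30), required=["department"]))
```

Treating a missing required claim as a failed login, rather than falling back to a default, is what makes the tenant-side claim configuration enforceable: a customer whose Azure AD application is not yet emitting the attribute gets a clear error instead of a silently under-privileged or mis-mapped session.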
