We were unable to launch your app from the 'My Apps' launcher - azure

After submitting our app to the Windows Store, it was rejected with the following message:
"We were unable to launch your app from the 'My Apps' launcher. When we launch your app from the My Apps launcher, during an authenticated O365 session, we are prompted to re-authenticate to your app."
What we did is: once the user logs into our app with O365 credentials, our app gets added to the user's O365 My Apps dashboard. When the user clicks our app in the O365 launcher, it launches the login page of our app instead of signing the user in automatically.
Step-by-step:
1. User visits our web page "http://portal.myedutor.com/users/sign_in"
2. User clicks on "Login with Microsoft credentials"
3. User signs in using an O365 account
4. Now the user has an active session with our application
5. User visits "http://portal.office.com" and signs in using the same credentials
6. Within a couple of minutes the user sees the "IGNITOR" app in the "O365 My Apps dashboard"
7. Clicking on the app, the user is taken to the homepage of our application
Now the problem we are facing is: once the user clicks on our app in step 7, they are asked to log in again; we are not able to send any session information on the app click. We are using the OpenID protocol for SSO.
Kindly guide us on how to maintain the session in such a scenario. Thanks a lot in advance.

One thing that might be missed here: when you registered your app with Active Directory, you used the main login page as the SIGN-ON URL, i.e. http://portal.myedutor.com/users/sign_in.
However, in order to be redirected directly to the Office 365 login page, you should use the Office 365 redirect URL in this case.
For example, when I was testing it locally, I made sure I used localhost:xxxx/account/signin for my SIGN-ON URL, like below:

Related

Why Microsoft login page is not opening in my Corporate App Service but opening in my personal account's App Service?

I have added a button to the login page so that users can log into the website through a Microsoft account as well. This is the link of the page the user is directed to after clicking the button: https://login.microsoftonline.com/. It is working fine when I host the application in IIS, and it even opens the Microsoft login page when I host it on the App Service of my personal account. But the Microsoft login page (link) is not opening when I host the same application in the App Service of my corporate Azure account. I understand that it is an access issue, but I don't understand how I can get it fixed. I need to specify the steps to my IT help department in order to make the required changes.

Bypass the Azure AD SSO "choose an account" prompt and automatically login cookie stored user?

We have configured our enterprise web application to be protected by Azure AD SSO. It works great. The first time the user navigates to the enterprise web application page, they are redirected to the https://login.microsoft.com login page and prompted to enter their username#company.com and then they are authenticated using the Windows credentials through Kerberos (or at least I think it's Kerberos. It doesn't require a password). They are now signed into our enterprise web application.
Now the user closes their browser, which closes the session with our enterprise application, then opens it again.
They go back to the enterprise web application page. It redirects to https://login.microsoft.com, and this time it remembers who they are, because it has the username#company.com in the "Choose an account" dialog. But it didn't automatically sign them in, making for a very unfriendly user experience.
The user now has to click on their account from the "Choose an account" screen, and there is always only just the 1 account there. It still doesn't require a password, but still it breaks the seamless flow of things.
How can we make the Azure AD SAML SSO set up so that it automatically logs in the user without having to click the account in the "Choose an account" dialog?
I wasn't getting response here so I cross-posted on MSDN (sorry). I got a prompt response here: https://social.msdn.microsoft.com/Forums/azure/en-US/f9e7c013-fbdc-4bbb-9e9c-22bf187f6c79/bypass-the-azure-ad-sso-8220choose-an-account8221-prompt-and-automatically-login-cookie-stored?forum=WindowsAzureAD
You have to pass the domain hint in order to achieve this. This is happening primarily because of realm discovery, and the domain hint will help you skip this.
Ref: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-authentication-for-federated-users-portal

Custom Branding for Login on a Azure AD Multi-Tenant App

Question: How can I custom brand my Azure AD application login page? (note: NOT my org's login page; see below)
I have a web application hosted in Azure where users can log in using accounts that are created and managed within the application. Since my application is used by many big organizations, I have added the capability for customers to also sign in using their account that's managed by their organization (single sign on). This was done using Azure Active Directory, which syncs the local AD accounts into Azure where cloud authentication occurs. Since this application is used by many organizations all with their own separate ADs, I created the Active Directory application within Azure as multi-tenanted. With all of this done, the new login process works perfectly, however, I can't figure out how to brand the Microsoft hosted application sign in page.
Please keep in mind the distinction between the application login page and the organization's tenant login page. There is ample documentation about how to brand the organization's tenant login page, but not the application login page. Consider the application flow to understand the difference:
User goes to my app's login page, and chooses "Login with your existing organization account".
The user is redirected to a Microsoft hosted login page for my application. At this point, Microsoft/Azure Ad only knows which application this is for; it doesn't yet know who is logging in or which tenant (organization) they belong to. This is the login page I need help branding (logo & page background).
After the user enters their email address (and even before they enter their password), the user is redirected to a different login page--the login page for the user's organization (i.e. their tenant). This page shows that organization's custom branding if it was setup. This is not the login page I wish to brand; it is my customer's responsibility to brand their org if they desire.
After the user enters their password on their organization's login page, the user submits the form. Azure then successfully authenticates them and redirects them back to my application where they are now authenticated as well.
NOTE: this should be possible as you can see Microsoft is doing it on all of their cloud apps as well (Office 365, Visual Studio, Azure Portal)
NOTE: this question was asked over 3 years ago, but only 1 misdirected answer was given, and Azure and Azure AD have changed drastically since then. See: Azure Active Directory Custom Branded login page dont work with third party application. Also, the Microsoft documentation only covers the branding of the tenant login page, not the application login page like I am seeking. See: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-add-company-branding.
What you observe is only possible for Microsoft owned applications.
The customers can only brand their organisation login page.
What you can do however, is to redirect the user to your org login page. Then the first thing the user will see is your company branding. After they enter their login name, they may see their custom org login page (if the organisation has customized the login experience).
If such a feature (a per-app custom login page) is something worth looking at, you can create a feature request on the UserVoice site - http://mygreatwindowsazureidea.com/
Just as a note - per app custom login page is today only possible on Azure AD B2C via custom policy implementation.

Azure Node JS Express web app facebook login

I have built a Node JS Express Blank Web App using the Azure Web App service.
Then, I configured Facebook Authentication and entered my app ID and secret, etc.
Then, when I access the web URL of my web app, it checks whether the user is logged in and asks for their permission.
But what if I want them to click a Facebook login button, log in using Facebook, and then display their username and icon?
You can see the portal configuration here
Hopefully, the following will help.
1) Set "Action to take when request is not authenticated" to "Allow Anonymous requests (no action)" in the Azure portal.
2) Add an authorization.json file and define URL Authorization Rules in this file to restrict access to certain resources within your app. For more details, please check out this blog post.
3) Add a Facebook login button to your home page; when the button is clicked, redirect the user to:
https://<yourwebsitedomain>/.auth/login/facebook?post_login_redirect_url=/welcome
This will navigate the user to /welcome after logging in.
4) Once the user has logged in, you are able to get the authenticated user's info from this endpoint: https://<yourwebsitedomain>/.auth/me.
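As an added example (not code from the answer above), the two pieces a Node.js page needs around App Service Authentication: building the login link from step 3 without creating an open redirect, and reducing the /.auth/me payload from step 4 to the username and icon the question asks for. The host name, the claim values and the sample payload are constructed; the payload shape (an array of objects with provider_name, user_id and user_claims) is the one /.auth/me returns.

```javascript
// Added example, not code from the answer above. The login link and /.auth/me
// are the endpoints the answer names; the payload shape is what /.auth/me
// returns. Host, claim values and the sample payload below are constructed.

// Build the login link. Only a same-origin absolute path is accepted as
// post_login_redirect_url, so the link cannot become an open redirect.
function facebookLoginUrl(host, postLoginRedirect = '/welcome') {
  if (!/^\/(?![\/\\])/.test(postLoginRedirect)) {
    throw new Error('post_login_redirect_url must be a local path');
  }
  const url = new URL('/.auth/login/facebook', `https://${host}`);
  url.searchParams.set('post_login_redirect_url', postLoginRedirect);
  return url.toString();
}

// Reduce a /.auth/me payload to what the welcome page shows. The Facebook
// profile picture comes from the Graph API "picture" edge for the user id.
function profileFromAuthMe(authMe) {
  const entries = Array.isArray(authMe) ? authMe : [];
  const fb = entries.find(e => e.provider_name === 'facebook');
  if (!fb) return null; // not signed in with Facebook (or not at all)
  const claim = typ => (fb.user_claims || []).find(c => c.typ === typ)?.val ?? null;
  return {
    userId: fb.user_id,
    name: claim('name'),
    picture: `https://graph.facebook.com/${encodeURIComponent(fb.user_id)}/picture`,
    tokenExpiresOn: fb.expires_on ?? null,
  };
}

// Server-side lookup for the /welcome page: /.auth/me only answers for the
// browser's own session, so the AppServiceAuthSession cookie is forwarded.
async function currentProfile(host, cookieHeader) {
  const res = await fetch(`https://${host}/.auth/me`, { headers: { cookie: cookieHeader || '' } });
  if (res.status !== 200) return null; // anonymous request
  return profileFromAuthMe(await res.json());
}

// Constructed sample of a /.auth/me response after a Facebook sign-in.
const SAMPLE_AUTH_ME = [{
  provider_name: 'facebook',
  user_id: '10001',
  expires_on: '2030-01-01T00:00:00Z',
  user_claims: [
    { typ: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier', val: '10001' },
    { typ: 'name', val: 'Sample User' },
  ],
}];
```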

Azure Active Directory and Federated Authentication

We're using Azure Active Directory with Federated Authentication. This is working without a problem - but we need the ability to have users sign in with credentials other than their logged in Windows credentials.
What happens right now is
User navigates to our web app and the Azure ADAL for JavaScript attempts to log in
The user is redirected to https://login.microsoftonline.com/common/oauth2/authorize?response_type=id_token&client_id=xxxx&redirect_uri=xxxx&client-request-id=xxxx&x-client-SKU=Js&x-client-Ver=1.0.2&nonce=xxxx
The user is presented with a username and password box.
Upon entering the username (even if it is someone else's username), as soon as focus leaves the username textbox, the page shows:
"It looks like this email is used with more than one account from Microsoft. Which one do you want to use?" with the option "Work or school account: Assigned by your work or school".
Upon clicking "Work or school account", the user is presented with:
"Redirecting. We're taking you to your organization's sign-in page."
The page redirects to the url
https://ds1.mydomain.com/adfs/ls/auth/integrated/?username=me%40mydomain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%xxxxx&popupui=1
The user is automatically logged in using their active Windows credentials (even if they entered a different username on the previous page).
If I navigate to the URL https://ds1.mydomain.com/adfs/ls/auth/integrated/?username=me%40mydomain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%xxxxx&popupui=1 using a Windows session with a non-domain (local) account, I get a standard Integrated Authentication prompt
So - it seems like our ADFS server is using Integrated Windows Authentication on an IIS Website.
My question is: how can I allow the user to log in as a different domain user for the web app? Is there a special ADFS login URL I can use? And if so, how do I tell the Azure app to use that URL? Or is there a way to disable Integrated Authentication in some other way, on demand?
Thank you.
UPDATE:
I see that if I point the ADFS URL to the basic auth endpoint
https://ds1.mydomain.com/adfs/ls/auth/basic/?username=me%40mydomain.com&wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=estsredirect%3d2%26estsrequest%xxxxx&popupui=1
I am prompted for basic authentication (exactly what I want)...so how do I tell my Azure AD or Azure AD App what login URL to use? And how can I control it conditionally?
You would need to either remove AD FS from the Local Intranet zone on the relevant machines so they prompt, or better, look in to the User Agent based targeting in AD FS and configure those machines to send a User Agent that triggers Forms Based AuthN.
Have a look at https://technet.microsoft.com/en-us/library/dn727110.aspx for more info on this.
Answer is actually pretty simple (with some help from Fiddler):
Add &prompt=login to the query string generated by the ADAL JavaScript when redirecting to login.microsoftonline.com. This causes the MS portal to redirect to the ADFS Forms Auth URL instead of the one using integrated security.