I want to create a simple backend application in node that can query AAD to get a list of OUs or Groups. My application needs this type of information to create groups of users in our system. I'm having trouble getting started here. I found this example which is in DotNet which does a Daemon server flow. I've found these informative links:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/#daemon-or-server-application-to-web-api
Basically I want to be able to make a backend request using certificate based authentication without any user involvement. I'm assuming an adminsitrator will need to allow my application to make this request through some authorization flow. I'm looking for a simple step-by-step guide to get this going along with some sample NodeJS code. Something similar to this example: https://github.com/Azure-Samples/active-directory-dotnet-daemon-certificate-credential
Assuming I don't have a windows machine will I need to somehow run Powershell commandsfrom some sort of mono emulator on my Linux servers?
I figured out how to get the basic certificate flow working. It's not well documented, however if you look at the tests/client-credentials.js in the source code for adal-node, you will see some examples.
If you're using Azure App Service web apps, you can follow this guide to integrate AAD with your application: https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/
Once you have that, auth will be enabled for your app and you can configure the AAD app in the portal. See this blog post for more details: http://blogs.technet.com/b/ad/archive/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles.aspx
To integrate with node.js, see this example for details:
https://github.com/Azure-Samples/active-directory-node-webapi
Once you have that, switch to using cert auth similar to the example you provided. Also you shouldn't need powershell. For more information on how AAD works see: https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/
Related
So my project has got a two asp.net projects. One is for showing date(User Interface) and the another one is API(for background processes like login, database calls and etc.). Right now my app has Username and Password feature to login. I have setup a startup class in my API which authenticates the user and pass the user token. Now I want to add a feature to login through Azure portal.
Can anyone suggest me a good practice in this situation? Like I don't want to change my code and just add a feature. Should I make changes in API or Web or Both? Meanwhile I was reading about expose api in app registration. Will it be appropriate to use it just for login purposes?
Azure AD supports OAuth2, OIDC and SAML. See more information here. It is probably best to introduce the mechanism through the API first, since it would apply to the frontend as well (though slight modifications may be required there as well).
I'm trying to configure a SAML Authentication with Azure in a Flask web service.
Is the first time I'm doing this and I'm bit lost.
I'm trying to use the 'SAML_METADA_URL' provided in AZURE but I don't know what to configure in python side.
In Azure seems to be all setup, the app was added, have the client ID and CLIENT SECRET, ETC.
Anyone knows a good and specific tutorial for this?
Thanks in advance
You can refer to the SAML-enabled Python application guide, which explains how to use PySAML2 to add Okta support (via SAML) to an application written in Python, And refer to the steps for implementing a SAML SP in Python/Flask.
In addition, OneLogin also provides a SAML Python toolkit, I believe it will also be helpful to you here.
What I'm hoping to accomplish is a connection to Visual Studio Team Services through the Microsoft Account authentication provider. I've been following the documentation here (https://github.com/Azure/azure-content/blob/master/articles/app-service-api/app-service-api-dotnet-connect-to-saas.md) and have a couple problems with the implementation.
They use the Microsoft.Azure.AppService.ApiApps.Service package to get to the token from the api gateway
// Retrieve the token from the gateway
var runtime = Runtime.FromAppSettings(Request);
var dropboxTokenResult = await runtime.CurrentUser.GetRawTokenAsync("dropbox");
But when I publish my webapp I get a 500 error when trying to create the Runtime object, the remote Debugger literally just dies on the line below and I don't even see any logs in the api's streaming logs interface to give more info on the error.
var runtime = Runtime.FromAppSettings(Request);
Any idea on how to get to the token?
Documenation for implementing microsoftaccount authentication with a web api is kinda scarce, any links to examples or documentation that was helpful to you guys out there?
Also, is the apiapp.json file really even necessary? They create one in the example but authentication setup Via the Azure blades seems to work ok and leaving the apiapp.json file out of the api doesn't seem to matter either way. In the end I'd like my web api to maintain authentication via microsoft account no matter where it's moved to, so I figured there would be settings somewhere I would need to specify but can't really put that piece together either.
It looks like you're using the old model for building API apps (which involves a gateway) which has been deprecated. I believe its still supported, but the official way to build API apps has since changed, and you might find it a bit simpler to work with. More information can be found here: https://azure.microsoft.com/en-us/documentation/articles/app-service-api-whats-changed/
Documentation for leveraging Microsoft Account authentication is here: https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-microsoft-authentication/
Once you're all set up, there are a few different ways you can obtain the token. You can find it as an inbound HTTP header (x-ms-token-microsoftaccount-access-token) or you can use the App Service Server SDK to obtain it: something alongs the lines of:
var creds = await this.User.GetAppServiceIdentityAsync<MicrosoftAccountCredentials>(this.Request);
string accessToken = creds.AccessToken;
Any option available to authenticate users accessing my app on bluemix URL?
I want to make a set of audience to use my bluemix URL?Any leads how to implement this?
You can go to your app overview page and click on edit routes. You would see enable app authentication property which by default is OFF. Make that to "ON". After that you need to add member to your organisation who would have access to your app.
Attaching a sample screenshot for your help :
The SSO service is the way to go if all the users accessing your application have an IBM ID. In some cases we have used a more custom api key approach or even pre-exchanged certificates for which you would need to add some code for.
In bluemix you can add people to your organization, once you do that they will be able to manage your app, delete, restart, stop, etc.
Take in mind that you are the one who pay for the app so if they add memory or instances you will be charged for those expenses.
In order to add people to your organization:
Login to https://ace.ng.bluemix.net
Click on 'MANAGE ORGANIZATIONS'
Add/invite a bluemix user to manage your app
Complete documentation on using the OAuth authentication service with the SSO service in BLuemix is available here: https://www.ng.bluemix.net/docs/#services/SingleSignOn/index.html#sso_gettingstarted
Examples and client code also:
https://hub.jazz.net/project/bluemixsso/SingleSignOnSampleClient/overview. The sample application can help you write your own client application to leverage the IBM Single Sign On for Bluemix service's capabilities. You can create your own copy of the code in your own DevOps JazzHub account as well, and then build it and then deploy it to your own IBM Bluemix space.
You need to try single sign on authentication provided by bluemix.
Below is the getting started link with this:
https://www.ng.bluemix.net/docs/#services/SingleSignOn/index.html#sso_gettingstarted
You can get various option to authenticate users(via fb,google) etc and apply in your app.
Please review this link, about Single Sign On.
https://www.ng.bluemix.net/docs/#services/SingleSignOn/index.html#sso_gettingstarted
I hope this help you.
Good luck!
I am trying to create a sample application here with federated authentication with Azure ACS
I have a asp.net web application with a default.aspx page
I want to upload this azure cloud.I want to authenticate users using Active Directory login credentials how can I create an working sample for this.
I was searching and I found I can make use of Custom STS ?Is this the right direction ?
I found an example from MSDN
http://msdn.microsoft.com/en-us/wazplatformtrainingcourse_windowsazureandpassivefederation2010_topic2#_Toc310436991
but I clouldn't make this working till now. (I am getting a message --This page can't be displayed).
Can some one point me to a working sample with step by step documentation.
I am using VS2010 on Windows8 machine,and azure sdk 1.7
I dont have an ADFS2.0 supported server machine available now.So I am just trying to make MSDN example working
I followed all the steps as mentioned there,but
when I debug ,I can see control reaches inside "WSFederationAuthenticationModule_RedirectingToIdentityProvider method"
if my assumption is right,it should redirect to Login.aspx page ,
but instead is simply showing message "This page cant be displayed"
You can use the how-to guide on windowsazure.com: How to Authenticate Web Users with Windows Azure Access Control Service. This will also work for Active Directory by simply using your ADFS as an identity provider instead of Windows Live / Google, no need to create a custom STS for this.
If you want something with a little more screenshots, I wrote the following guide for one of my trainings: http://sandrinodimattia.net/blog/posts/federated-authentication-with-azure-appfabric-acs-v2-0-part-1-setup/