I'd working on creating a ASP.NET 5 web application and would like to use ASP.NET Identity to manage users. I'd also like to use Azure Active Directory in a multi-tenant configuration. As I understand more about claims, I expect we will eventually create our own custom claims as well.
I see ASP.NET Identity can configure providers (Facebook, Google) but is it possible to set up Azure Active Directory to authenticate with Facebook / Google and have it flow through ASP.NET Identity? My guess is that flowing through Azure Active Directory would make our subsequent migration to claims authentication easier.
If so, any pointers to setting this up and road bumps that may be expected would be appreciated.
Regards,
Rajesh
Classic Azure Ad does not integrate directly with Facebook or Google, however the new B2C offer does. See http://aka.ms/aadb2c
Related
I am looking at a solution to secure on-premise applications using a centralized Identity and Access Management (IAM) solution instead of baking a custom IAM solution. These on-premise application could be deployed across several of our customers globally.
I have looked at using the Azure AD B2C for this purpose but it looks like it can only provide Authentication solution and not Authorization, at least not out of the box. I haven't found a single working sample with does both AuthZ and AuthN. I am also not sure if Azure AD B2C is the solution for implementing a centralized AuthZ and AuthN solution. I have looked at Azure B2B briefly and feel this could be right for our use cases, but it is a bit confusing as to when to choose B2C vs B2B.
I am hoping to get any guidance towards the right approach to have a centralized AuthN and AuthZ solution for on-premise applications.
B2B is for partners, B2C is for customers.
You can get authorisation in the application by the application looking at the claims that are returned.
A better way is to implement conditional access.
"Control access based on location, groups, and apps. Conditional Access can also be used to control non-risk based situations. For example, you can require MFA for customers accessing a specific app, or block access from specified geographies."
This isn't a specific problem question but a "cry for help".
My problem is this. Our organization is in the process of implementing Office365.
Until now there were tens of applications with their own authentication and authorization but in the process most of them will be rewritten to use within O365 environment.
We are facing the problem of creating one endpoint (ASP.NET WebAPI app) which will be used to authenticate a user with his credentials from Active Directory (or B2B AD on Azure because some apps are used outside) and tell if this user is allowed to use app that asked to log him.
I'm just wondering through documentations and sample code but can't decide what will be a good practice in this scenario. Should we just build each app and use Azure Active Directory provider to authenticate. Or is it possible to setup ONE api that will hold all apps Ids and its userIds - then it will check user credentials against AD and give app token/cookie...
My best bet is to try this: http://www.tugberkugurlu.com/archive/simple-oauth-server-implementing-a-simple-oauth-server-with-katana-oauth-authorization-server-components-part-1
But create Provider for AzureAD. But then its still question about this B2B AD part.
Please help by pointing to some up to date resources..
You should register each of your B2B application within your Azure Active Directory and configure them to use AAD as the Identity Provider.
Then you can administrate everything you want (e. g. which user has access to which application) within the Azure Active Directory blade from the Azure Portal.
You are getting this backwards. If you have apps integrated with Azure AD you don't have to create endpoint which will validate users right to use apps but you are assigning right to use an app in Azure AD. This is whole point.
We have an API, we planning to publish this API in the Azure marketplace under developer service. For authentication, we are planning to use developer service SSO (Single sign-on) in API. I googled this but can't find any useful link, please suggest some links
Azure AD B2C became generally available recently and it somehow offers what you are looking for. You can use local Azure identity and/or social account for your end users to authenticate with SSO support.
https://azure.microsoft.com/en-us/services/active-directory-b2c/
With that being said and although you can secure your Web API with AAD b2C as in this guide, your customers won't be able to call this WebAPI from their own applications as the calling app must be registered in the same Azure AD directory with the same application Id. This is a limitation that is mentioned here:
Note:
Azure AD B2C currently supports only web APIs that are accessed
by their own well-known clients. For instance, your complete app may
include an iOS app, an Android app, and a back-end web API. This
architecture is fully supported. Allowing a partner client, such as
another iOS app, to access the same web API is not currently
supported. All of the components of your complete app must share a
single application ID.
If the above limitation is OK with you, then you might also be interested in this Azure article to list your app in the Azure AD application gallery.
I'm working on an application that will allow users to authenticate to Azure Active Directory and then manage resources in their Azure account via Azure Resource Manager API calls.
I've found several walkthroughs on building such an app including this post. However, in the part that discusses authentication with Azure Active Directory, there's a step showing the need to manually retrieve the Azure Active Directory name from the Azure Portal.
The directory name is plugged into app settings (and ultimately authentication calls to the directory) as follows
http://login.microsoftonline.com/{directory_domain_name}/OAuth2/Authorize
Is there any way to programmatically retrieve {directory_domain_name} without requiring users to login and lookup the information in the Azure Portal?
The one answer to this question has a dead link and another pointing to the Graph API, which seems to still require the domain name.
For your particular scenario, look like you want to build an app that will be users from different Azure AD tenants. This scenario is best addressed by building a multi-tenant application.
To make your application multi-tenant, you'll need to go to the Azure Portal and in the Configure tab of your Azure AD application, set the "Application is Mult-Tenant" option to yes.
Once you do this, you can just call
http://login.microsoftonline.com/common/oauth/authorize
http://login.microsoftonline.com/common/oauth/token
And Azure AD will resolve the figure out which tenant to authenticate against based on the the credential that the user types in.
More information on multi-tenant applications:https://azure.microsoft.com/en-us/documentation/articles/guidance-multitenant-identity-authenticate/
Sample multi-tenant application: https://github.com/Azure-Samples/active-directory-dotnet-webapp-multitenant-openidconnect
I realize there are other (preferred) ways of implementing authentication with Azure Active Directory, but is it possible to use the standard ActiveDirectoryMembershipProvider with Azure Active Directory for an Azure website?
No. There is no way to use ActiveDirectoryMembershipProvider with Azure Active Directory.
. (Period) :)
Why?
ActiveDirectoryMambershipProvider uses Active Directory Application Mode (ADAM) server and talks to AD over LDAP protocol. Both of which are not supported by Azure AD. The replacement of LDAP in the Cloud is Azure AD Graph API.
You can however use the Claims Based Authentication / Authorization model and protect your web site with Azure AD. This will help with Authentication. Authorization - you can use the role based access control and have your Azure AD groups translated into ASP.NET roles.
Here is pretty long and well described process of how to protect a web site with Azure AD without writing single line of custom code.