Scenario
Our organization network in Yammer is configured with ADFS (SSO 2.0) which redirects to STS login prompt.
However, after integration in SharePoint CEWP using Yammer Embed or JS SDK we have to provide the credentials twice. Once for logging in to SP portal and other for yammer, where both the credentials are same.
Please let me know a way to avoid multiple login prompts.
Steps Tried
Set use_sso property to true as mentioned in yammer documentation.
Tried adding the yammer domains in trusted sites as mentioned here
Have you tried windows authentication? That way, ADFS will use the use_sso property to automatically login you in.
Related
I am new to Azure AD. I have to implement two websites which uses Azure Single Sign On feature to login. I have gone through few documents and blogs but it wasn't helpful enough. Could anyone suggest me a relevant document or approach for beginners.
This approach I am using:
I made a new tenant.
Made a app in app registration
Assigned the users through Enterprise Application changes
But now i have to add another website to webapp and then make sure if user logs in anyone of those then it should automatically get logged in other website as well.
When you have multiple applications in your organization, it's better to use Azure AD and you are on the right path.
To configure an application for SSO there are multiple ways. Based on your requirement you can choose any SSO protocol from below for authentication.
There are protocols like OpenID Connect, OAuth, SAML, password-based etc. to configure SSO.
As you have two websites, register two webapps in Azure AD and configure SSO
While registering the webapps, make sure to add redirect URI or Reply URLs of those two websites respectively.
Make sure both webapps are using same SSO protocol.
As mentioned in the comment by #Anand Sowmithiran, while the user is authenticating, the login flow will detect that user is already authenticated and will provide the token seamlessly.
For more in detail, please refer below links to get some idea:
Can I use Azure for SSO to multiple websites - Microsoft Q&A
single sign on - SSO with multiple azure web apps - Stack Overflow
Related to the outlook add-in for Acumatica... When our users try to authenticate with their azure login, we see the following error.
https://www.dropbox.com/s/le7t3ez5ua69qls/Screenshot%202020-04-23%2019.18.52.png?dl=0
NOTE:
we have 2 factor authentication on for our users through office 365, but i don't think that is the issue as i disabled and also tried using a app password which would bypass the 2 factor
we have customized the outlook plugin and it works just fine when use a regular login (direct username and pwd into acumatica as opposed to using single sign on)
We are running Acumatica 2020 R1, and have this working. I am not sure if it will work in 2019R1, but you can give it a try.
Our environment is synced with Local AD through Azure AD Connect. We have seamless SSO enabled with Passthrough Authentication, and the group policy trust enabled for the workstations. This allows the users to sign into office 365 from their domain controlled computers.
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start
When we enable automatic signon through AzureAD in the web.config, it works like a charm. We had issues in previous versions of Acumatica with our ADFS deployment. To enable automatic SSO in Acumatica you can modify your web.config:
<externalAuth authUrl="Frames/AuthDock.ashx" silentLogin="Federation" externalLogout="True" selfAssociate="True" instanceKey="" claimsAuth="False">
I would give this a try on off hours to see if it works with Outlook, and maybe change your production instance to sign in this way. You can always get to the login page by visiting https://acumaticainstance/Frames/Login.aspx?SilentLogin=None
Maybe setting auto signin will fix outlook and be easier for those users, and be more beneficial than the non-azure users?
I registered one existing .NET application in Azure AD enterprise application for SSO. When i access this application using external URL, it prompts me for Microsoft Sign-in. Is there a way to avoid Microsoft Sign-in page? In few online article, i found to pass "domain_hint" in sign-in URL. Let me know if there is as way to setup domain hint in sign-in URL while registering enterprise app.
You can enable true single sign-on through the process highlighted in this Microsoft document (published one week ago). You can use a domain-joined device so that the users can sign on silently and do not need to enter a username and password. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso
Please see the quick start guide as well. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start
The way you make use of Domain_Hint will depend on a few details about your application -
What protocol you use to talk to your Azure AD?
Depending on the protocol, you'll need to pass the domain hint in the sign in URL for your application as shown below:
WS-Federation: whr=contoso.com in the query string.
SAML: Either a SAML authentication request that contains a domain
hint or a query string whr=contoso.com.
Open ID Connect: A query string domain_hint=contoso.com.
Whether your application is single-tenant or multi-tenant?
If it's single tenant, then it's simple - pass the domain hint for domain of one tenant that uses this application.
If it's multi tenant, then it needs to be conditional and you need to know the tenant before hand so you can pass the hint correctly to sign-in URL. For example, if the URL hit by each tenant is different, then that could help you.. Look at this part in the Microsoft documentation..
For example, the application "largeapp.com" might enable their
customers to access the application at a custom URL
"contoso.largeapp.com." The app might also include a domain hint to
contoso.com in the authentication request.
Here are the 2 best Microsoft documentation Links on this topic that I came across:
Domain Hints
Using Azure AD to land users on their custom login page from within your app
There is an API to create users that can access the developer portal, but AFAIK there is no API to login users programmatically.
If I want to develop a totally custom developer portal (a separate web application on another host) and this is the only feature I lack.
I know I can switch to Active Directory authentication, but I wonder if I can login users directly created by the API manager (into its own database).
You can use the api https://learn.microsoft.com/en-us/rest/api/apimanagement/User/GenerateSsoUrl to get a Sign-In Url with a valid Token.
Powershell Cmdlet here
https://learn.microsoft.com/en-us/powershell/module/azurerm.apimanagement/Get-AzureRmApiManagementUserSsoUrl?view=azurermps-4.4.1
Yes, you can do it. We are currently doing it in a production environment (FantasyData.com). I believe they call it delegation, because you're delegating the login functionality to another website that you host. It's a little tricky to setup the redirects to work just perfectly, but once done, it works like a charm.
Here are the online docs for it, it's just a REST API.
https://learn.microsoft.com/en-us/rest/api/apimanagement/apimanagementrest/azure-api-management-rest-api-user-entity#SSO
I have configured WSS with OpenID to enable FBA authentication. I have added a custom login page. Im able to authenticate using the OpenID account, however when i return back to the default.aspx page i get the 'Access Denied' page.
The Question is how can i tell WSS to allow OpenID authentication into the web application?
I have used the DotNetOpenId library.
I haven't integrated with WSS myself, but assuming you have it in FormsAuthentication mode, then the only other thing I think that could be blocking you would be that while you are logging the user in (with SetAuthCookie or RedirectFromLoginPage) you need to pass in the roles the user belongs to. If WSS is rigged to only invite users in the "WebUser" role, for example, be user to pass that into the login methods.
You can find out what roles are required and what your Authentication mode is from inspecting your WSS site's web.config file.
If you are using FBA you can add the openid account as an fba account. You can easily do this by using a custom login page. Here is a sample http://blog.xsolon.net/Posts/sharepointopenid.aspx