I need my mobile application to allow authenticating either to 3rd party vendor (facebook, google, etc) or to my own WS-Federation identity provider (I'm using Thinktecture). Now, when logging in to my own WS-Fed idp I want to authenticate directly and pass the security token to Azure ACS (and not by using a dedicated login page). I need that because I don't want my users to authenticate using my provider by using a dedicated web page (and moving out of the context of the application).
Your help will be appreciated.
From your ACS management portal get list of identity providers of your realm from below link
https://YourNamespace.accesscontrol.windows.net/v2/metadata/IdentityProviders.js?
protocol=wsfederation&
realm=YourAppRealm&
reply_to=YourAppReturnURL&
version=1.0
Now try this:-
HTTP GET on the above identity providers link.
Parse login link of desired identity provider from the json response of above request.
Authenticate user with login link received in last step.
You'll receive your ACS Token
Note:
After step 3 user will be asked to authenticate himself and the identity provider will automatically send the authentication token to ACS, finally ACS will convert that token into new ACS token and return it as in step 4.
In this way you'll by-pass the login page and can grab ACS token in mobile application without moving out of the context of the application.
Related
We are trying to implement Single Logout functionality in Azure AD B2c using Itfoxtec Saml library.
We have tried multiple configuration options but the SingleLogout method is not working as expected.
We need a reference article or post on how to configure manifest file when using ItFoxtec library.
We have already referred below articles
https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/tree/master/test/TestWebAppCore
https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy
It sounds like you have achieved to do logout in Azure AD B2C initiated from your application implementing the ITfoxtec Identity SAML 2.0 component.
Single logout is the case where someone other than your application initiated logout or you want to do logout in an external IdP. For this to work you need to configure session management correctly in Azure AD B2C, maybe that is the missing part?
Also the single logout endpoint is separate in the refired sample. The endpoint is exposed in the metadata.
Please check the below points :
You can redirect the user to the end_session_endpoint.Try if it logs out completely with GET request to
https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{name-of-b2c-login-userflow}/oauth2/v2.0/logout?post_logout_redirect={static-webapp-url}/.auth/logout.
a) The user may still be signed in to other applications that use
Microsoft accounts for authentication. To enable those applications to
sign the user out simultaneously, the Microsoft identity platform
sends an HTTP GET request to the registered LogoutUrl of all the
applications that the user is currently signed in to.See Microsoft
identity platform and OpenID Connect protocol - Microsoft identity
platform | Microsoft Docs
b) If you wish to support single sign-out in your application, you must implement such a LogoutUrl in your application's code. You can set the LogoutUrl from the app registration portal.or edit from the manifest like below.
Also try by giving front channel logout url which has to result in single signout.
Please check if you should call the Logout method like here > sample code. The SingleLogout is called by an IdP (Azure AD B2C) if it wants to initiate logout in your relaying party application.
Please check if you are using ITfoxtec Identity SAML2 component without a NameID, which may not be able to do logout or single logout. NameID is optional in login but not in logout and single logout.
References:
Configure Azure Active Directory B2C as a SAML IdP to your
applications | Microsoft Docs
itfoxtec identity saml2 - How to single logout from Azure AD B2C
with ITFoxTech SAML 2 library? - Stack Overflow
Configure Azure Active Directory B2C as a SAML IdP to your
applications | Microsoft Docs
I am retrieving an Azure AD access token using MSAL.js at the client and passing it as Authorization header to web api hosted in WCF API Management. But I get an error along with all the proper response as well my username and email
Cannot validate access token. IDX10501: Signature validation failed.
Key tried: 'System.IdentityModel.Tokens.X509AsymmetricSecurityKey
The API is a WCF service configured with a custom policy binding for OAuth with the metadataEndpoint or even the v2 version https://login.microsoftonline.com/{tenantid}/.well-known/openid-configuration .
I guess the Azure AD Access token that I have is not meant for validating authentication again.
My guess I might be either missing permissions on the App registration but I couldn't find an API permission for exact authentication/authorization.
I believe with new Azure AD , we cannot authenticate the earlier manner by just passing a token and need to use MSAL standard libraries.
Could someone shed some more light on this.
I used an ID Token and then it worked. You get 2 tokens when authenticated so the ID token seems to work.
Is it possible to establish Azure AD SSO/session (with all required cookies) having only Access/ID tokens obtained using ADAL library?
Our scenario is quite similar with one described here:
We have Cordova app with ADAL library as plugin. We managed to authenticate users and get Access/ID tokens using ADAL. Then we initiate SAML SSO between Azure AD and our backend. It works fine the first time user authenticates using ADAL since it's popups microsoft login screen and after successful authentication it establishes a session with Azure AD. But when user logs out our app clears all cookies and next time ADAL gets's tokens from cache and does not provide the login screen which is OK. The problem is that SAML SSO does not work after that since session is gone (no cookies).
I know that ADAL is not quite designed to work with SAML, but maybe there are some dirty or not dirty workarounds to establish session with Azure AD having only access or id tokens?
No, it is not possible.
To get the session cookies, the user must login by themselves.
You can assist the user in logging in to the right account by specifying their AAD tenant id in the authority URI (instead of common), and by specifying login_hint=username#company.com with their user principal name in the authorization call as an extra query parameter.
They should then only need to enter their password (+ MFA etc.)
Here's my current situation:
Xamarin iOS mobile app (using MobileServiceClient to login)
Azure Mobile/App Service (ASP.NET Web API) with Azure AD authentication
I would like to modify the Authentication part of this process to be handled by Okta instead of the Azure AD. How can I setup Okta or any other 3rd party Identity Provider Service similar to Okta as the ipd for both my mobile app and the api web service? Azure claims that you can use any Auth capable 3rd party provider but I don't see any way to integrate such a provider in Azure portal.
I found this url to a tutorial for custom Authentication: https://adrianhall.github.io/develop-mobile-apps-with-csharp-and-azure/chapter2/custom/
From this post:
IdentityServer 4 as Identity Provider for Azure App Service
Is this really the only way to do it? I would really rather keep using the server flow through MobileServiceClient and configure Azure to use the 3rd party OAuth identity provider, does any one have an example or additional information on how to do this?
Thank you for your help, maybe someone from the Azure team can enlighten us on this topic, I have not seen any documentation or examples of how to do it in their documentation so far.
Client:
Found a working library for OAuth2 and OpenID that worked for integrating with Okta:
https://github.com/openid/AppAuth-iOS
https://github.com/openid/AppAuth-iOS/tree/master/Examples
with a Xamarin wrapper:
https://github.com/xamarin/XamarinComponents/tree/master/XPlat/OpenId
Tested it with Okta for client Auth with 2 factor authentication and it works well. On to figure out the App Service part.
After more research and trial and error, I've found the right combination that works for what I'm trying to do. Here's an outline of what it is:
Okta (identity provider)
set up a native application with an Implicit (Hybrid) grant on it
Mobile Client
use an OpenID Connect component for Xamarin.iOS, in my case https://github.com/openid/AppAuth-iOS
Server / Web Api
converted my asp.net web api webservice to an asp.net core web api webservice so I can use the latest owin middleware to validate jwt bearer tokens submitted in the header of calls to the secured endpoints, here's an example of how to set that up with Okta: https://developer.okta.com/quickstart/#/ios/dotnet/aspnetcore
One thing to note that tripped me up along the way:
in the client, after successfully authenticating with Okta through an OpenID Connect component, you will receive user information which will include an id_token and an access_token, although it might seem natural to use the access token to send with your api calls to the server, that's actually not the case, the access token is supposed to only be used to get userinfo and is not a validated token because it gets regenerated regularly, id token on the other hand contains the signature that the server needs to validate that the header and the payload of the token haven't been tampered with, this difference between these two tokens can be observed by the number of . delimited parts contained within the token, access token has only 2 . delimited parts, header and payload, id token has 3 such parts, header, payload and signature
read more information about jwt tokens here: https://auth0.com/learn/json-web-tokens/
This question is related to
passport-azure-ad, does it parse & validate token?
I've tried to master using the passport-azure-ad module. I successfully log in my user with OpenID Connect, pick up the access_token and use it directly my REST API's which are secured by app.get('myapi',passport.authenticate('oath-bearer',
{failureRedirect: '/'}),
function(req,res){});
However, if i try to log out from the session created by OpenID connect, the token is still valid untill it expires (typically 3600 seconds).
I'm using the access_token to secure my endpoint not hosted behind a API Gateway at Microsoft, so i guess revocation of the access_token is not straight forward.
Is there any way i can check if the access_token is revoked using passport-azure-ad ? What is the best practise?
According the description on Azure Document:
While directing the user to the end_session_endpoint will clear some of the user's single sign-on state with Azure AD B2C, it will not sign the user out of the user's social identity provider (IDP) session. If the user selects the same IDP during a subsequent sign-in, they will be reauthenticated, without entering their credentials. If a user wants to sign out of your B2C application, it does not necessarily mean they want to sign out of their Facebook account entirely. However, in the case of local accounts, the user's session will be ended properly.
So you can directly use the end_session_endpoint. You can find it in the metadata document for the b2c_1_sign_in policy endpoint, e.g.:
https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=b2c_1_sign_in
As if you are using a common Azure AD application in v1, you also can find the end_session_endpoint in the metadata document at, e.g.:
https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/.well-known/openid-configuration
You can refer to Azure Active Directory B2C: Web sign-in with OpenID Connect for more info.
Any further concern, please feel free to let me know.