Azure WCF Service with Azure Active Directory Authentication - azure

I know this question seems similar to other son here, but I have tried the answers posted Here: Securing WCF 4.5 service using Azure ACS 2.0
And Here: Federated authentication (single-sign-on) for a WCF REST/HTML-service on Azure
Ans neither seem to be relevant.
Here is what I have so far.
An azure cloud service with various worker roles, and a WCF web role with REST and SOAP Endpoints
An azure active directory account with a couple users
ACS namespace.
The WCF service will be used by a couple different companies but other than that closed off. We chose azure active directory to provide SSO for the wcf service and other apps.
Here is what I want to do:
Create users/passwords for each company using the WCF service in
Azure Active Directory.
Allow only companies with a valid username and password pair to obtain an access token
Have each company use their token to access the WCF methods.
I didn't think this would be that hard to accomplish, but all the tutorials out there seem to be for IIS hosted or self hosted services with a console application.
What I have done so far:
Added the WCF service as an integrated app in azure active directory
Created a new identity provider named testAAD in ACS and added the WS-Federation metadata from the integrated app to that provider
Added a relying party application that uses the newly created testAAD identity provider
Added a rule group with a pass-through rule that uses the testAAD Identity Provider and the default settings.
See option 1 here for more details.
I need to know if what I did was anywhere close to correct, and if it was, how do I get the WCFservice to start using those settings.
Other Info:
WIF 4.5
VS2012 Pro
C#
Any relevant tutorial links or general advice would be great. Thanks in advance.
Update:
Just to add more info, the WCF service is being posted to by a number of different websites. Each of our customers will collect data from their own web forms, and then either add a service reference using c# code, or post the data to a url via something like curl if they are using php. The Service has both rest and soap endpoints. So for example, they would send an XML or SOAP request to mynamespace.cloudapp.net/myservice.svc/servicemethod. I am either looking to have them send their username and password with that request and validate those credentials in the actual WCF Method, or have them request an authentication token, and then send that authentication token with their request.
Update 2
I think I found the missing piece. In order to use active directory as an identity provider, it looks like I need to set up an ADFS server. I had thought that the ADFS server was set up already with the azure active directory account, but apparently thats not the case? Is there any way to do this without an ADFS server?

The main question you haven't covered is how will these companies use that WCF service?. Via your web portal, or via rich client (such as WinForms / WPF)?
If it is rich client, you can take a look at this blog post? It shows you how to secure WCF service with token and access that service from a WPF application.
If you plan to only allow access to the WCF service via your web portal, then picture is a bit different. You can first protect your portal by Azure AD and get user's token. Then use that token to authenticate against the WCF.
But in a truly web scenario, the client that will make calls to the service is actually your web server. If this is the case, I will just protect my web portal with Azure AD. Then protect my WCF with a single access token. I can get that token from a Service Identity in my Azure AD Access Control. And provide this "Service Token" as part of each WCF call from my web server. For added audit (and compliance) I will also send the original user token, to keep track of who accessed what and when.

Related

Flowing user authentication across an Azure architecture

Users in Azure Active Directory Azure
App Services for WebSite and Services
I am creating a Web Site that a Manager would authenticate with using an Azure Active Directory account. That website would offer up sales data on the staff they manage.
The service that returns the sales data for staff member A will be being called on behalf of the manager.
My question is what is the correct way to flow the "identity" of the logged in manager through the calls to the various services.
Do I simply protect the services with a System Level authentication at the level of the website and pass the manager's user identifier as a parameter in the request?
OR
Do I try and flow the oauth identity onward to the services so that they are called in the security context of the manager? If using this approach how would I do that?
In my opinion, if the your business doesn't have a high security requirement, the first option is great. But if you want higher security, you can use second option.
For second option, you need to register an application in your azure ad for your app service. Follow steps on this page. And register another application in AD to represent client app by following these steps. Then go to your client app and grant permissions to allow the client-app to call the backend-app. After that, the manager need to get access token before request the api in your app server to return sales data.
This Azure sample shows exactly what we want to acheive with an ASpNet Core Web Site calling own AspNet Core Service secured with our Active Directooy organisation
I am having some issues getting it to work but this sampple is what I was hoping for from asking this qeuestion. FWIW here is the seperate question covering the specific issue I am having implementing the sample, Why Http 401 when calling AspNet Core API secured with AAD. Our WebApp, Web API and AD Org

Suitable Azure replacement for Auth0

I have an ASP .Net Core 2.2 Web API hosted as an Azure App Service. Then there is an Angular SPA which consumes this API, hosted on Azure Storage as a static website.
I am currently using Auth0 as our authentication and identity server. I am looking at replacing Auth0 with Azure, but I've spent a couple of days now trying to figure out what I should be doing and I am completely lost.
So, the purpose that Auth0 is currently serving, and which I would like Azure to serve instead, is to protect my Web API, as well as give it identity services so that the API knows which user is logged in. So when the front end makes a call to the API, Auth0 automatically redirects it to a login page. Here the user can log in using an existing account (including social accounts) or she can create a new account. Once logged in, Auth0 provides the front end with an access token. The front end then includes this access token in the header of every API call. The access token includes identity information which the API uses to know which user is making the call. All users are stored in Auth0. So when a new user uses the front end web app, Auth0 redirects them to the login screen, where they select "Sign Up", and create an account in Auth0. Any user can do this btw - it is a public web app which anyone can sign up and use.
So, when looking at using Azure instead of Auth0, what first confuses me is that there are various authentication services:
In the Azure portal, under my app service, under "Authentication / Authorization", there is a toggle switch labelled "App Service Authentication". If I turn this on, I can set up Authentication Providers.
In the Azure portal, there is Azure Active Directory, which I guess ties in with the above?
There is also Azure B2C.
What is the difference between Azure App Service Authentication and Azure B2C? Which one should I be using? What is the difference between points 1 and 2 above? Some examples I've seen use point 1 and some use point 2.
Sorry if this is a very vague question. I am just struggling to figure out in which direction to head. I found Auth0 quite simple, but unfortunately I cannot say the same about Azure authentication. I basically just want to figure out which Azure option would be best suited to replace Auth0 as I am using it now. Thanks
Azure B2C is the proper option to replace user authentication, however you would have to go with OWIN or another solution to actually provide application specific identity/authorization pipeline.
For public-facing site I would not go with straight up azure AD for customer logins, that’s targeted more towards enterprise customer with identities in federated, office365 or on prem Active Directory.
To be honest I’m surprised you’re planning on moving from auth0 to AAD. I’m thinking about doing the opposite.
I think the "replacement" would be using Identity Server, but there's no PaaS version for it on Azure. So you should go with Azure AD or Azure AD B2C.
If you want just to create users and groups you should use Azure AD. But if you have plans to enable 3rd party identities to access your app (such as Facebook, Google or Linkedin), then you should use Azure AD B2C. For more info, please read: https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview

What is the best way for creating Azure AD Api/Web Client Application

The typical suggested approach when creating a client/server application (Typically for SPA apps) in Azure is to create one AAD application for the service (API) and another AAD application for the client application (E.g. Angular Spa). While I understand the mindset behind this, are there any implications creating one AAD application for both and share the same configurations values (ClientId...) between both applications? This simplifies the implementation, especially when there is only one type of client app (E.g. Web) that consumes the API tier.
I think you might want to take a look at the documentation as it might explain what the app registrations are meant for : https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-overview
This specific tutorial goes over the SPA Scenario : https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-spa-overview
The purpose behind creating an AAD App Registration for the Server is so that the client is able to request an access token for a the web API resource. For example, if you're trying to access the Microsoft Graph API, you would request xyz permissions to make a call to the Microsoft Graph's xyz API.
And the V2 Overview and the SPA Scenario Overview both go over this very thoroughly.
Note that you are not creating an AAD App Registration for your client, your creating one for your server and custom web API resource. So you would have a client requesting an access token with the server's information to get access to the web api.
In addition to that, you'll want to be clear on which endpoint you're using. This goes into that a bit further as well : How do I check to see if my AzureAD version is V1 or V2?
And here are some reasons why one would want to use the v2 endpoint : https://learn.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison

Integrating Native iOS Azure SSO with Multi-Tenant Web Application

Scenario: I already have a registered multi-tenant web application that is compatible with Azure SSO. I'm now in the process of developing an iOS application that will support SSO authentication for the app as well.
Based on the example provided in https://azure.microsoft.com/en-us/resources/samples/active-directory-ios/ I created a Native application for the iOS app with delegated permissions from my WebApp (ref: https://stackoverflow.com/a/29810124).
This works for any user that exists within the AAD that the app was created. However, as soon as I want to SSO from a different domain that has previously authorized the WebApp I get an error:
Application with identifier 'CLIENT_ID_HERE' not found in directory DOMAIN_HERE.onmicrosoft.com
This implies that the native application is not multi-tenant? This seems a bit bizarre considering it should be possible for users outside of the domain to SSO to an application.
Right now, for my browser based SPA I'm simply able to manually call the common Azure login page to consent and get an authorization code for a user. I then send this code to a backend (the WebApp) that performs the OAuth handshake and gets a valid token. This does not require a client_secret from the application because the SPA isn't actually performing token retrieval.
So when I attempted to use the WebApp's client_id instead (similar to what https://stackoverflow.com/a/27033816 is suggesting) I was met with an error with the Azure AD iOS SDK requiring that I provided a client secret as well. It seems that the SDK is abstracting a fair amount of this and grabbing a token for you rather than performing a step when I can simply get an authorization code and send it to my WebApp.
TLDR: My requirements are very similar to the ones outlined in multiple-tenant, multiple-platform, multiple-services single sign-on using Azure Active directory where I have multiple clients (browser, iOS, Android) that all need to be able to use Azure SSO. I'm assuming the mobile apps should be able to use my existing WebApp to authenticate the users.
The question posed in the answer of the previous SO post somewhat explains my issue:
How can my mobile app access my multi-tenant web api on behalf of the user?
References
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-authentication-scenarios#native-application-to-web-api
https://github.com/Azure-Samples/active-directory-dotnet-webapi-multitenant-windows-store
At present the native app which register on the Azure portal doesn't support multi-tenant. You may consider using the V2.0 endpoint which also support the Microsoft accounts.
TLDR: My requirements are very similar to the ones outlined in multiple-tenant, multiple-platform, multiple-services single sign-on using Azure Active directory where I have multiple clients (browser, iOS, Android) that all need to be able to use Azure SSO. I'm assuming the mobile apps should be able to use my existing WebApp to authenticate the users.
Did you mean that have different font-end and the Multi-Tenant Web Application is the back-end? In this scenario, there is no need to register another native client application on the portal, you can refer here about add authentication for the iOS app.
So the majority of Microsoft's tutorials use their AAD SDK to generate OAuth access tokens whereas I needed to simply get an authorization_code to send up to a backend that's registered as an existing multi-tenant web application so it could properly generate a token using its own client_id.
This was done using the correct redirect_uri in the AD OAuth code documentation:
For native & mobile apps, you should use the default value of urn:ietf:wg:oauth:2.0:oob
Note that sending up urn:ietf:wg:oauth:2.0:oob will actually result in a schema error for the multi-tenant OAuth login page (https://login.windows.net/common/oauth2/authorize) so you must use https://login.microsoftonline.com/common/oauth2/nativeclient instead.

Authentication for web api using azure AD

I need to implement authentication for azure web api using azure active directory.
client app(which consumes webapi) may or may not be in azure. how i need to authenticate user, where i should generate token if my app is not in azure(if it is IOS app). authentication should work in all cases even if client app is in azure or not.
Please let me now the best procedure to implement authentication.
You need to define the client app in Azure AD as a native app in the case of a mobile app. Then you define the API there, and add your client permissions to access it. You can optionally customize the available permissions through the API app's manifest in Azure AD. Then when your mobile app opens, you would have to authenticate with Azure AD, and then request an access token for the API. That you can then use to authenticate requests.
I can't answer this question in too great detail because it is quite a large topic and how it is done also depends on your platform. There is a sample app that you can check which does exactly what you want. The whole list of examples for native apps can be found here.
App Service to use different authentication providers Azure Active Directory,Facebook,Google,Microsoft,Twitter.
We can set any type of Authentication/Authorization in the Azure Portal.More info about how to use authentication for API Apps in Azure App Service, please refer to document.
By default, App Service provides authentication but does not restrict authorized access to your site content and APIs. You must authorize users in your app code.

Resources