An external hosted app can take the username and password in the querystring and auto login the user. How do I get these details from Sharepoint?
I know you can use SPContext.Current.Web.CurrentUser; if the application is hosted locally however it isn't.
How can we achieve single sign on from Sharepoint to the external 3rd party software?
Related
I've created a SPFX feature that needs to call an external API. The external API is part of a system that has its own authentication methods outside of SharePoint. Ideally I would like to send details about the current logged in SharePoint user to this API, validate them to ensure that the user is actually logged in in SharePoint, compare the SharePoint user with the external system's user (they'll have the same email addresses) and, once matched, run the external API's code with that user.
Is there any way to go about doing something like this? If not, what is the best way to handle this sort of problem? Do other Microsoft tools like Azure need to be used for this?
The supported way to authenticate SharePoint framework components to a custom API is by using Azure Active Directory (AAD) and OAuth.
You need to AAD-protect your API. You can configure it so it supports two authentication mechanisms: AAD and your current authentication method. For example, if a JWT token is present, you use AAD+OAuth, and if not you use your other authentication method.
The SPFx to API authentication mechanism is described in details in the page Connect to Azure AD-secured APIs in SharePoint Framework solutions.
In summary, you will need the following elements:
Register an application in Azure AD, which represents your API.
Use a server library to protect your API with that AAD application.
Configure your SPFx package so it has permissions to query your API.
Grant the permissions to your SPFx package in the SharePoint central administration.
Use the AadHttpClient in your web part to access your API.
Scenario
There is one user store, namely an on-premises AD. ADFS provides authentication for SharePoint 2013 and Power BI.
The custom web app needs to authenticate users from AD. The web app back-end also requires access to the SharePoint REST API.
The objective is to achieve the above using a single sign on. If singed in to any one of the three applications, the user should not have to input credentials for any of the other two. As well, the custom web app displays content from SharePoint (iFrame and REST API) and Power BI (iFrame).
We have tried the following two solutions but have come across an issue in either case.
Solution 1
User inputs credentials in the web app.
The web app back-end uses these credentials to get a SAML token from ADFS.
The web app back-end uses the SAML token to authenticate the user with SharePoint through forms-based authentication and retrieves a FedAuth cookie.
The web app back-end uses the FedAuth cookie to make REST API requests to SharePoint
The web app front-end uses the SAML token to authenticate the user with SharePoint through forms-based authentication. This allows SharePoint content in iFrames.
What doesn't work: Navigating to Power BI or including it in an iFrame will redirect the user to the ADFS sign in page. This is because the user has not been authenticated with ADFS in the browser yet.
Solution 2
ADFS SSO is used for the custom web app as well.
Navigating to any of the three applications redirects the user to the ADFS sign in page
The user inputs their credentials and get redirected back to the application with a SAML token.
Navigating to any of the other two applications will redirect the user to ADFS, which will redirect back to the application with another SAML token without requiring the user to sign in again.
This allows for both SharePoint and Power BI content to be included in the web app in iFrames.
What doesn't work: The web app can't make REST API request to SharePoint using the SAML token received from ADFS for the web app. We have tried to use that SAML token to request another one from ADFS for SharePoint on behalf of the user signed in. That did not work either. As well, SharePoint 2013 on-premises may not accept an on behalf of request.
Question
Is there a way to have SSO for all three applications while also having REST API access to SharePoint from the web app? The user should have to sign in only once, and preferably only in to the web app.
Registering your applications through Azure Active Directory is probably the best way to achieve what you are looking for. You can register the applications in Azure AD and then grant permissions to users by application, tenant, or policy. https://learn.microsoft.com/en-us/power-bi/developer/embed-sample-for-customers
https://learn.microsoft.com/en-us/power-bi/developer/create-an-azure-active-directory-tenant
As the mentioned https://github.com/jasonjoh/node-tutorial example is a web app.
but i want to use it as a web service for example :-
i want to run this app on one machine(on server) and other apps made in(mobile apps, desktop and web app) could implemented or consume this services.
once user consume it my service would return [https://login.microsoftonline.com/common/oauth2/authorize?redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fauthorize&response_type=code&client_id=9892b97f-0026-4t3f-aa4f-5cb2olpdee7e]
then this url will be open in user's device/machine browser, then user could enter his/her office 365 credentials and once he clicked on SignIn it should aging come in web service and then it authorize the user using access token which is stored on server in cookies and then get/read emails from user office 365 account.
so please suggest me is it a possible scenario ? or if you have any alternate way to do this please let me know.
Thanks in Advance
Yes, this could work. You would need a web front end for the user to sign in, but you could then use the access token from a web service. Another alternative, assuming what you mean by web service, is to run in an unattended fashion by using the client credential OAuth flow, which allows an organizational admin to grant access to all mailboxes.
We have a SharePoint 2013 web application using claim based authentication where identity provider is windows. There are some custom web services in a "sub-application" within SharePoint website in IIS. What we want is to make those custom web services claim aware. So that in custom web services we should know that who is the current logged in user in SharePoint, whether he is authenticated SP user or not etc.
When we access the custom web service using an AJAX Web Part then the web service know the current logged in user, but using a content query (XSLT) Web Part the web service shows Application Pool's user as current logged in user, sort of double-hop problem.
Any idea how to fix this issue or how could I use the STS of SharePoint site in my custom web services application?
I have a scenario where I want to get the single sign on experience between SharePoint and another ASP.NET website. They are both on same domain and both using windows authentication. Both website have anonymous authentication turned off and windows authentication turned on. Can anyone please help for the following scenario?
User go to SharePoint 2010 website
Login to SharePoint by entering windows username and password to landing login page
SharePoint 2010 contains iframed webpart which go to another asp.net website on same domain (different port number)
User should be able to access the another asp.net website without login
My problem is during step 4 where user have to enter the windows credential again to login to asp.net website. How can I resolve this issue?
Thanks,
SJ
Windows authentication is not automatically passed between applications. Since you choose to iframe the other site you will need to separately login to it.
I find it a bit odd that your users dont get automatically logged in, but then you maybe dont have domain login on your computers.
However this can be automated a bit with impersonation, check this thread http://forums.asp.net/t/304484.aspx