I am building a multi-tenant application in Azure and planning to use Claims (WIF). I do not have ADFS hosted for issuing tokens to the users of my applications.
What options do I have? Is there any commercial offering available?
Thanks & Regards,
Ajay
Azure provides it own token issure in AppFabric Access Control . Check Michele L. Bustamante 's Access Control in the Cloud: Windows Azure AppFabric's ACS for a very well written intro. There's also a demo video at Channel9 on using AC and a client's ADFS to control access to an Azure service, in this case Dallas.
You can now try ACS labs (early version of the service): http://acs.codeplex.com
It now supports WS-Federation.
my old post-->
AppFabric Access Control can currently only be used for REST endpoints (WRAP, SWT). If you Windows Azure app is a web site, you probably need an STS that supports WS-Federation.
You can build your own (and deploy it on Windows Azure) or you can rely on an STS hosted somewhere else.
To build your own I suggest looking athe starter sts
Related
I am a bit new to Azure AD and some of its features. I have a vendor application that wants to setup authentication & single sign on using our Azure Active Directory. The documentation they provided me with just walks through adding Azure AD SAML Toolkit as the enterprise application and configuring it accordingly. However, I noticed immediately that the description for that enterprise application was "This is the sample SAML app which customers can use to test the SAML single sign-on integration with Azure AD."
My question is, shouldn't a vendor application have setup an enterprise application for me to add to our Azure tenant or is it common and good practice for applications to use the Azure AD SAML Toolkit for production implementations?
So far I have found no reason documented that this is bad practice. We have implemented it for the vendor application and have had no issues up to this point.
I am trying to set IS4 as Identity Provider.
The first thing I tried was to create a federation trust between Azure AD and the domain where I hosted my IS4. once federated by using the "Get-MsolDomainFederationSettings" command in PowerShell I got values for the following parameters:
I have found the following "solution", that also comes with this documentation, but it is a paid solution, and I am looking for a free option.
Should I use standard protocols, e.g. OpenID Connect, WS-Federation or SAML2p, and how can this be configured?
Based on the question and clarifying comments here the answer as of today:
You cannot achieve the required target architecture as of today. Today the only officially supported federation for Azure AD is ADFS over WS-Federation protocol and Ping Federate as preview. There is an official documentation describing the federation options with Azure AD.
There have been some tests in the past, but there is nothing officially supported beside the two options mentioned.
Looking at SSO, you can however look at the other side of the things:
You have IdentityServer and already some applications registered for it
You want SSO for Azure (O365) users to this applications
You can achieve what you want in the following manner:
You continue using Identity Server for your apps
You configure an external provider for your Identity Server as described here
What you certainly cannot achieve is:
Making Azure (Azure AD) authenticate users over Identity Server (at least not in a supported way!)
Azure AD can only be used as an endpoint as per #astaykov.
It can be an STS but it cannot be a R-STS i.e. it cannot be an intermediate step.
The solution described above is a paid solution because it uses the RSK SAML stack.
However, you could follow the same steps using the Sustainsys .NET Core option which is free.
I have configured the Azure AD Authentication for my asp.net core project using the services of "Microsoft.AspNetCore.Authentication.*" packages. The project is expected to be deployed to Azure App Service as a Web App.
While I enabled Azure AD authentication, I also see there is an option to enable the same at the Web App level through Application Settings on Azure Portal.
I have question around which option is recommended. I do see when I don't leverage Azure AD authentication configured via nuGet packages, I don't have OpenId connect service plugged into the StartUp.cs file. And I think these services are pivotal in populating the authentication properties like User.Identity.Name. On the other hand with just portal enabled authentication, I don't see this information populated. So, I presume if I want to do further work with logged in user's identity, like leveraging current claims information for authorization, I won't be able to achieve that with portal only authentication.
Your assessment is basically correct. The portal-enabled authentication runs completely outside your application and isn't capable of setting User.Identity.Name when using .NET Core (that level of integration only works with ASP.NET 4.x).
My recommendation is to use the ASP.NET Core NuGet package so you can get the full integration. It's a lot more work to set up, but once you get it working you should be in good shape and get the full end-to-end experience you want.
If you are interested in using the portal-enabled Azure AD authentication support, then take a look at this StackOverflow question to learn how you can get it to work with User.Identity.Name.
I am developing a WP8 app, which requires authentication in order to get a token to call the web api backend. I don't want to create my own account management mechanism, because it seems silly in our day and age to implement my own account repository.
I am using Azure anyway, so I thought to leverage it for the user management and authentication/authorization. What better place to manage users than Active Directory. If I also use ACS, I can get both "native" accounts and using other providers (Facebook, Microsoft Accounts, etc.) right out of the box.
So I have been searching for DAYS and I can't find even one tutorial or example or even someone talking about a flow that includes WP8, Azure AD/ACS and Web API.
I can only find tutorials on authenticating with Mobile Services and I don't want to use that, as it seems much to simple for what I need.
Is this use case even supported currently? Can one authenticate users of a WP8 app using Azure AD and then receive a token for authorization with a Web API hosted in a VM?
Vittorio has just blogged about this:
A Sample Windows Phone 8 App Getting Tokens from Windows Azure AD and ADFS.
The article also has a link to his earlier one - Fun With Windows Azure AD: Calling REST Services from a Windows Phone 8 App (which may have been one you found?).
Is it possible to use an Azure virtual machine as an Active Directory server with ADFS 2.0 and integrate it with ACS ?
Regards ,
James Roeiter
Having AD server (with RMS also) in cloud is an ask which I have heard time to time from Azure users and it sure is a great addition to have it running in Windows Azure or any cloud. Various organization's IT is asking the same as well however As of now with current Windows Azure it is not possible.
A few might suggest that using Windows Azure VM Role however, I would say that there are concern over that as well do to persistence and other issues so I would say it is not possible with Windows Azure VM Role as well and there are other issues related with Active Directory product as well to run in Cloud scenarios.
If I answer it directly, I would say as of now it is not supported and suggested scenario to have AD on Windows Azure and will not work due to various reasons.
You can now install AD on Azure in a persistent state. Its still preview but I have just got an standalone AD on a separate network on Azure. I haven't finished wiring up ADFS and ACS but given a little time to get my head around it and I will be there.
Why would you like to put your AD server in Azure? If it just for testing - you can. However the current state of Windows Azure only allows you to have a VM Role, which is Stateless. That means, you may prepare your VM with the AD, all configured for ACS and fill up with users. However you can't rely on any changes to be persisted (including password changed, user edits). VM Role is stateless, which means you will lose your changes once the role is recycled or rebooted, or healed.
So the final answer for the current Windows Azure offering would be - don't do that now, unless you want to just play around and see if it works.
** EDIT **
I am not an AD expert, what I managed to do and have an "in-house-virtualized" lab is to have ADFS on VM integrated with ACS. Another VM running Windows 7, which is domain joined to my AD. Then a web deployed application which leverage ACS with ADFS integration. Everything works fine.
As for storing AD data on external persistent storage - I don't know if it is possible, and how to configure that (already told you I am not AD expert). But if you know how to configure the storage for AD, and if you can store it in an SQL Azure, it is worth to give it a try.
And, finally, as Sandrino mentioned read the provided link to ZDNet's blog post, which has information you might find helpful.