I'm planning to use Azure AD as a 3rd party key manager in WSO2 API manager version 4.0
It looks like there are only some predefined set as keymanagers. I couldn't find Azure AD in the list.
Is there any way that i can configure Azure AD as a keymanager?
Appreciate any insights on this.
Thanks
You will have to write a custom key manager connector[1] for this purpose.
[1] https://apim.docs.wso2.com/en/latest/administer/key-managers/configure-custom-connector/#configure-a-custom-key-manager
Related
I've been looking at implementing a Identity Microservice (as per the eShopOnContainers sample ... https://github.com/dotnet-architecture/eShopOnContainers) and I was wondering if it was possible to implement the Identity Microservice in such a way that you could use any Identity Provider you wanted, including Active Directory B2C?
Perhaps I'm over-thinking this but what I'm asking is, is it possible to have the Identity Microservice loosely coupled to AD B2C? Are there any examples (in GitHub for example) that demonstrate this?
Thanks in advance.
(Moving from comments to Answer)
Using Azure AD B2C you can have N number of Identity Providers Where the microservices is an architectural style that structures an application as a collection of loosely coupled services. In this use case once a user is authenticates to an idenitity provider the dozens of microservices needs to be authenticated. Please check out this blog for microservices authentication with Azure AD B2C
After much reading and research, I ended up using AD B2C directly to authenticate my client apps as well as my API endpoints exposed through Azure API Manager. My microservices use other forms of authentication as they are only accessible from API Manager (not publicly visible). I was able to use Custom Policies to implement my own logic when a user signs up/signs in.
Identity Server 4 looks like a great option if you want to have a finer level of control and configuration ... and I may end up using this solution in the future.
But for now, AD B2C meets all my needs so I'm happy to use it as if it was a microservice on its own.
We have a PII masking requirement and I happen to come across a post here: https://social.msdn.microsoft.com/Forums/azure/en-US/0b38fd1e-8aa9-45f7-91a7-fd0631ef8bba/dealing-with-pii-or-sensitive-data-captured-by-application-insights?forum=ApplicationInsights
My question is how we do this for API Management (APIM)? As I am not sure how to associate the Custom Telemetry with API Management (as per MICROSOFT APP Insights Team it is not possible to set Custom Cloud Rolename or use Custom Telemetry in APIM).
As right now its all configured thru Azure Portal and no custom telemetry to it, our backend services (API) do use Custom Telemetry but in Azure portal, the PII data is marked as coming from APIM and not the APIs itself. Any help? Can someone help on how we can MASK Such data coming from POST request logged in App Insights from APIM?
Application Insights cannot control on what telemetry APIM instances would send to Application Insights, this is something need to be controlled from APIM stand point.
Hopefully you have request/response body logging enabled in APIM. Can you please check what are the bytes of body setting setup with in APIM and please make sure its specified as 0 (zero).
Additionally you can also check out the purge functionality which can be leveraged to purge the data which is already residing in Application Insights based on user defined filters.
Hope the above information helps
I'm trying to authenticate users of bot framework V4 with Azure AD B2C sef ices with different social media providers. I'm stuck with it.
I have looked and try many of the DOTNETCore samples provided to use Azure ADB2C authentication. Some of them work ok (the ones with fabrikam are quite ok).
Would any one have some experience on that or any suggestions on how to proceed ?
One thing that is not clear to me is : can I just create some controllers from with my Bot Framework project with the proper Azure AD B2C settings (tenant, poloicies, appid, key, etc ... ) ? or do I necessarily have to create a Web App or a WebApi to which post the authentication requests ?
Here are the samples I have already tried with no much success from github :
- active-directory-aspnetcore-webapp-openidconnect-v2-master
- active-directory-b2c-dotnetcore-webapi-master
- active-directory-b2c-dotnetcore-webapp-master
and I'm a bit lost on what should be the right approach.
Any advice would be much appreciated.
Thanks.
you can take this one and adapt:
https://github.com/Microsoft/BotBuilder/tree/master/CSharp/Samples/SimpleFacebookAuthBot
The difference is that this sample is specific for Facebook, so it will generate an oauth string that will send the user straight to facebook's page. In your scenario you will need to generate an oauth URL that will take the user to AAD B2C's auth page (basically following these guidelines:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-reference-oidc/.
Also you can refer this latest thread for further reference.
Hope it helps.
I'm not able to create a cognitive service to use Video API.
Its currently not available from
Azure Portal.
Does anybody know the process of creating one.
For a variety of reasons, the Azure Portal only lists APIs for which a paid tier exists.
You should be able to find all the information you need on the Microsoft Cognitive Service Video API site, including a link to get a free tier API key.
I have a web role project in ASP.NET made for Azure deployment and need to have authentication.
I have to choose between Office 365 and On-Premise Active Directory.
Looks like both needs to be integrated to Azure Active Directory using Access Control Service.
What are the pros and cons of both?
Also if there are any other possibilities.
As astaykov mentions in his comment on your question you are not restricted to involving Access Control Services in this scenario. Not sure why he didn't submit that comment as an answer.
If you truly must go against your Office 365 or On Premise AD then what you are really saying asking is what is the difference between the two. I'll list some thoughts, but first if you want to implement these then here are some links:
Offerings from MS on Identity: http://msdn.microsoft.com/en-us/security/aa570351.aspx
Using ADFS V2 in your Azure Deployment:
http://channel9.msdn.com/shows/Identity/WIF-Workshop-9-WIF-and-Windows-Azure/ This is a little older material and I couldn't find much on using WIF to connect directo ADFS V2 that was more current. You do NOT have to invovle ACS in this at all. Sadly, this was misunderstood a lot when ACS was released.
Using Office 365/Windows Azure AD: http://msdn.microsoft.com/library/windowsazure/dn151790.aspx
Note: I have connected Web sites running in Azure to ADFSV2 directly, but I've not had a chance to work with the WAAD/Office 365 stuff yet.
If you choose to go with exposing your AD on premise then you would likely do this by exposing it using ADFS V2. This is what opens up the endpoint for the code running WIndows Identify Foundation (WIF) objects to reach out and deal with authentication. The upshot of this is that you don't have to worry about Office 365 logins or a WAAD separately and might be an interesting choice if you don't have those services for ANY OTHER reason but this one scenario. The down side is that you are exposing a proxy to your AD on an endpoint at your own location. If you lose connectivity to the internet then no one attempting to use the apps in the cloud would be able to authenticate. This is also the option I might look at if the users of the app in the cloud will ONLY EVER access it while behind your firewall (such as being at an office or even over VPN). This is because you can set it up so that your app uses a ADFS endpoint that is NOT exposed to the internet, but if they are behind your firewall it would still work. This pretty much ensures that only people already behind your firewall can use your app.
If you choose to use Office 365/WAAD integration then the upside is that you can sync with your onpremise AD to give single sign on to resources on your network as well as to the apps in the cloud. You also make access to your cloud apps more resilient because they have no need to depend on your exposed ADFS V2 endpoint. If you use Office 365/WAAD for any other reason (such as your employess use Office 365 for email, collaboration, etc.) then this is the option I would look at first.
You should look at ACS if you want to integrate with other identify providers such as Google, Facebook or even other companies. Technically you wouldn't have to use ACS at that time either, but it will certainly save you a ton of work to use ACS and not write the integration code on your own for each provider.