Asp.net identity caching for azure ad - asp.net

The issue we are currently facing is that our users in China experience a delay when signing in to Azure AD.
I want to create an ASP.NET application that acts as an identity service provider for other applications.
I want my users to log in to my application using their Microsoft Live accounts, and my application should be able to cache the identities to avoid the delay.
Is it possible to implement such a solution?

I tried to reproduce this in my lab and successfully tested that my user can log in without any delay. Below are the steps:
I deployed my ASP.NET application to Azure > App Service > Authentication > Add identity provider.
In the identity provider, select Microsoft account. By default an app registration will be created, or we can create a new one. Under Supported account types, select the account type used to log in users: Any Azure AD directory & Microsoft accounts.
After it is added successfully you can check or edit the identity provider.
Then I tested my app, which requires Microsoft Live accounts to sign in users.
For further information please refer to the links below:
- To enable multi-factor authentication in Azure Active Directory B2C.
- Considerations for using caching.

Related

Single sign-on using ADFS approach

One of my customers wanted to implement SSO using ADFS. I was thinking of doing a POC for the same using ADFS in Azure. But one requirement is that only some users have an ADFS login and other users need to use custom authentication using the identity provider.
Is it possible to use custom and ADFS authentication in the same web application? Like presenting a page with sign-in using SSO or sign-in with credentials?
My client just shared the federatedmetadata.xml. (Do we need to give the full URL, DNS name + metadata URL, when we create the new project?)
Is it possible to use custom and ADFS authentication in the same web application? Like presenting a page with sign-in using SSO or sign-in with credentials?
If you're open to it, you could integrate your application with an identity provider, and that provider does this for you.
For example:
Your application integrates with CAS as the IDP, and CAS presents this screen to the end user for the authn attempt. The user can choose either option, and once completed they will be redirected back to your application to continue, and your application interacts with CAS to validate the user account/session. CAS itself is connected to your own account store, and is also integrated with ADFS.
What do you mean by "ADFS in Azure"? The only way to do this is to run ADFS as a VM in Azure. Otherwise, you would use Azure AD.
Yes, you can federate ADFS with other identity providers so they both are accessible from the same login screen.
What other identity providers are you looking at?
ADFS is not a project, it's a server add-on and it's all done via configuration on the Windows server.
In terms of importing metadata, see this.

Role based auth with azure ad and db

I have an ASP.NET Core MVC app that has only login with Azure AD. What I want to do is: the user logs in with their Microsoft account, then it looks in my DB, gets the rights and sets roles on the user. So basically: clicks login --> signs in with his account --> I look in the DB and set his roles --> he can now access only some content. I really don't know how to do it, so thanks for anything.
Slightly different answer. Try out the "Add authorization using app roles & roles claims to an ASP.NET Core web app that signs in users with the Microsoft identity platform" sample to see how the new policy-based authorization in ASP.NET Core is used to work with Azure AD's app roles.
You'd replace Azure AD's roles with yours and it should satisfy your requirement.
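One way to implement the lookup the question describes in ASP.NET Core, as an added example that is not from the thread or from the linked sample: an IClaimsTransformation that, on each request, looks the signed-in Azure AD user up in the application's own store and appends role claims to the principal. IUserRoleStore, InMemoryUserRoleStore, DbRoleClaimsTransformation, AddDbRoleClaims and the sample row are assumptions for this example. The lookup is keyed on the tenant id and object id claims, which are stable, rather than on e-mail or UPN, which an administrator can change.

```csharp
// Added example: enrich an Azure AD principal with roles from the app's own database.
// IUserRoleStore / InMemoryUserRoleStore / DbRoleClaimsTransformation are hypothetical names.
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.DependencyInjection;

public interface IUserRoleStore
{
    // Key on the stable (tenant id, object id) pair, never on e-mail or UPN.
    Task<IReadOnlyCollection<string>> GetRolesAsync(string tenantId, string objectId);
}

public sealed class InMemoryUserRoleStore : IUserRoleStore
{
    // Constructed sample data standing in for a real table keyed by tid + oid.
    private static readonly Dictionary<(string Tid, string Oid), string[]> Rows =
        new Dictionary<(string Tid, string Oid), string[]>
        {
            [("00000000-0000-0000-0000-000000000001", "11111111-1111-1111-1111-111111111111")]
                = new[] { "Admin", "Editor" }
        };

    public Task<IReadOnlyCollection<string>> GetRolesAsync(string tenantId, string objectId)
    {
        Rows.TryGetValue((tenantId, objectId), out var roles);
        return Task.FromResult<IReadOnlyCollection<string>>(roles ?? new string[0]);
    }
}

public sealed class DbRoleClaimsTransformation : IClaimsTransformation
{
    // Claim types Azure AD tokens carry after the default JWT-to-.NET claim mapping.
    private const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";
    private const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    private const string AppliedMarker = "app_roles_applied"; // hypothetical marker claim

    private readonly IUserRoleStore _store;
    public DbRoleClaimsTransformation(IUserRoleStore store) => _store = store;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var identity = principal.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated) return principal;

        // TransformAsync can run more than once per request; do not add the roles twice.
        if (identity.HasClaim(c => c.Type == AppliedMarker)) return principal;

        var tid = identity.FindFirst(TenantIdClaim)?.Value;
        var oid = identity.FindFirst(ObjectIdClaim)?.Value;
        if (tid == null || oid == null) return principal; // not an Azure AD identity

        var roles = await _store.GetRolesAsync(tid, oid);

        // Work on a clone so the principal held by the authentication handler is untouched.
        var clone = principal.Clone();
        var cloneIdentity = (ClaimsIdentity)clone.Identity;
        foreach (var role in roles.Distinct())
            cloneIdentity.AddClaim(new Claim(cloneIdentity.RoleClaimType, role));
        cloneIdentity.AddClaim(new Claim(AppliedMarker, "true"));
        return clone;
    }
}

public static class RoleClaimsSetup
{
    // Call after AddAuthentication()/AddAzureAD() in ConfigureServices.
    public static IServiceCollection AddDbRoleClaims(this IServiceCollection services)
    {
        services.AddSingleton<IUserRoleStore, InMemoryUserRoleStore>();
        services.AddScoped<IClaimsTransformation, DbRoleClaimsTransformation>();
        return services;
    }
}
```

After `services.AddDbRoleClaims()`, `[Authorize(Roles = "Admin")]` and role-based policies see the database roles. Because the claims are added per request and never written into the authentication cookie, a role removed in the database stops applying on the user's next request, which is the behaviour you want for revocation.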

Multitenant app issue accessing graph api

I have a multitenant application: a JS client with MSAL and a Web API, and all is working well. Users can log in and use the API.
I'm trying to read the AD groups a user belongs to with the Graph API.
It works fine for users on the same tenant where the app has been registered, but if I'm using a user from a different tenant I get a 403 (Insufficient privileges to complete the operation.) error when trying to access the /users/{userId}/memberOf endpoint.
After I registered the applications on Azure for the client and server, I set the appropriate permissions in the API permissions section (Application permission), which I thought was the case, but I must be missing something else.
Any idea what I'm missing?
Please refer to the article below:
Understand user and admin consent
For a multi-tenant application, the initial registration for the application lives in the Azure AD tenant used by the developer. When a user from a different tenant signs in to the application for the first time, Azure AD asks them to consent to the permissions requested by the application. If they consent, then a representation of the application called a service principal is created in the user’s tenant, and sign-in can continue. A delegation is also created in the directory that records the user’s consent to the application.
Your application uses permissions (/users/{userId}/memberOf) that require admin consent. If an ordinary user tries to sign in to an application that requests a delegated permission that requires administrator consent, your application receives an error.
In Azure AD V2.0 , you can redirect the user to the Microsoft identity platform admin consent endpoint:
// Line breaks are for legibility only.
GET https://login.microsoftonline.com/{tenant}/v2.0/adminconsent?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&state=12345
&redirect_uri=http://localhost/myapp/permissions
&scope=
https://graph.microsoft.com/calendars.read
https://graph.microsoft.com/mail.send
See the document: Admin consent on the Microsoft identity platform
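The request above is easy to assemble by hand, but the part that matters on the way back is checking the redirect Azure AD sends to redirect_uri. The following is an added example, not code from the thread or from Microsoft: it builds the same /adminconsent URL with proper encoding, generates an unguessable state value, and parses the callback, accepting it only when state matches and a tenant id is present. AdminConsent, ConsentResult and the callback values are constructed for this example; the client id is the one shown in the thread.

```csharp
// Added example: build the admin consent request and validate the callback.
// AdminConsent / ConsentResult are hypothetical names; sample values are constructed.
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Cryptography;

public static class AdminConsent
{
    // Same shape as the GET in the thread: scopes are space-separated, then URL-encoded once.
    public static string BuildUrl(string tenant, string clientId, string redirectUri,
                                  string state, IEnumerable<string> scopes)
    {
        string scope = string.Join(" ", scopes);
        return $"https://login.microsoftonline.com/{Uri.EscapeDataString(tenant)}/v2.0/adminconsent" +
               $"?client_id={WebUtility.UrlEncode(clientId)}" +
               $"&state={WebUtility.UrlEncode(state)}" +
               $"&redirect_uri={WebUtility.UrlEncode(redirectUri)}" +
               $"&scope={WebUtility.UrlEncode(scope)}";
    }

    // Unguessable state; keep it server-side (session) so the callback can be tied
    // to the request that started it and a stray or replayed callback is rejected.
    public static string NewState()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    public sealed class ConsentResult
    {
        public bool Granted { get; set; }
        public string TenantId { get; set; } // tenant whose admin consented
        public string Error { get; set; }
    }

    // Success: ?admin_consent=True&tenant=<tenant id>&state=<state>
    // Failure: ?error=<code>&error_description=<text>&state=<state>
    public static ConsentResult ParseCallback(Uri callback, string expectedState)
    {
        var q = ParseQuery(callback.Query);

        if (!q.TryGetValue("state", out var state) || state != expectedState)
            return new ConsentResult { Error = "state mismatch: not a request we issued" };

        if (q.TryGetValue("error", out var error))
            return new ConsentResult { Error = error };

        bool granted = q.TryGetValue("admin_consent", out var flag)
                       && string.Equals(flag, "True", StringComparison.OrdinalIgnoreCase);
        q.TryGetValue("tenant", out var tenant);

        if (!granted || !Guid.TryParse(tenant, out _))
            return new ConsentResult { Error = "consent not granted or tenant id missing" };

        // Record this tenant: it now has a service principal for the app with consented permissions.
        return new ConsentResult { Granted = true, TenantId = tenant };
    }

    private static Dictionary<string, string> ParseQuery(string query)
    {
        var result = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (var pair in query.TrimStart('?').Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = pair.IndexOf('=');
            string key = eq < 0 ? pair : pair.Substring(0, eq);
            string value = eq < 0 ? "" : pair.Substring(eq + 1);
            result[WebUtility.UrlDecode(key)] = WebUtility.UrlDecode(value);
        }
        return result;
    }
}

public static class AdminConsentDemo
{
    public static void Run()
    {
        string state = AdminConsent.NewState();
        string url = AdminConsent.BuildUrl("common", "6731de76-14a6-49ae-97bc-6eba6914391e",
            "https://localhost/myapp/permissions", state,
            new[] { "https://graph.microsoft.com/calendars.read", "https://graph.microsoft.com/mail.send" });
        Console.WriteLine(url);

        // Constructed callback, as the browser would deliver it after an admin accepts.
        var cb = new Uri("https://localhost/myapp/permissions?admin_consent=True" +
                         "&tenant=00000000-0000-0000-0000-000000000002&state=" + state);
        var r = AdminConsent.ParseCallback(cb, state);
        Console.WriteLine(r.Granted ? $"consent recorded for tenant {r.TenantId}" : r.Error);
    }
}
```

Keeping a record of which tenants returned `admin_consent=True` is what lets the API tell, before calling Graph, whether a foreign tenant's 403 is the missing-consent case from the answer or something else.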

Dot Net Core 2.2 Sign Out behavior

I have a .NET Core 2.2 MVC application integrated with Azure AD for user authentication. User authentication and sign-out are working as expected.
But if we copy the cookies .AspNetCore.AzureADCookie, .AspNetCore.AzureADCookieC1 and .AspNetCore.AzureADCookieC2 from the authenticated browser session using the EditThisCookie extension, log out, and then import those copied cookies back into the browser, we are able to access the application. The application trusts the cookies and logs us in automatically.
I'm using the Microsoft.AspNetCore.Authentication.AzureAD.UI NuGet package.
Is this behavior expected?
This depends on the permissions and authentication configurations that you have set for the users within your Azure AD tenant and within the application. If the users are members of your Azure AD tenant or of your application and you've set up SSO using an MSAL library like OpenID Connect, then their credentials might be stored and they can log in by default.
Are you trying to say that you do not want your users to be able to one-click SSO with their pre-authenticated credentials?
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-authentication-for-federated-users-portal?view=azurermps-5.7.0
https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad
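The behaviour the question describes follows from how the default cookie works: the ticket lives entirely in the (encrypted) cookie, the server keeps no record of it, so sign-out only deletes the browser's copy and any other copy stays valid until the ticket expires. One mitigation, shown here as an added example that is not code from the thread or from the AzureAD.UI package, is to keep tickets server-side through the cookie handler's ITicketStore: the cookie then carries only a key, and SignOutAsync removes the ticket, so a copied cookie no longer authenticates. InMemoryTicketStore and AddServerSideAzureAdSessions are names assumed for this example; an in-memory store only works on a single instance, and a distributed cache would back it in a scaled-out deployment.

```csharp
// Added example: server-side session tickets so sign-out really invalidates the cookie.
// InMemoryTicketStore / AddServerSideAzureAdSessions are hypothetical names.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.DependencyInjection;

public sealed class InMemoryTicketStore : ITicketStore
{
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets =
        new ConcurrentDictionary<string, AuthenticationTicket>();

    // Called on SignInAsync: the returned key is all that ends up in the cookie.
    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        string key = NewKey();
        _tickets[key] = ticket;
        return Task.FromResult(key);
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        _tickets[key] = ticket;
        return Task.CompletedTask;
    }

    // Called on every authenticated request; null means "no session", i.e. anonymous.
    public Task<AuthenticationTicket> RetrieveAsync(string key)
    {
        if (key == null || !_tickets.TryGetValue(key, out var ticket))
            return Task.FromResult<AuthenticationTicket>(null);

        // Treat an expired ticket as absent even if it has not been evicted yet.
        if (ticket.Properties.ExpiresUtc is DateTimeOffset exp && exp < DateTimeOffset.UtcNow)
        {
            _tickets.TryRemove(key, out _);
            return Task.FromResult<AuthenticationTicket>(null);
        }
        return Task.FromResult(ticket);
    }

    // Called on SignOutAsync: after this, every copy of the cookie referencing this key is dead.
    public Task RemoveAsync(string key)
    {
        _tickets.TryRemove(key, out _);
        return Task.CompletedTask;
    }

    private static string NewKey()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }
}

public static class SessionStoreSetup
{
    // Call after services.AddAuthentication(AzureADDefaults.AuthenticationScheme).AddAzureAD(...).
    public static IServiceCollection AddServerSideAzureAdSessions(this IServiceCollection services)
    {
        var store = new InMemoryTicketStore();
        services.Configure<CookieAuthenticationOptions>(AzureADDefaults.CookieScheme, options =>
        {
            options.SessionStore = store;
        });
        return services;
    }
}
```

With the session store in place the cookie shrinks to a single encrypted key, so the C1/C2 chunk cookies from the question disappear as well. A quick check is the one the question already performs: export the cookies, sign out, re-import them, and confirm the next request is treated as anonymous.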

Can you add SSO using OpenID Connect to a web application that uses MVC ASP.NET Identity?

Is it possible to mix authentication types in a C# ASP.NET MVC web application hosted in Azure?
I have an ASP.NET MVC application written in C# that uses ASP.NET Identity as its authentication system.
A customer has asked if they can sign into the application using their Azure Active Directory (SSO using OpenID Connect).
I can recreate the application using OpenID Connect and assign their tenant as the AAD directory, but users from my company cannot log into the application because we do not exist in the customer's Azure Active Directory.
We need to be able to log into the application because we perform data entry tasks for them using the web app.
Has anyone come across a similar issue?
Regards,
Graham
You may need to show a login screen with two possible options. You redirect the user to their respective identity provider, they get authenticated and bring back the access_token/Id_token to access application resources.
Very much like different OpenID Connect providers in the same application (FB, Google, Microsoft etc.): regardless of which provider the user chooses to get authenticated with, the token used to access resources is the same.
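The two-option login screen the answer describes maps, in an ASP.NET MVC 5 / OWIN application that already uses ASP.NET Identity, onto two middlewares signing into one application cookie. The following is an added example and not code from the thread: ASP.NET Identity's cookie stays the default for local users, and the OpenID Connect middleware for the customer's Azure AD runs in passive mode so it only fires when the "organisation account" button is clicked. Client id, authority and redirect URI are placeholders, and ExternalSignInController is a name assumed for this example.

```csharp
// Added example: ASP.NET MVC 5 / OWIN with local (ASP.NET Identity) and Azure AD (OIDC) sign-in
// sharing one application cookie. ClientId / Authority / RedirectUri are placeholders.
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Option 1: ASP.NET Identity's local credentials (your own staff) land in this cookie.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login")
        });
        app.SetDefaultSignInAsAuthenticationType(DefaultAuthenticationTypes.ApplicationCookie);

        // Option 2: the customer's Azure AD via OpenID Connect. Passive mode means it only
        // runs when a controller explicitly challenges it, so local logins are unaffected.
        // A tenant-specific authority (not "common") means only that customer's directory
        // is accepted on this path.
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            AuthenticationType = OpenIdConnectAuthenticationDefaults.AuthenticationType,
            AuthenticationMode = AuthenticationMode.Passive,
            ClientId = "<application (client) id>",                                   // placeholder
            Authority = "https://login.microsoftonline.com/<customer tenant id>/v2.0",  // placeholder
            RedirectUri = "https://<your-app>.azurewebsites.net/",                    // placeholder
            // Federated users are issued the same application cookie as local users.
            SignInAsAuthenticationType = DefaultAuthenticationTypes.ApplicationCookie
        });
    }
}

public class ExternalSignInController : Controller
{
    // The "Sign in with your organisation account" button posts here; local users keep
    // using ASP.NET Identity's AccountController exactly as before.
    [AllowAnonymous]
    [HttpPost, ValidateAntiForgeryToken]
    public void AzureAd(string returnUrl)
    {
        // Only return to a path inside this site; anything else falls back to the root.
        string target = !string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl) ? returnUrl : "/";

        HttpContext.GetOwinContext().Authentication.Challenge(
            new AuthenticationProperties { RedirectUri = target },
            OpenIdConnectAuthenticationDefaults.AuthenticationType);
    }
}
```

Because both paths end in the same application cookie, the rest of the site authorizes one way. Anything that must tell the two populations apart (the customer's staff versus yours) should do so on claims the cookie carries, such as the tenant id claim that only the Azure AD path supplies, rather than on which login button was clicked.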
