I have customers using my application that want to use AD FS to retrieve e-mails from there accounts like GMAIL. Can i use Chilkat to retrieve the e-mails from AD FS accounts ?
Yes, but probably not in the way you intend.
ADFS is a mechanism for managing user entitlements in a Microsoft system. G Suite has an integration that can read and provision users based on their ADFS entitlements, as well as enable SSO using a SAML-like system.
You can use any software to access a G Suite account, but you probably won't be able to easily use the SSO infrastructure provided by the ADFS integration to authenticate.
Instead, you'll want to use the OAuth entitlement system baked into G Suite. This would allow users to grant access (authenticated in whatever way is configured by their organization) to access their email with your application that accesses their G Suite email using the GMail APIs.
The benefit of this approach is that you actually broaden your customer base because your application can be used on ANY gmail or gsuite account, not just accounts that use ADFS.
Related
I need to provide an SSO between two independent applications via the Azure AD SSO.
My app (A) use Firebase as the backend and currently isn't registered in Azure AD.
The second App (B) is registered in Azure AD via App Registration and I think has password-based login now (but it doesn't really matter). Can't say what technology it uses for the backend.
I've read a lot of Azure documentation but can't understand how exactly should I connect them with SSO.
I see that I can connect applications from the Enterprise Applications list. Is this the only way to do it? In this case, I need to publish my app to the Enterprise Applications gallery but it feels like an overcomplicated solution.
SSO feature and experience depends on the type of auth-protocol being used. It also varies based on that. Lets say, your app uses OpenIDConnect then the SSO experience would be something like what mentioned here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-oidc-single-sign-on
If it uses SAML as the auth-protocol it looks something similar to: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-saml-single-sign-on
and if its using Password-based SSO then: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-password-single-sign-on-non-gallery-applications
Specifically for Password-Based SSO, it provides SSO by storing the credentials in the browser extension. With password-based sign-on, users sign on to the application with a username and password the first time they access it. After the first sign-on, Azure AD supplies the username and password to the application.
Password-based single sign-on uses the existing authentication process provided by the application. When you enable password single sign-on for an application, Azure AD collects and securely stores user names and passwords for the application.
Choose password-based single sign-on when:
An application doesn't support SAML single sign-on protocol.
An application authenticates with a username and password instead of access tokens and headers.
In your case, both you apps (MyApp-A and MyApp-B) needs to be registered in AAD and they should support neither SAML or OIDC.
I'm building a multi tenant Service Fabric Application, that allows a tenant to specify a login type - Identity(asp.net)/Azure AD.
I have an Authentication service that checks to which tenant the user is linked to and then proceeds to check if the username:password for the user is valid, if valid it returns a JWT token to the gateway API/web API that then allows access to the rest of the services on the cluster.
This is further secured by roles to limit actions and data access etc.
Question 1
What would be a secure way to save the app id and secret given by that tenant if they use azure AD?
In my DB and encrypt the info, it would have to be decrypted to connect to the AD(Trying to keep in dynamic).
Question 2
I'm implementing my own sliding refresh tokens to obtain a new JWT after it expires, is there a better/standard approach?
Question 3
Is there a better/standard way to handle this multi-tenant sign in process.
Question 4
Is there a way to have optional claims set on the JWT Subject that would allow access to shared services but prevent access to tenant specific services if the claim value is incorrect?
Edit
Ideally the Roles should not be part of the tenants AD/B2C because they role are dynamic and managed from within the application.
Instead of building your own STS logic, have a look at IdentityServer, a popular and great OSS tool.
For example, have a look here for a multi-tenant example using asp.net core.
It supports adding custom claims to the token, by implementing a Profile Service. Services can be configured to use claims for authorization.
This blog post may also be useful.
I will very strongly advise you ride upon the Azure tenant model and let Azure AD manage all credentials and authentication. In today's world its a very bad idea to store and manage user credentials when there are plenty of Identity Providers available.
Recommended reading:
How to build a multi-tenant app with Azure AD
How to secure a Web API with Azure AD.
Libraries like MSAL.NET will automatically manage token caches and refreshes.
Use roles and groups in Azure AD
Claims in tokens issued can be customized to some extent.
disclaimer: I work for Microsoft
I have a scenario where web application uses MYSQL DB to store registered users. This web application is integrate with Skype for business online (Web SDK) to communicate each other via audio, video, chat and etc.
I am implementing functionality such a way that all the registered users(in MYSQL) should be able to access Skype Web SDK automatically without asking them to provide O 365 credentials. Because the users are already registered for my application, asking them to provide O365 credentials to Skype services is not a good idea.
So I want to build functionality such a way that when registered user(MYSQL) clicks say on 'Audio Call', in background three things should happen automatically. 1.Creation of user in O 365 if not existed, 2. Sign in with O 365 credentials, 3. Start audio call.
Is this possible implement with Skype web SDK(online) ?
I am new to Skype for business online thing, Kindly suggest if any other ways available.
and also let me about available Web APIs to bulk create O 365 accounts using Global administrator of tenant.
Currently, this is not possible. For authorising users the browser has to be navigated to Microsoft domain to authenticate users and generate the access token. Only after that, your user can be authorised and users can login into Skype Services.
What is the best method of securing a REST Web API with the following requirements. The system has an Angular JS frontend with the REST APIs implemented in ASP.net.
There are two "roles" in the system, users will have one of the
roles. One role should allows access to some APIs (call it "VIEW"),
the other role allows access to other APIs
All users are in Active Directory, so if I have a username, I can check what role they are in- Some clients are on Windows boxes, the others are on Linux
I would like to persist the session so I don't have to look up AD for every API call
I would like single sign on. On the Windows machines, I don't require them to enter user and pass as I already can retrieve their username using Windows Authentication.
I believe that Oauth would be my best option.
There are two "roles" in the system, users will have one of the roles.
One role should allows access to some APIs (call it "VIEW"), the other
role allows access to other APIs
For role based authentication, you can use [Authorize("Role" = "Manager")]. The token will be provided by the identity server and will contain the claim as Role.
All users are in Active Directory, so if I have a username, I can
check what role they are in- Some clients are on Windows boxes, the
others are on Linux
If you have ADFS then you can have an Identity server that trusts the ADFS. The ADFS will provide a token which will have the claim for role and your Identity Server will do the claims transformation and will return the same Role claim back to angular app.
I would like to persist the session so I don't have to look up AD for
every API call
For this while requesting the token, you can ask for offline scope so the Identity server will provide the Refresh Token with Access Token so you don't need to ask for AD again and again.
I would like single sign on. On the Windows machines, I don't require
them to enter user and pass as I already can retrieve their username
using Windows Authentication.
For this one, you can have your Identity sever trust the WSFederation for windows Authentication.
So basically you need to setup Identity server that will provide you with the token and the REST API will use that token to verify claims to return the correct information back to the user.
I am not sure what you expect exactly. Anyway, first I'm gonna reformulate your question with requirements:
you accounts and role are in active directory
you want to manage roles based on an active directory group
you want anybody whatever the system (windows, linux, mac, mobile...) to connect on your application using the same authentication
you want to avoid your AD to be hit constantly (not at any call for example)
if the user is connected on an application that uses the authentication system, he doesn't have to do it so again on another application that uses the same authentication system
If these requirements are yours. I believe the only standard (and clean) solution is to use OAuth. I'm not gonna go in detailed description of OAuth, but this authentication protocol is the most standard one on the net (facebook, google, twitter...). Of course as you don't want to use facebook, google or twitter accounts in your business applications but your active directory accounts you'll have to install/setup/develop your OAuth identity provider using accounts of your active active directory server. Your choice will depend on how well you know ADFS protocol and its different flows (code, implicit, assersion) You have two solutions for it:
Use ADFS: install ADFS; it provides a OAuth portal that will work out of the box with asp.net mvc. This uses the code flow of OAuth that is the only OAuth flow supported by ADFS. For roles and its related AD groups, you'll have to map role claims with AD groups. (it's in the setup of adfs, you'll find many tutos on the net). You'll find lot of tutos as well about how to use ADFS with asp.net mvc/asp.net webapi. I mention .net here, but every technology has an implementation for OAuth authentication (nodeJs/express, php, java...).
Use thinktecture identity server (.net technology). This will provide all the foundation to implement a custom identity server with the least effort: http://www.thinktecture.com/identityserver / https://github.com/IdentityServer/IdentityServer3. It contains an addin to plug its accounts to active directory. With this, you can use implicit and assertion flows.
Use oauth2orize (for nodeJs): https://www.npmjs.com/package/oauth2orize. This will permit you to make the same than thinktecture identity server but in nodeJs. Apparently you'll have to make all the wirering with ad manually. With this, you can use implicit flows (not sure about assertion flows).
At application side, most of frameworks can authenticate easily using OAuth with a lot of existing frameworks. For example, even if you make a single page application, you can use adal.js or oidc.js for angular if you use angular. As I mentioned above, all this is taken in charge by asp.net mvc/webapi out of the box but I know it's the case for other server technologies. If you have more questions, don't hesitate as I'm not sure of what you expect exactly.
We have ADFS 2.0 running and have federated with various STS.
Is it possible to federate with Windows Live, OpenID and Facebook?
Some of our users already have these types of credentials and it would be a bonus to be able to use them.
If so, what URL would be used for the federation metadata address in the "Add Claims Provider Trust" wizard?
Any other gotchas?
ADFS doesn't natively support the protocols of those IP-STSs (with the possible exception of Windows Live). You'll need to put an FP-STS that understands those protocols (e.g., PingFederate) between ADFS and them.
We have been investigating this question a lot.
It seems that the best setup is to use ACS in combination with AD FS 2.0 as described in this article.
This setup also enables claims transformation, for example, if you want to add the corporate customer number as a claim.
We have not yet seen any examples where you can connect AD FS 2.0 directly to Facebook however.
Yes . there are no direct way to get the claims from ADFS , need to configure the ACS and need to set the ACS as ID providers to ADFS.
But the token validation for ACS is 24 hours at max , so you need to be happy with short-lived token for Social Id providers.