I am in the process of creating a .netcore API which calls Graph API, to get the user groups.
I was reading through the microsoft documentation , which showed I could use ADAL or MSAL.
I am not sure which one to use.
My API is used by a third party app, so I guess that will not have the same Application ID.
So is ADAL the best option for me?
I am really new to Azure AD can any one suggest a way to access the Access tocken with ADAL and without user login?
ADAL.NET is used with Azure AD v1.0 and MSAL.NET is used with Azure AD v2.0 .
MSAL(v2.0 endpoint) allows you to acquire tokens for users signing-in to your application with Azure AD (work and school accounts), Microsoft (personal) accounts (MSA) or Azure AD B2C. It will also soon support a direct connection to ADFS 2019 . ADAL(V1.0 endpoint) supports Azure AD (work and school accounts), but not personal accounts , and supports a direct connection to ADFS 2016 or ADFS v2 .
You can refer to below articles for more details :
Comparing the Azure AD v2.0 endpoint with the v1.0 endpoint
Differences between ADAL.NET and MSAL.NET applications
Related
We have a hybrid Active Directory scenario - an on premises Active Directory server synced with an Azure AD tenant.
We are in the process of migrating our on premise Exchange email accounts to 365.
We have a SPA (JavaScript) that displays calendar events retrieved from a dotnet core web API.
The web API only allows access to users in a specific AD group.
The SPA uses the Fetch API to call the web API with credentials.
The web API currently uses EWS to connect to our on premise Exchange server to read calendar events, using its app pool identity.
The above systems have been developed in-house and run on our internal servers.
We want to update the Web API to read calendar events using the MS Graph API, on behalf of the user. We would like to use the simplest available solution.
We have tried to use the AcquireTokenByIntegratedWindowsAuth method but receive the following error: 'Integrated Windows Auth is not supported for managed users'. My limited understanding of why this doesn't work is because we do not have an ADFS on premise.
One of the Microsoft samples shows a SPA acquiring an access token and passing the token in the header as part of the web API call. This would require us to update the SPA and web API code. We're willing to do that if it's the only solution, but I am hoping someone might offer an alternative where we only need to update the web API.
What is the best way to configure an application startup.cs to use both Azure AD and Azure B2C in .netcore? I see a lot of referencing indictating to use only Azure B2C, but due to the circumstances I need to use both Identity providers separately giving the users the option to choose which service.
But I am not sure how to go about it, and after configuring the startup, how would I use distinct "Authorize" on the actions within the same controller?
You can use the Azure AD B2C custom policy and Azure ad can be set as an identity provider.The end result is as shown below, where users can choose to log in with an ad account.
Found that adding multiple Azure Active Directory authentication providers in the same app using the current release of the Microsoft Identity Web library is not available (https://github.com/AzureAD/microsoft-identity-web/issues/549 ) but will hopefully be added soon.
What I know about IdentityServer and OpenID connect is:
The IdentityServer is a free, open source OpenID Connect and OAuth 2.0 framework for ASP.NET Core. That incorporates all the protocol implementations and extensibility points needed to integrate token-based authentication, single-sign-on and API access control in your applications.
Further more OpenID Connect is a simple identity layer built on top of the OAuth 2.0 protocol. OAuth 2.0 defines mechanisms to obtain and use access tokens to access protected resources, but they do not define standard methods to provide identity information. OpenID Connect implements authentication as an extension to the OAuth 2.0 authorization process. It provides information about the end user in the form of an id_token that verifies the identity of the user and provides basic profile information about the user.
What I want to know is what is Azure Active Directory and How it is works? Did we use Azure AD with openid connect? or it is optional with openid connect? and If I've an webapi which is based on ASP.Net core 2.0 with identityserver 4. Did we deploy on azure without implement Azure AD? I m confused because I've an webapi project and a client project based on angular. when I deploy my client project as a new web app on azure its running fine. But when I deploy my web api on azure its not working. Means after deploying my web api when I do post request to get a token or when I want to register a user through my azure web api link it shows me 500 error in postman.
After facing this problem I post it on Here Stackoverflow but didn't find any helpful answers. So I again start searching and found that if we want to use openid connect with azure we must implement Azure AD. Here is the Reference. So in this question I want to know the difference between openid connect and Azure AD? and second question is. Is this possible to use openid connect without using Azure AD? Please explain your answer briefly. Thanks
I know the title looks a bit odd. I am asked to create a simple web application that will be hosted in azure cloud. The client has an on-premises adfs and wants the application to handle the sso from their organization. They do not want to use azure AD and are against it. Can you guys let me know if it's possible? I have seen a lot of samples with Owin and Oauth authentication but they all point to Azure AD with adfs authentication. Any samples would be of great help. Thanks.
Yes - and there are some samples here.
Update
No - there are no Microsoft samples because Microsoft does not have a client side SAML stack.
Refer I need a SAML stack — now! for some client side ideas - most have samples in the documentation.
I understand that the use of Azure B2C and ADFS together is not supported.
What are my options if I need both Facebook/Google for customers and ADFS for partners?
I know creating my own STS using IdentityServer, and fedearating to Azure B2C or ADFS would be an option, but then again - building my own STS is what I hope to avoid.
Regards
Larsi
UPDATE
B2C can federate with ADFS. Follow B2C MSDN Doc to federate.
OLD ANSWER
B2C at the moment does not allow federation to other STS.
Also it only supports OpenID Connect which is only available on ADFS 4.0 - Server 2016.
You can get this working by using IdentityServer as a bridge. Hook ADFS up via federation and B2C up via OIDC. Note that B2C uses an OAuth extension for the policies so you need some custom code in Identity Server to support this.
You can also use ACS and federate this with ADFS. (Although ACS will be deprecated "soon").
Refer: Azure B2C : Integration with IdentityServer
Or use a third party tool e.g. Auth0 as above.
Auth0 has tons of social providers!
This use case is trivial if you use Auth0.
Your app --> Auth0 -+-> Social logins (FB, Google, etc)
|
+-> ADFS Customer 1
|
+-> ADFS Customer 2
DISCLAIMER: I work there.