Logout user when disabled in AD - adfs

We have configured ASP.NET Zero MVC + jQuery application to work with AD FS login.
We cannot figure out the following: if a person is currently logged in to the website and we disable that person's account in Active Directory, how can we log the user out of the website so that he cannot access it anymore?
I'm new to AD and AD FS, can anyone please guide me to a starting point?

Yes - as per John, AD access and manipulation is done via LDAP calls through the .NET AD API.
This is not part of ADFS.
If the AD account is disabled, the user won't be able to login once their session has expired.
In terms of the website, you would need to monitor AD and then clear the cookies (which is what logout does) as appropriate.
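The answer above leaves the website-side part ("monitor AD and then clear the cookies") as an exercise. ADFS does not push a revocation to the relying party when an account is disabled, so the application has to pull the account state from AD itself. The example below is added here and is not ASP.NET Zero's or the original poster's code: it hooks the ASP.NET Core cookie authentication `OnValidatePrincipal` event, re-checks the account's Enabled flag in AD via System.DirectoryServices.AccountManagement at most once per `CheckInterval`, and rejects the principal (clearing the cookie) when the account is disabled or missing. The domain name `corp.example.com`, the claim type `urn:example:ad-last-check` and the 5-minute interval are assumptions; the web server's application pool identity is assumed to have read access to the domain.

```csharp
// Added example (not from ASP.NET Zero or the original post): re-validate the
// authentication cookie against Active Directory so that a user whose AD account
// has been disabled is signed out of the site before the cookie expires.
// Assumes ASP.NET Core cookie authentication and the
// System.DirectoryServices.AccountManagement package (Windows only).
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

public static class AdAccountRevalidation
{
    // How stale an AD check may be before we ask AD again. Lower means faster
    // revocation, higher means fewer LDAP round-trips per request. (assumed value)
    private static readonly TimeSpan CheckInterval = TimeSpan.FromMinutes(5);
    private const string LastCheckClaim = "urn:example:ad-last-check"; // hypothetical claim type
    private const string DomainName = "corp.example.com";              // assumed domain

    public static void Configure(CookieAuthenticationOptions options)
    {
        options.Events.OnValidatePrincipal = async context =>
        {
            var principal = context.Principal;
            var upn = principal?.FindFirst(ClaimTypes.Upn)?.Value
                      ?? principal?.FindFirst(ClaimTypes.Name)?.Value;
            if (principal == null || string.IsNullOrEmpty(upn))
            {
                // No identity we can map to an AD account: fail closed.
                await RejectAsync(context);
                return;
            }

            // Throttle: only hit AD when the last check is older than CheckInterval.
            var lastCheck = principal.FindFirst(LastCheckClaim)?.Value;
            if (lastCheck != null
                && DateTimeOffset.TryParse(lastCheck, out var when)
                && DateTimeOffset.UtcNow - when < CheckInterval)
            {
                return;
            }

            if (!IsAccountEnabled(upn))
            {
                await RejectAsync(context);
                return;
            }

            // Still enabled: record the check time in the principal and re-issue the cookie.
            var identity = (ClaimsIdentity)principal.Identity;
            var old = identity.FindFirst(LastCheckClaim);
            if (old != null) identity.RemoveClaim(old);
            identity.AddClaim(new Claim(LastCheckClaim, DateTimeOffset.UtcNow.ToString("o")));
            context.ShouldRenew = true;
        };
    }

    private static async Task RejectAsync(CookieValidatePrincipalContext context)
    {
        context.RejectPrincipal();
        // Clear the cookie now rather than waiting for the next round-trip.
        await context.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    }

    // Returns false when the account cannot be found or is disabled (fail closed).
    private static bool IsAccountEnabled(string upn)
    {
        try
        {
            using var ctx = new PrincipalContext(ContextType.Domain, DomainName);
            using var user = UserPrincipal.FindByIdentity(ctx, IdentityType.UserPrincipalName, upn);
            return user?.Enabled == true;
        }
        catch (PrincipalServerDownException)
        {
            // Policy choice: a domain controller outage should not sign everyone out.
            return true;
        }
    }
}
```

Wire it up with `services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie(AdAccountRevalidation.Configure)` (plus your ADFS WS-Federation or OpenID Connect handler as before). A disabled account is then refused within `CheckInterval` of the change rather than at cookie expiry; shorten the interval or drop the throttle if that window is too long for your environment, at the cost of one LDAP lookup per request.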

Related

Next Auth Azure AD B2C signout problem: session is killed on the app but not on Azure AD

I am integrating Next Auth with Azure AD B2C. I am able to create a login session when I log in or sign up on Azure AD, but when I sign out using Next Auth I am not signed out of Azure AD, and it automatically signs me in until the Azure AD session expires, which is 1 day; after a day I get the option to sign in again.
I tried following the documentation but got no result; any help would be appreciated! The thing is, Next Auth provides a solution for sign-in, sign-up and so on, and the session at my app gets killed on signout, but that defeats the purpose of MFA (multi-factor authentication) if the Azure AD session is maintained, since it can be used again to sign in to my app without credentials!
You can either:
Force users to re-enter their credentials on each login
Reference: Next-Auth "Additional parameters" documentation
signIn("azure-ad-b2c", null, { prompt: "login" })
Defer calling signOut() until after you redirect to B2C, as B2C handles clearing its session
Reference: Benjamin Fox Blog, Azure B2C with Next-Auth
<a
  href={`https://${process.env.AUTH_TENANT_NAME}.b2clogin.com/${process.env.AUTH_TENANT_NAME}.onmicrosoft.com/${process.env.USER_FLOW}/oauth2/v2.0/logout?post_logout_redirect_uri=${encodeURIComponent(`${process.env.NEXTAUTH_URL}/auth/signout`)}`}
>
  Sign Out
</a>
where the /auth/signout page calls Next-Auth's signOut()

How to mark an Azure AD B2C App as Publisher Verified

I have a working Xamarin Forms app that uses Azure AD B2C to login to providers such as Microsoft, Google, LinkedIn, Apple, etc. The login process works smoothly except that I get the message "Let this app access your info? unverified". See picture below:
I know how to resolve this issue for an Azure AD application. See Publisher verification and app consent policies are now generally available
The Azure documentation clearly states that this is not supported for Azure AD B2C apps. Is there an alternate way to get past the "unverified" message? This is causing a massive adoption problem for my app, as downloaders are hesitant to log in to an app with an "unverified" publisher.
Any and all help will be appreciated.
• Sorry, there is no way to mark an Azure AD B2C application's publisher as verified. However, you can register that application as an internal Azure AD application and ensure that it is publisher verified, which will in turn make the 'unverified' tag go away during the login process.
a) Also, ensure that the domain of the mail ID used to register for MPN (Microsoft Partner Network) account verification is the same one configured as a custom domain and verified in the Azure AD tenant in which you wish to register the Xamarin Forms application.
b) The user account should be assigned one of the following roles: MPN admin, Accounts admin or Global admin in the Partner Center account, and Application admin, Cloud application admin or Global admin in the Azure tenant.
c) This user account must sign into the Azure AD tenant using MFA and the publisher should agree to the Microsoft Identity Developer Terms of Use.
Please refer to the link below for the documentation on marking an application publisher as verified in Azure AD:
https://learn.microsoft.com/en-us/azure/active-directory/develop/mark-app-as-publisher-verified
I would also suggest referring to the SO thread below for more information, as it explains publisher domain verification in Azure AD further:
Mark an app as publisher verified in Azure AD B2C
I finally succeeded in marking my Azure AD B2C application as publisher verified. Now I no longer get the "unverified" description in the access screen. To do this, I followed the instructions here:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-microsoft-account?pivots=b2c-user-flow#verify-the-applications-publisher-domain
It is especially important to know that the MPN id cannot be set through a user interface; you have to use Graph Explorer to set it.
The code below is an example of using Graph Explorer to set the MPN Id:
POST https://graph.microsoft.com/v1.0/applications/{appObjectId}/setVerifiedPublisher
Content-Type: application/json
{
  "verifiedPublisherId": "12345678"
}
Here appObjectId is the object id of your AD B2C app. It is NOT the app (client) id but the object id. The verifiedPublisherId is the MPN Id that you wish to set.
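The object-id-versus-app-id confusion called out in the answer above is the usual stumbling block when scripting this. The following is an added example, not the answer's own code: it resolves the app registration's object id from its client (app) id with a Graph `$filter`, then issues the same `setVerifiedPublisher` request shown above via HttpClient. The Graph access token (which needs Application.ReadWrite.All or an equivalent directory role) is assumed to have been acquired already and is passed in; the MPN id and app id are caller-supplied placeholders.

```csharp
// Added example (not from the original answer): resolve an app registration's
// object id from its client (app) id, then call setVerifiedPublisher on it.
// Assumes an already-acquired Microsoft Graph access token; no MSAL code here.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

public static class VerifiedPublisher
{
    private const string Graph = "https://graph.microsoft.com/v1.0";

    public static async Task SetAsync(HttpClient http, string accessToken, string appId, string mpnId)
    {
        // Validate before interpolating into an OData filter: appId must be a GUID.
        var clientId = Guid.Parse(appId).ToString();
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        // 1. appId (client id) -> object id. setVerifiedPublisher is keyed on the object id.
        var filter = Uri.EscapeDataString($"appId eq '{clientId}'");
        using var lookup = await http.GetAsync($"{Graph}/applications?$filter={filter}&$select=id,displayName");
        lookup.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await lookup.Content.ReadAsStringAsync());
        var apps = doc.RootElement.GetProperty("value");
        if (apps.GetArrayLength() != 1)
            throw new InvalidOperationException(
                $"Expected exactly one application with appId {clientId}, found {apps.GetArrayLength()}.");
        var objectId = apps[0].GetProperty("id").GetString();

        // 2. POST /applications/{objectId}/setVerifiedPublisher with the MPN id.
        var body = JsonSerializer.Serialize(new { verifiedPublisherId = mpnId });
        using var content = new StringContent(body, Encoding.UTF8, "application/json");
        using var resp = await http.PostAsync($"{Graph}/applications/{objectId}/setVerifiedPublisher", content);
        if (!resp.IsSuccessStatusCode)
        {
            // Graph answers 4xx with a JSON error body, e.g. when the publisher domain
            // does not match the MPN account's verified domain.
            var err = await resp.Content.ReadAsStringAsync();
            throw new HttpRequestException($"setVerifiedPublisher failed: {(int)resp.StatusCode} {err}");
        }
        // Success is 204 No Content; the app now shows the verified publisher on consent.
    }
}
```

Call it as `await VerifiedPublisher.SetAsync(new HttpClient(), token, "<app id from the B2C portal>", "<MPN id>")`. Keeping the lookup step rather than pasting the object id by hand avoids the 404 you get when the client id is used in the URL by mistake.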

Get user name and email address in asp.net form

Each user of my ASP.NET Forms app logs into a PC with their Active Directory credentials.
How could the ASP.NET forms app get the user name and the email address currently logged into the PC?
There is no guaranteed way to find out which user they are logged into their computer with. However, you can:
Enable Windows Authentication so they need to authenticate with your website with an AD account
Add your website to the Trusted Sites in the Internet Options on their computer (this can be done in group policy) so that IE and Chrome will automatically send the credentials of the currently-logged-on user account. (Firefox uses its own network.negotiate-auth.delegation-uris setting)
If you skip step 2, then the user will be prompted for credentials. If the credentials sent in step 2 fail for whatever reason (for example, they are logged in with a local account instead of a domain account), the user will be prompted for credentials. Then they can type in whatever AD account they want, which may not be the same as what they are logged into their computer with. That's why I say that there is no 100% guaranteed way to know what account they are logged into their computer with.
If only some of your users have AD accounts, and some don't, then you can use split Forms and Windows authentication. I've done this before and described how I did it in a past answer.
Get the user name with HttpContext.Current.Request.LogonUserIdentity, then query AD to get the email; see How to get a user's e-mail address from Active Directory?
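The two answers above together describe the procedure: enable Windows authentication, read the identity the browser negotiated, then look the mail attribute up in AD. The Web Forms code-behind below is an added example, not code from either answer: it reads `Request.LogonUserIdentity`, reports the authentication type (Kerberos/Negotiate versus NTLM, which tells you whether single sign-on actually happened rather than a credential prompt), and resolves the e-mail address by SID. It assumes `<authentication mode="Windows" />` is set for the site, that the page markup declares labels `lblUser`, `lblAuthType` and `lblEmail`, and that `corp.example.com` stands in for your domain.

```csharp
// Added example (not from the original answers): a Web Forms code-behind that
// reads the Windows-authenticated user, shows how the browser authenticated,
// and looks the e-mail address up in AD. Assumes IIS Windows authentication is
// enabled for the site and that lblUser/lblAuthType/lblEmail exist in the markup.
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web.UI;

public partial class WhoAmI : Page
{
    private const string DomainName = "corp.example.com"; // assumed domain

    protected void Page_Load(object sender, EventArgs e)
    {
        WindowsIdentity id = Request.LogonUserIdentity;
        if (id == null || !id.IsAuthenticated || id.IsAnonymous)
        {
            // Either anonymous access is still allowed on this page, or auth failed.
            lblUser.Text = "Not authenticated";
            return;
        }

        // DOMAIN\sAMAccountName as negotiated by the browser. This is the account
        // the browser used to authenticate, which is usually the interactive logon
        // but can be any account the user typed into a credential prompt.
        lblUser.Text = id.Name;

        // "Negotiate"/"Kerberos" vs "NTLM": NTLM after a prompt means no real SSO.
        lblAuthType.Text = id.AuthenticationType;

        lblEmail.Text = LookupEmail(id) ?? "(no mail attribute set)";
    }

    private static string LookupEmail(WindowsIdentity id)
    {
        // Look up by SID rather than by name: it is unambiguous and survives renames.
        using (var ctx = new PrincipalContext(ContextType.Domain, DomainName))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.Sid, id.User.Value))
        {
            return user?.EmailAddress;
        }
    }
}
```

Treat `id.Name` as "the account that authenticated to this site", not "the account logged on to the PC": as the first answer notes, a user who gets a credential prompt can supply any domain account, and the server cannot tell the difference.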

How to Fully Logout of Azure AD With OWIN and Redirect after?

I have an MVC ASP.NET web application that is using Azure AD to log in. I have an action in my controller that is in charge of signing out and uses
Request.GetOwinContext().Authentication.SignOut(
    HttpContext.GetOwinContext().Authentication.GetAuthenticationTypes()
        .Select(o => o.AuthenticationType)
        .ToArray());
This however leaves me stuck at the Microsoft "We recommend you close your browser" screen and it never redirects anywhere. Then, if I try to log in again, it auto-logs me in as if cookies are not clearing or it is retaining my login somehow. How do I fully log out and then redirect afterwards? If you log out of any Microsoft Office 365 product, this is the behavior I am looking for: it logs you out without retaining any info/cookies and then redirects you back to the OWIN login page. Any help or insight would be appreciated. Thanks.
What you can do is construct a sign out URI in your application and when the user clicks on the Logout link or button, you redirect your users to that URI.
https://login.microsoftonline.com/{0}/oauth2/logout?post_logout_redirect_uri={1}
Where {0} is your Tenant Id or the Azure AD name (Fabrikam.onmicrosoft.com) and {1} is the link to your application where a user will be redirected back after the sign out process is complete at Azure AD end.
Apart from that, you have to clear the cookies on the application side.
In this way you can redirect the user to a custom page and also start the process from the beginning.
Similar thread for reference.
Hope it helps.
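Both this answer and the earlier Next Auth / Azure AD B2C answer describe the same mechanism: clear the local session, send the browser to the identity provider's end-session endpoint, and have it come back via post_logout_redirect_uri. With the OWIN OpenID Connect middleware you do not need to hand-build the URL from this answer; setting PostLogoutRedirectUri on the options and signing out of the OIDC authentication type produces exactly that request. The code below is an added example, not the poster's or the answer's code. The tenant name, client id and redirect URL are placeholders, and the redirect URL is assumed to be registered as a reply/logout URL on the app registration (Azure AD refuses unregistered values and shows the "close your browser" page instead).

```csharp
// Added example (not from the original post or answer): OWIN OpenID Connect
// sign-out that clears the app cookie, sends the end-session request to Azure AD
// and returns to the app afterwards. Assumes Microsoft.Owin.Security.OpenIdConnect
// and Microsoft.Owin.Security.Cookies; tenant, client id and URL are placeholders.
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    private const string Tenant = "contoso.onmicrosoft.com";                    // assumed
    private const string ClientId = "00000000-0000-0000-0000-000000000000";     // assumed
    // Assumed; must be registered on the app registration as a reply/logout URL.
    private const string AppUrl = "https://localhost:44300/";

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = $"https://login.microsoftonline.com/{Tenant}",
            RedirectUri = AppUrl,
            // Without this, the middleware omits post_logout_redirect_uri from the
            // end-session request and Azure AD has nowhere to send the browser back.
            PostLogoutRedirectUri = AppUrl,
        });
    }
}

public class AccountController : Controller
{
    public void SignOut()
    {
        // Sign out of BOTH the local cookie and the OIDC middleware. The second one
        // becomes a 302 to https://login.microsoftonline.com/{tenant}/oauth2/logout
        // ?post_logout_redirect_uri=..., which ends the Azure AD browser session so the
        // next sign-in is not silent. The cookie sign-out clears the local session.
        HttpContext.GetOwinContext().Authentication.SignOut(
            OpenIdConnectAuthenticationDefaults.AuthenticationType,
            CookieAuthenticationDefaults.AuthenticationType);
    }
}
```

Verify the fix in the browser's network tab: the sign-out click should produce a redirect to the `/oauth2/logout` endpoint whose query string carries `post_logout_redirect_uri`, followed by a redirect back to your app, and the next request to a protected page should trigger a fresh authentication prompt rather than a silent sign-in.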

How to disable dynamic sign up with Open ID provider during client authentication flow?

Background: I'm using OpenID authentication in my ASP.NET website. Here is how it works currently: the user picks an OpenID provider from a dropdown (Google/Yahoo/myOpenID/etc.) and then clicks the Login button. The application then passes the user to the provider's authentication page. On successful authentication and authorization on the OpenID provider site, the user is directed back to my application. So far, so good.
Problem: On the OpenID provider's authentication page, if the user chooses/clicks Sign Up, the provider follows its own workflow and control never returns to my application.
Question: Is there a way I can disable dynamic registration on the provider (i.e., the Sign Up), so that the user is required to register with the provider first and then use my application? Or
Is there a way that I can get the control back once the dynamic registration is done?
No. The OpenID protocol has no such provision and while it would be courteous of a Provider to remember to ultimately redirect their new user back to your site, not all do.
