I am using Home realm discovery mordern policy. I am using Custom policies to log in with multiple azure ad tenants. now I have a tenant with more than one domain. So I need to understand that how can I provide multiple ClaimValueOnWhichToEnable metadata in the technical profile of this policy.
I got the similar situation and i have added multiple <ClaimsProvider> tags with <Item Key="ClaimValueOnWhichToEnable">domain.com</Item> for each domain with the same tenant details and it works as exepected.
Related
I am building an asp.net core web API project, with Angular client for front-end. We are using azure b2c as our IDP server, (for registration, authentication and related topics). So far the experience is great.
The issue we are having right now, is that we are trying to add 'admin' role to some of our users, who will be allowed to reach some endpoints of our web API, and do some operations that normal users won't be allowed to.
Since we are using asp.net5 web API for our back-end, in a normal environment, this would be done through [Authorize (Role = "Admin")] attribute, however in Azure b2c it seems not a straight forward thing to do.
Right now, we need 2 types of user roles: User role and Admin role.
Anyone knows how to add user roles in a azure b2c app, and then protect the back-end API endpoints for those roles?
Thank you!
There is no out-of-the-box support for RBAC / Roles in Azure AD B2C. However there are a lot of samples in the official GitHub repository. For example the "Implementing Relying Party Role Based Access Control" or "User consent for API Scopes".
These are the ways to implement RBAC using Azure AD B2C.
Here's the context :
I have currently a Corporate Azure AD tenant (Teams, ...) and created a B2C tenant dedicated to my customers which I plan to use for my website authentication.
I guess It is the purpose of the "multi-tenant" option when registering the app but I wonder If I can limit only to the two tenants I own and not opening my website to anyone which has a Microsoft account (for what I understand reading the Microsoft documentation).
If anyone which had already set up a similar authentication process can guide me maybe or just give me some tips to do website authentication by checking if the user account is valid in one of the two tenants ?
Thank you in advance and feel free to ask if you need any more information (maybe I wasn't clear enough).
In Azure AD B2C using custom policies you can set up sign-in for Multi-tenant Azure AD which allows users from multiple Azure AD tenants to sign in, without you having to configure an identity provider for each tenant.
In the custom policy using https://login.microsoftonline.com/ as the value for ValidTokenIssuerPrefixes you can restrict access to specific list of Azure AD tenant users who can sign in.
Please refer the above mentioned document on how to sent up the configuration, as you can see in the add claim provider section how to configure multiple organizations/Tenants with the comma separator.
<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000,https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111</Item>
Please refer documentation and samples which helps you in getting started with custom policies
We are planning to setup three applications, two of them are based on WordPress, and third one is based on Magento. We will deploy these three apps on AWS. We are looking for a tool to centralize the management of all the users for these three apps. We could grant different privilege and allow the different users have different right to these three apps. So, we should choose AWS Cognito or SSO?
You can use both if you go with cognito route. Cognito User pools handles your user management (registration, login, granting tokens) while Cognito Identity Pool lets you use any of the identity providers including user pool to exchange tokens for temporary aws credentials based on what role you have attached to the group of users.
Identity pools also accept SSO with 3rd part authentication providers (federated identity). You can sign in users on your user pool using social identity providers (facebook, google, amazon) or create one using Auth0.
AWS Cognito is the right fit for your application. AWS SSO is essentially a layer between active directories and services like Cognito or Firebase. AWS SSO helps in delegating access to AWS services and provides SAML/Oauth gateways connected to the active directories.
AWS Cognito on the other hand, allows you to easily integrate your login systems with any auth providers like AWS SSO, Okta, Auth0 and social media channels too. Hence, definitely considering your requirements, AWS Cognito user pool is the best fit.
I am looking into using AWS-Cognito as a means to manage and authenticate users. I do not want to use aws api-gateway or any of their other services really. It seems though you can only create roles or policies if they are related to some other aws service. I'd like to have these custom roles or policies on the user's id token returned from Cognito. Is it possible to create these custom roles or policies or am I restricted to only roles and policies related to amazon services? I have found tried the Create your own policy, but it throws an error if it doesn't match a specific action or resource known to aws services. Thanks.
You can use Cognito User Pools to authenticate your users. Then you can call STS to issue temporary credentials based upon your own rules (policies). Look into examples using assumeRole().
If you want an integrated / managed service then use Cognito Federated Identities for authorization and Cognito Users Pools or Google, etc. for authentication.
Sort of confusing, but think of Cognito User Pools (or Facebook, etc.) as the Identity Provider and Cognito Federated Users as the Permissions broker.
I'm writing a cloud based multi tenant application. I'd like tenants to manage their own users - add, remove users - manage permissions etc. I'm kind of hoping there is a provider out there that already handles this. I don't want to have to write all those screens. I'd rather set up the list of roles and permissions and let the tenant admins go in and manage their users.
All I want if for a logged in user to get a list of permissions. I can code against those permissions in my application.
Does such a thing exist?
Disclosure: Answer provided by an Auth0 employee.
If I understood correctly you should be able to accomplish your goals using Auth0 solutions aimed at multi-tenant applications. There are a couple of resources that should help you get started, although I would give particular focus to Using Auth0 with Multi-tenant Apps.
In the section (A single Auth0 account for all tenants) you'll notice that the simpler management option would be to only have a single Auth0 account, however, your use case could be accomplished by having each tenant have their own separate account which would make it possible for them to manage their users from Auth0 built-in dashboard. (no need for you to write custom screens)
One account for all tenants is simpler and allows you to manage them in one place.
Only if you want to share access to the dashboard with tenants would a separate Auth0 account per tenant be required.
Also check section (Different roles for each tenant) for a possible way on how to handle your user role and permission information.
Additionally, there's a sample multi-tenant app where each tenant has its own Auth0 account on Github if you want to delve into the more technical aspects.
On the other hand, if your tenants already have their own authentication solution in place you can easily integrate that with your Auth0 enabled SaaS application. See Building multi-tenant, SaaS applications with Azure AD and Auth0 for a detailed example on Azure AD integration, but don't think you would be restricted only to Azure AD integration as Auth0 supports a wide range of identity providers (Identity Providers Supported by Auth0).