I have experience in integrating AWS cognito with Azure AD (SSO). But I don't know how to implement similar authentication in GCP.
I want to authenticate the users in Azure AD to use the custom web app deployed in Google cloud run.
I see three options in GCP, but I couldn't find any resource to implement.
Google cloud identity
Google cloud identity platform
Firebase Authentication
This custom web app should only authenticate the Azure AD users in our organization.
Google Cloud Identity Platform and Firebase Authentication are effectively the same thing. There are a few additional features in GCIP.
To set up GCIP for Microsoft user, here's a link to the docs.
If you're using Cloud Function for Firebase, you can use a Callable Function to get the authenticated user, then handle your own authorisation.
If you want to use Cloud Run, then you can use the Firebase Admin SDK (even with GCIP) to verify the token and get the user ID (which you can then use to authorise the user via a database or with Custom Claims).
Related
I am not able to use Firebase Storage however I am using Identity Platform (firebase auth). Once a user is logged in to my web application, I would like them to be able to upload to a Cloud Storage bucket. The current way I am thinking about doing this is by have a Cloud Function which first uses firebase admin library to verify the token of the user and then generates a signed-url for the upload.
Is this the correct method for doing this?
Google Cloud Identity Platform uses the same SDKs and most of the same back-end as Firebase Authentication. The main difference in is the set of features it supports, and its pricing model.
If your project is set up for using Cloud Identify Platform, you can still use the Firebase SDKs for Cloud Storage to upload, and use Firebase's server-side security rules to control read/write access for it. A common security model to get started with is content-owner only access.
I have an Azure AD B2C in Tenant A. A SPA web app (FE) and an API Functions App (Node.js) in Tenant B.
FE is using MSAL to require login with Azure AD B2C. I want the set up Authentication in the API to accept bearer access token from FE.
How can I configure Azure to achieve that?
The Tenant that has your Azure Subscription which in turn has your resources doesn't really have to be the one used for App Level Authentication. It is just required RBAC.
The App Registrations for both could just be in the Azure AD B2C Tenant directly and you could provide the required details when setting it up like below
I need to login users via Instagram for my mobile application so I can make calls to Instagram API and get some information from the Instagram. Simply, my application will ask user to authorize Instagram access and able to get access token for API calls. Application should not ask user to login again once the user is authorized. I already setup my Instagram client-app to implement server-side authentication flow.
My challenge is I want to do this on by using AWS mobile services. I already setup custom authentication from MobileHub and came to point where I need to define my custom authentication flow (in this case it is Instagram authentication flow). Under AWS Cognito app when I go to Triggers tab, I see different options for defining lambda functions associated with my authentication (such as pre/post auth or define / create / verify auth challenge). I am not sure how to align Instagram Authentication flow with these functions. Or should I use something else. Also I am not clear how does AWS Cognito manages authentication flow: I don't want my users to go through authorization process every time they start my application. I believe AWS Cognito link users from my custom flow to some Cognito identity and able to authenticate when they use my application. I really appreciate any suggestions, or even code sample (if available).
Check this Document for Cognito Identity. Instagram is not there by default. So you have to use External Identity Provider, most probably using Open ID Connect Providers.
I'm currently developing a API to commercialized in a B2B SAAS fashion.
The goal is to authenticate the worker of the company. We have an SDK that should be able to do that. There is the possibility to force each user to set credentials specific for our service, but that will hurt integration with companies applications.
The idea would be to have some kind of authentication (client independent) that make it easier to authenticate users.
The question is: There is a easy way to create an automatic process that does not depend on the client type of authentication methods, for this type of task?
Thanks in advance.
Have you taken a look at Azure AD? It specifically supports multi-tenant scenarios.
Tenants can use Azure AD Connect to sync their on-premise directory to the cloud. Clients can use ADAL to acquire a token which your service trusts. The issued token contains a tenant-id claim indicating via which tenant the user logged in.
Just to add to MvdD answer, in Azure AD support three ways to sign in:
Federated Single Sign-On enables applications to redirect to Azure AD
for user authentication instead of prompting for its own password.
This is supported for applications that support protocols such as SAML
2.0, WS-Federation, or OpenID Connect, and is the richest mode of single sign-on.
Password-based Single Sign-On enables secure application password
storage and replay using a web browser extension or mobile app. This
leverages the existing sign-in process provided by the application,
but enables an administrator to manage the passwords and does not
require the user to know the password.
Existing Single Sign-On enables Azure AD to leverage any existing
single sign-on that has been set up for the application, but enables
these applications to be linked to the Office 365 or Azure AD access
panel portals, and also enables additional reporting in Azure AD when
the applications are launched there.
I am trying to host a HTML/JS based app on AWS. I need to implement a signup/login feature for this app, now I understand I'll have to have a database (mysql will work?) here. However is there an off-the-shelf way of implementing something like user sign-up for an app on AWS? I don't want to take care of numerous security and authentication scenarios my self.
The AWS SDK for Browser is made for this: https://aws.amazon.com/sdk-for-browser/
Social Login
Secure your web app's access to AWS resources without any server-side
code. AWS SDK for JavaScript makes it easy for you to integrate with
Amazon Cognito, which allows you to provide customizable levels of API
access to unauthenticated and authenticated users. Amazon Cognito is
easy to set up with Facebook, Google, Login with Amazon, and any
OpenID Connect identity provider. To learn how to do this, visit the
AWS JavaScript Development Blog.