We're trying to develop an ASP.NET Core web API which lets users authenticate through Azure AD and would like to retrieve files from NextCloud on behalf of this Azure AD user. Our infrastructure is composed of an Ubuntu server running NextCloud 12, a Windows Server running the ASP.NET Core web API and an Azure Active Directory instance with Azure AD Domain Services.
Signing in through NextCloud using LDAP (provided by AAD Domain Services) works without any issues.
We've been trying out SSO with SAML in addition to LDAP but we keep seeing this error message when signing into NextCloud:
Account not provisioned.
Your account is not provisioned, access to this service is thus not possible.
How exactly are we able to retrieve files from NextCloud by using the same Azure AD token we receive when authenticating with our ASP.NET web API?
SAML is not well versed to use with Web APIs - its protocol is heavily vested on the application being Web Apps - ideally you should use Open Id Connect with Jwt tokens.
Related
I have a webforms app running on .net 4.7.2, currently being hosted on Azure as a SaaS. It is a single software for multiple clients, each one with its own database.
Currently the user authentication is manually handled by us, but we are trying to implement a multi tenant strategy, using the AzureAD and OWIN tools.
The app service has an Identity Provider configured, from a test AAD. We can login with the provided credentials, but I can only configure a single microsoft identity provider.
I'm not sure where to go from here... After hours reading the multiple docs from microsoft, i'm still stuck.
By default, web app/API registrations in Azure AD are single tenant. You can make your registration multi-tenant by finding the Supported account types switch on the Authentication pane of your application registration in the Azure portal and setting it to Accounts in any organizational directory. So that people from other azure ad tenants will login.
multi-tenant SaaS web application sample
If in case if you want to use other identity providers, You can federate with IdPs that use the SAML protocol. SAML/WS-Fed IdP federation allows external users to redeem invitations from you by signing into your apps with their existing social or enterprise accounts. Federation with SAML/WS-Fed identity providers
And we have azure ADB2C, Azure Active Directory B2C provides business-to-customer identity as a service. Your customers use their preferred social, enterprise, or local account identities to get single sign-on access to your applications and APIs.
Reference Docs:
Sign in any Azure Active Directory user using the multi-tenant application pattern
Azure Active Directory B2C
We have an application running on Tomcat currently and using LDAP as the means to authenticate users to our enterprise AD.
It is required to migrate this application to cloud (on AWS EC2) and to integrate with ADFS over SAML for login with MFA enabled.
Wondering if there are any guides on the the steps to be followed to make this happen ? What are the configurations that I need to enable in ADFS for my application and what configuration changes are needed on tomcat server.xml to have the connector integrate with ADFS rather than LDAP. Thanks.
Regards,
Raunak
Not a Tomcat guru but from the point of view of ADFS and SAML:
You need to use a client-side SAML stack in your application. This provides the SAML plumbing.
You then need to add a SAML RP to ADFS.
For MFA, typically you use Azure AD to provide the MFA.
(There used to be an on-premises ADFS MFA Server - that is now deprecated).
If that is not an option, there are third-party providers.
Been googling this for hours, and can't find a clear tutorial or anything..
I have an Azure account with active directories already enabled. I also have an InMotion hosting account that hosts numerous domains (each having their own respective cpanels).
How would I go about integrating Azure AD authentication on a domain that's being hosted by InMotion that only affects that domain and none of the others on that hosting account?
So in theory, you would visit the domain, get hit with the Windows login Auth. page, and if login is successful, you are directed to the home page and can view the content.
Is this do-able through the .htaccess file? Or would I have to alter the actual Apache files? If so, how do I only make it applicable to only one domain?
To integrate the web app with Azure AD, we need to write the custom code to implement the logic to redirect the unauthenticated request to Azure AD and verify the token after users sign-in. ( refer here about the code samples to integrate with Azure AD)
And it is more easy if you deploy the web app on Azure. In this scenario, we can use the authentication and authorization feature provide by Azure which we don't have to change code on the web application.
How would I go about integrating Azure AD authentication on a domain that's being hosted by InMotion that only affects that domain and none of the others on that hosting account?
Based on my understanding, we integrate the Azure AD with web app and config the domain for the web site. Then we can visit the web app via the domain instead of ip address. In this scenario, only the web app you integrate with Azure AD will be redirect to the login page if users are accessing the page which require authentication when users doesn't login.
Do we have any in-built feature to authenticate and authorize a user from mobile iron to SharePoint?
User will be authenticated via mobile iron now he must be login to SharePoint seamlessly.
With MobileIron you can use Kerberos Constrained Delegetion (KCD) for seamless authentication to a system behind the MobileIron Sentry / accessed through the Sentry. There is a dedicated document available through support access from MobileIron where this stuff is explained in detail.
At this point I'll only point out the overall process to access SharePoint with the MobileIron Web#Work browser:
You have to deploy a user certificate through MobileIron for user
authentication.
Also you need to setup KCD for the Sharepoint Site /
Webserver: Active Directory (AD) ServĂceAccount for obtaining
Kerberos Ticktes from Domain Controller (DC), Configuring Service
Prinicipal Name for the ressource you want to access, and
authentication delegation for the service account & ressource.
Configure an Web#Work config with service definition to access the dedicated SharePoint Site with KCD.
If all is in place the access / authentication process is as follows:
When the device connects to the sentry to access the configured Sharepoint Site / Webserver it authenticates with the user certificate to the Sentry and sends the requests to the ressource. The Sentry goes to to the Key Distribution Center (KDC), that's a service on an AD DC, requests a Kerberos ticket for the user with the service account and attaches this ticket to the forwarded web request to the SharePoint web server.
As you can see it's not very simple to set it up but works fine and the users will love you ;-)
I need to run .NET applications in Azure and have them authenticate against my on-premise directory (via PingFederate). It appears that ACS is the only way to do federated authentication from Azure, even though it has been deprecated for over a year. It also seems that ACS does not support OpenID Connect.
So am I correct in thinking it is not possible to do federated authentication via OpenID connect from Azure? And does anyone know when federation with external identity providers will be added to Azure AD?
Federated authentication is supported by Azure AD. Most of our enterprise customers connect their Azure Active Directory to their on-premises directory for federated authentication with Office 365 and other SAAS apps connected with Azure AD.
You can indeed federated your Azure AD with PingFederate and use Azure AD' OpenIDConnect protocol to configure single sign on for your cloud application.
Sign-up for a free trial Azure subscription and create a directory. Use the documentation here (http://msdn.microsoft.com/library/azure/jj673460.aspx) and the following sample app (https://github.com/AzureADSamples/WebApp-OpenIDConnect-DotNet) to connect your app' authentication with your directory using OpenIDConnect.
Then, add a verified domain to your directory and federate it with your PingFederate STS by following the guidance here (http://documentation.pingidentity.com/display/PFS/SSO+to+Office+365+Introduction).
We don't recommend using ACS for this scenario.
Hope this helps.