How to integrate Bluemix Public Accounts/Users in LDAP?

Is it possible to integrate Bluemix Public Accounts/Users (meaning IBM IDs) into an LDAP of a company's user management?
The reason is to ensure that on-boarding and off-boarding can be done in a central place inside a company.
Is this topic related to an IBM Marketplace integration possibility?
https://www.ibm.com/support/knowledgecenter/en/SSZPE3_9.1.1/Platform/LDAP/LDAP_AD_integration_features.html

This can be done with a federated ID.
This ID can be used to sign up for Bluemix only if your company has already worked with IBM to register. Registering a company's domain with IBM enables users to log in to IBM products and services by using their existing company user credentials. Authentication is then handled by your company's identity provider. When you log in to Bluemix with a federated ID, you are prompted to log in through your company's login page. For information about requesting to register your company or organization's domain with IBM, or for more information about the process, see the IBMid Enterprise Federation Adoption Guide. An IBM sponsor, such as an offering advocate or client advocate, is required when you request to register federated IDs.
Link: https://console.bluemix.net/docs/admin/account.html

Related

How to configure Auth0 to authenticate with other companies Azure Active Directory?

I have Auth0 configured with Social Connections > Microsoft Account.
This is linked through Client ID/secret to a Microsoft Azure Active Directory tenant in my Microsoft organisation, with an App Registration set to allow:
Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)
All users with a work or school, or personal Microsoft account can use your application or API. This includes Office 365 subscribers.
When I log in through my app, I can authenticate successfully using my personal account, e.g. blah.blah@gmail.com.
However, when I try to authenticate with my work account blah.blah@myawesomecompany.ai, which is managed with an Azure Active Directory, it fails with
"That Microsoft account doesn’t exist. Enter a different account or get a new one."
I thought, given the Microsoft settings, it would allow it to connect.
How can I make Auth0 allow Microsoft authentication with another company's existing Azure Active Directory?
Also, can I configure it to limit that feature to specific companies' AAD, e.g. those I have specifically nominated?
Is there a way to configure this without having to upgrade to Auth0 Enterprise?
I tried to reproduce the same in my environment and got the results below:
I created an Azure AD application:
Note: make sure to use the common endpoint for multi-tenant and Microsoft accounts.
As a sample, I used the endpoint below to authorize the users:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=ClientID
&response_type=code
&redirect_uri=RedirectURI
&response_mode=query
&scope=https://graph.microsoft.com/.default
&state=12345
When I tried to sign in with the personal account, the user logged in successfully:
And now I tried to log in with another tenant's user:
By using the common endpoint, I am able to sign in with personal accounts and other tenant accounts successfully.
To limit the feature to specific companies' AAD, check this blog.
Auth0 Enterprise is required to authorize tenants to the Azure AD application.
For more details, refer to the MS Docs below:
Use tenant restrictions to manage access to SaaS apps - Microsoft Entra
Multi-tenant application with a whitelist on tenants authorized by Marshaljs
Assuming you want to use a multi-tenant app to allow users from different companies to sign in to your application with their work accounts, let's assume you create an Azure AD application in your tenant (tenantA).
Then in your app, you may set the TenantId as the tenant id so that, even though you created a multi-tenant app, you will only allow users in your tenant to sign in. The sign-in request may look like https://login.microsoftonline.com/{tenantA_tenant_id}/oauth2/v2.0/authorize?; with this link, you will be able to use an account like user@tenantA.onmicrosoft.com to sign in, and you can also use a personal account which is invited to tenantA as a guest to sign in.
If you want users in tenantB to sign in to your app with an account like user@tenantB.onmicrosoft.com, then you must set the TenantId in your app as common, which will make the auth request look like https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
Then, when signing in to the application created by tenantA with an account in tenantB, you may see the screenshot below. After consenting to it, user@tenantB.onmicrosoft.com can sign in to this application.
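The two answers above use the common endpoint so any tenant can reach the login page, and then rely on a tenant allowlist to restrict which companies are accepted. As an added example (not code from either answer or from Microsoft), the following builds the same v2.0 authorize URL and checks the tid and iss claims of a returned ID token against a nominated set of tenant IDs; the tenant GUIDs, client ID and redirect URI are constructed placeholders, and the JWT signature is assumed to have been verified separately.

```python
import base64
import json
import secrets
from urllib.parse import urlencode

# Tenant IDs of the companies you have nominated (constructed placeholder GUIDs).
ALLOWED_TENANTS = {
    "11111111-1111-1111-1111-111111111111",  # tenantA, your own tenant
    "22222222-2222-2222-2222-222222222222",  # tenantB, a partner company
}

def build_authorize_url(client_id, redirect_uri, state=None):
    """Build the v2.0 authorize URL on the 'common' endpoint shown in the answers.
    'common' lets work accounts from any tenant and personal accounts log in;
    the tenant restriction is enforced afterwards on the returned token."""
    state = state or secrets.token_urlsafe(16)  # anti-CSRF value, checked on callback
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": "https://graph.microsoft.com/.default",
        "state": state,
    }
    base = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?"
    return base + urlencode(params), state

def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def tenant_is_allowed(id_token, allowed=ALLOWED_TENANTS):
    """True only if the token's tid is an allowed tenant AND the v2.0 issuer
    names that same tenant. Assumes the signature was already verified; this
    is only the allowlist step. Personal accounts carry the consumer tenant's
    tid, which is not in the allowlist, so they are rejected here."""
    try:
        payload = json.loads(_b64url_decode(id_token.split(".")[1]))
    except (IndexError, ValueError):
        return False
    if not isinstance(payload, dict):
        return False
    tid = payload.get("tid")
    return tid in allowed and payload.get("iss") == f"https://login.microsoftonline.com/{tid}/v2.0"

def make_unsigned_token(claims):
    """Constructed sample token (header.payload.empty-signature) for offline use only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```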

GitHub SSO - Enterprise Mandate

As a company, is it possible to mandate SSO for everyone who works for me? I.e. anyone who registers with an @companyname.com email has to go through my Google SSO, regardless of whether they're logging into and pushing code to a repo not maintained by my organization?
If your users are Enterprise Managed Users, you now (Sept. 2022) have the option of:
Automatic Single Sign On for Enterprise Managed Users – Public Beta
Enterprise administrators can now choose to redirect signed-out Enterprise Managed Users to their company's single sign-on (SSO) page. This feature is available as a public beta.
By default, enterprises with Managed Users enabled are hidden, showing a 404 error page any time an enterprise resource is visited by a user that isn't already signed in to the enterprise.
If you enable this feature for your enterprise, visitors to resources in your enterprise, org, or user namespaces will immediately be presented with an SSO redirect if not already signed in to your enterprise.
This redirect helps users sign in to the correct account, rather than giving them the impression that the link they were given no longer works.
You can find this setting in the Authentication security section of your Enterprise Settings, below the single sign-on configuration sections.
Read more about this setting at "Automatic redirection for Enterprise Managed Users".

Azure AD Application Required Permissions list does not include all APIs

I have created an application to use the Office 365 Exchange Online (Microsoft.Exchange) API. I successfully set up permissions as described here: MS Integrating Applications on an existing development Azure account. See APIs available on the original account.
However, now I want to set up a similar app in a new Azure account so I can have a different visible domain for the permission sign up process. However, on this new account the Exchange Online API is not visible to select as a required permission.
This account only exists as a place to register the App so it doesn't itself have any users or need any licenses but do I have to have a license associated with that account just to be allowed to add a particular API to the required permissions? The documentation doesn't mention anything about this that I can see.
do I have to have a license associated with that account just to be allowed to add a particular API to the required permissions?
Yes, you're right. You have to have an Office 365 Exchange Online license for your tenant.
Why:
These APIs exist in the AAD as service principals (Enterprise Applications). If you don't buy an Exchange Online license, it won't occur in the Enterprise Applications in your tenant. Once you buy the license, it will be automatically added to the Enterprise Applications, and meanwhile you can use its API via AAD.
This makes sense because if you don't have the license, you cannot use the product and you cannot use its API either.
The documentation doesn't mention anything about this that I can see.
Yeah, the documentation may not mention this, and it should be noted in the documentation. You can sign in to the documentation website via a GitHub account and give feedback to the documentation team:
Hope this helps!

OKTA On-Prem Provisioning with SCIM Servers

I have the free developer edition. I want to provision users to my web site using SCIM. The docs say look under "dashboard/agents". I have no agents tab under dashboards.
https://support.okta.com/articles/Knowledge_Article/46749316-On-Premises-Provisioning-Deployment-Guide?id=kA0F0000000AY3C&q=scim&l=en_US&fs=Search&pn=1#code
Also for behind a firewall the document says download the "On-Prem Provisioning Agent". I have not been able to find that under "setting/downloads" or anywhere else. Where do I find that?
You will need to contact Okta Support or your Okta Sales contact to enable the On-Premises Provisioning feature.

send the API key through Apigee

My manager asked me if we can send the API key to our customers (developers in our client companies) through Apigee in a formal and secure way. I checked the online documentation and couldn't find the information regarding sending API keys via Apigee.
Can anyone please provide more information on that?
Every Apigee Edge org has a developer portal associated with it. This developer portal can be used by the developers to register themselves, create applications and get the API keys.
You can provide the URL of the developer portal to the developers in your client companies and ask them to register on the developer portal and create apps to get API keys.
Please find the links to the documentation related to the developer portal and how to get a developer portal for your organization.
http://apigee.com/docs/developer-services/content/what-developer-portal
http://apigee.com/docs/content/creating-developer-portal
Regards,
Sudheesh