Been googling this for hours, and can't find a clear tutorial or anything..
I have an Azure account with active directories already enabled. I also have an InMotion hosting account that hosts numerous domains (each having their own respective cpanels).
How would I go about integrating Azure AD authentication on a domain that's being hosted by InMotion that only affects that domain and none of the others on that hosting account?
So in theory, you would visit the domain, get hit with the Windows login Auth. page, and if login is successful, you are directed to the home page and can view the content.
Is this do-able through the .htaccess file? Or would I have to alter the actual Apache files? If so, how do I only make it applicable to only one domain?
To integrate the web app with Azure AD, we need to write the custom code to implement the logic to redirect the unauthenticated request to Azure AD and verify the token after users sign-in. ( refer here about the code samples to integrate with Azure AD)
And it is more easy if you deploy the web app on Azure. In this scenario, we can use the authentication and authorization feature provide by Azure which we don't have to change code on the web application.
How would I go about integrating Azure AD authentication on a domain that's being hosted by InMotion that only affects that domain and none of the others on that hosting account?
Based on my understanding, we integrate the Azure AD with web app and config the domain for the web site. Then we can visit the web app via the domain instead of ip address. In this scenario, only the web app you integrate with Azure AD will be redirect to the login page if users are accessing the page which require authentication when users doesn't login.
Related
We're trying to develop an ASP.NET Core web API which lets users authenticate through Azure AD and would like to retrieve files from NextCloud on behalf of this Azure AD user. Our infrastructure is composed of an Ubuntu server running NextCloud 12, a Windows Server running the ASP.NET Core web API and an Azure Active Directory instance with Azure AD Domain Services.
Signing in through NextCloud using LDAP (provided by AAD Domain Services) works without any issues.
We've been trying out SSO with SAML in addition to LDAP but we keep seeing this error message when signing into NextCloud:
Account not provisioned.
Your account is not provisioned, access to this service is thus not possible.
How exactly are we able to retrieve files from NextCloud by using the same Azure AD token we receive when authenticating with our ASP.NET web API?
SAML is not well versed to use with Web APIs - its protocol is heavily vested on the application being Web Apps - ideally you should use Open Id Connect with Jwt tokens.
Is it generally possible to have a Microsoft Azure in the background to act as a SSO Authentication server for Apache auth?
The example is:
There are many users inside the Microsoft Azure
I have a Webpage on a Linux server served by Apache2
The webpage should be protected (exactly like basic-auth) by Azure (via SSO)
If the user is signed in into Azure and has rights, he can see the website
If the user is not signed in, he will be redirected back to Azure's login-page and after successful login will back to the webpage.
Is this generally possible?
If so what technologies/modules do I have to use for apache in order to speak with Azure?
Thanks for any hints towards the right direction.
Update
The Azure server is already fully configured. I just need to sort out the end on Apache.
I think what you are looking for is Azure Active Directory. it is an Identity as a Service product that supports modern protocols like OAuth, OpenID Connect. There's a client SDK called ADAL (Active Directory Authentication Library), but since it's standard protocols, you can integrate with other standard based authentication libraries. For example, the node.js tutorial shows how to use passport.
You didn't mention what web stack you are using but it's most likely listed here:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-developers-guide/
On a side note: if you can host your app on Azure Web App Service then it has built in integration with Azure Active Directory, so you can add a layer of authentication on top of your website without modifying your application code.
More info on that here: https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/
Do we have any in-built feature to authenticate and authorize a user from mobile iron to SharePoint?
User will be authenticated via mobile iron now he must be login to SharePoint seamlessly.
With MobileIron you can use Kerberos Constrained Delegetion (KCD) for seamless authentication to a system behind the MobileIron Sentry / accessed through the Sentry. There is a dedicated document available through support access from MobileIron where this stuff is explained in detail.
At this point I'll only point out the overall process to access SharePoint with the MobileIron Web#Work browser:
You have to deploy a user certificate through MobileIron for user
authentication.
Also you need to setup KCD for the Sharepoint Site /
Webserver: Active Directory (AD) ServĂceAccount for obtaining
Kerberos Ticktes from Domain Controller (DC), Configuring Service
Prinicipal Name for the ressource you want to access, and
authentication delegation for the service account & ressource.
Configure an Web#Work config with service definition to access the dedicated SharePoint Site with KCD.
If all is in place the access / authentication process is as follows:
When the device connects to the sentry to access the configured Sharepoint Site / Webserver it authenticates with the user certificate to the Sentry and sends the requests to the ressource. The Sentry goes to to the Key Distribution Center (KDC), that's a service on an AD DC, requests a Kerberos ticket for the user with the service account and attaches this ticket to the forwarded web request to the SharePoint web server.
As you can see it's not very simple to set it up but works fine and the users will love you ;-)
Here's what I'm trying to accomplish: I have a website built on a CMS that can authenticate over LDAP. I would like for users to be able to use their AD usernames and passwords to authenticate to the website.
Basically I'm trying to understand if there is a good way to make Active Directory available externally through an LDAP connection. What options are there for this sort of thing?
Researching online I've found some suggestions to set up AD LDS on our DMZ and have it replicate with our internal Domain Controller. It seems like that would work, but I don't have a very deep understanding of AD LDS, so I'm not sure.
Is there some standard way of doing this? Or is it generally considered best practice to just set up a separate user database for external use?
If you already have all your "externally hosted website" users in your AD domain, you should be able to do LDAP authentication against any DC.
If you do not want your "externally hosted website" users in your domain, then setup a LDS instance. (But I would not put it in the DMZ. Just open a point-to-point path through the firewall to the LDS instance for port 636.)
-jim
I have a scenario where I have a web application hosted externally (ie: the webserver is not a member of my internal active directory domain).
I would like to authenticate users of the web app using their active directory credentials.
Is there a product or some setup I can use to accomplish this?
Generally this is achieved by authenticating to the AD server with LDAP. I'd recommend using LDAP+SSL to keep the passwords from going out in plaintext, and other than that you should be fine - as long as there aren't any firewalls in the way.