Mixing Azure AD authentication with Forms authentication - authentication

I've got an existing MVC5 application that uses Forms authentication. Half of my users are internal employees that also exist in Azure AD. I'd like to give them the option to authenticate against AD but I don't want the other half to have to go through AD. All of the examples I've seen of using Azure AD authentication seems like an all or nothing thing.
Can't I just add a button to my login form for the AD users to go to the Azure login and get redirected back with a token? My other option is if they are an Azure user, take their email/password from my login form and try to connect to AD with it. This seems like a risk as I'll have exposure to their actual network credentials.

I haven't completed it yet but I've gotten far enough in that this feels like the solution to me. I'm going to add a link to my login page for Azure AD users that points to the AD OpenID url as defined here:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-protocols-openid-connect-code/
The id_token that I get back identifies the user after it's unpacked as detailed here:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-v2-tokens/#validating-tokens

Related

Login page - simple, secure way to implement authentication against active directory?

I'm creating a small web app running on IIS and I need to implement a secure way to handle login authentication against active directory.
Currently, I have it set up with Windows authentication, so when users first go to the website it shows the login prompt from the browser, they login using their AD credentials, and then it allows them into the site.
However, I want to have an actual login page and have these credentials validated against AD instead of Windows Authentication. I've been researching for hours about LDAP but I can't seem to find good documentation/videos on how to set it up to communicate with AD. I've thought about using 3rd party services like Okta but I don't think I need to.
Does anyone have any ideas?

Website authentication with Azure AD and Azure AD B2C

Here's the context :
I have currently a Corporate Azure AD tenant (Teams, ...) and created a B2C tenant dedicated to my customers which I plan to use for my website authentication.
I guess It is the purpose of the "multi-tenant" option when registering the app but I wonder If I can limit only to the two tenants I own and not opening my website to anyone which has a Microsoft account (for what I understand reading the Microsoft documentation).
If anyone which had already set up a similar authentication process can guide me maybe or just give me some tips to do website authentication by checking if the user account is valid in one of the two tenants ?
Thank you in advance and feel free to ask if you need any more information (maybe I wasn't clear enough).
In Azure AD B2C using custom policies you can set up sign-in for Multi-tenant Azure AD which allows users from multiple Azure AD tenants to sign in, without you having to configure an identity provider for each tenant.
In the custom policy using https://login.microsoftonline.com/ as the value for ValidTokenIssuerPrefixes you can restrict access to specific list of Azure AD tenant users who can sign in.
Please refer the above mentioned document on how to sent up the configuration, as you can see in the add claim provider section how to configure multiple organizations/Tenants with the comma separator.
<Item Key="ValidTokenIssuerPrefixes">https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000,https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111</Item>
Please refer documentation and samples which helps you in getting started with custom policies

Angular SPA authentication with Azure AD

Hi I am working on Angular SPA and web API core. I am trying to implement authentication and authorization. I have done as below for now.
Registered one application for my front end application and added required redirect uri and modified manifest file to enable implicit flow. Also assigned some of the roles to it.
Registered one more application for my back end. I added scope in the form api/clientid. Then added client application id which is created in step 1.
User is successfully able to login to application.
Now my JWT token has roles in claim. In my API I have added [Authorize(Roles = "Engineers,Admins")]
So If user has any role Engineers or Admins in the JWT token as claims then they are allowed to access my API's
So far my authorization works fine. But coming to authentication part, currently all users of my azure AD tenant able to do login(User can hit my front end url and add user name and password then It will ask MFA and they will be landed in application home page).
If user is part of any of the roles above then only they can see data in home page because in home page I am calling some of the API's and I have added [Authorize(Roles = "Engineers,Admins")].
If suppose user is not part of above role they are still able to login (login means they are able to add user name and password and MFA) they will be landed in home page but they cannot see any data because api will be accessed only if they are part of Engineers,Admins roles.
My question is If user is not part of Engineers,Admins roles why they are able to login and come to home page. They should be restricted in Login step itself.
I am not really sure I am asking right thing here or I only confused my self between authentication vs authorization.
Currently I am doing authorization based on roles. Same thing I can accomplish using Groups also. In claims I can return groups and create policies and do the authorization. If user is part of the group then I can authorize. I am trying to understand what advantage I will get using roles over the groups.
Currently I have dev, prod and non prod environments. But Azure AD is universal and for there is no environment for azure AD. So Is it a good idea to have separate application registered in azure ad between the environments or can I use same app registered in azure AD between the environments. If I create separate application for each environments what advantage I will get?
I am really trying to understand above concepts and can someone give me some insights on the above things? It will be really helpful to me If someone help me to understand this concepts. Any help would be greatly appreciated. Thank you

Authenticating AD user automatically and manually - WebAPI 2 server and SPA client

I'm developing an Enterprise/Internet Application with WebAPI 2 RESTful server and SPA web client (Angular2) —So I have two separated projects created using ASP.NET 4.6 Empty template and both use OWIN and are IIS hosted.
The requirement for Authentication is:
Active Directory user which is logged in to the workstation will authenticated automatically once she opens any page from app in the browser if user id/name found in the database, with no need to enter her user/pass. Let name this as auto-login. Else if it's not found in the DB it will redirected to the login page.
Also there should be a logout option which redirects user to the login page after logging she out.
In the login page any AD user can enter her/his AD user&pass and after successful check against database (existed) and AD (valid credential) she/he will logged in to the system (Obviously it may be different than user currently is logged in to the workstation)
In addition to the web client it will have other clients such mobile apps which will connect and be served by the WebAPI back-end. Users will login there using their AD user & pass too. Let name it manual-login.
According to the REST architecture and having both AD enterprise and internet/mobile users together, the authentication should be token based —this is what I found till now but I'm not sure.
I read about OWIN Authentication architecture and Windows Authentication and I checked MixedAuth, Now I think it is the nearest solution for this requirement as it lets app-defined users to authenticate side by side of windows/AD users. But even after dig into it and its SPA sample I didn't found my way yet and confused.
Anyone can help?
What should I actually do on the WebApi server and SPA Client to accomplish those authentication requirements?
Which middlewares should I add and how should config/manipulate them?
UseCookieAuthentication ?
UseExternalSignInCookie ?
UseOAuthBearerTokens ?
Can I rely just on Bearer tokens (using OAuthBearerTokens MW) and get same token for authenticated windows users to unify authentication model based on bearer tokens? If so, how?
How and where should I put my code for checking that AD user exists in the DB and if not so reject the authentication?
Thanks a lot.

Azure AD Authentication on Third Party AD Tenant

In my case there is already an existing tenant of an organization. We are supposed to use that AAD tenant for authentication purpose since it already has the users needed to authenticate. Howeever I do not have the Global admin rights on that AAD tenant. I can create an application on that AAD tenant. I have also created a website that uses that AAD tenant to authenticate. When I run the website in browser, it redirects to a login page. I am able to authenticate myself of that AAD tenant and can see the home page of the website. But, when my colleagues try ot login using the same url for the website, it redirects to a login page, however when they enter username and password it gives the following error:
"AADSTS90093: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators."
Kindly suggest a solution for the issue.
Note: I am using VS 2013 for this project.
#Juan: Finally figured out the solution. You need to request the global administrator of the Azure AD to enable WS Federation for your application on the respective AD tenant.