Get authenticated user in AD using login_hint param and pass the data by Amplify to Cognito - reactjs

I'm working on a project with React JS that needs to authenticate a user from a redirect using a URL with the "login_hint" param. There is a federation in AD and a Cognito User Pool with a SAML configuration referencing that federation domain. I can authenticate the user normally with the OAuth configuration and use Amplify Hub to listen for data, but I can't find a solution for the authentication by redirect.
Example:
User logs in to Site A using a federated AD account;
User clicks a link to access Site B, under the same federation;
The URL to Site B in the Site A href attribute is "https://www.siteb.net/?login_hint=user@domain.com";
Site B reads the URL and gets the "login_hint" value to request the user token or session from AD;
Finally, Amplify sends a silent authentication to Cognito.
So, is it possible using Amplify, or a combination of Amplify and MSAL... or is it not possible this way?

Related

ReactJs FE and Django Rest Services with Azure AD for authentication & Authorization

I have a frontend application built in Reactjs connecting to Azure AD using msal for authentication. After authentication, the user needs to click a button which calls a Django rest API which is also authenticated using Azure AD.
The React FE and Django connect to two separate App registrations in Azure AD, even though 1) the FE is added to Django's App registration as a known client and 2) Django is exposing the API and the scope has been given consent.
When the authenticated FE sends requests to the Django Rest service with a Bearer token, it fails to authenticate the request saying 'invalid token'.
I'm able to authenticate the FE and the Django rest service separately, but the authenticated FE is not able to connect to the Django Rest service. Please share your thoughts on what else needs to be checked or any solutions.
Please check if any of these configurations can be worked around
Check if you have given your React app's URL as the redirect URL in the portal and in code, so that once Azure AD validates the user it returns to your React app with an ID token. Also, enable Access Token and ID Token.
Check if you have created a scope for your web API (in Azure Portal > Your API > Expose an API). Then configure it on your client app on the API Permissions menu tab. Then add it to your scopes collection in the code settings. Also, grant admin consent for that API permission.
Check the manifest of your Azure AD app. The value below is probably null or 1; it should be 2 if you are using the v2.0 endpoint:
"accessTokenAcceptedVersion": 2,
If you are using v2.0 endpoint, the scope should be api://{server_client_id}/.default.
In the settings.py for your application, you'll need to provide the authority to which your web app delegates sign-in (ex: authority: 'https://login.microsoftonline.com/<your tenant id>',):
auth: {
clientId: '232a1406-b27b-4667-b8c2-3a865c42b79c',
authority: 'https://login.microsoftonline.com/e4c9ab4e-bd27-40d5-8459-230ba2a757fb',
//
}
When performing token validation, check your JWT at http://jwt.io:
Audience: the token is targeted for the web API.
The "aud" value generated for the JWT by Azure is also controlled by the "accessTokenAcceptedVersion" property in the AD application manifest (see if the issuer, or iss, has v2 to confirm the v2 endpoint).
If you have set the access token accepted version to 2, then the client ID and audience need to be the same (i.e. no need to write api:// in the audience).
Note that Implicit flow is the only flow supported for SPA. Authorization code flow is intended for web apps, mobile and desktop apps but not for SPA. Please refer to this document.
References:
See how to configure Azure AD and how to determine the settings for django-auth-adfs.
You can check this and find your use case scenario.
Check v2-supported-account-types for authentication-flows
Check OAuth2.0 On-Behalf-Of flow

AWS Cognito with Azure AD gets mismatched reply URL every time

I'm trying to use AWS Cognito with a user pool using Azure AD as an Identity Provider (OpenID Connect).
I set up the User Pool in Cognito and specify the callback URL of my test app (https://localhost:44381) and I configure an App Registration in Azure AD that has the same URL in the Redirect URIs.
In the AWS Console, under App Client Settings, I click "Launch Hosted UI" to test it. It displays a page that lets me choose my configured Identity Provider (Azure AD). On that page, I can see in the URL what it has for "&redirect_uri=". It has https://mydomain.auth.us-east-2.amazoncognito.com/oauth2/.
So I put that URL in both AWS Cognito and in Azure AD as the Callback URI/Redirect URI.
Then when I click through to the Identity Provider, it pops up the normal Azure AD login and lets me log in, but I get:
AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: '60e47fff-e2cc-41d8-8405-283bafb33fbb'.
This is the application (client) ID from Azure AD.
Likewise, when I run this from my test app, I can see redirect_uri=https://localhost:44381/oidc in the URL, but the same thing happens: redirect mismatch. Though that exact URL is in both AWS and Azure AD.
How can I find out what it is trying to "match"? It's obviously changing something in the URL that I give it.

Authentication with App Service using Azure B2C not working

I'm trying to integrate Azure AD B2C with my App Service using the Authentication / Authorization menu in the portal (also called EasyAuth).
This is what I did:
Registered the application in Azure B2C
Recorded the App ID
Defined user flows (just Sign In)
Set up identity provider (Azure AD)
Tested the user flow, with Redirect URI pointing to jwt.ms, to see the result - works fine
Enabled Authentication / Authorization in the App Service in the Portal
Configured Azure AD authentication with the App ID from above and the link to the endpoint metadata
But now, when I access the App Service, I'm redirected to a "Logging in..." page which immediately goes to the jwt.ms page, with no JWT data, no login page, and no opportunity to enter my credentials.
Just an empty jwt page.
I couldn't find anything in the docs that can explain this.
What am I missing?

Azure OAuth authentication from C# console application

I want to login into https://lcs.dynamics.com from a C# console application.
When you navigate to lcs.dynamics.com, it redirects to https://login.microsoftonline.com/common/oauth2/authorize
Here I enter a username such as xyz@contoso.onmicrosoft.com and the password, the system authenticates and redirects to lcs.dynamics.com.
For this to work in my Azure Active Directory, I have created an Azure AD Web API application with the redirect URL set to https://lcs.dynamics.com.
I tried both approaches, creating a native application and authenticating using username and password as well as a Web API and authenticating using a secret key.
In both cases, I do receive an auth token which I parse as Bearer <auth_token> and set as the header value but when I make the HttpRequest, the response is still the login page instead of it moving ahead.
What am I doing wrong here?

SAML Redirect to specific IDP (Salesforce vs Arcot + PING + Siteminder)

We need to support the following Authentication flows
User 1 logs into Salesforce using Salesforce Credentials
User 2 logs into Salesforce using Arcot +Ping + Siteminder credentials
User 2 logs into Custom App using Arcot + Ping + Siteminder credentials
Since all the authentication methods above are SAML, I need to find a way to address home realm discovery for what is an unusual "mesh" of authentication flows.
Question
How should I set up the IDP and RPs to handle this scenario?
How would home realm discovery work?
I'm going to assume that you have My Domains set up and SAML 2.0 set up in your org, and you're trying to route an unauthenticated page request to its appropriate authentication source.
Since you can't distinguish between users 1 and 2 in the original unauthenticated request, you'll need an interstitial page that asks for user input, i.e. "Let me login with username/password" or "I login with single sign on". Point to this page in the "Identity Provider Login URL" section of your SAML settings. If the user chooses username/password, redirect the user to the My Domains login page where they'll login with un/pw. If they choose SSO, then send them to your IDP and propagate the SAML Request & RelayState to initiate the SAML protocol.
Similarly, unauthenticated requests to the custom app need to redirect to the IDP, so that they will initiate SAML. Is the custom app inside of Salesforce (as a different tabset), or hosted outside of Salesforce? If the custom app is separate from Salesforce, you'll need to set up the identity provider so that it has 2 RPs: one for Salesforce and one for this custom app. If the custom app is in Salesforce, how is the user going to express intent to access Salesforce vs the custom app?