How to login manually then start end-to-end testing using Cypress - azure-active-directory

I have been working on an end-to-end test using Cypress. Our website requires the user to log in to Azure Active Directory before opening the portal. I found various ways to automate the authentication process using cy.request(), but I am wondering if there is a way to log in to Azure Active Directory "manually", such as launching a new window to prompt the user to log in or something similar, and then start the test, as we only have to automate testing the functionality of our website, not the authentication.
Any idea is welcome.

Related

How to automate Azure AD authentication that requires MFA authenticator code?

We are working on E2E tests for a web app that uses Azure AD and requires an MFA code from a mobile Authenticator app during login. Is there any programmatic implementation of such an Authenticator that we can use during user registration and subsequently in our automated tests? Changing the login procedure is not an option.
The Authenticator app is always used to authorize a user who is already registered or added in Azure AD by the administrator for particular access to an application.
It cannot be implemented programmatically to automate the authenticator code, because the purpose of MFA would be lost. MFA came into the picture to avoid malware attacks or unauthorized access to an application. So this is not possible right now, and it won't be possible in the future either.

Blazor server - Azure AD auth - fine in dev, deployed to Azure App not working

I'm struggling with Azure AD authentication on my Blazor Server app, but only when deployed to an Azure App service.
My app is presenting the login screen, and appears to authenticate me.
Every page appears to result in just a single line
"You do not have permission to view this directory or page."
After login, I get that line.
I attempt to go to /counter, same line.
I do not get this after login when running from my IIS Express dev machine; after authentication, I get the index page, can nav to counter, fetch data, etc.
I take it there is something different between development environment and production.
I tried to deploy my debug configuration, same result.
I don't see where this "You do not have permission to view this directory or page." message is coming from, at all. I don't see it on any components or pages.
I'm using the v2 endpoints for MSAL, and again, they seem to work okay in development.
Do I need to add an attribute to my page or component? Do I need to set up a specific role somewhere in Azure App?
What should I have in startup.cs or program.cs?
Again, I've put my actual app aside and just spun up a new one with just the default counter and fetch data demo stuff, used VS to add Microsoft Identity, run through the config steps for it, all successfully. Run from dev machine, it asks me to log in, I log in, it shows I'm logged in on the login control, etc. All looks fine. Hit deploy and spin up an App Service for it, deploys without error, starts up, asks me to log in, I do, and I get the "You do not have permission" line.
Anyone else experience this?
If you are logging in using a user ID under Azure Active Directory (AAD), you have to modify the following in Settings:
Authentication / Authorization
App Service Authentication: "On" => choose "Log in with Azure Active Directory"
Select 'ActivityProvider', AAD.
Configured (Express: Existing APP)
Manage Azure Active Directory: Manage Permission & Manage Application
For Manage Permission => Add; in Delegated Permissions, choose "Sign in and read user profile", then refresh your browser to log in again.
Also, check all your web app files through the Kudu console.
Follow this link:
<your_web_app_name>.azurewebsites.net > Debug Console (from top menu) > CMD/PowerShell > Site > wwwroot.
That should contain all your files.

Login using Azure from a Capacitor built app opens a new login window outside the app

I am using capacitor 3.0 to build a native iOS app with React.
The app's user is expected to login first.
I want the user's login to be handled by Microsoft Azure ActiveDirectory B2C and followed this tutorial to set this up:
https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-react
Furthermore, Microsoft offers a Microsoft Authentication Library (MSAL, https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/login-user.md), which for a login redirects to a screen managed by microsoftonline.com to take the username and password. This is a standard login interface by Microsoft, which can be custom-branded but I have not made that change. Just using the standard MS UI.
This redirect works fine in a Web/desktop browser as it opens the Microsoft login screen within the same page without opening a new browser window.
However, when accessing the login from within the Capacitor built iOS app, the user is taken to an external browser for the login, which breaks the user experience.
Any ideas on why capacitor launches a browser for login when this is not the case with the regular React web browser (non-Capacitor)?

How to Authenticate for Active Directory Users?

I am building an app for our organization in which we need to enable a login screen and authenticate the username/password against MS Active Directory.
Any help with sample code will be very helpful.
I am using Flutter to build the mobile application.

Active Directory and User Management

I'm very new to LDAP and Active Directory and I'm probably understanding something completely wrong.
I know ASP.NET Identity and forms authentication (however, I'm also quite new to that), and my question is actually whether it is possible to use certain features you can use with forms authentication (explanation further below) with Active Directory.
I'm building an MVC web application and I'd like to authenticate my users against Active Directory. That would be possible with ADFS. The template you get when using ASP.NET Identity in VS2013 uses passive authentication. Is it however possible to not do this redirect to the Active Directory domain but create a custom login page for the user?
Is it also possible to do user management with Active Directory like that is possible with forms authentication? I was thinking about:
A page where the user can register himself
Ability for the user to change his password (I know this is possible with ADFS, but the user may not be logged in. I want him to do this when he's logged in, with a self-made page.)
Logging in on a new computer should ask for a code specified in an email
Set up password policy in the application
... (Other things that I might have forgotten)
When these things aren't implicitly possible with Active Directory, please advise on how to configure the application to acquire this functionality (when possible with Active Directory).
Thank you very much in advance for helping me!
EDIT 1:
To leave my question not too open, I maybe better just start with that custom login page. When I understand it well, the normal flow when using ADFS to authenticate your users against is:
A user tries to access a web page of an application for which he needs to be authenticated
(Passive) redirect to a login page provided by ADFS -> user enters his AD credentials
ADFS returns token
Token is sent to the web application (that ADFS trusts)
When the web application thinks everything is ok, it stores an authentication cookie in the user's browser (I guess), and the user can access the web page
What I would like:
A user tries to access a web page of an application for which he needs to be authenticated
Redirect to a login page of that same web application where the user can enter his credentials
The entered credentials are sent to ADFS (I guess) and it returns something (a token?) with information about whether the login succeeded or not (This step could be preceded by a call to some (self-made) service (a Web API application) that multiple client applications could use for their authentication against the same directory)
When the login succeeded, the web application stores a cookie in the user's browser and the user is able to access the page
I don't know if that makes sense? I'm just wondering how companies that use Active Directory to store user information can still have a custom login page, registration page and other user management stuff. (Or don't they use AD but do they just have their own databases?)
Normally if you want a custom login page you use an ADFS active profile implementation (e.g. WCF) to do the authentication.
User provisioning is not part of ADFS. To do this you need an Identity Manager e.g. PingFederate, OpenIDM.
If you are using ADFS 2.0 or 2.1, you can customize the pages (because they run on IIS) and add these features or redirect to a separate website which does.
Most of what you want is OOTB AD functionality. Refer: Everything in Active Directory via C#.NET 3.5 (Using System.DirectoryServices.AccountManagement).
Password policy can be extremely complex. I don't know of any APIs that explicitly do this.
If you are using ADFS 3.0, there is no IIS, so you are pretty much out of luck.
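Added example, not code from the answer above or from the article it refers to: the System.DirectoryServices.AccountManagement calls that would back a custom login page and a logged-in password-change page against the domain. The domain name `corp.example` is a placeholder.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Added example (not the page's or the linked article's code). Shows the
// AccountManagement calls behind a custom login page and a self-service
// password-change page. "corp.example" is a placeholder domain name.
public static class AdAccountService
{
    private const string Domain = "corp.example"; // placeholder, not from the page

    // Custom login page: verify the submitted credentials against the domain.
    public static bool ValidateLogin(string username, string password)
    {
        // Reject empty input before touching the directory so an empty
        // password can never be mistaken for a successful bind.
        if (string.IsNullOrWhiteSpace(username) || string.IsNullOrEmpty(password))
            return false;

        using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
        {
            // Kerberos/NTLM negotiation rather than a simple (plaintext) LDAP bind.
            return ctx.ValidateCredentials(username, password, ContextOptions.Negotiate);
        }
    }

    // Self-service page for a logged-in user: the domain enforces its own
    // password policy (length, history, complexity) and rejects values that fail it.
    public static bool ChangePassword(string username, string oldPassword, string newPassword)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, username))
        {
            if (user == null)
                return false;
            try
            {
                // ChangePassword requires the current password; SetPassword would
                // not and is therefore reserved for administrative reset flows.
                user.ChangePassword(oldPassword, newPassword);
                return true;
            }
            catch (PasswordException)
            {
                // Wrong old password, or new password rejected by domain policy.
                return false;
            }
        }
    }
}
```

Registration (creating a UserPrincipal) and the email-code step from the question are not covered here; creating accounts needs a service identity with write rights in the directory, which a login page should not hold.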
It's not really an answer to my question here, but if someone is interested in what I eventually did: you can read it (very briefly) here.