I've setup and configured an Azure Static Web App to utilize Azure Front Door as an entry point precisely following all of the steps here and am using Azure Active Directory for authentication.
After doing so, it seems that the consent page served from https://identity.azurestaticapps.net/.auth/login/done appears to be displayed upon every single login. (Note: This was not happening before configuring Azure Front Door).
Is anyone aware of why this consent page continuously shows on each subsequent login to the application?
Related
TLDR: Which is the correct way to check for login states across multiple web pages, a SPA or a Web App.
I'm looking to develop an internal staff website for a company I'm working with. We currently have a SPA configured and developed and working properly but as we are adding more features I'm thinking that we are going to need more than one single page.
Correct me if I'm wrong, but this is my current understanding of MSAL.js with SPAs. Let's say a end-user is attempting to access our staff page at [company].com/home, if the user has not authenticated with their account that is stored in our Azure AD, the end-user can authenticate only for that page and their session state can be stored in the local storage, so when they access [company].com/home, their login can be acquired silently and the end-user will not have to log in again. If they do not have an account, they will not be able to access any page.
Also, by this logic, if the end-user accesses [company].com/staffresources, they will have to also login for this page as well, in addition to the cached login for [company].com/home, and the same will follow for each page throughout the website. At least, that is my understanding, correct?
I do see that there is an option for a Web App, would this solve the issue to where the end-user would have to authenticate each seperate page that they attempt to connect to? Or is there a way to check for a login state using a SPA, if the user has not been authenticated, they are can be redirected to a [company].com/login.
Any direct links to proper documentation for a solution would also be greatly appreciated.
localstorage is segmented by domain, not by each individual page. If a user signs in with msal.js on [company].com/login they will be signed on every page under the [company].com domain.
We are implementing SSO with Azure AD for our SPA Angular application. We have successfully implemented SSO referring the documentation. But we have a requirement if the user is already logged in to AD, user need not to be redirected to the login page. User should automatically be redirected to the landing page. How can we implement this with Auth0?
I'm in thought of using a js libray like MSAL. But the issue is that the app is not hosted in Azure. Is there a way to figure out whether there is a active directory instance for a given domain.
If a valid session exists after already logging in with Azure AD you will not be asked to login again if your using MSAL.
I am serving SPA application with Azure AD B2C integration from Storage Container.
Everything works correctly with this address in browser ******.web.core.windows.net.
However when we add custom domain and CDN Profile and serve it on e.g. pets.dev.com, user gets redirected to B2C for authorisation and comes back to address ******.web.core.windows.net.
It is an expected behaviour since that is the redirected URL set by the SPA app when redirecting user to B2C.
Though when we change the redirect URL to e.g. pets.dev.com the app goes into endless loop when coming back from B2C. It goes to pets.dev.com and immidietly gets send back to B2C, B2C (as the user is logged) sends it back to pets.dev.com and loop repeats.
Any ideas what is wrong with the setup?
On SPA app I am using React with react-azure-b2c wrapper for MSAL.
I am writing a SPA web app that is registered as an app in Azure AD. Everything was working fine most of the week; however, when I went to work on it today, I wasn't getting the expected results.
I deleted and recreated the app registration, hoping it would fix the issue, but it made things worse. When I navigate to the URL, I'm redirected to log in to Azure AD. That part works fine. Since I just created the app registration, I would expect to be taken to a page to consent to the application, but instead I'm redirected back to my application.
I check the app registration in Azure, and it does not have me listed as a user of the application.
Because of all of this, I can't acquire tokens to call external APIs (which I have registered in my app registration).
I'm not sure why I am running into this all of the sudden. Any thoughts on why the OAuth consent is being by-passed? I'm starting to wonder if MSFT is having services issues or not, but more than likely, the problem is on my end.
Suggestions on how to troubleshoot are also welcomed!
There's two things you can do to give consent that will likely fix your app. From what it sounds like your app isn't consenting before ADAL.js you use acquireToken (which is a silent call and can't consent).
Go into the Azure Portal > Azure AD > the app you registered, then at the top hit Grant Permissions. This is the equivalent of admin consent and will consent for all users in your tenant.
Run your app and hit login. When you get redirected to the Azure AD sign in page, add to the url &prompt=consent, hit enter and reload the page w/ that parameter and sign in. This will force the consent screen and consent for the current user. You can also append on the prompt=admin_consent if you're signing in w/ an admin account.
I'm very new to LDAP and Active Directory and I'm probably understanding something completely wrong.
I know ASP.NET Identity and forms authentication (however, I'm also quite new to that) and my question is actually if it is possible to use certain features you can use with forms authentication (explanation further below) with Active Directory.
I'm building an MVC web application and I'd like to authenticate my users against Active Directory. That would be possible with ADFS. The template you get when using ASP.NET Identity in VS2013 uses passive authentication. Is it however possible to not do this redirect to the Active Directory domain but create a custom login page for the user?
Is it also possible to do user management with Active Directory like that is possible with forms authentication? I was thinking about:
A page where the user can register himself
Ability for the user to change his password (I know this is possible with ADFS, but the user may not be logged in. I want him to do this when he's logged in, with a self-made page.)
Logging in on a new computer should ask for a code specified in an email
Set up password policy in the application
... (Other things that I might have forgotten)
When these things aren't implicitly possible with Active Directory, please advise on how to configure the application to acquire this functionality (when possible with Active Directory).
Thank you very much in advance for helping me!
EDIT 1:
To leave my question not too open, I maybe better just start with that custom login page. When I understand it well, the normal flow when using ADFS to authenticate your users against is:
A user tries to access a web page of an application for which he needs to be authenticated
(Passive) redirect to a login page provided by ADFS -> user enter his AD credentials
ADFS returns token
Token is sent to the web application (that ADFS trusts)
When the web application thinks everything is ok, it stores an authentication cookie in the user's browser (I guess), and the user can access the web page
What I would like:
A user tries to access a web page of an application for which he needs to be authenticated
Redirect to a login page of that same web application where the user can enter his credentials
The entered credentials are sent to ADFS (I guess) and it returns something (a token?) with information about whether the login succeeded or not (This step could be preceded by a call to some (self-made) service (a Web API application) that multiple client applications could use for their authentication against the same directory)
When the login succeeded, the web application stores a cookie in the user's browser and the user is able to access the page
I don't know if that makes sense? I'm just wondering how companies that use Active Directory to store user information can still have a custom login page, registration page and other user management stuff. (Or don't they use AD but do they just have their own databases?)
Normally if you want a custom login page you use an ADFS active profile implementation (e.g. WCF) to do the authentication.
User provisioning is not part of ADFS. To do this you need an Identity Manager e.g. PingFederate, OpenIDM.
If you are using ADFS 2.0 or 2.1, you can customize the pages (because they run on IIS) and add these features or redirect to a separate website which does.
Most of what you want is OOTB AD functionality. Refer: Everything in Active Directory via C#.NET 3.5 (Using System.DirectoryServices.AccountManagement).
Password policy can be extremely complex. I don't know of any API's that explicitly do this.
If you are using ADFS 3.0, these is no ISS so you are pretty much out of luck.
It's not really an answer to my question here, but if someone is interested in what I eventually did: you can read it (very briefly) here.