I have an application set up in Azure AD with Single Sign-On with SAML. I need to be able to edit the Attributes & Claims programmatically via the Microsoft Graph API. I've scoured the API documentation but cannot seem to find a way to access Attributes & Claims with it.
Not sure if it matters, but specifically, I'm trying to edit the conditions of a specific claim.
For now, editing attributes & claims through graph API is only possible through custom claim policy. Please refer to this article on how to edit claims in SAML app through graph API
Please note that once you configure claims mapping policy via Graph API, you will not be allowed to edit the claims in Azure portal any longer, which is by design.
Hope this helps. Thanks!
Related
I am trying to integrate Salesforce with AAD, so I see two available options, either Saml or OpenId Connect.. I do not know which one is better, but I prefer OpenId Connect since it seems to be more modern. So I tried to register Salesforce App in AAD and Saml was the default options, so why is Saml the default option ?! is it better or what? Please note that I am building an API and I need to allow authentication and authorization with Single Sign On.
The Azure AD app gallery contains many popular applications that are already pre-configured to work with Azure AD as an identity provider. These applications will be available in the Enterprise applications and have SAML to perform SSO. Any application which is added directly from the Gallery the default method is SAML based SSO , password based SSO etc.. which depends upon the applications.
Kindly check the difference between the App Registration and Gallery application in Azure portal from the link
In order to get more detailed explanation about SSO types and protocols kindly check the document to get more detailed explanation.
If you have any further queries kindly let me know.
So here is my dilemma or my somewhat up in the air question .
I have set my self with with a scenario in such that I've enabled SSO on Salesforce using ADFS certs, but currently all users have access to go through salesforce using SSO. I'd like to limit SSO to only three groups "user groups defined in AD" to be the only ones to be able to use SSO in salesforce.
I know i need to delegate access but not sure if i need to do this on the ADFS side or the salesforce end.... on ADFS the only thing i've done is create the certificate and brought them in salesforce and then taken the XML generated and bring that into ADFS.
Any help would be greatly appreciated it .
After Searching the web and this form i came to realise that there is a Delegated Authentication and i might need to install a Delegated Authentication WSDL not sure if this step is necessary for ADFS 3.0 .
Many people seem to point to using Delegated Authentication , but i'm wondering if there is any way to get the same functionality using claim tickets on the adfs server.
Thank You Again :)
You seem to describe something doable via AD FS authorization rules. Read https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/when-to-use-an-authorization-claim-rule
Essentially what you do is on the relying party for Salesforce in AD FS, you create authorization rules to permit/deny based on AD group membership. Therefore, if user is in group, AD FS issues token. if not, they get a deny which means no token that would allow access to Salesforce.
Also see https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/access-control-policies-in-ad-fs because based on your AD FS version you may be able to do this via an access control policy instead of issuance authorization rules.
I am trying to create an AAD App Registration that includes additional claims in the JWT tokens that are returned to the client application.
The idea is that a SalesRepID fields need to be added to each of the AAD users. Then the SalesRepID be included in JWT claims through application manifest configuration.
Is this possible? What are the steps? An article or a code sample that shows how to do this would be a great help?
It's possible.
1) Add custom attribute by using Register an extension. (Please note that it only supports v1.0 application)
2) Set values for custom attributes.
3) Modify application manifest of the Azure AD application and return the extension property as claims.
Besides, Microsoft strongly recommends that you use Microsoft Graph instead of Azure AD Graph API to access Azure Active Directory resources. For how to add custom attribute to Azure AD user with Microsoft Graph API, please refer to: Add custom data to users using open extensions.
Based on the code sample mentioned at URL: https://github.com/Azure-Samples/active-directory-dotnet-webapp-wsfederation , I implemented an application that uses WS-Federation (ASP.Net WS-Federation OWIN middleware) to authenticate users from an Azure AD tenant. Now I am looking for an approach to query the Graph API later in my application to fetch additional claims information required from application point of view.
Here in this scenario, I would like to know whether it is possible to query the Graph API or not. Do I need to update the existing WS-Federation protocol to OpenId Connect.
Can anyone help me to provide their guidance here.
The ideal would be to move to OpenId Connect, which would allow you to take care of both sign in and API in a single setup and flow.
If you want to stick with your current ws-fed setup, you can layer oauth2 on top of your implementation and retrieve the access token you need any time after the sign in. We have a sample showing exactly that, see https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-webapi-oauth2-useridentity/
How to programatically control the attributes that are attached to an AAD Premium user, related to MFA? Using the Graph API (C#, using the SDK), what calls can be made to make a user MFA or not, CRUD on phone numbers, etc?
Thanks.
As far as I know, there is no such API we can get the MFA attributes through Graph REST API, since there is no relative attribute in user entity.
However, we can using the Azure Multi-Factor Authentication SDK to build multi-factor authentication into custom Apps. More detail about this, you can refer here.
These attributes are now available in the Microsoft Graph Beta API. See the documentation at Azure AD authentication methods API overview.