SSO Implementation for Desktop and Web Application with Windows Credential - azure-active-directory

I have a windows application and a web application. Both are having a different login screen. Is there a way to implement SSO with the help of windows credential so that user don't need to login again for accessing the applications.
Note : I am new to ADFS , Domain Controller and SSO so don't have much idea on how that works.
Any leads is appreciated.

you can implement SSO for your corporate/internal/on-premises application using Windows Active Directory and Windows Authentication. A Domain Controller stores the Windows Active Directory database. ADFS will help you extend your Identity and SSO capabilities trusting 3ra party Identity providers. E.g. Azure AD. With this you will be able to access applications in both networks with a single set of credentials.

Related

Unable to set up single sign on for enterprise application in Azure AD

We installed an enterprise application through the Azure AD App Gallery. But when we try to config the Single Sign-on, it keeps saying:
The single sign-on configuration is not available for this application
in the Enterprise applications experience. HubSpot is a multi-tenant
application and the application is owned by another tenant.
Do we need to change some settings to allow the setup of Single sign-on?
We followed this tutorial but are now stuck on "Configure Azure AD SSO".
When added the hubspot application from Azure AD Enterprise application gallery like below ,you should be able to see if SSO setting is available or not and the ways it can be supported for sso.(Here i can be able to use SAML based SSO, or linked SSO)
Then you should be able to edit the saml configuration
For me when I search the hubspot app created in app registrations, its under supported account type of my organization only.
Please check if the App is registered and added as Multi-Tenant App in your case and users have to use login for particular tenant instead of common to avoid error.
Also user accounts need to be pre-provisioned into HubSpot prior to
sign-in .
Reference:
Sign in with My Apps portal and Azure AD SSO in multi tenants application - Stack Overflow

What's the best way to authenticate a user in a .net core 2 API programatically using Azure Active Directory

I'm working on an application that has an angular 6 front end and a .net core 2.0 back-end and am trying to set it up so that my application authenticates users via Azure active directory. The issue is that I want the .net core back-end to do all the authentication programmatically when I have the front end pass an email and password. Everything that I've seen so far online suggests to have the front end redirect to the Microsoft login page but we are using our application as a boiler plate project and want to be able to change the type of authentication easily in the back-end without having to change the angular front-end. Does anyone know how I could go about this?
You can use Resource Owner Password Credentials Grant .The process will like that you collect the user credentials in Angular app and post to .net core back end , then finish the authentication in back-end app with user's credential. But that is not recommended because The ROPC flow requires a high degree of trust and user exposure and you should only use this flow when other, more secure, flows can't be used.
Also :
The Microsoft identity platform endpoint only supports ROPC for Azure AD tenants, not personal accounts. This means that you must use a tenant-specific endpoint (https://login.microsoftonline.com/{TenantId_or_Name}) or the organizations endpoint.
Personal accounts that are invited to an Azure AD tenant can't use ROPC.
Accounts that don't have passwords can't sign in through ROPC. For this scenario, we recommend that you use a different flow for your app instead.
If users need to use multi-factor authentication (MFA) to log in to the application, they will be blocked instead.
Reference : https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

How use Windows Login in Winforms application to access SAML Service Provider

I'm working with a company that has a WinForms application running on a corporate windows network. The application currently connects to a web application server that has its own private username/password store. The web app server has JSP based UIs, but also has some web services which support JWT based authentication.
The company would like to use use accounts from its windows domain to authenticate the users rather than using a separate set of usernames and passwords. The company's domain has an AD FS server and the web application is a SAML service provider.
The question is, is it possible to use the identity information from the original windows login to get a SAML token from ADFS and then use that token to talk to web services on the web application machine?
We're looking at Windows Identity Foundation built into the .net framework as a possibility. Open ID Connect also seems like a possibility, but we don't want to have to present the user a web page for them to log in; we want to use the original windows login identity information to automatically grant access to the service provider.
Is this possible?
SAML support is already built into the web application, but if necessary we could add support for OpenID Connect.
ADFS does have the ability to generate JWT tokens but sadly not for SAML.
There is no way to convert a SAML token to a JWT one that is signed.
SAML doesn't really have support for web API / web services.
WS-Fed does but it's WCF not web API.
The easiest way is to convert to OpenID Connect. That does deliver a JWT token that you can use to authenticate to a web API. You need ADFS 4.0 to do this.

ClickOnce deployment: Is it possible to register application for Active Directory Federation Service?

Is it possible to execute Windows PowerShell command to register an application to ADFS using ClickOnce deployment?
I am working on a WPF rich client application. The application using REST API to authenticate and get data. The authentication will be performed by Active Directory Federation Services. As to authenticated and to get token, I have to register the client application with ADFS, can I execute PowerShell command through clickOnce setup to register application to ADFS?
You can register the client in ADFS using powershell, but that is something that is done only once in the ADFS server itself. So I don't see the benefit of including that registration through clickOnce. This document describes your scenario (WPF client + OAuth + ADFS), you can find more information there: Developing Modern Applications using OAuth and Active Directory Federation Services

ADAL for Windows Store SSO

How do I implement SSO with ADFS?
I try to setup SSO from a Windows Store App that is deployed locally with a Developer license on a Tablet that is domain joined (Win 8.1 Pro) but the login dialog of ADFS is shown. I would like that SSO takes over and that the token is automatically provided by the authenticationContext.AcquireTokenAsync method.
The ADFS is deployed to federate an on-premise Active Directory.
Any help is welcome.
http://www.cloudidentity.com/blog/2014/07/10/adal-v2-and-windows-integrated-authentication/ should do what you are looking for.
HTH!
V.

Resources