User based multitenancy using IdentityServer4 - identityserver4

We are trying to implement IdentityServer. Our requirement is to resolve the tenant by UserID (pre-stored in SQL), not by using the hostname or a tenant prefix from the URL. So, first the user will provide a LoginID on the login page. We will resolve the tenantID using the given input and provide the possible authentication scheme based on the tenant configuration. Is it possible to achieve this using the IdentityServer4 component?

Related

How to configure multiple login methods for Azure B2C in react

I am using React to build a login for my web app.
I currently have a login that handles login this way:
I am new to Azure and I don't know how to have the multiple login options like this site does.
Is this an Azure setting or something I need to add to my config file?
Is there a name for each sign-in method I can investigate? Because without knowing the terms, I find it hard to find any tutorial on getting both sign-in methods to show.
Thanks
You can add additional sign-in options like an external AD, or social accounts like Google, Twitter, Facebook. Those are called identity providers (aka IdPs); any ID provider that supports OAuth or OIDC can be registered with your Azure B2C directory to support these login methods. You can create your own 'user flows' in B2C supporting this; when you want to do anything custom, you can author 'custom policies' using XML. Refer to the MS docs on user flows and sign-in options.

Single Signin With AAD and B2C

We're trying to implement a single sign-in using both AAD and B2C. The web app needs to allow internal and external people to log in. I'm able to implement each method individually, but is it possible to determine the login method based upon the email address? If they're an external person, I would authenticate with B2C; if internal, AAD.
Any suggestions, or is this even possible?
For OIDC, "domain_hint" would work.
"The domain hint can be used to skip directly to the sign-in page of the specified identity provider, instead of having the user make a selection among the list of available identity providers".
Update
The usual way to do this would be to authenticate with B2C and then add a login button for AAD, i.e. federation.

WSO2 Identity Server - How to map a User Store to a service provider for authentication?

We are trying to build an application which is going to use WSO2 Identity Server to authenticate with IdP-initiated SSO.
I have tried out the travelocity.com example in the WSO2 IS tutorials, and I can understand that the "default" authentication type as Local Outbound Authentication uses the Primary user store to perform authentication:
What I need to understand is, how do I map a UserStore to work with a particular service provider, as I am performing IdP-initiated SSO?
Is it something I can manage inside the WSO2 Management Console ? OR do I have to modify the authenticationendpoint webapp?
It isn't limited to the PRIMARY user store; if you have multiple secondary user stores, it'll try to authenticate the user with every user store until the authentication succeeds.
Limiting a user store to a certain service provider is currently not available in the Identity Server, but you can write a custom authenticator and achieve this requirement. Here is a guide on how to write a custom local authenticator. Basically what you have to do is override the processAuthenticationResponse method and pick the user store accordingly.
Based on your described requirement, I would like to suggest another approach to achieve the same.
In WSO2 Identity Server you have the capability to engage a policy in the authentication flow. So using a policy we can restrict which user stores are allowed for a particular service provider.
Check out https://medium.com/#Pushpalanka/application-wise-authorization-wso2-identity-server-user-store-per-service-provider-dfea5f9ad758 for a detailed explanation.

Azure easy auth API

I've setup my mvc web app to use Azure easy auth. I need to pass the user role to the application code.
I've seen that easy auth already publishes an API, so that I can call /.auth/me and retrieve the user login. I can't find any documentation on this API - does it support other requests that can be used to pass a role?
Alternative would be to use the token store to call the graph API, but as I only need basic info, I wondered if there was a simpler way?
Thanks,
Mark
If you want to know which application role has been assigned to the current login user, you could check the roles claim in the ID token:
Update:
Currently, you can't get group claims in Azure AD B2C with easy auth; you could find the same User Voice item here.
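Added example, not code from the thread above: reading the application roles the answer points at, first from the claims in the /.auth/me document that easy auth publishes and then from the roles claim of the ID token it contains. The /.auth/me response below is constructed for this example; the field names and the user_claims layout (one {typ, val} entry per claim value) follow the /.auth/me format, while the user, client ID, tenant and role names are invented.

```javascript
// Added example (not from the original thread). Extracts app roles for the
// signed-in user from an easy auth /.auth/me response and from the ID token.

function b64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}
function b64urlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decodes the payload WITHOUT verifying the signature. That is acceptable only
// because easy auth validated the token at the edge before the app saw it;
// never do this with a token handed to you directly by a client.
function decodeJwtPayload(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) throw new TypeError('not a compact JWS');
  return JSON.parse(b64urlDecode(parts[1]));
}

// Constructed sample ID token: real layout, fake signature segment.
const sampleIdToken = [
  b64urlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid: 'example' })),
  b64urlEncode(JSON.stringify({
    iss: 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0',
    aud: '11111111-2222-3333-4444-555555555555',
    preferred_username: 'mark@contoso.com',
    roles: ['Admin', 'Reader'],          // app roles assigned in the enterprise app (invented)
  })),
  'fake-signature',
].join('.');

// Constructed /.auth/me response: one entry per identity provider, each with
// the token(s) and a flattened list of claims (multi-valued claims repeat typ).
const sampleAuthMe = [{
  provider_name: 'aad',
  user_id: 'mark@contoso.com',
  id_token: sampleIdToken,
  user_claims: [
    { typ: 'name', val: 'Mark' },
    { typ: 'preferred_username', val: 'mark@contoso.com' },
    { typ: 'roles', val: 'Admin' },
    { typ: 'roles', val: 'Reader' },
  ],
}];

// Roles as published in the user_claims list for the given provider.
function rolesFromAuthMe(authMe, provider = 'aad') {
  const entry = (Array.isArray(authMe) ? authMe : []).find((e) => e.provider_name === provider);
  if (!entry) return [];
  const roles = (entry.user_claims || []).filter((c) => c.typ === 'roles').map((c) => c.val);
  return [...new Set(roles)].sort();
}

// Roles as carried in the ID token's "roles" claim (array, or single string).
function rolesFromIdToken(token) {
  const roles = decodeJwtPayload(token).roles;
  if (roles === undefined) return [];
  const list = Array.isArray(roles) ? roles : [roles];
  return [...new Set(list.filter((r) => typeof r === 'string'))].sort();
}

function hasRole(roles, required) {
  return roles.includes(required);
}
```

Use the roles read this way for display and client-side routing only. An authorization decision belongs on the server, and easy auth already hands the same claims to the MVC app in the X-MS-CLIENT-PRINCIPAL request header, so the app code should read them there rather than trust a roles list posted back from the browser.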

Identity Server 3 AngularJS with .Net Web API

We are planning to integrate IdentityServer3 in a SPA application using AngularJS with .NET Web API.
1) Need to create an identity token and OAuth token for the application and store the identity token in a browser cookie. So we are taking the Hybrid approach and need to map the identity to create the OAuth token, so both users and the API are protected. We are able to create the OAuth token, but are struggling with how to authenticate using a custom login page (not the IdentityServer3 login page) where the user ID and password are validated from the AngularJS page, and then create the identity token and store it in a browser cookie.
Any one have implemented custom login approach with identity token creating using identityserver3?
2) How to integrate IdentityServer3 with Active Directory as the user data store?
Please provide comments.
Thanks
Regards
Ramkumar.C
For Active Directory(AD) user store, implement Identity Server as a Relying Party to your AD implementation. You can then simply integrate it within Identity Server as an external Identity Provider. Details on how to do this are in the official documentation: https://identityserver.github.io/Documentation/docsv2/configuration/identityProviders.html.
I assume you'll be doing this over WS-Federation, so you'll need to use the Microsoft.Owin.Security.WsFederation package.
If you want to use just AD as your user store, you can disable local logins in the IdentityServerOptions, set AD as the only Identity Provider for your Client using the IdentityProviderRestrictions property, or pass idp in the acr_values parameter when using the Authorization endpoint.
Regarding a custom login page external to Identity Server, many people have asked about this on the Identity Server issue tracker. Some have made implementations, but FYI: the team behind Identity Server does not recommend this approach.