I have implemented user authentication with cognito and Azure AD (SAML) for static app running on EC2 instance in apache server.
I want to authorize user from AD group to access specific url from static web app.
For example : for users in admin group can only access pages with path /admin/*
For authentication I used ELB authenticate action which is working fine
Now I want to provide group based access to pages for static app running in apache running in ec2 instance.
Is there any with which I can authorize users without making any changes on application side. ?
Thanks in advance !
• I would suggest you create user pools supported by Amazon Cognito and authenticate them using corporate identities of Microsoft Azure AD. Thus, for this purpose, you will have to create user pools first in Amazon Cognito which are in fact nothing but groups containing user identities. For this purpose, kindly refer to the link below for more details on its configuration: -
https://docs.aws.amazon.com/cognito/latest/developerguide/getting-started-with-cognito-user-pools.html
• Once you are done with the above, you can configure authentication for users using an application load balancer or elastic load balancing as you have done in case of users from Azure AD using Amazon Cognito. For configuring the user pool authentication in Amazon cognito, you will have to prepare to use an OIDC-compliant IdP, prepare to use for Amazon CloudFront and other things like user claims encoding and signature verification like that for user authentication. For this purpose, to configure the same, kindly refer to the below AWS documentation link given: -
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html
Related
We installed an enterprise application through the Azure AD App Gallery. But when we try to config the Single Sign-on, it keeps saying:
The single sign-on configuration is not available for this application
in the Enterprise applications experience. HubSpot is a multi-tenant
application and the application is owned by another tenant.
Do we need to change some settings to allow the setup of Single sign-on?
We followed this tutorial but are now stuck on "Configure Azure AD SSO".
When added the hubspot application from Azure AD Enterprise application gallery like below ,you should be able to see if SSO setting is available or not and the ways it can be supported for sso.(Here i can be able to use SAML based SSO, or linked SSO)
Then you should be able to edit the saml configuration
For me when I search the hubspot app created in app registrations, its under supported account type of my organization only.
Please check if the App is registered and added as Multi-Tenant App in your case and users have to use login for particular tenant instead of common to avoid error.
Also user accounts need to be pre-provisioned into HubSpot prior to
sign-in .
Reference:
Sign in with My Apps portal and Azure AD SSO in multi tenants application - Stack Overflow
Assuming I have a web app residing in Azure and using Azure AD, and I configured it to authenticate using Azure AD
settings -> Authentication / Authorization -> Authentication Providers -> Azure Active Directory
Now I want certain pages and URL paths to be publicly available (without need for authentication).
How do I configure that?
Somehow I stumbled upon the answer.
The way to configure that is described in the following article:
Expanding App Service Authentication/Authorization
You need to leave the "action to take" drop-down as "Allow request (no action)" and then the application may redirect the user to the log-in page as needed. This was not sufficiently explained in the Azure portal and led to some confusion on my part.
We are looking to publish an API in an Azure B2C model where customers will use our app to access API's published using Docker Swarm based Azure Container Services. Our assumption here is that this model will require Azure B2C AD as opposed to Azure AD.
All API calls will have an OAuth token issued from B2C AD.
We want to know what is the best approach to validate the token centrally before it reaches the microservices on Azure Container Service. We were using API Gateway to route the API calls to the correct microservice while also using the WAF capability in the API Gateway. However, we realize that the API Gateway does not provide a way to verify the OAuth token before it forwards the request to the microservices.
Also please note, as per the suggestions in Microsoft Documentation we have two tenants with one tenant running all services such as database and microservice and the second tenant hosting the Azure B2C AD.
Can you please suggest the best option to implement the OAuth Verification without having to implement this in each microservice.
One thing you could do is put Azure API Management Service between your clients and services, there you'd have an option to use validate-jwt policy to inspect tokens and authorize calls.
The following is a quick overview of the steps:
Register an application (backend-app) in Azure AD to represent the API.
Register another application (client-app) in Azure AD to represent a client application that needs to call the API.
In Azure AD, grant permissions to allow the client-app to call the backend-app.
Configure the Developer Console to call the API using OAuth 2.0 user authorization.
Add the validate-jwt policy to validate the OAuth token for every incoming request.
Please refer to the following document for steps in detail.
I'm currently trying to implement a multi-tenant Azure AD application that will use Microsoft Graph API's to monitor and analyze Office 365 "metadata" for members of the tenant domain. For example, the application might monitor One Drive user space over time. The architecture of the application will include an AngularJS SPA client along with a web application back-end. The idea is that the web application allows for both local registration (e.g. traditional sign up using an email address and password) in addition to Azure AD authentication. In the case of local registration, the user might be able to associate an Azure AD tenancy with the local account in the future, for example.
I'm struggling to understand how various authentication mechanisms should work. For example, I think that there should be two levels of authentication in the case of Azure AD: one authentication for the users of the client SPA, and another authentication used by the back-end for making continuous calls to the Microsoft API's, requesting refresh tokens, etc.
How might this architecture be implemented using the various Azure AD authentication scenarios Microsoft has already provided examples for?
If my initial inclination that I will have two applications registered with Azure AD (for example, the SPA registered as a native application, say, and the web application registered by itself), how will users allow access to both of them, and what would this workflow look like? In addition, what would the flow of user requests look like? The SPA would make a request to the back-end using its Azure AD token, but what will the back-end do to receive its authentication token and make calls to the Microsoft API's?
How might I best incorporate Azure AD authentication along with local registration into my application?
Generally speaking, you can associate your each user to his entity in Azure AD tenant in your backend server / database. As every user in Azure AD has several unique properties in the entity object. You can use the user's email or objectId as mentioned at Claims in Azure AD Security Tokens as the external column in your user table.
When your user authenticate your site via ADAL.JS, you can grab the access token in your backend server via the Authentication header. You can use the access token to request for the resources protected by Azure AD. And the access token is a JWT token, which you can decode directly to get the user basic claims as we mentioned before. You can retrieve the claim which you stored in your user table and match the special user registered in your server for requesting the resource protected by your self.
Problem Statement:
I want to download S3 contents through mobile app from multiple mobile devices.
Solution that I came across.
Solution 1
Create an IAM user in AWS. Create a policy to download S3 contents only for particular bucket and assign that policy to IAM user.
Whenever mobile application wants to download contents from S3, mobile application will call my server API which will return the credentials of IAM user.
Then mobile application will use these credentials to download the S3 contents.
Solution 2
Use AWS Cognito service.
However the problem with first approach is that I will have to manage credentials server side. Also someone can easily back track it and use those credentials outside application to download contents.
The second approach I am not aware of completely. However in the FAQ of AWS COGNITO service I did not found any solution to my requirement although it allows you to read, delete and put the content to any AWS service.
I need a suggestion regarding securely download S3 contents from mobile applications.
Amazon Cognito and the AWS Mobile SDK are designed especially for the use case of downloading content stored in S3 from a mobile app. You can use Cognito to provide temporary, limited-privilege AWS credentials to each user of your app. You can enable your users to start using your app as unauthenticated guests and/or authenticate with social logins or your own registration/login service.
To set up Cognito, use the Cognito console to create an Identity Pool, which is a store of user identity data specific to your AWS account. IAM roles define the permissions for your users to access AWS resources, like S3. Users of your application will assume the roles you create. You can specify different roles for authenticated and unauthenticated users. To learn more about IAM roles in Cognito, see IAM Roles.
When you visit the Cognito Console, a wizard will guide you through creating the Identity Pool and the necessary IAM roles. The integration between Cognito (which issues AWS Credentials to the mobile app user) and the other AWS Services is in the initialization of the SDK. Example code for initializing the SDK with Cognito on iOS, Android, Unity, and JavaScript are in the Getting Credentials topic of the Amazon Cognito Developer Guide].
Updates in October 2020:
AWS has shifted their "Mobile SDK" to AWS Amplify. Amplify still uses Cognito for authentication (login) and authorization (credentials/permissions) so the above is still accurate. You can get specific guidance on using Cognito with Amplify to set up Authentication here. Once you set up auth in Amplify, a specific example of using S3 is here.
Note that Cognito's docs focus on User Pools these days which allow you to implement your own full-fledged directory for storing and logging in users (for a cost). However, you don't have to use Cognito's user directory to store your users. Cognito Identity Pools (which still have no cost AFAICT) allow you to get AWS Credentials for users who are not logged into your app (so-called "Unauthenticated Identities") and/or allow users to login with other user directories (such as social logins or a user directory that you own and manage).
If you want ultimately flexibility, you can also use AWS STS to get credentials for accessing AWS Resources including S3. However, with STS's flexibility comes the need for more understanding of IAM/AWS and arguably more complex setup.
Please comment if there is anything I can do to make this more clear!