Get ACI container image without using ACR username and password in Azure Logic App? i.e. using Managed Identity - azure-logic-apps

I am using Logic app to create ACI Container group. I want to use managed identity to pull the container image from ACR, instead of using UserName and password to connect to the ACR as shown below. How to accomplish the same?

Consider using Azure Key Vault to store that information. You can turn on the Managed Identity for the Logic App, which can then be granted access to Key Vault secrets/keys.
The following blog provides detailed instructions on how to access Key Vault from Logic Apps with Managed Identity:
https://devkimchi.com/2018/10/24/accessing-key-vault-from-logic-apps-with-managed-identity/
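As an added example (not code from the question or the answer above), here is the Key Vault side of that approach in Azure PowerShell: the registry credentials are stored as secrets and the Logic App's system-assigned identity is granted read access to them, so nothing credential-like has to live in the workflow definition. It assumes the Az modules are installed and signed in with Connect-AzAccount, that the Logic App's system-assigned identity is already enabled, and that the resource-group, registry, vault and Logic App names are placeholders you replace.

```powershell
# Added example, not from the original question or answer.
# Assumes: Az.Accounts, Az.ContainerRegistry, Az.KeyVault and Az.Resources installed,
# Connect-AzAccount already run, and the Logic App's system-assigned identity enabled.
# All names below are placeholders.
param(
    [string] $ResourceGroup = 'rg-placeholder',
    [string] $RegistryName  = 'acrplaceholder',
    [string] $VaultName     = 'kv-placeholder',
    [string] $LogicAppName  = 'logicapp-placeholder'
)

# 1. Read the registry credentials once, here, rather than pasting them into the workflow.
#    ACI's image registry credentials need a username/password pair, so the registry's
#    admin account has to be enabled for this cmdlet to return anything.
$regCreds = Get-AzContainerRegistryCredential -ResourceGroupName $ResourceGroup -Name $RegistryName

# 2. Store username and password as two Key Vault secrets.
$user = ConvertTo-SecureString -String $regCreds.Username -AsPlainText -Force
$pass = ConvertTo-SecureString -String $regCreds.Password -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $VaultName -Name 'acr-username' -SecretValue $user | Out-Null
Set-AzKeyVaultSecret -VaultName $VaultName -Name 'acr-password' -SecretValue $pass | Out-Null

# 3. Grant the Logic App's managed identity "get" on secrets and nothing else.
#    A system-assigned identity appears as a service principal named after the resource.
$identity = Get-AzADServicePrincipal -DisplayName $LogicAppName
if (-not $identity) {
    throw "No managed identity found for '$LogicAppName'; enable it on the Logic App first."
}
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $identity.Id -PermissionsToSecrets get

Write-Output "Secrets stored in $VaultName; $LogicAppName ($($identity.Id)) can read them."
```

Inside the workflow, the Key Vault connector's Get secret action, authenticated with the managed identity instead of a stored connection secret, returns the value, which the ACI Create container group action can reference for its image registry username and password. Two caveats: if the vault uses Azure RBAC rather than access policies, replace Set-AzKeyVaultAccessPolicy with a Key Vault Secrets User role assignment (New-AzRoleAssignment), and note that the managed identity protects how the credentials are stored and fetched; ACI itself still presents a username/password to the registry.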

Related

How to auto renew Azure AD App client secrets and store in Key Vault

Now that Microsoft has removed the "never expire" option from Azure AD app client secrets (and because generally it's good practice) I'm looking for a way to auto-renew a client or generate a new one and then save that value to Azure Key Vault.
I know of various ways to save a value to the Key Vault but I can't see any nice ways to programmatically track the expire of client secrets and renew/create new ones.
Does anyone know how to start going about this?
I can call this Graph API to add a new secret.
The result is success.
But I can't see the newly created secret in Azure portal -> Azure AD -> target application -> Certificates & secrets; I can only see it in the Manifest blade. It's weird.
I also found an answer about using a PowerShell command to create secrets: New-AzureADApplicationPasswordCredential -ObjectId "YourAppObjectId"
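As an added example (not from the question or this answer), the expiry check and rotation step in PowerShell, combining the New-AzureADApplicationPasswordCredential cmdlet mentioned above with Set-AzKeyVaultSecret. It assumes the AzureAD and Az.KeyVault modules are installed, that Connect-AzureAD and Connect-AzAccount have already been run with enough rights on the app and the vault, and that the app object id, vault and secret names are placeholders; the threshold and lifetime values are arbitrary choices.

```powershell
# Added example, not from the original question or answer.
# Assumes: AzureAD and Az.KeyVault modules installed, Connect-AzureAD and Connect-AzAccount
# already run. $AppObjectId, $VaultName and $SecretName are placeholders you supply.
param(
    [Parameter(Mandatory)] [string] $AppObjectId,
    [Parameter(Mandatory)] [string] $VaultName,
    [Parameter(Mandatory)] [string] $SecretName,
    [int] $RenewBeforeDays        = 30,   # rotate when no secret is valid beyond this
    [int] $NewSecretLifetimeDays  = 180   # lifetime given to the replacement secret
)

$now   = (Get-Date).ToUniversalTime()
$creds = Get-AzureADApplicationPasswordCredential -ObjectId $AppObjectId

# If at least one credential is still valid beyond the threshold there is nothing to do.
$healthy = @($creds | Where-Object { $_.EndDate -gt $now.AddDays($RenewBeforeDays) })
if ($healthy.Count -gt 0) {
    Write-Output "$($healthy.Count) credential(s) valid beyond $RenewBeforeDays days; nothing to do."
    return
}

# Create the replacement with an explicit, bounded lifetime. The secret value is only
# returned by this call, so it is written to Key Vault immediately.
$new = New-AzureADApplicationPasswordCredential -ObjectId $AppObjectId `
    -StartDate $now -EndDate $now.AddDays($NewSecretLifetimeDays)

# Mirror the credential's expiry on the Key Vault secret so the vault can track it too.
$secure = ConvertTo-SecureString -String $new.Value -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName `
    -SecretValue $secure -Expires $new.EndDate | Out-Null
Write-Output "Stored new credential (KeyId $($new.KeyId)) as $VaultName/$SecretName"

# Remove credentials that have already expired. Still-valid ones are kept so clients
# can pick up the new value from Key Vault before the old one stops working.
foreach ($c in $creds | Where-Object { $_.EndDate -le $now }) {
    Remove-AzureADApplicationPasswordCredential -ObjectId $AppObjectId -KeyId $c.KeyId
}
```

Run on a schedule (an Automation runbook or a timer-triggered job under an identity that has Application.ReadWrite.OwnedBy on the app and set permission on the vault), this gives the tracking the question asks for: the check is driven by the credentials' own EndDate values, and the only place the new secret value is written is Key Vault.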

Unexpected issuerAssignedId when trying to configure multi-tenant login using custom policies for Azure B2C

I have an existing IdentityServer4 installation that is used to federate users between things like Google & Microsoft into a single login identity. In my situation, there are no local user credentials/passwords. Just the identity with an associated external provider. I'm trying to migrate to using Azure B2C and am hitting some roadblocks.
I've found that if I use the same ClientId and ClientSecret that IdentityServer is configured with, then I get the same IDs for users when signing in via an external identity provider. Which is great because I need them to be the same in order to try and migrate accounts over by reading them from the existing MSSQL database, and importing into Azure B2C using MS Graph.
I need to allow both Microsoft work accounts, as well as personal ones. So I need to use custom policies to allow for a multi-tenant configuration, since the built in provider doesn't support this.
However, as soon as I flip my implementation over from the built-in user flows and provider to using custom policies, I don't get the expected issuerAssignedId anymore. Originally, the IDs looked something like AAAAAAAAAAAAAAAAAAAAAHGFdaj94jfdsgjifdh4ngd (made up, but you get the idea). Now with the custom policies, the issuerAssignedId being recorded in the B2C user looks like a GUID. So not just a different value, but a totally different format. Am I missing something here? What would happen if someone had a fully operational Azure B2C install with built-in functionality, and later identified a need to move to custom policies? How would users ever be able to get into their existing accounts with an external identity provider?
My TechnicalProfile for the multi-tenant sign-in is essentially copy/pasted from their documentation, so I'm not sure what the deal is here?

Are the Azure Client Id, Tenant, and Key Vault URI considered secrets?

I'm getting up to speed with Azure and trying to follow best practices for securing my WPF and Xamarin.Forms apps.
I'm using Azure AD for authentication and Key Vault for my secrets.
What about my Client Id and Tenant settings? These are required to make the initial connection to Azure to log in.
The endpoint URI is also required to make a call to the Key Vault.
Are the Client Id, Tenant, and Key Vault endpoint considered secrets, or am I overthinking this? I understand that without authenticating, no one can access or make use of these.
What about checking these into source control? Is this OK?
Greatly appreciate your thoughts and insights.
Karl
TenantId is hardly a secret. You can get the tenant metadata of any Azure AD tenant using the following URL:
https://login.microsoftonline.com/{tenantID/domain}/.well-known/openid-configuration
For example
https://login.microsoftonline.com/microsoft.onmicrosoft.com/.well-known/openid-configuration
ClientId also travels in HTTP URLs and thus is not that hard to find out. That's why the focus should be on effectively protecting access to the app using either token validation or user assignment.
Managed identities for Azure resources are available to help avoid checking any credentials into source control, and are especially useful with Key Vault.

WSO2 Identity Server - How to map a User Store to a service provider for Authentication?

We are trying to build an application which is going to use WSO2 Identity Server to authenticate with IdP-initiated SSO.
I have tried out the travelocity.com example in the WSO2 IS tutorials, and I can understand that the "default" authentication type as Local Outbound Authentication uses the Primary user store to perform authentication.
What I need to understand is, how do I map a UserStore to work with a particular service provider, given I am performing IdP-initiated SSO?
Is it something I can manage inside the WSO2 Management Console? Or do I have to modify the authenticationendpoint webapp?
It isn't limited to the PRIMARY user store; if you have multiple secondary user stores, it'll try to authenticate the user with every user store until the authentication is successful.
Limiting a user store to a certain service provider is currently not available in the Identity Server, but you can write a custom authenticator and achieve this requirement. Here is a guide on how to write a custom local authenticator. Basically what you have to do is override the processAuthenticationResponse method and pick the user store accordingly.
Based on your described requirement, I would like to suggest another approach to achieve the same.
In WSO2 Identity Server you have the capability to engage a policy in the authentication flow. So using a policy we can restrict which user stores are allowed for a particular service provider.
Check out https://medium.com/#Pushpalanka/application-wise-authorization-wso2-identity-server-user-store-per-service-provider-dfea5f9ad758 for a detailed explanation.

Identity Server 3 AngularJS with .Net Web API

We are planning to integrate IdentityServer3 in a single-page application using AngularJS with .NET Web API.
1) Need to create an identity token and OAuth token for the application and store the identity token in a browser cookie. So I am taking the Hybrid approach and need to map the identity to create the OAuth token, so both users and the API are protected. I am able to create the OAuth token, but struggling with how to authenticate using a custom login page (not the IdentityServer3 login page) where the user id and password are validated from the AngularJS page, and then create the identity token and store it in a browser cookie.
Has anyone implemented a custom login approach with identity token creation using IdentityServer3?
2) How to integrate IdentityServer3 with Active Directory as the user data store?
Please provide comments.
Thanks
Regards
Ramkumar.C
For Active Directory(AD) user store, implement Identity Server as a Relying Party to your AD implementation. You can then simply integrate it within Identity Server as an external Identity Provider. Details on how to do this are in the official documentation: https://identityserver.github.io/Documentation/docsv2/configuration/identityProviders.html.
I assume you'll be doing this over WS-Federation, so you'll need to use the Microsoft.Owin.Security.WsFederation package.
If you want to use just AD as your user store, you can disable local logins in the IdentityServerOptions, set AD as the only Identity Provider for your Client using the IdentityProviderRestrictions property or use the acr_values property of idp when using the Authorization endpoint.
Regarding a custom login page external to Identity Server, many people have asked about this on the Identity Server issue tracker. Some have made implementations, but FYI: the team behind Identity Server do not recommend this approach.