How to skip login page when using Windows identity in IdentityServer4? - identityserver4

I have an MVC client app authenticated by IdentityServer4 using Windows external identity (not Azure Ad). It is working fine except that each time I run the app, the IdentityServer4 login page will display and I need to click on the "Windows" button to continue. My guess is, there must be a way that I can bypass these unnecessary steps, taking "Windows" as default, and login "silently". Can that be done? If so, how?
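The behaviour asked for is what the IdentityServer4 Quickstart UI does on its own once the login page has exactly one way in and that way is an external provider. The following is an added example, not code from the question or from the IdentityServer4 project's shipped files: the client id "mvc", the secret, the URLs, the scheme name "Windows" (the name the Quickstart's AccountOptions uses for Windows authentication) and the `scheme` parameter name of ExternalController.Challenge are assumptions matching a recent Quickstart UI.

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// --- IdentityServer side: client definition (Config.cs) ---
public static class Config
{
    public static IEnumerable<Client> GetClients() => new List<Client>
    {
        new Client
        {
            ClientId = "mvc",                                   // assumed client id
            AllowedGrantTypes = GrantTypes.Hybrid,
            ClientSecrets = { new Secret("secret".Sha256()) },  // placeholder secret
            RedirectUris = { "https://localhost:5002/signin-oidc" },
            AllowedScopes = { "openid", "profile" },

            // No username/password form for this client, and "Windows" is the
            // only provider the login page may offer it. With exactly one
            // external provider and local login disabled, the Quickstart's
            // LoginViewModel.IsExternalLoginOnly evaluates to true.
            EnableLocalLogin = false,
            IdentityProviderRestrictions = { "Windows" }
        }
    };
}

// --- IdentityServer side: the relevant part of the Quickstart AccountController ---
public class AccountController : Controller
{
    [HttpGet]
    public async Task<IActionResult> Login(string returnUrl)
    {
        var vm = await BuildLoginViewModelAsync(returnUrl);

        if (vm.IsExternalLoginOnly)
        {
            // Exactly one way in and it is external: skip rendering the page
            // and issue the Windows challenge directly. This is the same
            // action the "Windows" button on the login page would invoke.
            return RedirectToAction("Challenge", "External",
                new { scheme = vm.ExternalLoginScheme, returnUrl });
        }

        return View(vm);
    }

    // BuildLoginViewModelAsync and the remaining actions are the unchanged
    // Quickstart code and are not repeated here.
    private Task<LoginViewModel> BuildLoginViewModelAsync(string returnUrl)
        => throw new System.NotImplementedException("Quickstart implementation");
}

// --- MVC client side (Startup.cs): per-request hint instead of a server-side restriction ---
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
            {
                options.DefaultScheme = "Cookies";
                options.DefaultChallengeScheme = "oidc";
            })
            .AddCookie("Cookies")
            .AddOpenIdConnect("oidc", options =>
            {
                options.Authority = "https://localhost:5001";   // assumed IdentityServer URL
                options.ClientId = "mvc";
                options.ClientSecret = "secret";                 // placeholder secret
                options.ResponseType = "code id_token";
                options.SaveTokens = true;

                // IdentityServer4 reads "idp:<scheme>" from acr_values and exposes
                // it as AuthorizationRequest.IdP; the Quickstart then builds a
                // login model containing only that provider, so the page is
                // skipped for this request even if the client is unrestricted.
                options.Events.OnRedirectToIdentityProvider = ctx =>
                {
                    ctx.ProtocolMessage.AcrValues = "idp:Windows";
                    return Task.CompletedTask;
                };
            });
    }
}
```

Of the two routes, the client restriction on the IdentityServer side is the one to rely on: `acr_values` is only a hint the client sends, and the Quickstart still verifies the requested scheme exists before honouring it. Once either is in place, a browser that already holds a domain logon reaches the MVC app without seeing a prompt at all, which is exactly the "silent" behaviour requested, so the Windows scheme should be registered only for the IdentityServer host where that is intended.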

Related

SaaS Application with Azure AD authentication as MS Teams App with App Studio

My company is using this service Aha! Ideas for internal idea-sharing. Everything is set up correctly with Aha! and the page site loads and requests the email for the user. Once they put it in, the Microsoft credentials from the host machine are used as an SSO and they are redirected to the secure page. On machines where the user has not authenticated against our domain on the workstation, they are redirected to the Microsoft login and after they login, the user is redirected to the site.
So Great!! that is all working perfectly.
Now, I go into App Studio in Microsoft Teams and set up the site to load as an App in the Sidebar. I have added the main URL as a tab, I have set up the Valid Domains and included login.microsoftonline.com and I have set ADD App ID to the one used in the SAML2 setup of Aha!.
When I load the app I get the page requesting my email, this is from Aha!, and when I submit it should use SSO from Teams to log me in. I am logged in to Teams using my company Microsoft Account. At a minimum, it should redirect to the login.microsoftonline.com and request my username and password. Instead, I get nothing but a blank page.
Anyone have any ideas as to why it's not working, or what I might have done wrong?
'SSO' in the truest sense with Teams -definitely- won't work - it requires changes to the app itself, which you don't control, but even aside from that, depending on how the app ends up doing its authentication, this still might not work, as you're seeing. Is there maybe a chance Aha! is working on Teams integration?

AngularJS hash # problem after Azure B2C Sign Up policy redirects to application

What we'd like to do is to automatically Sign In\Login the user after they successfully Sign Up.
Let's say the user got an invitation for the application. They go to the Sign Up page, fill out the form and click the Create button. If all is OK, the user is added to Azure B2C directory and then we'd somehow have the Sign In policy run automatically OR some other way of logging in automatically.
So I just want to know if this is viable or not when using Azure B2C.
EDIT
After further debugging I see what is the problem...
We have an old AngularJS (1.6) SPA application.
An #id_token is sent back from Azure B2C after the user completes the Sign Up process... however after the URL in the browser has the #id_token, control is not passed to the application, that is, OWIN middleware is not being called. For the Sign In it works as expected since it starts from within the SPA itself. The user clicks the Login button and is redirected by msalService.loginRedirect.
The Sign Up policy execution is different because it starts by an e-mail invitation link only. So it's not from within the SPA itself.
The hash portion of #id_token is being messed up by AngularJS once Azure B2C redirects back to the app.
I already played with AngularJS $locationProvider.html5(true) mode but it did not work.
What I'm trying to do now is to redirect to a custom signup.html reply URL and then return to the AngularJS app but I'm not sure how to wire up this.
By default, at the end of a flow (i.e. all built-in flows except the password reset flow and all custom flows except the password reset flow), an SSO session is generated for the user so, in effect, they are signed in after sign-up.
Therefore, the default experience in the same session is that, if a user signs up for App A and then is redirected to sign in for App B, then they won't be prompted to re-authenticate.
You can configure the sign-up and sign-in flows so that they issue the same claims so applications can handle the sign-up and sign-in callbacks with the same behavior.

How to manage multi user in the same browser application without having to logout/login all the time with azure ad/application

With Azure AD application I need to be able to login multi users in the same browser on the same computer and switch between them without having to login/logout all the time.
Now, every time I try to log in another user, I need to log out the current one!
You can set prompt=select_account on the login requests from your app. This will force account selection each time, instead of just signing in with active account.
You can see documentation for this at: https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code
Then it's a matter of handling those multiple sessions on your app's side.

How to list all registered applications in identity server for a user?

I am using IdentityServer3 for authentication. The IdentityServer has 3 applications configured.
https://www.app1.com
https://www.app2.com
https://www.app3.com
A user is registered for all 3 applications. Currently the user has to go to the respective application URL (for example https://www.app1.com), which redirects the user to IdentityServer for authentication, and upon authentication the user gets redirected back to the app web site.
Is there a way to configure IdentityServer where the user directly goes to IdentityServer, gets authenticated and then IdentityServer lists all the applications that the user has access to? Here the user would choose the application he wants to log in to.
Give your users a link to the IdentityServer login page. After login, display a form (with tiles or links or something) where the user can choose the application.
Make sure that the link to the application sends the user to a secured page (or a method where you challenge the user). This would cause the application to redirect the user to IdentityServer, which notices that the user is already identified (cookie), returns to the application where the user is automatically logged in.
In case the user wants to quit the application, redirect back to the tiles page to choose another application.
Please note that a user is not specifically bound to one application. Once logged in, the user can access all applications. If you want to allow specific access, you may want to solve this with claims.
P.S. I didn't notice you are using IdentityServer3 as you also tagged this as IdentityServer4. But I would expect this would work the same for both versions.

Active Directory and User Management

I'm very new to LDAP and Active Directory and I'm probably understanding something completely wrong.
I know ASP.NET Identity and forms authentication (however, I'm also quite new to that) and my question is actually if it is possible to use certain features you can use with forms authentication (explanation further below) with Active Directory.
I'm building an MVC web application and I'd like to authenticate my users against Active Directory. That would be possible with ADFS. The template you get when using ASP.NET Identity in VS2013 uses passive authentication. Is it however possible to not do this redirect to the Active Directory domain but create a custom login page for the user?
Is it also possible to do user management with Active Directory like that is possible with forms authentication? I was thinking about:
A page where the user can register himself
Ability for the user to change his password (I know this is possible with ADFS, but the user may not be logged in. I want him to do this when he's logged in, with a self-made page.)
Logging in on a new computer should ask for a code specified in an email
Set up password policy in the application
... (Other things that I might have forgotten)
When these things aren't implicitly possible with Active Directory, please advise on how to configure the application to acquire this functionality (when possible with Active Directory).
Thank you very much in advance for helping me!
EDIT 1:
To leave my question not too open, I maybe better just start with that custom login page. When I understand it well, the normal flow when using ADFS to authenticate your users against is:
A user tries to access a web page of an application for which he needs to be authenticated
(Passive) redirect to a login page provided by ADFS -> user enters his AD credentials
ADFS returns token
Token is sent to the web application (that ADFS trusts)
When the web application thinks everything is ok, it stores an authentication cookie in the user's browser (I guess), and the user can access the web page
What I would like:
A user tries to access a web page of an application for which he needs to be authenticated
Redirect to a login page of that same web application where the user can enter his credentials
The entered credentials are sent to ADFS (I guess) and it returns something (a token?) with information about whether the login succeeded or not (This step could be preceded by a call to some (self-made) service (a Web API application) that multiple client applications could use for their authentication against the same directory)
When the login succeeded, the web application stores a cookie in the user's browser and the user is able to access the page
I don't know if that makes sense? I'm just wondering how companies that use Active Directory to store user information can still have a custom login page, registration page and other user management stuff. (Or don't they use AD but do they just have their own databases?)
Normally if you want a custom login page you use an ADFS active profile implementation (e.g. WCF) to do the authentication.
User provisioning is not part of ADFS. To do this you need an Identity Manager e.g. PingFederate, OpenIDM.
If you are using ADFS 2.0 or 2.1, you can customize the pages (because they run on IIS) and add these features or redirect to a separate website which does.
Most of what you want is OOTB AD functionality. Refer: Everything in Active Directory via C#.NET 3.5 (Using System.DirectoryServices.AccountManagement).
Password policy can be extremely complex. I don't know of any APIs that explicitly do this.
If you are using ADFS 3.0, there is no IIS so you are pretty much out of luck.
It's not really an answer to my question here, but if someone is interested in what I eventually did: you can read it (very briefly) here.
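The answers point at System.DirectoryServices.AccountManagement for the user-management pieces. The following is an added example, not code from the question or any answer above, showing what a custom login page, self-service password change, registration and account-status page look like against that API. The domain name "corp.example", the OU "OU=SelfService,DC=corp,DC=example" and the service-account parameters are assumptions; the code targets Windows, where the System.DirectoryServices.AccountManagement assembly is available.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

public static class AdAccountService
{
    private const string Domain = "corp.example";                       // assumed domain DNS name
    private const string SelfServiceOu = "OU=SelfService,DC=corp,DC=example"; // assumed container

    // Custom login page: check a username/password pair against the domain.
    // Every call is a real logon attempt, so failures count toward the domain
    // lockout threshold; the calling page must throttle repeated attempts.
    public static bool ValidateLogin(string username, string password)
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return false;

        using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
        {
            return ctx.ValidateCredentials(username, password, ContextOptions.Negotiate);
        }
    }

    // Self-service password change for an already logged-in user. Binding with
    // the user's own credentials means AD, not the application, enforces the
    // domain password policy (length, history, complexity, minimum age); a
    // violation surfaces as PasswordException instead of logic the app must
    // re-implement, which addresses the "set up password policy" item.
    public static bool ChangeOwnPassword(string username, string oldPassword, string newPassword)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, Domain, username, oldPassword))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, username))
        {
            if (user == null) return false;
            try
            {
                user.ChangePassword(oldPassword, newPassword);
                return true;
            }
            catch (PasswordException)
            {
                return false;   // rejected by policy, or the old password was wrong
            }
        }
    }

    // Registration page: create the account under a dedicated OU using a
    // service account that has been delegated create rights on that OU only.
    // The initial password is set, not chosen by the caller elsewhere, so the
    // only secret the web tier holds long-term is the service credential.
    public static bool CreateUser(string samAccountName, string email, string initialPassword,
                                  string serviceUser, string servicePassword)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, Domain, SelfServiceOu,
                                              serviceUser, servicePassword))
        {
            if (UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName) != null)
                return false;   // already exists

            using (var user = new UserPrincipal(ctx))
            {
                user.SamAccountName = samAccountName;
                user.EmailAddress = email;
                user.Enabled = true;
                user.SetPassword(initialPassword);
                user.Save();
                return true;
            }
        }
    }

    // Account state a self-service page can show to the authenticated user.
    // A login page should not surface this to an unauthenticated caller,
    // since it would reveal which accounts exist or are locked.
    public static string DescribeAccount(string username)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, username))
        {
            if (user == null) return "unknown account";
            if (user.Enabled == false) return "disabled";
            if (user.IsAccountLockedOut()) return "locked out";
            var lastSet = user.LastPasswordSet.HasValue
                ? user.LastPasswordSet.Value.ToUniversalTime().ToString("u")
                : "never";
            return $"enabled, password last set {lastSet}";
        }
    }
}
```

Two design points worth stating. First, a custom login form that collects domain credentials is the thing passive federation (ADFS, WS-Fed, OIDC) was designed to avoid, because the application now handles the user's domain password; if you do it anyway, serve the form only over TLS, never log the password, and keep ValidateLogin behind a rate limit. Second, the "new computer requires an emailed code" item is not something AD provides: it has to be implemented in the application, for instance as a second factor checked after ValidateLogin succeeds and before the authentication cookie is issued.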