SSO with Keycloak and Azure Active Directory - azure-active-directory

We have integrated keycloak with Azure Active Directory and integrated it with a few applications.
We have a few applications that are directly integrated with Azure Active Directory. Is there an approach I can follow to make a person logged in to one application to be signed in all the other applications irrespective of the authentication provider used (keycloak or Azure AD)?
Normally I'll be logged into all applications integrated with keycloak if I signin into one application integrated with keycloak and vice-versa with Azure AD.

Your requirement can be fulfilled with the app service feature by leveraging the token store and authorization behavior of the configured authentication providers for the apps configured. But only tokens received from keycloak can be forwarded to Azure AD for authentication purposes and further sign in respectively to all apps registered with Azure AD. The reverse is not possible as keycloak doesn’t has the ability to forward the sign in token request received for the application configured back to Azure AD for authorization.
You will have to enter the REST API code for signing in and out of a session accordingly by incorporating the below likewise code in your environment.
Log in with the Microsoft Identity Platform
Log in with Facebook
Log in with Google
Log in with Twitter
Log in with Apple
Please find the below documentation for an approach on forwarding the authentication tokens from Keycloak to Azure AD for access authorization: -
https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-customize-sign-in-out
Thanking you,

Related

Multi tenant SAML SSO app installed with OAuth flow?

I have a multi tenant enterprise app. It authorises a few graph API permissions when installed and has SAML SSO configured. The whole idea is that my customers can install this and in one process grant my application access to their tenant, and setup SSO for that customers users.
The graph API permissions work totally as expected, I get the needed access to the tenants who installed the app.
Then there is the SAML SSO part. That's just totally not working. In my test tenant where I installed my app, it says that the app has SAML SSO and that it is only application owner who can configure - all fine.
I then try to log in (to the web app using this SSO configuration) with a user from my test tenant - no luck!
First I thought that it had to do with the user not being assigned the app, but it complains the the application in tenant A is not available for user in my test tenant and the user should be added to tenant A. That of course is not a solution since I want to use this for customers.
So right now I am stuck with 2 app's. One gallery app for SAML SSO and my app granting API permissions. It works, but it just seems SO stupid. Isn't there a better way?
Azure AD SAML applications are not intended to be multi-tenant, this is why you need to invite external users as guests.
It's worth to mention it's possible for an Azure AD app to support both OIDC/OAuth2 and SAML and thus rely on the same session cookie to obtain an access token for MS Graph.
If you need multi-tenancy, you should use modern protocols such as OpenID Connect for authentication and OAuth2 for authorization. MS Graph relies on JWT access token anyways.

How to use Primary Refresh Token (PRT) to retrieve Access Token in AzureAD

Is it possible to use a Windows PRT in browser to receive Access Token to call an Azure protected web API from a web app?
Please check this concept of primary refresh token in Azure AD which says
A Primary Refresh Token (PRT) is a key artifact of Azure AD
authentication on Windows 10 or newer, Windows Server 2016 and later
versions, iOS, and Android devices. It is a JSON Web Token (JWT)
specially issued to Microsoft first party token brokers to enable
single sign-on (SSO) across the applications used on those devices.
Device registration is a prerequisite for device based authentication in Azure AD. A PRT is issued to users only on registered devices.
According to Key considerations
A PRT is only issued and renewed during native app authentication.A PRT is not renewed or issued during a browser session.
When an app requests token through WAM, Azure AD issues a refresh
token and an access token.
(we know Access tokens enable clients to securely call protected web APIs, and are used by web APIs to perform authentication and authorization according to scenario-web-app-call-api) but PRT is not issued during browser session.
Azure AD WAM plugin is an Azure AD specific plugin built on the WAM framework, that enables SSO to applications that rely on Azure AD for authentication.

Authentication with App Service using Azure B2C not working

I'm trying to integrate Azure AD B2C with my App Service using the Authentication / Authorization menu in the portal (also called EasyAuth).
This is what I did:
Registered the application in Azure B2C
Recorded the App ID
Defined user flows (just Sign In)
Set up identity provider (Azure AD)
Tested the user flow, with Redirect URI pointing to jwt.ms, to see the result - works fine
Enabled Authentication / Authorization in the App Service in the Portal
Configured Azure AD authentication with the App ID from above and the link to the endpoint metadata
But now, when I access the App Service, I'm redirected to a "Logging in..." page which immediately goes to the jwt.ms page, with no JWT data, no login page, and no opportunity to enter my credentials.
Just an empty jwt page.
I couldn't find anything in the docs that can explain this.
What am I missing?

Azure B2B direct federation with Auth0 as IDP

Azure B2B gives simple steps for direct federation with google and facebook.Though, i don't see any documentation to establish direct federation with Auth0 or Okta. I tried myself with Auth0 at the time or invitation my user succesfully login with auth0 account but after redirection to invitation.microsoft.com getting redemtion failure.
Can someone give me steps to setup Auth0 as IDP and then configure that with Azure AD direct federation.
https://auth0.com/docs/protocols/saml-configuration-options/configure-auth0-as-saml-identity-provider
i have already setup everything as mentioned in above document but still not able to redeem invitation after login.
Any help would be highly appreciated!!!
Azure AD B2B can be configured to federate with identity providers that use the WS-Fed or SAML. There is no specific Document for direct federation either from OKTA or Azure. From Azure end Direct federation is only allowed for policies where the authentication URL’s domain matches the target domain, or where the authentication URL is one of these allowed identity providers as per this document. I recommend you to open a support case with Auth0 since it involves multiple parties.

MSAL.Net connecting to Azure AD federated with ADFS

We are building applications in ASP.Net MVC and Web API that use a range of OAuth 2 features - AcquireTokenByAuthorizationCode (using microsoft.identity.web), AcquireTokenSilently, AcquireTokenOnBehalfOf, AcquireTokenForClient for different parts of the application landscape.
The applications use MSAL.Net to interact with Azure AD and users provisioned in it to provide access to resources and that works ok.
We are now looking at building a connect back to the organization's on-prem maintained user accounts so the end users are not duplicated in AAD and on prem, so ADFS maintained in the org is an option. Considering the ADFS instance to be 2016, the one option to have MSAL.Net work with ADFS appears to be having Azure AD federated with ADFS as explained in this article:
https://learn.microsoft.com/bs-latn-ba/azure/active-directory/develop/msal-net-adfs-support
The article only discusses AcquireTokenInteractive and I do not see explanation that other MSAL.Net operations are supported on having AAD federated with ADFS. I would assume that is true, and we have to run through our tests after we have it all configured, but meanwhile,
would anyone have any experience or documentation around having the range of operations with MSAL.Net (and even msal.js) and AAD work OK when AAD is federated with ADFS?
So I went ahead and tried this for myself, setting a VM up in Azure, installed Active Directory, AD FS and configured the federation between Azure AD and the VM AD FS as per the article https://learn.microsoft.com/en-us/azure/active-directory/b2b/direct-federation-adfs.
Then validated the different OAuth features used by our application, specifically (I would expect other oauth features to work as expected too based on the below observations):
AcquireTokenByAuthorizationCode
AcquireTokenSilently
AcquireTokenOnBehalfOf
AcquireTokenForClient
All these feature work as expected. The user is redirected to org login page and redirected back to the application.
A couple of observations along the way
The refresh token lifetime is 12 hours when working with On premise AD credentials integrated via ADFS instead of the few days when user is provisioned in AAD. This is apparently to mitigat the risk of user information changing e.g. password change. If the browser is idle for > 12 hours, re-login by the user is required.
Once authenticated, further OAuth operations do not involve On prem AD / ADFS. The operations are against Azure AD, any browser redirects are to Azure AD for re-auth.

Resources