Salesforce integration with APIM - azure-active-directory

Instead of using the Azure developer portal we are using Salesforce Experience cloud to integrate with Azure APIM. We have set up Azure AD as the identity provider in Salesforce and SSO for Salesforce with Azure AD as identity provider works fine. However we are not able to have a seemless integration with APIM from Salesforce and need assistance on what configurations with respect to tokens etc need to be explicitly passed from Salesforce in order to talk to APIM. With the ID token derived from Salesforce after the successful Azure Active Directory authentication / authorization we are unable to make successful restful callouts to APIM identity from Salesforce. We have looked at https://lekkimworld.com/2019/11/18/using-an-auth-provider-and-named-credentials-in-salesforce-with-azure-oauth/ however would really appreciate pointers on how to do a seamless single sign on from Salesforce to APIM.
Thanks.

Related

Where to implement Azure AD B2C with React frontend and ASP.NET Core 6 backend

I am looking to implement Azure AD B2C into my web application for user authentication.
However, I am unsure of the desired practice when you have a separate frontend from backend.
Frontend: React JS web application running on Node.js
Backend: ASP.NET Core 6 API application
Server: Microsoft SQL Server
I would like to also have users / user information stored in the database upon creation. This is because I need to reference these users in several different relational tables.
What is the best workflow with this?
Azure AD B2C is implemented in frontend. When a user is created, an API request is sent to the backend to create the user in the database. If it is successful, a user cookie is created on the frontend for authentication.
Azure AD B2C is implemented in the backend. When a user is submitted in the frontend, an API request is sent to the backend where the Azure AD B2C service creates a user, stores it in the database, and sends a callback to the frontend signifying the action was either successful / unsuccessful, along with a user cookie for authentication.
other
I am new to authentication cookies, and user sessions, so any documentation provided regarding that would be greatly appreciated.
• I would suggest you use ASP .NET MVC 2 or another version as the front-end client and integrate Azure AD B2C tenant and an app registered in it as described in the document below. Once you have the Azure AD B2C tenant registered and the required application for authentication configured, configure the custom policies and user flow accordingly. Once those are done, then secure that application with Azure AD B2C for login and authentication with guest authentication. Then, ensure that your backend application is integrated with Azure SQL or cosmos DB for storing the details of all the users signed in with the Azure AD B2C. For that purpose, you will have to give Azure AD B2C application registration, the required permissions for that concerned Azure resource for allowing to access the same and retrieve the user details from it. Thus, in this way, you can configure your application accordingly.
Kindly refer to the link below for more information and details on configuring the infrastructure for the same: -
https://www.codeproject.com/Articles/1121503/Integrate-Azure-AD-B-C-with-ASP-NET-MVC-Web-App-Pa
https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-authentication-sample-web-app?tabs=visual-studio

Integration between Azure and Google - SSO and User Provisioning from Google to Azure

We have G Suite as an identity provider in our company. Some of users also use Azure and Office 365. We want to be able to login by using Google account to Azure Ad and later have this account in AD and assign roles and groups in AD and whole Azure. We want to change passwords in Google etc.
How to setup SSO from Google to Azure?
Azure AD supports the concept of Identity Providers for External Identities. You can read about it here on Microsoft Docs.
You could enable users from identity providers like :
Google
Facebook
Direct federation (to external identity providers that support SAML or WS-Fed protocols)
Since you specifically mention G suite as an identity provider in your company, Direct federation may be the most relevant one for you. I say this because using Google federation directly is designed for Gmail accounts as mentioned in the note here on Microsoft Docs
How to setup Direct Federation is explained in detail here on Microsoft Docs
Please note that
This feature is currently in Preview
There some important limitations in terms of domain requirements and authentication URL as stated here on Microsoft Docs

Will Azure AD SCIM integration delete pre-existing users created directly into Snowflake?

Hi I'm following the steps outline into:
https://docs.snowflake.com/en/user-guide/scim-azure.html
But I couldn't find any documentation explaining whether this user sync will affect my existing Snowflake users (the ones that have been created straight into Snowflake before the AD integration)
I believe the reference you are looking for is here:
See the note section of: https://docs.snowflake.com/en/user-guide/scim-azure.html#enabling-snowflake-initiated-sso
"By default, Azure AD users provisioned to Snowflake using SCIM are
not assigned a password in Snowflake. This means that if SAML SSO is
configured in Azure AD, users will authenticate to Snowflake using
SSO.
SAML SSO is not a requirement if using SCIM to provision users and
groups from Azure AD to Snowflake. For additional options, see
Configure Azure AD single sign-on."
To enable Snowflake Initiated SSO
https://docs.snowflake.com/en/user-guide/admin-security-fed-auth-configure-snowflake.html#label-enable-snowflake-init-sso
Snowflake support confirmed that the existing users are NOT affected by any SCIM integration and I tested it with success, nothing happens to the existing users.

Azure bus integration with GO based application

We are trying to connect to Azure service bus entity from "GO" language application & the integration with Azure service bus entity is possible by supplying either SAS token or Azure AD OAuth2.0 token which will be obtained via security principals. Technically I prefer security principals option rather than SAS token as it has security vulnerabilities.
How to acquire OAuth2.0 token from Azure AD using language like "GO" for which Azure AD SDK is not available?
Is it possible to make direct call to Azure AD REST APIs to access OAuth2.0 token? if yes some code sample would be helpful otherwise please suggest suitable options.
Here are available authentication methods for Go.
Also, you can make a direct call to get the access token.
https://login.microsoftonline.com/{tenant}/oauth2/token
Reference:
OAuth 2.0 client credentials grant
Authenticate and authorize an application with Azure Active Directory to access Azure Service Bus entities

Azure AD B2C - Client Credential flow not supported . Workarounds Available?

Referred the following stack overflow post Azure B2C client credentials grant
We are presently using Azure B2C.
I understand that Azure B2C does not support the client credential flow for now.
We have a requirement where an external application (server Application outside our organization) needs to access our resource (api hosted within our organization)
Is there any way we can do this from Azure AD-B2C or would we need Azure AD-B2B for these type of requirements. ?
Currently, your specific scenario -- where you are needing an access token to be issued for access by a daemon or server app to your API app -- isn't supported, however you can register the API app through the “App Registrations” blade of the Azure AD directory for your Azure AD B2C tenant.
You can upvote support for the client credentials flow by Azure AD B2C at:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/18529918-aadb2c-support-oauth-2-0-client-credential-flow
If the API app is to receive tokens from both a web/native app as well as the daemon/server app, then you will have to configure the API app to validate tokens from two token issuers: one being Azure AD B2C and other being the Azure AD directory for your Azure AD B2C tenant.
You should not do this anyway.
Instead, provide a portal for your customers where they can manage api keys.
Implement api keys as a second auth schema in your Api

Resources