Unable to login more than one account of the same domain when using Azure AD as the IdP for G Suite - azure-active-directory

I'm using the Google Cloud connector application to use our Azure AD account as a Single Sign-On with SAML SSO to access our G Suite accounts. If I try to log in more than one user from our G Suite account, the page automatically gets redirected to the previously logged in account instead of asking me for the password for the new account.
Consider two accounts A and B belonging to the same domain XYZ. I'm not able to log in B as an additional account in a Google service like Gmail if A is already logged in. After I enter the email B, if I click on continue in the Google Sign-in page, instead of taking me to the Microsoft SSO page, I directly get redirected to the mailbox of A. If I log out of account A and then try to log in to account B, it's working fine. The behaviour gets replicated across browsers.
https://www.awesomescreenshot.com/video/2388498?key=4e3527ba1445fdd0c28fefebeca8ef6a
Please refer to the above video to watch the behaviour. Thank you.

You can attach &prompt=login in the redirect URL or Start URL in Google.
Request an authorization code

Related

How to restrict mailbox access in azure active directory application

I am able to read other users' email using the Microsoft Graph API. Need guidance as to how to restrict mailbox access so that users can view their own email alone.
I created an Azure admin and added 3 users. I registered an app and granted the Mail.ReadWrite API permission. I generated a token and was able to read other users' email. Need guidance as to how mailbox access can be restricted to a specific user, so that a particular user can access their own email.
Need guidance as how to restrict the users from accessing other users email
Client credential allows the app to read all the information that it has access to without a user. It means that anyone who opens the app can see the information. See Get access without a user.
What you need is Get access on behalf of a user.
To get an access token, the user is redirected to the Microsoft identity platform /authorize endpoint. In the authorization code grant flow, after consent is obtained, Azure AD will return an authorization_code to your app that it can redeem at the Microsoft identity platform /token endpoint for an access token.
At last, use this access token to access the emails of the logged in user. You won't see other users' emails.
I was able to restrict my app to access specific user email by creating an application policy. This link helped me to achieve this https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access Now I am using client credential to generate app level token and access specific users email.
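To tell which of the two flows discussed above produced a given Graph token, inspect its claims: app-only (client credentials) tokens carry application permissions in `roles`, while delegated tokens carry scopes in `scp`. This is an added example, not code from the original posts; the sample tokens and the `example.com` user are constructed, and the payload is decoded without signature verification, for inspection only.

```python
import base64
import json

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims):
    """Build an unsigned, constructed JWT for this demo (not a real token)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return header + "." + _b64url(json.dumps(claims).encode()) + "."

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def mail_reach(token):
    """Classify a token by the mailbox access its claims imply."""
    claims = jwt_claims(token)
    roles = claims.get("roles") or []            # application permissions
    scopes = (claims.get("scp") or "").split()   # delegated permissions
    app_mail = sorted(r for r in roles if r.startswith("Mail."))
    user_mail = sorted(s for s in scopes if s.startswith("Mail."))
    if app_mail:
        # Tenant-wide unless an application access policy scopes it down.
        return ("app-only", "all mailboxes unless restricted by policy", app_mail)
    if user_mail:
        return ("delegated", "signed-in user's mailbox", user_mail)
    return ("none", "no mail permission in token", [])

# Constructed samples: one per flow described in the answers above.
APP_TOKEN = make_sample_token({"appid": "00000000-0000-0000-0000-000000000000",
                               "roles": ["Mail.ReadWrite"]})
USER_TOKEN = make_sample_token({"appid": "00000000-0000-0000-0000-000000000000",
                                "scp": "openid profile Mail.Read",
                                "upn": "a@example.com"})

if __name__ == "__main__":
    for name, tok in (("client credentials", APP_TOKEN), ("auth code", USER_TOKEN)):
        print(name, "->", mail_reach(tok))
```
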

App needs permission to access resources in your organisation that only an admin can grant

We have created a converged application for a public community (AD & live users can login) using Microsoft Graph and the scopes openid, email, profile and user.readBasic.all.
Everything works fine for live users, but some of the AD users are not able to log in. When they try to log in, they get the message:
"App needs permission to access resources in your organization that
only an admin can grant. Please ask an admin to grant permission to
this app before you can use it."
As per the Microsoft document, we have prepared the admin consent URL as
https://login.microsoftonline.com/<TenantID>/oauth2/authorize?client_id=<AppID>&response_type=code&redirect_uri=<RedirectURI>&prompt=admin_consent
Even after admin consent, users are not able to log in to the app. Please help us with what we are missing here.
Your URL is for the v1 Endpoint, not the v2 Endpoint (aka converged endpoint).
It should look like this (line break for readability):
https://login.microsoftonline.com/common/adminconsent?
client_id=[APPLICATION ID]&redirect_uri=[REDIRECT URI]
Note that it is /adminconsent rather than /authorize and there isn't a prompt query parameter. Also keep in mind that you'll need to ensure your registration includes the scopes you want the consent for.
I've written an article that walks you through the entire process that should prove helpful here: v2 Endpoint and Admin Consent
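The admin consent round trip described in this answer, as an added example that is not part of the original posts: it builds the `/adminconsent` URL in the shape shown above, flags the v1-style URL from the question, and validates the redirect back to the app. The `state` request parameter and the `admin_consent`, `tenant` and `error` callback parameters are taken from Microsoft's admin consent endpoint rather than from this page; the client ID, redirect URI and tenant value are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

ADMIN_CONSENT = "https://login.microsoftonline.com/{tenant}/adminconsent"

def build_admin_consent_url(client_id, redirect_uri, tenant="common"):
    """Return (url, state). No prompt parameter, per the answer above."""
    state = secrets.token_urlsafe(16)  # anti-CSRF value, checked on return
    query = urlencode({"client_id": client_id,
                       "redirect_uri": redirect_uri,
                       "state": state})
    return ADMIN_CONSENT.format(tenant=tenant) + "?" + query, state

def looks_like_v1_consent(url):
    """True for the question's pattern: /oauth2/authorize + prompt=admin_consent."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    return (parts.path.endswith("/oauth2/authorize")
            and query.get("prompt") == ["admin_consent"])

def parse_consent_callback(callback_url, expected_state):
    """Validate the redirect back to the app; return the consenting tenant."""
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    # Constant-time compare; reject callbacks this session did not start.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in query:
        raise PermissionError(query["error"][0])
    if query.get("admin_consent", [""])[0].lower() != "true":
        raise PermissionError("admin consent was not granted")
    tenant = query.get("tenant", [""])[0]
    if not tenant:
        raise ValueError("callback carries no tenant")
    return tenant

if __name__ == "__main__":
    url, state = build_admin_consent_url("APPLICATION-ID", "https://app.example/cb")
    print(url)
    # Constructed callback, as the app would receive it after an admin consents.
    cb = "https://app.example/cb?admin_consent=True&tenant=TENANT-ID&state=" + state
    print(parse_consent_callback(cb, state))
```
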

Not being prompted for OAuth consent when logging into web application

I am writing a SPA web app that is registered as an app in Azure AD. Everything was working fine most of the week; however, when I went to work on it today, I wasn't getting the expected results.
I deleted and recreated the app registration, hoping it would fix the issue, but it made things worse. When I navigate to the URL, I'm redirected to log in to Azure AD. That part works fine. Since I just created the app registration, I would expect to be taken to a page to consent to the application, but instead I'm redirected back to my application.
I check the app registration in Azure, and it does not have me listed as a user of the application.
Because of all of this, I can't acquire tokens to call external APIs (which I have registered in my app registration).
I'm not sure why I am running into this all of a sudden. Any thoughts on why the OAuth consent is being bypassed? I'm starting to wonder if MSFT is having service issues or not, but more than likely, the problem is on my end.
Suggestions on how to troubleshoot are also welcomed!
There are two things you can do to give consent that will likely fix your app. From what it sounds like, your app isn't consenting before you use ADAL.js acquireToken (which is a silent call and can't consent).
Go into the Azure Portal > Azure AD > the app you registered, then at the top hit Grant Permissions. This is the equivalent of admin consent and will consent for all users in your tenant.
Run your app and hit login. When you get redirected to the Azure AD sign in page, add to the url &prompt=consent, hit enter and reload the page w/ that parameter and sign in. This will force the consent screen and consent for the current user. You can also append on the prompt=admin_consent if you're signing in w/ an admin account.

Get logged in user information in SAML Single Sign On google app engine

I am trying to get the user who is logged in via SAML Single Sign On.
I have already implemented SAML Single Sign On and it works.
The code I use for programmatic login is :
    import logging
    import gdata.apps.service
    from google.appengine.api import users
    apps = gdata.apps.service.AppsService(email=username, domain=domain, password=password)
    apps.ProgrammaticLogin()
    logging.info("current user %s", users.get_current_user())
    # Redirect to a Google mail page.
But users.get_current_user() returns None always even though correct username and password is provided. I have crosschecked it by redirecting the page to Google Mail page and it successfully redirects.
I have googled this issue for hours now; nothing goes the right way.
Can anyone please guide me as to what I am doing wrong?
There are three different things going on here. I just want to make sure they are clear for my suggested answer to make sense:
Google App Engine users service: You, as the developer, delegate authentication and authorization responsibility to Google Accounts (or the selected OpenID provider). Google will act as the Identity Provider and you'll act as the Service Provider.
SAML single sign on: Google delegates to you the authentication and authorization responsibility, you'll act as the Identity Provider and Google will act as the Service Provider. You'll be using SAML SSO every time you try to log in to any Google service using your Google Apps account; that includes Google App Engine applications using the users service.
ClientLogin: It is one of the methods for authenticating to use a Google API by giving username and password. It's deprecated, it's hard to maintain and insecure since you are hard coding the credentials and the app could have access to everything. I'd recommend switching to OAuth instead. In the first two lines of code you are initializing the Google Apps provisioning API with gdata.apps.service.AppsService; if you are not going to retrieve or create users/groups/aliases, it is useless to do that. If you are, I'd also recommend switching to the Directory API, part of the new Admin SDK.
For your particular case I'd suggest checking if there is a current user logged in, if not redirect to the login URL using the GAE users service.
    # Inside a request handler
    user = users.get_current_user()
    if user:
        logging.info("current user %s", user.email())
    else:
        return redirect(users.create_login_url(request.url))
In case you always require that the user is logged in, you had better set the handler as login: required
The user will be redirected to the SAML SSO page to log in to his Google Account in order to access the GAE app.

Custom domain app requesting permission to access Google Account

I refer here to the page you are redirected to after you log in to a GAE app with your Google account, which asks your permission to access your Google account.
Put this together with a custom domain and https and you get my problem.
Sorry for the lengthiness. I searched everywhere. Didn't find anything. Not sure it is an OAuth issue (think not).
My configuration:
developed myapp.appspot.com
configured custom domain myapp.mydomain.com to point to myapp
myapp is making use of GAE login service
need for https posts from custom domain (!), solved as follows:
page is loaded in HTTP from http://myapp.mydomain.com
some submit HTTPS URLs are hardcoded in the page, as https://myapp.appspot.com/someservice
same domain policy resolved server side by means of http headers
GAE login service applies both to http://myapp.mydomain.com handler AND https://myapp.appspot.com/someservice handler
The workflow is:
user not yet authenticated
user browse http://myapp.mydomain.com (not ssl)
user is redirected to google account login page
user logins
user is redirected to the abovementioned page: myapp is requesting permission to access user's google account
user grants his permission
user is in - OK
Now comes the problem:
user makes a submit to https://myapp.appspot.com/someservice (so that data is ssl transmitted), which is loginrequired decorated
login is ok, user is not again redirected to the login page,
I think this is because the Google login is cross-application (the same should happen if the user was already logged in to Gmail, say)
but now https://myapp.appspot.com/ is again requesting permission to access user's google account - and this is the problem
The user is prompted TWICE to grant permission to myapp to access his account:
once when he browses to http://myapp.mydomain.com
and once more when he submits data to https://myapp.appspot.com/someservice
My user doesn't like it, and neither do I!
I suspect this is because the user answer (Allow or No Thanks) is saved server side with respect to the URL of the app
and not with respect to some other unique id of the app.
But I have no idea how to solve it or at least work it around.
Thank you for your patience in reading up to here.
Any help would be appreciated.
The cookie that is issued for the user's session is per-domain and per-protocol. As a result, the same session won't work on the appspot app and on your custom domain. This isn't an App Engine limitation - it's simply how HTTP works.
The best solution, currently, is to put the form itself on HTTPS as well (which is in general a good idea anyway).
