I have a React application that uses a JWT token; when the user wants to access the server, he is asked for his name and password and gets a token as the response. I have my own custom login page.
Now we have the requirement to authenticate users against the Active Directory of IIS, so users that are already authenticated on their computers should not be asked again for credentials.
I see a window with a login prompt (not mine, but from the browser):
This window keeps asking me for the credentials. I do not see any outgoing requests from this window.
Question: How can I control the behavior of this window from my React application? Maybe there are some libraries for this purpose. I need to set up the React application or IIS to hide this window and allow the user to log in silently if he is already authenticated.
My company is using the service Aha! Ideas for internal idea-sharing. Everything is set up correctly with Aha!, and the site loads and requests the email for the user. Once they put it in, the Microsoft credentials from the host machine are used as SSO and they are redirected to the secure page. On machines where the user has not authenticated against our domain on the workstation, they are redirected to the Microsoft login, and after they log in, the user is redirected to the site.
So, great! That is all working perfectly.
Now I go into App Studio in Microsoft Teams and set up the site to load as an app in the sidebar. I have added the main URL as a tab, I have set up the Valid Domains and included login.microsoftonline.com, and I have set the AAD App ID to the one used in the SAML2 setup of Aha!.
When I load the app I get the page requesting my email (this is from Aha!), and when I submit it, it should use SSO from Teams to log me in. I am logged in to Teams using my company Microsoft account. At a minimum, it should redirect to login.microsoftonline.com and request my username and password. Instead, I get nothing but a blank page.
Anyone have any ideas as to why it's not working, or what I might have done wrong?
'SSO' in the truest sense with Teams -definitely- won't work: it requires changes to the app itself, which you don't control. But even aside from that, depending on how the app ends up doing its authentication, this still might not work, as you're seeing. Is there maybe a chance Aha! is working on Teams integration?
I have a server-side Blazor app running on Azure App Service, protected by AAD auth. Authorized AD users (admins) are able to access and use the app.
What I want to achieve is to allow other users to access only a specific page of the Blazor app. Users would access the app from a WPF app, themselves not necessarily being AD users, but an AD application user (daemon app). The WPF app gets the token (v2.0) and opens the page in a browser with the Authorization header (bearer token); however, Blazor does not interpret the auth header in the request and treats the user as unauthenticated.
The app registrations should have been set up properly, as I'm able to access the API when using this approach.
Is this scenario possible? If so, any ideas what I could be doing wrong?
This scenario sounds like it is going quite a lot against general recommendations.
You really should not be doing "daemon app" authentication from a WPF app, as it is not a confidential client application (and neither is it a daemon app). It runs on a user device, exposing the application's credential to any user.
Authentication flows that use secrets should never be used from a user device.
Secondly, a Blazor application is not generally one that can accept requests from an application.
Your WPF application should be calling an API, not a UI application.
What you should instead have is:
WPF app authenticates the user and acquires a token on their behalf to your API
WPF app calls the API with the access token
API validates the access token, authorizes access for the user and app, returns data
The Blazor app could be using this same API in its front-end code in a similar manner.
But I don't think you are going to be able to put it in the middle of your client app and the API.
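The API side of the architecture the answer recommends, as an added example that is not the asker's or the answerer's code: an ASP.NET Core minimal API using the Microsoft.Identity.Web package that validates AAD v2.0 bearer tokens and then admits a signed-in user (delegated scope) or a daemon (app role) through separate policies. The "AzureAd" configuration section, the scope name Records.Read and the app role Records.Read.All are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Validate signature (tenant signing keys), issuer, audience and lifetime of
// AAD v2.0 access tokens; "AzureAd" in appsettings.json is assumed to hold the
// TenantId and the API's own ClientId (its audience).
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));

builder.Services.AddAuthorization(options =>
{
    // Delegated call: a signed-in user consented to the scope, token carries "scp".
    options.AddPolicy("ReadAsUser", p => p.RequireAssertion(ctx =>
        Scopes(ctx.User).Contains("Records.Read")));

    // App-only call: a confidential client (daemon) with an app role, no "scp" at all.
    options.AddPolicy("ReadAsApp", p => p.RequireAssertion(ctx =>
        Scopes(ctx.User).Length == 0 && AppRoles(ctx.User).Contains("Records.Read.All")));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Two routes, so the kind of caller each policy admits is explicit.
app.MapGet("/api/records/mine", (ClaimsPrincipal user) =>
        Results.Ok(new { caller = user.GetObjectId(), kind = "user" }))
    .RequireAuthorization("ReadAsUser");

app.MapGet("/api/records/all", (ClaimsPrincipal user) =>
        Results.Ok(new { caller = user.FindFirstValue("azp"), kind = "app" }))
    .RequireAuthorization("ReadAsApp");

app.Run();
// AAD sends delegated scopes as one space-separated "scp" claim (or its long
// URI form once claims are mapped); app roles arrive as one "roles" claim each.
static string[] Scopes(ClaimsPrincipal user) =>
    (user.FindFirst("scp") ?? user.FindFirst("http://schemas.microsoft.com/identity/claims/scope"))
        ?.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries) ?? Array.Empty<string>();

static string[] AppRoles(ClaimsPrincipal user) =>
    user.FindAll(c => c.Type == "roles" || c.Type == ClaimTypes.Role)
        .Select(c => c.Value).ToArray();
```

The WPF client would acquire the user's token with MSAL's public-client interactive flow and send it as a bearer header to this API; nothing in the client needs a secret or certificate.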
I am using IdentityServer3 for authentication. The IdentityServer has 3 applications configured:
https://www.app1.com
https://www.app2.com
https://www.app3.com
A user is registered for all 3 applications. Currently the user has to go to the respective application URL (for example https://www.app1.com), which redirects the user to IdentityServer for authentication, and upon authentication the user gets redirected back to the app web site.
Is there a way to configure IdentityServer so that the user goes directly to IdentityServer, gets authenticated, and then IdentityServer lists all the applications that the user has access to? Here the user would choose the application he wants to log in to.
Give your users a link to the IdentityServer login page. After login, display a form (with tiles or links or something) where the user can choose the application.
Make sure that the link to the application sends the user to a secured page (or a method where you challenge the user). This would cause the application to redirect the user to IdentityServer, which notices that the user is already identified (cookie) and returns to the application, where the user is automatically logged in.
In case the user wants to quit the application, redirect back to the tiles page to choose another application.
Please note that a user is not specifically bound to one application. Once logged in, the user can access all applications. If you want to allow specific access, you may want to solve this with claims.
P.S. I didn't notice you are using IdentityServer3 as you also tagged this as IdentityServer4. But I would expect this would work the same for both versions.
I have a Dynamics CRM 2015 on-premise instance, IFD configured with claims authentication as recommended by Microsoft, and working OK.
There is also a separate Angular application, wrapped in an ASP.NET MVC web application. The Angular part, I assume, is not related much, but nevertheless, let it be here for the complete picture.
I also have it configured to work with ADFS claims authentication, the point being that the user is logged in and using the application in the same user context in both CRM and the web app. So when a user is using the application, he is using it with the user he logged in to CRM with.
So, when I try to access the app URL, I get redirected to the ADFS login, from which, after logging in, I get redirected to my app index page. This is working fine as well.
In CRM I have a ribbon button which transfers selected records to the web app, directly to the web app URL, such as https://webapp.domain.com:port. Selected records are mentioned here only as info, and are not related to the problem.
Now, my problem is: when I access CRM, I log in to ADFS, and then try to click the button to open the web app URL, I get the ADFS login screen again. If I try to log in with the same user, I am stuck in a loop without any requests being sent, and the fields are constantly clearing, without the possibility of logging in.
So the users cannot access it anymore. It is not browser related.
Correction:
Requests are getting sent, and the login request appears in the audit log in Event Viewer as successful, but the redirection doesn't seem to happen. Also, it seems to be browser related; not sure how I've missed it before:
IE: I get a Windows login instead of the ADFS login, and after inputting the password, I get redirected and then logged in OK. This login should not show, though.
Chrome: Constant loop, and a console issue logged: The specified value "DOMAIN\USERNAME" is not a valid email address.
Firefox: Fields are constantly cleared in a loop.
End Correction
If I clear the cache, or first log in to the web app directly, then there is no problem, and opening the URL from CRM after that works normally.
This issue is turning out to be quite a drag, as I do not know how to address it. Has anyone had a similar issue with external apps logging in with claims, to let me know what I am missing?
Claims rules for the web app are below:
I'm very new to LDAP and Active Directory and I'm probably understanding something completely wrong.
I know ASP.NET Identity and forms authentication (however, I'm also quite new to that), and my question is actually whether it is possible to use certain features you can use with forms authentication (explanation further below) with Active Directory.
I'm building an MVC web application and I'd like to authenticate my users against Active Directory. That would be possible with ADFS. The template you get when using ASP.NET Identity in VS2013 uses passive authentication. Is it, however, possible to not do this redirect to the Active Directory domain but create a custom login page for the user?
Is it also possible to do user management with Active Directory like it is possible with forms authentication? I was thinking about:
A page where the user can register himself
Ability for the user to change his password (I know this is possible with ADFS, but the user may not be logged in. I want him to do this when he's logged in, with a self-made page.)
Logging in on a new computer should ask for a code specified in an email
Set up password policy in the application
... (Other things that I might have forgotten)
When these things aren't implicitly possible with Active Directory, please advise on how to configure the application to acquire this functionality (where possible with Active Directory).
Thank you very much in advance for helping me!
EDIT 1:
To not leave my question too open, I'd maybe better just start with that custom login page. As I understand it, the normal flow when using ADFS to authenticate your users is:
A user tries to access a web page of an application for which he needs to be authenticated
(Passive) redirect to a login page provided by ADFS -> user enters his AD credentials
ADFS returns token
Token is sent to the web application (that ADFS trusts)
When the web application thinks everything is OK, it stores an authentication cookie in the user's browser (I guess), and the user can access the web page
What I would like:
A user tries to access a web page of an application for which he needs to be authenticated
Redirect to a login page of that same web application where the user can enter his credentials
The entered credentials are sent to ADFS (I guess) and it returns something (a token?) with information about whether the login succeeded or not (This step could be preceded by a call to some (self-made) service (a Web API application) that multiple client applications could use for their authentication against the same directory)
When the login succeeded, the web application stores a cookie in the user's browser and the user is able to access the page
I don't know if that makes sense. I'm just wondering how companies that use Active Directory to store user information can still have a custom login page, registration page and other user management stuff. (Or don't they use AD, but just have their own databases?)
Normally, if you want a custom login page, you use an ADFS active profile implementation (e.g. WCF) to do the authentication.
User provisioning is not part of ADFS. To do this you need an identity manager, e.g. PingFederate or OpenIDM.
If you are using ADFS 2.0 or 2.1, you can customize the pages (because they run on IIS) and add these features or redirect to a separate website which does.
Most of what you want is OOTB AD functionality. Refer to: Everything in Active Directory via C#.NET 3.5 (Using System.DirectoryServices.AccountManagement).
Password policy can be extremely complex. I don't know of any APIs that explicitly do this.
If you are using ADFS 3.0, there is no IIS, so you are pretty much out of luck.
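A custom login page and self-service password change against AD, using the System.DirectoryServices.AccountManagement API the answer points to, as an added example that is neither the question's, the answer's nor the linked article's code; the class name and the domain and container values are assumptions.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Hypothetical login/password helper for an MVC site that checks credentials
// straight against AD with System.DirectoryServices.AccountManagement.
public sealed class AdAuthenticator
{
    private readonly string _domain;    // assumed, e.g. "corp.example.com"
    private readonly string _container; // assumed, e.g. "DC=corp,DC=example,DC=com"

    public AdAuthenticator(string domain, string container)
    {
        _domain = domain;
        _container = container;
    }
    // True only when the password is right AND the account is usable.
    public bool TryLogin(string samAccountName, string password, out string failure)
    {
        failure = null;
        using (var ctx = new PrincipalContext(ContextType.Domain, _domain, _container))
        {
            // Binds to the domain as the user; a wrong password counts toward AD lockout.
            if (!ctx.ValidateCredentials(samAccountName, password, ContextOptions.Negotiate))
            {
                failure = "invalid credentials";
                return false;
            }
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
            {
                if (user == null) { failure = "unknown account"; return false; }
                if (user.IsAccountLockedOut()) { failure = "account locked out"; return false; }
                if (user.Enabled == false) { failure = "account disabled"; return false; }
                return true;
            }
        }
    }

    // Self-service change for a signed-in user: needs the old password, so the
    // domain's length, complexity and history rules are enforced by AD itself.
    public void ChangePassword(string samAccountName, string oldPassword, string newPassword)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, _domain, _container))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null) throw new InvalidOperationException("unknown account");
            user.ChangePassword(oldPassword, newPassword); // PasswordException if AD rejects it
        }
    }
}
```

On a successful TryLogin the MVC application issues its own forms/cookie ticket as usual; the failure string is for logging, and the page should show the same generic message to the user for every failure.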
It's not really an answer to my question, but if someone is interested in what I eventually did, you can read it (very briefly) here.