We required to configure our application SSO with azure AD. Developer asking below information for configure SSO, could your please tell me where i find these information in Azure AD.
What we will need from the SSO Provider are the following details:
Issuer URL
Sign in URL
X.509 Certificate
Thanks in advance,
Rocky
Related
We have a public consumer application for which we use Auth0 as identity platform and through Auth0 we have enabled a couple of social logins to which we now want to add "Login with Microsoft" as an option so that anyone with any type of Microsoft account can login.
Obviously we will need to enable the Microsoft social connection in our Auth0 instance and connect it to a Active Directory Application and Tenant created in Azure.
What I can't seem to find the answer for is which type of tenant we should setup for this, whether we should use a Azure Active Directory tenant with a multi-tenant application or if we should use a Azure Active Directory (B2C) tenant for this?
Thanks for posting your query. As per https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/azure-active-directory/v2#register-your-app-with-azure-ad Azure AD would support for multitenant apps but not with social account (until you plan to send invitation to each user's personal account for Azure AD B2B).
For Microsoft Social accounts Azure B2C would suit your requirement.
On Auth0 Admin Console:
Create a web application in Auth0
Copy the client ID and secret
Add a callback URL from your B2C tenant in given format: https://.b2clogin.com/.onmicrosoft.com/oauth2/authresp
Copy the “OpenID Configuration” URI from advance setting.
On Azure B2C tenant:
Add an Identity provider to B2C, Azure AD B2C > Identity providers > New OpenID Connect Provider
Input “OpenID Configuration” URI you copied in above step to Metadata URL.
Similarly add client ID and Client secret you copied from Auth0.
Complete the claims mapping ref: https://learn.microsoft.com/en-in/azure/active-directory-b2c/identity-provider-generic-openid-connect?pivots=b2c-user-flow#claims-mapping
Hit Save and Auth0 will be saved as IDP in your Azure B2C tenant.
Thanks
I've gathered the following insights since posting my question
Summary
Auth0 Social connection -> Azure Active Directory tenant with an app configured to support "Personal Microsoft accounts"
Auth0 Enterprise connection -> Azure Active Directory tenant with an app configured to support "Accounts in any organisational directory and personal Microsoft accounts"
See guide of different app types here
Details
Since we wanted to support login with any microsoft account (multi tenant + personal) my initial attempt of using an Auth0 Social connection for this was incorrect, since the Social connection will only allow successful logins with personal accounts regardless of how you have setup the App registration in Azure
Auth0 Enterprise connection is the way to go for our case, with an Azure app registation supporting multi tenant + personal accounts. Also when setting the connection up in Auth0, make sure to enable the "Use common endpoint" setting as described here
The Azure Active Directory B2C tenant type is not useful with any of the Auth0 connections as you likely won't be able to get a satisfying consent screen with verified publisher. I'm guessing its just the wrong way of using the B2C tenant, where its supposed to be used the other way around with the Azure tenant being the identity platform optionally integrating applications from Auth0 like in the answer from Mavric20
has anyone successfully configured OKTA as Identity provider (IDP) in Azure Active Directory so that token recieved from OKTA can be leveraged by apps in Azure.
I have gone thru several stackoverflow queries but none has any step by step guidance on how to add it in Azure AD as an external IDP.
any help?
thank you
• Yes, you can configure Okta as an IDP in Azure as a federated identity provider but please ensure that it supports SAML 2.0 or WS-Fed protocol for direct federation to work. Therefore, to proceed further, ensure that organization using Okta as an IDP has its DNS records correctly configured and updated for the domain to be matched with the target domain or a host within the target domain in case of a passive authentication URL.
Once, the DNS records are setup correctly for an IDP’s domain name, then configure the partner IDP with the required claims and relying party trusts such that their SAML metadata file or URL is retrieved and uploaded for adding the Okta using IDP as an external identity as shown below in the snapshot: -
• Once, you have configured the SAML/WS-Fed supporting Okta IDP as a partner/external identity provider in the Azure AD tenant, ensure to configure specific attributes and claims to be configured at the third-party IDP such that these attributes are received in the SAML 2.0 response from the IDP itself when any user tries to login to the Azure AD using Okta identity.
Ensure that the below attributes and claims are received as information in the SAML token from the configured Okta IDP: -
AssertionConsumerService, Audience, Issuer, NameID and http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
From the above snapshot, ensure to fill the following details for configuring the Okta IDP as an external identity provider: -
a) Issuer URI - The issuer URI of the partner's IdP.
b) Passive authentication endpoint - The partner IdP's passive requestor endpoint.
c) Certificate - The signing certificate ID.
d) Metadata URL - The location of the IdP's metadata for automatic renewal of the signing certificate.
Thus, in this way, you can add an Okta based IDP in Azure through federated external identity. For more details regarding this, I would suggest you to please refer to the below links for more details: -
https://learn.microsoft.com/en-us/azure/active-directory/external-identities/direct-federation#step-1-determine-if-the-partner-needs-to-update-their-dns-text-records
Okta as IDP in Azure AD
Can someone please point me to any package that can be used in fast-api to integrate sso with azure ad using saml ?
I have seen some packages but they do it with oauth.
https://intility.github.io/fastapi-azure-auth/
Is there any that exists with SAML? Thanks
The toolkit says: Azure AD SAML Toolkit supports SP initiated SSO
I have searched for IDP initiated examples, but the examples I find no longer are relevant. I was hoping to use the toolkit, but it doesn't appear to allow this. Can anyone please advise? The Single Sign On option that is in some examples no longer exists in Azure. Thanks!
There aren't any.
IDP Initiated is started by the IDP and so is "built-in".
As the doc. states:
"Sign-on URL Required Don't specify
When a user opens this URL, the service provider redirects to Azure AD to authenticate and sign on to the user. Azure AD uses the URL to start the application from Microsoft 365 or Azure AD My Apps.
When blank, Azure AD does an IdP-initiated sign-on when a user launches the application from Microsoft 365, Azure AD My Apps, or the Azure AD SSO URL".
I have a client/server application where I am successfully able to create users with the Microsoft Graph API. I'm also able to authenticate and authorize these users with the 'Resource Owner Password Credentials Grant Flow' by following these docs here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc.
But I am also needing to give users the option to login with their Facebook or Google accounts, which doesn't seem to be possible while using this type of grant flow. I'm aware that identity providers can be used with Azure AD B2C, however, I need a way of doing this with my own application and not through a redirect or popup window.
Any suggestions are appreciated!
No. Resource Owner Password Credentials Grant Flow doesn't support for social identity provider.
In Azure AD, the Microsoft identity platform endpoint only supports ROPC for Azure AD tenants. ROPC is not supported in hybrid identity federation scenarios. See details here(the Important tip).
In Azure AD B2C, ROPC supports local accounts only. Users can’t sign in with federated identity providers like Microsoft, Google+, Twitter, AD-FS, or Facebook. Please refer to ROPC flow notes.