Configure SAML Single Sign-on in Azure with ITfoxtec SAML 2.0 - itfoxtec-identity-saml2

I'm trying to implement SAML authentication in .Net Core 3.1. I'm using the sample project TestWebAppCore from this official repo.
I have the values below and I need to adapt the sample project considering Azure AD as an Identity Provider:
Login URL
Azure AD Identifier
Logout URL
I also have a .xml and a .cer file.
My questions are:
Login URL is the configuration SingleSignOnDestination?
Logout URL is the configuration SingleLogoutDestination?
Azure AD Identifier is the configuration IdPMetadata?
Can I remove the code that refers to SigningCertificatePassword (.pfx file) and add reference to my .cer file?
Do I need to use the xml file? Where?

If you integrate with an Azure AD Enterprise Application I think you should use the Enterprise Applications metadata to configure (config parameter IdPMetadata) ITfoxtec Identity SAML 2.0 in the .NET application.
SingleSignOnDestination is the Azure AD Enterprise Application login endpoint.
SingleLogoutDestination as I remember an Azure AD Enterprise Application do not support SAML 2.0 logout.
AllowedIssuer is the Azure AD Enterprise Application issuer.
SigningCertificate need to contain a certificate with both public and private key like a .pfx. A .cer only contain the public key.

Related

Where to implement Azure AD B2C with React frontend and ASP.NET Core 6 backend

I am looking to implement Azure AD B2C into my web application for user authentication.
However, I am unsure of the desired practice when you have a separate frontend from backend.
Frontend: React JS web application running on Node.js
Backend: ASP.NET Core 6 API application
Server: Microsoft SQL Server
I would like to also have users / user information stored in the database upon creation. This is because I need to reference these users in several different relational tables.
What is the best workflow with this?
Azure AD B2C is implemented in frontend. When a user is created, an API request is sent to the backend to create the user in the database. If it is successful, a user cookie is created on the frontend for authentication.
Azure AD B2C is implemented in the backend. When a user is submitted in the frontend, an API request is sent to the backend where the Azure AD B2C service creates a user, stores it in the database, and sends a callback to the frontend signifying the action was either successful / unsuccessful, along with a user cookie for authentication.
other
I am new to authentication cookies, and user sessions, so any documentation provided regarding that would be greatly appreciated.
• I would suggest you use ASP .NET MVC 2 or another version as the front-end client and integrate Azure AD B2C tenant and an app registered in it as described in the document below. Once you have the Azure AD B2C tenant registered and the required application for authentication configured, configure the custom policies and user flow accordingly. Once those are done, then secure that application with Azure AD B2C for login and authentication with guest authentication. Then, ensure that your backend application is integrated with Azure SQL or cosmos DB for storing the details of all the users signed in with the Azure AD B2C. For that purpose, you will have to give Azure AD B2C application registration, the required permissions for that concerned Azure resource for allowing to access the same and retrieve the user details from it. Thus, in this way, you can configure your application accordingly.
Kindly refer to the link below for more information and details on configuring the infrastructure for the same: -
https://www.codeproject.com/Articles/1121503/Integrate-Azure-AD-B-C-with-ASP-NET-MVC-Web-App-Pa
https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-authentication-sample-web-app?tabs=visual-studio

SAML - IDP Initiated Example (Azure AD SAML Toolkit)?

The toolkit says: Azure AD SAML Toolkit supports SP initiated SSO
I have searched for IDP initiated examples, but the examples I find no longer are relevant. I was hoping to use the toolkit, but it doesn't appear to allow this. Can anyone please advise? The Single Sign On option that is in some examples no longer exists in Azure. Thanks!
There aren't any.
IDP Initiated is started by the IDP and so is "built-in".
As the doc. states:
"Sign-on URL Required Don't specify
When a user opens this URL, the service provider redirects to Azure AD to authenticate and sign on to the user. Azure AD uses the URL to start the application from Microsoft 365 or Azure AD My Apps.
When blank, Azure AD does an IdP-initiated sign-on when a user launches the application from Microsoft 365, Azure AD My Apps, or the Azure AD SSO URL".

Using Azure AD as a authentication provider for Azure B2C

I have an angular-cli (v8) web application where I want users to be able to sign-in using their existing Azure AD account.
I came across the article explaining how to added authentication to an angular 8 application using Azure B2C and started to follow the step outlined in that article. https://about-azure.com/using-azure-ad-b2c-with-angular-8/
Azure AD is not on the list of authentication providers
Is is possible to add Azure AD as an authentication provider?
Technically my application is an Service Fabric application using .net core 3.1. I know that Visual Studio offers and "Add Connect Services" where one can choose Azure AD.
That does not work, because it configures authentication for a MVC application (options use.MVC) and I do not have an MVC application so it doesn't work (I have tried)
Is is possible to add Azure AD as an authentication provider?
Yes, you need to select New OpenID Connect provider and configure Azure AD as an identity provider.
Reference:
Set up sign-in for a specific Azure Active Directory organization in Azure Active Directory B2C

Azure AD B2C - Client Credential flow not supported . Workarounds Available?

Referred the following stack overflow post Azure B2C client credentials grant
We are presently using Azure B2C.
I understand that Azure B2C does not support the client credential flow for now.
We have a requirement where an external application (server Application outside our organization) needs to access our resource (api hosted within our organization)
Is there any way we can do this from Azure AD-B2C or would we need Azure AD-B2B for these type of requirements. ?
Currently, your specific scenario -- where you are needing an access token to be issued for access by a daemon or server app to your API app -- isn't supported, however you can register the API app through the “App Registrations” blade of the Azure AD directory for your Azure AD B2C tenant.
You can upvote support for the client credentials flow by Azure AD B2C at:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/18529918-aadb2c-support-oauth-2-0-client-credential-flow
If the API app is to receive tokens from both a web/native app as well as the daemon/server app, then you will have to configure the API app to validate tokens from two token issuers: one being Azure AD B2C and other being the Azure AD directory for your Azure AD B2C tenant.
You should not do this anyway.
Instead, provide a portal for your customers where they can manage api keys.
Implement api keys as a second auth schema in your Api

Azure AD (creating custom multi factor authentication instead of using the one provided by Azure)

I am developing an application which uses Azure AD as authentication provider.
Need to implement a two factor authentication for the application.
Is it possible to create our own provider and plugin into azure without using the one available with Azure AD.
As far as I know, the Azure AD doesn't support to use the third-party MFA authentication provider.
However we are also could build multi-factor authentication into custom apps with Azure AD. More detail about this you can refer this document.

Resources