We have users who login as Keycloak users and also users who login as AD users (we have created a saml Indentity Provider in Keycloak).
When logging in as a Keycloak user, the user can check ‘remember me’. This enables the user to entirely close the browser and when they open the browser (and open the login page) the user is still logged in. I imagine a persistent cookie is used.
When logging in as an AD user, the user has to reenter their credentials after entirely closing the browser.
Is there a way that Keycloak can persist sessions for AD users who have logged in through AD through a saml Identity Provider which has been configured in Keycloak? I know that AD has a ‘Stay Signed In’ option in their authentication flow. What I’m asking is whether it is possible for Keycloak to persist a session so that the AD authentication flow doesn’t even have to be entered for users who have previously logged in.
Related
A scenario is, user SSO logs into my system via Azure OIDC. They are now logged into the IdP and my system. While logged into my system, they open another tab and log out of the IdP. They are now logged out of the IdP, but still logged into my system.
Does Azure support a way to let my system know that the user has logged out, that way I can log them out of my system?
It's recommended to clear your app's cookies or storage besides calling the Azure AD end_session_endpoint. This can be done using upon redirecting to the passed post_logout_redirect_uri.
I have integrated header based application with Azure AD application proxy.
Which preauthenticate user with Azure AD credential and created cookie based session.
How to implement logout so that when clicking logout link on application it totally clears the session.
For OAuth/OIDC, provided the guidance:
"When you want to sign out the user from your app, it isn't sufficient to clear your app's cookies or otherwise end the user's session. You must also redirect the user to the Microsoft identity platform to sign out."
"When you redirect the user to the end_session_endpoint, the Microsoft identity platform clears the user's session from the browser.
However, the user may still be signed in to other applications that use Microsoft accounts for authentication."
Implement logout in Azure AD application proxy:
Reference:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#send-a-sign-out-request
I develop an authentication by extrenal idps in the my application. For while I support two idps using OpenId Connect protocol: Azure AD and Okta. My login page has widget for entering user's credentials (for built-in users and for domain users imported from Active Directory) and two buttons: "Login with Microsoft" and "Login with Okta".
First time user is redirected to login page and he attempts to sign in by Okta (or Azure AD). If he has already signed in Okta (or Azure AD) before attempt he will be signed in my app autmatically without entring his credentials (SSO in action). But if he signed out from my app, the next time he will try to sign in by Okta he will be redirected to Okta consent page and required to enter his credentials.
Why do second and next attempts require user's credentials but not lead to automatic sign in?
Is this SSO concept?
I develop on Asp.net MVC and use OWIN (Katana).
Thanks!
A likely reason the user is signed out of the identity provider is that your code is intentionally doing that when you call SignOut.
For example, if you are calling:
HttpContext.GetOwinContext().Authentication.SignOut(AuthTypes.Okta, AuthTypes.Cookies);
You are explicitly saying that you want to trigger sign-out for AuthTypes.Cookies (which probably clears your app's own session cookies) and AuthTypes.Okta (which probably includes redirecting to Okta to end the session and clear cookies over there as well).
If you only want to end the session with your app (but not necessarily end the user's session with the identity provider), when you call SignOut, you should only indicate your app's authentication types:
HttpContext.GetOwinContext().Authentication.SignOut(AuthTypes.Cookies);
After this, when the user accesses the app again, the app will not consider the user signed in (because when the user's browser accesses the app, it will not be presenting any session cookies). However, if the user were to be sent off to Okta or Azure AD again, the identity provider's own session cookies for that user will still be there, and they will be able to SSO with no extra prompts.
Note: I'm making a few assumptions about how AuthTypes.Okta and AuthTypes.Cookies are configured, since that wasn't included in the question.
I have a nodejs webapp with login, signup pages (text fields to enter username, passwd and "Login" button). Other pages in the UI and Backend APIs should be accessible only to authenticated users.
What options do i have if i want to authenticate users using Azure AD (Clicking the "Login" button on the UI should authenticate against Azure AD)? Would the flow be different If i want to authenticate both internal (associates with AD credentials) and external users (end customers not in our AD)
TIA.
What options do i have if i want to authenticate users using Azure AD
(Clicking the "Login" button on the UI should authenticate against
Azure AD)?
In the B2C, you could use the direct sign-in by the username or the identity provider.
Would the flow be different If i want to authenticate both internal
(associates with AD credentials) and external users (end customers not
in our AD)
There is no difference. If you don't set up direct sign-in, all the user will see the first page for the user to choose the provider, and then will redirect to the related provider login page.
You have to create a B2C directory and create a web app there, then you can create Signin or Sign Up Policy. Once you are able to create that, open it and select the web app you have created and a redirect url to which you want your user to redirect to afetr successful login. Now hit the Run Now button at the bottom of the policy page. You should see a login page. If you are using it for the 1st time, you have to sign up otherwise you can signin directly. That will do for you.
There is no diff if you are signing in a user who has the ad credentials or not. They still have to signup in the b2c directory for the 1st time as the user profile they have is for the Azure AD directory and not for Azure AD B2C.
There is one thing to consider in min, what type of Authentication you want to follow, OpenId or EasyAuth.
You can test these things out and that should solve your problem. If you still face any challenge, you can let me know here.
We have several Azure AD B2C applications for user login. We are thinking of implementing hardware login to avoid user to login in credentials (username and password). They can just get logged in with NFC cards or faceId
An example of an app, which has been integrated using AppAuth for iOS with Azure AD B2C and uses Touch ID to protect access to the refresh tokens that are issued by Azure AD B2C, can be found at https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/tree/master/AppSamples-iOS-TouchID-master.
You should be able to extend this to Face ID.