Protractor-net and Azure AD - azure-active-directory

I'm new to Protractor and am wanting to write C# tests that run against an Angular 8 application. The problem is, the application uses Azure AD for authentication and I don't know the correct approach to authenticate automatically when running the test. If I navigate to the application URL it redirects to the Microsoft login page for authentication but I can't seem to access this.

You can use the libraries given by Microsoft to implement applications for authenticating to Azure.MSAL is one of the libreary whiich is best to use. If you want to use MSAL to acquire a token, you need to:
Register an application in Azure AD.
Add target API, and grant consent to select permissions.
Generate a secret key.
Then you can get a token as Acquire a token and call Microsoft Graph API.
However, I think what you really want is to integrate AAD. You can easily enable AAD authentication for your .NET web application. It uses OWIN middleware.

Related

Permissions for SAAS in Azure AD

I am looking to develop a SAAS product where tenant from different organizations can log into my application and there are specific set of custom Permissions that I want to create for my application which will allow users to access different endpoints in my application.
Application is hosted in a inhouse server.
Can someone please help me to understand what would be my approach to do so?
I am doing App Registration in Azure AD. And in the redirect uri I am passing my application url.
I am stuck after that.
I tried to reproduce the same in my environment and got the results like below:
To integrate the SaaS Application in Azure AD, Register an Application in Azure AD.
As you need tenant from different organizations log into the application, make sure to configure the Application as Multi-Tenant like below:
Based on your requirement you can select the API permission which you want the users to access like below:
For sample, I selected Microsoft Graph and added the required API permissions:
You can choose Delegated or Application API permissions based the Grant Flows.
For Client-Credentials, need to grant Application API permissions and for Authorization Code Flow need to grant Delegated API permissions.
For sample, I am using OAuth 2.0 authorization code flow to generate the token for authentication.
I generated Auth-Code using below authorize endpoint:
This will authorize the request and redirect it to the application.
I generated the token using below parameters:
Using the above generated Access token, you can call Microsoft Graph API.
If you want B2B collaboration, refer to the document provided by bahrep in the comments.
References:
Register a SaaS application - Azure Marketplace | Microsoft Learn
Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft Entra

How does client credential flow work in Workload identity federation?

For my current ASP.NET Core MVC application I authenticate directly with a web app registered in Azure AD Portal. This provides me with an access token so on the backend of my web application I can use MS Graph with my users specific account (ie add files to their onedrive , email, etc). However, my organization also has Okta which a lot of applications authenticate against. So I was trying to determine to authenticate through Okta (which has a much cleaner sign in process IMO) as well as authenticate against Azure AD and get an access token. Through my research I found something in my web application registration in Azure AD called Workload Identity Federation. This led me to this useful video
https://www.youtube.com/watch?v=wZ0gCJYMUKI
and also microsofts info site:
https://learn.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation
This seems to answer what I want which is to use Okta but allow me to still use MS Graph for my users since it will authenticate against Azure AD (correct me if I am wrong and this is for something else). My issue is none of these resources really go into depth regarding how the access token is passed to my application so I can use MS Graph. My research this is called client credential flow since my application only has delegated permissions so it requires the users to log in and it basically allows my web app to act on their behalf when using MS Graph. So I am trying to understand and fill this void of information regarding how client credential flow fits into Workload Identity Federation and is this the solution to my problem.

Multi tenant SAML SSO app installed with OAuth flow?

I have a multi tenant enterprise app. It authorises a few graph API permissions when installed and has SAML SSO configured. The whole idea is that my customers can install this and in one process grant my application access to their tenant, and setup SSO for that customers users.
The graph API permissions work totally as expected, I get the needed access to the tenants who installed the app.
Then there is the SAML SSO part. That's just totally not working. In my test tenant where I installed my app, it says that the app has SAML SSO and that it is only application owner who can configure - all fine.
I then try to log in (to the web app using this SSO configuration) with a user from my test tenant - no luck!
First I thought that it had to do with the user not being assigned the app, but it complains the the application in tenant A is not available for user in my test tenant and the user should be added to tenant A. That of course is not a solution since I want to use this for customers.
So right now I am stuck with 2 app's. One gallery app for SAML SSO and my app granting API permissions. It works, but it just seems SO stupid. Isn't there a better way?
Azure AD SAML applications are not intended to be multi-tenant, this is why you need to invite external users as guests.
It's worth to mention it's possible for an Azure AD app to support both OIDC/OAuth2 and SAML and thus rely on the same session cookie to obtain an access token for MS Graph.
If you need multi-tenancy, you should use modern protocols such as OpenID Connect for authentication and OAuth2 for authorization. MS Graph relies on JWT access token anyways.

AzureAD custom multi factor auth

I've got a single page application that currently uses Azure AD B2C authentication to allow users to sign in, and then use the auth cookies to talk directly to internal services. There is now a requirement that we use two factor auth on top of the existing AD auth. We've already rolled our own 'second factor' auth, and we need to be able to integrate with that (I'd much rather use the built in MFA that Azure provides, but for this question assume that isn't an option).
Our issue is that we don't want to call our MFA service until the user has authenticated succesfully with AD - but of course, once they have, they are already authenticated, and it's too late.
When Azure AD hands back to us via the call back (we are using CookieAuthenticationEvents), is there any way to defer the access token being available until our own second factor auth step succeeds?
Just as juunas suggested, try to use custom polices which are designed primarily to address complex scenarios.
Reference:
Custom policies in Azure Active Directory B2C

What's the best way to authenticate a user in a .net core 2 API programatically using Azure Active Directory

I'm working on an application that has an angular 6 front end and a .net core 2.0 back-end and am trying to set it up so that my application authenticates users via Azure active directory. The issue is that I want the .net core back-end to do all the authentication programmatically when I have the front end pass an email and password. Everything that I've seen so far online suggests to have the front end redirect to the Microsoft login page but we are using our application as a boiler plate project and want to be able to change the type of authentication easily in the back-end without having to change the angular front-end. Does anyone know how I could go about this?
You can use Resource Owner Password Credentials Grant .The process will like that you collect the user credentials in Angular app and post to .net core back end , then finish the authentication in back-end app with user's credential. But that is not recommended because The ROPC flow requires a high degree of trust and user exposure and you should only use this flow when other, more secure, flows can't be used.
Also :
The Microsoft identity platform endpoint only supports ROPC for Azure AD tenants, not personal accounts. This means that you must use a tenant-specific endpoint (https://login.microsoftonline.com/{TenantId_or_Name}) or the organizations endpoint.
Personal accounts that are invited to an Azure AD tenant can't use ROPC.
Accounts that don't have passwords can't sign in through ROPC. For this scenario, we recommend that you use a different flow for your app instead.
If users need to use multi-factor authentication (MFA) to log in to the application, they will be blocked instead.
Reference : https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

Resources