SAML: Idp initiated sign out on Azure AD user deletion? - azure-active-directory

Not sure how to go about the following scenario:
User logs in with SAML using in an Azure enterprise configured application.
User authenticated succesfully.
If user now logs out from Azure -> I can catch this event using the logout url.
However if the user is deleted / removed from the organisation the user is still logged in in my application.
I've implemented similar logic with Oauth and refresh tokens, didn't find an equivalent using SAML.

As of now there is no support in SAML for the user provisioning events performed by the Idp.
In Azure enterprise configured application there is feature for Automate user provisioning and deprovisioning to applications which ensure that the identities in your app and systems are kept up to date based on changes in the directory or your human resources system.
For more information you can refer this link

Related

How to implement logout in Azure AD application proxy

I have integrated header based application with Azure AD application proxy.
Which preauthenticate user with Azure AD credential and created cookie based session.
How to implement logout so that when clicking logout link on application it totally clears the session.
For OAuth/OIDC, provided the guidance:
"When you want to sign out the user from your app, it isn't sufficient to clear your app's cookies or otherwise end the user's session. You must also redirect the user to the Microsoft identity platform to sign out."
"When you redirect the user to the end_session_endpoint, the Microsoft identity platform clears the user's session from the browser.
However, the user may still be signed in to other applications that use Microsoft accounts for authentication."
Implement logout in Azure AD application proxy:
Reference:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#send-a-sign-out-request

Login via SSO (SAML) for ANY user from the Internet (not just a corporate one)

I have included SSO (SAML) authorization in my existing application. But for me it was an unpleasant surprise to find that only 2 types of users can use the login through the providers I added (Okta, Azure AD):
Users who are located in the corporate directory of the provider (for example, I made an application on my account, there are no more
users. This means that any other user will not be able to use the
login form, because he is not a member of my tenant)
Third-party users of companies, whose administrators have added a
template of my application from the general list and connected their
users to it.
I expected other results, I need ANY user to be able to log in through these providers (regardless of whether he is in the corporate directory or has his own separate account that is not integrated into my application)
I thought about changing the SAML protocol to OIDC (OpenID Connect), but it seems to me that everything will work in the same way (at least Azure AD, because it seems there are no other options for working with it, except for corporate distribution)
Who had a similar experience, could you tell me what I should use among technologies and protocols so that ABSOLUTELY ANY user can log into my application through Okta / Azure AD / Google? Thanks!
Azure AD login fail screen
Okta login fail screen
You can use Azure AD OAuth2 flows and multitenant apps with MSA (personal account) support to allow any user from any domains and personal accounts to login into your application. Or you can switch to Azure AD B2C (which also relies on OAuth2) to connect different identity providers (Local Azure B2C, Azure AD, Facebook, Google, Amazon, Github, Linked in, Twitter, generics, etc) and allow all their users to login into your application.

Improve SSO experience for companies internal staff while accessing consumer application protected by Azure AD B2C

I have a consumer facing application (call it consumer.com) whose user identities is managed via. Azure AD B2C. This consumer.com app has admin screens which is accessed by the internal staff whose identity is managed by Azure AD. To enable SSO experience for the internal staff the organizations Azure AD is registered as Custom Identity provider in B2C tenant. This allows the internal staff to use the corporate Azure AD credentials to login to the consumer.com application by clicking on the appropriate 'External identities' button. In this flow if the internal user has already authenticated to Office365 then clicking on the 'External identities' button will automatically authenticate user. I was wondering if the experience can be improved by cutting short the need for internal user to click on the button, perhaps the user session that exist in the browser can be used to bring in this experience. How to achieve this?
I am also looking for a solution where user will click on a link (Consumer app button) within one of Office365 apps which would then redirect to consumer.com application, of course the expectation here is to directly authenticate without needing to go through B2c login page. If this can be achieved, what information should the url link contain?
Use the domain hint parameter:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/direct-signin#redirect-sign-in-to-a-social-provider

MSAL.Net connecting to Azure AD federated with ADFS

We are building applications in ASP.Net MVC and Web API that use a range of OAuth 2 features - AcquireTokenByAuthorizationCode (using microsoft.identity.web), AcquireTokenSilently, AcquireTokenOnBehalfOf, AcquireTokenForClient for different parts of the application landscape.
The applications use MSAL.Net to interact with Azure AD and users provisioned in it to provide access to resources and that works ok.
We are now looking at building a connect back to the organization's on-prem maintained user accounts so the end users are not duplicated in AAD and on prem, so ADFS maintained in the org is an option. Considering the ADFS instance to be 2016, the one option to have MSAL.Net work with ADFS appears to be having Azure AD federated with ADFS as explained in this article:
https://learn.microsoft.com/bs-latn-ba/azure/active-directory/develop/msal-net-adfs-support
The article only discusses AcquireTokenInteractive and I do not see explanation that other MSAL.Net operations are supported on having AAD federated with ADFS. I would assume that is true, and we have to run through our tests after we have it all configured, but meanwhile,
would anyone have any experience or documentation around having the range of operations with MSAL.Net (and even msal.js) and AAD work OK when AAD is federated with ADFS?
So I went ahead and tried this for myself, setting a VM up in Azure, installed Active Directory, AD FS and configured the federation between Azure AD and the VM AD FS as per the article https://learn.microsoft.com/en-us/azure/active-directory/b2b/direct-federation-adfs.
Then validated the different OAuth features used by our application, specifically (I would expect other oauth features to work as expected too based on the below observations):
AcquireTokenByAuthorizationCode
AcquireTokenSilently
AcquireTokenOnBehalfOf
AcquireTokenForClient
All these feature work as expected. The user is redirected to org login page and redirected back to the application.
A couple of observations along the way
The refresh token lifetime is 12 hours when working with On premise AD credentials integrated via ADFS instead of the few days when user is provisioned in AAD. This is apparently to mitigat the risk of user information changing e.g. password change. If the browser is idle for > 12 hours, re-login by the user is required.
Once authenticated, further OAuth operations do not involve On prem AD / ADFS. The operations are against Azure AD, any browser redirects are to Azure AD for re-auth.

Programmatic (API calls) User Authentication using Azure AD B2C instead of login.microsoftoneline.com form

New to Azure AD... So please don't be too harsh if this is off target. :-)
Technology Stack - Latest Angular 2 with C# Middle tier and latest .Net Framework.
Ideally, What we want to do is use Azure AD B2C to store user credentials and to do the authentication - but we want our 'own' forms on our site to do the login Forms capture and logging - then pass the credentials through an API (REST?) Call (using MS Graph SDK?) to Azure AD B2C and then check the call return for the Authorization content message.
Couple of reasons - control of the application flow, Logging and the "flickering of the URL" (i.e. going from our site URL to login.microsoft... URL and then back to our sites URL).
Is this doable without doing a hack?
Thank you in advance for your help and patience!
You are looking for the "Resource Owner Password Credentials".
This is not currently supported for Azure AD B2C, but you can give user feedback to the B2C team that you want this through the Azure Feedback Forum: Add support for Resource Owner Password Credentials flow in Azure AD B2C and headless authentication in Microsoft Authentication Library
You should also see updates at that location if and when they implement this feature.
The resource owner password credentials flow is now in preview.
In Azure Active Directory (Azure AD) B2C, the following options are
supported:
Native Client: User interaction during authentication happens when
code runs on a user-side device. The device can be a mobile
application that's running in a native operating system, such as
Android, or running in a browser, such as JavaScript.
Public client flow: Only user credentials, gathered by an application, are sent in
the API call. The credentials of the application are not sent.
Add new claims: The ID token contents can be changed to add new claims.
The following flows are not supported:
Server-to-server: The identity protection system needs a reliable IP
address gathered from the caller (the native client) as part of the
interaction. In a server-side API call, only the server’s IP address
is used. If a dynamic threshold of failed authentications is exceeded,
the identity protection system may identify a repeated IP address as
an attacker.
Confidential client flow: The application client ID is
validated, but the application secret is not validated.
From here.
Note that one disadvantage of doing what you're requesting is precisely that you can do "login forms capture and logging", so your application has a chance to see the credentials and perhaps take copies of them; thus your users have to trust you to behave.
The normal web-based flow means that your application doesn't need to be trusted; it never even sees the password at all.

Resources