Compatibility of ADAL with Azure SQL DB - azure-active-directory

Customer is trying to establish connectivity to the DWH using SSO login from a Databricks cluster. If we go to this document: https://learn.microsoft.com/en-us/azure/sql-database/sql-database-spark-connector, it talks about the SQL DB GitHub repository, but this link: https://github.com/AzureAD/azure-activedirectory-library-for-java mentions that MSAL4J is the new authentication library to be used with the Microsoft identity platform, so we need confirmation whether ADAL will work or whether we need to upgrade to MSAL4J?

You can acquire tokens for Azure SQL DB with ADAL by using the resource:
https://database.windows.net/
If you used MSAL, you'd use this scope:
https://database.windows.net/.default
The main difference between MSAL and ADAL is that ADAL uses the older "v1" endpoint of Azure AD.
You can acquire tokens for any API using either ADAL or MSAL; v2 and MSAL do not allow calling more APIs, etc.
While it is generally recommended to use MSAL now, ADAL should also work fine for you.

Related

Azure bus integration with GO based application

We are trying to connect to an Azure Service Bus entity from a "GO" language application, and integration with the Azure Service Bus entity is possible by supplying either a SAS token or an Azure AD OAuth 2.0 token, which will be obtained via security principals. Technically I prefer the security principals option rather than a SAS token, as it has security vulnerabilities.
How do I acquire an OAuth 2.0 token from Azure AD using a language like "GO" for which an Azure AD SDK is not available?
Is it possible to make a direct call to the Azure AD REST APIs to obtain an OAuth 2.0 token? If yes, a code sample would be helpful; otherwise please suggest suitable options.
Here are the available authentication methods for Go.
Also, you can make a direct call to get the access token:
https://login.microsoftonline.com/{tenant}/oauth2/token
Reference:
OAuth 2.0 client credentials grant
Authenticate and authorize an application with Azure Active Directory to access Azure Service Bus entities
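The direct call referenced in this answer, and the resource-versus-scope distinction from the ADAL/MSAL answer above, as one added Go example (this is not code from either answer, nor from Microsoft's libraries): it builds a client credentials request against the v1 endpoint (a `resource`, as ADAL does) or the v2 endpoint (a `scope`, as MSAL does), POSTs it, and decodes the reply. The SQL DB resource URI is the one quoted on this page; the Service Bus resource `https://servicebus.azure.net/` is taken from the Service Bus document linked above rather than from this page; client ID, secret and tenant are placeholders. The v1 endpoint returns `expires_in` as a JSON string where v2 returns an integer, so the struct uses `json.Number` to accept both.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// v1 "resource" identifiers; the MSAL/v2 scope is the same URI + ".default".
// ServiceBusResource is from Microsoft's Service Bus docs, not this page.
const (
	SQLDBResource      = "https://database.windows.net/"
	ServiceBusResource = "https://servicebus.azure.net/"
)

// TokenEndpoint returns the Azure AD token endpoint for a tenant. The v1
// endpoint (what ADAL talks to) takes "resource"; v2 (MSAL) takes "scope".
func TokenEndpoint(tenant string, v2 bool) string {
	base := "https://login.microsoftonline.com/" + url.PathEscape(tenant) + "/oauth2/"
	if v2 {
		return base + "v2.0/token"
	}
	return base + "token"
}

// ClientCredentialsForm builds the body of an OAuth 2.0 client credentials
// grant. target is the v1 resource (e.g. SQLDBResource) or, with v2 set,
// the v2 scope (e.g. SQLDBResource+".default"). The secret travels in the
// POST body over TLS, never in the URL.
func ClientCredentialsForm(clientID, clientSecret, target string, v2 bool) url.Values {
	form := url.Values{
		"grant_type":    {"client_credentials"},
		"client_id":     {clientID},
		"client_secret": {clientSecret},
	}
	if v2 {
		form.Set("scope", target)
	} else {
		form.Set("resource", target)
	}
	return form
}

// TokenResponse is a successful reply. The v1 endpoint sends expires_in as a
// JSON string and v2 as an integer; json.Number decodes either.
type TokenResponse struct {
	TokenType   string      `json:"token_type"`
	ExpiresIn   json.Number `json:"expires_in"`
	AccessToken string      `json:"access_token"`
}

// Lifetime converts expires_in to a duration so the caller can refresh early.
func (t *TokenResponse) Lifetime() (time.Duration, error) {
	secs, err := t.ExpiresIn.Int64()
	if err != nil {
		return 0, fmt.Errorf("bad expires_in %q: %w", t.ExpiresIn, err)
	}
	return time.Duration(secs) * time.Second, nil
}

// AcquireToken POSTs the form and decodes the reply, surfacing Azure AD's
// error code on failure instead of handing back an empty token.
func AcquireToken(client *http.Client, endpoint string, form url.Values) (*TokenResponse, error) {
	resp, err := client.Post(endpoint, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // bound the read
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		var e struct {
			Error       string `json:"error"`
			Description string `json:"error_description"`
		}
		if json.Unmarshal(body, &e) == nil && e.Error != "" {
			return nil, fmt.Errorf("token request failed (%d): %s: %s", resp.StatusCode, e.Error, e.Description)
		}
		return nil, fmt.Errorf("token request failed (%d)", resp.StatusCode)
	}
	var tok TokenResponse
	if err := json.Unmarshal(body, &tok); err != nil {
		return nil, err
	}
	if tok.AccessToken == "" {
		return nil, fmt.Errorf("reply had no access_token")
	}
	return &tok, nil
}
```

Usage is `AcquireToken(http.DefaultClient, TokenEndpoint("<tenant-id>", false), ClientCredentialsForm("<client-id>", "<client-secret>", ServiceBusResource, false))`, with the placeholders replaced by the app registration's values; the returned `AccessToken` goes in the `Authorization: Bearer` header of the Service Bus request. Keep the secret out of logs (the form value is the only place it should appear) and refresh before `Lifetime()` elapses rather than on the first 401.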

How to implement single sign-on using kerberos authentication in azure active directory

Using Azure Active Directory, when I am applying single sign-on for my web application, I am able to do password-based single sign-on successfully.
But when I am doing it with Integrated Windows Authentication (for Kerberos authentication mainly), I am not able to configure it. I am very confused.
Can anybody guide me on how to enable Kerberos authentication for a web application,
or please send me any example links on how to set up Kerberos authentication for web applications.
Thanks!
If you are trying to use Azure AD with Kerberos for Windows Integrated Authentication, there was a comment about AAD Connect, which has some offerings, especially if you use ADFS for federated sign-ins. There is also the Azure App Proxy with KCD support.

Explanation of IdentityServer4 logout spec

We are using IdentityServer4. We have a Windows 2016 server running ADFS (Active Directory Federation Services) version 4.0. This version of ADFS has OpenID Connect endpoints to do active directory authentication. We set this up as an external oidc provider in IdentityServer4. The authentication works fine. What I'm having an issue with is the logout. The current logout correctly disposes of the identity server and client cookies, but doesn't log the user out of the external provider (ADFS). I upgraded the ADFS server so the metadata endpoint exposes end_session_endpoint, frontchannel_logout_supported, and frontchannel_logout_session_supported properties.
What is the proper way to have our identityserver4 implementation also ask the external provider to perform a logout when it does? I'm a little confused by the spec.
http://docs.identityserver.io/en/release/topics/signout_external_providers.html
http://docs.identityserver.io/en/release/topics/signout.html#refsignout
I'm not sure if the front-channel or back-channel is what I should be looking at in this scenario, or if this is even related. The spec also mentions an idp value at authentication time that would indicate to the identity server that an external provider needs a logout as well. Is this what I should be looking at? A little lost. Looking for guidance. Thanks!

Azure AD (creating custom multi factor authentication instead of using the one provided by Azure)

I am developing an application which uses Azure AD as authentication provider.
Need to implement a two factor authentication for the application.
Is it possible to create our own provider and plugin into azure without using the one available with Azure AD.
As far as I know, Azure AD doesn't support using a third-party MFA authentication provider.
However, we could also build multi-factor authentication into custom apps with Azure AD. For more detail about this, you can refer to this document.

Active Directory as OpenID provider?

Can an Active Directory be used as an OpenID provider? WIF is an option, but it's quite complicated and not very widespread.
Yes, you can. Just host an ASP.NET web site that itself uses Active Directory authentication, and exposes an OpenID Provider using DotNetOpenAuth.
ADFS 4.0, available from Windows Server 2016 onwards, allows authentication using OpenID.
There is also OpenID-LDAP server which claims to work with AD LDAP.
Or you can use Red Hat Keycloak, which leverages any LDAP or Kerberos server as a repository to be used with OIDC, or even with poor man's auth, SAML.