CAS integration with multiple OpenID Providers - azure-active-directory

We are in the process of integrating CAS with multiple OpenID providers, for example Azure and Google.
Can anyone help me with the configuration?
Suppose we have User1 and User2.
1) Whenever User1 accesses the application URL, he has to be redirected to the Google login page.
2) Whenever User2 accesses the application URL, he has to be redirected to the Microsoft Azure login page.
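The routing the question asks for is usually called home-realm discovery: the domain part of the identifier the user types decides which OpenID Provider receives the authorization request. The following is an added example in Python, not CAS's own configuration or code, showing that step together with the per-request values (state, nonce, PKCE verifier, expected issuer) a defender wants bound to the session before redirecting. The Google and Azure AD v2.0 issuer and authorization endpoints are the real public values; the tenant id, client ids, redirect URI and the domain-to-provider table are constructed placeholders.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode


@dataclass(frozen=True)
class Provider:
    name: str
    issuer: str                 # value expected in the id_token "iss" claim
    authorization_endpoint: str
    client_id: str
    redirect_uri: str


# Placeholder tenant id; a real deployment substitutes its own.
AZURE_TENANT = "00000000-0000-0000-0000-000000000000"

# Constructed provider table (client ids and redirect URI are placeholders).
PROVIDERS = {
    "google": Provider(
        name="google",
        issuer="https://accounts.google.com",
        authorization_endpoint="https://accounts.google.com/o/oauth2/v2/auth",
        client_id="google-client-id-placeholder",
        redirect_uri="https://sso.example.test/login/oidc/callback",
    ),
    "azure": Provider(
        name="azure",
        issuer=f"https://login.microsoftonline.com/{AZURE_TENANT}/v2.0",
        authorization_endpoint=f"https://login.microsoftonline.com/{AZURE_TENANT}/oauth2/v2.0/authorize",
        client_id="azure-client-id-placeholder",
        redirect_uri="https://sso.example.test/login/oidc/callback",
    ),
}

# Constructed realm map: which e-mail domains belong to which provider.
DOMAIN_TO_PROVIDER = {
    "gmail.com": "google",
    "example-corp.com": "azure",
}


def discover_provider(login_hint: str) -> Optional[Provider]:
    """Home-realm discovery on the domain part of the identifier.

    Unknown or malformed identifiers return None so the caller shows a
    provider chooser instead of guessing, which avoids leaking which
    domains are configured through differing redirects.
    """
    local, sep, domain = login_hint.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    key = DOMAIN_TO_PROVIDER.get(domain.lower())
    return PROVIDERS.get(key) if key else None


def pkce_pair():
    """RFC 7636 verifier (43-128 unreserved chars) and its S256 challenge."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorization_request(login_hint: str, scopes=("openid", "email", "profile")):
    """Return the redirect URL for the discovered provider plus the values
    the callback handler must later verify (kept server-side in the session)."""
    provider = discover_provider(login_hint)
    if provider is None:
        raise ValueError("no provider configured for this identifier")
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    verifier, challenge = pkce_pair()
    params = {
        "client_id": provider.client_id,
        "response_type": "code",
        "redirect_uri": provider.redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "login_hint": login_hint,
    }
    url = provider.authorization_endpoint + "?" + urlencode(params)
    session = {
        "state": state,                       # compared to the callback's state
        "nonce": nonce,                       # compared to the id_token nonce
        "code_verifier": verifier,            # sent in the token exchange
        "expected_issuer": provider.issuer,   # id_token from any other issuer is rejected
    }
    return url, session


def callback_issuer_matches(session: dict, token_issuer: str) -> bool:
    """Guard against an id_token from provider A being accepted for a user routed to B."""
    return secrets.compare_digest(session["expected_issuer"], token_issuer)
```

The session dictionary is the piece that matters at the callback: checking `state`, `nonce` and `expected_issuer` on the way back is what stops a user routed to one provider from completing login with a token minted by the other, which is the main mix-up risk when two issuers share one callback URL.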

Related

Azure AD Application session

I have a couple of questions with respect to how the Azure AD session works.
I have a couple of web applications registered in my AAD tenant. The users of these applications can be MSA, organization accounts with AAD, or federation accounts. All these accounts will be guested in the AAD tenant where the applications are registered.
If I log out from the Azure Portal, can I prevent logout from my application? Assume that the account is the same for the Azure Portal and the AAD application.
If I log out from my application 1, can I prevent the Azure Portal from asking for the password for application 1 if I try to access it again?
I read that application and Azure AD cookies are stored in the browser. Can I see them? What are the names of these?
Is it possible to force the user to enter the password for a particular application if the user is inactive in that application?

How to authenticate using Azure AD token using identity server 3 and microsoft teams app

We use a custom IdP (Identity Server 3) to authenticate users on the system. Now I have a requirement to implement Azure AD authentication. I tried adding Azure AD as an external provider; it is working fine in the browser, but in the MS Teams app it is not working, because the Microsoft Teams app opens in an iframe, in which Azure AD doesn't work.
I implemented the Microsoft msal.js library to authenticate using Azure AD. I am able to authenticate and get the token on the frontend. But how can I pass that token to Identity Server 3 and authenticate the user using my own identity server?
Did you have a look at these resources which seem to explain how to implement your setup:
https://learn.microsoft.com/en-us/microsoftteams/sign-in-teams
https://learn.microsoft.com/en-us/microsoftteams/platform/concepts/authentication/authentication
https://learn.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/auth-tab-aad
https://learn.microsoft.com/en-us/microsoftteams/platform/concepts/authentication/configure-identity-provider
If I understand your requirement correctly, then you can try out the solution below:
The user is authenticated using Azure AD when he logs in to the Teams app. Now you can send the logged-in user's AD information (User Principal Name preferably) to your IS3 and authenticate from your end.

Cannot give permissions to sign-in to my app, error "App needs permission to access resources in your organisation that only an admin can grant"

I'm using OpenID Connect to authenticate users according to https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc. I registered application in Azure AD and there are following user consents defined:
The problem is that only 3 users are authenticated while others get error 90094 with message:
Need admin approval
App needs permission to access resources in your organisation that
only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
These 3 users who can sign in are the ones who granted the "Sign users in" and "Sign in and read profile" permissions (visible under the "Granted By" column links on the screenshot), and this is the only difference in Azure configuration between them and the rest who cannot sign in. All users have been added to the app through the "Users and groups" page with the same roles. All users are from the same company's directory. The API permissions look like the following:
Moreover, I have this setting:
I don't know how to grant permissions to other users and I don't know how to extend the list of permissions visible on the screenshot.
Any ideas?
I wonder if any changes in the Azure Portal happened since November 2019 when I created and configured that app. There were no changes in my permissions since that time, so I didn't have more power then. I've read various documentation on MSDN about consents and permissions but didn't find a solution.
You are not the admin of your Azure AD tenant.
Please see this reference: Disable or enable user consent from the Azure portal.
I see that you have the setting: "Users can consent to apps accessing company data on their behalf". But if you don't enable the admin consent workflow, then when the application requests permissions that the user is not allowed to grant, the users still can't consent to the app by themselves.
Another method is to use an admin account to log into the Azure portal and then grant admin consent for your tenant.

Redirect to login after session expired

I am using Azure Active Directory with the OpenID provider in an MVC 5.0 application deployed to the Azure portal. In my case the user session expires after 20 minutes, but the user is not automatically redirected to the login page; the application considers the authentication still valid.
Is there any option available in the OpenID provider to sign out and redirect to the login page again?

How to Connect to client's ADFS from azure active directory

We are developing a SaaS web application with an Angular UI front end, and my login works just fine with the users I have added in my Azure Active Directory as well as users from any other Azure AD using its consent framework, and everything is sweet.
What I now need is to allow users to log in using the ADFS of another organization which does not have any Azure Active Directory. Which is the best solution for this?
For a test, I created a local Active Directory in a VM and federated it using ADFS. Let's say otherorganizationdomain.com is the domain. Even though I can access the login page directly using the URL I got during my ADFS setup, when I typed that domain name (xxx#otherorganizationdomain.com) in my multi-tenant app's login page it is not getting redirected to the login page of my ADFS, whereas other logins continue to work fine.
I have a multi-tenant web app in Azure AD. What I would ideally like to happen is that when I type xxx#otherorganizationdomain.com I am redirected to their ADFS login page and come back with the claims, just like how it works with Azure Active Directory. Am I trying to do something which can't be achieved?
You could federate ADFS as per ADFS : Using Azure AD but Azure AD is always the IDP which isn't what you want.
You could use AD Connect and sync the users up, but that is normally designed for users in the same forest. This is the way O365 works. Federated domains redirect to ADFS.
Or you could use AzureAD Pass-Through Authentication and Seamless Single Sign-on.
This uses your local DC but not ADFS.