How do I single sign on to Dynamics 365 portal using Salesforce credentials ?
Ok, this is how I achieved SSO to dynamics 365 using salesforce credential:
First, we need to create a connected app in Salesforce. We can easily find resources online on how to create a connected app on Salesforce. Key things to consider is that both Salesforce and Dynamics uses SAML based authentication so we need to enable SAML while creating connected app.
EntityId would be url of the Dynamics Portal
https://yourportal.microsoftcrmportals.com
ACS URL would be https://yourportal.microsoftcrmportals.com/signin-saml2
Let start URL as: https://yourportal.microsoftcrmportals.com
Let Subject Type as: Username
Put Name ID Format: ....emailAddress
Leave other values as default and Save it. You might need to set up My Domain if you have not done so.
You have to now provide permission to users to access this app through manage profile.
Now we need to do some config setup at the Dynamics Side.
Go to your Dynamics CRM backend and on the Portals >> Site Settings. You need to create few settings.
Name: Authentication/SAML2/YourAppName/AssertionConsumerServiceUrl
Website: your Dynamics Portal
Value: https://yourportal.microsoftcrmportals.com/signin-saml2
YourAppName can be anything you want. Similary, create settings for following names:
Authentication/SAML2/YourAppName/AuthenticationType
Value would be IdP-Initiated Login URL from Salesforce
Authentication/SAML2/YourAppName/MetadataAddress
Value would be Metadata Discovery Endpoint from Salesforce connected app, we created earlier
Authentication/SAML2/YourAppName/ServiceProviderRealm
Value:https://yourportal.microsoftcrmportals.com
Thats it. Now click on IDP Initiated login url that is provided in the Salesforce. That should work.
Related
I am looking to develop a SAAS product where tenant from different organizations can log into my application and there are specific set of custom Permissions that I want to create for my application which will allow users to access different endpoints in my application.
Application is hosted in a inhouse server.
Can someone please help me to understand what would be my approach to do so?
I am doing App Registration in Azure AD. And in the redirect uri I am passing my application url.
I am stuck after that.
I tried to reproduce the same in my environment and got the results like below:
To integrate the SaaS Application in Azure AD, Register an Application in Azure AD.
As you need tenant from different organizations log into the application, make sure to configure the Application as Multi-Tenant like below:
Based on your requirement you can select the API permission which you want the users to access like below:
For sample, I selected Microsoft Graph and added the required API permissions:
You can choose Delegated or Application API permissions based the Grant Flows.
For Client-Credentials, need to grant Application API permissions and for Authorization Code Flow need to grant Delegated API permissions.
For sample, I am using OAuth 2.0 authorization code flow to generate the token for authentication.
I generated Auth-Code using below authorize endpoint:
This will authorize the request and redirect it to the application.
I generated the token using below parameters:
Using the above generated Access token, you can call Microsoft Graph API.
If you want B2B collaboration, refer to the document provided by bahrep in the comments.
References:
Register a SaaS application - Azure Marketplace | Microsoft Learn
Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft Entra
I have a WPF desktop using the WebView2 control, and it works quite nicely. The problem I am trying to solve is handling the authentication for users who find the repeated prompts when accessing our SharePoint Online (SPO) site within the WebView2 control annoying. I am not looking to access Graph API or the SPO API, just allow the user to navigate to our SPO site without login prompts. Our on-prem AD synchronizes with Azure AD.
A couple of applications I've developed:
An Office add-in using SSO with delegated permission and signed off by our admin so that users do not log in
A console app that has application permission to update all calendars in our organization via the EWS API, protected with Azure AD certificate authorization, although it initially used a secret
That said, how can I set up the app authorization so that my desktop WPF app can allow the users to access SPO without prompts?
According to your scenario, you can try the following things in your web view control such that you will no longer receive authentication prompts for Sharepoint online login.
• You trying to access SPO site within web view control, so you need to allow authentication for both the http clients, i.e., Windows store clients(classic)[System.Net.Http.HttpClient] and HTTP clients[Windows.Web.Http.HttpClient] connected to web view controls. You can do so by adding the new one in your code as below: -
var filter = new HttpBaseProtocolFilter();
filter.ServerCredential = new Windows.Security.Credentials.PasswordCredential("http://website","login","password");
Windows.Web.Http.HttpClient client2 = new
Windows.Web.Http.HttpClient(filter);
var response = await client2.GetAsync(new Uri("http://website"));
WebView.Source = new Uri("http://website");
• In this code, change the “login” and “password” to the credentials you want to use to login in the SPO site. Also, change the “http://website” to the SPO website and set the ‘enterpriseAuthentication’ parameter to off.
• Also, you can use the ‘’TodoListService” Service app for maintaining an in-memory collection of to-do-items for each authenticated user for login purposes.
Please refer the below links for more reference: -
providing domain/user credentials to webview control
https://learn.microsoft.com/en-us/previous-versions/windows/hh465283(v=win.10)?redirectedfrom=MSDN
https://learn.microsoft.com/en-us/samples/azure-samples/active-directory-dotnet-native-aspnetcore-v2/1-desktop-app-calls-web-api/
This way, hopefully the SPO site can be accessed through desktop WPF app without authentication prompts.
Thanking you,
I am trying to configure Azure AD B2C as auth provider to Salesforce. I followed the instructions in http://salesforce.vidyard.com/watch/kcgTXQytUb6INIs2g3faKg (instead of google used Azure AD B2C).
When I click on the test-only initialization URL I get the following error
My B2C set up is very basic. I just have an email provider and an out-of-the-box sign-in sign-up policy.
Any help will be greatly appreciated.
I'm late to the party but I wanted to post here in case anyone else can use this information. We followed the below steps with an ordinary Custom Policy returning a JWT token. Notice steps 4-5 under Create an Azure AD B2C Application and step 8 under Configure Salesforce Auth. Provider, these will pull back an Access Token from Azure AD B2C.
Create an Azure AD B2C Application
Log into the Azure AD B2C instance you wish to connect to.
Go to Applications. Click + Add.
Add https://www.salesforce.com as a Reply URL. Click Create.
Select the new app you just created. Save the Application ID.
Click Published Scope. Add read as a scope. Click Save.
Save the Full Scope Value.
Click API access. Click + Add. Under Select API, select the name of the application. Under Select Scopes, ensure read and user_impersonation are selected.
Click OK. Select Keys from the left nav. Click + Generate key. Click Save.
Check the value of the generated App key. If it contains “/”, “?”, “&”, or “%” (there may be more invalid characters), delete the generated key and repeat steps 8 and 9 until a valid key is generated. Save the valid key.
Configure Salesforce Auth. Provider
Log into Salesforce. Go to Setup. In the Quick Find box, type Auth. Select Auth. Providers.
Click New.
Under Provider Type, select Open ID Connect.
Add an informative Name. This will be displayed to users as an option when signing in. Salesforce will generate a URL Suffix.
Place the Application ID, from Step 4 of “Create an Azure AD B2C Application”, in Consumer Key. Place the App key, from Step 9 of “Create an Azure AD B2C Application”, in Consumer Secret.
Retrieve the OpenID Connect discovery endpoint of the Azure AD B2C Custom Policy you wish to integrate with. This discovery endpoint can be found at https://{tenant-id}.b2clogin.com/{tenant-id}.onmicrosoft.com/v2.0/.well-known/openid-configuration?p={policy-id}.
Use the authorization_endpoint field in the discovery endpoint as the Authorize Endpoint URL in Salesforce. Use the token_endpoint field in the discovery endpoint as the Token Endpoint URL in Salesforce. Use the issuer field in the discovery endpoint as the Token Issuer in Salesforce.
Place the Full Scope Value, from Step 6 of “Create an Azure AD B2C Application”, in Default Scopes. Add “ read” to the end. (The final value should look something like this: https://{tenant-id}.onmicrosoft.com/{application-name}/read openid)
For Registration Handler, follow Step 11 from these directions: https://help.salesforce.com/articleView?id=sso_provider_openid_connect.htm&type=5
a. Note, in case that link changes. You can create a new Registration Handler using the code in this GitHub repository: https://github.com/salesforceidentity/social-signon-reghandler/blob/master/SocialRegHandler.cls. You may need to add u.CompanyName = 'CompanyName'; in the prepareUserData method.
Pause here, we’ll come back from Token Issuer.
Setup a Dummy User Info Endpoint
Salesforce requires a User Info endpoint. Azure AD B2C does not provide one. You can use the code in this GitHub repository to create a version of a user info endpoint: https://github.com/azure-ad-b2c/samples/tree/master/policies/user-info-endpoint
This code will only return the claims present on the user’s token. We settled on modifying the code to run in an Azure Function.
Whatever your solution, you should end up with a REST endpoint. Place that REST endpoint in the User Info field of the Auth. Provider in Salesforce.
Click Save.
Authorize the Callback URL in Azure AD B2C Application
Click on the Auth Provider configured in the above steps.
Under Salesforce Configuration, save the Single Logout URL.
Expand Communities and save the Callback URL of the Community in which you want to enable SSO.
Return to Azure AD B2C. Navigate to App registrations (Preview). Click All applications.
Select the application created in “Create an Azure AD B2C Application”. Click Authentication.
Click Add URI. Add the Callback URL from Step 3. Update the Logout URL with the Single Logout URL from Step 2. Click Save.
Are you able to test this login endpoint in your terminal using curl, to ensure it is returning the token?
curl -v https://<Azure login endpoint> -d "grant_type=password" -d "username=user#login.demo" -d "password=password"
You may need to add additional parameters to the curl command for Azure (perhaps add a client id & client secret?
I have an node.js application with a working server2server GMail API communication via an service_account.
Everything works fine.
To be able to communicate with a users account, the G Suite Admin has to grant API Acess to the Client ID of my service_account manually.
As described here:
Impersonating list of users with Google Service Account
with a Marketplace App it would be possible, to grant access only to specific organizationals units (OUs) and it would be more fancy to use (enabling a marketing place app is more user friendly than configuring API Access for ClientID and Scope manually like here:
)
Now my question: Is it possible to provide a Marketplace App only for the purpose to grant API access for my application automatically? Will it get through the review when it has no other purpose? Any other hints on this?
Yes it is a working way to create a marketplace application to grant the API access automatically when the G Suite Admin installs this application.
The only restriction is, that your actual application has to support Google SSO to make it through the review process. So the user must be able to log into your Web Application by clicking on the icon in his G Suite account. If the user has no account in your web app, an account has to be created automatically (trial-account is sufficient)
When I try to login for the first time with new user via active directory to graphexplorer.windowsazure.net I get following scopes:
In my apps.dev.microsoft.com I have following permissions:
Why am I getting only these two scopes in access token:
Apps registered via the Application Registration Portal use the Azure AD v2 endpoint which supports incremental consent.
This means that while your app registration determines which scopes can be requested, you still need to specify specific scopes when you make the authorize request. Also, you should avoid requesting all scopes up front, rather incrementally request scopes as needed in the context of specific operations. So start out with your authorize request as you have it, with no extra scopes but when you need to send an email on behalf of the user issue another authorize request like so:
GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=
https%3A%2F%2Fgraph.microsoft.com%2Fmail.send
&state=12345
For more info on scopes in the v2.0 endpoint check out the Scopes, permissions, and consent in the Azure Active Directory v2.0 endpoint document.
For an example of an app that incrementally requests scopes, check out this Integrate Microsoft identity and the Microsoft Graph into a web application using OpenID Connect sample.
Also note that there 2 different Graph APIs:
Azure AD Graph (endpoint: graph.windows.net, explorer: https://graphexplorer.azurewebsites.net/)
Microsoft Graph (Endpoint: graph.microsoft.com, Explorer: https://developer.microsoft.com/en-us/graph/graph-explorer)
From https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api:
We strongly recommend that you use Microsoft Graph instead of Azure AD Graph API to access Azure Active Directory resources. Our development efforts are now concentrated on Microsoft Graph and no further enhancements are planned for Azure AD Graph API. There are a very limited number of scenarios for which Azure AD Graph API might still be appropriate; for more information, see the Microsoft Graph or the Azure AD Graph blog post in the Office Dev Center.
I'm not quite sure where that screen shot is coming from, but the URL you're going to is incorrect. The correct URL for Graph Explorer is https://developer.microsoft.com/en-us/graph/graph-explorer.