Retrieving data from AD with SAML - active-directory

We have been assigned a task, where we should integrate data from client's Active Directory on weekly basis. Currently we have working Single Sign On implemented with SAML with them. What would be the best approach to handle this situation? I'm still fairly new with SAML, so is it possible to access client's AD with SAML or should it be done with e.g LDAP instead?
All answers are much appreciated
- Andy

SAML is just an XML vocabulary. It has no functionality such as being able to connect to AD and search for users. That's what the Identity Provider (IdP) does. The IdP connects to AD, usually via LDAP, queries the attributes for a user and converts them to SAML format. It then sends the SAML, containing the attributes to the Service Provider (SP).
The point of SAML is the SP doesn't need integration, it just accepts SAML using SSO. So when a user logs in to the SP, the SP redirects them to the IdP, which authenticates them and redirects them back to the SP with their SAML attrobutes.
If you need to export all users from AD on a weekly basis you can just use LDAP and you don't need SSO.

Related

SAML purpose and authentication in azure AD

I have to use Azure Active Directory for authentication to my web application.
In my company it was suggested to use SAML instead of oauth and I am very new to SAML.
Question:
Is the purpose of SAML is only to authenticate or there is any more functionality?
There are documents to use SAML in enterprise application. So,How to implement saml from app registration?
SAML SSO is a form of delegated authentication. The user is authenticated at the identity provider site (eg Azure AD) which sends a SAML assertion containing user identity information to the service provider site. The service provider trusts this information and establishes a local authentication session for the user using the information contained in the SAML assertion. SAML assertions often contain the user's email address but any user identity information may be included. This is the primary use case for SAML and in many instances the only one supported.
Most platforms have SAML libraries etc available. It's strongly recommended you use one of these rather than trying to implement SAML yourself.

Combining custom registration and Azure AD?

I'm in a pickle, lacking the experiences that would provide me with guidance in my project and am seeking pointers from those for whom have Azure AD, SSO and Federation experience.
I am building an employee self service system and using Azure AD for identity management. I would like the user to be able to sign in using their employee ID # and password, not their email address; there should also be an option for the user to register for online access using their employee ID # and other personal information - their Azure Identity already having been established by humane resources.
The sign in flow would take the user to the Microsoft login page which would in turn detect that the user needs to sign in via a custom login page and redirect them there. Once they are signed in, my server would transmit their identity to Azure AD and grant them access based on the Azure Application permissions.
I'm simply really confused about how to start setting this up, if it's even possible. I'm aware of XSS but isn't Federation and SSO with SAML2 secure?
Do I need to use a federation application as a middle-man such as Ping Identity?
Thanks for any help!
Using e.g. Ping as an IDP generally won't help because Azure AD is already an IDP.
Microsoft Azure AD login pages can't be accessed by API and can't be customised to the extent you want.
And you can only sign-in with an email address because it's designed for domain-joined corporate customers.
You can do a lot of what you require with Azure AD B2C and custom policies. That will allow you to sign-in with a user name (= employee id) and you can create workflows.
You could then federate Azure AD and Azure AD B2C.
Your other option is to use an IDP that does allow authentication via an API e.g. Auth0.
Then you could have a custom login page that authenticates as appropriate.
Using Ping ID and other similar products is the fastest way to utilize SSO.

Salesforce SSO setup with ADFS for specific User groups in AD

So here is my dilemma or my somewhat up in the air question .
I have set my self with with a scenario in such that I've enabled SSO on Salesforce using ADFS certs, but currently all users have access to go through salesforce using SSO. I'd like to limit SSO to only three groups "user groups defined in AD" to be the only ones to be able to use SSO in salesforce.
I know i need to delegate access but not sure if i need to do this on the ADFS side or the salesforce end.... on ADFS the only thing i've done is create the certificate and brought them in salesforce and then taken the XML generated and bring that into ADFS.
Any help would be greatly appreciated it .
After Searching the web and this form i came to realise that there is a Delegated Authentication and i might need to install a Delegated Authentication WSDL not sure if this step is necessary for ADFS 3.0 .
Many people seem to point to using Delegated Authentication , but i'm wondering if there is any way to get the same functionality using claim tickets on the adfs server.
Thank You Again :)
You seem to describe something doable via AD FS authorization rules. Read https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/when-to-use-an-authorization-claim-rule
Essentially what you do is on the relying party for Salesforce in AD FS, you create authorization rules to permit/deny based on AD group membership. Therefore, if user is in group, AD FS issues token. if not, they get a deny which means no token that would allow access to Salesforce.
Also see https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/access-control-policies-in-ad-fs because based on your AD FS version you may be able to do this via an access control policy instead of issuance authorization rules.

B2C as IdP for SalesForce

Completely new to B2C. Tried both of these walkthroughs, but I'm missing something still:
https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Walkthroughs/RP-SAML.md
http://blogs.quovantis.com/saml-based-sso-with-azure-ad-b2c-as-an-idp/
Both of these only describe the policies needed, but I'm pretty sure I need to register an app on B2C still? The problem I have with app registration is that SalesForce gives me a token endpoint URL with a query string:
https://mycompany.cs79.my.salesforce.com/services/oauth2/token?so=00D1h000000Cnli
And B2C won't allow query strings in the reply URL.
Is there any way around this? Salesforce also supports OpenID I think, if that would be better?
::::::::::::UPDATE 6/22::::::::::
SAML:
I found and realized I was missing a critical step on the SalesForce side: adding the authentication provider to my domain's login page. Clicking the new link redirects me to B2C, but I get an immediate error from B2C. Application Insights shows the following exception:
The SAML technical profile 'serviceProviderMetadata' specifies a PartnerEntity URL of 'REMOVED', but fetching the metadata fails with reason 'For security reasons DTD is prohibited in this XML document. To enable DTD processing set the DtdProcessing property on XmlReaderSettings to Parse and pass the settings into XmlReader.Create method.
OpenID:
Using this write-up as a guideline, I've registered the app in B2C and configured the SalesForce side.
Instead of using the Azure AD authorization endpoints, I pulled my B2C tenants endpoints from my meta data URL (login.microsoftonline.com/{tenant}/.well-known/openid-configuration).
This works for my B2C admin account, however, when I try try a test user that isn't a B2C admin I get the following error from the B2C sign-in page:
Sorry, but we’re having trouble signing you in.
AADSTS50020: User account 'REMOVED' from identity provider 'LINK REMOVED' does not exist in tenant 'MTB2CTest' and cannot access the application '5c8b9f4f-cf28-42fe-b629-b87251532970' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
::::::::::::UPDATE 6/23::::::::::
OpenID:
I’ve found that it works 100% only for my B2C admin account if I don’t use a policy, but doesn't work for other accounts. When I use a policy, only accounts that signed up through the policy can authenticate with B2C (which is great) – but the token doesn’t seem to be reaching SalesForce. I've created two PDFs showing the configuration details and the results from each method (policy and nopolicy) here.
Both of these only describe the policies needed, but I'm pretty sure I need to register an app on B2C still?
Not exactly, you no need to register an app at B2C side. All the configuration you do in Policies is enough.
Did you try Salesforce SAML SSO article https://help.salesforce.com/articleView?id=sso_saml.htm&type=5
Check the above article and try to do configurations at Salesforce side and grab the details required by SAML RP
I hope by following both SAML RP and Configure SAML Settings for Single Sign-On articles you can configure B2C as IDP for Salesforce.
I stumbled on this question while trying to implement Azure AD B2C as an IdP for Salesforce. We used Open ID Connect to enable SSO between the two. This involved setting up an Application in Azure AD B2C, enabling the read scope on that application, and configuring the connection in Salesforce using that application, a custom policy returning a JWT token, and a dummy User Info endpoint.
Check out this answer for exact steps on how we set up Open ID Connect: https://stackoverflow.com/a/61639332/13484109

Will be possible to call directly IDP in SAML?

Because of xyz reasons, we don't have Service Provider (SP) to place SAML login request. So, here my question is will it be possible to login into SAML through IDP directly? If it is possible, could you please explain steps? We are using Webservices, please remind this.
The IdP can read SAML tokens but only when they are grouped using a profile. A common profile is the browser based WBSSO. So in order to talk to the IdP you need an SP. The SP just groups the SAML tokens into a profile the IdP can understand. Most SAML profiles are browser based but have a look at the ECP profile for non browser access https://wiki.shibboleth.net/confluence/display/CONCEPT/ECP

Resources