I am using IdentityServer3 for authentication. The indetityserver has 3 applications configured.
https://www.app1.com
https://www.app2.com
https://www.app3.com
A user is registered for all 3 applications. Currently user has to goto respective application url (for eaxample https://www.app1.com), which redirects user to identityserver for authentication and upon authentication user get redirected back to app web site.
Is there way to configure IdentityServer where user directly goes to identyserver, get authenticated and then identityserver list all the applications that user has access to? Here user would choose application he wants to login into.
Give your users a link to the IdentityServer login page. After login, display a form (with tiles or links or something) where the user can choose the application.
Make sure that the link to the application sends the user to a secured page (or a method where you challenge the user). This would cause the application to redirect the user to IdentityServer, which notices that the user is already identified (cookie), returns to the application where the user is automatically logged in.
In case the user wants to quit the application, redirect back to the tiles page to choose another application.
Please note that a user is not specifically bound to one application. Once logged in, the user can access all applications. If you want to allow specific access, you may want to solve this with claims.
P.S. I didn't notice you are using IdentityServer3 as you also tagged this as IdentityServer4. But I would expect this would work the same for both versions.
Related
Problem
In our Teams app tab we want to show the profile image/photo of the current user.
Things we tried
The user is authenticated with Single Sign-on for tabs and we store some user information to track some progress in our app. It is not possible to fetch the profile image from the Microsoft Graph API with the token from the Single Sign-On process — the User.Read permission is missing.
The user profile image does not seem to be available in the Teams context from the Microsoft Teams Javascript SDK.
In SharePoint it is possible to show the profile image of the current user with a special URL: https://<tenant>.sharepoint.com/_layouts/15/userphoto.aspx?size=L&accountname=<upn>. This fails in Teams with an "no access" redirect if the user has not logged in into SharePoint.
Seemingly possible solutions
Extra authentication step to get the User.Read permission; not ideal, nobody is gonna press a extra button just so we can show a profile image.
Convince the Single Sign-on for tabs process to include User.Read; Adding the permission in all kinds of configuration did not change anything in the resulting token.
Use a custom OAuth2 flow, according to this blog post it is possible to setup in the Single Sign-On for bots process. The Teams SDK does not seem to have the same possiblility.
Somehow make sure a user is authenticated in SharePoint so we can use the magic profile image URL; does not seem very likely.
Is there a solution workaround and/or something that we did not try yet for this problem?
You won't be able to modify what the standard SSO does, unfortunately.
The easiest way to deal with this is to use the Microsoft Graph Toolkit, specifically the Person component. It's exactly built for this kind of scenario, and you have the user's AadObjectId from the Teams context.
It does require an Azure Application, but I think you can use the same app. It -will- prompt the user, by default, with a consent popup, but you can get around this, as always, with an admin consenting on behalf of the user.
TLDR: Which is the correct way to check for login states across multiple web pages, a SPA or a Web App.
I'm looking to develop an internal staff website for a company I'm working with. We currently have a SPA configured and developed and working properly but as we are adding more features I'm thinking that we are going to need more than one single page.
Correct me if I'm wrong, but this is my current understanding of MSAL.js with SPAs. Let's say a end-user is attempting to access our staff page at [company].com/home, if the user has not authenticated with their account that is stored in our Azure AD, the end-user can authenticate only for that page and their session state can be stored in the local storage, so when they access [company].com/home, their login can be acquired silently and the end-user will not have to log in again. If they do not have an account, they will not be able to access any page.
Also, by this logic, if the end-user accesses [company].com/staffresources, they will have to also login for this page as well, in addition to the cached login for [company].com/home, and the same will follow for each page throughout the website. At least, that is my understanding, correct?
I do see that there is an option for a Web App, would this solve the issue to where the end-user would have to authenticate each seperate page that they attempt to connect to? Or is there a way to check for a login state using a SPA, if the user has not been authenticated, they are can be redirected to a [company].com/login.
Any direct links to proper documentation for a solution would also be greatly appreciated.
localstorage is segmented by domain, not by each individual page. If a user signs in with msal.js on [company].com/login they will be signed on every page under the [company].com domain.
What we'd like to do is to automatically Sign In\Login the user after they successfully Sign Up.
Let's say the user got an invitation for the application. They go to the Sign Up page, fills out the form and clicks the Create button. If all is OK, the user is added to Azure B2C directory and then we'd somehow have the Sign In policy run automatically OR some other way of logging in automatically.
So I just want to know if this is viable or not when using Azure B2C.
EDIT
After further debugging I see what is the problem...
We have an old AngularJS (1.6) SPA application.
An #id_token is sent back from Azure B2C after the user completes the Sign Up process... however after the URL in the browser has the #id_token, control is not passed to the application, that is, OWIN middleware is not being called. For the Sign In it works as expected since it starts from within the SPA itself. The user clicks the Login button and is redirected by msalService.loginRedirect.
The Sign Up policy execution is different because it starts by an e-mail invitation link only. So it's not from within the SPA itself.
The hash portion of #id_token is being messed up by AngularJS once Azure B2C redirects back to the app.
I already played with AngularJS $locationProvider.html5(true) mode but it did not work.
What I'm trying to do now is to redirect to a custom signup.html reply URL and then return to the AngularJS app but I'm not sure how to wire up this.
By default, at the end of a flow (i.e. all built-in flows except the password reset flow and all custom flows except the password reset flow), an SSO session is generated for the user so, in effect, they are signed in after sign-up.
Therefore, the default experience in the same session is that, if a user signs up for App A and then is redirected to sign in for App B, then they won't be prompted to re-authenticate.
You can configure the sign-up and sign-in flows so that they issue the same claims so applications can handle the sign-up and sign-in callbacks with the same behavior.
I'm very new to LDAP and Active Directory and I'm probably understanding something completely wrong.
I know ASP.NET Identity and forms authentication (however, I'm also quite new to that) and my question is actually if it is possible to use certain features you can use with forms authentication (explanation further below) with Active Directory.
I'm building an MVC web application and I'd like to authenticate my users against Active Directory. That would be possible with ADFS. The template you get when using ASP.NET Identity in VS2013 uses passive authentication. Is it however possible to not do this redirect to the Active Directory domain but create a custom login page for the user?
Is it also possible to do user management with Active Directory like that is possible with forms authentication? I was thinking about:
A page where the user can register himself
Ability for the user to change his password (I know this is possible with ADFS, but the user may not be logged in. I want him to do this when he's logged in, with a self-made page.)
Logging in on a new computer should ask for a code specified in an email
Set up password policy in the application
... (Other things that I might have forgotten)
When these things aren't implicitly possible with Active Directory, please advise on how to configure the application to acquire this functionality (when possible with Active Directory).
Thank you very much in advance for helping me!
EDIT 1:
To leave my question not too open, I maybe better just start with that custom login page. When I understand it well, the normal flow when using ADFS to authenticate your users against is:
A user tries to access a web page of an application for which he needs to be authenticated
(Passive) redirect to a login page provided by ADFS -> user enter his AD credentials
ADFS returns token
Token is sent to the web application (that ADFS trusts)
When the web application thinks everything is ok, it stores an authentication cookie in the user's browser (I guess), and the user can access the web page
What I would like:
A user tries to access a web page of an application for which he needs to be authenticated
Redirect to a login page of that same web application where the user can enter his credentials
The entered credentials are sent to ADFS (I guess) and it returns something (a token?) with information about whether the login succeeded or not (This step could be preceded by a call to some (self-made) service (a Web API application) that multiple client applications could use for their authentication against the same directory)
When the login succeeded, the web application stores a cookie in the user's browser and the user is able to access the page
I don't know if that makes sense? I'm just wondering how companies that use Active Directory to store user information can still have a custom login page, registration page and other user management stuff. (Or don't they use AD but do they just have their own databases?)
Normally if you want a custom login page you use an ADFS active profile implementation (e.g. WCF) to do the authentication.
User provisioning is not part of ADFS. To do this you need an Identity Manager e.g. PingFederate, OpenIDM.
If you are using ADFS 2.0 or 2.1, you can customize the pages (because they run on IIS) and add these features or redirect to a separate website which does.
Most of what you want is OOTB AD functionality. Refer: Everything in Active Directory via C#.NET 3.5 (Using System.DirectoryServices.AccountManagement).
Password policy can be extremely complex. I don't know of any API's that explicitly do this.
If you are using ADFS 3.0, these is no ISS so you are pretty much out of luck.
It's not really an answer to my question here, but if someone is interested in what I eventually did: you can read it (very briefly) here.
I have two separate applications (app1 and app2 based on MEAN stack) running on my server. I want to add a new application that manages the authentication for both applications. I mean if I try to log in from app1, it redirects me to a login form in auth application, and after login I come back to the previous url in app1. After that, if I go to app2, I'm still logged in.
I'm looking to implement something like similar to the google accounts/ServiceLogin: I can log in one time, and the session remains for almost all google products.
Something important is that I use subdomains for each app: app1.mydomain.com and app2.mydomain.com.
How can I do that using node and express?
Currently I use vhost to manage each subdomain.
You're looking for a single sign on solution.
I'm only familiar with one solution that Stormpath provides, which is called 'ID site'. It's basically a hosted authentication site that handles auth for you, then passes logged in users between your subdomains.
The way it works is like this:
User visits www.yousite.com.
User clicks 'login'.
User is re-directed to login.yoursite.com.
User then logs in.
User is then redirected to dashboard.yoursite.com and is fully authenticated (SSO).
You can implement this quite easily using express-stormpath, here's the relevant docs: https://docs.stormpath.com/nodejs/express/product.html#use-hosted-login