I have been able to set up the single tenant SSO but don't really know what steps to follow on (Canvas or Azure side) to enable multi-tenant.
Canvas LMS is hosted on my own website.
You can follow the steps below to convert your application into a multi-tenant app.
In Azure Portal, update your application registration to be multi-tenant. You can make your registration multi-tenant by finding the “Multi-Tenanted” switch on the properties page of your application registration in the Azure portal and setting it to “Yes”.
Update your code to send requests to the /common endpoint: https://login.microsoftonline.com/common
Update your code to handle multiple issuer values
Understand user and admin consent and make appropriate code changes
More details about multi-tenant application, please refer to the following article.
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview
Related
I am looking to develop a SAAS product where tenant from different organizations can log into my application and there are specific set of custom Permissions that I want to create for my application which will allow users to access different endpoints in my application.
Application is hosted in a inhouse server.
Can someone please help me to understand what would be my approach to do so?
I am doing App Registration in Azure AD. And in the redirect uri I am passing my application url.
I am stuck after that.
I tried to reproduce the same in my environment and got the results like below:
To integrate the SaaS Application in Azure AD, Register an Application in Azure AD.
As you need tenant from different organizations log into the application, make sure to configure the Application as Multi-Tenant like below:
Based on your requirement you can select the API permission which you want the users to access like below:
For sample, I selected Microsoft Graph and added the required API permissions:
You can choose Delegated or Application API permissions based the Grant Flows.
For Client-Credentials, need to grant Application API permissions and for Authorization Code Flow need to grant Delegated API permissions.
For sample, I am using OAuth 2.0 authorization code flow to generate the token for authentication.
I generated Auth-Code using below authorize endpoint:
This will authorize the request and redirect it to the application.
I generated the token using below parameters:
Using the above generated Access token, you can call Microsoft Graph API.
If you want B2B collaboration, refer to the document provided by bahrep in the comments.
References:
Register a SaaS application - Azure Marketplace | Microsoft Learn
Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft Entra
We installed an enterprise application through the Azure AD App Gallery. But when we try to config the Single Sign-on, it keeps saying:
The single sign-on configuration is not available for this application
in the Enterprise applications experience. HubSpot is a multi-tenant
application and the application is owned by another tenant.
Do we need to change some settings to allow the setup of Single sign-on?
We followed this tutorial but are now stuck on "Configure Azure AD SSO".
When added the hubspot application from Azure AD Enterprise application gallery like below ,you should be able to see if SSO setting is available or not and the ways it can be supported for sso.(Here i can be able to use SAML based SSO, or linked SSO)
Then you should be able to edit the saml configuration
For me when I search the hubspot app created in app registrations, its under supported account type of my organization only.
Please check if the App is registered and added as Multi-Tenant App in your case and users have to use login for particular tenant instead of common to avoid error.
Also user accounts need to be pre-provisioned into HubSpot prior to
sign-in .
Reference:
Sign in with My Apps portal and Azure AD SSO in multi tenants application - Stack Overflow
I created an Application Registration on our Azure AD.
I then use the application registration id to create "Enterprise Application" in our customers' AD's.
It goes like this
Their admin sign into our system and clicks connect AD
We send a challenge (OpenId Connect) that allows them to sign into their microsoft account.
This creates our application under "Enterprise Applications" in their AD and it then workes fine with SSO
So far so good. But now we want to add the next logical step with Provisioning with Scim v2 however if I on a customer/test AD browse to our app under Enterprise Application and then click Provisioning I see the following
There is no way to hook up provisioning no matter if I support Scim2 as required.
Why is this? Does our app need to be in the gallery for this to work?
I noticed I can go to Enterprise Applications > New application > Non-gallery application and create a new application. This will then work with provisioning.
But then our customers would need two apps, one from our app registration that does SSO and one more for provisioning. I would like one app to do both.
Your app needs to be in the gallery to have provisioning enabled. Barring that, the only other option is what you've already described - a custom non-gallery app.
To get your app in the gallery, https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-howto-app-gallery-listing
I'm working on an application that has an angular 6 front end and a .net core 2.0 back-end and am trying to set it up so that my application authenticates users via Azure active directory. The issue is that I want the .net core back-end to do all the authentication programmatically when I have the front end pass an email and password. Everything that I've seen so far online suggests to have the front end redirect to the Microsoft login page but we are using our application as a boiler plate project and want to be able to change the type of authentication easily in the back-end without having to change the angular front-end. Does anyone know how I could go about this?
You can use Resource Owner Password Credentials Grant .The process will like that you collect the user credentials in Angular app and post to .net core back end , then finish the authentication in back-end app with user's credential. But that is not recommended because The ROPC flow requires a high degree of trust and user exposure and you should only use this flow when other, more secure, flows can't be used.
Also :
The Microsoft identity platform endpoint only supports ROPC for Azure AD tenants, not personal accounts. This means that you must use a tenant-specific endpoint (https://login.microsoftonline.com/{TenantId_or_Name}) or the organizations endpoint.
Personal accounts that are invited to an Azure AD tenant can't use ROPC.
Accounts that don't have passwords can't sign in through ROPC. For this scenario, we recommend that you use a different flow for your app instead.
If users need to use multi-factor authentication (MFA) to log in to the application, they will be blocked instead.
Reference : https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
Scenario:
(Azure-hosted) Web App. Users should be able to sign in to my app using a Microsoft Account (i.e. #live.com, #hotmail.com, etc accounts) that has one or more Azure subscriptions. The application would then allow them to view and manage their Azure resources in specific ways through my app.
Points of confusion/frustration:
ADAL vs MSAL for authentication
Azure AD vs Azure AD B2C for the tenant hosting the application
Where do you register the tenant app? In the AD B2C under "App Registrations"? In a regular AD under "App Registrations (Preview)"? On the App Registration Portal (i.e. apps.dev.microsoft.com)?
Which of the above client ID & secret do you use in the web app (in the .config file)?
The documentation for none of these seem to cover the scenario end-to-end and most of it is completely out of sync with other developments.
I am hoping here to get some point of guidance from other developers that have actually gone through this journey themselves (rather than folks that just read the documentation). In specific, I am hoping to get answers from the Azure CXP team that monitors these questions and provides official & supported answers.
Your scenario requires access to Azure APIs, thus you have to make the logins against "regular" AAD, not B2C.
You can't make your logins against MSA accounts directly as they must be members of an AAD to have access to subscriptions.
You can use either ADAL or MSAL to handle the authentication.
Note you must use v2.0 endpoint for MSAL and the "v1" endpoint for ADAL.
See limitations of the v2 endpoint here: https://learn.microsoft.com/en-us/azure/active-directory/develop/azure-ad-endpoint-comparison.
You register it under Azure portal -> Azure Active Directory -> App registrations.
You can also use the preview version if you want.
You will need the application id (= client id) + a key (secret) from the app registration.