Converting a Kerberos token (Microsoft AD) to SAML or JWT - active-directory

I have users with Single-Sign-On against Microsoft AD using Kerberos tickets. I would need to have these tickets to be "converted" to either SAML or JWT. Do you know of such a service?

Use Azure Active Directory for this, AAD has a Security Token Service (STS) which does exactly this for you.
https://azure.microsoft.com/nl-nl/documentation/articles/active-directory-authentication-scenarios/
You do need to set up ADFS for single sign-on, but this is something very useful for other scenarios as well.

Related

Azure bus integration with GO based application

We are trying to connect to an Azure Service Bus entity from a "GO" language application, and the integration with an Azure Service Bus entity is possible by supplying either a SAS token or an Azure AD OAuth2.0 token, which is obtained via security principals. Technically I prefer the security principals option rather than the SAS token, as it has security vulnerabilities.
How do I acquire an OAuth2.0 token from Azure AD using a language like "GO", for which no Azure AD SDK is available?
Is it possible to make a direct call to the Azure AD REST APIs to obtain an OAuth2.0 token? If yes, a code sample would be helpful; otherwise please suggest suitable options.
Here are available authentication methods for Go.
Also, you can make a direct call to get the access token.
https://login.microsoftonline.com/{tenant}/oauth2/token
Reference:
OAuth 2.0 client credentials grant
Authenticate and authorize an application with Azure Active Directory to access Azure Service Bus entities
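As an added illustration of the direct call the answer above points to (this is not code from the answer or from any Azure SDK), the client credentials grant against the v1 token endpoint in plain Go, with a constructed in-process mock standing in for Azure AD so it runs offline. The resource value `https://servicebus.azure.net` and the client id/secret are assumptions for the demo; a real token request goes to `https://login.microsoftonline.com/{tenant}/oauth2/token`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// TokenResponse holds the fields of the v1 token reply a caller needs.
type TokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	Resource    string `json:"resource"` // audience the token was issued for
}
// RequestToken runs the client credentials grant against tokenURL (v1: https://login.microsoftonline.com/{tenant}/oauth2/token).
func RequestToken(c *http.Client, tokenURL, clientID, clientSecret, resource string) (*TokenResponse, error) {
	form := url.Values{"grant_type": {"client_credentials"}, "client_id": {clientID},
		"client_secret": {clientSecret}, "resource": {resource}} // the v2 endpoint takes "scope" instead of "resource"
	resp, err := c.PostForm(tokenURL, form)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // bad credentials come back as a non-200 JSON error, never as a token
		return nil, fmt.Errorf("token endpoint returned HTTP %d", resp.StatusCode)
	}
	var tr TokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil || tr.AccessToken == "" {
		return nil, fmt.Errorf("unusable token reply: %v", err)
	}
	return &tr, nil
}
// NewMockTokenServer is a constructed offline stand-in for Azure AD; like the real one it rejects a wrong grant type or credential.
func NewMockTokenServer(wantID, wantSecret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.PostFormValue("grant_type") != "client_credentials" || r.PostFormValue("client_id") != wantID || r.PostFormValue("client_secret") != wantSecret {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		fmt.Fprintf(w, `{"token_type":"Bearer","expires_in":"3599","resource":%q,"access_token":"constructed.sample.token"}`, r.PostFormValue("resource"))
	}))
}
func main() {
	srv := NewMockTokenServer("app-id", "app-secret")
	defer srv.Close()
	tr, err := RequestToken(srv.Client(), srv.URL, "app-id", "app-secret", "https://servicebus.azure.net")
	fmt.Println(tr, err) // on success tr.AccessToken goes in the "Authorization: Bearer <token>" header sent to Service Bus
}
```

Point the same function at the real endpoint URL with an application registration's id and secret and the returned access token is what the Service Bus REST/AMQP calls expect; keep the client secret out of source control, since anyone holding it can mint tokens the same way.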

Client Credentials w/ Azure AD Token Validation

I am working on a mobile app that currently has the Intune SDK integrated into the app itself. This Intune SDK forces a user to log in using their company credentials, and in response a subject ID and an Azure AD token are set in the app session.
I would like to integrate this app with an Identity Server instance using the client credentials grant, but in addition to the client id and password, I would like to pass along the Intune Azure AD token (and have it validated by the Identity Server) as a better level of security than the client secret (which is compromised by being in the app code).
What would be the best approach here?
Here are my thoughts on options:
Create a custom grant type that accepts client id, client password and the Azure AD token? What's the best way to approach this, if so?
Create an ISecretValidator implementation that checks if a password is an AAD token first, then validates the token if so. Does this introduce security concerns?

ADFS with other user registries than AD

I would like to configure ADFS to authenticate users and return an access token for SSO from other user sources.
Is it possible to use ADFS for SSO but toward other user registries than AD?
One minor correction to nzpcmad's answer. In ADFS 2016, ADFS can log in users from any 3rd party LDAP repository, including virtual directories that can wrap a SQL DB and expose it as LDAP. https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-to-authenticate-users-stored-in-ldap-directories
No - it only works for AD and for ADAM (LDS).
What you can do is use products like identityserver and Auth0 to handle these user sources and then federate them with ADFS.

Is it possible to add onprem_sid claim to AAD Identity Token obtained via AAD v2 endpoint?

I've got a SPA application that uses MSAL to obtain an identity token for a user authenticating against our AAD. We have a one-way sync from our on-prem AD to our AAD and the on-prem SID is stored in the AAD.
When I was using ADAL to obtain a token, I actually received the on-prem SID as part of the identity token; however, that changed when switching to MSAL.
I'm curious if there is some way to add the on-prem SID claim to the token returned from the v2 endpoint?
AFAIK, Azure AD v2.0 doesn't support issuing custom claims at present. You can send a feature request to the Azure AD Feedback Forum.

Using SAML Tokens in ADFS Without a Windows ID

Is it possible to use SAML tokens in ADFS without needing a Windows Id (Active Directory account)?
Yes, it is possible. ADFS can either use Active Directory accounts as identities, or use federated accounts from an upstream identity provider. You can set up any identity provider that supports SAML2 or WS-FED and connect that to ADFS. Then ADFS will treat users logging in through the upstream identity provider as real identities.