Setting ADFS Login To Be Persistent Across Browser Sessions - active-directory

We've got a CRM 2011 implementation using IFD, which in turn means it uses claims-based identity and ADFS.
I’m struggling to determine how I can keep my user logged in across multiple browser sessions.
I’m not an ADFS expert; I know enough to watch the How-2 video for CRM IFD and click through the wizards. Usually I'd back myself to Google something like this in no time but I've had no luck to date.
Can anyone provide some guidance as to how I might configure some sort of persistence of login in this setup? i.e. for the user to remain logged in and able to return directly to CRM even when they close their browser.

You need to increase the TokenLifetime. Refer:
CRM 2011 ADFS and TokenLifetime

It is hardcoded to be a session cookie in Microsoft.Crm.Authentication.CrmSessionAuthenticationManager, Microsoft.Crm.Authentication.
You would need to decompile the class, change the code and configure CRM to use your new module in the web.config.

Related

Azure AD SCIM - How to Enable the Provisioning Section

I need Azure AD users to be synced into my application, so I've been researching how to implement SCIM and configure Azure AD to work with it. My end goal is to have my application listed as the ones here: https://learn.microsoft.com/en-gb/azure/active-directory/saas-apps/tutorial-list, and to do this, it should support SSO + User provisioning.
The implementation is kind of straightforward as SCIM is a standard and I just need to implement a bunch of APIs complying with a specific contract, so this should work.
The problem I'm having, though, is I cannot find how to enable the "Provisioning" feature for my application. I've been reading the articles and watching the videos Microsoft provided (https://learn.microsoft.com/en-gb/azure/active-directory/app-provisioning/configure-automatic-user-provisioning-portal for instance) and it seems that when I click the Provisioning section in my app, I should be able to configure it. Unfortunately, I don't see the UI shown in the tutorials, so I suppose I've been missing some step that is not explained in the docs. Also, I'd expect to have somewhere to configure the base URL that should contain all endpoints required for the SCIM standard. I don't see this either, which confirms my feeling I'm missing something essential.
Here are the steps I've been taking:
Open the Azure portal
Create an enterprise app - Click on Enterprise applications, Create your own application, and Integrate any other application you don't find in the gallery (Non-gallery)
Once the application gets created, I can't see anything in the "Provisioning" settings
I found a solution to the problem I've described above. Unfortunately, I somehow missed the big blue "Get Started" button in the middle of the screen. When you click this button, the configuration I've been looking for appears and it is all good.
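The question above mentions that the SCIM side is "a bunch of APIs complying with a specific contract". As an added example (not code from the question or from Microsoft), this is the one call the Azure AD provisioning service makes before every create, a filtered `GET /Users?filter=userName eq "..."`, answered with a SCIM 2.0 ListResponse; the user store and names are constructed for illustration.

```python
import re

# Constructed sample user store on the SCIM server side (not a real tenant's data).
USERS = [
    {"id": "u-1", "userName": "alice@contoso.example", "active": True,
     "name": {"givenName": "Alice", "familyName": "Liddell"}},
    {"id": "u-2", "userName": "bob@contoso.example", "active": False,
     "name": {"givenName": "Bob", "familyName": "Builder"}},
]

# Before creating a user, the Azure AD provisioning service looks it up with
# GET /Users?filter=userName eq "value"; this accepts that quoted-equality form only.
_EQ_FILTER = re.compile(r'^\s*(?P<attr>[A-Za-z][\w.]*)\s+eq\s+"(?P<value>[^"]*)"\s*$')

def parse_eq_filter(filter_expr):
    """Return (attribute, value) for a SCIM 'attr eq "value"' filter, else ValueError."""
    match = _EQ_FILTER.match(filter_expr)
    if not match:
        raise ValueError(f"unsupported SCIM filter: {filter_expr!r}")
    return match.group("attr"), match.group("value")

def lookup(resource, dotted_path):
    """Resolve a dotted SCIM attribute path such as name.givenName."""
    for part in dotted_path.split("."):
        if not isinstance(resource, dict) or part not in resource:
            return None
        resource = resource[part]
    return resource

def list_users(filter_expr=None, start_index=1, count=100):
    """Build the SCIM 2.0 ListResponse body for GET /Users (RFC 7644 section 3.4.2)."""
    matches = USERS
    if filter_expr:
        attr, value = parse_eq_filter(filter_expr)
        # core-schema string attributes like userName are not caseExact, so compare lowercased
        matches = [u for u in USERS
                   if lookup(u, attr) is not None
                   and str(lookup(u, attr)).lower() == value.lower()]
    page = matches[start_index - 1:start_index - 1 + count]   # startIndex is 1-based
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
        "totalResults": len(matches),
        "startIndex": start_index,
        "itemsPerPage": len(page),
        "Resources": [dict(u, schemas=["urn:ietf:params:scim:schemas:core:2.0:User"])
                      for u in page],
    }
```

A filter the server does not understand should be rejected (HTTP 400 in a real endpoint) rather than silently returning every user, which is why `parse_eq_filter` raises.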

Can I use a Sharepoint view in an iFrame on an external website/app that has users authenticated with Azure AD SSO

We have a new intranet site that uses our AzureAD credentials with SSO (via SAML2.0). There's a widget that can display personal or specific Sharepoint Document folders but I've found that this is lacking in detail - particularly some of the document metadata.
Is there a way to use a curated Sharepoint View in an iFrame on this cross-domain website?
At present when I try, it comes up with an error
Refused to display "sharepoint-site-page" in a frame because it is set
'X-Frame-Options' to 'sameorigin'
I'd be grateful for any assistance if possible. Thanks!
Not sure if this applies to your particular view,
however this is a pretty well known thing that Microsoft locks down SharePoint to not allow cross-site iframing by default.
You could try this solution:
https://www.sharepointpals.com/post/how-to-bypass-cross-domain-issues-to-display-sharepoint-online-pages-within-iframe-from-an-external-domain/
It makes use of the AllowFraming tag, which Microsoft allows for exactly that.
As per: https://learn.microsoft.com/en-us/archive/blogs/officeapps/iframing-sharepoint-hosted-pages-in-apps
Hope this helps you a bit.

Update O365 proxyAddresses via API

Using the Microsoft Graph API I need to be able to update the attribute proxyAddresses as part of our provisioning process to enable self-service password management for our end users.
I see that this attribute is read-only from the Graph API but as of 8 months ago MS was entertaining the possibility of making it RW. Does anyone have any color on this, has anyone found a workaround to this issue via API?
This isn't supported in either v1.0 or Beta at the moment but there is an open UserVoice request for this feature: Ability to update the user's email aliases (proxyAddresses attribute).
Also if you are working with bigger customers - usually you want to sync their identities from local Active Directory using the AD Connect tool. In that case you should implement things and change the proxyAddresses attribute in local AD, because it is the "identity authority" (meaning that you can't change it on the cloud side and it must be done in on-prem AD).
So it could be a workaround for the problem you are trying to solve.
Also if it is a cloud-only (not synced) identity - you can use PowerShell to modify the proxyAddresses attribute on users.
Here is documentation on how to do that - https://technet.microsoft.com/en-us/library/bb123794(v=exchg.160).aspx
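Whichever side is authoritative, a provisioning step that writes proxyAddresses has to respect the attribute's value format. The helper below is an added example (not from the thread or from Microsoft): it adds an SMTP alias while preserving the convention that exactly one value carries the upper-case `SMTP:` primary prefix and the rest use lower-case `smtp:`, leaving non-SMTP values such as X500 untouched; the function names and sample addresses are my own.

```python
def add_proxy_address(proxy_addresses, address, make_primary=False):
    """Return a new proxyAddresses list with `address` added as an SMTP value.

    Convention (Exchange/AD): one value is prefixed 'SMTP:' (the primary address),
    every other SMTP alias is prefixed 'smtp:', and the address part is matched
    case-insensitively. Other prefixes (X500:, SIP:, x400:) are passed through.
    """
    address = address.strip()
    if address.count("@") != 1 or ":" in address:
        raise ValueError(f"not a bare SMTP address: {address!r}")
    wanted = address.lower()
    result = []
    for entry in proxy_addresses:
        prefix, sep, value = entry.partition(":")
        if not sep or prefix.lower() != "smtp":
            result.append(entry)          # non-SMTP value: keep exactly as is
            continue
        if value.lower() == wanted:
            continue                      # re-added below with the requested primary flag
        if make_primary and prefix == "SMTP":
            prefix = "smtp"               # demote the old primary: only one SMTP: allowed
        result.append(f"{prefix}:{value}")
    has_primary = any(p.startswith("SMTP:") for p in result)
    # a user with no primary yet gets this address as the primary
    marker = "SMTP" if make_primary or not has_primary else "smtp"
    result.append(f"{marker}:{address}")
    return result

def primary_smtp(proxy_addresses):
    """Return the single primary address, raising if the one-primary invariant is broken."""
    primaries = [p[len("SMTP:"):] for p in proxy_addresses if p.startswith("SMTP:")]
    if len(primaries) != 1:
        raise ValueError(f"expected exactly one SMTP: value, found {len(primaries)}")
    return primaries[0]
```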

Restricting URLs using Active Directory in Weblogic 10.3 - where to start?

We are looking to use an Active Directory server to restrict access to certain URLs in our Spring application on a Weblogic server and I have no idea where to start. The problem should be quite simple as I understand it; we have a simple app which has a number of URLs:
<root>/page1.do
<root>/page2.do
<root>/page3.do
etc.
And an Active Directory server which lists the users in two groups, such as "Admin" and "User". We would like it so that based on the login information provided (no SSO required), anyone in "Admin" can access all pages, anyone in "User" can only access page2.do and page3.do.
I have absolutely no idea where to start and Google isn't being very forthcoming. I would have hoped that this is an easy task (add AD server to weblogic, set up a config file). Anyone have any experience with this and links to good places to get started or a summary of what we will need to do to get it working in this fashion?
Cheers
You should be able to easily use your AD as an Authentication Provider in your Weblogic server(s). Here is some documentation to get started on how to do the configuration:
http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/atn.html#wp1198953
After that, you can configure security roles and security policies in order to control access to your server's resources. Again, some docs to get started: http://download.oracle.com/docs/cd/E13222_01/wls/docs81/secintro/concepts.html#1083616
If you prefer a good book to start with, here goes my suggestion: http://onjava.com/pub/a/onjava/excerpt/weblogic_chap17/index.html. Although somewhat old, this chapter covers pretty much everything you need to know.

Is it a good idea to use Active Directory user login to your application

I am developing a web based intranet for my company. I just want to know, is it a good thing for users to login to the application using their Active Directory login details, or shall I create a login together with the application db?
If there is anything better than this please suggest. This is my first application development so I need help from experienced people.
Generally it's a good idea to try and minimize the number of accounts people need to have.
So I'd definitely try and use their Active Directory login.
Also if desirable, you can automatically log people into your application using various single sign on methods (either integrated into IIS, or other).
This makes for a very usable application, as people always forget login details, and hate to login again to other systems.
Only use Active Directory for your intranet if your infrastructure supports it.
Your question is phrased as if you think the user has to type their password in again to login to the intranet site - they should not do this! Have Windows pass on the credentials automatically. This is pretty much built in to dotnet/IIS/etc.
Also AD will add group management and privileges so you can restrict areas of your intranet to members of certain groups.
And your support team already have the tools to manage all this.
PS you can enable Firefox to auto log on via NTLM and it is one of the most requested features for Chrome too, so don't let browser issues put you off.
There are several pros to using Active Directory authentication in the intranet.
These are the main ones:
You want to keep the number of authentication stores as low as possible.
Using Active Directory, users who have their desktop in the domain (as they should) will be able to use Integrated Windows Authentication. They will be able to log in without having to type their password.
An Active Directory authentication mechanism probably exists for your language
More information:
http://msdn.microsoft.com/en-us/library/ms998358.aspx
If you create a separate login system, then your users have to remember 2 different logins. Why bother, when their "real" login is right at hand?
Less code for you to write and better integration into the wider system. And, who doesn't want FEWER passwords to remember.
Definitely go for the Active Directory option, or use Active Directory as an LDAP server if whatever language you're using doesn't directly support AD. Active Directory actually makes a pretty good LDAP server.
If there is anything better than this please suggest.
OpenID?...
