How to construct valid event Webhook endpoint/url for OKTA Event Hook? - okta

I have created an AllowAnonymous HttpPost action method, i.e. UserUnassignedFromOktaAsnc, and am trying to configure it as an Okta Event Hook endpoint.
If an Okta user gets unassigned in the Okta portal, the UserUnassignedFromOktaAsnc action method will be called to deactivate the user and prevent login.
Our enterprise application has been built on ASP.NET MVC 4.5 and is deployed in Azure App Service.
It seems we can't directly configure the endpoint in Okta; the Okta documentation suggests we have to construct the event hook endpoint/URL through ngrok or hookdeck.
I would like to know:
Is there any other way to construct a valid Okta endpoint/URL?
Do we also need to deploy ngrok or hookdeck along with the enterprise application in Azure App Service, and must it be up and running?

Step 1: We have to configure the Event Hook properly. If you are using localhost, follow the steps in the link shared by Matt: install hookdeck and run the command as given in the screenshot. The URL with the red tick mark is the correct one; copy it.
Step 2: Configure the Event Hook with the correct URL. Generally we should create one event hook per Okta event; google to see all the events provided by Okta.
Step 3: If you want to post locally, click on Preview and select the event type. The JSON will be loaded by Okta; then click 'Deliver Request'.
Step 4: If you configured it correctly, your ASP.NET MVC action method will be called.
You can also see the POST method log (refer to the first screenshot). You can notice [Error], because it is http although I configured it with https. It may be necessary to create a local https certificate and add it.
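The steps above stop at "the action method gets called". What the endpoint itself has to do is the part worth seeing in code, so here is an added example (not code from the question or the answer, and framework-independent rather than ASP.NET) of the logic an Okta Event Hook receiver must implement: answer Okta's one-time verification GET by echoing the X-Okta-Verification-Challenge header back as {"verification": "..."}, reject any POST whose Authorization header does not match the secret configured on the hook (the endpoint is anonymous as far as the app is concerned, so this header is the only thing stopping anyone on the internet from deactivating users), and pull the User target out of each application.user_membership.remove event. The domain, hook id, user ids and secret in the sample payload are constructed for the example; the payload layout follows Okta's documented event hook shape.

```python
"""Okta Event Hook receiver logic, independent of the web framework.

Added example, not part of the original post. The same three steps apply to
an ASP.NET MVC action: verification GET, shared-secret check, event handling.
All ids, hostnames and the secret below are constructed for the example.
"""
import hmac
import json
from typing import Callable, Dict, List, Tuple

# Okta event type fired when a user is unassigned from an application.
UNASSIGN_EVENT = "application.user_membership.remove"


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def handle_event_hook(method: str, headers: Dict[str, str], body: str,
                      shared_secret: str,
                      deactivate_user: Callable[[str], None]) -> Tuple[int, dict]:
    """Return (HTTP status, JSON body) for one request from Okta."""
    if method.upper() == "GET":
        # One-time verification: Okta will not activate the hook unless the
        # challenge value comes back as {"verification": "<value>"}.
        challenge = _header(headers, "X-Okta-Verification-Challenge")
        if not challenge:
            return 400, {"error": "missing verification challenge"}
        return 200, {"verification": challenge}

    if method.upper() != "POST":
        return 405, {"error": "method not allowed"}

    # Constant-time compare of the Authorization header Okta sends on every
    # delivery against the value configured on the hook.
    presented = _header(headers, "Authorization")
    if not hmac.compare_digest(presented.encode(), shared_secret.encode()):
        return 401, {"error": "bad authorization header"}

    try:
        events = json.loads(body)["data"]["events"]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "malformed event hook payload"}

    deactivated: List[str] = []
    for event in events:
        if event.get("eventType") != UNASSIGN_EVENT:
            continue
        # target[] lists both the User and the AppInstance; act on the User only.
        for target in event.get("target", []):
            if target.get("type") == "User" and target.get("id"):
                deactivate_user(target["id"])
                deactivated.append(target["id"])
    # Okta only needs a prompt 2xx; queue anything slow instead of doing it inline.
    return 200, {"deactivated": deactivated}


# Constructed sample delivery in Okta's event hook shape (not a captured message).
SAMPLE_EVENT = json.dumps({
    "eventType": "com.okta.event_hook",
    "eventTypeVersion": "1.0",
    "cloudEventsVersion": "0.1",
    "source": "https://example.okta.com/api/v1/eventHooks/who0example",
    "eventId": "11111111-2222-3333-4444-555555555555",
    "data": {"events": [{
        "eventType": UNASSIGN_EVENT,
        "displayMessage": "Remove user from application membership",
        "target": [
            {"id": "00uexample1", "type": "User", "alternateId": "alice@example.com"},
            {"id": "0oaexample1", "type": "AppInstance", "displayName": "Enterprise App"},
        ],
    }]},
})

if __name__ == "__main__":
    secret = "value-configured-on-the-okta-hook"  # constructed
    print(handle_event_hook("GET", {"x-okta-verification-challenge": "abc"}, "", secret, print))
    print(handle_event_hook("POST", {"Authorization": secret}, SAMPLE_EVENT, secret, print))
```

The answer to "do we need ngrok or hookdeck in Azure" follows from this: those tools only exist to give a localhost server a public HTTPS URL during development. An App Service already has one, so the hook URL is simply the public https URL of the action method, provided it implements the verification GET and the secret check above.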

Related

Azure Bot Single Sign On between Single Page Application using authorization code flow

As per the Microsoft documentation, it expects us to use the implicit flow for Single Sign On between a Bot and a Single Page Application. At the same time, Microsoft recommends that we move to the auth code flow. Our client's Azure AD team is not allowing the implicit flow anymore. Can the auth code flow work for SSO between an SPA and an Azure Bot?
Bot framework using implicit flow
https://learn.microsoft.com/en-us/microsoftteams/platform/bots/how-to/authentication/auth-aad-sso-bots
Implicit flow
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow
Create a bot application.
Go to AAD – App registration (https://go.microsoft.com/fwlink/?linkid=2083908)
Register one application
Go to Expose an API
Get the Application ID (Client ID)
Go to Expose an API
Paste the App ID and click on Save and Continue
Go to Client application and Click on Add a Client application
Go to Authentication and Click on Add a Platform
Click on Single page application.
Give the application redirection URI details.
Click on Configuration in Bot settings
Under configuration. Click on Add OAuth connection. Fill the required details.

Azure SSO and Laravel login have issue with SAML

I have followed the solution explained in the Azure SSO related question in the forum
After that I checked in the Azure portal, trying to test from the portal itself, but it keeps redirecting me to the login page. I am doing this for the first time, so it's new to me. Am I missing something, or do I need to write a login handler for my application to handle this? For now I have not created any handler for login because, as per the description in the link, it is supposed to work.
I tried putting a dd in the service provider that has been created, but it's not reflected. I am confused and stuck here: I am not getting where I need to write the logic to handle users with the type in this, as for login it is now redirecting me to the login route when I test it from the Azure portal.
Any guidance on this would be helpful !
• I would suggest you follow the GitHub documentation below for configuring Laravel SAML SSO in Azure AD, as it uses a Laravel package for SAML2 integration as a service provider itself. Also, as you have added the service provider in your case, it doesn't need to be added if you are using v5.5 or higher of Laravel, as it gets registered automatically. It is just for older versions that you need to add the service provider in 'config/app.php'.
https://github.com/aacotroneo/laravel-saml2
• Thus, once you do the above and publish the config files accordingly by executing the PHP commands, you will need to modify the IdP settings in the PHP app's configuration, and here please ensure that you are entering the ACS (Reply) URL and Identifier (Entity ID) from the application created in Azure AD correctly. Also, ensure that the required SAML URLs and certificate keys are correctly entered in the environment variables required in aad_idp_settings.php.
Also, please check the actual routes in the metadata by navigating to 'http(s)://{laravel_url}/{idpName}/metadata', as they must be reachable for your application to pass the authentication claims to AAD to get the authentication token. Since you are configuring SSO, please check the IdP metadata at 'http(s)://{laravel_url}/single_sign_on/mytestidp1/metadata', and finally please ensure that 'RedirectIfAuthenticated.php' is configured to redirect to '/routesPrefix/myIdp1/login', and the same in '/Exceptions/Handler.php'.
By following the above steps, your issue should be resolved.

Is it possible to trigger a custom action on new user with Keycloak?

I have a working Keycloak and a MailChimp account to link. Users should be added with their email to the MailChimp account once they're added to Keycloak. What should I do?
I'm using Spring Boot and token exchange in the backend to create user accounts and send back token responses. I wanted to do the verification in the backend, but it won't work as expected, as Keycloak would be joined to another app which isn't using my backend.
Any Ideas?
Implement the Event SPI (your own code; see the example), listen for/acquire the event of interest to you, and execute your custom "action".

Outlook API - Anyone else unable to register native application?

I am creating an app which will integrate with Outlook. The app consists of a back-end which will periodically sync calendar data with another system. To do this I want to use the REST api.
Based on instructions found here I believe I should use the client authorization flow to authenticate.
Next I go to the registration portal here to register my app. As the platform I add a 'Native Application'. Next I must enter a custom redirect URI. This is where things go wrong.
I try to enter http://localhost:8080/register for local testing. I get the following error:
Your URI must be in the format of {scheme}://{domain}/{path}, and be limited to 255 characters in length.
Basically any valid URI is denied. Interestingly if I try test://localhost:8080/register it is accepted.
Am I misunderstanding something? Is this a bug on Microsoft's page?
For client_credentials there isn't a callback URI. You're passing the client secret as your credentials, and you don't need a Web or Native application defined.

Okta sign-in widget with PHP does not work

I was trying to setup OAuth workflow using the sample application as given here
However, for some reason, after I enter my Okta user ID and password, I never get control back on my callback URL and the application just hangs indefinitely.
However, the normal JavaScript Sign-in widget (check this link) with the minimal authentication does work and I get control back to the redirect URL. But this is not for an OAuth2 workflow... which is completely useless for me, because all it does is provide an authentication service using the Okta tenant app and redirect you to your app URL. This does not provide any authorization grant workflow or other complex OAuth2 workflow. It may be useful for some applications, but not for an enterprise app where you want to retrieve user profiles and create a login session based on the user profile data retrieved from Okta.
So my question is: why is the OAuth workflow not working using the PHP application that uses the JS sign-in widget? And why are there no instructions or warnings on this page for this costly service (this is not free and many orgs are probably paying for this)?
I spent almost a day trying to set up my Authorization Server as per the instructions given at this link, but nothing works. Any idea what must be going wrong?
Does this entire example work only after contacting Okta support to enable the Authorization Server feature? Because I also saw documentation here that says this is an Early Access (EA) feature (and it was probably recently added to Okta? Extremely frustrating experience).
BTW, I sent an email to their customer support to enable this Authorization Server feature, just in case I am missing something. If this does not work then I will have to create my own OAuth2 server using the Laravel 5.4 PHP framework, which is probably the quickest solution and 100% free.
I also tried to test the Authorization server setup as per the instructions provided here.
I was successful in getting the following end point working:
/oauth2/:authorizationServerId/.well-known/openid-configuration
But I am unable to get any scope and claims using api end-point:
/api/v1/authorizationServers/:authorizationServerId/scopes
So in short, I am so far unable to test my Authorization server to get my authorization grant workflow working.
Where can I look for some troubleshooting advice?
Is there another way to check whether I have configured my OKTA Authorization server properly?
I found out that the JS script provided for the PHP sample is not right for the workflow I am working on. After changing that JS script, things started to work.
Edit: Also please note that setting up an Authorization Server is a new feature (an Early Access feature) in Okta. It is not enabled by default, so you need to contact the Okta support team to enable the Authorization Server endpoint and the functionality it provides.
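The question above asks for another way to check whether the Authorization Server is configured properly. The asker already had the public discovery document working, and that document is enough to catch the usual misconfigurations before touching the widget: the issuer must be https://{org}/oauth2/{authorizationServerId} (not the bare org URL, which is a different server whose tokens will not validate against this one), every endpoint must sit under that issuer, and the scopes and grant types the client will ask for must be advertised. Here is an added example (not code from the question or the answer) that runs those checks offline on a discovery document; the org domain, server id and the document itself are constructed to look like Okta's. One practitioner caveat on the other endpoint mentioned in the question: /api/v1/authorizationServers/{id}/scopes is part of the management API and needs an admin API token sent as Authorization: SSWS {token}, unlike the discovery document, which is public.

```python
"""Offline sanity checks on an Okta custom authorization server's discovery document.

Added example, not part of the original post. check_discovery() takes the JSON
returned by /oauth2/{authorizationServerId}/.well-known/openid-configuration plus
the org domain and server id you expect, and returns a list of problems (empty
when everything a code-flow client needs is present and consistent).
Domain, server id and the sample documents are constructed, not real.
"""
from typing import Iterable, List

# Endpoints an authorization-code client cannot work without.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(doc: dict, org_domain: str, auth_server_id: str,
                    needed_scopes: Iterable[str] = ("openid", "profile"),
                    needed_grants: Iterable[str] = ("authorization_code",)) -> List[str]:
    problems: List[str] = []
    expected_issuer = f"https://{org_domain}/oauth2/{auth_server_id}"

    issuer = doc.get("issuer")
    if issuer != expected_issuer:
        problems.append(f"issuer is {issuer!r}, expected {expected_issuer!r}")

    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif not url.startswith(expected_issuer + "/"):
            # A client validates 'iss' on the tokens it gets back; endpoints that
            # belong to a different issuer mean tokens from the wrong server.
            problems.append(f"{key} {url!r} is not under the issuer")

    advertised_scopes = doc.get("scopes_supported", [])
    for scope in needed_scopes:
        if scope not in advertised_scopes:
            problems.append(f"scope {scope!r} not advertised")

    advertised_grants = doc.get("grant_types_supported", [])
    for grant in needed_grants:
        if grant not in advertised_grants:
            problems.append(f"grant type {grant!r} not advertised")

    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not advertised; public clients should use it")
    return problems


# Constructed document in the shape Okta returns for a custom authorization server.
GOOD_DOC = {
    "issuer": "https://example.okta.com/oauth2/ausexample1",
    "authorization_endpoint": "https://example.okta.com/oauth2/ausexample1/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/ausexample1/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/ausexample1/v1/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
    "code_challenge_methods_supported": ["S256"],
}
# Same document but with the org server's issuer and a scope missing: the kind of
# mismatch that leaves a widget-based login hanging without an obvious error.
BAD_DOC = dict(GOOD_DOC, issuer="https://example.okta.com", scopes_supported=["openid"])

if __name__ == "__main__":
    print(check_discovery(GOOD_DOC, "example.okta.com", "ausexample1"))
    for problem in check_discovery(BAD_DOC, "example.okta.com", "ausexample1"):
        print("-", problem)
```

Point the function at the real document (fetched with any HTTP client) and at the org domain and server id you put into the widget's config; an empty list means the server side is at least self-consistent, so the remaining suspects are the client id, the redirect URI and the widget script, which is where the accepted fix above ended up.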
