I have multiple Azure AD with one application in a different azure server; my application is in spring.
My problem is that my application must work with different companies and I don't find how to add on each company, but with one page of login for all companies...
Azure Active Directory applications can support multiple tenants. You need to make sure your application has the setting: availableToOtherTenants: true.
From there, you can use the common endpoint to dynamically discover which tenant the user is trying to sign into when they type in their user credentials.
This information, and more is in a very apt article titled: How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern.
I hope this helps.
Related
I have a Teams application (Tab). I am an ISV provider, and provide a multi-tenant application that is installed by customers via Teams App Store in their organizations.
How do I save settings for my application organization-wide for the customers? For example, CustomerA has installed the app and then CustomerB. I want some storage that would be unique for CustomerA and CustomerB and the app, and located in customer's environment. The settings I want to save are not per-user, but per-organization (tenant).
Somewhat similar to "App Data" folder you have in Windows Desktop for example.
Does such a storage exist? Does API for this storage exist?
A tab app is a simply a web application that you render inside of Teams. As a result, what the app does, and where and how it does it, is totally up to you. This includes any data storage you choose to have behind the scenes. For example, your tab could be built in PHP and use MySQL, or built in ASP.Net and use SQL Azure or CosmosDB. It's totally up to you, but you need to implement it yourself, as an ISV.
The important piece to differentiate clients, however, is being aware of the TenantId for each user, so you can look up which client's settings you need from the database. The most simple way to do this is simply the tid property on the Teams tab context. You can read more about that here. Unfortunately, because it's just accessed via Javascript, it's not entirely secure - for a more secure mechanism, you should be creating an Azure Application, and generating jwt tokens that you can authenticate against in your backend. It's a much more complex topic, but hopefully this answer at least gives the background you need. For more info on the security aspects (validating the token etc.), please see this question: How to restrict access to Azure Function to only allow requests from a custom Microsoft Teams App?.
I'm using a Google Service Account to push MySQL backups from our webserver to Google Drive using a Google API PHP client script setup as a cron job.
I now want to run the same script across multiple webservers, I'm not sure how to correctly configure the service account for this, should I?
Use the same service account and service account key/credentials across all servers?
OR Use the same service account, but add a service account key/credentials for each server?
OR Setup a separate service account for each server?
Your requirements/needs/whatever may vary, but this generally it won't wont matter how you do it.
Single project
Create a project on Google developer console, and create a single service account key file and share it across the servers.
Is the same as.
Creating a project on google developer console and creating three separate service account credentials with different key files.
You will be bound by the same quota limits because all are under the same project.
Three separate projects.
Now if you created three different projects and create a single service account credential for each of the different servers. Then you would see a difference as they are different projects so should be bound by different quota limits.
quota
The Google drive default quota is so high anyway i'm not sure that it really matters what you do.
Security
Even security wise if you have a different file and you were hacked on one server you would't gain or loose anything by the other servers not having the same or different key files.
I have a single web application that's used by multiple customers that have their respective URLs.
We're in the process of integrating google accounts via Google API with OAuth2.
Right now we have a single project/application registered that's used by all systems.
The problem is if same account is connected on multiple systems, token is overwritten since there is a single project. Same thing if account is disconnected from system A and it's also connected on system B, system B stops working because Google API project/application is the same.
I'm wondering if there is a workaround to have multiple tokens/connections per account with a single application, or the only way to accomplish that is having one project per system and I'll need to programmatically create a project and setup everything accordingly when a new system is built.
We are trying to migrate a legacy intranet ASP .NET web app from "Forms" based authentication into a "Windows" based one so that the user doesn't have to enter the credentials again after logging into the PC, we just want to read the current logged-in identity and use that for authenticating and authorizing the user in the application.
Doing windows authentication in ASP .NET is pretty straight forward, what i wanted to check though was how the user's and their groups should be managed within AD or ADAM.
The same user can have rights on multiple environments of the same application like Dev, UAT, LT, Prod etc. so the same domain account needs to be authenticated in multiple environments (different URL). Also, once authenticated into an environment the user might belong to multiple roles which decide what actions are available for the user to perform.
I was looking for some recommendations here in terms of how we set this structure up in AD, we are thinking of creating groups in AD for the different environments like App_Dev, App_UAT, App_Prod etc. and have nested groups within each of them for the different roles in the application like App_Dev\Role1, App_Dev\Role2, App_UAT\Role1 etc. for each of the environments and add the users inside it.
What do you guys think?
You have to rememeber that Authentication and Authorization are two different things. You have combined them in your logic.
For example, your authentication mechanism is AD. So yes, use AD for authentication of credentials and group membership to ensure they can authenticate with a specific instance.
However, you can still use the classic RolesProvider and use a SQL backend to store roles and user to roles assignments per instance within the database. This is easy and uses the built-in feature of ASP.NET without having to go overboard with creating groups in AD. You can do various searches on the web about ASP.NET AD Authentication and SQL Roles Provider. I think ScottGu even has an old article about how to do it.
Lastly, what you have described here is not SSO or Single Sign-On, I'll update your question to reflect this. SSO refers to creating a token that is trusted and shared amongst many applications. It doesn't seem like you need that with the example provided, but if you do, you would be investigating ADFS and the Windows Identity Foundation (WIF). Just because you use AD does NOT mean you have SSO, it simply means you have a single Authentication Provider, but you still don't have a token based system that actually only requires an initial Authentication and Authorization request to a central authentication service, usually ADFS.
I'm researching some Windows Azure stuff, in order to make a decision whether to move to Azure or not.
Basic information
To answer the question, you'll need some basic understanding of my app so here goes.
The app is an ASP.NET MVC 3 application that connects to a SQL Server database.
It is a single instance application, meaning that every customer eventually has their own instance of the app running on our server, deployed to IIS 7 as a website.
I have one SQL Server, where each instance has its own database.
I also have a set of Windows Services to do some background processing. That should be straight forward, as I'll just rewrite those to use a Worker Role in Windows Azure - most of the logic in the services is located in their own class (library) anyway, so the service it self just calls one or more methods in a class.
Now to the question
Whenever someone signs up for a free trial, I add a record to an Admin database I have.
I then have a Windows Service that deploys a new instance of the ASP.NET MVC 3 app to IIS, grants permission to a few folders, runs the database deployment script and updates the record to reflect that it has now been deployed, and finally sends an e-mail to the prospect that their free trial has been created - here's how you access it.
So, how can I deploy a new instance in Windows Azure from a Worker Role? Preferably, I'd just add a new website to an existing Azure instance and create a new SQL Azure database for that particular site to use.
Does this require a lot of work to set up? Is it even possible?
Based on two quotes, I would like to suggest calling this a multi-tenant application:
It is a single instance application, meaning that every customer eventually has their own instance of the app running on our server,
And...
a Windows Service that deploys a new instance of the ASP.NET MVC 3 app to IIS, grants permission to a few folders
If I understand correctly, there is "one" IIS server (well, in Windows Azure, it's one Web Role, scalable to multiple instances), and with each new "tenant", you set up some new stuff to support that tenant.
If that's indeed the case, you can definitely do this from a worker role - just look at Nate Totten's multi-tenant web role blog post and related code. Look at the webdeploy code that actually manipulates IIS.
Further: take a look at Cloud Ninja, a project a few of my teammates published along with Fullscale180. This is a multi-tenant app that demonstrates how to manage multiple customers in a single deployment, as well as monitoring and scaling.
Finally: should you need to actually create brand new service hosts and storage accounts, the latest updates to the Windows Azure Management API support this.
I hope that helps a bit...
I think most of the things you want to achieve are possible.
It will definitely require some work to setup!
For some ideas on how to achieve what you are looking for, take a look at the MS SaaS example - http://www.fabrikamshipping.com/ - especially designed for porting existing apps to SaaS on Azure. Inside this app they have an "onboarding process" - and that process includes setting up new SQL connections and new portals.
There's lots of good blogging (watch the video) about this on http://blogs.msdn.com/b/vbertocci/archive/2010/10/07/new-online-demo-introducing-fabrikamshipping-saas.aspx