I have successfully installed a “Security Service Token”.
I have a Wcf-Rest service that is running under the STS created as security.
I am calling the Wcf-Rest service from a Web page using ajax. I would like to get the Claims that I have received in the web page once successfully logged in to the STS.
I am able to pass the encrypted cookie, but the wcf-rest service cannot read any claim.
Does Wcf-rest (webHttpBinding) support this possibility?
With a bit of plumbing - yes.
Securing WCF Data Services using WIF
Also see Claims Based Identity & Access Control Guide which has some chapters on REST.
Related
I want to build a feature where I want to sync users outlook calendar with my app. Any event which users create/reschedule/delete from my app should reflect in users outlook calendars. First step for this however would be getting access token and refresh token for the users by authenticating them. How can I build APIs to authenticate users and get the token for further use.
I have checked there is MS-Graph API, which can be used in my use-case. But I'm unable to find resources regarding how to use this APIs from my spring boot application. Also, this is not regarding the login/signup flow. I have another login flow. I don't want users to login to my app via their outlook email.
To Enable your Java Spring Boot web app to sign in users and call Microsoft Graph with the Microsoft identity platform:
Overview:
This sample demonstrates a Java Spring Boot web app that signs in users and obtains an access token for calling Microsoft Graph. It uses the Azure AD Spring Boot Starter client library for Java for authentication, authorization, and token acquisition. It leverages Microsoft Graph SDK for Java to obtain data from Graph.
For more information: https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4.%20Spring%20Framework%20Web%20App%20Tutorial/2-Authorization-I/call-graph#enable-your-java-spring-boot-web-app-to-sign-in-users-and-call-microsoft-graph-with-the-microsoft-identity-platform
Hope this helps.
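As an added example (not code from the linked Microsoft sample and not part of the answer above), the following Spring Boot configuration keeps the app's own login and only asks the user to connect a Microsoft calendar: it registers an Azure AD client with the `offline_access` and `Calendars.ReadWrite` scopes so the token response includes a refresh token, and calls Graph with a token the authorized-client manager refreshes on its own. The tenant, client id, client secret and redirect URI are assumed placeholders.

```java
// Added example, not code from the linked Microsoft sample. Assumed: TENANT, CLIENT_ID,
// CLIENT_SECRET, and that {baseUrl}/login/oauth2/code/graph is registered as a redirect URI.
package example.calendar;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestTemplate;

@Configuration
public class GraphCalendarConfig {
    static final String TENANT = "common";              // or your tenant id (assumed)
    static final String CLIENT_ID = "<app-id>";          // assumed placeholder
    static final String CLIENT_SECRET = "<client-secret>"; // assumed placeholder
    static final String AAD = "https://login.microsoftonline.com/" + TENANT;

    @Bean
    ClientRegistrationRepository clientRegistrations() {
        ClientRegistration graph = ClientRegistration.withRegistrationId("graph")
            .clientId(CLIENT_ID).clientSecret(CLIENT_SECRET)
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
            .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
            // offline_access is what makes Azure AD return the refresh token needed for background sync
            .scope("offline_access", "Calendars.ReadWrite")
            .authorizationUri(AAD + "/oauth2/v2.0/authorize")
            .tokenUri(AAD + "/oauth2/v2.0/token")
            .build();
        return new InMemoryClientRegistrationRepository(graph);
    }

    // The manager renews expired access tokens with the stored refresh token. Persist the
    // OAuth2AuthorizedClientRepository (e.g. JDBC-backed) so the refresh tokens survive restarts.
    @Bean
    OAuth2AuthorizedClientManager authorizedClientManager(ClientRegistrationRepository regs,
                                                          OAuth2AuthorizedClientRepository clients) {
        OAuth2AuthorizedClientProvider provider = OAuth2AuthorizedClientProviderBuilder.builder()
            .authorizationCode().refreshToken().build();
        DefaultOAuth2AuthorizedClientManager manager = new DefaultOAuth2AuthorizedClientManager(regs, clients);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }

    @Bean
    SecurityFilterChain security(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())    // the app's own login; no oauth2Login()
            .oauth2Client(Customizer.withDefaults()); // only the redirect and code-exchange filters
        return http.build();
    }
}

@RestController
class CalendarController {
    private final OAuth2AuthorizedClientManager clients;
    private final RestTemplate rest = new RestTemplate();

    CalendarController(OAuth2AuthorizedClientManager clients) { this.clients = clients; }

    @GetMapping("/calendar/events")
    String events(Authentication user, HttpServletRequest req, HttpServletResponse res) {
        OAuth2AuthorizeRequest authz = OAuth2AuthorizeRequest.withClientRegistrationId("graph")
            .principal(user)
            .attribute(HttpServletRequest.class.getName(), req)
            .attribute(HttpServletResponse.class.getName(), res)
            .build();
        // First call per user: throws ClientAuthorizationRequiredException, which the oauth2Client
        // filters turn into a redirect to Microsoft consent. Later calls reuse or refresh the stored token.
        OAuth2AuthorizedClient client = clients.authorize(authz);
        HttpHeaders h = new HttpHeaders();
        h.setBearerAuth(client.getAccessToken().getTokenValue());
        return rest.exchange("https://graph.microsoft.com/v1.0/me/events?$select=subject,start,end",
                HttpMethod.GET, new HttpEntity<>(h), String.class).getBody();
    }
}
```

The registration deliberately omits `openid`, so Microsoft is used only as an authorization server for Graph, not as the app's identity provider; the consent prompt the user sees is for calendar access, and the app's own login flow is untouched.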
I am working in a project where we are authenticating any REST API requests from UI or anywhere else using ADFS STS tokens. There are some direct calls from UI with ADFS STS token in header for authentication/authorization and there are some external 3rd party calls not from UI, but also using ADFS STS tokens in header. Now we are planning to migrate partially to Azure AD token, post which there may still be some applications that will keep using ADFS STS tokens, so there can be situation where an external application that is unaware of migration to Azure may still call an internal application using ADFS STS Token and we are supposed to be compatible with it. Similarly there can be a situation that an internal application that is migrated to Azure AD token is internally calling one of the legacy applications which is still not migrated to Azure AD and won't in future too.
I have two challenges now:
How to support the above design so that even if an Azure token is used the API is still able to call an external service (working on ADFS) by creating an ADFS token from within the code and setting it in headers ?
A header in an HTTP request seems to be unmodifiable data, and when I tried to modify it within a request template in request-interceptor code, it failed saying unmodifiable map.
How do I handle this ? Please someone help.
Unfortunately I cannot share code due to internal restrictions.
Please check whether the references below give you some ideas for your case.
According to Mix ADFS and Azure AD for authentication - Microsoft Q&A.
If you have O365 federated with ADFS and you federate an application with Azure AD, the authentication flow would be:
1. User accesses the application which is federated to Azure AD.
2. Application will redirect to Azure AD authentication endpoint (https://login.microsoftonline.com) for authentication.
3. User will be prompted for credentials.
4. Based on the UPN suffix (If the domain is federated with ADFS), user will be redirected to ADFS.
5. ADFS will authenticate the user and issue a WS-Fed token to Azure AD.
6. Azure AD will receive the token and issue a SAML token to the application.
7. User will finally get access to application.
References:
Configure AD FS 2016 and Azure MFA | Microsoft Docs
Azure AD Connect - Manage AD FS trust with Azure AD using Azure AD Connect | Microsoft Docs
federating ADFS with Azure Active Directory (techdirectarchive.com) & reference- Solution Zone
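The quoted answer covers how users sign in; the question also asks how one internal API can accept bearer tokens from both AD FS and Azure AD during the migration and still mint an AD FS token for calls to legacy services. The following is an added example (not part of the answer above, not Microsoft code) of doing that with Spring Security's resource-server support. Inbound, it picks a JWT decoder by the token's `iss` claim, each with its own JWKS and an audience check; outbound, it adds a `RestTemplate` interceptor that obtains an AD FS token with the client-credentials grant. The interceptor's `HttpRequest` exposes mutable headers, which is where the bearer header belongs. All issuer strings, JWKS URLs, audience, and AD FS client id/secret/resource values are assumptions.

```java
// Added example, not from the answer above. Assumed values: both issuers' JWKS URLs and
// 'iss' strings, this API's audience, and the AD FS client id/secret/resource for outbound calls.
package example.mixedissuer;

import java.time.Instant;
import java.util.List;
import java.util.Map;
import java.util.concurrent.atomic.AtomicReference;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

@Configuration
public class MixedIssuerConfig {
    // Inbound: two trusted issuers, one JWKS each. The AD FS 'iss' value below is an assumption
    // (AD FS access tokens typically use the .../adfs/services/trust form); check a real token.
    static final String AZURE_ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0";
    static final String AZURE_JWKS = "https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys";
    static final String ADFS_ISSUER = "http://adfs.contoso.example/adfs/services/trust";
    static final String ADFS_JWKS = "https://adfs.contoso.example/adfs/discovery/keys";
    static final String API_AUDIENCE = "api://<this-api-app-id>";

    // Outbound: credentials for minting an AD FS token when calling a not-yet-migrated service.
    static final String ADFS_TOKEN_URL = "https://adfs.contoso.example/adfs/oauth2/token";
    static final String ADFS_CLIENT_ID = "<adfs-client-id>";
    static final String ADFS_CLIENT_SECRET = "<adfs-client-secret>";
    static final String LEGACY_RESOURCE = "https://legacy.contoso.example/"; // relying-party identifier

    private static AuthenticationManager managerFor(String issuer, String jwksUri) {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwksUri).build();
        // Issuer and expiry checks from createDefaultWithIssuer, plus an audience check so a
        // token minted by the same issuer for a different API is refused.
        JwtClaimValidator<List<String>> audience = new JwtClaimValidator<>(JwtClaimNames.AUD,
                aud -> aud != null && aud.contains(API_AUDIENCE));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(issuer), audience));
        return new ProviderManager(new JwtAuthenticationProvider(decoder));
    }

    @Bean
    SecurityFilterChain api(HttpSecurity http) throws Exception {
        Map<String, AuthenticationManager> byIssuer = Map.of(
                AZURE_ISSUER, managerFor(AZURE_ISSUER, AZURE_JWKS),
                ADFS_ISSUER, managerFor(ADFS_ISSUER, ADFS_JWKS));
        // Selects the manager by the token's 'iss' claim; an unknown issuer results in a 401.
        JwtIssuerAuthenticationManagerResolver resolver = new JwtIssuerAuthenticationManagerResolver(byIssuer::get);
        http.authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.authenticationManagerResolver(resolver));
        return http.build();
    }

    record CachedToken(String value, Instant expiresAt) {}
    private final AtomicReference<CachedToken> cache = new AtomicReference<>();
    private final RestTemplate tokenClient = new RestTemplate();

    // Client-credentials request to AD FS; the token is cached until a minute before expiry.
    String adfsToken() {
        CachedToken c = cache.get();
        if (c != null && Instant.now().plusSeconds(60).isBefore(c.expiresAt())) return c.value();
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", "client_credentials");
        form.add("client_id", ADFS_CLIENT_ID);
        form.add("client_secret", ADFS_CLIENT_SECRET);
        form.add("resource", LEGACY_RESOURCE); // parameter name is an assumption; verify for your AD FS version
        HttpHeaders h = new HttpHeaders();
        h.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        Map<?, ?> resp = tokenClient.postForObject(ADFS_TOKEN_URL, new HttpEntity<>(form, h), Map.class);
        String token = (String) resp.get("access_token");
        long ttl = ((Number) resp.get("expires_in")).longValue();
        cache.set(new CachedToken(token, Instant.now().plusSeconds(ttl)));
        return token;
    }

    // RestTemplate for legacy services: the interceptor's HttpRequest has mutable headers,
    // so the bearer token is set here rather than on the read-only inbound servlet request.
    @Bean
    RestTemplate legacyRestTemplate() {
        RestTemplate rt = new RestTemplate();
        rt.getInterceptors().add((request, body, execution) -> {
            request.getHeaders().setBearerAuth(adfsToken());
            return execution.execute(request, body);
        });
        return rt;
    }
}
```

Callers that still send AD FS tokens and callers already on Azure AD both reach the same endpoints; a token whose issuer is not in `byIssuer`, or whose `aud` is not this API, is rejected before any business logic runs. The outbound AD FS token is the API's own identity (client credentials), not the caller's; if the legacy service needs the original user, that requires a delegation mechanism on the AD FS side, which this example does not attempt.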
I have a mobile app which gets token directly from azure login. And I have a service which is using adal4j in spring boot. I cannot use the mobile generated token to authenticate spring service. Becase I use two different azure app registrations for mobile and web service. Is there a way to accomplish this ?
My understanding is that you have created 2 Enterprise Applications in Azure.
1) An Enterprise Application for your mobile app (Type: Native)
2) An Enterprise Application for your Web API app (Type: WebAPI)
For native app, you will not need a client secret but you will need a client secret for the Web API app.
Now coming to the key configurations:
In both of these, please update the manifest file to have oauth2AllowImplicitFlow set to true
Also, in your Web API Enterprise Application, please have the app id of your native app in the known client apps
"knownClientApplications": ["
Now, when calling your Web API through an end-point from the Native application, pass your token in your request header as "Authorization": "Bearer "
Also note: if you need to retrieve group claims, please update the manifest in both your enterprise apps to have the following setting for this property
"groupMembershipClaims": "SecurityGroup"
Update:
Under permissions in the native app, please add the Web API app registration to allow access
Yes, the OAuth 2.0 on-behalf-of flow should apply to your scenario. These steps constitute the On-Behalf-Of flow.
Azure AD issues a token for a certain resource (which is mapped to an Azure AD app). When we call AcquireToken(), we need to provide a resourceID, only ONE resourceID. The result would have a token that can only be used for the supplied resource (id). There are ways where you could use the same token, but it is not recommended as it complicates operations logging, authentication process tracing, etc. Therefore it is better to look at the other options provided by Azure and the ADAL library. The ADAL library supports acquiring multiple access tokens for multiple resources using a refresh token. This means once a user is authenticated, ADAL's authentication context would be able to generate an access token for multiple resources without authenticating the user again.
Further details here.
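As an added example of the on-behalf-of flow named in the answer above (not code from the answer, and using MSAL4J rather than the adal4j library the question mentions), the Spring Boot API below validates the mobile app's token, requiring that its `aud` is this API's app registration, and then exchanges it for a downstream token for the same user. It assumes the mobile app requested this API's exposed scope when it signed in, so the token's audience is the API's app id; the tenant id, the API's client id and secret, and the downstream scope are placeholders.

```java
// Added example, not from the answer above. Assumed values: TENANT_ID, API_CLIENT_ID,
// API_CLIENT_SECRET and the downstream scope; MSAL4J (com.microsoft.azure:msal4j) on the classpath.
package example.obo;

import java.net.MalformedURLException;
import java.util.List;
import java.util.Set;
import com.microsoft.aad.msal4j.ClientCredentialFactory;
import com.microsoft.aad.msal4j.ConfidentialClientApplication;
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.OnBehalfOfParameters;
import com.microsoft.aad.msal4j.UserAssertion;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestTemplate;

@Configuration
public class OboSecurityConfig {
    static final String TENANT_ID = "<tenant-id>";                 // assumed placeholder
    static final String API_CLIENT_ID = "<web-api-app-id>";        // assumed placeholder
    static final String API_CLIENT_SECRET = "<web-api-client-secret>"; // assumed placeholder
    static final String ISSUER = "https://login.microsoftonline.com/" + TENANT_ID + "/v2.0";

    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(ISSUER);
        // Accept only tokens issued for this API: v2.0 tokens carry the app id, v1.0 tokens the
        // api://<app-id> form. A token issued for the mobile app itself would fail here.
        JwtClaimValidator<List<String>> audience = new JwtClaimValidator<>(JwtClaimNames.AUD,
                aud -> aud != null && (aud.contains(API_CLIENT_ID) || aud.contains("api://" + API_CLIENT_ID)));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(ISSUER), audience));
        return decoder;
    }

    @Bean
    SecurityFilterChain api(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()));
        return http.build();
    }

    @Bean
    ConfidentialClientApplication confidentialClient() throws MalformedURLException {
        // The Web API app registration is the confidential client in the OBO exchange.
        return ConfidentialClientApplication
            .builder(API_CLIENT_ID, ClientCredentialFactory.createFromSecret(API_CLIENT_SECRET))
            .authority("https://login.microsoftonline.com/" + TENANT_ID + "/")
            .build();
    }
}

@RestController
class OnBehalfOfController {
    static final Set<String> DOWNSTREAM_SCOPES = Set.of("https://graph.microsoft.com/User.Read"); // assumed
    private final ConfidentialClientApplication app;
    private final RestTemplate rest = new RestTemplate();

    OnBehalfOfController(ConfidentialClientApplication app) { this.app = app; }

    @GetMapping("/me/profile")
    String profile(@AuthenticationPrincipal Jwt incoming) {
        // The already-validated inbound token becomes the user assertion; the returned token is
        // scoped to the downstream resource only, and MSAL caches it per user.
        OnBehalfOfParameters params = OnBehalfOfParameters
            .builder(DOWNSTREAM_SCOPES, new UserAssertion(incoming.getTokenValue()))
            .build();
        IAuthenticationResult result = app.acquireToken(params).join();
        HttpHeaders h = new HttpHeaders();
        h.setBearerAuth(result.accessToken());
        return rest.exchange("https://graph.microsoft.com/v1.0/me",
                HttpMethod.GET, new HttpEntity<>(h), String.class).getBody();
    }
}
```

Two separate app registrations remain: the mobile app acquires a token whose audience is the API, and the API, holding its own secret, exchanges that token for one scoped to the downstream resource. The mobile app never receives a token for the downstream resource directly, and the API never receives a token it could replay against anything but itself.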
I have created an application that calls an Oracle RESTful Webservice. But I want to add OAuth 2.0 when calling this webservice in order to maintain the security of the data. I have followed the tutorial 'Accessing the RESTful Services from a Third Party Application'
But when I try to get the access token, I got the error below
https://server:port/i/oauthdemo/gallery.html#error=access_denied&state=STATE
In this document it is mentioned that this error happens if the user denies the request.
Can anyone help me with how to approve the request? Is there any extra configuration that I need to make?
I have an ASP.NET MVC3 application with forms authentication. But our client requests AD authentication as well. But the MVC3 app is hosted outside the client's network. What are the possible solutions for this?
1. Get permission to access the client's network from the remote server.
2. Get an API to access the Active Directory data from the web server.
If we choose option one, how could we access Active Directory for authentication from outside the client network? If anybody has any idea or better options, please let me know. Thanks in advance.
My guess is that the Microsoft security products can support this out of the box, but I'm not sure how, so I suggest that you direct your question to whoever supplies your client with their Microsoft product support.
If you'd rather build a solution so that you've got more control over how it works a quick search found an interesting approach at https://support.freshservice.com/support/solutions/articles/169196-setting-up-active-directory-single-sign-on-sso-for-remote-authentication where they created a simple ASP.Net web site that used AD authentication for sign-on. MVC 5 can build a WebApi site that does that just by creating a new project in Visual Studio with the right options.
That site wouldn't have to do anything except confirm that the credentials supplied were valid or not. Your application would ask the user to enter login / password details, then send a (properly secured) web request to the authentication site to determine whether they're valid. As long as you keep the communication between your server and the client web service tightly secured this should do what you need without much fuss. That approach removes the need for your server to communicate directly with the client's AD server.