I am trying to enable cross app SSO into our Xamarin apps so that if a user has installed and signed in to one of the apps, he is automatically logged in to other apps of my organization. The following document claims to achieve the requirement
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-sso-android. We are following the non broker assisted login flow.
I have carefully fulfilled the three conditions stated below-
The apps are using the same android:sharedUserId in the manifest file.
The native client used for them is the same. Only the redirect url is different for the apps.
All of them are signed using the same keystore.
But still the functionality is not yet achieved. When i installed and logged in to one app, the second app is still prompting for credentials when i try to acquire the access token using the below line
authResult = await authContext.AcquireTokenAsync(resource, clientId, new Uri(returnUri), new PlatformParameters((Activity)Forms.Context));
Kindly help me know if there is something that i can do to achieve that.
Due to restrictions in Xamarin.Forms, SSO without a broker (Microsoft Authenticator or Company portal) does not work with current version of ADAL.
We have a work item to update the documentation.
This is a Xamarin.Forms issue. In order for SSO to work across apps without broker, you need to enable the "Ignore Security" flag, which is not recommended. This requires the app name to be hardcoded and "ignore security".
For example: Application.Context.CreatePackageContext(“com.companyname.ReproApp1”, PackageContextFlags.IgnoreSecurity).GetSharedPreferences(..)…
For the time being, it's recommended to use broker for SSO. You can use Authenticator for both iOS and Android.
Related
I'm looking to build a CLI application (most likely in C#) for Linux, Windows and Mac. The App will all access some of my API's, arleady deployed in the cloud. These API's are protected using Firebase Auth. At the moment Auth is done via my website and I support Social Sign in such as GitHub, Google etc.
Now when it comes to adding auth into a CLI app I'm completely stumped. I've been Googling this and can't find anything that walks through what you need to use. Do I need to package the Admin SKD? How to do I protect my Firebase keys (do the need to be in the CLI app)?
Can anyone point me in the right direction here please?
Many thanks in advance
For email and password authentication, you can use Firebase Auth REST API to create/login a user with provided credentials. For OAuth providers such as Google and Github, you can follow OAuth 2.0 Device Authorization Flow described in RFC 8628 and then call Firebase's 'sign in with OAuth credential' to create the user in Firebase Authentication. Here's the general flow for Google Auth:
Request device and user code from the OAuth provider (e.g. Google)
Open the returned link in a browser and ask user to enter the code shown (user may have to open the browser in any other device if current one cannot open a browser e.g. in VMs)
Keep polling for access token till you get the token or any of the errors listed in RFC 8628 section 3.5.
Create/SignIn the user with Firebase using sign in with OAuth credentials REST API using the accessToken returned in previous step.
The last API will return Firebase Authentication's idToken and refreshToken that you can use to further authentication users in your backend.
Checkout OAuth 2.0 for limited input device apps for more information.
Do I need to package the Admin SDK?
No, the Admin SDK must be used only on server side as it has privileged access to your Firebase resources like bypassing security rules.
How to do I protect my Firebase keys (do the need to be in the CLI app)?
The keys are meant to be public (like an identifier for your project). See Is it safe to expose Firebase apiKey to the public? for more information.
I'm doing a POC of a an application for use on a touch screen device running windows 10.
The currently UWP (although open to nearly any app that can run full screen for a kiosk) app already has a webview control and I can control the url where I want to navigate to. In some situations, I'd like to navigate to a 3rd party webapp that is using Azure AD authentication.
Interactively, we can login but I'd like to have the login happen automatically using a known azure ad username and password or ideally a certificate we can install on the device. We don't own the web app (so we can't change any properties on it) but its connected to our Azure AD tenant so we own the azure ad app configuration. The web application does not have API's yet to consume the information. The device uses local accounts, per the guidance on https://learn.microsoft.com/en-us/windows/configuration/kiosk-prepare.
I've used the (Public/Confidential)ClientApplicationBuilder which works for getting tokens to talk to web apis but I'd like to do a form post to something (https://login.microsoftonline.com/{tenantid}) ? and then redirect to the web app when done. I've looked into OAuth 2.0 Resource Owner Password Credentials (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc) and it seems the closest but I'm not sure how to take the access token I receive and somehow save it (in a cookie?) so the web app will log the user in when navigated to. I'm sure I could watch the various URLS and fill in the credentials programatically but that seems wrong. I've reviewed the various Azure AD samples but I've not seen one that fits my scenario (which might indicate a flaw in the plan...).
I am writing a web app in C# for .NET Core which also should have integrated two-factor authentication and external logins.
I succeeded at integrating multifactor authentication using TOTP (TimedBased One Time Password). This means that every time I log in, I should fill in a code from my smartphone. Because I'm developing, I log in 100 times a day. So, I am getting tired of unlocking my phone, opening the authenticator app and filling in the verification code.
In our company, we make use of Azure Active Directory with two-factor authentication, but in Azure AD, we use two-factor push auth. If we try to log in, you get a push notification at your phone and then you could deny or grant access. That doesn't need filling a code.
I found documentation for the app Authy from Twilio to use Authy for push notification, but in the company I work, we are Microsoft-minded and everyone in the office uses the Microsoft Authenticator app, so my software should use this app also.
I found documentation for Authy, however, I didn't find this for the Microsoft App, while we use this also in Azure.
To enable two-factor authentication, you should scan the qrcode from the PC. The code of my app is
otpauth://totp/[Appname]:admin#admin.nl?secret=[Secret key]&issuer=[AppName/Companyname]&digits=6
The QR code of Azure AD, to let login RDS with 2fa has the following URL:
phonefactor://activate_account?code=[code]&url=[url]
I found that PhoneFactor is an application to enable MFA, using push notifications, but I can't find how to implement this in my own web app.
Is this possible? And where should I look to?
I am using ADAL in order to log in to my app which is being made in Xamarin.Forms against Azure AD. That is all working fine, however I now want to be able to register a new user and to do this need an access token to pass to the constructor of one of my methods.
However, as the user hasn't yet been registered, I need to be able to get an access token from Azure AD without actually supplying any user credentials. I have been told that in a normal web app, I'd be able to send the client id and app key so that Azure AD would know who I was and then send me back an access token but I can't figure out how to implement this in a cross-platform Xamarin app.
If anyone has come across this before, your help would be greatly appreciated.
Thanks.
Use of an app key in a native application is not recommended, regardless sof the dev stack you use to implement it. The reason is that generally devices should not be trusted with secrets. Furthermore, secret distribution is complicated (you can't embed it in the app code).
As a result, ADAL for Xamarin (and all the other flavors of ADAL meant to be used in native apps) does not expose any method for acquiring tokens with an app key.
From a antive app you really need to bootstrap secure communication with a user identity. Once you have that, you can do all sorts of interesting things on the server side (e.g. you API can, given that is running on the server, obtain tokens as an app).
HTH
V.
I am looking for single sign on for my application which is built on javascript (no server side language).
Requirement:
Agent log in to Windows (user integrated to Active directory)
Open my web page
Based on who logged in to windows, my application goes to AD and pull some user
specify data (eg email, phone)
How shall I go about it?
As per my understanding I will require ADFS for this.
So:
User goes to my web page
My web page calls some Web services or web application (which is build on c#)
That will authenticate against AD FS and get claim
Either get phone number and email in claim or get username and query AD for phone and email
Return the data to my web page (build on javascript)
It seems there something wrong in my understanding!!
Please suggest more appropriate solution based on my requirement
Frankly, I can't think of a way to make it work without a server side processing. This is because the ws-federation protocol ADFS uses is not just about returning claims.
It is about returing a SAML token. The token contains claims but what is most important about it is that it is signed using the XMLDsig. How are you going to validate the token is a first big question. But there are surely external libraries that allow that.
But then, such authentication can easily be bypassed by modifying scripts in the browser. This is because the ws-federation stops where you get the token and then it is up to you to exchange the token for the actual identity. And this won't work when processed only at the client side.
ADFS 3 does not support the OAuth2 implicit profile, which would be an option, but still you would need to verify the token on the server to avoid session fixation.
You can setup something like AuthorizationServer that supports Oauth2/OpenID Connect implicit profile
http://leastprivilege.com/2013/09/19/adding-oauth2-to-adfs-and-thus-bridging-the-gap-between-modern-applications-and-enterprise-back-ends/
Another option is to use something like Auth0 (Disclaimer: I work for Auth0) which also supports OAuth2/OpenID Connect implciit profile. In that case you wouldn't need ADFS, there is a connector/agent that you install on your network that does not require opening firewalls or anything and it supports implicit profile that is suited to JavaScript apps. This is an example of a single page app tutorial (if you create an account it will tailor the doc with your credentials):
https://docs.auth0.com/singlepageapp-tutorial