Category Archives: AAD

Running a B2C AAD integration (with implicit code flow)

Sample code: https://github.com/AzureADQuickStarts/B2C-WebApp-OpenIdConnect-DotNet. The code, the signup claims, and the local session having been created. If we add Google as an IDP, we see the following during signup.

Posted in AAD

B2C Azure AD

Let's play with B2C in Azure AD: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-web-dotnet/ The app's policy B2C_1_pwsignup publishes this discovery document:

{
  "issuer": "https://login.microsoftonline.com/8acee302-9d63-4634-800f-73f31f5ef745/v2.0/",
  "authorization_endpoint": "https://login.microsoftonline.com/b2ctrialpw.onmicrosoft.com/oauth2/v2.0/authorize?p=b2c_1_pwsignup",
  "token_endpoint": "https://login.microsoftonline.com/b2ctrialpw.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_pwsignup",
  "end_session_endpoint": "https://login.microsoftonline.com/b2ctrialpw.onmicrosoft.com/oauth2/v2.0/logout?p=b2c_1_pwsignup",
  "jwks_uri": "https://login.microsoftonline.com/b2ctrialpw.onmicrosoft.com/discovery/v2.0/keys?p=b2c_1_pwsignup",
  "response_modes_supported": [ "query", "fragment", "form_post" ],
  "response_types_supported": [ "code", "id_token", "code id_token" ],
  "scopes_supported": [ "openid" ],
  … Continue reading

Posted in AAD

owin.security.providers for AAD

Here are the changes I made to the GitHub provider … to make it talk instead to Azure's AAD (in non-managed IDP mode). Yes, it uses the code from /auth twice, once to get a non-standard access token … Continue reading

Posted in AAD

AWS to SAML-P IDP hosted by Azure AD

First, we configure the IDP Connection (in which AWS logically points at the IDP endpoints, learned from IDP metadata) – recalling the AWS gotchas. Provider ARN: arn:aws:iam::385727861301:saml-provider/PPE; Provider Type: SAML; Creation Time: 2015-07-20 15:13 PDT. Then we configure the SP/SP … Continue reading

Posted in AAD, Azure AD

authorization code support in microsoft api manager oauth2–still not working with AAD

Well, unlike a few months ago when I tried it, it's now working. What's working? The OAuth2 interaction between Microsoft API Manager and AAD (and the backend IDP). We set it up by configuring the OAuth AS in the management … Continue reading

Posted in AAD

OWIN pipeline account linking

SecurityTokenValidated = (context) =>
{
    ClaimsIdentity t = context.AuthenticationTicket.Identity;
    t.AddClaims(new[] {
        new Claim("authnContext", "UserAuthenticated"),
        new Claim("RapAuthnContext", "UserAuthenticated")
    });
    if (t.Name.EndsWith("ae4iZRA_KmNnp3W_X8QVk2AUZB1EPARsrYQiX3SwSz4"))
    {
        var identity = new ClaimsIdentity(t.AuthenticationType, ClaimsIdentity.DefaultNameClaimType, ClaimsIdentity.DefaultRoleClaimType);
        identity.AddClaim(new Claim(ClaimsIdentity.DefaultNameClaimType, "rapstaff"));
        identity.AddClaims(t.Claims);
        AuthenticationTicket ticket = new AuthenticationTicket(identity, context.AuthenticationTicket.Properties);
        context.AuthenticationTicket = … Continue reading

Posted in AAD

Mint forms auth cookie using owin

The old forms authn module has a method that enabled one to mint a ticket and cookie. In the case of the new Cookie middleware – which plays the same role as the forms authn module – we have to do … Continue reading

Posted in AAD

acs as IDP for AAD

$msolcred = Get-Credential -UserName admin@netmagic.onmicrosoft.com
Connect-MsolService -Credential $msolcred -ErrorAction Stop
$aActiveLogOnUri = "https://bariazuressoowin.accesscontrol.windows.net/v2/wstrust/mex"
$aFederationBrandName = "ACS based IDP"
$aIssuerUri = "https://bariazuressoowin.accesscontrol.windows.net/"
$aLogOffUri = "https://bariazuressoowin.accesscontrol.windows.net:443/v2/wsfederation"
$aMetadataExchangeUri = "https://bariazuressoowin.accesscontrol.windows.net/v2/wstrust/mex"
$aPassiveLogOnUri = "https://bariazuressoowin.accesscontrol.windows.net:443/v2/wsfederation"
$cert = "MIIDIjCCAgqgAwIBAgIQG8Y1pitN0I9Hg7Gwl63a0DANBgkqhkiG9w0BAQUFADA1MTMwMQYDVQQDEypiYXJpYXp1cmVzc29vd2luLmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMTUwNjI5MTgyNzM3WhcNMTYwNjI5MDAyNzM3WjA1MTMwMQYDVQQDEypiYXJpYXp1cmVzc29vd2luLmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPzV7RD10okSKHFHzyMNwuBUt4bbvmxjLAKg/M3QVYe4GhX7o9qSY3ogMyUaxnvhN4z400cOaS0iQ+yZUWV3HwQLqU3an6YMfVYMDnftwICjBUD1HoxWXMUYFU88YwC1KLGO+BpPJSeHcnu7Ok2KtO1DyBU+uZbi/TzpFWTzD/izg+XLQDx7dkFWQ9A0UIauRWx+WRClPbvgpZVIcOQw5A2hQW20PlStWxwKMhJpWrL8cD61c8q2LBZgga7bJIL5Kst4WHpNrKVsjJglSOdSp+R/8bWGY6kyxuKJbRyKjH7/iXkpNayTISIIl95ROj5F3jOgS50/PZk4E9u424PoofAgMBAAGjLjAsMAsGA1UdDwQEAwIE8DAdBgNVHQ4EFgQUdAPniEsbJ+dJjR7QkvaUx+NgoLswDQYJKoZIhvcNAQEFBQADggEBALG5yhJ3+D7mzj8UApPKp6lMbepaDYcFcYLZuejogtYZo/I9gmIPfaeKoXUkSIqHsfxNIsR8EnyzL3pkRkrpuHmQJ4FmttnLAm2fvZYTeDyg/U4J9ncBcSzR6thZLROjOZte+jIFNfihqi5oRVI5c+XETcfoECjKWM6xvwzTfY/A51yjRWkoEW5YB9pCuvLYmV2Y2QELzZuGjqlc2DCw1yzXz8tmmf3WszZgfEyuzAgIPAL1vVt8UPREsr8TSP4VAtvHC7s5s+3kE+dTzEygAbgMC2ee0uBZUX4hyMUOkIsvPrP6BnmRgsGKk0Z/aVVTh1lndVROEepiOtGFGHuEsDU="
Set-MsolDomainAuthentication -Authentication federated -DomainName metrolistmlsqa.com -FederationBrandName $aFederationBrandName … Continue reading

Posted in AAD

owin pipeline to ACS and thence to google openid connect

We create an ACS gateway: Wtrealm = "https://ssoportal.rapmlsqa.com/spssohandler.aspx/bari", MetadataAddress = "https://bariazuressoowin.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml", Wreply = "https://localhost:44320/", and tie it to a new RP (an Azure AD sample). To ACS, we wish to add Google as the IDP. So, in the Google developer … Continue reading

Posted in AAD

graph console Azure AD sample–for federated user

To make a federated user, change the code, adding a subroutine that is called when making a user:

Posted in AAD

Playing with windows tokens bound to AzureAD

We see that "Windows authentication" allows one to access SQL Server and databases with Windows identity requirements – where the Windows token was created in association with Azure AAD. If, on our Windows 10 box, bound to Azure AD's … Continue reading

Posted in AAD

azureAD users and sql install


Posted in AAD

runbook

Since the Operations Management Suite can monitor the running of runbooks, let's create one! Next, let's import the runbook script. We now edit/author the script (and test it), running the published script (as a job). Back at the … Continue reading

Posted in AAD

operations management suite

We install it on our finally Hyper-V enabled enterprise version of Windows 10, latest tech preview. Note how it now features organizational login! We link. So what do we do with this "dashboard" type solution? Adding… see https://rapmls.portal.mms.microsoft.com/#Workspace/overview/settings/details/index … Continue reading

Posted in AAD

cordova html/js app, and rapmlsqa.com IDP

We have tried to build Cordova apps with AAD login before, without a clean build. Let's try again, now that we are using RC versions of everything. On Windows, after installing tools and certs, we get the following. We use … Continue reading

Posted in AAD

implicit grant and bearer authentication

We see how the id token received by the JavaScript app is used for bearer authentication when it then talks to the service endpoints of the same web app (the one that served the SPA .js code to the browser).

Posted in AAD

openid sample with group limits

The RC version of Visual Studio 2015 includes a set of samples, including those for OpenID Connect and use of the AAD Graph API, if one installs the Azure quickstarts extension. Building the project requires little expertise: we see … Continue reading

Posted in AAD

lync/skype discovery with AAD credentials

The Office 16 preview gives us a glimpse of how the OpenID Connect middleware in AAD has been grafted onto the webticket infrastructure (of old). The basic discovery of endpoints, given a tenant-bound user name. Next, we see a block … Continue reading

Posted in AAD

AAD-powered access to visual studio (and online source repositories)

Posted in AAD

Leveraging the Azure Service Management REST API with Azure Active Directory and PowerShell / List Azure Administrators – KeithMayer.com – Site Home – TechNet Blogs

http://blogs.technet.com/b/keithmayer/archive/2014/12/30/authenticating-to-the-azure-service-management-rest-api-using-azure-active-directory-via-powershell-list-azure-administrators.aspx

Posted in AAD

extending AAD schema

We explore, once again, the directory extensions project at https://github.com/AzureADSamples/WebApp-GraphAPI-DirectoryExtensions-DotNet. Per the instructions, we configure the software to leverage an application, using the one from the last post (which explored group claims and graph objects). We use graphexplorer to learn … Continue reading

Posted in AAD

rapmlsqa cloud membership system

Our cloud membership system (based on netmagic and mls) can be viewed at http://graphexplorer.cloudapp.net/. It's a very technical view, not a customer view. Its login is rather raw, in UI terms, but functional. To log in, click signin and identify … Continue reading

Posted in AAD

Cert based token granting, for azure hosted webapi

https://msdn.microsoft.com/en-us/magazine/dn948107.aspx

Posted in AAD

metrolistmlsqa server-side app authentication flow

Azure Mobile provides a nice easy way to create an Android app, using Android Studio. It also hosts a backend (JavaScript) website that supports that app, particularly when doing "server-side login". This flow is one in which the code … Continue reading

Posted in AAD, azuremobile

metrolist custom domain of netmagic.onmicrosoft.com with app

We added a second custom domain to our AAD tenant and bug-fixed our IDP for the metrolist (IDP) tenant's particular UX. We then built an OAuth-based application using the metrolist OAuth configuration. The screen shots show the app's login … Continue reading

Posted in AAD

using AAD graph API to create federated user (or provision one, more formally)

Sample code for the OpenID Connect protocol and the Graph API can be found, today, at https://github.com/AzureADSamples/WebApp-GraphAPI-DotNet. Having configured this web application per the instructions, for our rapmlsqa.com tenant, on one screen we see the UI through which one creates a … Continue reading

Posted in AAD

Realty ws-trust IDP interworking with AAD token issuer, in saml bearer grant

Using the Fiddler proxy, we were able to craft delivery of custom metadata from our IDP, whose endpoint addresses now meet the expectations of the Microsoft ADAL libraries' SAML-bearer grant flow. The only code change we made to this … Continue reading

Posted in AAD

Microsoft Azure blog and AAD

You cannot comment on the Microsoft Azure blog using a Live ID OR an organizational ID. You have to wonder what goes on in the minds of some folks. Or perhaps comments are just a throwaway that no one really wants … Continue reading

Posted in AAD

a ws-trust IDP emulating ADFS for use with AAD oauth bearer grant

https://onedrive.live.com/redir?resid=5061D4609325B60!10733&authkey=!AD_ZOBRkh010sdo&ithint=file%2c.zip

Posted in AAD

align AAD with ADFS rapmls.info

$msolcred = Get-Credential -UserName admin@netmagic.onmicrosoft.com -Message "password for netmagic is FRED!"
Connect-MsolService -Credential $msolcred -ErrorAction Stop
$cert = "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";
Set-MsolDomainFederationSettings -DomainName rapmls.info -SigningCertificate $cert
Get-MsolDomainFederationSettings -DomainName rapmls.info
$localhostcert = "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";
Set-MsolDomainFederationSettings -DomainName rapmls.info -SigningCertificate $localhostcert
Get-MsolDomainFederationSettings -DomainName rapmls.info

Posted in AAD