Keep session between Azure B2C userflow and Keycloak SSO - single-sign-on

I've configured a SPA application with an Azure B2C user flow to sign in on my SSO (based on Keycloak) using OpenID. Then I've configured another application with an Azure B2C custom policy to sign in on the same SSO, but using SAML.
I have another application on AWS directly connected to Keycloak with another client.
The user can authenticate on both my Azure B2C apps, then navigate to the KK app, where the user is already authenticated.
This does not happen the other way round. If the user authenticates on the KK app, the session isn't shared with the Azure B2C apps and they have to log in again. Likewise, the session is not maintained between the two Azure B2C applications.
My custom policy is based on the SocialAccounts starter pack from MS. And this is my UserFlow session configuration.
Any suggestion on what I'm doing wrong?

Related

SPA webapp SSO federation

I have an SPA web app using OpenID Connect for authentication and authorization with a local Keycloak.
This app is now moving to a Windows on-prem infrastructure using AD, Kerberos tickets and a central SSO.
Users log in to their Windows session, and then we shall be able to transparently log in to our SPA web app (i.e. without entering credentials).
How can I convert the Kerberos ticket/authentication into the OpenID Connect world? Where is the magic?
Shall we add some Kerberos in our app?
How can we retrieve our access token containing the user role?
thanks
Your SPA should continue to talk to Keycloak using OIDC, and no code in the SPA should need to change. Your APIs will also continue to receive the same access tokens.
You should only need to configure Keycloak to use AD for authentication as an LDAP data source. Here is an article on how to do that. It is an infrastructure job rather than just a coding one, so I would recommend collaboration with AD administrators on the environment setup.
AD is only one possible authentication method, and by doing things this way you keep your options open. You are likely to need to perform account linking, e.g. to identify users the same before and after the migration. There may be some data setup involved here, e.g. ensure AD has the same emails as the existing system.
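The Keycloak-side setup the answer points to, as an added example that is not from the answer or from Keycloak's own documentation: the admin REST API payload (POST /admin/realms/{realm}/components) that registers AD as an LDAP user federation source, plus a check for the settings that would expose the bind account or let Keycloak write to AD. The hostname, base DN and service-account name are assumed placeholders.

```python
from typing import Dict, List

# Constructed values for this example; replace with your own environment.
AD_URL = "ldaps://dc01.corp.example:636"
BASE_DN = "DC=corp,DC=example"


def ad_federation_component(realm: str, url: str, base_dn: str,
                            bind_dn: str, bind_secret: str) -> Dict:
    """Body for POST /admin/realms/{realm}/components that adds AD as an
    LDAP user storage provider. Keycloak stores every config value as a list."""
    return {
        "name": "corp-ad",
        "providerId": "ldap",
        "providerType": "org.keycloak.storage.UserStorageProvider",
        "parentId": realm,
        "config": {
            "vendor": ["ad"],
            "connectionUrl": [url],
            "usersDn": [f"CN=Users,{base_dn}"],
            "authType": ["simple"],
            "bindDn": [bind_dn],
            "bindCredential": [bind_secret],
            "usernameLDAPAttribute": ["sAMAccountName"],
            "rdnLDAPAttribute": ["cn"],
            "uuidLDAPAttribute": ["objectGUID"],
            "userObjectClasses": ["person, organizationalPerson, user"],
            "editMode": ["READ_ONLY"],       # Keycloak never writes back to AD
            "importEnabled": ["true"],       # local user copy keeps OIDC subjects stable
            "startTls": ["false"],           # not needed: the URL is already ldaps://
            "useTruststoreSpi": ["always"],  # validate the domain controller's certificate
        },
    }


def transport_findings(component: Dict) -> List[str]:
    """Flag settings that would send the bind password in clear or allow MITM."""
    cfg = component["config"]
    findings = []
    url = cfg["connectionUrl"][0]
    if url.startswith("ldap://") and cfg.get("startTls", ["false"])[0] != "true":
        findings.append("plaintext LDAP without STARTTLS: bind credentials sent in the clear")
    if cfg.get("useTruststoreSpi", ["never"])[0] == "never":
        findings.append("AD server certificate is not validated")
    if cfg.get("editMode", [""])[0] == "WRITABLE":
        findings.append("WRITABLE edit mode: Keycloak can modify AD objects")
    return findings
```

Send the returned dict as JSON with a bearer token for the admin API; the SPA's OIDC configuration and the access tokens your APIs receive stay the same.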

Zendesk: Admin users can't use Enterprise SSO

I have enabled Enterprise SSO on Zendesk so that users in my external identity server can log in to Zendesk. The setup was made successfully and users in my system can do SSO with Zendesk.
But as an admin I can't do SSO with Zendesk from my external application; other end users and agents can. What could be the root cause of this?

Can Azure AD B2C be configured to use GSuite (Google org-owned) as an IdP?

Azure AD B2C has the concept of Custom Policies, which in theory can be used to connect a B2C tenant to any IdP using SAML (see https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview-custom).
Google's GSuite (org-owned) system can apparently be connected to as an IdP using SAML (only SAML) (see https://support.google.com/a/answer/6087519?hl=en).
Has anyone successfully connected these so that end users could use their GSuite accounts to authenticate to an enterprise application with Azure AD B2C in the middle?
thanks!
Martin
B2C supports SAML, and through custom policies you can connect to other services and return identities, although I have only done this with OIDC as the SAML metadata may be an issue.
A good article on connecting to Salesforce with SAML is here, so you should be able to swap Salesforce for G Suite:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-sf-app-custom

Need to provide both Basic Authorization and SSO on Bluemix Liberty server

I have a Java app running under WebSphere Liberty on IBM Bluemix. I need to be able to authenticate users 3 different ways - Basic Auth, SAML SSO, and OpenAuth SSO, in that order.
I can set up the app to do Basic Auth (using custom code) or SAML SSO (using the Bluemix Single Sign On service), but can't figure out a way to configure it to handle both at once. (I haven't even looked into how to do OpenAuth yet.) If I configure the app to use the Bluemix SSO service, then my app never sees the incoming requests to check for a userid and password to try Basic Auth before the SSO service grabs it.
I tried changing the redirect URL in the SSO service to an endpoint inside my app, but then all I get is
CWOAU0062E: The OAuth service provider could not redirect the request because the redirect URI was not valid. Contact your system administrator to resolve the problem.
I can't be the only one that needs to do this. Can anyone tell me how they did it?

Thinktecture v3 auto login for ADFS users within the same domain

I am using Thinktecture IdentityServer v3 for authentication and authorization. It works well with a local database. I added ADFS as an external identity provider. It also works well, but it asks intranet users for credentials. My requirement is to automatically log in intranet users without asking for credentials. If the user is an internet user, it asks for credentials. Is it possible?
This is unrelated to IdentityServer3. Your browser and ADFS need to be configured correctly to use Windows integrated authentication.