I have an application into which I integrated SSO using Azure AD as the identity provider. There is an option in Azure AD to delete a user, so the requirement is to sign out from my website when the user is deleted in Azure AD. We store the SAML token when the user is successfully authenticated. Is there any way to check whether the user exists or not using the SAML token?
Unfortunately, this is not possible by using SAML Token as of now.
Microsoft recently introduced Continuous Access Evaluation (CAE) for this purpose but the initial implementation of it focuses on Exchange, Teams, and SharePoint Online.
Continuous access evaluation enables services to subscribe to critical events in Azure AD so that those events can be evaluated and enforced in near real time. Some examples of these events are:
User Account is deleted or disabled
Password for a user is changed or reset
Multi-factor authentication is enabled for the user
Administrator explicitly revokes all refresh tokens for a user
High user risk detected by Azure AD Identity Protection
I also need to add the created/updated user into a users-table of an RDS-database, and the described workflow does not describe such a scenario at all.
Is it possible to react to the create/update of a Cognito user within this SAML workflow by also updating an application's database table with the new data?
--
In the docs of AWS Cognito, in the chapter "SAML user pool IdP authentication flow", the following part is written:
6. After verifying the SAML assertion and collecting the user attributes (claims) from the assertion,
Amazon Cognito internally creates or updates the user's profile in the user pool.
Amazon Cognito returns OIDC tokens to the app for the now signed-in user.
see: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp-authentication.html
This part does not seem to recognize the scenario I described in my question, and there is no link/hint to such a solution given.
In order to perform additional actions to customize the Cognito user pool workflow, you can use Lambda triggers.
In your particular situation, there are triggers and triggerSource values you should look for regarding Sign Up and Sign In for federated users, as per the documentation, namely:
For SignUp:
PreSignUp_ExternalProvider: this is called before the user is created in Cognito, allowing you to perform some additional actions, normally validations.
PostConfirmation_ConfirmSignUp: invoked after the user has been created and confirmed in Cognito. This would be where you'd create it in the RDS database.
For SignIn:
PreAuthentication_Authentication: similarly to PreSignUp, useful for additional validations, but for Sign In.
PostAuthentication_Authentication: called after a successful authentication. This is where you would update the user in your database.
Also keep in mind that the updated date of the user will change at each new sign-in due to this (source):
Amazon Cognito must be able to update your mapped user pool attributes when users sign in to your application. When a user signs in through an IdP, Amazon Cognito updates the mapped attributes with the latest information from the IdP. Amazon Cognito updates each mapped attribute, even if its current value already matches the latest information.
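One way to wire the four triggerSource values named above into a single Lambda, as an added example that is not part of the original answer or AWS's code. The RDS write is hidden behind a UserStore interface so the handler runs offline; InMemoryUserStore, make_event and SYNCED_ATTRS are assumptions for this illustration.

```python
from typing import Dict, Protocol


class UserStore(Protocol):
    """Minimal interface for the application's users table (assumed)."""
    def upsert(self, username: str, attrs: Dict[str, str]) -> None: ...


class InMemoryUserStore:
    """Stand-in for the RDS users table, constructed for this example."""
    def __init__(self) -> None:
        self.rows: Dict[str, Dict[str, str]] = {}

    def upsert(self, username: str, attrs: Dict[str, str]) -> None:
        self.rows[username] = {**self.rows.get(username, {}), **attrs}


# triggerSource values for federated users, as named in the answer above.
VALIDATE_SOURCES = {"PreSignUp_ExternalProvider", "PreAuthentication_Authentication"}
PERSIST_SOURCES = {"PostConfirmation_ConfirmSignUp", "PostAuthentication_Authentication"}
# Mapped attributes worth copying; Cognito rewrites them on every sign-in.
SYNCED_ATTRS = ("email", "given_name", "family_name")

DEFAULT_STORE = InMemoryUserStore()


def handler(event: dict, context=None, store: UserStore = DEFAULT_STORE) -> dict:
    """Cognito trigger entry point; one function registered for all four triggers."""
    source = event["triggerSource"]
    attrs = event["request"]["userAttributes"]
    if source in VALIDATE_SOURCES:
        # Pre-triggers only validate; raising makes Cognito reject the sign-up/sign-in.
        if not attrs.get("email"):
            raise ValueError(f"{source}: federated user has no mapped email")
    elif source in PERSIST_SOURCES:
        # Post-triggers: create the row on confirmation, refresh it on each sign-in.
        row = {k: attrs[k] for k in SYNCED_ATTRS if k in attrs}
        row["sub"] = attrs["sub"]
        store.upsert(event["userName"], row)
    # Any other triggerSource is ignored; Cognito requires the event to be returned.
    return event


def make_event(source: str, username: str, **attrs: str) -> dict:
    """Build a constructed trigger event in the shape Cognito sends."""
    return {"triggerSource": source, "userPoolId": "us-east-1_EXAMPLE",
            "userName": username, "request": {"userAttributes": attrs},
            "response": {}}
```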
My project is a MVC Core 3.1 web application.
The authentication is based on the Microsoft.identity.web template to sign in users in Azure AD B2C.
You can find the samples here: https://github.com/AzureAD/microsoft-identity-web/wiki#samples
Users can register/login as standard users on B2C or log in with the corporate account (Azure AD, so an OpenID Connect identity provider).
When a user signs in with the corporate account, I get a JWT token with a claim named "idp_access_token" which contains the access token from Azure AD. It contains some claims I need for the application (for some reason I can't even see the emailAddress/unique_name in the B2C token, so I need to get it from here...).
But I'm not sure how (and where) I'm supposed to deal with this token and how to access the claims inside it. Can I map them in the ClaimsPrincipal? Because I would like to use the email as the "User.Identity.Name".
Should I write a service (transient?) and Inject it where I need it?
Sounds like you are using a feature you don’t actually need. Usually the embedded IdP access token is used to call the services that the IdP hosts. For example, a user logs in with Facebook and your app wants to call the Facebook API to post to their Facebook wall.
You as the app developer should not inspect or use the token yourself, as you cannot trust it. If you want data from that token, then perform the relevant claims mappings in your B2C policy/user flow, as B2C does validate the token and can trust it. You cannot. Services provided by the IdP will verify it, so they also can trust it.
I have an Azure client application that uses Microsoft graph APIs.
I am using the workflow described at https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow to have an admin authorize my Azure client application for his tenant.
This flow ends up giving my client application an access token which my client can use to access various resources in the tenant.
Now, my client application needs to find out who provided the consent. The access token I get does not have this information (unlike in the case of other authorization flows).
A tenant may have multiple admins and my application needs to know who among those admins authorized my client application.
What is the best way to find this out?
Thanks,
~ Urjit
my client application needs to find out who provided the consent.
You want to find the admin that authorized your client app. As far as I know, there is no way to find out this information about the admin, because when you are consenting permissions for your app, you need the admin to do this for your account. After admin consent, there will be no record of this, neither in the token nor in the portal.
I am working to build an application which would be able to create custom audiences for many of our clients for Facebook ads. I came to know that the most suitable access token for this purpose is the system user token (correct me if I am wrong). To get regular user access tokens, we can make a user go through the traditional OAuth flow; I am looking for something similar to get a system user access token. How can I get it for any of my clients? Thanks
You must create your system users in the Business Manager of your company:
https://business.facebook.com/settings/system-users?business_id=<YOUR_BUSINESS_ID>
Once you create a system user, you can generate a token for him associated with a given app.
Meanwhile, on your business settings (as stated in the docs) you can request access to an ad_account.
Request Access to an Ad Account: If you request access to an ad account in Business Manager, the admin of that Business Manager can grant you permission to work on it.
Once your client gives your Business permission to work with one or more of their ad_accounts, those ad_accounts will appear in your Business Manager. (menu on the left).
At that point, when checking the profile of your system users, you can click on assign assets to give the system user access to pages and ad_accounts.
The token you generated for the pair [system_user,app_id] does not need to be reissued to reflect the addition of assets to which the system_user has access.
If I add authentication in Azure Mobile Service with Google as the provider, I go and create an app, get the app_id and secret and plug it in. Great, now users can authenticate with Google and get a user token. Now they are considered an "authenticated user" with respect to the table permissions.
However, I don't want to authorize everyone with a google account access to my API. Is it possible to limit this to a list of known users? Must I check every request for specific user ids?
Perhaps social login is not the best choice here and I should use something else like Azure AD?
We added a custom authentication provider to WAMS and synchronize the social account with "our" user account that is stored in the database. For protected web API methods a user account needs to be activated first. You have to check manually whether an account is activated/highly privileged or not and return the result or an unauthorized status code.
I decided to use Azure Active Directory to solve this problem. This way, I can create users in Azure AD but not have to manage users myself in the back end. With this choice I am still able to choose the "only authenticated users" permission level without having to check on every REST endpoint that the authenticated user is one of the ones I want to grant access to.