I created an Azure mobile service and published the sample project that the website provides. When I try to visit the service from browser using my service URL (an example is https://test.azure-mobile.net/help), service is asking me for credentials. I tried using the Azure credentials but they don't work.
What credentials is it asking?\
You can use the application key or the master key from your mobile service. In the Azure portal, go to your mobile service and in the dashboard select the manage keys option on the bottom of the page. You should use this key as the password, and any value (even empty) for the user name.
Related
If I use a Personal Access Token, I can access all Azure DevOps REST APIS by including the PAT in the header. This works great from NodeJS, PowerShell and curl, but I want to do the same thing from JS running in a web-browser, without any server-side code. Just purely from the JS in the browser.
Now, I could prompt the user to enter their PAT and store it in local storage, but I'd rather not do that. Instead, I'd like to prompt the user to log in and get a token that way. Microsoft has the MSAL library to do that, and they have sample code on how to do this from JavaScript in the browser. Unfortunately, for some reason, they require that you also create an Azure AD Tenant along with a client ID. I don't want to use Azure cloud for anything. I just want my users to access an existing company Azure DevOps server. As I said I can already access these resources using a PAT that the user has to create from the portal themselves. I want to avoid that step and have them log in to get a token. Seems simple enough. Am I missing something?
Why is a tenant even needed for this?
From the doc: https://github.com/AzureAD/microsoft-authentication-library-for-java/wiki
Before using MSAL4J you will have to register your applications with
Azure AD.
In conclusion, to use MSAL to connect to Azure DevOps from vanilla JS in browser, you need to register your App with Azure AD first to acquire the client ID for authorization.
I use this tutorial to deploy a business network on a free bluemix cluster: https://ibm-blockchain.github.io/
I also deploy the REST Server and communicate via Web apps.
All went fine till yesterday. The REST Server was not accessible anymore.
I deleted everything on the cluster using the script delete_all available in the ibm-container-service repository.
I followed the install procedure using the create_all script. I could access the composer playground (port 31080) again but was not really able to deploy an online business network using the "profile" hlfv1. Now it asks at the bottom of the "deploy UI" for credentials.
I don't know what to fill in. I tried to use ID+Password. On this way I was able to deploy but I got access error by clicking on "connect now". I was able to start the REST server then but if i try to access it in the browser (port 31090), I get the feedback that I'm not authorized.
Any ideas?
And do you know which changes have been made in the last month, which could bring these troubles?
Thx
Phil
The tutorial pointed to only covers playground when used with a Web Browser connection not a real fabric. When you deploy to a real fabric you have to provide an initial identity that you want bound to an initial participant in the business network. The initial participant will be of type org.hyperledger.composer.system.NetworkAdmin and given a name of the initial identity name you provide.
This dialog looks like this
To get you started you should select the ID and Secret radio button. Then for Enrollment ID enter admin and for the Enrollment Secret enter adminpw.
This is the name and secret of the bootstrap identity that exists in the fabric-ca server that has been deployed as part of the scripts.
By providing this information that identity will be enrolled and it's public certificate will be bound to a NetworkAdmin participant which will be called admin. This identity admin will then have access to the business network as only identities that are bound to a participant in the business network can have any sort of access.
I've created a new cluster with AAD for client auth using ARM by following the document linked to below. The cluster deployed and my app works fine but my browser is still asking me to select an X.509 certificate when I attempt to use the SF Explorer at: https://mycluster.northcentralus.cloudapp.azure.com:19080/Explorer
I thought when I hooked up Azure AD that the client cert would no longer be needed. Note that I do see that the SF Explorer displays my name in the upper right (with a logout option), indicating to me it's using AAD.
So, what's up with this? Any ideas?
https://azure.microsoft.com/en-us/documentation/articles/service-fabric-cluster-creation-via-arm/
That happens if there's an issue with AAD authentication - the cluster will fallback to certificate authentication.
If SF Explorer isn't re-directing to an AAD login page at all, then double-check that the web application reply URL in the AAD cluster application matches the SF Explorer URL.
If the re-direction is happening and AAD login was successful, then double-check that the AAD cluster application has the expected user roles and that your user has been assigned a role.
After implementing the integration of Azure Active Directory and some other could applications like Salesforce, and syncing On-Premise Active Directory data by using Azure AD Connect, now I could auto login Salesforce and other cloud apps with Single Sign-On by using the credentials I used for desktop logon, but I still need to key in the credentials once when accessing Azure Applications page (Azure Portal).
Is there any configuration in Azure I can change to support auto-login by using the Windows credentials, so that once I log into my encrypted machine, I could auto login the Azure Applications page (the Azure portal) without key in password again? If Azure does not support no sign-on, what's the best way to do some development to support no sign-on?
Any post or suggestion will be appreciated!
You can always try to authorize users using Graph API. Maybe this will be helpfully: https://github.com/devkimchi/Graph-API-App-Only-Web-API-Sample
I had a similar issue when using ADFS for federated identity and the following article helped, not sure if it applies to Azure AD Connect but it might give you some useful info.
https://support.microsoft.com/en-us/kb/2535227
Thanks thedev and dawidr for your reply.
Finally I found a solution which might achieve the No Sign-On. AAD supports federation authentication, so just try to integrate the ADFS and AAD by using Azure AD Connect to implement the federation identify with On-Premise AD, then no more password key-in when accessing the Azure Applications. I don't have a proxy server with public IP so it's just a solution in my mind without verification.
I'm trying to figure out how to integrate the identity server with azure mobile services for use from mobile clients. I already have the id server up and working barebones with a test aspnet mvc website using it via the openidconnect middleware.
I haven't found much info on how to do this with mobile services and I'm not exactly sure what the overall flow is as far as what talks to what first. Is it that the mobile client should call the id server directly posting the username password and getting a token and then set that token on the mobile user then, when calls are made to azure mobile service the token is then validated on a back channel from the service to the id server? Or how should it work?
I have already read the custom authentication docs on azure and found some azure team blogs on the subject but it seems like they are already out dated. Is there a way to simply insert the same openidconnect middleware into the azure pipe?
I'm hoping to get this ironed out because I have a number of web+native mobile (Xamarin) projects on the horizon and this would be the identity foundation for all of them.