Friday, February 21, 2025

Azure AD SAML SSO for Web Application

Requirement:

External vendor having SAML based app registered in their Azure AD and wanted to do SSO from web application.


Prerequisites:

- Create a SAML app in Azure AD and then provide us the Metadata, EntityId details. (This usually would be done by external vendor side, we can mock ourside to test internally)

- Will use SustainSys library for SAML setup in C#. Refer: https://saml2.sustainsys.com/en/v2/

- Web application with .Net Core, C#, Razor

Implementation Steps:

- Create SAML App in Azure AD (For mock test). Go to Entra Id -> Enterprise applications -> Add New Application -> Create Your Own Application -> Provide Some App Name + Choose "Integrate any other application you don't find in the gallery (Non-gallery)"

- Go to your web project, add Sustainsys.Saml2.AspNetCore2 from Nuget. 

- Update the startup to include SAML2 steps, something like below

using Microsoft.AspNetCore.Authentication.Cookies;

using Sustainsys.Saml2;

using Sustainsys.Saml2.AspNetCore2;

using Sustainsys.Saml2.Metadata;

          .....

builder.Services.AddAuthentication(opt =>

{

    // Default scheme that maintains session is cookies.

    opt.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;

 

    // If there's a challenge to sign in, use the Saml2 scheme.

    opt.DefaultChallengeScheme = Saml2Defaults.Scheme;

})

.AddCookie()

.AddSaml2(opt =>

{

    // Set up our EntityId, this is our application.

    opt.SPOptions.EntityId = new EntityId("YourAppName"); //This would be the External AD SAML App's Identifier (Entity ID)

 

    opt.IdentityProviders.Add(

        new IdentityProvider(

            new EntityId("SamlAppIdentiferURL"), //Saml App's Microsoft Entra Identifier

            opt.SPOptions)

        {

            MetadataLocation = "SamlAppMetadataUrl", //Saml App's Meatadata Url

            LoadMetadata = true

        });

});

 

- Now we can initiate the Challenge in code 

var props = new AuthenticationProperties

 {

     RedirectUri = "/"

 };

 return Challenge(props, Saml2Defaults.Scheme); 

//You can set some different default scheme in startup and change in runtime here too



- Read the claims as below

  var authResult = await HttpContext.AuthenticateAsync();

  Properties = authResult.Properties!.Items;

  Claims = authResult.Principal!.Claims;


Posted by at No comments:
Labels: , , , , , ,

Tuesday, February 11, 2025

Read B2C Token from Razor MVC Application

 To Retrieve B2C logged in users token for delegate permissions, follow below steps,


Add below lines in startup,


// Configuration to sign-in users with Azure AD B2C

   services.AddMicrosoftIdentityWebAppAuthentication(Configuration, Constants.AzureAdB2C).

        EnableTokenAcquisitionToCallDownstreamApi(new string[] { "https://graph.microsoft.com/.default" })

       .AddInMemoryTokenCaches();

services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>

{

    options.TokenValidationParameters = new TokenValidationParameters

    {

        ValidAudience = "https://graph.microsoft.com"

    };

    options.SaveTokens = true;

});

 

services.Configure<ConfidentialClientApplicationOptions>(options =>

{

    options.ClientSecret = Configuration["AzureAdB2C:ClientSecret"];

});

 

services.ConfigureApplicationCookie(options =>

{

    options.Cookie.SameSite = SameSiteMode.None;

    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;

});

 

Now retrieve token from Controller with below syntax,

    HttpContext.GetTokenAsync("access_token").Result

    or

    HttpContext.GetTokenAsync("id_token").Result


   



Posted by at No comments:
Labels: , , , ,
Subscribe to: Posts (Atom)