Difference between revisions of "Microsoft Identity Platform"

From MgmtWiki
Jump to: navigation, search
(Context)
(Context)
Line 27: Line 27:
 
|-
 
|-
 
|User Agent || a software application that interfaces between a human user and the internet. Typically a browser.
 
|User Agent || a software application that interfaces between a human user and the internet. Typically a browser.
 +
|-
 +
|Application Proxy || Any code between your app and AAD.
 
|-
 
|-
 
|  OIDC || [[OpenID Connect]] (as well as SAML) is a protocol to access AAD.
 
|  OIDC || [[OpenID Connect]] (as well as SAML) is a protocol to access AAD.

Revision as of 10:33, 13 April 2021

Full Title

Microsoft Identity Platform allows sign in with a Microsoft personal or work account.

AKA Microsoft Graph in early 2021 as a replacement for Azure AD Graph.

Context

Microsoft has their own terminology, the following applies to Azure Active Directory application management

Term Description
Active Directory Microsoft's Identity and Access Management (IAM) system
On Premise not in Azure
Portal A GUI to control an Azure Tenant(s).
Tenant A named administrative entity on Azure
Enterprise App Named software application that needs to know the identifier for users
SSO single sign-on is the use of Azure AD for user access to more than one app.
User A Principal on a computing device, typically a smartphone or laptop. It MIGHT identify a human.
Conditional Access Additional annoyance place in the path of user access to an app.
User Agent a software application that interfaces between a human user and the internet. Typically a browser.
Application Proxy Any code between your app and AAD.
OIDC OpenID Connect (as well as SAML) is a protocol to access AAD.
OAuth client Used synonymously with Relying Party (see RP)
IdP Identifier Provideer (may also include attributes or claim of the subject)
OP OpenID Provider (one form of IdP) as per [OIDC.Core]
SIOP Self-Issued OpenID Provider as per [OIDC.Core] section 7.
RP Relying Party, as used in [OIDC.Core] for any website the relies on claims produced by a CP for example an OP.
CP Claims provider, Certificate Provider, Credential Provider, Credential Service Provider, etc.
Identifier Wallet An application that is under the control and acts on behalf of the key credential holder. aka identity agent. can be a mobile app, browser extension/ plugin etc.
Trust Authority A URL endpoint that contains the references that define, inter alia, the operation of the picker and of the wallets
Trusted Wallet code trusted by one or more Trust Authorities to protect user secrets and perhaps to validate user presence.

Problems

  • The package Microsoft.Identity.Web requires that a new trusted signer key is added to nuget.config (2020-10-06). The following command fixed this.
nuget.exe trusted-signers Add -Name Microsoft2021 -CertificateFingerprint AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27 -FingerprintAlgorithm SHA256

Install and Run

Run the following command in PowerShell to open port 5000 of board:

 netsh advfirewall firewall add rule name=”ASP.NET Core Web Server port” dir=in action=allow protocol=TCP localport=5000

Troubleshooting

We're unable to complete your request

unauthorized_client: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.

User Application Development

  • Since this platform is based on OpenID Connect (OIDC) user applications are considered to be clients ins the sense described in OAuth 2.0.
  • Apps first call PublicClientApp = PublicClientApplicationsBUilder.Create(ClientID).{other options}.Build().
  • call PublicClientApp,GetAccountsAsync() and pick one of the proffered accounts.

Registration

  • The Microsoft Graph API offers a single endpoint, https://graph.microsoft.com, to provide access to rich, people-centric data and insights in the Microsoft cloud, including Microsoft 365, Windows 10, and Enterprise Mobility + Security.
  • Configure how end-users consent to applications The guidance "reduce the risk of malicious applications attempting to trick users into granting them access to your organization's data, by allowing user consent only for applications that have been published by a verified publisher." was not followed during development and needs to be enabled.
  • Admin consent workflow allows the user to ask an admin to approve an app.

References