Difference between revisions of "Microsoft Identity Platform"
From MgmtWiki
(→Context) |
(→Context) |
||
| Line 28: | Line 28: | ||
|User Agent || a software application that interfaces between a human user and the internet. Typically a browser. | |User Agent || a software application that interfaces between a human user and the internet. Typically a browser. | ||
|- | |- | ||
| − | | OIDC || [[OpenID Connect]] | + | | OIDC || [[OpenID Connect]] (as well as SAML) is a protocol to access AAD. |
|- | |- | ||
|OAuth client || Used synonymously with Relying Party (see RP) | |OAuth client || Used synonymously with Relying Party (see RP) | ||
Revision as of 10:53, 13 April 2021
Contents
Full Title
Microsoft Identity Platform allows sign in with a Microsoft personal or work account.
AKA Microsoft Graph in early 2021 as a replacement for Azure AD Graph.
Context
- Aspnet Core Web API Quickstart
Microsoft has their own terminology, the following applies to Azure Active Directory application management
| Term | Description |
| Active Directory | Microsoft's Identity and Access Management (IAM) system |
| On Premise | not in Azure |
| Portal | A GUI to control an Azure Tenant(s). |
| Tenant | A named administrative entity on Azure |
| Enterprise App | Named software application that needs to know the identifier for users |
| SSO | single sign-on is the use of Azure AD for user access to more than one app. |
| User | A Principal on a computing device, typically a smartphone or laptop. It MIGHT identify a human. |
| Conditional Access | Additional annoyance place in the path of user access to an app. |
| User Agent | a software application that interfaces between a human user and the internet. Typically a browser. |
| OIDC | OpenID Connect (as well as SAML) is a protocol to access AAD. |
| OAuth client | Used synonymously with Relying Party (see RP) |
| IdP | Identifier Provideer (may also include attributes or claim of the subject) |
| OP | OpenID Provider (one form of IdP) as per [OIDC.Core] |
| SIOP | Self-Issued OpenID Provider as per [OIDC.Core] section 7. |
| RP | Relying Party, as used in [OIDC.Core] for any website the relies on claims produced by a CP for example an OP. |
| CP | Claims provider, Certificate Provider, Credential Provider, Credential Service Provider, etc. |
| Identifier Wallet | An application that is under the control and acts on behalf of the key credential holder. aka identity agent. can be a mobile app, browser extension/ plugin etc. |
| Trust Authority | A URL endpoint that contains the references that define, inter alia, the operation of the picker and of the wallets |
| Trusted Wallet | code trusted by one or more Trust Authorities to protect user secrets and perhaps to validate user presence. |
Problems
- The package Microsoft.Identity.Web requires that a new trusted signer key is added to nuget.config (2020-10-06). The following command fixed this.
nuget.exe trusted-signers Add -Name Microsoft2021 -CertificateFingerprint AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27 -FingerprintAlgorithm SHA256
Install and Run
Run the following command in PowerShell to open port 5000 of board:
netsh advfirewall firewall add rule name=”ASP.NET Core Web Server port” dir=in action=allow protocol=TCP localport=5000
Troubleshooting
We're unable to complete your request
unauthorized_client: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.
User Application Development
- Since this platform is based on OpenID Connect (OIDC) user applications are considered to be clients ins the sense described in OAuth 2.0.
- Apps first call PublicClientApp = PublicClientApplicationsBUilder.Create(ClientID).{other options}.Build().
- call PublicClientApp,GetAccountsAsync() and pick one of the proffered accounts.
Registration
- The Microsoft Graph API offers a single endpoint, https://graph.microsoft.com, to provide access to rich, people-centric data and insights in the Microsoft cloud, including Microsoft 365, Windows 10, and Enterprise Mobility + Security.
- Configure how end-users consent to applications The guidance "reduce the risk of malicious applications attempting to trick users into granting them access to your organization's data, by allowing user consent only for applications that have been published by a verified publisher." was not followed during development and needs to be enabled.
- Admin consent workflow allows the user to ask an admin to approve an app.
References
- Microsoft Identity Web authentication library 2020-10-09
- Widows Hardware Developer for windows hello. Shows how to add biometric device drivers.
- microsoft.idenity.web on Github
- Widows Hello aka Passport. Windows Hello is the name Microsoft has given to the new biometric sign-in system built into Windows 10.
- Create a Windows Hello login app using UWP & XAML
