Our clients uses Azure AD for their operations and wanted to integrate the Azure AD MFA to our web app (PHP) for additional security. Is this possible without using the Microsoft Identity Platform (SSO)? I also cant seem to find a REST API for the Azure AD MFA. Any alternate options that I could use for implementing MFA? Some recommendations would be highly appreciated. Thank you.
If you have not already registered the php app in azure ad like below:
Quickstart: app registration-general- Microsoft identity platform | Microsoft Docs
Go for app registration in azuread .
Set Redirect URI like https://your.domain.name/oauth.php
Copy the client ID and tenant ID, to paste in _OAUTH_TENANTID and _OAUTH_CLIENTID in config.inc.
In Certificates & secrets page copy the secret value by adding a new secret,which cannot be accessed later.So copy when created.
Paste this into _OAUTH_SECRET within config.inc. Make sure _OAUTH_METHOD contains 'secret'.
You can see detailed info in here in Katy's Tech Blog .
See PHP Azure AD login with demo site (using oAuth)-GitHub reference for code configuration details.
For including multifaction authentication**(MFA)** :
You may Go to azure ad > enterprise apps and check for the app you
have just registered and create a policy to include MFA Requirement
which asks users for additional authentication with the methods you
enables like sms, phone call etc
next
Or you can directly go for conditional access and select app required while creating access policy.
After all set up in conditional access, make sure to Enable policy and save ,to start authenticating with azure ad which requires MFA.
Also check references:
Azure AD authentication with PHP using Microsoft Graph. a single PHP page
Deployment considerations for Azure AD Multi-Factor Authentication | Microsoft Docs
Integrate Azure Multi-Factor-Authentication in website to authenticate its users - Stack Overflow
Related
Basically, the title says it all.
More & more students at our school are asking for a way to authenticate through our Microsoft environment for their own school projects/web applications.
So, we are willing to listen to that and build an universal login system. We need a system (preferably with an App registration in the Azure portal) that allows logins to Microsoft on our organization. Then, after logging in, we want it to redirect to any students site (on the same domain) and authenticate to that.
Important to note, most of the students use PHP for their web applications. The use of the Graph API is not required, but would be cool.
So, is there any possibility for that? If so, how would we do that?
To achieve the above requirement You will need to modify your PHP web application code to redirect to your any students site post authentication with Azure AD.
Thus to authenticate with Azure AD you will need to include the Azure AD Authentication assembly in your pHp website code . For example you can refer this GitHub sample
Once the above has been done then you will need to register an application in AzureAD for your php webapplication and configure the web application redirect url and call back url accordingly .
Further you will need to add redirection uri for the student websites in the php webapplication code itself and ensure that the student websites are hosted as subdomain website for the php web application itself.
For more information please refer this MICROSOFT DOCUMENTATION:- Integrating with the Microsoft identity platform
I work as an intern in my college and we want to build an app. Of course, our university has an active directory and we use Azure and Azure also has our AD. I am building the front-end and need to implement login using Azure AD SSO. How could I do that? Any help would be highly appreciated.
Thanks.
• You can refer the below code to add the identity provider’s authentication connection settings in the php application configuration files. The following code will help you to add a section to your existing php web app code in authentication sources file to configure and provision SSO through azure AD.
• Once the above code has been placed and configured in the PHP application, now add the PHP application in app registrations in Azure AD and provide the web redirect URI for your PHP application and provide the SSO configuration details in the SSO pane like federation metadata URL, SAML or WS-Fed Sign in or sign out URLs. Once done, check the below code for confirmation of SAML endpoint URL for the Azure AD configured in the PHP authentication config file.
• The below snapshot shows the how the SAML token authentication is redirected to Azure AD and its configuration in PHP app. Also, how its attributes and claims are passed from the Azure AD to the PHP app for service granting and authentication purposes.
Thus, in this way, you can configure a PHP application to authenticate with Azure AD through SSO. Please find the below links for more information: -
https://channel9.msdn.com/Blogs/Open/Using-SimpleSAML-to-authenticate-PHP-applications-with-Azure-AD
https://learn.microsoft.com/en-us/azure/active-directory/develop/authentication-vs-authorization#web-application-to-web-api
Currently my web application ties into Amazon Cognito and validates against users directly stored in Amazon IAM.
I need to extend it to support validating against a third party's Azure AD (and hopefully not having to import all the users into Cognito since that may not be feasible). Currently, I've been exploring and found that I can add the Azure AD as a federated IdP, though it seems like it requires that users be setup both in AWS and AD and mapped per the tutorial, but a comment from Jaffadog notes:
"Nice tutorial. However, it incorrectly suggests that you need to
create or provision accounts in AWS in order for federated login to
work - which is false. When login into AWS using SAML federated login,
the user merely assumes the AWS role present in the SAML assertion. No
AWS IAM user account is required before login, and none shall be
created as a consequence of login either."
Will this solution work if I want to keep my Azure AD users just in Azure, and keep my AWS users in AWS? There's conflicting information on how user provisioning works between AWS and AD.
Otherwise, if not is my only other solution to host my own SAML service (using something like SimpleSAML)?
Yes, using ADFS for single signon with Active Directory and the Amazon Management Console is the recommended solution. You specifically mention Azure AD which I have not personally tested.
[EDIT after new question]
AWS uses group names that start with "AWS-" to assign privileges. This means that you do have to do some work on the Active Directory side creating groups and adding users to groups. Then you need to create an IAM Role for each AD group. IAM does not import users from AD, just maps AD groups to IAM roles.
This article will walk you thru setting up everything using Active Directory.
Enabling Federation to AWS Using Windows Active Directory, ADFS, and SAML 2.0
Here are a couple of articles that specifically cover Azure AD and AWS:
AWS Best Practice: Azure AD SAML Authentication Configuration for AWS Console
Situation background:
We have company Azure with dozens of existing users with existing credentials for Azure access.
Beside that, we have CMS (in PHP) on separate webhosting (no relationship with Azure, not hosted under Azure).
What we need:
All existing Azure users will be able to access in our web CMS and we have dilema if CMS (php script) will be possible to check credentials remotely by requesting Azure API.
Or even better if user is already logged in Azure account and have active cookie (like in Facebook), CMS would only request some users details and check users tenant and domain and allow access automatically without any login form.
The best would be to combine both mentioned.
The goal is:
PHP script checking "Azure login cookie" (such as Facebook?) and ensuring communication with Azure API giving params like email and password and recieving true/false if some Azure user is exists for given credentials.
Appreciate any help and tips, regards, Jan.
The is no such Azure AD API that provide the service to check the credential. And the flow describe above that require users enter their Azure AD credentials in you apps which is more like Phishing which is easy to leakage the users credential.
If you want to authenticate your apps via Azure AD, you can using the OpenId connect stand protocol. Here is the authentication flow using the OpenId connect for your reference:
More detail about authorizing access to web applications using OpenID Connect and Azure Active Directory, you can refer here.
Seeking for guidance on the subject as I'm really stuck on this, I have a internal URL for an App made on PHP and I want to connect to Azure Active Directory.
So far I've reviewed an example from Microsoft using SimpleSAML but it's really outdated and I'm having troubles adapting it for the newer SimpleSAMl code.
Is there a better way to integrate a web application with Azure AD? I read somewhere that I may use Get started with Mobile Services but I would like to hear from previous experiences on what is the best/current method for using Azure AD for login on PHP?.
-- EDIT --
By integrate I mean to allow people authenticate and retrieve the email address or EmployeeID from the Azure AD to provide SSO support.
There are several scenarios Azure AD supports, depend on what you use Azure AD for. Basically, to access the resources via Azure AD from PHP web application, you can refer to Web Application to Web API section to understand this scenario and get started.
To integrate Azure AD in PHP web applications, we need to follow authorization code grant flow steps to build several custom HTTP requests. E.G. To get access token via OAuth 2.0 protocol, we should refer to the steps on Authorization Code Grant Flow, generally, we will build 2 HTTP requests to get access token:
1,Request an authorization code
The build-up URL will redirect to the sso page, after login we can get the code value which will be used in next step.
2,Use the Authorization Code to Request an Access Token:
Then we can use the access token to add the JWT string with a “Bearer” designation in the Authorization header of the request to the resource web API.
Here is a PHP test project provided by Azure for your reference.
we are migrating our AD to Azure AD and we would like to have SSO support for the internal web apps, so that when they log in into their PCs the use the azure app proxy and they're signed automatically on the PHP web apps. Is this possible?
#Vladimir, Base on my experience, it is possible. There are some scenarios you can refer to. You may need use Azure AD Connect to sync your local AD to Azure AD, and enable Azure AD SSO to integrate with you php application in your scenario.
Firstly, If you wants to integrate your On-premise AD on Azure AD, you should use the tool -- Azure AD Connect, which is used to sync up your AD into Azure AD. Please see this tutorials and video. For this action, you need have the IT administrator permission.
Secondly, you need use Federated Single Sign-On and other methods for your application on Azure Portal. You may need to configure your PHP application like this video:https://channel9.msdn.com/Blogs/Open/Using-SimpleSAML-to-authenticate-PHP-applications-with-Azure-AD.
And if you wants to get the users information, you may need use Azure Graph API as Gary's post.