Connect to Azure Active Directory from PHP web application - php

Seeking for guidance on the subject as I'm really stuck on this, I have a internal URL for an App made on PHP and I want to connect to Azure Active Directory.
So far I've reviewed an example from Microsoft using SimpleSAML but it's really outdated and I'm having troubles adapting it for the newer SimpleSAMl code.
Is there a better way to integrate a web application with Azure AD? I read somewhere that I may use Get started with Mobile Services but I would like to hear from previous experiences on what is the best/current method for using Azure AD for login on PHP?.
-- EDIT --
By integrate I mean to allow people authenticate and retrieve the email address or EmployeeID from the Azure AD to provide SSO support.

There are several scenarios Azure AD supports, depend on what you use Azure AD for. Basically, to access the resources via Azure AD from PHP web application, you can refer to Web Application to Web API section to understand this scenario and get started.
To integrate Azure AD in PHP web applications, we need to follow authorization code grant flow steps to build several custom HTTP requests. E.G. To get access token via OAuth 2.0 protocol, we should refer to the steps on Authorization Code Grant Flow, generally, we will build 2 HTTP requests to get access token:
1,Request an authorization code
The build-up URL will redirect to the sso page, after login we can get the code value which will be used in next step.
2,Use the Authorization Code to Request an Access Token:
Then we can use the access token to add the JWT string with a “Bearer” designation in the Authorization header of the request to the resource web API.
Here is a PHP test project provided by Azure for your reference.

we are migrating our AD to Azure AD and we would like to have SSO support for the internal web apps, so that when they log in into their PCs the use the azure app proxy and they're signed automatically on the PHP web apps. Is this possible?
#Vladimir, Base on my experience, it is possible. There are some scenarios you can refer to. You may need use Azure AD Connect to sync your local AD to Azure AD, and enable Azure AD SSO to integrate with you php application in your scenario.
Firstly, If you wants to integrate your On-premise AD on Azure AD, you should use the tool -- Azure AD Connect, which is used to sync up your AD into Azure AD. Please see this tutorials and video. For this action, you need have the IT administrator permission.
Secondly, you need use Federated Single Sign-On and other methods for your application on Azure Portal. You may need to configure your PHP application like this video:https://channel9.msdn.com/Blogs/Open/Using-SimpleSAML-to-authenticate-PHP-applications-with-Azure-AD.
And if you wants to get the users information, you may need use Azure Graph API as Gary's post.

Related

Azure Active Directory MFA

Our clients uses Azure AD for their operations and wanted to integrate the Azure AD MFA to our web app (PHP) for additional security. Is this possible without using the Microsoft Identity Platform (SSO)? I also cant seem to find a REST API for the Azure AD MFA. Any alternate options that I could use for implementing MFA? Some recommendations would be highly appreciated. Thank you.
If you have not already registered the php app in azure ad like below:
Quickstart: app registration-general- Microsoft identity platform | Microsoft Docs
Go for app registration in azuread .
Set Redirect URI like https://your.domain.name/oauth.php
Copy the client ID and tenant ID, to paste in _OAUTH_TENANTID and _OAUTH_CLIENTID in config.inc.
In Certificates & secrets page copy the secret value by adding a new secret,which cannot be accessed later.So copy when created.
Paste this into _OAUTH_SECRET within config.inc. Make sure _OAUTH_METHOD contains 'secret'.
You can see detailed info in here in Katy's Tech Blog .
See PHP Azure AD login with demo site (using oAuth)-GitHub reference for code configuration details.
For including multifaction authentication**(MFA)** :
You may Go to azure ad > enterprise apps and check for the app you
have just registered and create a policy to include MFA Requirement
which asks users for additional authentication with the methods you
enables like sms, phone call etc
next
Or you can directly go for conditional access and select app required while creating access policy.
After all set up in conditional access, make sure to Enable policy and save ,to start authenticating with azure ad which requires MFA.
Also check references:
Azure AD authentication with PHP using Microsoft Graph. a single PHP page
Deployment considerations for Azure AD Multi-Factor Authentication | Microsoft Docs
Integrate Azure Multi-Factor-Authentication in website to authenticate its users - Stack Overflow

Any possibilities of building an universal login system with Microsoft App registrations?

Basically, the title says it all.
More & more students at our school are asking for a way to authenticate through our Microsoft environment for their own school projects/web applications.
So, we are willing to listen to that and build an universal login system. We need a system (preferably with an App registration in the Azure portal) that allows logins to Microsoft on our organization. Then, after logging in, we want it to redirect to any students site (on the same domain) and authenticate to that.
Important to note, most of the students use PHP for their web applications. The use of the Graph API is not required, but would be cool.
So, is there any possibility for that? If so, how would we do that?
To achieve the above requirement You will need to modify your PHP web application code to redirect to your any students site post authentication with Azure AD.
Thus to authenticate with Azure AD you will need to include the Azure AD Authentication assembly in your pHp website code . For example you can refer this GitHub sample
Once the above has been done then you will need to register an application in AzureAD for your php webapplication and configure the web application redirect url and call back url accordingly .
Further you will need to add redirection uri for the student websites in the php webapplication code itself and ensure that the student websites are hosted as subdomain website for the php web application itself.
For more information please refer this MICROSOFT DOCUMENTATION:- Integrating with the Microsoft identity platform

Authenticate a PHP application using Azure Active Directory connection

I work as an intern in my college and we want to build an app. Of course, our university has an active directory and we use Azure and Azure also has our AD. I am building the front-end and need to implement login using Azure AD SSO. How could I do that? Any help would be highly appreciated.
Thanks.
• You can refer the below code to add the identity provider’s authentication connection settings in the php application configuration files. The following code will help you to add a section to your existing php web app code in authentication sources file to configure and provision SSO through azure AD.
• Once the above code has been placed and configured in the PHP application, now add the PHP application in app registrations in Azure AD and provide the web redirect URI for your PHP application and provide the SSO configuration details in the SSO pane like federation metadata URL, SAML or WS-Fed Sign in or sign out URLs. Once done, check the below code for confirmation of SAML endpoint URL for the Azure AD configured in the PHP authentication config file.
• The below snapshot shows the how the SAML token authentication is redirected to Azure AD and its configuration in PHP app. Also, how its attributes and claims are passed from the Azure AD to the PHP app for service granting and authentication purposes.
Thus, in this way, you can configure a PHP application to authenticate with Azure AD through SSO. Please find the below links for more information: -
https://channel9.msdn.com/Blogs/Open/Using-SimpleSAML-to-authenticate-PHP-applications-with-Azure-AD
https://learn.microsoft.com/en-us/azure/active-directory/develop/authentication-vs-authorization#web-application-to-web-api

Azure REST API - Is it possible to use existing Azure tenant users in php CMS and use and check their credentials remotely?

Situation background:
We have company Azure with dozens of existing users with existing credentials for Azure access.
Beside that, we have CMS (in PHP) on separate webhosting (no relationship with Azure, not hosted under Azure).
What we need:
All existing Azure users will be able to access in our web CMS and we have dilema if CMS (php script) will be possible to check credentials remotely by requesting Azure API.
Or even better if user is already logged in Azure account and have active cookie (like in Facebook), CMS would only request some users details and check users tenant and domain and allow access automatically without any login form.
The best would be to combine both mentioned.
The goal is:
PHP script checking "Azure login cookie" (such as Facebook?) and ensuring communication with Azure API giving params like email and password and recieving true/false if some Azure user is exists for given credentials.
Appreciate any help and tips, regards, Jan.
The is no such Azure AD API that provide the service to check the credential. And the flow describe above that require users enter their Azure AD credentials in you apps which is more like Phishing which is easy to leakage the users credential.
If you want to authenticate your apps via Azure AD, you can using the OpenId connect stand protocol. Here is the authentication flow using the OpenId connect for your reference:
More detail about authorizing access to web applications using OpenID Connect and Azure Active Directory, you can refer here.

Azure Authentication Mechanism

I have an App Service with a Mobile App in Azure cloud platform. The backend API is made using the Easy APIs in Node.js. In the same Resource Group there is also a SQL Server and a SQL Database. The client applications(Android,iOS and a Web app in Angular, PHP or Python) have to authenticate in order to call the API apps.
I am very confused regarding the authentication mechanisms. I want to make a login page for my users in the iOS, Android and Web application but I don't know how to design the authentication mechanism. Potential users will be all the clients who download the mobile applications and a few premium clients.
Should I pick the Azure Active Directory solution or should I make my implementation using the database as storage?
Actually, Azure Mobile Apps in Node.js backend are express.js applications running on Azure App Services. And the Mobile-Apps-SDK in a middleware of express.js. So it depends your requirement. The default authentication mechanism in mobile-apps-sdk is implemented via Azure gateway auth. Also you can implement your own custom auth.
If you have control over your mobile app and you want to just use the regular Facebook, Twitter, Google and Microsoft sign-in controls, then use the Azure gateway available in Azure Mobile Apps to get a mobile apps token. There are controls available for iOS, Android, Apache Cordova and Xamarin. You can also do a redirect to use the web. You can refer to Add authentication to your Android app
Otherwise, you can custom authentication and can provide your own token generator. You can use a third party authentication provider like Auth0.
You can refer to https://shellmonger.com/2015/10/06/azure-mobile-apps-nodejs-and-authentication/ for more information.

Categories