Hi I have PHP CRM running in Azure server,my requirement is that user should be able to add there own custom domains(they will do the DNS configurations seperately) to app by themselves through CRM site,is there any REST API call to achieve that,i searched a lot but couldn't find any documents from Azure,
i did find these from stack
Programatically add domain name to azure website
Add a domain to an Azure web site via code
i tried above expample using Chrome Postman app
App(instanceName) name name is "example"
"https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{myResourceGroup}/providers/Microsoft.Web/sites/{instanceName}/config/web?api-version=2015-08-01"
used both POST and PUT method
{ "properties": { "HostNames":"example.com, crm.example.com" } }
i tried these methods but all i am getting a error "Authentication failed. The 'Authorization' header is not present or provided in an invalid format",i believe something wrong with json values,
example.com.au is my existing website and crm.example.com is my domain name i want to add,is it correct, am i missing anything,please help me
As all of the tasks that you do on resources using the Azure Resource Manager must be authenticated with Azure Active Directory. So To implement Azure Resource Manager Rest APIs, we need to follow the steps in authenticate Azure Recourse Manager requests first to set up authentication.
Generally:
Add an application to the Azure Active Directory tenant.
Set permissions for the application that you added.
Get the token for authenticating requests to Azure Resource Manager.
--Update--
To get the access token for Azure Resource Manager, we should follow the steps shows in Authorization Code Grant Flow:
1,Request an authorization code
The build-up URL will redirect to the sso page, after login we can get the code value which will be used in next step.
2,Use the Authorization Code to Request an Access Token:
3,We can leverage the access token for authorizing the resource REST API:
--update1--
To create an app-only without user ui application, you need to follow client_credentials flow, shown in https://msdn.microsoft.com/en-us/library/azure/dn645543.aspx.
And to your authorization issue, you need to assign a Owner role for a written permission. you can leverage azure-cli to do this.
Install the
Azure-CLI.
Connect to the
Azure-CLI.
Authenticate to your Service Principal using the Azure-CLI.
And in the 4th step in this section, you need to change Reader to Owner,
like
azure role assignment create --objectId 47193a0a-63e4-46bd-9bee-6a9f6f9c03cb -o Owner -c /subscriptions/{subscriptionId}/ to assign a written permission.
Related
We have PHP web application which is hosted in Azure Centos and we want to enable SAML based SSO Azure AD. Here, I have created enterprise application but not able to understand how to configure "Basic SAML Configuration", specially the attributes -
Identifier (Entity ID)?
Reply URL (Assertion Consumer Service URL)
Sign on URL
Logout Url
How to populate these values, is there any configuration required in PHP application side? I have spent good amount of time but not able to find anything related to PHP.
My PHP application looks like this (Self Signed SSL enabled):
https://127.x.x.x/samplesso/login.php (login page),
https://127.x.x.x/samplesso/products.php (After successful login)
Edit#1
As I have mentioned we have hosted php application in Azure Centos and below is the folder structure-
My application folder: /var/www/html/sample_web_app
SimpleSAMLPhp folder: /var/www/html/simplesamlphp
My PHP application Login Page:
http://ipaddress/sample_web_app/login.php
When User clicks on "Go" button, my custom php code reads email and based on domain name we have to re-direct to different Azure SSO URL (B2B/B2C). How to do this?
After successful authentication in azure, it has to re-direct to my application home page URL :
https://ipaddress/sample_web_app/home.php
Logout URL of my application: http://ipaddress/sample_web_app/logout.php
I tried with below details configuring in azure and when I access http://ipaddress/sample_web_app/, it's not even taking to Azure SSO page (php custom re-direction later)
Entity ID: http://ipaddress/sample_web_app/
Reply URL: https://ipaddress/sample_web_app/home.php
Sign On URL: http://ipaddress/sample_web_app/login.php
Logout URL: http://ipaddress/sample_web_app/logout.php
Anything missing here?
You can setup SAML Azure AD SSO for your PHP web application using SimpleSAMLphp
In the app registrations in Azure AD, select your app and click on endpoints. Copy the Federation metadata document. The federation metadata should be imported to your application.
The Identifier, Reply URL and Sign on URL should be configured in the Azure AD.
Identifier (Entity ID) : Enter a URL that uses the following pattern: 'https://.contoso.com' You can find this value as the Issuer element in the AuthnRequest (SAML request) sent by the application.
The Identifier ( Entity ID) can be similar to
https://ip-address/
Reply URL : Specifies where the application expects to receive the SAML token. The reply URL is also referred to as the Assertion Consumer Service (ACS) URL. You can use the additional reply URL fields to specify multiple reply URLs. For example, you might need additional reply URLs for multiple subdomains. Or, for testing purposes you can specify multiple reply URLs (local host and public URLs) at one time.
If you are using SimpleSAMLphp, the reply URL should be similar to
https://ip-address/sample_web_app/module.php/saml/sp/metadata.php/default-sp
Reference : https://www.lewisroberts.com/2015/09/05/single-sign-on-to-azure-ad-using-simplesamlphp/
First of all, i am very new to Laravel and Azure and i am not very sure what i am doing.
I want to add Authentication to my Laravel Web Application.
I followed the instructions in this Link to do that:
When i press my Login Button, which leeds me to "/login/azure" i get directed to
https://login.microsoftonline.com/ef7e48cb-7676-47e9-9a28-c69910d92560/oauth2/authorize?response_type=code&client_id=3a0621c0-2848-47f5-83ee-bebeede8aaa6&resource=
I can add my credentials here and then i get redirected to my welcome page and there is a very long code in my uri and after that a short session code. What does this mean? Am i logged in now? How can i test that and how can i create different roles for my Application now?
Could it be that i have to enable the default laravel Authentication with the "php artisan make:auth" command? Is it bad that i have no resource in the uri u see above? What do i have to put there?
First, understand OAuth on Azure.
https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code
You do not need a resource if you are using the "converged" endpoint (v2). The endpoint you show is v1, so yes, you need to specify what resource you're authenticating against and what granted permissions are for it. Check out What is the Resource parameter in Windows Azure AD tenant application oAuth 2.0 specification
Have you created an app registration (see the Azure Active Directory blade)?
Welcome to OAuth.
We have an App Service (a PHP website) running in our Microsoft Azure platform. The website is only accessible after the user has already been logged in. The authentication is based on the Azure AD. Everything works fine.
Now, from the PHP code of the website, I would like to get the Azure AD group memberships of the already logged in user.
I read a lot of Web resources explaining how to log in a user to Azure AD from a website and thus get an authorization/access token in order to perform additional actions, like retrieving group memberships and a lot of other stuff. But this is not what I'm looking for. The user already is logged in and can successfully use the website. (Microsoft would redirect the user to the single sign-on login page otherwise.)
Using PHP, I can retrieve, for example, the username of the logged in user from the request header of any access to the website. And there is also some "access token" stored in the request header, and other things, like "client principal ID". But I don't know whether this is such authorization/access token I could use for additional actions. Or maybe/probably I'm doing something wrong. Requesting, for example, https://graph.microsoft.com/v1.0/me/memberOf using cURL, I get an InvalidAuthenticationToken error with "CompactToken parsing failed". I put "Authorization:Bearer {access token}" and "Accept:application/json" into the request header for this as explained here. (I don't have explicit information about the token type so I just assume "Bearer" to be correct like in the examples. Maybe this is already wrong.)
I don't know how to proceed in order to get to a solution. Maybe the point I am missing is not in my cURL request at all but in the Azure settings for the AD and/or App Service. I'm hoping for help from your side.
You are on the right track.
Access token
When you have successfully authenticated yourself against Azure AD, using OAuth2 or OIDC, you will get an access token. The access token is a base 64 encoded JSON Web Token (JWT) and can be used to access other protected resources.
An access token might look like this:
EwAoA8l6BAAU ... 7PqHGsykYj7A0XqHCjbKKgWSkcAg==
You can use https://jwt.io to explore further its contents.
Note: the above token is shortened. In its complete form, it is quite long.
In other works, you need the access token for doing future requests against any API secured with the same identity provider (in this case Azure AD).
Accessing protected APIs
However, before you can use your token to access any API you must first grant your Azure AD application necessary permissions. See this link.
Note: that link applies to the v1.0 Azure AD endpoints.
Once you got the needed permissions sorted, you can start doing requests. The requests you make look like, e.g.
GET https://graph.microsoft.com/v1.0/me
Authorization: Bearer eyJ0eXAiO ... 0X2tnSQLEANnSPHY0gKcgw
Host: graph.microsoft.com
Here, the token is what comes after Authorization: Bearer.
Further reading
See this link for further reading. The link contains intructions on how to use the v2.0 Azure AD endpoints but the general idea is the same:
Register an app
Grant permissions to app to access resources
Get an access token
Use the token for doing requests
I have php application build in Laravel and hosted it in a server.
I have also created a (G-suit) google admin account(https://admin.google.com) with my domainname(http://www.example.com) as a admin i have created few users (abc#myhost.com, xyz#myhost.com) from the google admin console.
Now Instead of creating a full authentication system in my application, What i want is that my users can login to my php application with the email address that i have created for them as admin.
How can i do this ?
You could integrate 'simpleSAMLphp' (https://simplesamlphp.org/docs/stable/simplesamlphp-sp) into your app. Then your app will act as a SAMLv2 ServiceProvider and will consume SAMLv2 assertions issued by Google SAMLv2 IdP (https://support.google.com/a/answer/6087519?hl=en). There are also other PHP-based SP-implementations available, or you could use SAML SP Apache http server module if you are using Apache http server.
You may check this documentation about user accounts. It says that to create a user account using one of your domains, use the following POST request and include the authorization described in Authorize requests.
POST https://www.googleapis.com/admin/directory/v1/users
You may check on this example.
Current Working Flow
I have a web app (developed in wordpress)
I am using google-drive-sdk to upload dynamically generated pdf file to a GMail account.
The GMail account has been configured in the web app giving the
secret key ....
The web app first makes the authentication ===>i.e The GDrive Account is authenticated for the first time by the GMail owner (In Google Permission window the button Allow Access is clicked)
It works fine thereafter when called from the web app - the pdf file dynamically generated gets into the configured GDrive
The Problem
PDF files gets uploaded to the GDrive only for some time.
After sometime it doesn't upload the files to GDrive.
I then tried creating a new token - It again starts uploading files but stops after some time.
This happens only in Staging server.
In my local development system it keeps working fine - uploading the file to GDrive whenever the app is executed.
The difference between both the environment is the GMail Account is different.
If you have any idea on the cause of issue or any pointers would really be helpful for me.
Your application must use OAuth 2.0 to authorize requests. All requests to the Drive API must be authorized by an authenticated user.
The details of the authorization process, or "flow," for OAuth 2.0 vary somewhat depending on what kind of application you're writing. The following general process applies to all application types:
When you create your application, you register it using the Google API Console. Google then provides information you'll need later, such as a client ID and a client secret.
Activate the Drive API in the Google API Console. (If the API isn't listed in the API Console, then skip this step.)
When your application needs access to user data, it asks Google for a particular scope of access.
Google displays a consent screen to the user, asking them to authorize your application to request some of their data.
If the user approves, then Google gives your application a short-lived access token.
Your application requests user data, attaching the access token to the request.
If Google determines that your request and the token are valid, it returns the requested data.
Some flows include additional steps, such as using refresh tokens to acquire new access tokens. For detailed information about flows for various types of applications, see Google's OAuth 2.0 documentation.