Hot questions for Using Azure in single sign on


Question:

  1. I have a hosted non-gallery application on Microsoft Azure.
  2. I have completed the SAML configuration in Azure AD (using SAML 2.0 protocol)
  3. My application runs in Java (runtime 7)
  4. I am getting the userPrincipalName as encoded Value.

How do I decode that encoded value and retrieve the actual value?

I have tested the response using SAML Parser, and it is showing the correct value in the NameID tag.

I am expecting the value as it is showing in SAML response NameID tag, but I am getting an encoded value.

I have tried the following code, but the output is not as expected. I am expecting a string with email format.


Answer:

SAML tokens are Base64 encoded while being transferred. If you are using Java 6, just use the code below to decode your SAML token:

import java.io.UnsupportedEncodingException;

import javax.xml.bind.DatatypeConverter;

public class Base64test {

    public static void main(String[] args) {
        // The Base64 SAMLResponse value exactly as received from Azure AD (placeholder)
        String SAML_resp = "<SAML RESP>";
        // Decode the Base64 text into the raw bytes of the SAML XML
        byte[] decoded = DatatypeConverter.parseBase64Binary(SAML_resp);
        try {
            // The SAML XML is UTF-8; turn the bytes back into readable text
            System.out.println(new String(decoded, "UTF-8"));
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        }
    }
}

Question:

I am implementing SSO with Azure AD for three applications. I was able to make it work for the two applications which are developed in .Net, but the third application is running on Java and I need to enable SSO for that. In the configuration page of the Java application it requires an IDP Certificate and I am not sure where to get that from the portal. Could someone give me some pointers around this?

I have searched through the web and most of the posts talk about needing to upload an X.509 certificate. But I can't see the process to obtain one.


Answer:

I have found a way to obtain the X.509 certificate for the application.

In the Azure portal, under Active Directory, the Applications tab will have the list of applications, like the ones you are developing and the ones you own. Click on the application you want to create the certificate for. On the bottom banner there will be a link saying "View Endpoints". In that pop-up the first link will be the federation link; load that in a browser and search for x509. Copy the string, save it as .crt, and you are done.

here is the link
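The two answers above (decoding the Base64 SAMLResponse to get at the NameID, and pulling the X.509 signing certificate out of the federation metadata) both come down to parsing SAML XML safely. The following is an added example, not code from either answer, that does both with one hardened parser: it disables DTDs and external entities (a SAML response is attacker-reachable input, so XXE matters), resolves the NameID by namespace rather than by tag text, and extracts every signing certificate from metadata and wraps it in the PEM armour a ".crt" file needs. It assumes Java 8 or later for java.util.Base64; the class name, the sample response, the entityID https://idp.example.com/ and the placeholder certificate value are all constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SamlXmlHelper {

    static final String SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata";
    static final String DS_NS = "http://www.w3.org/2000/09/xmldsig#";

    /** Parses untrusted XML with DTDs and external entities disabled, so a hostile response cannot trigger XXE. */
    static Document parseHardened(byte[] xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required so the SAML namespaces below actually match
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    /**
     * Decodes the Base64 SAMLResponse form field (HTTP-POST binding) and returns the NameID text.
     * It does NOT verify the XML signature; verify it before trusting anything returned here.
     */
    public static String extractNameId(String base64SamlResponse) throws Exception {
        Document doc = parseHardened(Base64.getMimeDecoder().decode(base64SamlResponse));
        Element root = doc.getDocumentElement();
        if (!SAMLP_NS.equals(root.getNamespaceURI()) || !"Response".equals(root.getLocalName())) {
            throw new IllegalArgumentException("not a samlp:Response");
        }
        NodeList ids = doc.getElementsByTagNameNS(SAML_NS, "NameID");
        if (ids.getLength() != 1) { // one subject only; refuse ambiguous responses
            throw new IllegalArgumentException("expected exactly one NameID, found " + ids.getLength());
        }
        return ids.item(0).getTextContent().trim();
    }

    /** Returns the Base64 DER of every signing certificate in IdP federation metadata (the "x509" string the answer searches for). */
    public static List<String> extractSigningCerts(String metadataXml) throws Exception {
        Document doc = parseHardened(metadataXml.getBytes(StandardCharsets.UTF_8));
        List<String> certs = new ArrayList<>();
        NodeList descriptors = doc.getElementsByTagNameNS(MD_NS, "KeyDescriptor");
        for (int i = 0; i < descriptors.getLength(); i++) {
            Element kd = (Element) descriptors.item(i);
            String use = kd.getAttribute("use");
            if (!use.isEmpty() && !"signing".equals(use)) continue; // no "use" attribute means signing and encryption
            NodeList x509 = kd.getElementsByTagNameNS(DS_NS, "X509Certificate");
            for (int j = 0; j < x509.getLength(); j++) {
                certs.add(x509.item(j).getTextContent().replaceAll("\\s+", ""));
            }
        }
        return certs;
    }

    /** Wraps the Base64 DER in PEM armour, which is what a ".crt" file loaded by the Java app needs. */
    public static String toPem(String base64Der) {
        StringBuilder sb = new StringBuilder("-----BEGIN CERTIFICATE-----\n");
        for (int i = 0; i < base64Der.length(); i += 64) {
            sb.append(base64Der, i, Math.min(i + 64, base64Der.length())).append('\n');
        }
        return sb.append("-----END CERTIFICATE-----\n").toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed, unsigned sample response for illustration only; not a real Azure AD token.
        String response = "<samlp:Response xmlns:samlp=\"" + SAMLP_NS + "\" xmlns:saml=\"" + SAML_NS + "\""
                + " ID=\"_r1\" Version=\"2.0\"><saml:Assertion ID=\"_a1\" Version=\"2.0\"><saml:Subject>"
                + "<saml:NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\">"
                + "user@example.com</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>";
        String encoded = Base64.getEncoder().encodeToString(response.getBytes(StandardCharsets.UTF_8));
        System.out.println("NameID: " + extractNameId(encoded));

        // Constructed metadata skeleton; the certificate value is a placeholder, not real DER.
        String placeholder = Base64.getEncoder().encodeToString("not-a-real-certificate".getBytes(StandardCharsets.UTF_8));
        String metadata = "<md:EntityDescriptor xmlns:md=\"" + MD_NS + "\" xmlns:ds=\"" + DS_NS + "\""
                + " entityID=\"https://idp.example.com/\"><md:IDPSSODescriptor>"
                + "<md:KeyDescriptor use=\"signing\"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
                + placeholder + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
                + "</md:IDPSSODescriptor></md:EntityDescriptor>";
        for (String b64 : extractSigningCerts(metadata)) {
            System.out.print(toPem(b64)); // save this text as idp.crt
        }
    }
}
```

Two caveats a practitioner would want here. First, this decoder is for the HTTP-POST binding, which is plain Base64; the HTTP-Redirect binding additionally DEFLATE-compresses and URL-encodes the message, so it needs an inflate step. Second, a NameID is only worth reading after the response signature has been checked against the IdP certificate (with javax.xml.crypto.dsig or a SAML library); otherwise anyone who can POST to your ACS URL can pick the user. When you have saved real metadata output as idp.crt, keytool -printcert -file idp.crt confirms that the PEM wrapping is correct.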

Question:

Our product is a hosted web application which needs to be accessed by a client X using SSO. The client credentials are maintained on an Azure cloud platform, and users are authenticated when they log in to their Windows PC. What is the best way for us to integrate our application in the client's Windows environment, so that all users are authenticated without logging in to our application? The client has pointed out that we could use ADAL, but I'm not sure if that works as we do not have our own AD-based or LDAP-based user management platform. We currently store all the user management data in the DB.

I'm a newbie to this topic so any guidance is really appreciated.


Answer:

Based on my understanding, the issue is that an authenticated user from a portal accesses a URL link of a Java web application working with SSO, when the Java webapp and the portal are not identical.

Per my experience, I think you can try to use Azure AD Application Proxy to solve the issue. You can refer to the document https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-sso-using-kcd/#working-with-sso-when-on-premises-and-cloud-identities-are-not-identical to learn about the application scenario of Application Proxy.

You can try to follow the steps below to implement this. As references, there are some documents explaining how to do each step.

  1. Enable the Azure AD Application Proxy on Azure Portal, and install & register the proxy connector for your application. Please refer to the doc https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-enable/ for more details.
  2. Publish your application using Application Proxy, please follow the wizard steps of the doc https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-publish/.
  3. Enable SSO for your application and the portal, please review the section Working with SSO when on-premises and cloud identities are not identical of https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-sso-using-kcd/#working-with-sso-when-on-premises-and-cloud-identities-are-not-identical.

If you encounter some issue in implementing the plan, you can first refer to the doc https://azure.microsoft.com/en-us/documentation/articles/active-directory-application-proxy-troubleshoot/ to troubleshoot.

Any concern, please feel free to let me know.

Question:

I have implemented Single Sign On with Windows Azure Active Directory in a Java web app by following the code sample and this topic. How can I implement Single Sign Out with WAAD in Java? I can’t find any useful topic.


Answer:

From the sample, we can see that the Single Sign On URL is:

https://login.windows.net/common/wsfed?wa=wsignin1.0&wctx=&id=passive&wct=${ISO_DATE_TIME_FORMAT_UTC}&wtrealm=${ENCODED_APP_ID_URI}&wreply=${ENCODED_REPLY_URL}

So the Single Sign Out URL is:

https://login.windows.net/common/wsfed?wa=wsignout1.0&wctx=&id=passive&wct=${ISO_DATE_TIME_FORMAT_UTC}&wtrealm=${ENCODED_APP_ID_URI}&wreply=${ENCODED_REPLY_URL}

The only difference is the value of the parameter "wa". Of course, the "${...}" placeholders must be replaced with proper values.
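The answer leaves filling in the "${...}" placeholders to the reader, and that is where sign-out requests usually go wrong: wtrealm and wreply have to be percent-encoded and wct has to be an ISO-8601 UTC timestamp. The following is an added example, not code from the sample or the answer, that builds both URLs from the same template with only the wa value differing. It assumes Java 8 or later (java.time), and the app ID URI https://myapp.example.com/ and reply URL are constructed placeholders standing in for the values from the app's Azure AD registration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.time.temporal.ChronoUnit;

public class WsFedUrls {

    // Endpoint from the answer above; "common" serves multi-tenant sign-in, a tenant ID in its place pins one tenant.
    static final String WSFED_ENDPOINT = "https://login.windows.net/common/wsfed";

    /** Percent-encodes one query value, which the answer's "${ENCODED_...}" placeholders call for. */
    static String enc(String value) throws Exception {
        return URLEncoder.encode(value, StandardCharsets.UTF_8.name());
    }

    /** Builds the WS-Federation request; only "wa" differs between sign-in and sign-out. */
    static String build(String wa, String appIdUri, String replyUrl, Instant now) throws Exception {
        // wct is an ISO-8601 UTC timestamp; whole seconds keep the value clean
        String wct = now.truncatedTo(ChronoUnit.SECONDS).toString();
        return WSFED_ENDPOINT + "?wa=" + enc(wa) + "&wctx=&id=passive&wct=" + enc(wct)
                + "&wtrealm=" + enc(appIdUri) + "&wreply=" + enc(replyUrl);
    }

    public static String signInUrl(String appIdUri, String replyUrl, Instant now) throws Exception {
        return build("wsignin1.0", appIdUri, replyUrl, now);
    }

    public static String signOutUrl(String appIdUri, String replyUrl, Instant now) throws Exception {
        return build("wsignout1.0", appIdUri, replyUrl, now);
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder values; the real ones come from the app's Azure AD registration.
        String appIdUri = "https://myapp.example.com/";
        String replyUrl = "https://myapp.example.com/signed-out";
        Instant fixed = Instant.parse("2016-01-01T00:00:00Z"); // fixed so the output is reproducible
        System.out.println(signInUrl(appIdUri, replyUrl, fixed));
        System.out.println(signOutUrl(appIdUri, replyUrl, fixed));
    }
}
```

In the servlet that handles the logout click, invalidate the app's own HttpSession before redirecting the browser to the sign-out URL: the wsignout1.0 request ends the Azure AD session, not the session cookie your Java app issued, so skipping that step leaves the user logged in locally. The wreply value must also be one of the reply URLs registered for the application, or Azure AD will not redirect back to it.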