Scholar-6 / brillder

Apache License 2.0

Heart of Mercia login #4608

Closed scholar6admin closed 2 years ago

scholar6admin commented 2 years ago

As a student from Heart of Mercia Virtual College, I need to be able to access Brillder seamlessly. When I click on a Brick in Canvas, then I should immediately be authenticated using my Microsoft credentials, and I should arrive back at the Brick cover ready to play (without popups). And at the end of the Brick I should be redirected back to Canvas (and not to the Brillder catalogue).

scholar6admin commented 2 years ago

We are waiting on

ivanromakh commented 2 years ago

del

ivanromakh commented 2 years ago

del

ivanromakh commented 2 years ago

Working way https://support.blueconic.com/hc/en-us/articles/360052778734-Setting-up-single-sign-on-SSO-for-Azure-Active-Directory.

ivanromakh commented 2 years ago

Not sure how to configure it, as it is old. Can't find instructions.

scholar6admin commented 2 years ago

Here is the App federation Data URI for the “Brillder” enterprise app I have created.

[See lastpass]

You should be able to retrieve the data required for SAML logins from there.

Basic SAML Configuration

Identifier (Entity ID) = http://app.brillder.com/login/saml

Reply URL (Assertion Consumer Service URL) = https://app.brillder.com/ @ivanromakh do we need to alter this to https://api.brillder.com?

Sign on URL = https://app.brillder.com/

Attributes & Claims

Givenname = user.givenname

Surname = user.surname

Emailaddress = user.mail

Name = user.userprincipalname

Unique User Identifier = user.userprincipalname

Set up Brillder

You'll need to configure the application to link with Azure AD.

[See lastpass]

Hopefully, this is enough info to start with the SAML login attempts.

[see lastpass]

We can investigate the Multi-Tenant app later.

Best regards

Dunstan

ivanromakh commented 2 years ago

OK, I'll try to make it work.

ivanromakh commented 2 years ago

In any case, I still need a button to log in on our site. Will do the Microsoft login button first, for SAML users. https://www.figma.com/file/LMraQn88VxZ9cHt1CAiZXN/Brillder?node-id=578%3A2593

ivanromakh commented 2 years ago

Seems like we can't use the default Microsoft library as SAML is old; we can probably use a SAML library. https://medium.com/@pradeep1991singh/getting-started-with-saml-azure-and-nodejs-341879c64b01

ivanromakh commented 2 years ago

https://login.microsoftonline.com/123456-xxxx-xxxx-xxxx-123456/saml2

ivanromakh commented 2 years ago

https://www.youtube.com/watch?v=VBovU1JucO0&t=1482s

ivanromakh commented 2 years ago

Need some certificate to make the SAML request.

ivanromakh commented 2 years ago

cert: the IDP's public signing certificate used to validate the signatures of the incoming SAML Responses, see Security and signatures

ivanromakh commented 2 years ago

There is another library. http://www.passportjs.org/packages/passport-azure-ad/

mjridgway commented 2 years ago

Domains for the three colleges: kedst.ac.uk hereford.ac.uk wsfc.ac.uk

sampayne commented 2 years ago

This is in the Startup.cs file that runs when the app first launches:

services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme).AddMicrosoftIdentityWebApp(options =>
 {
     options.Events.OnRemoteFailure = context =>
     {
         context.Response.Redirect("/");
         context.HandleResponse();
         return Task.CompletedTask;
     };

     options.ClientId = "<the client ID of your multi-tenant app>";
     options.TenantId = "common"; //Standard value for multi-tenant app
     options.Instance = "https://login.microsoftonline.com"; //Standard value for multi-tenant app
     options.Authority = "https://login.microsoftonline.com/common"; //Standard value for multi-tenant app
     options.RemoteAuthenticationTimeout = TimeSpan.FromMinutes(60);
     options.ResponseType = OpenIdConnectResponseType.IdToken;
     options.SignedOutRedirectUri = "<URL to send users to when they log out>";
     options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
     options.CorrelationCookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None;
     options.TokenValidationParameters = new TokenValidationParameters
     {
         ValidateIssuer = true //As far as I know, if this is set to false, you can't rely on the tenant ID the user says they are from
     };

     options.MaxAge = TimeSpan.FromDays(1);
 }, cookieOptions =>
 {
     cookieOptions.Cookie.MaxAge = TimeSpan.FromDays(7);
     cookieOptions.ExpireTimeSpan = TimeSpan.FromDays(7);
     cookieOptions.SlidingExpiration = false;
 }, OpenIdConnectDefaults.AuthenticationScheme, CookieAuthenticationDefaults.AuthenticationScheme);

Note: the various timeouts, cookie expiration times, and associated settings are for our environment. You should remove them to fall back on defaults, or set them to appropriate values for Brillder.

In some middleware that runs for every request:

var emailAddress = filterContext.HttpContext.User.Identity.Name;

var tenantID = filterContext.HttpContext.User.Claims.ToList().Find(x => x.Type == "http://schemas.microsoft.com/identity/claims/tenantid");

if (tenantID == null || tenantID.Value == "" || tenantID.Value != institutionSettings.institution.microsoftTenantID.value)
{
    //You don't recognise the tenancy the user is from, redirect them somewhere
    return;
}

// You have the email address of the user above, now you should check they are a valid user already in your database and redirect/adjust UI as necessary 

This only checks against a single tenant ID, because for us this is a known value that has already been determined based on the URL the user used to hit the web app. The if statement could easily be adjusted to check the tenant ID against all valid values for all schools/colleges using Brillder with Microsoft authentication

sampayne commented 2 years ago

Three of our tenant IDs:

wsfcacuk.onmicrosoft.com
HerefordSixthFormColl549.onmicrosoft.com
heartofmercia.onmicrosoft.com

Also in addition to Mark's comment, some users might have an @heartofmercia.org.uk email address
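The single-tenant `if` in the Startup.cs comment above, generalised to an allow-list of tenants and of the college email domains listed in this thread. This is an added example in Node.js, not Brillder's or sampayne's code; the tenant GUIDs are constructed placeholders, the `claims` object is assumed to come from an id_token the OIDC library has already signature- and issuer-validated, and the `/play/<id>/cover` route is an assumed path.

```javascript
// Added example (not Brillder's own code): authorisation step after a Microsoft login.
// Assumes the OIDC library has already verified the id_token's signature and issuer;
// this only decides whether the verified claims belong to a known college.
// Tenant GUIDs are constructed placeholders standing in for the tenants named in the thread.
const ALLOWED_TENANTS = new Set([
  "11111111-1111-1111-1111-111111111111", // placeholder: wsfcacuk.onmicrosoft.com
  "22222222-2222-2222-2222-222222222222", // placeholder: HerefordSixthFormColl549.onmicrosoft.com
  "33333333-3333-3333-3333-333333333333", // placeholder: heartofmercia.onmicrosoft.com
]);

// Email domains named in the thread; matched on the exact domain after the last "@",
// so a look-alike such as "evilkedst.ac.uk" is rejected.
const ALLOWED_DOMAINS = new Set(["kedst.ac.uk", "hereford.ac.uk", "wsfc.ac.uk", "heartofmercia.org.uk"]);

function emailDomain(email) {
  if (typeof email !== "string") return null;
  const at = email.lastIndexOf("@");
  if (at < 1 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// `tid` is the tenant GUID claim in Microsoft id_tokens (the ASP.NET code above reads the
// same value as the .../identity/claims/tenantid claim type). The email is taken from the
// `email` claim, falling back to `preferred_username` (assumption: that is the UPN).
function authorizeMicrosoftLogin(claims, allowedTenants = ALLOWED_TENANTS, allowedDomains = ALLOWED_DOMAINS) {
  const tid = typeof claims.tid === "string" ? claims.tid.toLowerCase() : "";
  if (!allowedTenants.has(tid)) {
    return { ok: false, reason: "unknown-tenant" }; // unrecognised tenancy: redirect elsewhere
  }
  const email = claims.email || claims.preferred_username;
  const domain = emailDomain(email);
  if (domain === null || !allowedDomains.has(domain)) {
    return { ok: false, reason: "unknown-domain" };
  }
  return { ok: true, tenantId: tid, email: email.toLowerCase() };
}

// Only the stored brick id (see the nullable redirect field discussed later in the thread)
// feeds the post-login redirect, never a URL from the request, so the login flow cannot
// be turned into an open redirect. The id format and route are assumptions.
function postLoginRedirect(brickId) {
  if (typeof brickId !== "string" || !/^[A-Za-z0-9_-]{1,64}$/.test(brickId)) return "/";
  return `/play/${brickId}/cover`;
}

module.exports = { authorizeMicrosoftLogin, postLoginRedirect, emailDomain };
```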

ivanromakh commented 2 years ago

@sampayne @lindsaymacvean I managed to log a user in. The user profile has the data below.

ivanromakh commented 2 years ago

backendBranch: miscrosoft-openId
frontendBranch: microsoft

ivanromakh commented 2 years ago

Seems like there could be a tenant id.

ivanromakh commented 2 years ago

Getting tenantId is possible.

ivanromakh commented 2 years ago

It seems like I need to add redirectUrl to the user entity. We actually only need to store the brickId the user will be redirected to after a successful login with Microsoft. It will probably be a nullable string field for redirects.

ivanromakh commented 2 years ago

They will have only an exit button at the end.

ivanromakh commented 2 years ago

Need a redirect URL for Heart of Mercia users.

ivanromakh commented 2 years ago

Users by those domains no longer need to spend credits to play bricks.

ivanromakh commented 2 years ago

This task seems completed.