Closed scholar6admin closed 2 years ago
We are waiting on
Not sure how to configure it, as it is old. Can't find instructions.
Here is the App federation Data URI for the “Brillder” enterprise app I have created.
[See lastpass]
You should be able to retrieve the data required for SAML logins from there.
Basic SAML Configuration
Identifier (Entity ID) = http://app.brillder.com/login/saml
Reply URL (Assertion Consumer Service URL) = https://app.brillder.com/ @ivanromakh do we need to alter this to https://api.brillder.com?
Sign on URL = https://app.brillder.com/
Attributes & Claims
Givenname = user.givenname
Surname = user.surname
Emailaddress = user.mail
Name = user.userprincipalname
Unique User Identifier = user.userprincipalname
Set up Brillder
You'll need to configure the application to link with Azure AD.
[See lastpass]
Hopefully this is enough info to start with the SAML login attempts.
[see lastpass]
We can investigate the Multi-Tenant app later.
Best regards
Dunstan
OK, I'll try to make it work.
Either way, I still need a button to log in on our site. Will do the Microsoft login button first, for SAML users. https://www.figma.com/file/LMraQn88VxZ9cHt1CAiZXN/Brillder?node-id=578%3A2593
Seems like we can't use the default Microsoft library, as SAML is old; we can probably use a SAML library instead. https://medium.com/@pradeep1991singh/getting-started-with-saml-azure-and-nodejs-341879c64b01
Need some certificate to make the SAML request.
cert: the IDP's public signing certificate used to validate the signatures of the incoming SAML Responses, see Security and signatures
There is another library. http://www.passportjs.org/packages/passport-azure-ad/
Domains for the three colleges: kedst.ac.uk hereford.ac.uk wsfc.ac.uk
This is in the Startup.cs file that runs when the app first launches:
```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.Identity.Web;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Inside ConfigureServices(IServiceCollection services)
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme).AddMicrosoftIdentityWebApp(options =>
{
    // If the remote sign-in fails, send the user back to the home page instead of an error page
    options.Events.OnRemoteFailure = context =>
    {
        context.Response.Redirect("/");
        context.HandleResponse();
        return Task.CompletedTask;
    };
    options.ClientId = "<the client ID of your multi-tenant app>";
    options.TenantId = "common"; // Standard value for multi-tenant app
    options.Instance = "https://login.microsoftonline.com"; // Standard value for multi-tenant app
    options.Authority = "https://login.microsoftonline.com/common"; // Standard value for multi-tenant app
    options.RemoteAuthenticationTimeout = TimeSpan.FromMinutes(60);
    options.ResponseType = OpenIdConnectResponseType.IdToken;
    options.SignedOutRedirectUri = "<URL to send users to when they log out>";
    // Correlation cookie must be Secure + SameSite=None so the cross-site redirect from Azure AD can read it
    options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
    options.CorrelationCookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None;
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true // As far as I know, if this is set to false, you can't rely on the tenant ID the user says they are from
    };
    options.MaxAge = TimeSpan.FromDays(1);
}, cookieOptions =>
{
    // Session cookie lifetime for the signed-in user
    cookieOptions.Cookie.MaxAge = TimeSpan.FromDays(7);
    cookieOptions.ExpireTimeSpan = TimeSpan.FromDays(7);
    cookieOptions.SlidingExpiration = false;
}, OpenIdConnectDefaults.AuthenticationScheme, CookieAuthenticationDefaults.AuthenticationScheme);
```
Note: the various timeouts, cookie expiration times, and associated settings are for our environment. You should remove them to fall back on the defaults, or set them to appropriate values for Brillder.
In some middleware that runs for every request:
```csharp
using System.Linq;

// Runs for every request (e.g. in an action filter); filterContext is the filter's context
var emailAddress = filterContext.HttpContext.User.Identity.Name;
// The tenant the user signed in from, as surfaced by the OpenID Connect middleware
var tenantID = filterContext.HttpContext.User.Claims.ToList().Find(x => x.Type == "http://schemas.microsoft.com/identity/claims/tenantid");
if (tenantID == null || tenantID.Value == "" || tenantID.Value != institutionSettings.institution.microsoftTenantID.value)
{
    // You don't recognise the tenancy the user is from, redirect them somewhere
    return;
}
// You have the email address of the user above, now you should check they are a valid user already in your database and redirect/adjust UI as necessary
```
This only checks against a single tenant ID, because for us this is a known value that has already been determined based on the URL the user used to hit the web app. The if statement could easily be adjusted to check the tenant ID against all valid values for all schools/colleges using Brillder with Microsoft authentication.
Three of our tenant IDs:
wsfcacuk.onmicrosoft.com
HerefordSixthFormColl549.onmicrosoft.com
heartofmercia.onmicrosoft.com
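The allow-list version of that tenant check, as an added example for a Node backend (not Brillder's or Mark's code). It assumes the ID token's signature and expiry were already verified upstream (for instance by passport-azure-ad) and that `claims` is the verified payload; the tenant GUIDs are constructed placeholders, and the v2.0 issuer format is assumed.

```javascript
// Added example: tenant allow-list check for a multi-tenant Azure AD sign-in.
// Assumes `claims` is an ID token payload whose signature was already verified.
// Tenant GUIDs are constructed placeholders; real values come from each college's Azure AD tenant.
const ALLOWED_TENANTS = new Map([
  ["11111111-1111-4111-8111-111111111111", "wsfcacuk.onmicrosoft.com"],
  ["22222222-2222-4222-8222-222222222222", "HerefordSixthFormColl549.onmicrosoft.com"],
  ["33333333-3333-4333-8333-333333333333", "heartofmercia.onmicrosoft.com"],
]);

// .NET surfaces the tenant under a long claim URI; raw JWT payloads use `tid`.
const TENANT_CLAIM_URI = "http://schemas.microsoft.com/identity/claims/tenantid";

function tenantIdFrom(claims) {
  const raw = claims.tid ?? claims[TENANT_CLAIM_URI];
  return typeof raw === "string" ? raw.trim() : "";
}

// Returns { ok: true, institution } for a recognised tenant, otherwise { ok: false, reason }.
// With authority "common" every Azure AD tenant can mint a valid token, so the
// application itself must decide which tenants are allowed in.
function checkTenant(claims, allowed = ALLOWED_TENANTS) {
  const tid = tenantIdFrom(claims);
  if (!tid) {
    return { ok: false, reason: "missing tenant id claim" };
  }
  const institution = allowed.get(tid);
  if (!institution) {
    return { ok: false, reason: `unrecognised tenant ${tid}` };
  }
  // Defence in depth: the issuer must name the same tenant as `tid`
  // (v2.0 issuer format assumed: login.microsoftonline.com/{tid}/v2.0).
  const expectedIssuer = `https://login.microsoftonline.com/${tid}/v2.0`;
  if (claims.iss !== expectedIssuer) {
    return { ok: false, reason: "issuer does not match tenant id" };
  }
  return { ok: true, institution };
}

module.exports = { ALLOWED_TENANTS, TENANT_CLAIM_URI, checkTenant };
```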
Also, in addition to Mark's comment, some users might have an @heartofmercia.org.uk email address.
@sampayne @lindsaymacvean I managed to log in a user. The user profile has the data below.
backendBranch: miscrosoft-openId fontendBranch: microsoft
Seems like there could be a tenant ID.
Getting tenantId is possible.
It seems like I need to add redirectUrl to the user entity. We actually only need to store the brickId the user will be redirected to after a successful login with Microsoft. It will probably be a nullable string field for redirects.
They will have only an exit button at the end.
Need a redirect URL for Heart of Mercia users.
Users by those domains no longer need to spend credits to play bricks.
This task seems completed.
As a student from Heart of Mercia virtual college, I need to be able to access Brillder seamlessly. When I click on a Brick in Canvas, then I should immediately be authenticated using my Microsoft credentials, and I should arrive back at the Brick cover ready to play (without popups), and at the end of the Brick I should be redirected back to Canvas (and not to the Brillder catalogue).