Closed aherrick closed 6 years ago
Hi @aherrick, With the new MSAL there is no option to restrict an app to a single tenant when creating the app. If you'd like to restrict login for given tenant(s), you can add those here.
You would use something like this:
// Goes in OpenIdConnectOptions.TokenValidationParameters (needs Microsoft.IdentityModel.Tokens).
// The v2.0 issuer claim is the full URL https://login.microsoftonline.com/{tenant-id}/v2.0,
// so compare against that, not the bare tenant id.
IssuerValidator = (issuer, token, tvp) =>
{
    if (issuer == "https://login.microsoftonline.com/your-tenant-id-here/v2.0")
        return issuer;
    else
        throw new SecurityTokenInvalidIssuerException("Invalid issuer");
}
or if you have multiple tenants:
// myTenantIds must hold the full issuer URLs (https://login.microsoftonline.com/{tenant-id}/v2.0)
// of every tenant you want to allow.
IssuerValidator = (issuer, token, tvp) =>
{
    if (myTenantIds.Contains(issuer))
        return issuer;
    else
        throw new SecurityTokenInvalidIssuerException("Invalid issuer");
}
Have a nice weekend! :)
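The snippets above are fragments; the block below is an added example (not code from this thread or from the aspnetcore-connect-sample project) showing where the IssuerValidator sits in a complete ASP.NET Core 2.x OpenID Connect setup. The class name, the AllowedTenantIds set and the GUIDs in it are assumptions; the issuer URL format is what Azure AD v2.0 tokens actually carry. Note that once IssuerValidator is set, the library's own ValidIssuer/ValidIssuers check is replaced, so the delegate has to do the whole job: verify scheme and host, not just the tenant segment.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Added example: restrict sign-in to an allowlist of Azure AD tenants.
public static class TenantRestrictedAuth
{
    // Constructed placeholder tenant ids (assumption); replace with your directory ids.
    private static readonly HashSet<string> AllowedTenantIds =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "00000000-0000-0000-0000-000000000001",
            "00000000-0000-0000-0000-000000000002",
        };

    // Matches the IssuerValidator delegate: return the issuer if accepted, throw otherwise.
    // v2.0 issuer claim: https://login.microsoftonline.com/{tenant-id}/v2.0
    public static string ValidateIssuer(string issuer, SecurityToken token, TokenValidationParameters tvp)
    {
        if (Uri.TryCreate(issuer, UriKind.Absolute, out var uri)
            && uri.Scheme == Uri.UriSchemeHttps
            && uri.Host.Equals("login.microsoftonline.com", StringComparison.OrdinalIgnoreCase))
        {
            // Expect exactly two path segments: "{tenant-id}" and "v2.0".
            var segments = uri.AbsolutePath.Trim('/').Split('/');
            if (segments.Length == 2
                && segments[1] == "v2.0"
                && AllowedTenantIds.Contains(segments[0]))
            {
                return issuer;
            }
        }

        // Rejecting here fails token validation, so the user never gets a session.
        throw new SecurityTokenInvalidIssuerException(
            $"Issuer '{issuer}' is not one of the allowed tenants.");
    }

    public static void ConfigureServices(IServiceCollection services, string clientId)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            // "organizations" keeps personal Microsoft accounts off the sign-in page;
            // the issuer check is the server-side enforcement that actually matters.
            options.Authority = "https://login.microsoftonline.com/organizations/v2.0";
            options.ClientId = clientId;
            options.ResponseType = "id_token";
            options.TokenValidationParameters = new TokenValidationParameters
            {
                // A multi-tenant authority cannot supply a single ValidIssuer,
                // so issuer validation is delegated to our allowlist check.
                IssuerValidator = ValidateIssuer,
                NameClaimType = "name",
            };
        });
    }
}
```

The Authority setting controls which accounts the sign-in page offers; the IssuerValidator is what stops a token from a foreign tenant being accepted even if someone reaches the callback with one, so keep both.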
hey @mark-szabo Thanks for the answer!
I guess what I'm getting at is I don't want it available for personal accounts at all. I don't like how, when I go to /Signin while already authenticated, I still have to click through with my Work account.
Should I really just be creating an Azure AD only application and then setting up the Auth/Configuration that way? Are there any guides which show this? Thank you!
If you don't want to limit your user base to just work/school accounts, you'll want to use the ADAL library instead of MSAL. Here is an ASP.NET Core example that uses ADAL: https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect-aspnetcore You can see a number of ASP.NET core samples that demonstrate various authentication scenarios here:
https://github.com/azure-samples/?utf8=%E2%9C%93&q=aspnetcore
By the way, here is an earlier version of this sample using ADAL: https://github.com/microsoftgraph/aspnetcore-connect-sample/tree/6d2fcf63eefe4b61d769e4ce93050de736e0ab44
Before switching back to ADAL, I'd try this:
You can set the login_hint param to the user email address and it should redirect automatically as described in the docs:
You can use this parameter to pre-fill the username and email address field of the sign-in page for the user, if you know the username ahead of time. Often, apps use this parameter during re-authentication, after already extracting the username from an earlier sign-in by using the preferred_username claim.
@mark-szabo thanks for the latest thoughts!
So I believe I am implementing this correctly. I've tried both login_hint and domain_hint. However my Work tenant is not automatically selected. I'm still presented with both Work/Personal accounts.
Any thoughts?
// Inside OpenIdConnectOptions.Events; "me@tenant.com" / "tenant.com" are placeholders.
OnRedirectToIdentityProvider = context =>
{
    // var user = System.Security.Claims.ClaimsPrincipal.Current.FindFirst("preferred_username").Value;
    context.ProtocolMessage.LoginHint = "me@tenant.com";
    context.ProtocolMessage.DomainHint = "tenant.com";
    return Task.CompletedTask;
},
From Fiddler:
Yes, you are doing it right as I see. I've just asked it in some internal groups. If you can wait some days, I'll get back with an answer as soon as I get something.
Can do - thanks again! 👍
Hi @aherrick, it seems this is a bug in MSAL for .NET. Can you please raise an issue here? https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues Thanks!
@aherrick we just found some (maybe) useful info for you: http://www.cloudidentity.com/blog/2016/07/25/controlling-a-web-apps-session-duration-2/
Can you please check it out?
Closing due to inactivity. Please reopen if you have questions!
Are there any examples showing similar Auth/Graph access with Core and Azure AD Only app?
In my case I only want to login users for a given Work tenant, and don't care about the app being Converged.
Or what is the best way to restrict Auth to a given tenant? Would I still want to create a Converged App?
Thanks!