user888734

Reputation: 3897

ADAL.js with Multi-Tenant Azure Active Directory

The sample code provided for using ADAL.js looks something like this:

window.config = {
    instance: 'https://login.microsoftonline.com/',
    tenant: '[Enter your tenant here, e.g. contoso.onmicrosoft.com]',
    clientId: '[Enter your client_id here, e.g. g075edef-0efa-453b-997b-de1337c29185]',
    postLogoutRedirectUri: window.location.origin,
    cacheLocation: 'localStorage' // enable this for IE, as sessionStorage does not work for localhost.
};
var authContext = new AuthenticationContext(config);

This works fine, but I'm trying to allow access for a multi-tenant application - users from an organisation should only be able to sign in if the application has been granted access by their account administrator.

I've implemented the first part - allowing admin users to enable - as per this example.

So at this point my application is listed in the third party's Active Directory.

I'm not sure what the correct settings should be for the tenant. I tried using 'common', but then it shows a dialog asking an individual user if they would like to grant access to the application, which is not what I'm looking for.

If I was making a straight MVC app, I'd continue on with the example above, using app.UseOpenIdConnectAuthentication on the server. But my app is a SPA, with Web Api backend, and I haven't been able to find a multi-tenant example for this scenario.

Upvotes: 5

Views: 2459

Answers (2)

Preeti Aggarwal

Reputation: 131

There is a way of configuring your app for authenticating with multiple tenants without using "common". You can ask the user to input their email when starting the login process and pass a user type parameter, e.g. if the user is using contoso.com then pass usertype = 0, else 1. After declaring the two tenants and their client ids, you can initialize the authContext by making it a function.

import AuthenticationContext from "adal-angular/dist/adal.min";

const adalConfig1 = {
    instance: 'https://login.microsoftonline.com/',
    tenant: '[Enter your first tenant here, e.g. contoso.onmicrosoft.com]',
    clientId: '[Enter your first client_id here, e.g. g075edef-0efa-453b-997b-de1337c29185]',
    postLogoutRedirectUri: window.location.origin,
    cacheLocation: 'localStorage' // enable this for IE, as sessionStorage does not work for localhost.
};

const adalConfig2 = {
    instance: 'https://login.microsoftonline.com/',
    tenant: '[Enter your second tenant here, e.g. contoso1.onmicrosoft.com]',
    clientId: '[Enter your second client_id here, e.g. g075edef-0efa-453b-997b-de1337c29185]',
    postLogoutRedirectUri: window.location.origin,
    cacheLocation: 'localStorage' // enable this for IE, as sessionStorage does not work for localhost.
};

// Pick the tenant configuration from the user type chosen at login:
// 0 selects the first tenant, anything else selects the second.
export const authContext = (usertype) => {
    if (usertype === 0) {
        return new AuthenticationContext(adalConfig1);
    } else {
        return new AuthenticationContext(adalConfig2);
    }
};

Use this authContext(usertype) in your user login function.

Upvotes: 0

vibronet

Reputation: 7394

The correct way of configuring your app for authenticating with any tenant, which is what you want in your scenario, is to use common. The per-user consent is a provisioning consideration. If you want an administrator to consent for the app on behalf of the entire organization, you can implement the admin consent flow by triggering an authentication request and appending prompt=admin_consent to it. Provided that an administrator performs an authentication flow in response to that request, Azure AD will offer to the admin the chance to consent for the app on behalf of everybody in the organization.

Upvotes: 4
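The flow described in this answer, written out in ADAL.js terms as an added example (this is not code from the question or from either answer). It assumes ADAL.js's extraQueryParameter config setting to carry prompt=admin_consent, and it adds the check that has to follow once the tenant is 'common': Azure AD will then issue tokens for users of any directory, so the app itself has to compare the token's tid claim with the tenants whose administrator has consented. The function names (buildAdminConsentUrl, tenantIsAllowed, makeSampleToken, demo), the client id, redirect URI and tenant ids, and the sample token are all assumptions or constructed placeholders.

```javascript
// Added example, not code from the question or either answer. Shows the
// admin-consent request for the 'common' endpoint and the tenant allow-list
// check a multi-tenant SPA needs afterwards. All names and values below are
// assumptions or constructed placeholders.

// Same shape as the ADAL.js config in the question, with tenant 'common'
// and prompt=admin_consent supplied through ADAL.js's extraQueryParameter.
const adminConsentConfig = {
    instance: 'https://login.microsoftonline.com/',
    tenant: 'common',
    clientId: '00000000-0000-0000-0000-000000000000', // placeholder client_id
    redirectUri: 'https://app.example.com/',          // placeholder redirect URI
    extraQueryParameter: 'prompt=admin_consent',
};

// The core of the authorization request ADAL.js sends for login() with the
// config above (ADAL.js also appends client-request-id and x-client-* fields).
function buildAdminConsentUrl(config, nonce, state) {
    const url = new URL(`${config.tenant}/oauth2/authorize`, config.instance);
    url.searchParams.set('response_type', 'id_token');
    url.searchParams.set('client_id', config.clientId);
    url.searchParams.set('redirect_uri', config.redirectUri);
    url.searchParams.set('nonce', nonce);
    url.searchParams.set('state', state);
    for (const [key, value] of new URLSearchParams(config.extraQueryParameter)) {
        url.searchParams.set(key, value);
    }
    return url.toString();
}

function base64UrlEncode(text) {
    return Buffer.from(text, 'utf8').toString('base64')
        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(text) {
    return Buffer.from(text.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Read the claims of a JWT without verifying it. Signature, audience and
// expiry checks belong to the Web API that receives the token; this example
// covers only the tenant decision that comes after those checks.
function decodeJwtPayload(token) {
    const parts = token.split('.');
    if (parts.length !== 3) throw new Error('not a compact JWT');
    return JSON.parse(base64UrlDecode(parts[1]));
}

// Allow only tenants whose administrator has consented. consentedTenants is
// assumed to be the list the app stores when an admin's consent round trip
// comes back. The tid claim must also agree with the v1 issuer format
// https://sts.windows.net/{tid}/ so the two claims cannot disagree silently.
function tenantIsAllowed(idToken, consentedTenants) {
    const claims = decodeJwtPayload(idToken);
    if (typeof claims.tid !== 'string') return false;
    if (claims.iss !== `https://sts.windows.net/${claims.tid}/`) return false;
    return consentedTenants.includes(claims.tid);
}

// Constructed sample token for running the check offline. The signature
// segment is a placeholder, which is fine here because tenantIsAllowed is
// meant to run after the backend has already verified the real signature.
function makeSampleToken(claims) {
    const header = base64UrlEncode(JSON.stringify({ typ: 'JWT', alg: 'RS256' }));
    const payload = base64UrlEncode(JSON.stringify(claims));
    return `${header}.${payload}.placeholder-signature`;
}

// Constructed tenant ids: one whose admin consented, one that never did.
const CONSENTED_TENANT = '11111111-1111-1111-1111-111111111111';
const OTHER_TENANT = '22222222-2222-2222-2222-222222222222';

function demo() {
    const url = buildAdminConsentUrl(adminConsentConfig, 'nonce-placeholder', 'state-placeholder');
    const fromConsented = makeSampleToken({
        tid: CONSENTED_TENANT, iss: `https://sts.windows.net/${CONSENTED_TENANT}/`,
        aud: adminConsentConfig.clientId, upn: 'admin@contoso.example',
    });
    const fromOther = makeSampleToken({
        tid: OTHER_TENANT, iss: `https://sts.windows.net/${OTHER_TENANT}/`,
        aud: adminConsentConfig.clientId, upn: 'user@fabrikam.example',
    });
    return {
        url,
        consentedAllowed: tenantIsAllowed(fromConsented, [CONSENTED_TENANT]),
        otherAllowed: tenantIsAllowed(fromOther, [CONSENTED_TENANT]),
    };
}

console.log(demo());
```

In a real SPA the consent request belongs only on the administrator onboarding path (an ordinary user who is sent through prompt=admin_consent gets an error from Azure AD rather than a consent page), while everyday sign-in keeps tenant 'common' without that parameter. The tenant check is the part that actually enforces the question's requirement: 'common' alone lets any Azure AD user authenticate, and only the allow-list of consented tid values limits access to organisations whose administrator has enabled the app.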
