Reputation: 12988
I have the following scenario:
An on-premise AD synced to AAD using Azure AD Connect. The Azure portal login is federated to this on-premise AD. I need to allow these synced users to authenticate in a mobile app using the OAuth2 token endpoint https://login.microsoftonline.com/tenantid.onmicrosoft.com/oauth2/v2.0/token.
To make that possible, I registered an application in App Registrations, and it's working fine for the users that are created using the Azure portal, but it does not work with the synced on-premise users. The problem here is that just the usernames are synced, without the passwords. So when I make a POST to this endpoint I get an error saying that the username or password is wrong.
So I'm stuck here on what I need to configure to make this work. I have read a lot of Microsoft documents but cannot figure out how to do that.
Upvotes: 0
Views: 298
Reputation: 58743
The authentication flow you are using (Resource Owner Password Credentials) has issues with federated users. It has sometimes worked, though I'm not quite sure why.
Your app should use a redirect-based authentication flow like the portal. It should not be handling user passwords and posting them to Azure AD. By using e.g. the Authorization Code flow, your users can sign in with a local account / federated account / Microsoft account / account with multi-factor authentication / reset an expired password. Your app does not need to care what the user had to do to authenticate.
With ROPC flow, your users cannot use multi-factor authentication for example. They also cannot reset an expired password.
See my article for further thoughts on why to avoid ROPC: https://joonasw.net/view/ropc-grant-flow-in-azure-ad
Upvotes: 2
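The redirect-based flow this answer recommends, as an added example that is not from the original thread or from Microsoft's libraries: an Authorization Code + PKCE exchange against the same tenant's v2.0 endpoints, using only the Python standard library so the protocol steps are visible. A real mobile app would normally let MSAL do this; the point here is that the app never handles the user's password, so federated users, MFA and expired-password resets all happen in the browser session. The client id, redirect URI and scopes are placeholder assumptions to be replaced with the values from your app registration; the tenant name is the one from the question.

```python
"""Authorization Code + PKCE against Azure AD v2.0 (added example, not the thread's code).

Assumptions, marked below: CLIENT_ID, REDIRECT_URI and SCOPES are placeholders
for values taken from your own app registration.
"""
import base64
import hashlib
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional, Tuple

TENANT = "tenantid.onmicrosoft.com"                 # tenant from the question
CLIENT_ID = "00000000-0000-0000-0000-000000000000"   # ASSUMPTION: your app (client) id
REDIRECT_URI = "https://login.microsoftonline.com/common/oauth2/nativeclient"  # ASSUMPTION: a redirect URI registered on the app
SCOPES = ["openid", "profile", "offline_access"]     # ASSUMPTION: scopes your app needs
AUTHORIZE_ENDPOINT = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"


def _b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    if verifier is None:
        verifier = _b64url(secrets.token_bytes(32))  # 43-character random verifier
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(state: str, challenge: str) -> str:
    """URL the app opens in the system browser; Azure AD handles federation/MFA there."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(SCOPES),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Pull the authorization code out of the redirect, checking state and surfacing
    errors Azure AD sends back (user cancelled, federated IdP failure, consent denied)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(redirect_url).query)
    if "error" in query:
        desc = query.get("error_description", ["(no description)"])[0]
        raise RuntimeError(f"{query['error'][0]}: {desc}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or a stale redirect")
    if "code" not in query:
        raise ValueError("redirect carried no authorization code")
    return query["code"][0]


def build_token_request(code: str, verifier: str) -> dict:
    """Form body for the token endpoint. A public (mobile) client sends no client_secret;
    the code_verifier is what binds this request to the code that was issued."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
        "scope": " ".join(SCOPES),
    }


def redeem_code(code: str, verifier: str) -> dict:
    """POST the code to the token endpoint and return the JSON token response."""
    body = urllib.parse.urlencode(build_token_request(code, verifier)).encode("ascii")
    req = urllib.request.Request(
        TOKEN_ENDPOINT, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        # Azure AD returns a JSON body with error / error_description on 4xx
        raise RuntimeError(exc.read().decode("utf-8", "replace")) from exc


if __name__ == "__main__":
    state = _b64url(secrets.token_bytes(16))
    verifier, challenge = make_pkce_pair()
    print("Open this URL in the browser (system browser or auth session on mobile):")
    print(build_authorize_url(state, challenge))
    redirect = input("Paste the full redirect URL here: ").strip()
    tokens = redeem_code(parse_redirect(redirect, state), verifier)
    print("token_type:", tokens.get("token_type"), "expires_in:", tokens.get("expires_in"))
    print("granted scope:", tokens.get("scope"))
```

The state check and the error branch in parse_redirect are the parts worth keeping even if you later swap in MSAL: a federated sign-in that fails at the on-premises IdP comes back as an error on the redirect, not as a "wrong username or password" response from the token endpoint, which is the failure the question describes for ROPC.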
Reputation: 18387
You need to enable password hash synchronization otherwise there's no way to authenticate on premise users into your app.
More info:
Upvotes: 1