Azure AD Sample Application | Custom Claims with Extension Attributes

Captions
Hi guys, hope you all are doing well. Welcome back to our series on Azure Active Directory. In this video we are going to talk about a sample application. So the core agenda of this video will be knowing how to add a sample application, and the application that we are going to add will be an ASP.NET MVC app. This application is going to use the MSAL authentication libraries, wherein the protocol which will be used will be OpenID Connect, and then I will be showing you the Fiddler trace to track how different tokens are getting generated. Now the reason behind covering different tokens or different claim types is because there was a community post wherein it was mentioned that you guys want to know more about how the custom claims work. Now if you read the Microsoft article it will let you know how to customize claims or how to add a transformation, but as of now there is no article which lists how to use an extension attribute, and that's exactly what I'm going to show you.

So for the lab I'm going to use a VM wherein I have already installed Visual Studio, and that machine has Internet connectivity as well. So as of now I'm going to switch to my browser, from where I will be downloading a sample app, and then I will be copying that app into my VM, from where we will be doing all the configuration. So this is my browser, from where I will go to Azure AD sample application and I will install the one which is ASP.NET and that will work with the OpenID Connect protocol. So all you have to do is click on the very first article and you will land on a page where you are getting the sample applications that work on v2.0 endpoints. Okay, so this is the app which I'm going to use at the moment. I will click on this and I will be redirected to the GitHub page. Now it is the best practice to read about the sample that you are going to use, because this set of information actually lets you know what all this application is going to do. Okay, so now what I'm going to do is I'm going to click on Clone or download, and then I will click on Download ZIP, and as you can see the application sample is downloaded on my machine.

Now what I'll do is I'll copy the sample to my VM, where we will be doing all the configuration. So this is my machine where I have already installed Visual Studio, and now what I'm going to do is I'm going to paste my sample solution which I have copied, and as you can see this is my app which is going to use OpenID Connect. Now I'm going to right-click and then I'm going to click on Extract All, and the moment I click on Extract All the files will be extracted and we will be accessing the solution file. Now for this particular VM what I already have is Visual Studio 2019 Enterprise Edition. Now if you want to download it you can download it for free; I think as of now it is available for at least 90 days, and I think 90 days will be more than enough for you to understand how a particular technology works.

Okay, so as of now I have just opened the sample file and as you can see my application is loaded. The very first thing that you have to do is go to the web.config section. Now the moment you land on the web.config section, the first set of information that you see here is that it needs the client ID and client secret. Now what I'll do is I'll switch to my browser, where we will be creating a new application, and we will be creating a new client ID and client secret and we will be embedding them in our application so that we can test authentication. Now I'm going to click on New registration, and here I'm going to type OpenID Connect, and since this application is going to use MSAL and we will be checking user authentication, that's exactly what I have named my application. Now since this application is going to use MSAL I am going to select this option. Now this value is something that exists on your application, so what I'll do is I'll switch back to my VM and I'll copy the redirect URI from here. Now if there is any mismatch in terms of the redirect value that's available on your application as well as the portal, then you will get errors. Okay, so make sure that this value is exactly the same as the one which exists on your app.

So as of now what all has been done: I have downloaded a sample and I have registered an application. Now I have to update the client ID and client secret in my application, and as you can see this key value is asking me to update my client ID. I'll come back to my portal and I will generate a client secret that I will be using with my application. So to generate that, just click on Certificates & secrets, then click on New client secret, and then click on Add. Now by default the one which is generated as of now is for one year. So I will copy this value and I'll come back to my application and then I will paste that value here. Now once you have updated both the values it's better, or it is a much more efficient way, to just right-click and rebuild the solution before you launch your application. Okay, and make sure that you do not get any error, because if you get any error your application will not work as expected.

Okay, now the next step will be checking authentication. I'm sure we will get some errors as of now because the configuration is not complete. Now the reason behind showing this method is because I would like you guys to know how to troubleshoot an application in real time. Now if you get any error message like this, don't worry; since this is the first instance, at times if you are using Visual Studio, IIS Express on the box might take a couple of minutes to load the application completely. Okay, so as of now, as you can see, this application is still loading, so I'm not going to make any change. Let's wait and let's see whether we get the default application page or not. What the expected behavior is: the moment the application is loaded I will get an option button, I have to select it, and I have to click on Sign in with Microsoft. And as you can see I have not made any change and the application is loaded.

Now I have to click on this option and a redirect request will land on my tenant where the application is registered, and as you can see now I'm getting the option to enter my credential. So what I'm going to do is I'm going to type my username and then I will type my password. Okay, now as of now I'm not really sure whether the authentication will get completed, because the consent is not accepted, and as you can see I'm getting an error. Okay, now it says that response type id_token is not enabled for this application. Now the reason behind my getting this error is because this application requires implicit flow to be enabled on the application. Okay, so I'll come back to my console where the application is, and then I'll click on Token configuration, sorry, I'll click on Authentication, and then I'll enable these two options, which is implicit grant: access token and ID token. Now depending upon the application sample with which you are working, as I've said before, if you read all this documentation it will help you a lot, and in this itself it is mentioned that you have to enable implicit grant. But if implicit grant is not enabled, the error which we have got is one of the samples. The reason behind showing you guys all this is because we are learning how to troubleshoot the advanced level configuration that's required for different applications. So I will close this now and let me wait for this to get refreshed, and as you can see it's being closed now. So I will again launch my application. Now if this time also it gives you an error, as I said before, wait for some time or just click on reload, because at times IIS Express takes a couple of minutes to process the entire application. Okay, now as you can see I'm again getting the same prompt wherein I have to click on Sign in with Microsoft, and this time the expected behavior is once I type in my username and password I should get a consent prompt. Okay, that is what I'm expecting, but let's see what happens.

Okay, so I've entered my password and as you can see I'm getting the consent prompt. Now there are three different consents that I am getting: the first one is view basic profile, the other one is the generic consent which you will see in most of the requests, but I'm also getting read your mail. Now the reason behind my getting these three prompts is because if I go to my Startup section (you can also refer to this on your app) and then if I go to this configuration section, you will see there will be different attributes or there will be different values that will be included in any authentication request, and as you can see Mail.Read is also being sent as one of the scopes. That's the reason why I am getting these three consent prompts. Now the moment I click on Accept I should land back on my application, and this time it should work as expected, and as you can see I am signed in with my user object. Now capturing a Fiddler trace for this example will not make any sense because we have done it so many times.

Okay, now what I'll show you is an advanced custom claim rule that we will be using, wherein the extension attribute will be sent for this application. So if I come back to my deck, let me show you the rule I have created. Okay, so usually what happens is that depending upon the object type that you are using, you have to mention ID here for a normal attribute, or the attributes which are already publicly exposed. Okay, but if you are trying to query an extension attribute, likewise this is one of the examples which I have already covered, and a video is available in the channel wherein I was discussing directory extensions. So if you have not watched it, please watch that video on how to enable custom attributes or how to enable directory extension attributes. Okay, so as of now I have one of my users, in fact two users, in my tenant for which this attribute value is populated, and this is a custom attribute that I have created in my on-prem AD.

Okay, what I am saying now is: in this particular claims mapping policy, you have to query user, go for ExtensionID, copy this value and send it as employeetype, whereas the other attribute which you have to query is a normally publicly exposed attribute, which is on-premises distinguished name, and send it as onpremdn. And this is the name of my policy, or the display name of my policy, which I am going to create. Okay, so now as I addressed before, this is something which requires the Azure AD Preview PowerShell module, and make sure you run the appropriate commands, because if there is any issue in terms of the syntax that you are using then your policy will not work as expected. Okay, so now I'm going to paste this value and I'm going to click on Enter. Now this will create a new policy which we will be mapping to our application which we have just created. So let's go back to the portal where we have our application, and this is the application which we have just created, and the name is OpenID Connect MSAL user. Now this is the application object, but if you guys remember, the policies are mapped to the service principal object. Okay, so now what I'll do is I'll open my service principal object of the OpenID Connect MSAL-user app, and from here we need the object ID of this particular object. So I will copy this value and I'll come back to my PowerShell, and now what I will say is Add-AzureADServicePrincipalPolicy, -Id the object ID of my service principal, -RefObjectId the object ID of the policy which we have just created. So I will copy this value and I will paste it here and then I'll click on Enter.

Now there is one more very common error that you will get when you create a claims mapping policy, and that is more related to the signing key, and, you know, the surprising part is the set of information that you will get from the browser, or in the browser, is not at all relatable. Now what do I mean by this? That as of now we have created a custom claim policy and I should be using that policy to sign in with that, with this particular user object, but the error that we will get on the portal now, once we use a fresh sign-in, will never let you know what exactly the issue is. Okay, so this has not been signed out completely; let me forcefully sign out. So this is the endpoint that you can use for sending logout requests to Azure AD. So now this will be completely signed out. Okay, so now I'll again launch my application, but before I launch my application let's this time enable Fiddler as well. So as of now this machine doesn't have Fiddler; what I'll do is I'll quickly install Fiddler and I'll resume the video. So I have configured Fiddler now and it's up and running, and the HTTPS traffic is also getting decrypted, and now I will again launch my application. Now this time what we have to check is the new ID token that we are getting, whether it has the extension attribute value or not. But let me tell you guys, we will again get a particular error in this case, and that will be more related to the claims mapping policy not being enabled for this application. So let me sign in again and let me show you the exact error that we get. Okay, so now as you can see I'm getting the prompt, I type my password, and the moment I click on Sign in I should again get an error. Now the reason why we should get an error is because the consent part is already configured. Now as you can see this error shows me that this application is required to be configured with an application-specific signing key. Now if you read the documentation of claims mapping policy there is a particular comment made by one of the users who is addressing this issue, but long back there was an article on Social TechNet as well which says that in order to fix this issue all you have to do is go to the application object of your application which you have just registered (so in our case this is the application), and then go to Manifest, and then here where it says acceptMappedClaims just set it to true. That's it, your issue will be resolved.

Now this part is actually something which is publicly documented, but I thought of including it here so that if you get this error now with any of your applications you will be able to relate what exactly is going on. Okay, so I'll again forcefully initiate a sign-out and then again I will relaunch the application, and this time we should get the expected token with all the claims. Okay, so as of now the application is stopped, and again I'm going to click on the same option, which is IIS Express (Google Chrome), and as you can see this is something which we are getting again and again, because this is something which I've also addressed: that at times IIS Express takes time. So it all depends upon how good the hardware of your VM is. Maybe you are using, you know, n times better hardware than I'm using, so maybe you will never get this error, but on my machine it's a generic error that usually comes. Okay, so I have again selected my account and then I'm going to type in my password and I will click on Sign in, and let's see what all we get on Fiddler. Okay, so I'll go back and I'll click on Yes, and let's see: this is the frame which should contain our token, and let's see if we got that or not. And as you can see this is my ID token. I'll copy this value and I'll go to jwt.ms or jwt.io, whichever website you prefer to decode the token; both of them do the same thing, or they both have the same purpose, but you can choose any one according to you. Okay, so as you can see I'm getting now onpremdn, okay, but still I'm not getting the value for conceptswork-employeetype, that specific custom claim type that we have registered. Now there is one more reason for this, and that is as of now the SSO account does not have that specific attribute, conceptswork-employeetype, populated. Okay, now see, these are small, small things which I am covering deliberately to make you guys understand that if you are getting some result with the policy that you have configured, it means the policy is perfect; there must be something which is missing from the user object perspective itself.

Okay, so now what I'll do is I'll close this, I'll come back to my browser, I'll again forcefully send a logout request, and this time I'm going to use the object which has absolutely perfect settings, all the claims populated, and this time the result that we will get will be the ideal result which we will be discussing, or which we were discussing, in our deck. Okay, so I'm going to use an account which has both the values populated, and the token that we should get must have a value which is conceptswork-employeetype as the attribute, and then depending upon that particular employee, or depending upon that particular user, if he is FTE or if he is a contractor, we should get the appropriate value. So I'll again click on IIS Express (Google Chrome), because the last session was active and it landed on SSO itself. Okay, so now the moment we get the prompt to sign in with the user object we'll use the object which has all the details. There are two objects which we can use: the one is Enter and the other one is IDP. This is the same example which I have covered in the directory extension video as well, so if you have already watched that you will be able to relate to what I'm saying as of now. Okay, so now I'm going to use another account, and let's just verify: perfect, Fiddler is also running. So now what I'll do is I'll sign in with my account which has all the attributes populated, and I will type my password and then I will sign in, and that's all. Now the token that we will get will have all the information. Now there is one more thing which you guys can observe here: that since I have changed the user, now this application will be accessing the information which is more related to this particular user, so this user is also getting a prompt, and this is the consent prompt which is user specific, more related to something which you can relate with the OAuth 2.0 authorization code flow, because that's the flow wherein an identity layer is added for OpenID Connect. Okay, so just to know how the protocol flow works, I will be posting a video on the public channel; you can view that as well. But as of now just focus on whether the custom claims are getting mentioned or not.

Okay, so we'll go to the same frame where we find the token, and we right-click here, we copy this value, and now we'll go to our browser where we will go to jwt.ms, and here we will be using the string to actually decode and see whether the required claims are present or not. So as I said before, you can either use jwt.io or jwt.ms; they both serve the same purpose, or they are both used for decoding the token itself. So the web page is loaded now, and I'll just paste my token, and as you can see I'm getting employeetype FTE, and onpremdn is the same value that's coming from my on-prem environment. And if you now match this value with the rule that we have created, it is exactly the same. So if I come back to my deck you can see that this value has to be queried, but the JWT claim type is employeetype, whereas onpremisesdistinguishedname has to be queried for user, but the value for the claim, or the claim name, is onpremdn. Okay, so this is how the custom claim mapping works for the extension attributes. This is one of the more detailed versions of what I have already covered in the public video of the channel that exists over there, which was more related to custom claims.

Okay, so from this particular video we have actually created a sample app, and you can use the sample app to do a lot more testing. Okay, one of the examples that I can show you right now, or that I can let you know, is that you can add multiple values here, and depending upon the values that you are adding, the consent prompt will be changed for a particular user. So let's talk about a quick summary for all we have discussed in this video: we have discussed a sample app which was an MVC app which uses MSAL and OpenID Connect; we also talked about custom claims referring to extension attributes. In the next video I'm going to cover the entire, not the entire, at least five to ten very specific cases for advanced troubleshooting of Azure AD, and we'll also talk about the comparison between the v1.0 and v2.0 endpoints. So if you think our channel is helping you to learn more, please feel free to share this with your technical community. Thank you so much, thanks for your time, bye bye.
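The claims mapping procedure walked through in the captions (define the policy, attach it to the service principal, opt the app registration in to mapped claims, then decode the ID token to check the result) as one runnable script. This is an added example written for this page, not the presenter's own deck or script: the display name ExtensionAttributeClaims, the extension attribute name, and all object IDs are placeholders or assumptions, and Update-MgApplication is offered as a scripted alternative to the portal manifest edit the video shows. It assumes the AzureADPreview module and a session with rights to create policies and edit the app registration.

```powershell
# Added example (not the video's own script). Requires: Install-Module AzureADPreview
# and, for the optional manifest step, Install-Module Microsoft.Graph.Applications.
Connect-AzureAD

# Placeholder values: replace with your tenant's IDs. Directory extension attributes are
# named extension_<appId-without-dashes>_<attributeName>; the attribute name here is assumed.
$spObjectId  = '<SERVICE-PRINCIPAL-OBJECT-ID>'
$appObjectId = '<APPLICATION-OBJECT-ID>'
$extensionId = 'extension_<APPID-WITHOUT-DASHES>_conceptsworkemployeetype'

# Policy definition: a publicly exposed user attribute is referenced by ID, a directory
# extension attribute by ExtensionID. JwtClaimType is the claim name the app will see.
$definition = @{
    ClaimsMappingPolicy = @{
        Version              = 1
        IncludeBasicClaimSet = 'true'
        ClaimsSchema         = @(
            @{ Source = 'user'; ID = 'onpremisesdistinguishedname'; JwtClaimType = 'onpremdn' },
            @{ Source = 'user'; ExtensionID = $extensionId;          JwtClaimType = 'employeetype' }
        )
    }
} | ConvertTo-Json -Depth 5 -Compress

# Create the policy, then attach it to the service principal (policies bind to the
# service principal object, not the application object).
$policy = New-AzureADPolicy -Definition @($definition) `
                            -DisplayName 'ExtensionAttributeClaims' `
                            -Type 'ClaimsMappingPolicy'
Add-AzureADServicePrincipalPolicy -Id $spObjectId -RefObjectId $policy.Id

# The "application-specific signing key" error goes away once the app registration
# opts in to mapped claims. The video does this in the portal manifest; the same
# property can be set through Microsoft Graph (assumed alternative, run after Connect-MgGraph):
# Update-MgApplication -ApplicationId $appObjectId -BodyParameter @{ api = @{ acceptMappedClaims = $true } }

# Verification helper: decode the payload of a JWT captured in Fiddler. This only
# base64url-decodes for inspection, exactly like jwt.ms; it does not validate the signature.
function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Token)
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

# Paste the id_token from the Fiddler frame and confirm both mapped claims are present.
# An empty employeetype with a populated onpremdn means the policy works and the signed-in
# user simply has no value in the extension attribute, as the video shows for the SSO account.
$claims = Get-JwtClaims -Token '<PASTE-ID-TOKEN-HERE>'
$claims | Select-Object employeetype, onpremdn
```

If onpremdn appears but employeetype does not, check the user object first (the attribute must be populated and synced) before touching the policy; if neither appears, confirm the policy is attached to the service principal the app actually signs in through, and that acceptMappedClaims is true on the registration.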
Info
Channel: Concepts Work
Views: 2,959
Id: fxWAwCmle6A
Length: 25min 3sec (1503 seconds)
Published: Sun Jan 31 2021