Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

Keith Voels

My feedback

  1. 23 votes
    3 comments  ·  Web Apps » Deployment
    Keith Voels supported this idea  · 
  2. 160 votes
    under review  ·  4 comments  ·  API Management » Security
    Keith Voels supported this idea  · 
  3. 284 votes
    under review  ·  5 comments  ·  API Management » Policies
    Keith Voels supported this idea  · 
  4. 773 votes
    planned  ·  31 comments  ·  API Management » API management experience
    Keith Voels supported this idea  · 
  5. 270 votes
    started  ·  18 comments  ·  API Management » API management experience
    Keith Voels supported this idea  · 
  6. 39 votes
    10 comments  ·  Azure Active Directory » Authentication

    Reposting so that folks get a notification – from Paul:

    Depending on the exact scenario you can do this today. For applications that do interactive browser based sign in to get a SAML assertion, but then want to add access to an OAuth protected API such as Graph, you can simply make an OAuth request to get an Access token for the API. When the browser is redirected to Azure AD to authenticate the user, the browser will pick up the session from the SAML sign in and the user won’t have to enter their credentials.

    We are also supporting the OAuth SAML Bearer Assertion flow for users authenticating with IDPs such as ADFS federated to AAD so that the SAML assertion obtained from ADFS can be used in an OAuth flow to authenticate the user. I’ll post here again when documentation for that is ready.

    Keith Voels supported this idea  · 
    Keith Voels commented  · 

    Creating SAML Assertions is supported in Microsoft Identity Platform v1 but not v2. I do not understand why, with v2, it went back to 'use ADFS'. We are a very large enterprise that, under Microsoft's direction, no longer has AD or ADFS - just Azure AD.

    Here is the v1 SAML Assertion endpoint documentation; we need this to continue to be supported!
    https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-on-behalf-of-flow#saml-assertions-obtained-with-an-oauth20-obo-flow

    Our application is calling an Azure AD registered and protected API. That Azure API is then calling a SAP registered and protected API. SAP is federated to Azure AD. We do not want the application to be aware of SAP or call SAP directly.
    So we need to do a token exchange within the Azure API: exchange the Azure bearer token for a SAP bearer token while retaining the identity. Since two service providers (Azure and SAP) are involved we cannot exchange OAuth2 tokens; we need to exchange SAML tokens – a SAML assertion. This is in an API, so it cannot be browser functionality.
    The v1 endpoint supports this very well. You can send the Azure API’s Access Token to ‘oauth/token’ and get a SAML Assertion back. We then send the SAML Assertion to SAP and get the access token required to call the SAP API (see link below). We need a ‘grant_type:jwt-bearer’ to ‘token-type:saml2’ in V2 like exists today in V1.
    https://wiki.scn.sap.com/wiki/display/Security/Using+OAuth+2.0+from+a+Web+Application+with+SAML+Bearer+Assertion+Flow
    I am not alone; please see the comments: https://answers.sap.com/questions/12852835/sso-using-azure-ad-and-sap-netweaver.html
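
The two-hop exchange described in the comment above, as an added example that is not part of the page and is not Microsoft's or SAP's code. Hop 1 builds the v1 on-behalf-of request that asks for a SAML2 assertion instead of a JWT, using the parameter names from the v1 document the comment links; the middle API then checks that Azure AD really issued SAML2, that the assertion is addressed to the SAP resource and that it is still valid before forwarding it; hop 2 builds the RFC 7522 SAML2 bearer grant for SAP. The tenant, client identifiers, hosts, the SAP token endpoint path (`/sap/bc/sec/oauth2/token`), the base64url encoding of the assertion for SAP, and the sample assertion and responses are all assumptions; the HTTP transport is injected so the script runs offline.

```python
"""Azure API side of the exchange: inbound Azure AD JWT -> SAML2 assertion
(v1 OBO) -> SAP access token (SAML2 bearer grant). Added example; all
identifiers, hosts and sample messages below are made up."""
import base64
import json
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
SAML2_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:saml2"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed values for the walkthrough (not real tenants, apps or hosts).
TENANT = "contoso.onmicrosoft.com"
AAD_CLIENT_ID = "00000000-0000-0000-0000-00000000aaaa"
AAD_CLIENT_SECRET = "api-client-secret"
SAP_RESOURCE = "https://sap.contoso.example/"   # App ID URI of the SAP SP in Azure AD
SAP_HOST = "sap.contoso.example"
SAP_CLIENT_ID = "AZURE_API_CLIENT"
SAP_SCOPE = "ZAPI_ORDERS"


def build_obo_saml_request(inbound_jwt):
    """Hop 1: v1 OBO body requesting a SAML2 assertion for the SAP resource."""
    url = f"https://login.microsoftonline.com/{TENANT}/oauth2/token"
    body = {
        "grant_type": JWT_BEARER,
        "assertion": inbound_jwt,            # the access token our API received
        "client_id": AAD_CLIENT_ID,
        "client_secret": AAD_CLIENT_SECRET,
        "resource": SAP_RESOURCE,
        "requested_token_use": "on_behalf_of",
        "requested_token_type": SAML2_TOKEN_TYPE,
    }
    return url, urlencode(body)


def extract_assertion(obo_response_json, expected_audience, now=None):
    """Decode the assertion carried in access_token and refuse to forward it
    unless it is SAML2, addressed to SAP and unexpired. Returns the raw XML
    bytes: re-serialising a signed assertion would break its signature."""
    resp = json.loads(obo_response_json)
    if resp.get("issued_token_type") != SAML2_TOKEN_TYPE:
        raise ValueError(f"expected SAML2, got {resp.get('issued_token_type')!r}")
    xml = base64.b64decode(resp["access_token"])
    root = ET.fromstring(xml)
    audiences = [a.text for a in root.findall(".//saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        raise ValueError(f"assertion audience {audiences} is not {expected_audience}")
    cond = root.find("saml:Conditions", SAML_NS)
    not_after = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
    if (now or datetime.now(timezone.utc)) >= not_after:
        raise ValueError("assertion expired")
    return xml


def build_sap_token_request(assertion_xml):
    """Hop 2: RFC 7522 SAML2 bearer grant. Endpoint path and base64url
    encoding are assumptions about the SAP side."""
    url = f"https://{SAP_HOST}/sap/bc/sec/oauth2/token"
    body = {
        "grant_type": SAML2_BEARER,
        "assertion": base64.urlsafe_b64encode(assertion_xml).decode().rstrip("="),
        "client_id": SAP_CLIENT_ID,
        "scope": SAP_SCOPE,
    }
    return url, urlencode(body)


def exchange(inbound_jwt, post, now=None):
    """Run both hops through post(url, form_body) -> response body (str)."""
    url, body = build_obo_saml_request(inbound_jwt)
    assertion = extract_assertion(post(url, body), SAP_RESOURCE, now)
    url, body = build_sap_token_request(assertion)
    return json.loads(post(url, body))["access_token"]


# Constructed, unsigned assertion standing in for what Azure AD would return.
SAMPLE_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0" IssueInstant="2021-03-01T10:00:00Z">
<saml:Issuer>https://sts.windows.net/contoso/</saml:Issuer>
<saml:Subject><saml:NameID>user@contoso.example</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2021-03-01T10:00:00Z" NotOnOrAfter="2021-03-01T11:00:00Z">
<saml:AudienceRestriction><saml:Audience>https://sap.contoso.example/</saml:Audience></saml:AudienceRestriction>
</saml:Conditions>
</saml:Assertion>"""
SAMPLE_NOW = datetime(2021, 3, 1, 10, 30, tzinfo=timezone.utc)


def fake_post(url, form_body):
    """Offline stand-in for both token endpoints (constructed responses)."""
    form = parse_qs(form_body)
    if url.startswith("https://login.microsoftonline.com/"):
        assert form["grant_type"] == [JWT_BEARER]
        assert form["requested_token_type"] == [SAML2_TOKEN_TYPE]
        return json.dumps({"token_type": "Bearer", "issued_token_type": SAML2_TOKEN_TYPE,
                           "access_token": base64.b64encode(SAMPLE_ASSERTION).decode()})
    assert form["grant_type"] == [SAML2_BEARER]
    return json.dumps({"token_type": "Bearer", "access_token": "sap-token-for-user",
                       "expires_in": 3600})


if __name__ == "__main__":
    print(exchange("eyJ.inbound-azure-jwt", fake_post, SAMPLE_NOW))
```

The audience and expiry checks are the part worth keeping when swapping in a real HTTP client: the middle API is about to present the assertion to a third party on the user's behalf, so it should confirm the assertion is addressed to that party before doing so.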

  7. 182 votes
    35 comments  ·  Azure Active Directory » Other
    under review  ·  Azure AD Team responded

    Thanks for the feedback! We will look into this and share an update when we have more information.

    Keith Voels supported this idea  · 
