Azure AD Users Authentication using SAML
Question
Application Type
Reactive

Hello,

I want to authenticate Azure AD users with SAML.

As of now, I have completed the configuration of Azure AD from this link: https://success.outsystems.com/documentation/11/developing_an_application/secure_the_application/end_users/end_users_authentication/configure_azure_ad_authentication/?_gl=1*pvwpg3*_ga*MjA5MTI5Mjk0LjE2NDgwMTEwNjY.*_ga_ZD4DTMHWR2*MTcwNTg5MjAzOS4zMDcuMS4xNzA1ODkyMTA4LjYwLjAuMA..

Can anyone tell me what the next step is, so that a user can come to our OutSystems application's login page, click on one button and log in with Azure AD, and so that a response is also returned to me that I can compare with our users and log in accordingly?

2021-10-09 07-57-44
Stefan Weber
 
MVP

Hi Nihil,

If you have completed the configuration as described in the documentation, you are already good to go. Once you have configured and applied the configuration in the OutSystems User Provider there are, by default, no additional steps to take.

If a user who is not already logged in to OutSystems now visits a protected screen, the user is automatically redirected to the Entra Authorization Url. This is handled in your application in the OnException handler (Common). The User_GetUnifiedLoginUrl returns the url of your Entra authorization endpoint if you have configured Azure AD in the User Provider.

If a user does not exist in the OutSystems user table, the user is automatically created and logged in. If that is not the desired behaviour because you want to restrict who can access OutSystems, you have to configure your Entra Enterprise App configuration. I already answered that in your other post https://www.outsystems.com/forums/discussion/93537/authentication-of-users-from-azure-ad/

Best

Stefan

2022-12-05 07-28-20
Nihil Gujar

Hello sir,

As of now, I have already seen your webinar, and I just want to know: do I have to perform all those steps that you did in the webinar, or something else? I am confused about how users can log in from our OutSystems login screen with SAML authentication.

And is whatever you said in that YouTube video applicable for SAML authentication, or is that only for OAuth authentication?

2021-10-09 07-57-44
Stefan Weber
 
MVP

Hi Nihil,

To be short: No. The webinars I held are about OAuth flows. OAuth is a different protocol than SAML. The User Provider in O11 only supports SAML, and the access token you get via SAML cannot be used to consume Microsoft API resources.

If you just want to log in, then you should go for the SAML integration, which is the built-in functionality.

Stefan

PS: Not a sir, just Stefan 😊

2022-12-05 07-28-20
Nihil Gujar

Sorry I am confused.

Can you please tell me: suppose an Azure AD user comes to the OutSystems login page, what is the next step for that user? Can users log in with their Azure credentials on our OutSystems login page, or do I have to create a button that redirects the Azure AD users to the Azure AD login page, where the user can log in, and the callback action will then redirect that user as logged in if the user enters the right credentials?

2021-10-09 07-57-44
Stefan Weber
 
MVP

Hi. If you have configured everything correctly and left the default User_GetUnifiedLoginUrl in your exception handler, then the user will not be redirected to the OutSystems Login page but will be redirected to the Entra (Azure AD) Login page instead.

2022-12-05 07-28-20
Nihil Gujar

Hello,

Right now, I am doing the Azure AD configuration. Will it be the same as SAML 2.0?

"The requirement is that Azure AD users can use SSO with SAML authentication while logging in."

2021-10-09 07-57-44
Stefan Weber
 
MVP

Yes. The only difference is that when you select Azure AD you will get some preconfigurations in regards to claims mapping.

2022-12-05 07-28-20
Nihil Gujar


This URL automatically takes the user to the Entra (Azure AD) login page, right?

But suppose some users want to log in with the OutSystems login, then what? They don't have Azure AD credentials.


2021-10-09 07-57-44
Stefan Weber
 
MVP

No. The OriginalUrl is the url a user is redirected back to after successful authentication.

If you want to use both, you have to modify the OnException handler to redirect a user first to a login page, and yes, in that case the login page would need one form with OutSystems credentials and a button "Login with OutSystems" and another button with "Login with Microsoft". A user clicking on the latter would then be directed to the Entra authorization page.

But! Start with the default as described in the documentation. Once you have that up and running, do all the other modifications. Don't try to do everything at once as it will be too confusing :-)


2021-10-09 07-57-44
Stefan Weber
 
MVP

:-) That screenshot doesn't really help. Potentially there is a configuration issue. You should check the SAML Log Messages in the Users app to get the details of an error. In the configuration of Azure AD, make sure that you can successfully perform a test. In the OutSystems User Provider, make sure you uploaded the federation xml and check the claims mappings (especially the username and emailaddress claims).

2022-12-05 07-28-20
Nihil Gujar


Error: Does it happen because no users are assigned from Azure AD to the app?

2021-10-09 07-57-44
Stefan Weber
 
MVP

Hard to tell without seeing your complete configuration, but the error could relate to a missing signature. If you have set the "Accept only Signed Login Response" option, then OutSystems expects a signature. To get such a signature you have to make sure that you have configured the signing process in Azure AD here

Make sure that you download the federation xml AFTER you have configured the Azure AD enterprise app. Then upload it to OutSystems. Only then does the XML contain all the necessary information.
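As an added illustration of the check described in the reply above (not code from the thread or from OutSystems), the following Python sketch inspects a downloaded SAML 2.0 federation metadata XML and reports whether it carries a signing certificate and a sign-on endpoint. The sample metadata, host names and certificate bytes are constructed placeholders; the printed SHA-1 thumbprint is meant to be compared by hand with the thumbprint your identity provider shows for its signing certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # for XML from untrusted sources prefer the defusedxml package

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAMPLE_DER = b"constructed bytes, not a real certificate"  # placeholder, constructed

def inspect_idp_metadata(xml_text):
    """Return (summary, problems) for SAML 2.0 IdP federation metadata."""
    root = ET.fromstring(xml_text)
    summary = {"entity_id": root.get("entityID"), "sso": [], "thumbprints": []}
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        return summary, ["not SAML 2.0 IdP metadata"]
    problems = [] if summary["entity_id"] else ["missing entityID"]
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only key; a missing 'use' covers both purposes
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            if der:
                summary["thumbprints"].append(hashlib.sha1(der).hexdigest().upper())
    if not summary["thumbprints"]:
        problems.append("no signing certificate: a signed login response cannot be verified")
    summary["sso"] = [(s.get("Binding"), s.get("Location"))
                      for s in idp.findall("md:SingleSignOnService", NS)]
    if not summary["sso"]:
        problems.append("no SingleSignOnService endpoint")
    return summary, problems

# Constructed sample metadata (placeholder host and tenant, not a real IdP).
_KEY = ('<KeyDescriptor use="signing"><KeyInfo xmlns="%s"><X509Data><X509Certificate>%s'
        '</X509Certificate></X509Data></KeyInfo></KeyDescriptor>'
        % (NS["ds"], base64.b64encode(SAMPLE_DER).decode()))

def sample_metadata(with_signing_key):
    return ('<EntityDescriptor xmlns="%s" entityID="https://idp.example.test/placeholder/">'
            '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '%s<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
            'Location="https://idp.example.test/placeholder/saml2"/>'
            '</IDPSSODescriptor></EntityDescriptor>'
            % (NS["md"], _KEY if with_signing_key else ""))

if __name__ == "__main__":
    for label, flag in (("complete", True), ("downloaded too early", False)):
        summary, problems = inspect_idp_metadata(sample_metadata(flag))
        print(label, summary["thumbprints"], problems or "OK")
```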

2022-12-05 07-28-20
Nihil Gujar

Hello,

Currently, I am trying Azure AD. Will it be fine, or do I have to use SAML 2.0?

The requirement is that Azure AD users can use SSO with SAML authentication while logging in.


Also, I share the SP metadata file in the Azure AD portal and also upload the federation file from the Azure AD portal to OutSystems.

Is it necessary to do this? My application is a Reactive Web App.

2021-10-09 07-57-44
Stefan Weber
 
MVP

Yes, you have to choose Azure AD. Please follow the instructions in the documentation very carefully and step by step.

2022-12-05 07-28-20
Nihil Gujar

Hello,

Could you please tell me what changes I need to make in the "On exception" action so that the user can first land on the OutSystems login screen before deciding whether to log in with OutSystems credentials or use Azure AD SSO?

2021-10-09 07-57-44
Stefan Weber
 
MVP

Hi Nihil,

See below a screenshot of the default implementation of the security exception handler.

The User_GetUnifiedLoginUrl is returning the SAML authorization page of Azure AD once you have configured the User Provider. You can simply remove that part from the exception handler to always redirect to the Login Screen.

Btw: You may consider a central application that has the whole Login actions and screens for your OutSystems factory. In that case you would use a redirecttourl to redirect a user to a central login page.

Stefan

2025-04-17 05-42-16
Ajit Kurane

Hi Stefan,

I have followed the same steps and the login process is working fine using Azure AD credentials.

But I am facing an issue when logging out the user. After clicking on the logout button it gives an error "Unable to process request". Which code do I need to implement on the logout button? I am stuck here in the implementation.

Please suggest a workaround for it.

Thanks
