SOLVED

Authorize access to web applications using OpenID Connect and Azure Active Directory


I have registered my application with the AD tenant with the following steps:

1. In the Azure Active Directory left menu, select App Registrations, and then select New registration.

2. Gave the application a name and, under supported account types, selected the option "Accounts in this organizational directory only".

3. Provided Redirect URI.

4. Successfully registered my app and integrated it with Azure AD. I am able to authenticate.

5. The issue is that anyone in my organization can access this app, even though I have added only a limited set of users in the Users and Groups section.

6. I want to restrict my app to a limited set of users only, with permission.

7. How will I do that? My application only supports OpenID authentication. No SAML support.

8. I am implementing Apache Guacamole.

Best Response confirmed by Ashok_Mohanty (New Contributor)
Solution
Have you tried going to 'Enterprise Applications', finding your AAD App there and configuring 'User assignment required?' to Yes in Properties?
@Thijs Lecomte Thank you so much for your help. It worked for me. But I am facing another issue. I can see my app in the Azure application list: https://account.activedirectory.windowsazure.com/r#/applications. But when I click on my app, it throws the following error: "You cannot access this application because it has been misconfigured. Contact your IT department and include the following information: Undefined Sign-On URL for application". But when I try my website URL in the browser it works perfectly fine.

Have you configured all the settings in the 'authentication' tab of the app registration?
@Thijs Lecomte I am using "Authorize access to web applications using OpenID Connect and Azure Active Directory":

https://docs.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-protocols-openid-connect-code

In the Authentication section I have set the following attributes:

1. Redirect URL set properly

2. Implicit grant enabled for Access Tokens and ID Tokens

3. Supported Account Type:

  • Accounts in this organizational directory only (PerkinElmer Inc. only - Single tenant)

4. Advanced Settings:

     Default Client Type:

     Treat application as a public client.
     Required for the use of the following flows where a redirect URI is not used: NO


@Ashok_Mohanty

Have you set the Home Page URL in the 'branding' bit of the app registration?

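The two fixes suggested in this thread, requiring user assignment on the enterprise application (the accepted answer) and setting the Home Page URL so the My Apps launcher has a Sign-On URL, both live on the service principal and can be applied and verified from a script. The following is an added example written for this page, not code from the thread or from Apache Guacamole; it uses the Microsoft Graph PowerShell SDK (the portal does the same thing through the Enterprise Applications and Branding blades). The application ID, home page URL and user principal names are placeholders you must replace. Because the assignment check is enforced by Azure AD before an ID token is issued, an OpenID-only application such as Guacamole needs no change of its own: unassigned users are refused at sign-in and never reach the app.

```powershell
# Added example (not from the thread): turn on "User assignment required",
# set the Home Page URL, assign the allowed users, and verify the result.
# Requires the Microsoft.Graph module and an account that can administer the app.
# Placeholders (assumptions) - replace before running:
$AppId       = '00000000-0000-0000-0000-000000000000'      # Application (client) ID
$HomePageUrl = 'https://guacamole.example.com/guacamole/'   # public URL of the Guacamole site
$AllowedUpns = @('alice@example.com', 'bob@example.com')    # users who may sign in

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'User.Read.All'

# The assignment switch is a property of the service principal (the
# "Enterprise application"), not of the app registration object.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId" }

# Weak state: AppRoleAssignmentRequired = False lets every user in the tenant sign in.
"Before: AppRoleAssignmentRequired = $($sp.AppRoleAssignmentRequired); Homepage = $($sp.Homepage)"

# Corrected state: require assignment, and give the app a Home Page URL so the
# My Apps launcher no longer reports "Undefined Sign-On URL for application".
Update-MgServicePrincipal -ServicePrincipalId $sp.Id `
    -AppRoleAssignmentRequired:$true `
    -Homepage $HomePageUrl

# Assign the allowed users. An app registration that defines no app roles
# exposes a single default role whose id is the empty GUID.
$defaultRoleId = [Guid]::Empty
foreach ($upn in $AllowedUpns) {
    $user = Get-MgUser -UserId $upn
    $existing = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
        Where-Object { $_.PrincipalId -eq $user.Id }
    if (-not $existing) {
        New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
            -PrincipalId $user.Id -ResourceId $sp.Id -AppRoleId $defaultRoleId | Out-Null
        "Assigned $upn"
    }
}

# Verify: re-read the service principal and list who is assigned.
$sp = Get-MgServicePrincipal -ServicePrincipalId $sp.Id
if (-not $sp.AppRoleAssignmentRequired) { throw 'User assignment is still not required' }
"After:  AppRoleAssignmentRequired = $($sp.AppRoleAssignmentRequired); Homepage = $($sp.Homepage)"
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Select-Object PrincipalDisplayName, PrincipalType, CreatedDateTime
```

Run the script once after creating the registration, and re-run the verification part whenever the app's access list is reviewed; a service principal whose `AppRoleAssignmentRequired` has drifted back to `False` is the condition the original poster hit, where the Users and Groups list exists but is not enforced.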

The issue is resolved now. Thanks for your help.