Using Bubble with Microsoft ADFS / OAuth2

Hi everyone,

I understand Bubble can integrate with Microsoft Active Directory Federation Services (MS-ADFS) to achieve single-sign on capabilities if OAuth2 is enabled.

I’m looking at exposing my app to a client company that uses MS-ADFS.

Can someone describe (or point me in the direction of the doc that describes it) what the user experience would be in that case and what happens “under the hood”?

For example, for the user experience, I imagine that to access my app, users from the company with ADFS will point their browsers to my app’s URL and they will land “automagically” in a page of my app as if they had logged in using a special purpose screen in the app. Also, they would be identified as the Current User. Is that how it works from a user point of view?

What else happens under the covers?
To which page do they land? To the one pointed to in the URL or to a redirected one? And if the latter, where’s the logic to do that placed?

Since no one in this company has connected an app before using federated authentication (ADFS is very new, only installed to access Office 365), it may be good to have someone from Bubble help us do that. Is that help available?

Many thanks,

Alex


Once you have the OAuth2 part figured out on your IT side, you’ll get some URLs for the authentication endpoints and you’ll enter them in the API connector. It’s similar to what you can see in the manual at https://manual.bubble.is/building-plugins/adding-api-connections.html#oauth2-user-agent-flow

The experience to authenticate depends on your system.


Edit to add: I see the change in the plugin editor that should solve this issue. Leaving my previous message below.

I have already tried to implement this but ran into the same issue where MS does not like the ?debug_mode=true parameter when you test, giving a redirect URL error. Removing the parameter and trying seems to work, but then Bubble won’t let you use it since it is not tested properly. Same problem mentioned in this thread for MS Graph: Anyone built an API plugin for Microsoft Graph yet?
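The redirect URL error described above is the expected behaviour of an OAuth2 authorization server: the redirect_uri sent in the authorize request must match the registered one exactly, so any extra query parameter (such as a debug flag appended to the callback URL) is rejected. The following is an added example, not Bubble’s or Microsoft’s code, that builds an ADFS-style authorize URL, shows the exact-match check, and validates the callback with a CSRF-protecting state value. It assumes the OAuth2 endpoints sit under /adfs/oauth2/ on the host quoted later in the thread and uses a constructed registered redirect URI; the "resource" parameter is the one the thread mentions ADFS requires.

```python
"""OAuth2 authorization-code flow helper (added example, not Bubble's code).

Assumptions (not from the thread): the ADFS OAuth2 authorize endpoint is
/adfs/oauth2/authorize on the host quoted in the thread, and the redirect URI
registered with ADFS is the constructed value below.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

ADFS_HOST = "adfs.companydomain.com"  # host quoted in the thread; path is assumed
AUTHORIZE_ENDPOINT = f"https://{ADFS_HOST}/adfs/oauth2/authorize"
REGISTERED_REDIRECT_URI = "https://myapp.example/oauth_callback"  # constructed


def redirect_uri_matches(registered: str, presented: str) -> bool:
    """Exact string comparison, which is what the authorization server does.

    Appending ?debug_mode=true (or any other parameter) to the presented URI
    makes it differ from the registered one, so the server rejects it.
    """
    return registered == presented


def new_state() -> str:
    """Unguessable per-login value that ties the callback to this session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, resource: str, state: str) -> str:
    """Build the authorize request; refuse a redirect_uri the IdP would reject."""
    if not redirect_uri_matches(REGISTERED_REDIRECT_URI, redirect_uri):
        raise ValueError("redirect_uri does not exactly match the registered value")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "resource": resource,  # ADFS-specific: identifier of the relying party
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code only if the callback's state matches."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError(f"IdP returned error: {query['error'][0]}")
    state = query.get("state", [None])[0]
    # Constant-time comparison; a missing or different state means the
    # callback was not initiated by this session (CSRF / login fixation).
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback not tied to this login attempt")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


if __name__ == "__main__":
    st = new_state()
    print(build_authorize_url("my-client-id", REGISTERED_REDIRECT_URI,
                              "https://myapp.example", st))
    # The debug-mode URI fails the exact-match check the IdP would also apply.
    print(redirect_uri_matches(REGISTERED_REDIRECT_URI,
                               REGISTERED_REDIRECT_URI + "?debug_mode=true"))
```

The practical consequence for a Bubble-hosted callback is that the URI registered with ADFS must be the bare callback URL, and the test run must present exactly that value; the state check is what keeps a crafted callback link from logging a victim into an attacker-chosen account.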

Hi Andrew,
Thank you for the post. Can you describe the sequence of steps you followed to make this work and also, what does a normal user “see” when trying to sign in to your application?

Many thanks,

Alex

Hi Alex, I am not trying to use the Azure AD endpoints anymore since they work with MS Graph anyway and allow access to Office 365 data as well. You can see the issues that I have run into recently trying to use MS Graph here.

As far as Azure AD, it seems there is a problem where you need to specify a “resource” in the authentication URL via a parameter, and this caused trouble for Bubble.

Edit to add: As far as what the end user sees, it will work in the same way as the other social network logins available. You are redirected to an MS login page, asked to log in, then redirected back to Bubble.

Thank you Andrew. Would it be accurate to say that if Mary is inside her company network, she logs in to MS Active Directory using her MS credentials, and then opens a browser and from it goes to my Bubble application, then Bubble would log her in and she would become the current user in the bubble application?

If so, where does the mapping occur between the Bubble user “key”, which is the email, and the MS credential supplied by the user at login (her user ID), which in most companies is usually not her email?

I’m very curious about all this and feel that I do not fully understand it.

Hi Alex,
The scenario you describe is ADFS with single sign-on; this is not my goal. I am going for same sign-on so that the same credentials are shared between AD/Azure (synced by Azure AD Connect) and Bubble without ADFS. I have done what you describe with some other apps using ADFS and SAML for authentication, but not with Bubble. Our AD is 2012 and the OAuth support in ADFS is not great, so I haven’t bothered to look into it. However, I understand that ADFS in 2016 has improved OAuth support.

I didn’t know about Azure AD Connect to enable same sign-on. Can you describe it a bit more? I’d assume that the user provides Bubble the same LAN ID and password she uses on her PC when she logs in in the morning.

Maybe same sign-on is a good alternative to single sign-on if the latter becomes too complicated or if it does not work well.

Thank you again!

Alex, yes, more than just login credentials, you could get access to most of your directory information, including security groups, etc. In theory, if you use Office 365 you would then be able to access email, contacts, calendars and OneDrive via the MS Graph API. This is my stumbling block in the other thread.

Have you found technical documentation for your specific ADFS? There should be some endpoints that you can enter in the API connector to get the tokens. Looking at this thread, I don’t see such information.

I know they connected to another application. I requested the info they gave to the other application and here’s what I got:

Issuer URL http://adfs.companydomain.com/adfs/services/trust

SSO Endpoint: https://adfs.companydomain.com/adfs/ls

Is that what you’re looking for? That’s all I have…

Well, we need the actual endpoints here, i.e. real documentation. Without it, it’s not going to be possible to help. Did you ask the team that gave you that to have a look at the API connector? If they’re familiar with OAuth they should be able to do it.


Hey there, following this thread and wondering if anyone has either 1) built a plugin for MS Azure AD auth or 2) could point me in the right direction. Specifically, I am looking for help with accessing the Teams API.


Hi, did you find a solution for the AD authentication (SCIM)?

Sebastian

Hi Alex5, did you get this action with Bubble?