How to implement Active Directory based SSO with electron?

How can I grab domain user security context (username etc.) in electron app running under Windows?

I know I can use environment variables (process.env.USER), but I don't think it's secure.

kyrisu asked Sep 22 '15 09:09



1 Answer

A proper answer would depend on many different aspects of your environment, but here are some ideas.

Passportjs
Passportjs is a go-to package for nodejs authentication. With a bit of googling, I found that Microsoft has created a github repo called passport-azure-ad with strategies (the interfaces passportjs uses to connect to things) specifically for Azure AD authentication. So if you're using Azure AD, passport-azure-ad is a good way to go.

A passport-azure-ad Issue
If not, and you try to use passport-azure-ad to authenticate to ADFS, WS-FED, or SAML you will likely run into this issue. In short, it is not supported by that repo.

Passport-ldapauth
So in that case, have a look at this SO post describing how to use the passport-ldapauth strategy to authenticate to ADFS. It doesn't seem to be too difficult, though there are some "gotchas" to watch out for. There are also other good suggestions for OAuth, and further explanation on passport-ldapauth by the owner of that repo.

While I haven't used passport-ldapauth, I've done many AD/LDAP integrations over the years and LDAP is a well known and well documented method of authentication, and it is reasonably secure. This article is a good example of the security concerns to be mindful of when using LDAP. However, these concerns are regarding the use of the protocol and are not related to the Passport-ldapauth package directly.


Update:

As of Electron version 0.35.0, the new app.allowNTLMCredentialsForAllDomains(allow) may also affect your situation. According to the docs, it allows you to dynamically set whether to always send HTTP NTLM credentials or negotiate them normally. There is also a disclaimer about this option not working on some "badly configured" networks, but it's worth a shot.

Josh answered Oct 16 '22 23:10
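An added example, not code from the answer above or from the passport-ldapauth project, of the search-then-bind flow that LDAP authentication against Active Directory involves, written to show two of the LDAP "gotchas" the answer alludes to: an LDAP simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2) that AD accepts by default, so a naive check reports success for any username with a blank password; and a username spliced raw into the search filter lets the caller rewrite the filter (RFC 4515 escaping prevents this). The `directory` object is a constructed in-memory stand-in for an ldapjs client so the example runs offline; `ldapAuthenticate`, `ldapAuthenticateNaive` and the sample accounts are this example's own and not any library's API.

```javascript
// Added example (not from the original answer or from passport-ldapauth):
// LDAP "search then bind" against Active Directory with two gotchas handled:
//   1. an empty password is refused before the bind, because a simple bind
//      with a DN and an empty password is an *unauthenticated* bind
//      (RFC 4513 section 5.1.2) that AD accepts by default, so it "succeeds";
//   2. the username is escaped (RFC 4515) before going into the search filter,
//      so it cannot rewrite the filter (e.g. '*' matching every account).
// `directory` is a constructed in-memory stand-in for an ldapjs client so this
// runs offline; every name here is this example's own.

// RFC 4515: escape the characters that are special inside a filter value.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) => {
    return '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0');
  });
}

// Constructed sample directory. sAMAccountName is case-insensitive in AD.
const directory = {
  entries: [
    { dn: 'CN=Alice Example,OU=Users,DC=corp,DC=example', sAMAccountName: 'alice', password: 'Hunter2!' },
    { dn: 'CN=Bob Example,OU=Users,DC=corp,DC=example', sAMAccountName: 'bob', password: 'CorrectHorse' },
  ],

  // Models client.search() for a "(sAMAccountName=<value>)" filter: decodes
  // RFC 4515 escapes and, like a real server, treats an unescaped '*' as a
  // wildcard. Anything else is rejected as malformed.
  search(filter) {
    const m = /^\(sAMAccountName=([^()]*)\)$/.exec(filter);
    if (!m) throw new Error('malformed or unsupported filter: ' + filter);
    const decode = (s) => s.replace(/\\([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
    const literal = (s) => decode(s).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
    const re = new RegExp('^' + m[1].split('*').map(literal).join('.*') + '$', 'i');
    return this.entries.filter((e) => re.test(e.sAMAccountName));
  },

  // Models client.bind(dn, password): a DN with an empty password is an
  // unauthenticated bind, which AD answers with success by default.
  bind(dn, password) {
    if (password === '') return true;
    const e = this.entries.find((x) => x.dn === dn);
    return e !== undefined && e.password === password;
  },
};

// Hardened search-then-bind: empty password refused, username escaped,
// exactly one directory match required before binding as that DN.
function ldapAuthenticate(dir, username, password) {
  if (typeof password !== 'string' || password.length === 0) {
    return { ok: false, reason: 'empty password would be an unauthenticated bind' };
  }
  const hits = dir.search(`(sAMAccountName=${escapeFilterValue(username)})`);
  if (hits.length !== 1) {
    return { ok: false, reason: hits.length === 0 ? 'no such user' : 'ambiguous match' };
  }
  if (!dir.bind(hits[0].dn, password)) return { ok: false, reason: 'bad credentials' };
  return { ok: true, dn: hits[0].dn, username: hits[0].sAMAccountName };
}

// Naive variant for contrast: raw username in the filter, no password check.
function ldapAuthenticateNaive(dir, username, password) {
  const hits = dir.search(`(sAMAccountName=${username})`);
  if (hits.length === 0) return { ok: false };
  return dir.bind(hits[0].dn, password) ? { ok: true, dn: hits[0].dn } : { ok: false };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(ldapAuthenticate(directory, 'alice', 'Hunter2!')); // ok: true
  console.log(ldapAuthenticate(directory, 'alice', ''));         // ok: false
  console.log(ldapAuthenticateNaive(directory, '*', ''));        // ok: true, as the first account
}
```

With a real ldapjs client the `search` and `bind` calls are asynchronous and the first bind is usually done with a dedicated read-only service account before searching for the user's DN; the two checks above (non-empty password, escaped filter value) are what to keep regardless of which LDAP library you wrap.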