Implementing ADFS SSO with Delphi 10.2 - delphi

I have a Delphi web application developed using Intraweb framework (IW 15), currently user are authenticated with database of the application. Now we need to enable this application with SSO.
Our customer uses SAML2.0 and WS-Federation protocols with ADFS.
I have searched over the internet regarding ADFS and SSO but could not find any details about this.
Is this something where I can send a simple HTTP requests and get a token or some authentication information and allow user to login ?
Is there any component (in built with Delphi or third party) available to implement SSO with ADFS using SAML2.0 ?

Related

OAUTH2 Hybrid Flow or Authorisation Code Flow for Web Application to 3rd party Application Access Control?

I have a web application written in MVC 5 Asp.Net 4.7, C# on Azure App Service. I want to integrate it with a 3rd party web application, via its API, using OAUTH2 whereby the server application punches out to it, causing its Identity Server to acquire user credentials and then to finally issue a Refresh and Access token so my application can make calls on it API.
Now to my question.... As I understand it the recommended OAUTH code flow for this is "Authorisation Code Flow", however the 3rd party wishes me to use "Hybrid Flow" as they have been advised this is more secure. Is this correct? I emphasise this is a web server to web server interchange, apart from the redirection by the 3rd party identiry server for user credentials.
Thank you in advance.

webapi authentication and authorization wsfed and oauth

We have an existing MVC angular application enabled with ADFS WS-Fed authentication. The application has many API's hosted as a part of the solution which is internally accessed by views. Now, We have a requirement for the API to be published to other developers.
I am thinking of enabling OAuth/OpenId for the endpoints and enable other developers to access. I need your inputs regarding my approach.
There is no support in ADFS 2.0 for OpenID Connect and OAuth.
The only API option you have is via WCF.

How does an iOS App receive a SAML auth response?

I'm working with a client who would like to authenticate with Active Directory Federated Services using SAML. As it was explained to me, the client ADFS server is the SAML identity provider and I simply need to provide a webview in the app for them to load a login page. Upon successful authentication the response should give authenticated metadata?
I've tried researching SAML and iOS and have only been able to find third party software which offers solutions, but no explanation of how this may be done without any third party integration into the app.
Resources I've looked into:
https://www.mutuallyhuman.com/blog/2013/05/09/choosing-an-sso-strategy-saml-vs-oauth2/
http://leandrob.com/2012/02/request-a-token-from-adfs-using-ws-trust-from-ios-objective-c-iphone-ipad-android-java-node-js-or-any-platform-or-language/
http://blog.centrify.com/ideal-solution-for-sso-across-native-mobile-applications/
https://msdn.microsoft.com/en-us/library/bb897402.aspx
Since I don't know anything about the content of this login page, how do I determine if the response has authenticated correctly? Additionally how do I extract and pull relevant information from this response into the app to store for future authenticated web service requests?
If the customer has ADFS 2012R2, it supports OAuth for public clients. Use the ADAL (Active Directory Authentication library) that supports ADFS. In this case, it will pop up a browser dialog window to do the authentication and then get a an authorization code. This code is then converted to an access token (JWT) which can then be used against a WebAPI.

How to show my O365 SSO enabled web application in windows store (O365 app launcher)?

We have web application built on ruby on rails and added Azure AD SSO feature. We are using OAuth2 and JWT gems for achieving SSO functionality. But after successful user login, our application is not visible on users office portal myapps dashboard. Instead it is only visible if AD admin assigns this app to the user.
But..
Our objective is to show our application on any user(multi-tenant) apps (https://portal.office.com/myapps) once he successfully performs SSO. Like, developing a Web app(ruby-on-rails) that users can install directly from the Office Store.
After our googling we found this ASP.NET DEMO application(https://github.com/OfficeDev/O365-WebApp-MultiTenant) which is working same as we expected. After login we are able to see this demo app on users myapps. In the app description following is written "web application that uses Azure AD for sign-in using the OpenID Connect protocol, and then calls a Office 365 API under the signed-in user's identity using tokens obtained via OAuth 2.0. This sample uses the OpenID Connect ASP.Net OWIN middleware and ADAL .Net.".
It is clear that DEMO app uses OpenID Connect protocol, which we are not using. is this creating problem? Kindly guide us in right direction.
The administrator have to accept the app for the whole Tenant so called admin consent.
http://blog.mastykarz.nl/implementing-admin-consent-multitenant-office-365-applications-implicit-oauth-flow/
https://github.com/waldekmastykarz/sample-azure-adminconsent
hope this help
I found working ruby on rails working example which implements Openid-connect protocol here https://github.com/nov/openid_connect_sample_rp. Then modified db/seeds.db to

OAuth2 SSO implementation using ADFS in MVC4 with Owin Oauth middleware

In simple My only requirements are to implement SSO in my application:
Use ADFS 2012 R2 for SSO (OAuth2 protocol).
User will get token using oAUth 2.0 VIA ADFS Server using login prompt for credential or what ever authentication scheme is configured on ADFS form based or windows based.
If same user that is authenticated using oAuth for one application if second application want to use the same user then the login box that ADFS presented using oAUth2.0 should not appear.
Now, please help me how OWIN.SECURITY.OAuth or any other oAuth will help me and what is the best way to implement in MVC web application. Please provide sample applicaiton.
ADFS 2012 R2 only supports public clients. Web sites are confidential clients, hence you cannot perform an OAuth2 authorization grant with ADFS 2012 R2. But you should not be too bummed, given that an OAuth2 authorization grant would not give you SSO anyway - OAuth2 is not a sign on protocol.
If you want to perform web sign on using OAuth-like technology, I recommend you consider OpenID Connect and the ADFS version that comes with Windows Server 2016 (currently in technical preview 4).

Resources