I have an Angular application(ex. https://localhost:44301) that is
using Web API(ex. https://localhost:44302) to interact with data.
I have an Identity Server 4 (ex. https://localhost:44303) for authentication in which we have even
configured external login with Azure AD.
Our Architecture is something like below :
Now I want to add ADFS 3.0 (even ADFS 4.0 i.e. multiple ADFS) as a external login provider
So as per my research I have to go for only OAuth 2.0 with
Authrization Code Grant.
ref: https://github.com/nordvall/TokenClient/wiki/OAuth-2-in-ADFS
For that what type of configuration should I add into ADFS server. I am mainly confused about:
what should add as relying party trust identifier ?
what should as a resource into authorization request ?
what configurations for custom claims ?
There are three ways you can do this.
You can add ADFS via:
SAML 2
WS Fed
OpenID Connect
So:
SAML or you could use the Rock Solid Knowledge stack described in that blog
WS-Fed - use the built-in ASP.NET Core SP option
OIDC is doable but rather go with above
In both these cases, ADFS is a CP to idsrv4. idsrv4 is an SP to ADFS.
If you go with OIDC, it's an application group.
Related
I have a Angular site that is multi-tenant. When they login they're linked to a specific organization that we keep track of using Web Api.
We're using the excellent articles written here: http://bitoftech.net/2014/08/11/asp-net-web-api-2-external-logins-social-logins-facebook-google-angularjs-app/ as our starting point to get everything going with webapi and angular for handling the identity framework through Web Api with Angular and that works well.
We have the ability to login as facebook, google etc. which is all straight forward.
The issue is that we want to be able to setup for organizations the ability for them to have their users login using their ADFS server, or their azure ad (or any other oAuth 2 compliant server.)
Basically we use a subdomain xxx.yyy.com where xxx is unique to the organization. When they hit that subdomain we show them a button to login using their endpoint.
The problem I'm facing is that I can't find any documentation on how to set this up so that I can have multiple endpoints configured for wither oAuth over ADFS or oAuth over Azure (openconnect it looks like, can't tell if ADFS in Windows 2008 R2 supports openconnect, but it does support oAuth).
Can someone point me in the right direction of how to accomplish this? Do I need to setup a single app.UseOpenIdConnectAuthentication() and then intercept based on the request some how for all of them? Or is there different rules for ADFS versus Azure so I have to use something else.
Any details would be fantastic. Even an inkling of where to go with this without having to use something like Auth0 would be fantastic.
Have a look at IdentityServer3.
You'll see a number of connections as a general guide (albeit in C#!).
ADFS in Server 2008 R2 has zero OpenID Connect / Ouath2 support. ADFS Server 2012 R2 has zero OpenID Connect / some OAuth2 support (Web API). ADFS Server 2016 is pretty similar to Azure AD - supports both.
Note that you need to support the hybrid OAuth profile.
You could use other protocols for ADFS e.g. WS Federation / SAML (using the OWIN libraries).
Or go the ADAL route.
I am trying to use this username in my code but I do not know if it is provided in the environment variables. Thanks!
Additional information: I am using using PingFederate and Ping One.
My website is based on C sharp and it used to get the windows environment variable for username. now I want it changed to the user logged in through ping identity.Is it possible to do so and in that case which SDK should I get (I am assuming the .net integration kit right?)?
As a .NET hosted application on IIS, your application would be considered the Service Provider (SP). In this architecture PingFederate is the Identity Provider (IdP). This is a brokered authentication design pattern, or more commonly known as Single Sign-On (SSO). When PingFederate authenticates the user, a token is sent to your application that would contain the username. The code (or library) within your application would process the token and then read out the username.
Here’s a list of options that you could pursue to solve your problem:
WS-Federation protocol using the Windows Identity Foundation (WIF) libraries. The config on the PingFederate side is very simple, and you just have to integrate the WIF libraries on your side. Once the WIF libraries and associated web.config configuration is established, you read the claims object passed to your application.
OpenID Connect (OIDC) protocol using the OWIN middleware. This is also a native MS solution that leverages an open standard. It will require that you have some understanding of OWIN/Katana, as examples are not exactly exhaustive online. PingFedeate supports the OIDC protocol, which is also a very straight forward configuration.
PingFederate Agentless Integration Kit. The integration kit is installed on PingFederate and is easy to configure. It is essentially a REST interface between PingFederate and your application to provide a JSON object with the identity information including username. Your application would need to implement the REST APIs to PingFederate.
PingFederate .NET Integration Kit. This solution implements the PingFederate Opentoken solution for exchanging attributes between your app and PingFederate. The .NET code libraries for handling the Opentoken are provided to you by the integration kit, you just have to integrate them into your code baseline along with about 10 lines of code to read the OpenToken to get username. Configuration on PingFederate is simple.
I'm wondering if it is possible to use Thinktecture IdentityServer simply as an STS alongside an existing web app? That is, I want to use ASP.NET Identity for authentication in my web app because I want to use all of the built-in functionality like 2-factor, etc. However, I want to use IdentityServer as an STS to serve up tokens to access my web services (WCF and Web API).
I thought perhaps I need to authenticate normally through ASP.NET Identity, then again through IdentityServer to get the token. However, this seems heavy and wasteful.
Is there perhaps some way to authenticate against the IdentityServer directly from ASP.NET Identity? I saw the sample where we can integrate the two together (IdentityServer using ASP.NET Identity), but it seemed like I might lose the ability to use all of the built-in stuff like two-factor workflows.
I'm hoping I'm way off base here, and apologies if I have some fundamental misunderstandings about how IdentityServer works. Perhaps there is a way to get all of the added functionality that ASP.NET Identity provides from within IdentityServer?
Identity Server will handle all authentication, no need for double sign-ins if you are using it correctly.
You'll have to implement two factor authentication yourself though as it is not currently supported by Identity Server. However extending Identity Server's existing support for ASP.NET Identity to allow for two factor authentication is definately possible.
I think your first port of call should be to have a bit of a deep dive into the Identity Server documentation and the OpenID Connect protocol. After that check out UserService documentation and then derive from the existing ASP.NET Identity UserService to add support for two factor authentication.
I am looking for Single sign on (SSO) with SAML2 tokens and I have to used ADFS. I can't use WIF.
I googled a lot to understand SSO, SAML2 and ADFS, now I have some doubts which I am not getting.
Scenario: The applications are asp.net MVC application
1. App-A(Windows Authentication) : hosted and it is using ADFS.
2. APP-B(Form Authentication): authenticates the user using the UID and PWD stored in DB.
Do I need a intermediate application to accept the SAML2 token and process it(similar to Identity provider) or it can be done in the App-A itself?
In the App-B what are the things I have to implement to make it aware of SAML2 request(do i need to implement custom handler)?
please help me to choose the right things for the implementation.
--Thanks--
You need a SAML stack for your application.
Refer SAML : SAML connectivity / toolkit and the links in that entry.
For A, perhaps you can use the WIF SAML extension mentioned in the article above?
For B, you need to rip out the DB authentication and add the SAML functionality as for A or else have a look at Identity Server which you can federate with ADFS and which also authenticates using a DB (but doesn't support SAML itself).
I am building a website using ASP.NET MVC 3 and have forms authetication setup correctly (user is able to register and login). I want to setup an OData WCF Data Services service so a Windows Phone 7 (Mango Beta 2 Refresh) client can authenticate and query the Odata service, with CRUD actions. This idea comes from the FullStack episodes here. They use OAuth login, but I wanted to use the user setup I already have, instead of an OAuth solution.
I do have this all working without auth currently (MVC app with Odata client on wp7), but am looking to make the Odata service secure. I guess I am looking for some articles or walkthroughs on how to get this working.
If forms authentication is not the correct choice, please let me know.
UPDATE
So lots of research done on this. There is an official how-to series on the blog for the WCF team here. Since forms auth is already configured on the web app, adding a check inside the QueryInterceptor provides the auth. However it uses a 'standard authentication endpoint' for client apps to actually 'login' that seems to use the base Membership providers, which I don't use. Is there a way to override this?
You could turn your custom forms authentication setup into a Claims based Federated Authentication Provider (STS) using Windows Identity Foundation. Then use that to authenticate your wp7 app with the STS provider and then send that claim (token) to your Odata service which will verify its an authentic claim. There is an example of this in the WIF training kit