Prevent web browser from trying to navigate to unknown URL scheme

When I use a service used for online authentication, I get a URL to navigate to that will automatically open an app that is used for the passcode input.
The URL is in this format:
bankid:///?autostarttoken=2a1b5e2c-c9fb-4402-1239-2a1619d655e9&redirect=null
Navigation to this kind of URL only makes sense on a mobile unit where a certain app is installed.
Nevertheless, desktop browsers (not all of them) also try to navigate to such a URL, as if it would ever be possible. That of course results in an error page.
Why do they do that?
Do I need to use a hidden form?
Will every mobile unit honor that?

The custom URL scheme is used to be able to start an application locally, in this case the BankID client, which handles the 2FA.
This works nicely on both mobile and desktop, as long as the custom URL scheme is registered. AFAIK for mobile, if the URL scheme is not registered locally, it will query the app store and let the user install from there. BankID is available for both iPhone and Android in the app store. On Windows it also queries the app store, but the BankID client is not available as a Windows App, so it has to be installed manually from https://install.bankid.com. On Mac I have no idea if it queries the app store, but I know it has to be installed manually from https://install.bankid.com.
Android, iPhone, Windows Phone, Windows Mobile, Windows XP and later, and Mac OS X all honor the custom URL scheme, but it also needs to be honored by the browser, which all the major browsers do.
Historically, before mobile, we used to start programs using the NSS plugin support in the browsers. NSS plugin support was removed by the browsers since it was easy to misuse from a security point of view.
That's why the custom URL schemes are used.
As you can read in the BankID relying party guidelines, there is a transition to using https://app.bankid.com links to start the client instead. Basically, that's just a custom URL scheme similar to bankid:// but it registers both the protocol (https://) and the host (app.bankid.com), which then starts the app. This has the added benefit that a user who hasn't got the client installed, and is not able to find the client via an app store or similar, will get the website instead, which can then help the user to install the client.
As the idea of an applink is to let the user navigate to the website if the URL is not registered locally, don't hide the navigation.
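A sketch of how a relying party could build either launch link described above, added here as an example and not taken from the original answer or from BankID's own code. The function name, the `ALLOWED_RETURN_ORIGIN` value and the origin check on `redirect` are assumptions, as is the app link taking the same query parameters as the `bankid:///` form.

```javascript
// Added example: every name here is hypothetical, and the origin is constructed.
const ALLOWED_RETURN_ORIGIN = 'https://login.example.test';

// The token on this page has a UUID-like shape; reject anything else so that
// nothing unexpected is ever spliced into a link handed to the browser.
const TOKEN_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function buildBankIdLaunchUrl(autoStartToken, opts = {}) {
  const { redirect = null, appLink = true } = opts;
  if (!TOKEN_RE.test(autoStartToken)) {
    throw new Error('autostarttoken is not in the expected format');
  }
  let redirectValue = 'null'; // literal "null", as in the URL quoted in the question
  if (redirect !== null) {
    const target = new URL(redirect); // throws on malformed input
    // Only ever send the user back to our own site (avoids an open redirect).
    if (target.origin !== ALLOWED_RETURN_ORIGIN) {
      throw new Error('redirect must point back to our own origin');
    }
    redirectValue = encodeURIComponent(target.href);
  }
  // appLink=true: https link that falls back to the website when no client
  // is registered. appLink=false: the custom scheme from the question.
  const base = appLink ? 'https://app.bankid.com/' : 'bankid:///';
  return `${base}?autostarttoken=${autoStartToken}&redirect=${redirectValue}`;
}
```

Render the returned value as an ordinary visible link or button, so that a browser without the client lands on the website instead of an error page.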

Related

Why authentication works in some browsers but not in others

My app is on Azure AD and I'm using the following code to request authentication on the Auth Service:
HttpContext.GetOwinContext().Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/Home/Index" }, WsFederationAuthenticationDefaults.AuthenticationType);
What happens is that this works in some browsers (there is no pattern) and sometimes it doesn't work in others.
When the application redirects to /home/index, sometimes the object User.Identity has the user's email but sometimes it has no information.
Why is this happening?

Seamless SSO doesn't work in private browsing mode on Firefox and Microsoft Edge browsers. It also doesn't work on Internet Explorer if the browser is running in Enhanced Protected mode.
For SSO implementation, please consider the browser considerations doc published here.
As per the last update, here is the supported browser list:
Mozilla Firefox (all platforms)
Mozilla Firefox doesn't automatically use Kerberos authentication. Each user must manually add the Azure AD URL to their Firefox settings by using the following steps:
1. Run Firefox and enter about:config in the address bar. Dismiss any notifications that you see.
2. Search for the network.negotiate-auth.trusted-uris preference. This preference lists Firefox's trusted sites for Kerberos authentication.
3. Right-click and select Modify.
4. Enter https://autologon.microsoftazuread-sso.com in the field.
5. Select OK and then reopen the browser.
Safari (macOS)
Ensure that the machine running macOS is joined to AD. Instructions for AD-joining your macOS device are outside the scope of this article.
Google Chrome (all platforms)
If you have overridden the AuthNegotiateDelegateWhitelist or the AuthServerWhitelist policy settings in your environment, ensure that you add Azure AD's URL (https://autologon.microsoftazuread-sso.com) to them as well.
Google Chrome (macOS and other non-Windows platforms)
For Google Chrome on Mac OS and other non-Windows platforms, refer to The Chromium Project Policy List for information on how to whitelist the Azure AD URL for integrated authentication.
The use of third-party Active Directory Group Policy extensions to roll out the Azure AD URL to Firefox and Google Chrome on Mac users is outside the scope of this article.
Hope it helps.

Run MSI / exe file from any web browser

I have created an MSI / exe file using Visual Studio Installer. I want to run this installer from a web browser.
The purpose of doing this is that one of my clients wants to perform a digital signature, the private key token of which is stored in the USB attached to the client machine.
As the USB can't be accessed from the browser due to security reasons (restricted access), I am trying to create a windows form installer app, which opens from any browser application (made in say MVC etc.), accesses the private key, and returns the encrypted string back to the browser from the windows app.
So my primary questions are:
1.) How to run the installer from the web browser. If installer already installed, how to check for newer versions?
2.) How to pass a string from web app to the windows form app
3.) How to return the modified string from windows form app back to the same web browser application
So any suggestions / recommendations / approach you can guide me through.
Thanks in advance!

There is a way to make it work.
Let's say you created a Windows application for the clients and the name of the application is "AwesomeApp".
If you want to launch the application from the browser, then you need to write an HTML href tag like this:
<a href="AwesomeApp://<input arguments>" role="button" class="btn btn-primary">
Launch AwesomeApp</a>
When a user clicks on this button, the browser is going to ask to open your application. If the user clicks on "yes", then your application will be launched with the input arguments.
Now let's move to the other part of the problem: how can you open a browser from your Windows application?
Definitely, you cannot talk back to the same tab that you opened in the browser. What you can do is launch the browser with a specific string appended to your main URL.
Launching the browser totally depends on what language you are using to develop the Windows application.
I guess you will be able to achieve what you wanted from this.

Shopify After APP Installation in Store / Show Iframe to every Client without Login

After I installed my APP in Google Chrome, I noticed that if I open the Store in Safari, it shows an "Install the APP" page in my Iframe. I don't want my clients to see that installation process. If someone installed the APP in the Store, I want to check if the Store has installed the APP and show the Iframe without authentication.
The Iframe queries the price of the product with Heroku to another API. I use Rails, as shown in the 5 minute APP.
See this image showing the message:
and this one without (desired):

If an iframe works (your information is strictly informational) then its src attribute should be a root-relative proxy URL. The application proxy can return Liquid that Shopify will interpret for you.

Phonegap: iFrames and external URLs

I am in the process of creating an iOS app with Phonegap and jQuery; however, I am running into issues trying to allow both iFrames (to load normally) and external URLs (to open in Safari). I decided to choose the path of using iframes as I was not able to send POST and open the resulting page in Safari (I was trying to create a mobile-friendly login window that opens to the full site in Safari).
I recently updated to v1.5 hoping to resolve the issue, but it still occurs.
I have tried the trick "[url scheme] isEqualToString:@"http"...." however this forces any page in the iframe to load in Safari.
So, I would like either to have external URLs and iframes to behave just like it does in a Webapp (add to homescreen button on iOS) or be able to send POST to Safari?
Has anyone got ideas? :)
Thanks!

You could change tactic slightly and log in fully using your app, but then create an authentication token which would be passed via a standard link to be opened in Safari.
You could generate the token new each time. Tokens are a valid system for access.
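A server-side sketch of the token handoff suggested above, added as an example and not part of the original answer. The function names, the `/handoff` path, the in-memory store and the 60-second lifetime are all assumptions.

```javascript
// Added example (Node.js): single-use, short-lived login handoff token.
const crypto = require('node:crypto');

const TTL_MS = 60_000;     // assumption: the handoff must complete within 60 s
const pending = new Map(); // sha256(token) -> { userId, expiresAt }

// Store only a hash, so a dump of the store does not yield usable tokens,
// and look up by hash instead of comparing secrets character by character.
const digest = (token) =>
  crypto.createHash('sha256').update(token).digest('hex');

// Called after the user has fully logged in inside the app.
function issueHandoffToken(userId, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('base64url'); // 256 bits
  pending.set(digest(token), { userId, expiresAt: now + TTL_MS });
  return token;
}

// The "standard link" the app opens in Safari.
function handoffLink(baseUrl, token) {
  const url = new URL('/handoff', baseUrl);
  url.searchParams.set('token', token);
  return url.href;
}

// Called by the website when the link is opened; returns the user id or null.
function redeemHandoffToken(token, now = Date.now()) {
  if (typeof token !== 'string' || token.length === 0) return null;
  const key = digest(token);
  const entry = pending.get(key);
  if (!entry) return null;
  pending.delete(key);     // single use: removed even when it has expired
  return now > entry.expiresAt ? null : entry.userId;
}
```

Because the token travels in a URL, the site should swap it for a normal session cookie on redemption and redirect to a URL that no longer carries it.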

problems installing ssl certificate

I successfully installed an SSL certificate on my website but Chrome strikes through "https" saying there are still some resources on the website that are not secure. I made sure there's no reference to http on my webpages and also replaced the google's ajax js file with https version. How do I find what else is unsecure on my website and make sure my website is secure for users to browse and do stuff?

Chrome can show you everything that it's loading for a page. This is what you could do on the OS X version; the menu locations and/or modifier keys might be slightly different in other versions.
1. In Chrome, open up View -> Developer -> Developer Tools.
2. Click on Network.
3. Hold Shift and click the refresh button.
You should see a list of every network request made for that page. Look for one that is using http instead of https.
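To complement the Network-panel check, this added example (not from the original answer) scans a page's static HTML for subresources that resolve to http. The function name and the sample markup are constructed, and the regex only covers `src`/`href` attributes in the markup itself, not requests made later by scripts or stylesheets.

```javascript
// Added example: static scan for http:// subresources on an https page.
// Tags that trigger a fetch; <a href> is plain navigation and is left out.
// Note: <link rel="canonical"> is also matched and may be a false positive.
const SUBRESOURCE_RE =
  /<(script|img|iframe|link|audio|video|source|embed)\b[^>]*?\s(src|href)\s*=\s*(["'])(.*?)\3/gi;

function findInsecureSubresources(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const m of html.matchAll(SUBRESOURCE_RE)) {
    const [, tag, attr, , raw] = m;
    let resolved;
    try {
      // Resolve relative and protocol-relative (//host/x) references the
      // way the browser would, against the page's own URL.
      resolved = new URL(raw.trim(), page);
    } catch {
      continue; // not a parseable URL, nothing to fetch
    }
    if (resolved.protocol === 'http:') {
      findings.push({
        tag: tag.toLowerCase(),
        attr: attr.toLowerCase(),
        url: resolved.href,
      });
    }
  }
  return findings;
}

// Constructed sample page, not taken from the question.
const SAMPLE_HTML = `
<link rel="stylesheet" href="/css/site.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
<script src="//cdn.example.test/lib.js"></script>
<img data-src="http://lazy.example.test/x.png" src="/img/x.png">
<img src="http://static.example.test/logo.png">
<iframe src='http://widgets.example.test/badge'></iframe>
<a href="http://example.test/other">plain link</a>
`;

const sampleFindings =
  findInsecureSubresources(SAMPLE_HTML, 'https://shop.example.test/');
```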
