im developing a .net core mvc application with authentication against azure active Directory. My Problem is, that i have two different azure avtice directories which are undepentandend to eachother. Based on the user Input (mail or employenumber) i will decide which active Directory should used.
Any idea or reference?
Thank You!
You're describing a multi-tenant application where the AAD common endpoint is used as the entry point to the application rather than a specific AAD login page. You can configure your application to trust more than one AAD instance. It's rather involved, but MS had good documentation on how to adopt a single tenant app to multi-tenant. I'd also highly recommend Vittirio's blog as a place to learn about AAD auth, and while you're at it, his book titled 'Modern Authentication with Azure Active Directory for Web Applications'
Once you've turned on multitenancy for your application, you'll want to handle AAD validation yourself by checking the tenant id in the incoming SSO request. You do this by overriding SecurityTokenValidated in UseOpenIdConnectAuthentication. You can refer to this example where the code validates against a database.
There are other considerations such as admin consent where an AAD admin has to grant access to restricted permissions to your application. Good explaination here.
There is a very good reliable open-source project for that (Identity Server)
https://github.com/IdentityServer/IdentityServer4
And also you can check that (openiddict)
https://github.com/openiddict/openiddict-core
Related
I'm looking to employ Thinktecture's IdentityServer3 solution as a SSO service across multiple web application the organisation makes available to external users.
Taking the MVC Authentication sample as a starting point I'm looking at bolting on a registration process for new users to capture extra details when they first come to use the systems. This process is common across all the services we provide so I wish to bundle it alongside our SSO service.
Is there an elegant way to inject extra business logic into the IdentityServer3 core service? Basically if they're a new user I need to redirect them to some registration pages before flicking them back authenticated to the web application that they originally wanted to authenticate against.
Both docs
https://identityserver.github.io/Documentation/docsv2/advanced/userService.html
and samples
https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/CustomUserService
cover this.
I have an MVC5 website that was created in Visual Studio 2013. It was set up from the start to use Organizational Authentication using a single-tenant single-sign on. There is no way to access any part of the site without logging in with an account that has the correct domain. This is the desired function.
However, I am looking to add role-based authentication using Azure Active Directory. The desired functionality is that some users in certain groups can see some pages, and people in other groups can see different pages, etc. This seems like the most relevant/updated tutorial https://github.com/AzureADSamples/WebApp-GraphAPI-DotNet. But since I already use WS-Federation to login with an organizational account, do I really have to use OpenID type authentication as stated in the tutorial? It seems like there should be an easy way to get the roles once I'm already logged in. I know I probably have to use the Graph API in some sense but I don't know how. Please advise.
At sign-in, when the user arrives at you app with an SSO token - your application can query the directory Graph API to determine the users group memberships. Per the group memberships you can either grant permissions to the user directly or map the group membership to a "role" in you application.
We have a topic that explains this in more detail and a sample application (that uses WSFed) to perform role-based authorization using Azure AD group memberships: http://msdn.microsoft.com/en-us/library/azure/dn195601.aspx
Enjoy :-)
I have an app that uses my own membership system. It uses ASP.NET MVC 3 which I'm updating to ASP.NET MVC 5. It's not possible to change the membership to use a new one like ASP.NET Identity. But, for the authentication side, do you think it is a good idea to replace my auth-ticket system with OWIN.Security? Are there any traps that I should know about?
The Katana security middleware is independent from ASP.NET Identity. You can use them both or just one.
There are some cases where it makes very good sense to use just the Owin/Katana middleware, but not involve aspnet identity.
I just rolled up a prototype webforms application using OpenID Connect against an Azure Domain. My domain is Federated with an on-prem ADFS. By the time I got OpenID Connect and the GraphAPI working, I realized that I didn't really need much from aspnet identity.
I use the GraphAPI to grab extra info about the user and their group memberships, and I am adding that info as claims on the user principal... my site's code can operate against just the information in the claims.
Of course, if you want to do any custom profile or role stuff in your application, it probably makes sense to link it to aspnet identity too.. create an aspnet identity user when a new user authenticates, map that user's AD groups to roles, etc. Then you can manage application specific data for the user directly in the application via aspnet identity, while relying on Azure AD for the core authentication, basic profile, and group/role assignments.
I setup and MVC 4 application and added authentication against our Azure AD server as outlined here: http://msdn.microsoft.com/en-us/library/windowsazure/dn151790.aspx
Authentication works as expected. However, I'm not getting any roles back by default. There should be several AD groups created and I would like to use them to role restrict the application via the [Authorize] attribute in MVC.
I can't really find a good place to even start figuring this out. Can anyone give me an outline or point me to a good tutorial?
I should mention that I'm not the administrator for our Azure account, so I need to be able to tell our admin what to do if any setup is required on that side.
First, tokens returned by Azure AD do not currently contain claims for roles or groups, so you need to get them from the Graph API. Second, roles in Azure AD that are returned by the Graph API are not necessarily intended for use in an ISV/LoB app, and in general you should use security groups for authorization instead. To perform authorization, you should use the checkMemberGroups or getMemberGroups operations in the Graph API, which are transitive and valid for this purpose.
If you check out the following resources in order, I think your questions will be answered. You'll learn how to authenticate to the Graph, call it, and configure your application to use the result of the group operations to perform authorization:
Using the Graph API to Query Windows Azure AD -- This is the second walkthrough to complete now that you've done the web SSO one.
Authorization with Windows Azure Active Directory
MVC Sample App for Azure AD Graph
Blog post describing checkMemberGroups and getMemberGroups
How do I get role and group membership claims for users signing in via Windows Azure AD? -- This one is out of date in regards to the methodology for authentication and the UI for managing users/groups, but it's still useful. Pay special attention to the section on the custom ClaimsAuthenticationManager, which gives you an idea of how to inject role/group data into the ClaimsPrincipal object early so that it can be used in the [Authorize] attribute or other authorization logic.
Sean answer is a bit outdated. You can now configure Azure AD so it will include groups or roles inside JWT token so it will be included into ClaimsPrincipal.Current.Claims so standard [Authorize(Roles = "yourRoleName")] attribute will work.
Here is introduction post. Which basically says you have two options:
Use groups claim - you need to change groupMembershipClaims value in app manifest and later in application you can check for ClaimsPrincipal.Current.FindFirst("groups").Value to see in what group user is (you only get group id). You can write you own Authorize attribute that use this. more info
Define roles for you application and then use normal code for testing if user is in role:
[PrincipalPermission(SecurityAction.Demand, Role = “yourRoleName”)]
[Authorize(Roles = “yourRoleName”)]
if (ClaimsPrincipal.Current.IsInRole(“yourRoleName”)) { //do something }
You need to edit roles in you app's manifest.
More info here and here. Values needed to be set in manifest are described here
What is really strange is that you can't assign more than one role to group from Azure web page. You need to use azure graph api for this.
If you can't see Users and Groups tab in Azure portal you probably need Azure AD Basic or Premium edition. If you are working on free azure subscription you can use free Azure AD Premium trial to test stuff.
I'm working on an MVC4 site using SimpleMembership to handle user accounts and role based authentication. We have another site and we'd like to implement a single sign on system allowing users from the existing site to log in to the one I am building. What would be the best way to achieve this and hopefully leverage to the existing roles based authorization I'm using on the MVC4 site. Is it possible to have multiple membership providers (i.e. use the built in one and if the user is not found, attempt to authenticate via a custom provider that I'll write (once I work out how!). Or would it be better to abandon the built in membership/roles and roll my own?
I also thought of letting WebSecurity check the local database and if the user is not found, query the 2nd database and if the users credentials are valid, create a local account for them. One issue with this approach is if a user called Fred registers on the MVC site, and then a user from the other site called Fred logs in, we couldn't create them a local account with the same username. We could prefix/suffix the username with some text to indicate that they are from the other site but then we lose the single sign on feature.
We will also want to integrate AD authentication for staff in the future.
So essentially I'm looking for the best way to authenticate users from multiple databases and keep using roles based authentication?
I've also done a little digging was wondering if ADFS might be useful for this.
Any help or advice would be greatly appreciated!
I recommend the use of an Identity server to handle all your login request and switching to a claim based authentication instead of a role based authentication if you can.
I personally went with Thinktecture IdentityServer
pluralsight.com have a good course on it.
Thinktecture IdentityServer is build on top of simple Membership and it supports multiple protocol such as
WS-Federation
WS-Trust
OpenID Connect
OAuth2
ADFS Integration
Simple HTTP
I recommend checking it
Good Luck