Can anybody let me know the possibility/steps to use Kentor Authservices with customer ADFS ?
So far we have successfully implemented Kentor library to integrate with customers' Okta setups (Okta as the IdP). We have got another customer requiring their employees to login on our site using its ADFS credentials.
For test purpose, I added another IdP node in the web.config setting login.microsoft.com as "signOnUrl" to post SAML login request, and expected to redirect back to our portal after authentication. But it presented with Microsoft apps options page and stayed there. What should be "entityId" ? How to set "ReturnUrl" etc are blank area for me as of now.
I need to know what direction I should move to enable SSO using customers' adfs with Kentor.
On the ADFS side you can import the AuthServices metadata. It would be on:
https:/xxx/AuthServices/ address.
On the Kentor side, use the ADFS metadata:
https://my-adfs/FederationMetadata/2007-06/FederationMetadata.xml
The entityID, endpoints etc. are all there.
Related
We have an MVC application (<myapp.somedomain.com>) .net 4.5.2 (OWIN/ADAL) that uses ADFS2016 for AuthN/AuthZ via OIDC/OAuth2. Users' credentials and attributes are stored in AD LDS. A client (X) requested to authenticate in the application via their IdP over SAML2. Is this possible WITHOUT making changes to the application?
The flow I am looking for; for this client the app’s URL would be (<myapp.somedomain.com/?client=x>). Our ADFS would recognize and redirect the client to their IdP where they would authenticate and than they would be send back to our ADFS along with some predefined claims. Our ADFS would map these claims to an Id Token / Access Token for our application to use. Am I dreaming or is this indeed feasible?
Any links to articles / documentation on how this could be achieved would be most helpful.
As #Wiktor suggests, you could add a SAML client-side stack to your app.
The other way is to federate ADFS with the SAML IDP.
When the user is redirected to ADFS, they use Home Realm Discovery to either redirect to the SAML IDP or authenticate on ADFS directly.
ADFS should handle the token conversions but you may have to fiddle around with the claims rules.
I want to create an ADFS session in the browser using APIs only.
I don't want to redirect users to ADFS login page. I collect user's AD credentials and using those credentials I want to create ADFS as well as my site's session in the browser. Currently, I can create my site's session but not ADFS's session.
For this, I am using OIDC's Password Grant flow which works fine as I am getting access_token, id_token and refresh_token but it does not create ADFS's session in the browser.
I am using other federated applications with the same ADFS, so ADFS's session in the browser is critical for me.
Creating User session using APIs is supported in OneLogin (https://developers.onelogin.com/api-docs/1/login-page/login-user-via-api) and I want a similar approach for ADFS.
I am also open to any other approach which can help me achieve this goal.
If anybody can help me with it, it will be a BIG RELIEF.
ADFS Version: 4.0
OIDC Flow: Resource Owner Password Credentials
ADFS (and Microsoft Identity products in general) do not have authentication API.
You can do this via WCF (WS-Fed active profile) but this by definition is not browser-based.
I'm working with a client who would like to authenticate with Active Directory Federated Services using SAML. As it was explained to me, the client ADFS server is the SAML identity provider and I simply need to provide a webview in the app for them to load a login page. Upon successful authentication the response should give authenticated metadata?
I've tried researching SAML and iOS and have only been able to find third party software which offers solutions, but no explanation of how this may be done without any third party integration into the app.
Resources I've looked into:
https://www.mutuallyhuman.com/blog/2013/05/09/choosing-an-sso-strategy-saml-vs-oauth2/
http://leandrob.com/2012/02/request-a-token-from-adfs-using-ws-trust-from-ios-objective-c-iphone-ipad-android-java-node-js-or-any-platform-or-language/
http://blog.centrify.com/ideal-solution-for-sso-across-native-mobile-applications/
https://msdn.microsoft.com/en-us/library/bb897402.aspx
Since I don't know anything about the content of this login page, how do I determine if the response has authenticated correctly? Additionally how do I extract and pull relevant information from this response into the app to store for future authenticated web service requests?
If the customer has ADFS 2012R2, it supports OAuth for public clients. Use the ADAL (Active Directory Authentication library) that supports ADFS. In this case, it will pop up a browser dialog window to do the authentication and then get a an authorization code. This code is then converted to an access token (JWT) which can then be used against a WebAPI.
I have 3 web sites in my company and each has its own login page, but authenticating against same authentication ( let's say custom DB) store. Recently, we thought of implementing SSO and by having a centralized Authentication website and all these web sites will rely on this new Authentication website for sign-in. Let me call Authenticating website as IP (Identity provider) and Relying parties as RP1, RP2, RP3.
I'm aware that this is fairly achievable using SAML / WS-Fed (since all websites are asp.net based) based implementation and lot of examples are there in internet. My question is whether the same is achievable using OpenID or OAuth ? There are some scenarios where I think it may not be possible.
Scenario 1:
After I SSO sign-in in RP1 and type the URL of RP2 in browser, will RP2 know that I’m already authenticated and allow me to proceed or will I be forced to login again through IP?
Scenario 2:
Assume that I have signed in and able to navigate between RP1 & RP2, If I sign-out of RP2, and navigate to RP1, will I be redirected to login page? is Single log out achievable ?
Please click here SSO Image
I appreciate your help.
OpenID Connect is an authentication protocol that supports "true" (whatever that means) SSO.
Read about it here: https://openid.net/connect/
Scenario 1: This is never how it works - RP2 will still need to make a roundtrip to the IP to get an identity token. But the user will not see a login screen and will sign-in automatically.
Scenario 2: Single Sign-out is part of the protocol - yes.
I am developing an asp.net MVC web application that will be deployed in the cloud and should support the following authentication scenarios:
Transparent authentication for domain users on an intranet. These users should be able to access the application without signing in.
Forms login for arbitrary non-domain users on the internet. These users should be presented with a login page using Forms authentication, and membership is managed internally by the application.
Forms login for domain users on the public internet. They should be able to use the same login form as non-domain users, but sign in with their domain credentials instead.
Active Directory Federation Services (ADFS) with passive authentication can cover cases #1 and #3. Since it redirects to the federation provider's login page, it doesn't cover the #2 case. I understand active authentication by my application could possibly support all three cases, however there is not much documentation around on how this would be implemented.
Ideally there should be a way for my application to authenticate a domain username and password with the ADFS federation provider.
Does anyone know whether this is possible, and if so, how?
The standard pattern for this is ADFS with a split DNS - IWA for intranet and Forms for internet.
However, ADFS can ONLY authenticate against AD so option 2 can't be achieved.
I would suggest using IdentityServer for option 2 - you may have to customise it depending on your "flavour" of membership - and then federate ADFS and IdentityServer.
IdentityServer is free / open source.
To expand on nzpcmad's answer, you can set up Claims Provider trusts other than Active Directory in the ADFS Management console under Trust Relationships > Claims Provider Trusts, they effectively chain ADFS with custom STS services.
The entries you add will be added to the Home Realm discovery page within the ADFS web site, such that authenticating users will be presented with a drop-down list to essentially choose the Claims Provider they wish to be authenticated against.
Automatic sign-in will still work for internal users who choose your Active Directory (ADFS provider), whilst members of other Providers will be redirected to their chosen Claims Provider's web site, which will typically present a Forms login page and authenticate against a back-end membership database, all external users (who are not able to present an NTLM or Kerberos token will be required to enter their details - for AD users this will mean they have to enter their domain\user string (or user#domain) and internal password.
Of course, you have to create these providers yourself, in the old WIF days this meant using the fairly clunky Custom STS template, however you can now streamline the procedure with a simple OWIN-based MVC5 site. Alternatively, as nzpcmad suggests, you could look at using IdentityServer.