Are there any usable examples for writing .Net code which would allow SP-initiated SSO using Azure AD as the iDP and SAML2 as the protocol?
Everything I found online either doesn't have examples, doesn't explain clearly, or for the most part it's just outdated. For example, the Attributes tab so many guides refer to seems to be completely missing in Azure AD and so I have no idea how we're supposed to transform claims.
Does anyone have a good guide or sample code? Thanks!
I normally use the Kentor stack.
I did some posts here (plus links inside) which show what the OWIN interface looks like.
In your case. you would use the Azure AD metadata. You can get the URL for this from the "Endpoints" tab under "Applications" in the "Active Directory" section.
Related
I would like to know if One Drive supports those four ways of Authorization. Please refer to this link. https://www.rfc-editor.org/rfc/rfc6749#page-23
We are integrating our DVR and NVR with One Drive now and we need to understand which authorization method One Drive supports. We are trying to use OneDrive with embedded ARM processors, so the user does not have access to a browser as they would for a web-app.
Please kindly advise how we should proceed from here. Thanks for your time and I look forward to hearing from you.
Best Wishes,
Ted Yang
I am going to say yes, OneDrive probably supports those ways of authorization, because on their authentication documentations page they say the following:
The OneDrive API uses the standard OAuth 2.0 authentication scheme to authenticate users and generate access tokens.
That link takes us to the oauth.net site page for OAuth 2.0. On that page, we find the following:
The final version of the spec can be found at https://www.rfc-editor.org/rfc/rfc6749
which is the document you linked. The OneDrive API documentation says it supports OAuth 2.0, and your linking the definition of OAuth 2.0, so I think it's safe to say it's supported. How to use it is another question entirely, and one I am unable to answer.
I will note, however, that on the OAuth page, they have this to say about it's uses (emphasis mine):
OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.
I would presume that living room devices could include DVRs, and although your DVRs are for security purposes, the development of cloud storage APIs for either would undoubtedly be similar. So I would say this is probably quite possible.
How to do it:
First things first, you'll need to register your app. This gets you a client id and a client secret which you'll need. Registration directions
There are two methods: token flow and code flow. Token flow is two steps, and code flow is three steps. However token flow uses tokens that expire, so it would require the user to reenter thigns periodically. You therefor want to use code flow. Here's some directions for that.
Basically the steps of the code flow are:
Get an authorization code
User authorization code to get an access token
User access token to make API calls
You WILL need to make HTTP requests. I'm sure you should be able to do this with ARM embedded C. However, step 1 is what gives you to the Microsoft account login page. I am note sure how to circumvent this, exactly. I'm not sure you're supposed to be ABLE to circumvent this, since Microsoft doesn't want you handling their customers' passwords.
They have an example in Javascript that might give useful details on oauth in the oauth.js file. Javascript sample project
I'am looking at the capabilities of WIF in terms of SSO. Actually we have a "legacy" users & rights management database under SQLServer and we like to build a brand new SSO system on top of this exsting database.
In many tutorials I found they talk about using existing STS like ADFSv2 for Active Directory authorization, but It did not fit my needs because my users/rights are not exposed through AD but in a custom a specific business oriented SQL Server database.
So, I thing I need a custom Security Token Service in order to be able to emit my own custom tokens, but I don't know how to do this.
I need some little help or an example about how to achieve this.
Thank you
You can find STS example in WIF SDK. It contain an example with custom token. Look here
More detail information about SSO I seen in a book 'Programming Windows Identity Foundation'
You can build your own Custom Security Token Service leveraging the underneath SQL Server database. You will have to define your scopes and Claims that needs to be shared after user does a Single Sign On. Here are some links to some articles below that has helped me build mine. I am pretty sure by following the below links you will be able to build a custom STS catering to your needs.
WIF : http://chris.59north.com/post/Building-a-simple-custom-STS-using-VS2012-ASPNET-MVC
http://www.primaryobjects.com/2013/08/08/using-single-sign-on-with-windows-identity-foundation-in-mvc-net/
Care to explain why #paullem's answer was deleted?
It is in fact the correct answer!
The question is about an STS that authenticates using a SQL DB. That is EXACTLY what IdentityServer does.
Since it's open source, you can customize it any way you want or else use it as a guide.
So to repeat the answer - "Take a look at Thinktecture.IdentityServer........".
Update
You want a custom STS that supports SAML protocol and authenticates against a SQL DB?
WIF won't do this for you.
You need to look at something like Shibboleth or simpleSAMLphp but they are not .NET based.
Or take IdentityServer and add a SAML stack to it.
Refer: SAML : SAML connectivity / toolkit.
Be warned: This is not a trivial exercise!
I am developing MVC application and want to use WIF & Claim based security.
However I am very disappointed with the way login is perfomed. I mean redirection to STS login page and then redirecting back to my page. That is not user-friendly at all.
I want to implement login page in my application (it fact it will be popup dialog). Than using Web API I want to be able to perform STS request and get security token and initialize WIF infrastructure (Principle etc).
Is it a good way to go with?
Did anybody do something similar?
Does anybody have some samples of what I am trying to do?
I just worry that I don't have control over the STS login page layout & style.
Also I will have mobile application and must perform login using Web API service.
What can you advice?
Thanks
Well - you can do that of course. This does not need to be WIF specific. Call a service, pass credentials - and when OK set the login cookie.
But if you want SSO you have to make a user agent roundtrip to the STS - otherwise you cannot establish a logon session.
Consider using MembershipReboot membership provider which uses claims-based security and is not based on microsoft's traditional membership provider.
It does not have a documentation, but in the zip file you can find 2 sample projects that uses MemebershipReboot provider, which explains all you need to know about it.
In fact after reading this blog post today, I decided to use this approach in my current project. I'm still struggling with it now and I'm so excited !
In addition to Ashkan's recommendation Brock Allen provides solid documentation about how to implement MembershipReboot in association with IdentityServer. You can find that their is a way to configure a custom implementation Here. Also their are a few tutorials on vimeo from Dominick Baier (leastprivilege) that will provide a full walk through on getting started! I hope this helps!
I need to add social media login capabilities to a site and got stuck a bit, mostly because of the, more or less, non existing beginner documentation regarding these two.
I grasped the basics of DotNetOpenAuth by checking nerddinner but some here suggest WIF so I started looking into it. I realized quickly that just getting clear info explaining if this is feasible at all on shared hosting was not easy. I don't really want to pump through all reference knowledge, technical overviews (checked some out anyway), but just to be able to see the basic functionality.
So my questions are:
Where can I find any tutorials showing the basics and bare minimums needed for WIF to function in an explanatory manner? Preferably setting up WIF in a single MVC site combined with local authorization. Is there any step-by-step documentation at all?
Is WIF feasible, at all, on a single site or would the best option be to find other solutions like DotNetOpenAuth or use the separate APIs? When trying to get to the bottom of this, I have only found information regarding the value of WIF in large, multi-application, and platform environments combined with AD / ADFSv2. Which is completely outisde the bounds of what I need.
When I look at information on WIF, it's mostly linked to ADFSv2 and STS. Is this possible to implement at all for deployment on shared hosting for example?
Any input on the matter is appreciated.
WIF - see the How-to section here.
Also Get Started with Windows Identity Foundation (WIF).
Your best bet is probably to use WIF / ACS. Good link here or look at Windows Identity Foundation (WIF) and Azure AppFabric Access Control Service (ACS) Content Map.
The other way is to add OAuth2 to a custom STS. Refer Identity Server for a really good example of this.
DotNetOpenAuth definitely works on shared hosting, and requires no set up on the web server at all (it's just a .dll in your web site's Bin folder). Depending on the social networking sites in particular that you want to hook up to, it can be just a few lines of code to wire everything up if you're hooking up to OpenID enabled sites.
If the sites you're hooking to use OAuth or OAuth 2, there is more code to write for each individual site to work against their particular proprietary API, but that would also be true for WIF unless they have code to support specific web sites that happen to align with your own.
Please I would like someone to tell me if dotNetOpenAuth single-sign-on.
All I want to achieve is to be able to seamlessly logging to all domains without redirect to third party system for authorisation or Authentication within a mixture programming platforms e.g (PHP or .Net)
DotNetOpenAuth library is a simple library to implement Single Sign On for .NET based application. The only issue I faced was related to performance. It was found to be a known issue with a particular API that cause the sluggishnes.
DotNetOpenAuth can be used for SSO solutions, but each new web site a user visits does need to perform a redirect to the identity provider. In a controlled SSO environment, that provider may never appear to the user, so the login is totally transparent. There are a couple of samples of an SSO configuration that comes with the DotNetOpenAuth download.
DotNetOpenAuth will help you do what you want to do provided you can support OpenID from PHP. You need to implement a provider (the site that authenticates you against a DB or other store), and a consumer (the site you want to log into).
My recommendation would be to consider the authentication protocol you wish to use rather than a specific library at first. In the case if DotNet OpenAuth it has support for:
OpenID
OAuth
InfoCard
These are just a few of the protocols available. You should also look into the SAML family of protocols, in particular SAML 2.0.
There are implementations of SAML for PHP, .NET, and many other platforms. You might want to look at a comparison between OpenID and SAML in order to choose which is better for you.