ASP MVC 5 Windows authentication with custom roles and Active Directory - asp.net-mvc

I have an MVC 5 application set up with windows authentication and my own custom roles table for authorization. This works fine if the user exists in my application database - username in my users table maps to the usernames in active directory.
My question is how do I keep my users table in sync with active directory. Any time a new user is hired, a new record has to be added to my intranet application to ensure this user has access to it.
Is there a way to load users from active directory into my own users table perhaps with some kind of scheduled job or is there a better way to achieve what I'm trying to do?

I think sync two database instances (AD database and you app database) will become management issue as your business grow. Even, adding new user and removing is day to day work, so in both cases you need to execute some sort of action to add or remove users from your app database.
Why don't you ask your team to give you access of AD database and consume this into your intranet app, this is what I was using in my past organization and this works great.

The AD can be used in a programmatic manner. Just look for LDAP stuff and you'll find lots of examples. Here's one to get you started : Connect to Active Directory via LDAP
If your application allows people to register then implement your own custom membership provider which talks to the AD. You can create the users in the AD, you will have to pass the password requirements which are set on the AD as well, which is more than likely a good thing. The roles information can be stored there as well, no need for a local custom roles table either.

Related

Multiple user tiers Google+ API?

The question is fairly simple, but I've yet to find an answer to it. Is it possible to use Google+ API in an asp.net-mvc web app that requires multiple tiers of users?
For example, this app basically needs three sets of users and permissions associated with each: Admins, Members, Guests. Mind you, I've never handled user authentication of any type before, so I'm happy to hear suggestions for other frameworks if you think those would be better.
I think its going to be very hard for you to get three sets of user credentials in a single app.
For you to be able to authenticate as user one your going to need user one to authenticate your application then you will have access to that users data. If you need access to user twos data your going to have to have that user authenticate your application. If you need access to both users the same time its going to be very hard for you to get this access unless they are both using the same computer together.
While it is possible to get a refresh token for user one returned which you could store on your server some place and then use that to access user ones data when user two is on their machine. This becomes a gray area as you are responsible of holding user ones data private especially from user two.
as for your different leaves of users thats just part of your system it should just be a matter of strong the users ids associated with their role within the system.
None of this has anything to do with doing this in .net. You could probably work it all out using the .net client library. Web applications (ASP.NET MVC)

azure active directory user group identification for asp.net mvc website

I'm actually making a website, in asp.net MVC, witch is accessible with azure active directory account sign-in. This part works great. But now, I want to make roles based on who is signed-in so they can access to different content.
I made a group in my azure active directory for admins and I tried this solution but it's not really working well :
if (principal.Claims.Any(x => x.Type == "groups" && x.Value == "id of the admin group")){ give admin rights}
Did someone knows a better solution or what's wrong with mine ?
Thanks in advance.
I'm assuming you've created an Azure AD "Application" that you're using.
The trick is that you need to modify the "Manifest" for the application to allow you to query for groups.
There isn't a UI for this in the portal, you have to just download the manifest, make the change, then upload it. Clunky at best.
You want to find the key "GroupMembershipClaims" and set it to "SecurityGroup". If you set it to all then you'll get email groups as well. The problem here is that you get a list of all the users groups and all the groups those groups belong to. In a large company, that could be a lot!
You next have to call back to get the group info which means getting a token.
If you generated the MVC app in Visual Studio and told it you wanted to use Azure AD it sticks in much of the plumbing, but there is a bug in the template. When it tries to persist the tokens, it will always retrieve the first token in the list, not the most recent. That means your demo works today, but fails tomorrow...
You can search for info on the ADAL library for more info. I recommend reading Modern Authentication with Azure Active Directory for Web Applications by Vittorio Bertocci for real insights into how it all works.
You could refer to some tutorials https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure , https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-manage-access-powershell/, help you to manage access.
Assign role to user/group/app...
Keep contact if you have any questions.

How to create a multi-domain app in Rails 4

I want to create a multi-domain app with Rails and have been wondering about the best approach.
The app will have a set of functionality that will be the same functionality across all domains, so the change in domain will only mean a change in the db used and the styling (and content obviously) but the models and controller will be the same.
The app will use MongoDB as the main storage (Redis for workers and other stuff that not directly relevant to model storage)
My idea is: Once a user signs up, a new record will be created but also a database will be created with the user id. The user model will store the database id (recently created), and the domain the user have just added. A vhost file would be created and the server reloaded.
Once the user visits the app (using the new domain). the app would check the url and find the correct db to use based on url. This would be saved into variable to be used throughout the app.
I imagine have this check to happen on each request.
I would appreciate thoughts and comments on this approach and best way to achieve this.

Associate a username with a workflow in the persistence store?

Im new to WF and i'm trying to build an asp.net MVC web site with several WF "wizards". All users will be logged in using forms authentication. The users will have many different WF workflows they can start and come back and finish at a later date. I've added an SQL persistence store to store the state of the workflow which works so far. However it seems to me you need to know the guid of the workflow in order to reload it and carry on.
Is there a way i can add the users username to the persistence so that i could list the users currently active work flows so they can carry on where they left off? Each user could have several active work flows at any one time.
The persistence store supports Persistence IO Participants which can supply values to be persisted along with the workflow. The code is a little tricky but there are samples available, just look for PersistenceIOParticipant.

Securing web application on the data access level

Please consider the following setup:
Multi-tenant webapp.
Tenants create company accounts and company accounts have user accounts under them.
Users have roles, there's a special role "Owner" (the user who created the company account).
I'd like to have users to edit other user accounts (some admin tasks), but two conditions must be met:
Noone may edit owner's data (except for owner, when he's editing his own profile, and own profile editing is the same user editing).
Users may access user data and edit users only within their company account.
The app uses MVC architecture. Currently I check for those two conditions in the web layer and it works for me, but I have some concerns. If I go with some sort of API or some other type of data consumer, I may "forget" to re-inforce these conditions. Also, there will be other objects in the app with similar functionality requirements and which will have similar restrictions on them, so it's better for me to come up with some sort of pattern which will enforce my restrictions on data access level.
Could anyone recommend some approach worth looking into?
Thanks!
I beleive aspects or interceptors should be able to help you. If you work with objects you should be able to intercept requests containing your business data and check wether your user is allowed to work on it. The interceptor could then stop or proceed the execution.

Resources