I've followed the steps on http://www.cloudidentity.com/blog/2014/02/12/use-the-on-premises-organizational-authentication-option-adfs-with-asp-net-in-visual-studio-2013/ to create a new MVC application using ADFS to authenticate my users. Now the team behind the ADFS configuration needs the application metadata file to allow the application to connect the ADFS.
How can I generate this metadata file?
It normally "lives" at /FederationMetadata/2007-06/FederationMetadata.xml in your STS website. If you used a standard solution like thinktecture then that is the case. Otherwise, you can generate it yourself using the .Net classes in System.IdentityModel.Metadata. You can find some inspiration at https://github.com/IdentityServer/IdentityServer3.WsFederation/blob/25a2101f9bfe78e4ec856eb15c9bf19a9a9b256c/source/WsFederationPlugin/WsFederationController.cs and related classes.
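Added example (not code from the original post or from the linked IdentityServer project): the metadata the question is asking about is the application's own relying party metadata, the document an AD FS administrator imports when creating the relying party trust. It can be produced with the System.IdentityModel.Metadata classes the answer mentions (.NET Framework 4.5 or later). The realm, reply URL, requested claim types, output path and the optional certificate thumbprint are assumed values.

```csharp
// Added example: generate WS-Federation relying party (application) metadata
// with System.IdentityModel.Metadata. All URLs and the thumbprint are assumed.
using System;
using System.IdentityModel.Metadata;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Xml;

static class RelyingPartyMetadata
{
    const string WsFederationProtocol = "http://docs.oasis-open.org/wsfed/federation/200706";

    // Builds the metadata document as a string. 'cert' may be null; when present its public
    // key is advertised for token encryption and the document is signed with it.
    public static string Build(string realm, string replyUrl, X509Certificate2 cert)
    {
        var entity = new EntityDescriptor(new EntityId(realm));

        var app = new ApplicationServiceDescriptor();
        app.ProtocolsSupported.Add(new Uri(WsFederationProtocol));
        app.ServiceDisplayName = "Claims-aware MVC application"; // assumed

        if (cert != null)
        {
            var clause = new X509RawDataKeyIdentifierClause(cert);
            app.Keys.Add(new KeyDescriptor(new SecurityKeyIdentifier(clause)) { Use = KeyType.Encryption });
            entity.SigningCredentials = new X509SigningCredentials(cert);
        }

        // Claims the application expects; AD FS shows these when the trust is created.
        app.ClaimTypesRequested.Add(new DisplayClaim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name")
        {
            DisplayName = "Name",
            Optional = false
        });
        app.ClaimTypesRequested.Add(new DisplayClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/role")
        {
            DisplayName = "Role",
            Optional = true
        });

        // Scope the STS is allowed to issue tokens for, and where it posts them back.
        app.TargetScopes.Add(new EndpointReference(realm));
        app.PassiveRequestorEndpoints.Add(new EndpointReference(replyUrl));

        entity.RoleDescriptors.Add(app);

        var sb = new StringBuilder();
        var settings = new XmlWriterSettings { Indent = true, Encoding = new UTF8Encoding(false) };
        using (var writer = XmlWriter.Create(sb, settings))
        {
            new MetadataSerializer().WriteMetadata(writer, entity);
        }
        return sb.ToString();
    }

    // Looks up a certificate in the local machine store by thumbprint; returns null if absent.
    static X509Certificate2 FindCertificate(string thumbprint)
    {
        if (string.IsNullOrEmpty(thumbprint)) return null;
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            return found.Count > 0 ? found[0] : null;
        }
        finally
        {
            store.Close();
        }
    }

    static void Main()
    {
        // Assumed values for the example application
        const string realm = "https://app.example.local/";
        const string replyUrl = "https://app.example.local/";
        const string thumbprint = ""; // leave empty to emit unsigned metadata without an encryption key

        string xml = Build(realm, replyUrl, FindCertificate(thumbprint));

        // The conventional location under the application root
        string path = Path.Combine("FederationMetadata", "2007-06", "FederationMetadata.xml");
        Directory.CreateDirectory(Path.GetDirectoryName(path));
        File.WriteAllText(path, xml);
        Console.WriteLine("Wrote " + path);
    }
}
```

The resulting file can be handed to the AD FS team or served from the application under the path shown so that the trust can be created from the metadata URL. Without a certificate the document is unsigned and offers no encryption key, which is acceptable for a first trust but means AD FS will issue unencrypted tokens to the application.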
I built a claims-aware asp.net mvc application following the steps outlined in this page: https://learn.microsoft.com/en-us/dotnet/framework/security/how-to-build-claims-aware-aspnet-mvc-web-app-using-wif. The example in the page uses an STS on the local host, but in my application I am pointing to a fully-functioning AD FS on a different server.
I'm using Framework 4.7 and Windows Server 2016 to host the AD FS and to host the web application.
After I deployed the application I ran the Windows Identity Federation Utility against it (because I thought I needed it to add the application as a Relying Party Trust on the AD FS). This utility inserts a lot of tags into the web.config that refer to the Microsoft.IdentityModel namespace.
I then added the application as a Relying Party Trust to the AD FS, and navigated to the claims-aware app. The page failed because the sample code cast the claim returned by the STS as System.Security.Claims.Claim. When I changed it to cast as Microsoft.IdentityModel.Claims.Claim it worked fine.
The example I was following makes no mention of the Windows Identity Federation Utility. Do I need to use that? Or would this have worked without it?
When I try reversing the web.config changes that the utility inserted the site fails with a 401 error (access denied due to invalid credentials) so obviously the stuff inserted by the Utility is needed to get authentication from AD FS. Is this because I ran the Utility on the web site before adding it as a relying party trust to the ADFS?
The answer here is: don't run the Windows Identity Federation Utility if you are using ADFS Server 2016, as it forces use of the Microsoft.Identity libraries, which are deprecated. I mistakenly thought this utility was needed to create the FederationMetadata.xml file.
I created the FederationMetadata.xml file manually and reverted my web.config back to what it was before I ran the utility. This reverted me back to using the System.Identity libraries, which were added to the 4.5 framework, instead of the now-deprecated Microsoft.Identity libraries.
Just to note that the more "modern way" is to use the OWIN WS-Federation library.
This example is for Azure AD but you simply point to the metadata and the code figures all the rest out for itself.
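Added example (not code from the original answers or from Microsoft's Azure AD sample): an OWIN startup class for an ASP.NET MVC application that points the WS-Federation middleware at the AD FS federation metadata, so no WIF utility run and no `Microsoft.IdentityModel` configuration in web.config is needed. The AD FS host name, realm and reply URL are assumed values; the packages are Microsoft.Owin.Security.WsFederation and Microsoft.Owin.Security.Cookies.

```csharp
// Added example: OWIN WS-Federation sign-in against AD FS using only the federation
// metadata address. Host names and realm are assumed.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

[assembly: OwinStartup(typeof(ClaimsAwareApp.Startup))]

namespace ClaimsAwareApp
{
    public class Startup
    {
        // Assumed values
        const string MetadataAddress = "https://adfs.example.local/FederationMetadata/2007-06/FederationMetadata.xml";
        const string Realm = "https://app.example.local/";

        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            // Session cookie issued after a successful token validation
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                CookieSecure = CookieSecureOption.Always,
                CookieHttpOnly = true
            });

            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                // Issuer address, signing certificates and endpoints are all read from here
                MetadataAddress = MetadataAddress,
                Wtrealm = Realm,
                Wreply = Realm,
                TokenValidationParameters = new TokenValidationParameters
                {
                    // The token must be issued for this application, not for any other relying party
                    ValidAudience = Realm,
                    ValidateAudience = true
                },
                Notifications = new WsFederationAuthenticationNotifications
                {
                    SecurityTokenValidated = n =>
                    {
                        // Claims arrive as System.Security.Claims.Claim; no cast to
                        // Microsoft.IdentityModel.Claims.Claim is involved.
                        ClaimsIdentity identity = n.AuthenticationTicket.Identity;
                        if (!identity.HasClaim(c => c.Type == ClaimTypes.Name))
                        {
                            n.Response.StatusCode = 403;
                            n.HandleResponse();
                        }
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }

    [Authorize]
    public class HomeController : Controller
    {
        public ActionResult Index()
        {
            var principal = (ClaimsPrincipal)User;
            // Render the claims the STS issued, e.g. name and any role claims
            var lines = principal.Claims.Select(c => c.Type + " = " + c.Value);
            return Content(string.Join("\n", lines), "text/plain");
        }
    }
}
```

The `[Authorize]` attribute triggers the redirect to AD FS; the relying party trust on the AD FS side still has to exist, with the same realm and reply URL as configured here.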
I am upgrading a resource server that accepts access tokens from our OAuth server. In .NET 4.7, I had a startup configuration that looked like this:
appBuilder.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
When I add the NuGet package 'Microsoft.Owin.Security.OAuth', I get a warning that the package is not compatible with the target .NETCoreApp. Makes sense, but I'm not sure what the new package is.
I thought the package I needed was 'Microsoft.AspNetCore.Authentication.OAuth'. That allows me to add to startup:
services
.AddAuthentication(OAuthDefaults.DisplayName)
.AddOAuth("Bearer", options => options.AuthorizationEndpoint = "uhhh" );
Why would I be configuring an endpoint? I just want to look for an authorization token, not actually serve them up. This looks like the setup for an OAuth server, not a recipient. Also, the old 'OAuthBearerAuthenticationOptions' class allowed me to override things like 'AccessTokenFormat', but I'm not seeing that in the new options.
Lastly, I see that there is the option to configure OAuth this way:
app.UseOAuthAuthentication
But it complains that it's Obsolete, looks like a Core 1 version of 'AddOAuth', and nothing about AccessTokenFormat.
Any ideas?
Core does not provide a direct replacement for those APIs or their associated token server. The current guidance is that you use a server like IdentityServer4 along with AddJwtBearerAuthentication.
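Added example (not code from the original question or answer): an ASP.NET Core resource server that validates incoming bearer tokens with the Microsoft.AspNetCore.Authentication.JwtBearer package. The method is `AddJwtBearer`, which is the current name of the API the answer refers to as AddJwtBearerAuthentication. It assumes .NET 6 or later, an OAuth/OpenID Connect token server at an assumed URL that publishes `/.well-known/openid-configuration`, and an assumed audience name.

```csharp
// Added example: JWT bearer validation for an ASP.NET Core resource server.
// The issuer URL and audience are assumed values.
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Issuer, signing keys and endpoints are discovered from the Authority's
        // discovery document, so no AuthorizationEndpoint is configured here.
        options.Authority = "https://sts.example.local";   // assumed
        options.Audience = "resource-api";                 // assumed
        options.RequireHttpsMetadata = true;

        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ClockSkew = TimeSpan.FromMinutes(1),
            NameClaimType = "name",
            RoleClaimType = "role"
        };

        options.Events = new JwtBearerEvents
        {
            // Reject tokens that validated cryptographically but carry no usable subject
            OnTokenValidated = ctx =>
            {
                var sub = ctx.Principal?.FindFirst("sub")?.Value;
                if (string.IsNullOrEmpty(sub))
                {
                    ctx.Fail("token has no subject");
                }
                return System.Threading.Tasks.Task.CompletedTask;
            }
        };
    });

builder.Services.AddAuthorization();

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Any caller with a valid bearer token for this audience can read its own claims
app.MapGet("/me", (ClaimsPrincipal user) => new
{
    subject = user.FindFirst("sub")?.Value,
    name = user.Identity?.Name,
    roles = user.FindAll("role").Select(c => c.Value).ToArray()
}).RequireAuthorization();

app.Run();
```

There is no direct counterpart to the old `AccessTokenFormat` hook: the bearer handler validates tokens through `TokenValidationParameters`, and a non-JWT token format is handled by registering a custom validator (`SecurityTokenValidators` before .NET 8, `TokenHandlers` from .NET 8) rather than by supplying a token format.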
To write a custom federation, after generating the jar using the pom from the WSO2 docs, I put that in the said folder. But how do I use this custom federation? The documentation stops after this.
I can't see my new custom federation name in any drop-down; I was expecting to see it in the list of federations in the drop-down in the Service Provider configuration.
If we write a custom federation for an OAuth IdP, do all the URL configurations have to be managed programmatically in the OSGi bundle? Won't we get a UI for that?
Why is OAuth not supported? If we have any other vendor apart from Facebook, Google and Yahoo that is not OpenID Connect, we can't use any out-of-the-box SSO.
I got my bundle loaded onto WSO2. These were the steps:
I started WSO2 with the OSGi console:
$>wso2Server.bat -DosgiConsole
After this the server starts, and if we hit Enter we get the OSGi prompt,
where we can type OSGi commands.
Try $> package org.abc.whateverpackage
This lists all the bundles that import/export the given package name within the runtime.
Try $> install file:<filepath>. This gives an error message saying something is missing in an import, or whatever the issue might be.
In my case I started with the pom from WSO2, so I had to correct the configuration
from org.wso2.carbon.identity.application.authentication.framework.*,
to org.wso2.carbon.identity.application.authentication.framework.*;version="4.2.2"
The number 4.2.2 I got from the dependencies in the pom.
I added a BundleActivator:
<Bundle-Activator>com.osgi.customauth.Activator</Bundle-Activator>
Now when I create an IdP I can see my custom authenticator in the list along with Google, Yahoo etc.
But all the URLs for OAuth are in my code; I have to programmatically externalize this, and I did not yet find a clean way to do this.
I wanted to implement a small proof of concept for ADFS integration with an MVC application. For this I created a virtual machine with Windows 2008 R2, configured ADDS and ADCS, and updated my server's domain to the one created using ADDS.
After this I created a certificate using ADCS.
Then I installed ADFS 2.0 using the Microsoft download of ADFSSetup.exe RTW.
With some help I configured ADFS and added a relying party trust for my MVC application's SSL URI.
After this I tried to run the application, however I started facing a 403.14 error page.
The following observations came out of the entire configuration:
I tried to access "<>/federationmetadata/2007-06/federationmetadata.xml" and I got a proper XML, as expected.
I saw a couple of entries from the server computer's IIS website like "http://<>/adfs/services/trust" or "https://<>/adfs/ls/", however I couldn't get any response from the server. I even tried to access the same from the server using localhost instead of the server name, but still no luck.
Then, to cross-verify, I checked IIS's default website, where I found adfs/ls, however it was like a website. Not sure if that is correct or not. I couldn't find anything for 'services/trust' under the ADFS IIS application.
After that I installed ADFS from Server Manager and saw one more virtual directory, 'fs', added under the adfs application. When I tried to access 'fs' using https I was able to access it easily and could see the SOAP service and a page displayed with the available web methods.
I tried to find more on 'adfs/ls' and 'adfs/services/trust', however I couldn't get much more information.
Please, if anyone has come across this issue, do let me know.
This is not an issue; this is how ADFS works. Next you have to configure claims providers and relying parties from the ADFS management console (from Admin Tools). The relying party could be a sample claims-aware MVC application. It should work.
The only URLs that ADFS "answers" to are the federation metadata endpoint and the IdP-initiated one.
adfs/ls expects either WS-Federation or SAML parameters after it. On its own it will throw an error.
Then follow How To: Build Claims-Aware ASP.NET MVC Web Application Using WIF.
Why are you using Windows 2008 R2? (ADFS 2.0)? You should rather use Windows 2012 R2 (ADFS 3.0).
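Added example (not code from the original thread): the WS-Federation passive sign-in request that a relying party sends to /adfs/ls, built with the `SignInRequestMessage` class from System.IdentityModel.Services (.NET Framework 4.5 or later). It also shows that the bare /adfs/ls/ URL, with no `wa` parameter, does not parse as a WS-Federation message, which is the situation the answer describes. The AD FS host name, realm and reply URL are assumed values.

```csharp
// Added example: construct and inspect a WS-Federation passive sign-in request.
// Host names and realm are assumed.
using System;
using System.IdentityModel.Services;

static class PassiveSignIn
{
    // Assumed values
    const string AdfsPassiveEndpoint = "https://adfs.example.local/adfs/ls/";
    const string Realm = "https://app.example.local/";

    // Returns the URL the relying party redirects the browser to. The STS replies with
    // a form POST of the token to the wreply address, which must match the RP trust.
    public static string BuildSignInUrl(string returnPath)
    {
        var message = new SignInRequestMessage(new Uri(AdfsPassiveEndpoint), Realm)
        {
            Reply = Realm,          // wreply
            Context = returnPath    // wctx: opaque state the RP uses to restore the original page
        };
        // wa=wsignin1.0 and wtrealm are set by the constructor
        return message.RequestUrl;
    }

    // True only when the URL carries a recognisable WS-Federation action (wa=...).
    public static bool IsWsFederationMessage(string url)
    {
        WSFederationMessage parsed;
        return WSFederationMessage.TryCreateFromUri(new Uri(url), out parsed);
    }

    static void Main()
    {
        string signIn = BuildSignInUrl("/Home/Index");
        Console.WriteLine(signIn);
        Console.WriteLine("sign-in URL is a WS-Fed message: " + IsWsFederationMessage(signIn));

        // The endpoint on its own carries no wa parameter, so ADFS has nothing to act on.
        Console.WriteLine("bare endpoint is a WS-Fed message: " + IsWsFederationMessage(AdfsPassiveEndpoint));
    }
}
```

The WIF WS-Federation module (or the OWIN middleware) performs this redirect automatically once the application is configured, so the class is only needed when inspecting or troubleshooting the exchange.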
I am creating a C#.NET Windows service to create AdWords. I understand that I need to use OAuth2 authentication. Do I have to use the service account set up for achieving this?
No. Just install the client library from Nuget.
You can then add your credentials to the app.config file (installing via NuGet creates a template for these credentials in your app.config for you)