In simple My only requirements are to implement SSO in my application:
Use ADFS 2012 R2 for SSO (OAuth2 protocol).
User will get token using oAUth 2.0 VIA ADFS Server using login prompt for credential or what ever authentication scheme is configured on ADFS form based or windows based.
If same user that is authenticated using oAuth for one application if second application want to use the same user then the login box that ADFS presented using oAUth2.0 should not appear.
Now, please help me how OWIN.SECURITY.OAuth or any other oAuth will help me and what is the best way to implement in MVC web application. Please provide sample applicaiton.
ADFS 2012 R2 only supports public clients. Web sites are confidential clients, hence you cannot perform an OAuth2 authorization grant with ADFS 2012 R2. But you should not be too bummed, given that an OAuth2 authorization grant would not give you SSO anyway - OAuth2 is not a sign on protocol.
If you want to perform web sign on using OAuth-like technology, I recommend you consider OpenID Connect and the ADFS version that comes with Windows Server 2016 (currently in technical preview 4).
Related
We have an MVC application (<myapp.somedomain.com>) .net 4.5.2 (OWIN/ADAL) that uses ADFS2016 for AuthN/AuthZ via OIDC/OAuth2. Users' credentials and attributes are stored in AD LDS. A client (X) requested to authenticate in the application via their IdP over SAML2. Is this possible WITHOUT making changes to the application?
The flow I am looking for; for this client the app’s URL would be (<myapp.somedomain.com/?client=x>). Our ADFS would recognize and redirect the client to their IdP where they would authenticate and than they would be send back to our ADFS along with some predefined claims. Our ADFS would map these claims to an Id Token / Access Token for our application to use. Am I dreaming or is this indeed feasible?
Any links to articles / documentation on how this could be achieved would be most helpful.
As #Wiktor suggests, you could add a SAML client-side stack to your app.
The other way is to federate ADFS with the SAML IDP.
When the user is redirected to ADFS, they use Home Realm Discovery to either redirect to the SAML IDP or authenticate on ADFS directly.
ADFS should handle the token conversions but you may have to fiddle around with the claims rules.
I have a Delphi web application developed using Intraweb framework (IW 15), currently user are authenticated with database of the application. Now we need to enable this application with SSO.
Our customer uses SAML2.0 and WS-Federation protocols with ADFS.
I have searched over the internet regarding ADFS and SSO but could not find any details about this.
Is this something where I can send a simple HTTP requests and get a token or some authentication information and allow user to login ?
Is there any component (in built with Delphi or third party) available to implement SSO with ADFS using SAML2.0 ?
We have an existing MVC angular application enabled with ADFS WS-Fed authentication. The application has many API's hosted as a part of the solution which is internally accessed by views. Now, We have a requirement for the API to be published to other developers.
I am thinking of enabling OAuth/OpenId for the endpoints and enable other developers to access. I need your inputs regarding my approach.
There is no support in ADFS 2.0 for OpenID Connect and OAuth.
The only API option you have is via WCF.
We have a ADFS server farm running version 3.0. Right now, we have it enabled to authenticate 3rd party vendor applications. We are planning to leverage this existing server farm to generate a JWT token for it to be consumed by our in-house custom applications. Does anyone know the steps to be followed for generating a JWT token which returns all the AD groups associated with the user?
Configuration - Windows Server 2012 R2, ADFS 3.0.
Can use either OAuth or SAML.
Please help.
This link should help.
Note that you should really use OpenID Connect for authentication but that's not available on ADFS 3.0. Also the user case for ADFS 3.0 OAuth is web API not application.
I am writing an ASP.Net WebApi application and I want to secure it using a combination of Custom Login (like ASP.NET Membership) and Social Logins (Google,Facebook,Twitter,LinkedIn and hopefully many more). User should be able to select any of them.
My client is pure HTML/JS SPA application and for that i will need to implement Implict grant flow of OAuth.
The options i see right now are
Use Thinktecture's Identity Server and Authorization Server.
Use DotNetOpenAuth library.
Can anyone point me in the right direction ? Which one of the above options can work for me?
Thanks
Why not follow the same pattern in MVC 5 SPA template, which already did exactly what you want to do:
It uses resource owner password login flow with ASP.NET Identity API
Support Social Login (Google, Facebook, Twitter, Microsoft Account)
Its client uses knockout and pure html/js
It uses implicit grant flow to convert social login to application access token
The template uses OWIN security middlewares, which can support:
Cookie auth
Bearer token auth
Social login auth
OAuth 2.0 Authorization Server flows and extension grant, which you can customize your own
You may need my blog to better understand the whole security story in the SPA template.