MS Office URL-authentication - ithit-webdav-server

We are willing to implement a web application with edit functionalities of WORD documents using WebDav.
We are starting to have a better picture of the implementation required however, we have read on your site (http://www.webdavsystem.com/server/documentation/ms_office_read_only) that it is possible to avoid MS office Word login dialog to open when URL-authentication is implemented.
We can hardly find solutions on how to achieve this or on how to use URL-authentication with MS Office.
Would you be able to point us in the right direction with this process or even let us know how to get some examples on that?

Here are some options to avoid login dialog:
Implement URL authentication. You will need to include some session
ID in the URL. Note that you will need to include it in path. For
example:
https://server/[SessionID1234567890]/path/file.docx
Do not include your session ID in the query string, as MS Office will
truncate it when saving a document.
Implement cookies/Forms authentication. In this case you will need the IT Hit
WebDAV Ajax Library to open documents for editing. You will also need to install the protocol application (Edit Document Opener, supplied with the WebDAV Ajax Library) on a client machine.
Implement MS-OFBA authentication. You can generate sample MS-OFBA
code using 'Add WebDAV Server Implementation' wizard for Visual
Studio supplied with IT Hit WebDAV Server for .NET SDK.
Note that MS-OFBA will display an HTML login dialog inside MS Office UI, which is rendered by Internet Explorer. If you open a document from any other web browser the login dialog will be always displayed during first open.
To avoid login dialog during subsequent access you will need to set permanent
authentication cookie (check the 'Keep me logged-in' checkbox).
Use Kerberos authentication. By default Kerberos authentication will display login dialog during first document access only. This option can be configured in Active Directory policies.

Related

Acumatica report authoring and single sign-on

Our users authenticate to Acumatica using OAuth2-based SSO with Google as the identity provider. They do not have passwords to access the system (we generate very long, strong passwords which are discarded as soon as SSO is set up).
I don't want to go into all the reasons why SSO is important to us. It's critical, and I'll leave it at that. SSO was a policy and business requirement for us to select Acumatica.
The Report Designer doesn't seem to support OAuth2.
Is there a way we can give users the ability to download the RPX files via the browser, edit them outside the browser, and then upload the changes via the browser, using only SSO credentials?
Also, where can I get the source code to Report Designer? I'd love to see if I can add OAuth2 support myself.
There are 2 types of report in Acumatica:
Standard Reports
Analytical Reports
The links above describe how you can customize these reports using Acumatica Cloud ERP.
You can notice that standard reports have the following limited customization possibility using Cloud ERP:
You can adjust the report settings to meet your specific informational
needs. For example, you can specify sorting and filtering options and
select the data by using report-specific settings—such as financial
period, ledger, and account. You can configure additional processing
settings for each report.
Analytical reports have more customization possibilities through Cloud ERP:
The Analytical Report Manager is a web-based tool for creating and
modifying analytical reports. Users can design and run custom
analytical reports using advanced data selection criteria, data
calculation rules, and customizable report layout design features. By
using the Analytical Report Manager, you can: Create the layout and
structure of reports based on your business requirements. Define data
selection criteria for the report with a high level of granularity.
For example, data sources can include a range of accounts,
subaccounts, and financial periods. Use advanced formulas to calculate
values based on the information extracted from the data source. Create
consolidated reports based on the data from multiple data sources or
other analytical reports. Localize data used by a report if
multilingual support of user input is enabled.
Acumatica marketing material shouldn't refer to the standard report editor (Windows Form Desktop Application) as part of the Cloud ERP product. The reason for this is quite simple, a Windows Desktop application is not a cloud product, it can't be accessed with a browser and is not supported on unix/apple OS.
Analytical reports designer support SSO OAuth since the designer is running on the Cloud ERP product.
Standard reports designer doesn't support OAuth. You could fill a feature request for it though. Our marketing material should not refer to standard report customization as part of the Cloud ERP product because the designer requirements are different.
We strive to make every feature available on Cloud ERP platform. At the moment these are the features not available on Cloud ERP to my knowledge:
Standard Report Editor
DeviceHub, this is a Windows program that acts like a device
spooler so you can access windows desktop hardware like printer
and scales from the Cloud ERP.
Login page customization, this can't be achieved through
Customization Project Editor, you have to change files manually on
the server.
From now on, I'll focus on the Standard Report Designer, the Windows Desktop Application.
The designer uses the Web Service API to communicate with Acumatica Database.
Besides loading and saving RPX files the report designer also uses the Web Service API for features in 'File->Build Schema' dialog like 'Load Schema'. If your user are not using the 'Build Schema' features then having only the RPX file locally should be enough to allow them to modify the report using the designer.
Code for loading and saving RPX files is located in PX.Reports.Design.ReportUtils class which is part of PX.Reports.Design.dll assembly. It's using the SOAP API which to my knowledge is not the preferred API to use OAuth, the REST Contract API is recommended for OAuth enabled Web Services. Refactoring the PX.Reports.Design.dll assembly to use REST Contract API instead of SOAP API isn't trivial.
That said I believe it's possible to load and save RPX files using the Rest API and you could write a wrapper for the report designer to handle that task as long as you forgo 'Build Schema' feature. I'll touch on that at the end of my answer.
You can find the documentation for using OAuth with Rest API here
There are two ways you can use Acumatica Web Service, attended or unattended.
Attended use requires a user to enter his credentials in some form of UI before using the web service. The report designer uses this form of authentication.
The alternative for unattended use is to configure and save the authentication credentials before using the web service. That way an automated program can use web service API without requiring a user sitting in front of the computer.
Unattended use typically doesn't involve OAuth because you can't have a user dedicated to the task of authenticating. For example, if you integrate Acumatica with an ecommerce provider, requiring him to use OAuth authorization to push the orders to Acumatica is problematic because that process usually doesn't involve a UI where a user sitting at the computer provide authorization.
You could technically create a OAuth access token that never (rarely) expires for this task but it circumvents the purpose of OAuth which is having temporary access tokens to mitigate man in the middle attacks. Certifications that mandates use of OAuth typically forbid use of tokens that never expire. That's why requesting OAuth for automated process can raise eyebrows and lead programmers to question your security policies.
Now let's get to possible solutions for your problem. You'll have to assess whether your security policies allows use of unattended web service without OAuth authorization. If that's the case then your job will be much easier. If not then you'll likely run into similar problems later on if dealing with third party web service integration for Acumatica is required.
In order to write a wrapper over the report designer you'll have to write a windows desktop application and have the '.RPS' file type associated with your wrapper instead of being associated with Acumatica report designer.
When a user clicks the EDIT REPORT button on the website, a '.RPS' text file is generated in memory on the server and the user browser is redirected to that file in order to download it locally. When the user clicks on the RPS file, windows launches the associated program (Acumatica report designer) and passes the RPS file path by command line parameter. The report designer then presents the authorization dialog where user can enter his credentials and the report RPX file is downloaded by the Web Service API.
Example of the content of an RPS file:
ServiceUrl|http://localhost/AcumaticaInstance/
ReportName|gl633000.rpx
User|admin
The idea is to have your wrapper parse this RPS file, download the associated RPX file using the Web Service API that comply with your security policy and then launch Acumatica report designer for this RPX file using command line parameter:
"c:\...\ReportDesigner.exe" "c:\...'gl633000.rpx"
When you launch the report designer you want to halt your main thread until the user closes the report designer. Framework methods that do this are typically named 'wait for exit'. Before closing the report designer the user would save the RPX file. After the designer is closed your main thread will resume and you can then re-upload that RPX file to Acumatica database using Web Service API.
The easy way would be to create a report designer user to use Web Service API in unattended mode. You could store those credentials locally (in encrypted form) wherever you see fit and never expose them in UI. When making Web Service call you decrypt those credentials on the fly. In such a scenario the asset to protect is the decryption key.
If use of attended web service is required for OAuth support you will need to implement a UI to get those credentials. If you have to use Google login page for entering the credentials you would have to include an embedded browser in your wrapper for that purpose.
As a remainder, note that this solution will enable you to modify the report definition in the RPX file but will not enable you to use report designer features that require web service API like 'Build Schema'.

Is 'Word as a Service' possible via MS Graph API?

I have found some, but not all, pieces of the puzzle.
Using Graph APIs, when a user selects a document in my own web application, I can:-
Create a new temporary folder in their OneDrive account
Upload my.docx file to this location
Get the url for my.docx
Open the URL in a new tab, loading Office 365's MSWord editor (or viewer and editor after one more click)
This is where it gets a bit trickier. How can I get the edited content back into the location where my web application historically stored these documents?
Theorising, I can:-
Create a webhook subscription to the new folder I create
Implement a webhook listener (and validation) service
When the listener receives an 'update' notice for the document:-
Call the download(content) API, or from the driveItem metadata, download it from #microsoft.graph.downloadUrl
Persist it to my desired location within my web application
To me this sounds like it'll suffer from big delays. The webhook subscriptions typically send batches of changes and the frequency looks uncertain. It certainly wouldn't be great for versioning every individual save operation during the editing session.
Have I missed some more obvious path to Word as a Service? i.e. another API or a mixture of APIs?
Alternatives I've considered but haven't yet scoped: implement WOPI or WebDav within my own web application.
It sounds like you're only using OneDrive to take advantage of its built-in support for the MS-WOPI protocol. WOPI is basically an enhanced WebDav interface that is used by Office to work with remote document (i.e. files stored on OneDrive, Box, DropBox, etc.).
Your solution is generally fine and it is certainly easy enough to orchestrate. You can absolutely use webhooks to subscribe to changes to the file. You'll likely want some mechanism in your app to notify your system when they're "done" so you can clean up the file afterwards.
If you want a more robust solution, you'll need to look at WOPI. Implementing WOPI would allow you to keep these files on your system permanently. Office Online would use the WOPI interface to speak with your storage system and open/save/edit files in-place.
Keep in mind that implementing WOPI (or any protocol for that matter) is often a non-trivial endeavor. You will also need to get your final solution validated and whitelisted by Office before it can be used. Details on this process and how to request access can be found at the Microsoft Cloud Storage Provider Program website.
Today OneNote and Excel are the only office "document clients" that have API's exposed via a REST API publicly available in the Microsoft Graph.
The only other "publicly available options" I'm aware of are:
WOPI APIs, that kind of act like a REST API but muche older
The office add-in model (hosted in a client) with the JavaScript API
The word object library (old, relying on dcoms and needs to have office installed and licensed on the machine)

Request forms based authentication protected url from windows service on same machine

I have an MVC3 website using forms authentication. On the same server is a windows service.
Both share the same database (which includes the standard asp.net membership tables) and they also share code up to the service layer.
I have a need for the windows service to be able to impersonate any membership user and then call a url on the website as that user. I'm not calling the url personally, it's called via a component which coverts URL output to a PDF.
I don't have the passwords because they're hashed in the database, so what I need is to be able to get a valid aspxauth cookie and send it with my request.
I've had no joy so far. Every PDF which is made is just a copy of my login screen.
Is it possible to generate a valid ticket from the windows service, which the website will accept and act as if that user had actually been through the login process?
Thanks.

SSO SharePoint 2010 through ASP.NET MVC3-Application, Document Editing

We have a ASP.NET MVC3-Application which includes a lot of links to Documents in SharePoint 2010 - Libraries. If the User clicks on one of these links, he'll be invited to choose between ReadOnly-Mode or Edit-Mode of the Office-Document. If he chooses "Edit-Mode", he will have to enter the credentials for SharePoint.
Is it possible to do some kind of SingleSignOn out of the MVC-Application, using the Users MVC-App-Creentials to log into SharePoint2010? We'd like to have the user clicked on the link and to be able to edit the document and click save (saving back to SharePoint) without entering his credentials once again. Are there any experiences?
//edit: the MVC-Application & SharePoint are both in a different Active Directory than the User, so this problem is not solvable by implementing a User > SharePoint SSO. Further it is not possible to access SharePoint through the SharePoint Server Object Model in the MVC3-Application: SharePoint uses .NET 3.5 and MVC3 requires .NET 4.0
You can achieve what you are trying to do, however, you would need to enable claims based suthentication on SharePoint and write a custom provider.
One of the possible solutions in your case is Active Directory Federation Services.
http://blogs.technet.com/b/andrew/archive/2010/06/09/what-is-adfs-and-why-you-should-care.aspx

ASP.NET MVC 2 and authentication using WIF (Windows Identity Foundation)

Are there any decent examples of the following available:
Looking through the WIF SDK, there are examples of using WIF in conjunction with ASP.NET using the WSFederationAuthenticationModule (FAM) to redirect to an ASP.NET site thin skin on top of a Security Token Service (STS) that user uses to authenticate (via supplying a username and password).
If I understand WIF and claims-based access correctly, I would like my application to provide its own login screen where users provide their username and password and let this delegate to an STS for authentication, sending the login details to an endpoint via a security standard (WS-*), and expecting a SAML token to be returned. Ideally, the SessionAuthenticationModule would work as per the examples using FAM in conjunction with SessionAuthenticationModule i.e. be responsible for reconstructing the IClaimsPrincipal from the session security chunked cookie and redirecting to my application login page when the security session expires.
Is what I describe possible using FAM and SessionAuthenticationModule with appropriate web.config settings, or do I need to think about writing a HttpModule myself to handle this? Alternatively, is redirecting to a thin web site STS where users log in the de facto approach in a passive requestor scenario?
An example of WIF + MVC is available in this chapter of the "Claims Identity Guide":
http://msdn.microsoft.com/en-us/library/ff359105.aspx
I do suggest reading the first couple chapters to understand all underlying principles. This blog post covers the specifics of MVC + WIF:
Link
Controlling the login experience is perfectly fine. You should just deploy your own STS (in your domain, with your look & feel, etc). Your apps would simply rely on it for AuthN (that's why a app is usually called a "relying party").
The advantage of the architecture is that authN is delegated to 1 component (the STS) and not spread out throughout many apps. But the other (huge) advantage is that you can enable more sophisticated scenarios very easily. For example you can now federate with other organization's identity providers.
Hope it helps
Eugenio
#RisingStar:
The token (containing the claims) can be optionally encrypted (otherwise they will be in clear text). That's why SSL is always recommended for interactions between the browser and the STS.
Notice that even though they are in clear text, tampering is not possible because the token is digitally signed.
That's an interesting question you've asked. I know that for whatever reason, Microsoft put out this "Windows Identity Foundation" framework without much documentation. I know this because I've been tasked with figuring out how to use it with a new project and integrating it with existing infrastructure. I've been searching the web for months looking for good information.
I've taken a somewhat different angle to solving the problem you describe.
I took an existing log-on application and integrated Microsoft's WIF plumbing into it. By that, I mean that I have an application where a user logs in. The log-on application submits the credentials supplied by the user to another server which returns the users identity (or indicates log-on failure).
Looking at some of Microsoft's examples, I see that they do the following:
Construct a SignInRequestMessage from a querystring (generated by a relying party application), construct a security token service from a custom class, and finally call FederatedSecurityTokenServiceOperations.ProcessSignInresponse with the current httpcontext.response. Unfortunately, I can't really explain it well here; you really need to look at the code samples.
Some of my code is very similar to the code sample. Where you're going to be interested in implementing a lot of your own logic is in the GetOutputClaimsIdentity. This is the function that constructs the claims-identity that describes the logged-in user.
Now, here's what I think you're really interested in knowing. This is what Microsoft doesn't tell you in their documentation, AFAIK.
Once the user logs in, they are redirected back to the relying party application. Regardless of how the log-on application works, the WIF classes will send a response to the user's browser that contains a "hidden" HTML input that contains the token signing certificate and the user's claims. (The claims will be in clear text). At the end of this response is a redirect to your relying-party website. I only know about this action because I captured it with "Fiddler"
Once back at the relying party web site, the WIF classes will handle the response (before any of your code is run). The certificate will be validated. By default, if you've set up your relying party web site with FedUtil.exe (by clicking "Add STS Reference in your relying party application from Visual Studio), Microsoft's class will verify the certificate thumbprint.
Finally, the WIF framework sets cookies in the user's browser (In my experience, the cookie names start out with "FedAuth") that contain the users claims. The cookies are not human readable.
Once that happens, you may optionally perform operations on the user's claims within the relying party website using the ClaimsAuthenticationClass. This is where your code is running again.
I know this is different from what you describe, but I have this setup working. I hope this helps!
ps. Please check out the other questions I've asked about Windows Identity Foundation.
UPDATE: To answer question in comment below:
One thing that I left out is that redirection to the STS log-on application happens by way of a redirect with a query-string containing the URL of the application the user is logging in to. This redirect happens automatically the first time a user tries to access a page that requires authentication. Alternatively, I believe that you could do the redirect manually with the WSFederationAuthentication module.
I've never tried to do this, but if you want to use a log-on page within the application itself, I believe the framework should allow you to use the following:
1) Encapsulate your STS code within a library.
2) Reference the library from your application.
3) Create a log-on page within your application. Make sure that such page does not require authentication.
4) Set the issuer property of the wsFederation element within the Microsoft.IdentityModel section of your web.config to the login page.
What you want to do is an active signin. WIF includes WSTrustChannel(Factory) which allows you to communicate directly with the STS and obtain a security token. If you want your login form to work this way, you can follow the "WSTrustChannel" sample from the WIF 4.0 SDK. Once you have obtained the token, the following code will take that token and call the WIF handler to create a session token and set the appropriate cookie:
public void EstablishAuthSession(GenericXmlSecurityToken genericToken)
{
var handlers = FederatedAuthentication.ServiceConfiguration.SecurityTokenHandlers;
var token = handlers.ReadToken(new XmlTextReader(
new StringReader(genericToken.TokenXml.OuterXml)));
var identity = handlers.ValidateToken(token).First();
// create session token
var sessionToken = new SessionSecurityToken(
ClaimsPrincipal.CreateFromIdentity(identity));
FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionToken);
}
Once you have done this, your site ought to behave the same as if passive signing had occurred.
You could use the FederatedPassiveSignIn Control.
Setting your cookie like this:
FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionToken);
Doens't work for SSO to other domains.
To cookie should be set by the STS not at the RP.

Resources