Thinktecture IdentityServer V3 without Sign in page - asp.net-mvc

I am spiking a solution with Thinktecture IdentityServer V3. The setup of the project is an ASP.NET MVC 5 site which uses forms authentication to authenticate the user; we also have a number of Web API sites which are hosted separately.
I would like to use IdentityServer to SSO into the Web API sites. This is an internal solution and I would like to somehow programmatically log in to the identity server instead of being shown the login screen.
Is this possible?
Many thanks

Check this link.
https://github.com/IdentityServer/IdentityServer3/issues/831.
You can sign in as resource owner, but SSO won't be possible.
We can always customize the login page provided on IdentityServer.
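As an added illustration (this is not code from the question, the linked issue, or IdentityServer3 itself): the resource owner password grant is a plain HTTP POST to the token endpoint, so the request has the same shape from any client language; the Python below builds that request and then shows the check each Web API still has to make on every call, which is the reason this path yields a token but no SSO session. Assumed values are the host `idsrv.example.local`, the client `mvc-app` and the scope `api1`; the `/connect/token` path is IdentityServer3's token endpoint. IdentityServer3 signs tokens with RS256 using its signing certificate; the block uses HS256 with a constructed key as a stand-in so that it runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Constructed values standing in for an IdentityServer3 host and client registration.
ISSUER = "https://idsrv.example.local"
TOKEN_ENDPOINT = ISSUER + "/connect/token"   # IdentityServer3 token endpoint path
API_SCOPE = "api1"


def build_ropc_request(client_id, client_secret, username, password, scope):
    """Build the resource owner password credentials request
    (grant_type=password) that a confidential client POSTs to the token endpoint.
    Returns (url, headers, body); nothing is sent, so this runs offline."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,   # the user's password passes through the MVC app
        "scope": scope,
    })
    return TOKEN_ENDPOINT, headers, body


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims, key: bytes) -> str:
    """Mint a compact JWT with HS256. IdentityServer3 uses RS256 and its
    signing certificate; HS256 with a constructed key is an offline stand-in."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_bearer_token(token, key, issuer, required_scope, now=None):
    """The check every Web API must make on each request: signature, issuer,
    scope and expiry of the bearer token. Returns the claims, or None on failure."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != issuer:
        return None
    scopes = claims.get("scope", [])
    if isinstance(scopes, str):
        scopes = scopes.split()
    if required_scope not in scopes:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def demo():
    """Run the pieces end to end on constructed data and report the outcomes."""
    key = b"constructed-demo-key"
    now = 1_700_000_000
    url, headers, body = build_ropc_request("mvc-app", "secret", "alice", "pw", API_SCOPE)
    good = make_token({"iss": ISSUER, "sub": "alice", "scope": [API_SCOPE], "exp": now + 3600}, key)
    stale = make_token({"iss": ISSUER, "sub": "alice", "scope": [API_SCOPE], "exp": now - 1}, key)
    return {
        "request": (url, headers["Authorization"], body),
        "accepted": validate_bearer_token(good, key, ISSUER, API_SCOPE, now=now) is not None,
        "expired_rejected": validate_bearer_token(stale, key, ISSUER, API_SCOPE, now=now) is None,
        "wrong_scope_rejected": validate_bearer_token(good, key, ISSUER, "api2", now=now) is None,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The token that comes back is only a credential for the APIs in `scope`; each API verifies it on its own and no browser session with IdentityServer is created, which is why a later visit to any other client still lands on the login page. Because the user's password passes through the MVC application, this grant belongs to trusted first-party clients only, and the client secret should be kept server side.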

Related

How to do salesforce authentication (pages) from ASP.Net MVC application login page using OAuth?

We have a requirement to do Salesforce authentication from an ASP.NET MVC application login page directly using the OAuth (authentication) protocol.
Can anyone help me with how to do this?
Thanks in advance
You can start with checking out these Salesforce docs:
Using OAuth to Authorize External Applications
Create a Connected App
Step Two: Set Up Authorization

Azure AD Authentication from ASP.NET MVC

I am struggling to find out whether I can authenticate my users with Azure AD using ADAL in an MVC web application directly.
I have the application setup and working. When a user hits a page requiring authorization it redirects to MS to login, then redirects back just fine. I need to host the login form.
Is this supported? I find a lot of misleading information and no definitive documentation or examples.
Thanks in advance.

ThinkTecture IdentityServer flow with SAML?

My understanding is I would have:
My MVC application
IdentityServer, running as a separate web application, possibly on the same IIS server
If I used a package supporting SAML, such as Kentor, to add SAML support to IdentityServer, what would the SAML authentication experience look like to the user?
They go to a restricted page on my MVC application; it detects they are not logged in and redirects them to IdentityServer, and IdentityServer would then redirect them to the SAML endpoint (such as ADFS) to enter their credentials, then they would be redirected back to IdentityServer, which would then redirect them back to my web application.
Is that correct?
Correct - for identityserver 3 and sample as below.
What protocol is your MVC app. using to connect to identityserver?
OOTB, identityserver would show you its logon page (much like HRD) and the user would have to click the SAML IDP button.
Refer: IdentityServer : ASP.NET MVC application to idsrv3 to ADFS via SAMLp 2.0

Securing ASP.NET WebAPI - Custom Login + Social Login

I am writing an ASP.NET Web API application and I want to secure it using a combination of custom login (like ASP.NET Membership) and social logins (Google, Facebook, Twitter, LinkedIn and hopefully many more). The user should be able to select any of them.
My client is a pure HTML/JS SPA application, and for that I will need to implement the implicit grant flow of OAuth.
The options I see right now are:
Use Thinktecture's Identity Server and Authorization Server.
Use the DotNetOpenAuth library.
Can anyone point me in the right direction? Which one of the above options can work for me?
Thanks
Why not follow the same pattern as the MVC 5 SPA template, which already does exactly what you want to do:
It uses the resource owner password login flow with the ASP.NET Identity API
Supports social login (Google, Facebook, Twitter, Microsoft Account)
Its client uses Knockout and pure HTML/JS
It uses the implicit grant flow to convert a social login into an application access token
The template uses OWIN security middlewares, which can support:
Cookie auth
Bearer token auth
Social login auth
OAuth 2.0 Authorization Server flows and extension grants, which you can customize with your own
You may need my blog to better understand the whole security story in the SPA template.

Supporting ASP.NET forms authentication for extranet users and ADFS federated login for intranet users

I am developing an ASP.NET MVC web application that will be deployed in the cloud and should support the following authentication scenarios:
1. Transparent authentication for domain users on an intranet. These users should be able to access the application without signing in.
2. Forms login for arbitrary non-domain users on the internet. These users should be presented with a login page using Forms authentication, and membership is managed internally by the application.
3. Forms login for domain users on the public internet. They should be able to use the same login form as non-domain users, but sign in with their domain credentials instead.
Active Directory Federation Services (ADFS) with passive authentication can cover cases #1 and #3. Since it redirects to the federation provider's login page, it doesn't cover case #2. I understand active authentication by my application could possibly support all three cases; however, there is not much documentation around on how this would be implemented.
Ideally there should be a way for my application to authenticate a domain username and password with the ADFS federation provider.
Does anyone know whether this is possible, and if so, how?
The standard pattern for this is ADFS with a split DNS - IWA for intranet and Forms for internet.
However, ADFS can ONLY authenticate against AD so option 2 can't be achieved.
I would suggest using IdentityServer for option 2 - you may have to customise it depending on your "flavour" of membership - and then federate ADFS and IdentityServer.
IdentityServer is free / open source.
To expand on nzpcmad's answer, you can set up Claims Provider Trusts other than Active Directory in the ADFS Management console under Trust Relationships > Claims Provider Trusts; they effectively chain ADFS with custom STS services.
The entries you add will be added to the Home Realm Discovery page within the ADFS web site, such that authenticating users will be presented with a drop-down list to essentially choose the Claims Provider they wish to be authenticated against.
Automatic sign-in will still work for internal users who choose your Active Directory (ADFS provider), whilst members of other Providers will be redirected to their chosen Claims Provider's web site, which will typically present a Forms login page and authenticate against a back-end membership database. All external users (who are not able to present an NTLM or Kerberos token) will be required to enter their details; for AD users this will mean they have to enter their domain\user string (or user@domain) and internal password.
Of course, you have to create these providers yourself. In the old WIF days this meant using the fairly clunky Custom STS template; however, you can now streamline the procedure with a simple OWIN-based MVC5 site. Alternatively, as nzpcmad suggests, you could look at using IdentityServer.