I am faced with a project that uses custom authentication via a WCF service that returns a set of claims based on some data identifying a user, close to user name and password. Then on top of this, I have a custom STS, derived from Microsoft.IdentityModel.SecurityTokenService, that resides in an ASP.NET web site project. This project looks like it was created with the VS2010 template, and not carefully had-crafted.
My gut feeling, and lots of on-line advice tell me that this web site STS project is very far from production ready. I am now looking for an MVC based STS that I can use in anticipation of being production ready. TinkTecture's IdentityServer looks promising, but it is so much more than simply implementing a custom derivation of SecurityTokenService, I have no idea where to start. If somebody could steer me toward an open project or walk-through that does this, or offer some guidance as to where and how I can start extending or modifying Identity Server, that would be great.
Have you looked at Thinktecture.IdentityServer v3? I'm at the moment using it and very simple to use.
It is still in Beta but RTM will be available soon. It has good documentation and samples too.
https://github.com/thinktecture/Thinktecture.IdentityServer.v3/wiki/Getting-started
https://github.com/thinktecture/Thinktecture.IdentityServer.v3/wiki
Update:
Identity Server 4 is also available. It supports cross-platform deployment with .NET Core.
https://github.com/IdentityServer/IdentityServer4/
Have you looked at the MSDN article by Michele Leroux Bustamante?
It's a little old and based on WCF, but it has code accompanying it.
Building A Custom Security Token Service
If you want ASP.NET based example, Microsoft published this:
ASP.NET Security Token Service Web Site
There's also this STS project on CodePlex.
Related
I feel a bit overwhelmed right now with how to approach building an SSO solution for a project I'm taking on. I understand that I need a centralized login site, but, I'd like input on what framework I should be using to achieve this. I've been reading a bit about Windows Identity Foundation (WIF), but, the lack of documentation and code samples is quite disappointing. DotNotOpenAuth sounds like it has much more usage by the community than WIF, but, I'm not sure if that's the right framework for me to use given that I am not going to be letting third-party accounts be used for logging in.
There are multiple user data stores to take into account as well; active directory and a SQL Server database.
I really don't care what framework I use so long as it's simple and intuitive; I don't want an overly complex solution. Documentation and samples are also a plus! I already have experience with creating custom role providers and membership providers; those were a breeze and easy to do.
Here is a very quick visual of the structure I'm dealing with:
Refer: Claims Based Identity & Access Control Guide and Identity Developer Training Kit. There's WIF samples there.
In terms of what you want to achieve, ADFS v2.0 will get you most of the way but it can only authenticate against AD. For SQL server, use IdentityServer and then federate ADFS and IdentityServer.
Have a look at SAML. It is designed to address SSO. You may also want to look into OpenID.
There are enterprise products out there, such as CA Site Minder or IBM Tivoli for this kind if thing. They are not cheap because building a custom solution for this will be quite a feat.
If you are .NET based - then .NET 4.5 (which includes WIF) is the way to go.
But the framework will be you simplest problem. Building that kind of security infrastructure is hard. Have a look at both the book and idenitity server from nzpcmad's answer as a starting point.
As far as cross-platform goes, SAML tends to lead the pack. There are many implementations (java, php, perl). As Dominick (#leastprivilege) mentioned, if every application is .Net based, WS-Fed via WIF is the way to go. (btw, Dominick is the man when it comes to WIF - definitely hit his blog and forums up if you plan on exploring that route)
OpenId and OAuth are alternatives that you will hear about. They are somewhat less secure (the trust is in the user, rather than the infrastructure) and you will find that you will have to build a provider in order to support sign-in using your own user store.
Regardless of the route you choose, be prepared to do a lot of reading and learning. Check out the wikipedia articles above for a nice overview of how these technologies work, and don't be afraid to ask questions..
I need to add social media login capabilities to a site and got stuck a bit, mostly because of the, more or less, non existing beginner documentation regarding these two.
I grasped the basics of DotNetOpenAuth by checking nerddinner but some here suggest WIF so I started looking into it. I realized quickly that just getting clear info explaining if this is feasible at all on shared hosting was not easy. I don't really want to pump through all reference knowledge, technical overviews (checked some out anyway), but just to be able to see the basic functionality.
So my questions are:
Where can I find any tutorials showing the basics and bare minimums needed for WIF to function in an explanatory manner? Preferably setting up WIF in a single MVC site combined with local authorization. Is there any step-by-step documentation at all?
Is WIF feasible, at all, on a single site or would the best option be to find other solutions like DotNetOpenAuth or use the separate APIs? When trying to get to the bottom of this, I have only found information regarding the value of WIF in large, multi-application, and platform environments combined with AD / ADFSv2. Which is completely outisde the bounds of what I need.
When I look at information on WIF, it's mostly linked to ADFSv2 and STS. Is this possible to implement at all for deployment on shared hosting for example?
Any input on the matter is appreciated.
WIF - see the How-to section here.
Also Get Started with Windows Identity Foundation (WIF).
Your best bet is probably to use WIF / ACS. Good link here or look at Windows Identity Foundation (WIF) and Azure AppFabric Access Control Service (ACS) Content Map.
The other way is to add OAuth2 to a custom STS. Refer Identity Server for a really good example of this.
DotNetOpenAuth definitely works on shared hosting, and requires no set up on the web server at all (it's just a .dll in your web site's Bin folder). Depending on the social networking sites in particular that you want to hook up to, it can be just a few lines of code to wire everything up if you're hooking up to OpenID enabled sites.
If the sites you're hooking to use OAuth or OAuth 2, there is more code to write for each individual site to work against their particular proprietary API, but that would also be true for WIF unless they have code to support specific web sites that happen to align with your own.
What is the best way to use live id authentication with azure based asp.net mvc project?
I find the options
1) With in Live SDK, there are options like REST, JavaScript, C# etc.
2) Since my project will be hosted in azure, there is another way "Securing Web Applications with ACS" http://msdn.microsoft.com/en-us/library/gg185928.aspx
Please suggest the design and also support with pros when an particular approach is good.
You definitely want to work with ACS. Not only is it intended for this purpose, there's a fully worked up example at
http://msdn.microsoft.com/en-us/library/gg185975.aspx
which will give you a flying start.
ACS, and Windows Identity Foundation in general, lets you take the approach of separating identity verification from your application altogether. This saves a ton of code and means that you have much less "plumbing" to support.
I need to set up an asp.net mvc website in which all user information is to be stored in mysql database and user authentication needs to implemented. The MySql database on located on a web hosting.
Till now, I have only relied on the default asp.net mvc project provided in visual studio and do not know much on how to setup membership and login functionality for a website.
Can anyone please advice where to start looking.
Thanks.
Here is a link with custom membership providers for MySql.
You will have to register them in Web.Config. Linked article explains well though.
When in doubt you can always refer to the sample Microsoft implementation. Their source is available here
I've done several sites with custom membership providers.
If you want to use something non-typical, like MySQL in .NET, I would suggest that you at least make it as much non-typical-part-agnostic as possible. In your example, that would be membership provider based on DB-agnostic data access, that is Entity Framework. Then you can even "switch" your underlying DB later without pain.
Look here :
http://efmembership.codeplex.com/
http://www.codeproject.com/KB/web-security/EFMembershipProvider.aspx
What would be best practice to integrate Azure ACS with local custom authentication in ASP.NET MVC application running on Azure? So basically the requirement is that web application must have custom authentication and must also support main identity provides.
I think the best approach is to use Azure ACS (to nicely support main identity provides) and since ACS in based on WIF (Identity Foundation) it would nicely fit with local STS.
What are your recommendations about this approach? Do you have better suggestions? Do you maybe have any examples how to integrate ACS with local STS?
Do I thinking wrong and those entities (ACS and local STS) are completely separated? And those are not have to be aware of each other? This would make sense to me.
I am new to the Azure ACS in WIF.
The short answer is yes, this is all possible. The "local STS" part is the one that might or might not be necessary. If you wanted to keep your own authentication, you don;t necessarily need your own STS to do so. I would start with the simplest thing possible: an MVC app relying on an STS (e.g. first a local one, then ACS, then maybe both).
There're many examples here.