I have a WIF web application which authenticated with ADFS. I need to create an intermediate page which can be accessed anonymously. So when an anonymous user access website, it always open this intermediate page, from there, user can click 'Sign In' button or HyberLink to redirect to ADFS. After authenticated by ADFS, redirect back to real web page(such as 'Profile' page). When authenticated user click 'Sign Out' button, it should redirect back to intermediate page(anonymous page).
You can "unprotect" any page using the standard ASP.NET security configuration. In web.config you could add :
<location path="openpage.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
On the page you can just put a button to redirect to the adfs login page and logout page (You can create the correct urls using SigninRequestMessage and SIgnOutRequestMessage.
p.e. :
var request = new SignInRequestMessage(new Uri("http://adfslocation"), "originalRealm")
{
Reply = "http://localhost/openpage.aspx"
};
Then you can redirect to request.WriteQueryString();
Related
I have 2 applications, one is mvc web application with Msal .net code for Azure ad B2C login and second application is power apps portal using same azure ad b2c login. I have added iframe into both application for silent login if user logged in any one of the application, on power apps portal it worked on all browser like chrome, firefox, edge, opera. But for mvc application it work only on firefox browser, other than firefox it's request does not get authenticated. When I debug iframe request, able to see acquire token
IConfidentialClientApplication confidentialClient = MsalAppBuilder.BuildConfidentialClientApplication(new ClaimsPrincipal(notification.AuthenticationTicket.Identity));
Globals.ClientInfo = confidentialClient;
// Upon successful sign in, get & cache a token using MSAL
AuthenticationResult result = await confidentialClient.AcquireTokenByAuthorizationCode(Globals.Scopes, notification.Code).ExecuteAsync();
Globals.AuthenticationResult = result;
Globals.Claims = notification.AuthenticationTicket.Identity.Claims;
Globals.EncryptedClaim = notification.JwtSecurityToken.RawData;
but into call back function Request.IsAuthenticated is false.
My web application is using .net framework 4.7.1 and Microsoft.Identity.Client version 4.29.0, please help me to resolve this issue.
Also i am getting below error for my b2c callback method on chrome and edge, automatically response cookies are getting set Lax instead None, is this causing problem to set cookies for iframe.
Thanks,
Sandy
Request.IsAuthenticated is FALSE when you deal with <authentication mode="Forms"> and TRUE if you deal with <authentication mode="Windows" />.
So, to solve this problem check the authentication mode in your web.config. Add the following code in your web.config :
<authentication mode="Forms">
<forms loginUrl="~/_Login/Login" timeout="30" />
</authentication>
and
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
</modules>
<system.webServer>
Set the reply URL to your main homepage URL in both the registration and the config and make sure that the application ID and client ID are matching.
Refer the following links for more information :
Microsoft AAD Identity And Access Management With MVC 5 Web Application.
Request.IsAuthenticated is false after logging into Active Directory| MSDN
If in case you are getting redirected to the login page after successfull login then you will need to change the CookieManger :
var cookieOptions = new CookieAuthenticationOptions();
cookieOptions.CookieManager = new SystemWebCookieManager();
app.UseCookieAuthentication(cookieOptions);
Check this document for more information.
I am having MVC application which is integrated with ADFS .
Summary
I am setting a session before calling ADFS authentication. After the return of ADFS call,that session got lost which i set previously.
Detailed Description
Step 1 Calling application URL
https://hrcentral/mainmodule/expense/index
step 2 Above call redirect the request to WIF component which is a httphandler in my application
hence url : https://hrcentral/federationMetaData/wif.axd ?ReturnUrl=https://hrcentral/mainmodule/expense/index
Web.config i have setting like below for redirection
<authentication mode="Forms">
<forms loginUrl="~/FederationMetadata/WIF.axd" name="smartForms" />
</authentication>
Step 3: setting a session inside the WIF.axd httphandler reading returning url from query string
HttpContext.Current.Session["ReturnUrl"]="https://hrcentral/mainmodule/expense/index";
After setting session,it will redirect to ADFS
Step 4 ADFS authenticate and POST request https://hrcentral/federationMetaData/wif.axd will be send inside the same WIF handler.We have a condition to check whether request is POST or NOT.
As this request is POST, previously stored session which contain the ReturnUrl and try to redirect back and land to our application.
Now the issue is the session which is set on step 3 (HttpContext.Current.Session["ReturnUrl"]=ReturnUrl) is not accessible after redirection from ADFS in wif.axd.
In general any session ,any session which is set in our application is lost after the redirection from ADFS.
Authentication will happen after that it will redirect to https://hrcentral/mainmodule/expense/index
Setting session
I made a mvc web app based on this example:
https://github.com/OfficeDev/PnP/tree/master/Samples/MicrosoftGraph.Office365.Generic/OfficeDevPnP.MSGraphAPIDemo
Strange thing is when I work from localhost then all the auth2 authentication works. When I deploy on Azure this happens:
On first page call on Azure I get the response:
An invalid request URI was provided. The request URI must either be an absolute URI or BaseAddress must be set.
On second page call the message:
IDX10803: Unable to create to obtain configuration from: '__AADInstance____AuthenticationContext__/.well-known/openid-configuration'.
I've already seen this post on SO, but I've already set the tenant GUID in the configuration and the AAD privileges are "read directory data" and "sign in and read user profile"
Are there any configuration options on Azure maybe in the new management portal that I should grant?
I have a single tenant addin and this keys in web.config:
<add key="ida:AADInstance" value="https://login.microsoftonline.com/" />
<add key="ida:AuthenticationContext" value="https://login.microsoftonline.com/common" />
<add key="ida:TenantId" value="GUID..." />
<add key="ida:PostLogoutRedirectUri" value="https://localhost:44300/" />
<add key="ida:MicrosoftGraphResourceId" value="https://graph.microsoft.com" />
I tried the section authorization/authentication in the new management portal to enable app service authentication with aad
and could enter the first site of the addin, but the authorization code from my addin was not called and specific file functions don't work if you rely on the portal authorization.
I am trying to setup FormsAuth for my MVC app. When I browse to the login action (which has the AllowAnonymous attribute, I get a 401.2 error. My web.config has:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
<authorization>
<allow users="*" />
</authorization>
My IIS authentication settings for the web app have Forms Auth and Anon Auth enabled the others (including Windows Auth) are disabled.
There are no web.configs in any parent directories overriding the settings.
As per the help screen, I have tried all the suggestions:
Causes
No authentication protocol (including anonymous) is selected in IIS. - Forms and Anon are enabled
Only integrated authentication is enabled, and a client browser was used that does not support integrated authentication. - Not the case
Integrated authentication is enabled and the request was sent through a proxy that changed the authentication headers before they reach the Web server. - Not the case
The Web server is not configured for anonymous access and a required authorization header was not received. - Anon is enabled
The "configuration/system.webServer/authorization" configuration section may be explicitly denying the user access. - Set to allow all
Things To Try
Verify the authentication setting for the resource and then try requesting the resource using that authentication method. - Done
Verify that the client browser supports Integrated authentication. - Using Chrome, other sites work
Verify that the request is not going through a proxy when Integrated authentication is used. - No proxy
Verify that the user is not explicitly denied access in the "configuration/system.webServer/authorization" configuration section. - Verified
Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, click here. - When I run this I get "AUTH_INVALID_ANON_ACCOUNT" error: Logon failure: unknown user name or bad password. (0x8007052e).
Any ideas? I've googled this for quite a bit, but canno't find a solution.
I've also tried changing the app pool to an app pool of a web app that I know works (with the same settings). Still failed.
It works fine with IIS Express
From the auth.gsp page i want redirect to create.gsp if the login is successful.In spring security how to do it?
redirect uri: "/user/create" in login Controller i tried this but after successful login it first go to the default uri then clicking on the login controller again only leads to the create.gsp.
By default spring security stores the request url you want to access before you are redirected to the login page. After you logged in successfully you are then redirected to the page you wanted.
E.g.
user tried to access /test
user not logged in -> redirect user to login page
user successfully logged in -> redirect to /test
You can override this behaviour with the successHandler.alwaysUseDefault config property:
grails.plugins.springsecurity.successHandler.defaultTargetUrl = '/your-url'
grails.plugins.springsecurity.successHandler.alwaysUseDefault = true