Can any one point me in the right direction. I want oAuth2.0 .NET sample that works with ADFS 2012 R2. The sample should manage the session cookies so my client application don't need to enter the password again and again for true SSO experiecne.
Hope this helps you.
-Securing a Web API with Windows Server 2012 R2 ADFS and Katana
http://www.cloudidentity.com/blog/2013/07/30/securing-a-web-api-with-windows-server-2012-r2-adfs-and-katana/
-Access Control Service 2.0
http://msdn.microsoft.com/en-us/library/hh147631.aspx
Related
I have an Angular application(ex. https://localhost:44301) that is
using Web API(ex. https://localhost:44302) to interact with data.
I have an Identity Server 4 (ex. https://localhost:44303) for authentication in which we have even
configured external login with Azure AD.
Our Architecture is something like below :
Now I want to add ADFS 3.0 (even ADFS 4.0 i.e. multiple ADFS) as a external login provider
So as per my research I have to go for only OAuth 2.0 with
Authrization Code Grant.
ref: https://github.com/nordvall/TokenClient/wiki/OAuth-2-in-ADFS
For that what type of configuration should I add into ADFS server. I am mainly confused about:
what should add as relying party trust identifier ?
what should as a resource into authorization request ?
what configurations for custom claims ?
There are three ways you can do this.
You can add ADFS via:
SAML 2
WS Fed
OpenID Connect
So:
SAML or you could use the Rock Solid Knowledge stack described in that blog
WS-Fed - use the built-in ASP.NET Core SP option
OIDC is doable but rather go with above
In both these cases, ADFS is a CP to idsrv4. idsrv4 is an SP to ADFS.
If you go with OIDC, it's an application group.
I have a Angular site that is multi-tenant. When they login they're linked to a specific organization that we keep track of using Web Api.
We're using the excellent articles written here: http://bitoftech.net/2014/08/11/asp-net-web-api-2-external-logins-social-logins-facebook-google-angularjs-app/ as our starting point to get everything going with webapi and angular for handling the identity framework through Web Api with Angular and that works well.
We have the ability to login as facebook, google etc. which is all straight forward.
The issue is that we want to be able to setup for organizations the ability for them to have their users login using their ADFS server, or their azure ad (or any other oAuth 2 compliant server.)
Basically we use a subdomain xxx.yyy.com where xxx is unique to the organization. When they hit that subdomain we show them a button to login using their endpoint.
The problem I'm facing is that I can't find any documentation on how to set this up so that I can have multiple endpoints configured for wither oAuth over ADFS or oAuth over Azure (openconnect it looks like, can't tell if ADFS in Windows 2008 R2 supports openconnect, but it does support oAuth).
Can someone point me in the right direction of how to accomplish this? Do I need to setup a single app.UseOpenIdConnectAuthentication() and then intercept based on the request some how for all of them? Or is there different rules for ADFS versus Azure so I have to use something else.
Any details would be fantastic. Even an inkling of where to go with this without having to use something like Auth0 would be fantastic.
Have a look at IdentityServer3.
You'll see a number of connections as a general guide (albeit in C#!).
ADFS in Server 2008 R2 has zero OpenID Connect / Ouath2 support. ADFS Server 2012 R2 has zero OpenID Connect / some OAuth2 support (Web API). ADFS Server 2016 is pretty similar to Azure AD - supports both.
Note that you need to support the hybrid OAuth profile.
You could use other protocols for ADFS e.g. WS Federation / SAML (using the OWIN libraries).
Or go the ADAL route.
I have to develop an ASP.NET MVC website. For authentication, we have decided to use OKTA as the authentication provider. We do not want to use Okta API, but we would like to use SAML implementation. Are there any articles/guidelines available on this? I also would like to know how can we extend this to a WCF service. All of these will be hosted in Azure.
Here are the SAML libraries that I suggest using to add SAML to an ASP.NET MVC website:
For .NET Framework 4.5 or above use Kentor Authentication Services.
For .NET Framework 4 or below use ComponentSpace SAML 2.0. (Paid software, licenses start at $299)
High level guidance on adding SAML support to an existing application is available here: http://developer.okta.com/docs/guides/saml_guidance.html
I have not had any luck finding a consolidated view of changes from ADFS 2.0 to 2.1. Is there such a resource out there? I'm interested in new features.
Also, I'm looking specifically if AD/LDS can be used as an IdP for ADFS 2.1. I believe this was possible in ADFS 1.0, then not in ADFS 2.0, and I'm hoping (though against hope, I think) that it's back in ADFS 2.1.
Thanks for any help on either of these two questions.
Refer: Guidelines for Migrating an Application Built Using WIF 3.5 to WIF 4.5.
That's the basic difference.
In ADFS 2.1, ADFS and WIF are built-in - no need for seperate downloads.
For completeness, in R2, Extending device support in Active Directory.
No - no change to LDS.
I would like to use Windows Identity foundation in an Azure WebSite. I noticed that Azure Websites support .Net 4.0 and not .Net 4.5. Does anyone know if there is a way to use WIF in an Azure WebSite?
Vittorio Bertocci (Mr. WIF himself) just posted a blog post on this topic:
http://blogs.msdn.com/b/vbertocci/archive/2013/01/28/running-wif-based-apps-in-windows-azure-web-sites.aspx.
WIF 1.0 works fine in Azure - refer How to implement single sign-on with Windows Azure Active Directory - ASP.NET Application.
Or you go go the Azure ACS route - Facebook etc.
Are you asking - "Does anyone know if there is a way to use WIF 4.5 in an Azure WebSite"?
This will be available approximately end of this month. Please sees http://social.msdn.microsoft.com/Forums/en-US/windowsazurewebsitespreview/thread/3fab0f32-23c9-4122-9ece-8c3edbadde47 for more detail, or check back in a couple weeks.
Thanks!