I am looking for Single sign on (SSO) with SAML2 tokens and I have to used ADFS. I can't use WIF.
I googled a lot to understand SSO, SAML2 and ADFS, now I have some doubts which I am not getting.
Scenario: The applications are asp.net MVC application
1. App-A(Windows Authentication) : hosted and it is using ADFS.
2. APP-B(Form Authentication): authenticates the user using the UID and PWD stored in DB.
Do I need a intermediate application to accept the SAML2 token and process it(similar to Identity provider) or it can be done in the App-A itself?
In the App-B what are the things I have to implement to make it aware of SAML2 request(do i need to implement custom handler)?
please help me to choose the right things for the implementation.
--Thanks--
You need a SAML stack for your application.
Refer SAML : SAML connectivity / toolkit and the links in that entry.
For A, perhaps you can use the WIF SAML extension mentioned in the article above?
For B, you need to rip out the DB authentication and add the SAML functionality as for A or else have a look at Identity Server which you can federate with ADFS and which also authenticates using a DB (but doesn't support SAML itself).
Related
I have a Java Spring MVC application (note that its not spring boot).
We have a requirement to implement SSO for the users of our application. I did some research, the identity provider (IDP) in our case is Azure AD. The service provider would be my application in this case. I am thinking of using SAML protocol for SSO.
Also note - The application is http based (not HTTPS)
What I've done so far -
I've created an Enterprise Application on Azure and configured entityId and replyURL. I also added a user for this application.
Where I'm stuck -
Although I did read the related Spring documentation to achieve this, since I'm a newbie here, I still don't have a clear path as to how can I take this forward in my application. I found some solutions, they seem to be examples for spring boot. Can someone please help me with guides as to how this can be done in Java Spring? Which maven dependency I could use and any sample example to start working with SAML? A step by step explanation would be highly appreciated, thankyou.
Also, any other options than SAML would also be fine.
The Spring Security SAML extension (https://docs.spring.io/spring-security-saml/docs/1.0.0.RELEASE/reference/html/index.html) had an example web app. You may read the referenced doc and apply it to Spring Security SAML. It should not be too much difference.
I’m very glad to register the flow in the event of implementing Azure AD B2C OIDC/OAuth protocol with existing Spring MVC architecture.
Below Spring docs reveal that how was our existing project's spring-security layer being served in the context of filter-chain.
Pre-requisites
Authentication Filter - Form Based Login with Legacy IDP
Authentication Manager – Providing the user details authorities along with http session object
For accomplishing this Azure B2C Integration, we've gone thro' lot of repos but most of them are relying with Java config based but we were interested on Spring namespace with limited code/architectural change.
Then finally we came to the conclusion that how to extend the spring default auth-filter/manager for getting valid session object from security context based on the Azure provided (id/access) token after the successful user authentication.
Customizing Spring-Security
The detailed documentation on how to extend auth-filter/manager is available here with © reserved by terasoluna.org
We customized the spring security in such a manner that auth-filter will carry the token_validation against the given token from Azure and authentication manager will extract user details such as roles/privileges w.r.t to the object-id mapped in our DB's user entity.
Once the Spring security customization is done then we can able to integrate the Authorization-server [Azure in our case] and Resource-server [Existing Spring Application] by following the conventional methods.
I have an Angular application(ex. https://localhost:44301) that is
using Web API(ex. https://localhost:44302) to interact with data.
I have an Identity Server 4 (ex. https://localhost:44303) for authentication in which we have even
configured external login with Azure AD.
Our Architecture is something like below :
Now I want to add ADFS 3.0 (even ADFS 4.0 i.e. multiple ADFS) as a external login provider
So as per my research I have to go for only OAuth 2.0 with
Authrization Code Grant.
ref: https://github.com/nordvall/TokenClient/wiki/OAuth-2-in-ADFS
For that what type of configuration should I add into ADFS server. I am mainly confused about:
what should add as relying party trust identifier ?
what should as a resource into authorization request ?
what configurations for custom claims ?
There are three ways you can do this.
You can add ADFS via:
SAML 2
WS Fed
OpenID Connect
So:
SAML or you could use the Rock Solid Knowledge stack described in that blog
WS-Fed - use the built-in ASP.NET Core SP option
OIDC is doable but rather go with above
In both these cases, ADFS is a CP to idsrv4. idsrv4 is an SP to ADFS.
If you go with OIDC, it's an application group.
I'm wondering if it is possible to use Thinktecture IdentityServer simply as an STS alongside an existing web app? That is, I want to use ASP.NET Identity for authentication in my web app because I want to use all of the built-in functionality like 2-factor, etc. However, I want to use IdentityServer as an STS to serve up tokens to access my web services (WCF and Web API).
I thought perhaps I need to authenticate normally through ASP.NET Identity, then again through IdentityServer to get the token. However, this seems heavy and wasteful.
Is there perhaps some way to authenticate against the IdentityServer directly from ASP.NET Identity? I saw the sample where we can integrate the two together (IdentityServer using ASP.NET Identity), but it seemed like I might lose the ability to use all of the built-in stuff like two-factor workflows.
I'm hoping I'm way off base here, and apologies if I have some fundamental misunderstandings about how IdentityServer works. Perhaps there is a way to get all of the added functionality that ASP.NET Identity provides from within IdentityServer?
Identity Server will handle all authentication, no need for double sign-ins if you are using it correctly.
You'll have to implement two factor authentication yourself though as it is not currently supported by Identity Server. However extending Identity Server's existing support for ASP.NET Identity to allow for two factor authentication is definately possible.
I think your first port of call should be to have a bit of a deep dive into the Identity Server documentation and the OpenID Connect protocol. After that check out UserService documentation and then derive from the existing ASP.NET Identity UserService to add support for two factor authentication.
I have a setup of IdentityServer with configuration of a client with hybrid flow. Is it possible to have an ASP.NET MVC app to use this instance of IdentityServer to log-in the user without looping to IdentityServer's log-in page? That is, use a custom log-in page on the client side to get user credentials and then make a server-side connection with IdentityServer to do the authorization? Is there any sample that demonstrates this? Thanks!
From how I interpret your question, the Resource Owner Password Credential Flow seems to fit your scenario.
See the FAQ-like answer here.
"Q. Which Flow Types designed to be used ONLY in trusted environment (like backend REST API/ micro-services isolated from internet, or owned servers/devices, in general: trusted OAuth2 clients)?
A.
Resource Owner Password Credential Flow (ROPCF) [it involve human: app show its own login page then pass user/pass... to STS].
Client Credential flow [machine to machine (API to API): supply client-id and secret]."
*Disclaimer - I understand you are currently using Hybrid flow- My answer simply implies you could change your solution. If that is not possible, then I would suggest looking into multiple OAuth implementations for an MVC app.
Since I didn't get an answer for this, I'm just posting what I've found so far.
It looks like it is not possible to bypass the IdentityServer's log-in page.
For more info about IdentityServer flows see: OIDC and OAuth2 Flows
I am building a website using ASP.NET MVC 3 and have forms authetication setup correctly (user is able to register and login). I want to setup an OData WCF Data Services service so a Windows Phone 7 (Mango Beta 2 Refresh) client can authenticate and query the Odata service, with CRUD actions. This idea comes from the FullStack episodes here. They use OAuth login, but I wanted to use the user setup I already have, instead of an OAuth solution.
I do have this all working without auth currently (MVC app with Odata client on wp7), but am looking to make the Odata service secure. I guess I am looking for some articles or walkthroughs on how to get this working.
If forms authentication is not the correct choice, please let me know.
UPDATE
So lots of research done on this. There is an official how-to series on the blog for the WCF team here. Since forms auth is already configured on the web app, adding a check inside the QueryInterceptor provides the auth. However it uses a 'standard authentication endpoint' for client apps to actually 'login' that seems to use the base Membership providers, which I don't use. Is there a way to override this?
You could turn your custom forms authentication setup into a Claims based Federated Authentication Provider (STS) using Windows Identity Foundation. Then use that to authenticate your wp7 app with the STS provider and then send that claim (token) to your Odata service which will verify its an authentic claim. There is an example of this in the WIF training kit