Plan :
Many asp net 4.5 sites hosted on azure (will be mapped to different domains) -->
How to share login between the sites?
Option 1 :
Use 1 database for all sites - how each site login and which site is the "master site" which hold
the database?
Option 2 :
Use database for each site with extra 1 global database for users(+forums posts)
Option 3 : ( combine 1+2 ?! )
2 database , 1 for users users(+forums posts) + 1 for data
Either option , I don't know how to do it ...
I'm using CodeFirst Membership Provider
If I login to SiteA is like login for SiteB and etc ( you got the point )
Is it "same domain" if all sites sits on Azure?
You need to use Azure Access Control Service (ACS) which is a part of Windows Azure Active Directory.
Create one ACS namespace and add all your applications urls as relying parties in this namespace through the portal. After that you need to Add a STS Reference from Visual Studio (that comes up when you install Windows Identity Foundation) for each of your application by giving the url of your ACS service namespace.
You will have to add your custom Identity Provider against which you need to do authentication. For example, in your scenario you can have a single database and create a custom STS that authenticates using forms authentication, and you will have to use the url of this service as your Identity Provider in ACS namespace. You have option to Add default identity providers such as Windows Live, Google, Yahoo and Facebook as well in case you want.
For some detailed steps refer this link
There are few sample codes available at MSDN Code Gallery as well.
Use database for each site with extra 1 global database for users
This option sounds good for me.
You can use CAS (Central Authentication Service) and this way you'll have a central point to authenticate the users. CAS will be configured to authenticate in the Global Database.
**It's necessary to configure each ASP Application to authenticate using CAS.
The basic authenticate flow is:
User tries access a specific ASP site.
The ASP site identifies that the users isn't authenticated and redirect the user to CAS (that runs in other web site).
User types your login and password.
CAS checks in the Global Database if the login and password are correct.
If yes, CAS redirects the user to the specific ASP site (step 1).
You will need to install Java and Tomcat (or other java application server) to run CAS. Because of that, I don't know if CAS is a good option for you.
http://www.jasig.org/cas
I'm using CAS authenticating against an Active Directory instance.
Sorry my english.
Related
We have 2 web applications in production since several years. They are currently only accessible from the intranet of the company. Future changes in the company's organization require to make these applications accessible from the internet. It is planned to use Okta to reinforce security. I don't know nothing about Okta yet. As far as possible, the changes should have as little impact as possible.
Current situation:
Web App 1:
ASP.NET MVC solution secured with userid/password ASP.NET Membership with forms authentication. Userid is an internal user code like ADE465 for example.
Web App 2:
ASP.NET MVC solution secured with userid/password authentication through IdentityServer2 (Thinktecture). Userid is firstname dot lastname like john.doe for example.
All web apps are hosted on IIS on an Azure virtual machine named (let's say) FABVM03.
For the future Okta integration: no need to have SSO (Single Sign On). Would it be possible to simply secure with Okta everything accessed on the server FABVM03? Or everything accessed from a specific URL ?
For example, if someone tries to access https://example.com/webapp1/login.html Okta should comes up and ask for authentication (Okta verify) and if successful allow the user to access the requested url. In fact, the 'already in place' login/password should then be asked as it is already the case. I agree the user would have to enter credentials 2 times: first for Okta verify, next for login the specific web application. But that's okay. As you will have understood, no code modification in the web apps would be necessary in this scenario.
My question is to know if something like that is possible with Okta. If not what is the less impacting possible solution with Okta ?
Okta is not to enforce your policies (PEP), it's mainly SSO and Access Management solution.
Okta has a component, called OAG (Okta Access Gateway), which can be used to reverse-proxy your on-prem applications (which will work in your situation too, as your VPC is effectively equal to "on-prem in a cloud"). Which can do something like you want (protect your application and ask for authentication/authorization), but it's an additional package on top of basic Okta costs.
What you may need is a level of protection added on Azure Network layer, not sure if there is something like that though. I've seen some modules for nginx, capable of intercepting traffic and redirecting it to Okta, if not accompanied with a token. So try to dig into these 2 directions...
You need some proxy-based solution to talk to Okta and enforce the protection for your applications. There are open source tools:
https://github.com/vouch/vouch-proxy
https://github.com/oauth2-proxy/oauth2-proxy
https://github.com/buzzfeed/sso
Or you can checkout some commercial tools:
https://www.okta.com/products/access-gateway/
https://www.datawiza.com/platform/
Our business use case is that we have four to five services deployed as java spring web applications. These services have user/customers derived from either registration process or some existing running applications exposed as rest services. We intend to make a single portal which provides users to be able to use a single account / credential to log into many services directly.
With internal approach we assume having individual customer table for each services. And a common Login table for all services whose id is tagged/mapped as foreign key in individual customer table of each services.
Also some services can be accessed without registration , in that case we fetch the data via customers account id from some third rest service and store it in individual services/application customer table and in common Login Table if not already present.
For services which require registration we store the customer credentials in login table if not present; and also in service/applications customer table with a common login table mapping.
But we need a secure portal with session tracking , session timeout just like Single Sign On
With some research we have narrowed the approach to implement the above scenario with either SSO or Oauth2 which her is applicable.
Refer the link (https://stormpath.com/blog/oauth-is-not-sso ) for more insight.
Can someone suggest which approach SSO or Oauth2 is applicable for our business usecase ?
if SSO , which is the best opensource simple SSO for java Spring applications?
if OAuth2 , what will act as Client application, Authorization Server , Resource Owner and Resource Server? As we have services(Java applications) as client application hosted in Common Application/Portal? will the common login table act as resource owner ?
You will likely want SpingSAML. If the applications are hosted on separate paths, like example.org/app1 and example.org/app2 then you could use a Shibboleth Service Provider as the SAML SP for the applications.
You'll still need an Identity Provider of some sort, which SpingSAML can't do, but there are innumerable IdP implementations out there: i.e. Shibboleth Identity Provider, ADFS, or a commercial IdP like Okta, OneLogin, Ping, etc.
I have read all the stack overflow posts and other blogs regarding mixed-mode authentication. I could not find a step by step implementation anywhere.
So here is my scenario. I have developed asp.net MVC 4.5 and asp.net identity 2.0 for individual user accounts. Some of our clients use active directory to authenticate their users whereas others use individual user accounts. Also, those that use active Directory can also remotely access the web portal and in that case authentication would be from database(Form Authentication/individual user account authentication).
My findings so far
create another web application. If this client does not use "active Directory", then redirect to login screen, else, authenticate from active directory (but how?)
Some of the links show that there is no need to create another web application like
Mixed mode authentication with OWIN
ASP.NET Identity + Windows Authentication (Mix mode - Forms + Windows)
ASP.NET MVC and mixed mode authentication
Truly confused as to what to do and how to do..most solutions seem vague and general
There's no need to create a second web application.
Owin is designed to let you use all available providers (such as, Windows authentication and form-based authentication) given that you enable them in IIS.
Briefly, you have to
Enable Anonymous and Windows authentication on IIS - Authentication
(with server or site scope as it best fits to you)
Anonymous authentication - Edit - Use Application Pool Identity
I recently implemented just this kind of authentication on an MVC project and it works like a charm. I suggest you to read this post https://github.com/MohammadYounes/MVC5-MixedAuth it's been really helpful to me.
Our customer is using LDAP and 3 web application. The problem is the user is constantly forced to log on to each different web application.
He shall be able to use Windows authentication / LDAP together with single sign-on in order to be able to use all 3 Web apps without redirect to each login page.
So far, I have found this solution:
https://msdn.microsoft.com/en-us/library/ms972971.aspx
in this case "This Web site verifies (Step 2) the user against their Windows credentials (through Active Directory)." I don't understand how to check users password.
In this example is used only userid. Does it mean, that I'm only able to get users ID and check if a user with the same ID exists in LDAP ?
I would like to know, if there's an another and better way how to implement described functionality.
Please help
I have the following architecture:-
Active directory server
IIS which will host asp.net MVC
Both the Active directory and the MVC web application are inside our company intranet.
I set the Asp.net MVC authentication type to be windows based.
But I have these questions:-
If our company employees tries to access the asp.net MVC web application from their home using their personal PC; will windows authentication work?
If the above answer is Yes; then how they will be typing their usernames, Something similar to username# domain.com ?
According to my above requirements, should I consider having form based authentication that is connected to AD? Instead of using windows based authentication?
Thanks for any help and advice
Best Regards
Assuming your website in IIS is visible to the outside through the firewall, then yes it will be accessible from home
depending on the browser, you should get a pop up asking for username and password, and the username should be typed
MYDOMAIN\JOEBLOGGS
This setup may well work fine but it depends on your needs - is your network admin happy to open this server up to the outside world
There can be a quirk if using Internet explorer externally, where IE does not display a pop up box, and instead tries to authenticate with the local windows username, which may not match AD username if it is a personal PC (to get around this on the client, go to Internet Options > Security > Custom Level then scroll down to User Authentication and select 'Prompt for username and password'