Configure application pools in IIS Express - wif

Recently I have been using IIS Express and it works really great. However, I have on scenario I am unable to solve.
I am developing a webapp where users should be able to login with their AD account. Since the server which will run the webapp is outside the domain I use ADFS 2.0 as a SSO solution to solve this problem.
To make development for this project easier, I have chosen to use IIS Express when developing.
To be able to exchange claims information with the ADFS 2.0 server from my development environment, I have to configure the application pool for the site to have Load User Profile set to true (like i.e. IIS 7.5). I have searched around the web, and have so far found very little documentation on how to configure application pools in IIS Express.

This has nothing to do with ADFS but it's the way WIF uses to sign and encrypt the cookie that will be used to identify the user after the initial sign in. The default implementation in WIF uses DPAPI which relies om the user profile to get key material.
You can override that default and use the machinekey as key material instead. Indeed thats the way it works in NET 4.5 by default precisely because all the issues with DPAPI. Here you have the way to do it in Net 4
http://leastprivilege.com/2012/07/12/machinekey-based-session-protection-for-wif/

Related

Okta secure web apps on Azure Virtual Machines

We have 2 web applications in production since several years. They are currently only accessible from the intranet of the company. Future changes in the company's organization require to make these applications accessible from the internet. It is planned to use Okta to reinforce security. I don't know nothing about Okta yet. As far as possible, the changes should have as little impact as possible.
Current situation:
Web App 1:
ASP.NET MVC solution secured with userid/password ASP.NET Membership with forms authentication. Userid is an internal user code like ADE465 for example.
Web App 2:
ASP.NET MVC solution secured with userid/password authentication through IdentityServer2 (Thinktecture). Userid is firstname dot lastname like john.doe for example.
All web apps are hosted on IIS on an Azure virtual machine named (let's say) FABVM03.
For the future Okta integration: no need to have SSO (Single Sign On). Would it be possible to simply secure with Okta everything accessed on the server FABVM03? Or everything accessed from a specific URL ?
For example, if someone tries to access https://example.com/webapp1/login.html Okta should comes up and ask for authentication (Okta verify) and if successful allow the user to access the requested url. In fact, the 'already in place' login/password should then be asked as it is already the case. I agree the user would have to enter credentials 2 times: first for Okta verify, next for login the specific web application. But that's okay. As you will have understood, no code modification in the web apps would be necessary in this scenario.
My question is to know if something like that is possible with Okta. If not what is the less impacting possible solution with Okta ?
Okta is not to enforce your policies (PEP), it's mainly SSO and Access Management solution.
Okta has a component, called OAG (Okta Access Gateway), which can be used to reverse-proxy your on-prem applications (which will work in your situation too, as your VPC is effectively equal to "on-prem in a cloud"). Which can do something like you want (protect your application and ask for authentication/authorization), but it's an additional package on top of basic Okta costs.
What you may need is a level of protection added on Azure Network layer, not sure if there is something like that though. I've seen some modules for nginx, capable of intercepting traffic and redirecting it to Okta, if not accompanied with a token. So try to dig into these 2 directions...
You need some proxy-based solution to talk to Okta and enforce the protection for your applications. There are open source tools:
https://github.com/vouch/vouch-proxy
https://github.com/oauth2-proxy/oauth2-proxy
https://github.com/buzzfeed/sso
Or you can checkout some commercial tools:
https://www.okta.com/products/access-gateway/
https://www.datawiza.com/platform/

SSO MVC ASP.NET CORE 1.1

Can someone explain to me how to achieve single-sign on? I have an MVC ASP.NET core web app(let's say www.internalsite.com), how can the app get the user credentials automatically and authenticate etc.? I need a very clear explanation on how to do it.
By using www.internalsite.com I guess you are talking about a site on an intranet, right? How are you hosted? IIS in front of Kestrel? If so, then it's quite straightforward, you just need to configure IIS to foward the Windows identity (coming from a Kerberos token usually) by setting the proper value in the web.config: forwardWindowsAuthToken="true" as explained here: Asp.net Core Web API - Current user & Windows Authentication and make sure you have a controller/action protected by an [Authorize] tag so that the IIS middleware is challenged and set the identity of the request as explained here: NTLM authentication on specific route in ASP.NET Core No much code to write in your project. If you are using another hosting setup, WebListener, it is pretty much the same.
Another solution, would be to do SSO by client certificate which has the advantage of working cross domain, but SSO by Kerberos is by far easier and usually doing a good job on an intranet.

Multiple Azure/ADFS/OpenConnect/oAuth Identity Framework options on single site

I have a Angular site that is multi-tenant. When they login they're linked to a specific organization that we keep track of using Web Api.
We're using the excellent articles written here: http://bitoftech.net/2014/08/11/asp-net-web-api-2-external-logins-social-logins-facebook-google-angularjs-app/ as our starting point to get everything going with webapi and angular for handling the identity framework through Web Api with Angular and that works well.
We have the ability to login as facebook, google etc. which is all straight forward.
The issue is that we want to be able to setup for organizations the ability for them to have their users login using their ADFS server, or their azure ad (or any other oAuth 2 compliant server.)
Basically we use a subdomain xxx.yyy.com where xxx is unique to the organization. When they hit that subdomain we show them a button to login using their endpoint.
The problem I'm facing is that I can't find any documentation on how to set this up so that I can have multiple endpoints configured for wither oAuth over ADFS or oAuth over Azure (openconnect it looks like, can't tell if ADFS in Windows 2008 R2 supports openconnect, but it does support oAuth).
Can someone point me in the right direction of how to accomplish this? Do I need to setup a single app.UseOpenIdConnectAuthentication() and then intercept based on the request some how for all of them? Or is there different rules for ADFS versus Azure so I have to use something else.
Any details would be fantastic. Even an inkling of where to go with this without having to use something like Auth0 would be fantastic.
Have a look at IdentityServer3.
You'll see a number of connections as a general guide (albeit in C#!).
ADFS in Server 2008 R2 has zero OpenID Connect / Ouath2 support. ADFS Server 2012 R2 has zero OpenID Connect / some OAuth2 support (Web API). ADFS Server 2016 is pretty similar to Azure AD - supports both.
Note that you need to support the hybrid OAuth profile.
You could use other protocols for ADFS e.g. WS Federation / SAML (using the OWIN libraries).
Or go the ADAL route.

Disable Security during development in AspNet MVC environment

I am looking for best practices around security configuration management in web application during development. I have 2 situations.
I have a bunch of functions (say REST APIs) that returns some data from the database. In production, the calling client will have to authenticate itself say against a AspNetMembership provider.
There is another set of functions where in the authenticated principal information is required to fetch the data.
During development the developer needs to setup security and https in IIS to make this happen. Is there best practices followed in Asp.Net or in other programming languages to disable security during development so that the developer does not have to setup security in local IIS server (not Cassini) where the application is hosted and also not supply credentials in header when debugging.
The best practices would be not to allow security to be disabled. If you're using Forms Authentication, security shouldn't need to be set up in IIS, just in the application, and Visual Studio easily lets you add a development certificate to enable HTTPS.
One last best practice: Use ASP.NET Identity, not AspNetMembership for your identity provider. AspNetMembership is legacy at this point, and does not follow modern security best practices.

Getting Live ID to work via WIF

I'm attempting to use WIF to have my ASP.NET MVC app rely on Windows Live ID for authentication. I've followed this example exercise:
Exercise 4
However, it does not work for me. Mileage varies, sometimes I get an error about Windows Live ID experiencing problems, but most of the time it simply does not redirect back.
Has anyone got WIF and Live ID to cooperate?
Make sure you download the latest bits from the Training Kit just in case. One of the easiest ways of integrating with LiveID is through Windows Azure AppFabric ACS (Access Control Service). In addition to LiveID it gives you integration with other Identity Providers (Google, Facebook, any WS-Federation STS, etc).

Resources