Getting Live ID to work via WIF - wif

I'm attempting to use WIF to have my ASP.NET MVC app rely on Windows Live ID for authentication. I've followed this example exercise:
Exercise 4
However, it does not work for me. Mileage varies, sometimes I get an error about Windows Live ID experiencing problems, but most of the time it simply does not redirect back.
Has anyone got WIF and Live ID to cooperate?

Make sure you download the latest bits from the Training Kit just in case. One of the easiest ways of integrating with LiveID is through Windows Azure AppFabric ACS (Access Control Service). In addition to LiveID it gives you integration with other Identity Providers (Google, Facebook, any WS-Federation STS, etc).

Related

Okta secure web apps on Azure Virtual Machines

We have 2 web applications that have been in production for several years. They are currently only accessible from the intranet of the company. Future changes in the company's organization require making these applications accessible from the internet. It is planned to use Okta to reinforce security. I don't know anything about Okta yet. The changes should have as little impact as possible.
Current situation:
Web App 1:
ASP.NET MVC solution secured with userid/password ASP.NET Membership with forms authentication. Userid is an internal user code like ADE465 for example.
Web App 2:
ASP.NET MVC solution secured with userid/password authentication through IdentityServer2 (Thinktecture). Userid is firstname dot lastname like john.doe for example.
All web apps are hosted on IIS on an Azure virtual machine named (let's say) FABVM03.
For the future Okta integration: no need to have SSO (Single Sign On). Would it be possible to simply secure with Okta everything accessed on the server FABVM03? Or everything accessed from a specific URL?
For example, if someone tries to access https://example.com/webapp1/login.html Okta should come up and ask for authentication (Okta Verify) and, if successful, allow the user to access the requested URL. In fact, the 'already in place' login/password should then be asked for as is already the case. I agree the user would have to enter credentials 2 times: first for Okta Verify, next for logging in to the specific web application. But that's okay. As you will have understood, no code modification in the web apps would be necessary in this scenario.
My question is to know if something like that is possible with Okta. If not, what is the least impacting possible solution with Okta?
Okta is not there to enforce your policies (PEP); it's mainly an SSO and Access Management solution.
Okta has a component, called OAG (Okta Access Gateway), which can be used to reverse-proxy your on-prem applications (which will work in your situation too, as your VPC is effectively equal to "on-prem in a cloud"). It can do something like what you want (protect your application and ask for authentication/authorization), but it's an additional package on top of basic Okta costs.
What you may need is a level of protection added on the Azure network layer, though I'm not sure if there is something like that. I've seen some modules for nginx capable of intercepting traffic and redirecting it to Okta if it is not accompanied by a token. So try to dig into these 2 directions...
You need some proxy-based solution to talk to Okta and enforce the protection for your applications. There are open source tools:
https://github.com/vouch/vouch-proxy
https://github.com/oauth2-proxy/oauth2-proxy
https://github.com/buzzfeed/sso
Or you can check out some commercial tools:
https://www.okta.com/products/access-gateway/
https://www.datawiza.com/platform/

Multiple Azure/ADFS/OpenConnect/oAuth Identity Framework options on single site

I have an Angular site that is multi-tenant. When they log in they're linked to a specific organization that we keep track of using Web API.
We're using the excellent articles written here: http://bitoftech.net/2014/08/11/asp-net-web-api-2-external-logins-social-logins-facebook-google-angularjs-app/ as our starting point to get everything going with webapi and angular for handling the identity framework through Web Api with Angular and that works well.
We have the ability to login as facebook, google etc. which is all straight forward.
The issue is that we want to be able to set up, for organizations, the ability for their users to log in using their ADFS server, or their Azure AD (or any other OAuth 2 compliant server).
Basically we use a subdomain xxx.yyy.com where xxx is unique to the organization. When they hit that subdomain we show them a button to login using their endpoint.
The problem I'm facing is that I can't find any documentation on how to set this up so that I can have multiple endpoints configured for either OAuth over ADFS or OAuth over Azure (OpenID Connect it looks like; I can't tell if ADFS in Windows 2008 R2 supports OpenID Connect, but it does support OAuth).
Can someone point me in the right direction of how to accomplish this? Do I need to set up a single app.UseOpenIdConnectAuthentication() and then intercept based on the request somehow for all of them? Or are there different rules for ADFS versus Azure so I have to use something else?
Any details would be fantastic. Even an inkling of where to go with this without having to use something like Auth0 would be fantastic.
Have a look at IdentityServer3.
You'll see a number of connections as a general guide (albeit in C#!).
ADFS in Server 2008 R2 has zero OpenID Connect / OAuth2 support. ADFS Server 2012 R2 has zero OpenID Connect / some OAuth2 support (Web API). ADFS Server 2016 is pretty similar to Azure AD - supports both.
Note that you need to support the hybrid OAuth profile.
You could use other protocols for ADFS e.g. WS Federation / SAML (using the OWIN libraries).
Or go the ADAL route.
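The question asks whether one app.UseOpenIdConnectAuthentication() call can serve every organization. The following is an added example, not code from the question, the answer or IdentityServer3: it registers one Katana OpenID Connect middleware per tenant, each with its own authentication type and callback path, and challenges only the scheme that matches the request's subdomain. The tenant names, authorities, client ids, the yyy.com domain and the TenantRegistry/TenantIdp types are constructed placeholders. It assumes the tenants' identity providers publish OIDC discovery documents (ADFS 2016 or Azure AD, per the answer above).

```csharp
// Added example: per-tenant OpenID Connect registration with OWIN/Katana.
// Package assumptions: Microsoft.Owin.Security.OpenIdConnect 3.x and
// Microsoft.Owin.Security.Cookies. All tenant data below is constructed.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class TenantIdp
{
    public string Key;        // subdomain label, e.g. "contoso" in contoso.yyy.com
    public string Authority;  // OIDC issuer; the discovery document is fetched from here
    public string ClientId;
}

public static class TenantRegistry
{
    // Constructed sample data; a real app loads this from its tenant store.
    public static readonly Dictionary<string, TenantIdp> Tenants =
        new Dictionary<string, TenantIdp>(StringComparer.OrdinalIgnoreCase)
    {
        ["contoso"] = new TenantIdp { Key = "contoso",
            Authority = "https://login.microsoftonline.com/<contoso-tenant-id>/v2.0",
            ClientId = "<contoso-app-id>" },
        ["fabrikam"] = new TenantIdp { Key = "fabrikam",
            Authority = "https://adfs.fabrikam.example/adfs",
            ClientId = "<fabrikam-client-id>" },
    };

    // Map a request host such as contoso.yyy.com to its tenant key, or null if unknown.
    public static string KeyFromHost(string host)
    {
        var label = host.Split('.')[0];
        return Tenants.ContainsKey(label) ? label : null;
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // One cookie session holds the signed-in user regardless of which IdP issued the token.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        foreach (var t in TenantRegistry.Tenants.Values)
        {
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                AuthenticationType = "oidc-" + t.Key,            // unique scheme name per tenant
                AuthenticationMode = AuthenticationMode.Passive,  // only runs when explicitly challenged
                Authority = t.Authority,
                ClientId = t.ClientId,
                RedirectUri = "https://" + t.Key + ".yyy.com/signin-oidc/" + t.Key,
                CallbackPath = new PathString("/signin-oidc/" + t.Key), // keeps each handler's callback distinct
                ResponseType = "id_token",
                Scope = "openid profile email",
            });
        }
    }
}

public class AccountController : Controller
{
    // The login button on the tenant's subdomain posts here; challenge only that tenant's scheme.
    public ActionResult Login(string returnUrl)
    {
        var key = TenantRegistry.KeyFromHost(Request.Url.Host);
        if (key == null) return new HttpStatusCodeResult(404, "Unknown tenant");

        HttpContext.GetOwinContext().Authentication.Challenge(
            new AuthenticationProperties { RedirectUri = returnUrl ?? "/" },
            "oidc-" + key);
        return new HttpUnauthorizedResult();
    }
}
```

Passive mode matters here: with several OIDC middlewares registered, only the one named in the Challenge call redirects, and a distinct CallbackPath per tenant prevents one tenant's handler from trying to process another tenant's response. The id_token response type is an assumption for this example; an Angular front end calling the Web API would typically need the hybrid profile the answer mentions.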

How do I add Google OAuth (OpenID Connect) as an IP in Azure ACS?

Disclaimer - I am an extreme n00b when it comes to SAML, ACS and OAuth .. and just auth in general. I'm used to Windows Auth and at a push ADFS. I'm afraid you might need to give me the slow "one word a page" version here.
As I'm sure you are aware, Google has now deprecated the use of the OpenID 2.0 API for authentication (as of May 19th 2014). This has of course completely broken the "Google" Identity Provider (IP) in Azure Access Control Services (ACS). I basically need to add Google support back in for a new project and understand it might be a bit more complicated than "click a few buttons".
I have seen a few blogs mention that I might need to "create an STS for the Google Auth, which I then add to ACS as the IP" but they didn't go into any more detail and I honestly don't have any idea how to do this or what it involves. I am happy to write code (I've been writing C# for almost 10 years) but have never done anything like this before.
Can anyone point me at samples / tutorials that will hopefully not go completely over my head?
The latest samples for Google+ are the ones on the Google+ Github page. Check out the .NET sample, this shows the code flows for OAuth 2.0 using Google's client libraries. There's a blog post on the key OAuth 2.0 flows in .NET as well.
If you are using MVC, there is a blog post on integrating OAuth 2.0 with Microsoft's MVC framework.
Although the samples are not targeted to Azure, I have deployed them to Azure instances without issue. If getting integrated into Azure is shown to be problematic and you think it would be worth it for Google to provide support, please request a feature in the issue tracker.
If you create a plugin, extension, etc that would be useful to other developers, please share with the Google+ developer community.

Configure application pools in IIS Express

Recently I have been using IIS Express and it works really great. However, I have one scenario I am unable to solve.
I am developing a webapp where users should be able to login with their AD account. Since the server which will run the webapp is outside the domain I use ADFS 2.0 as a SSO solution to solve this problem.
To make development for this project easier, I have chosen to use IIS Express when developing.
To be able to exchange claims information with the ADFS 2.0 server from my development environment, I have to configure the application pool for the site to have Load User Profile set to true (as in IIS 7.5). I have searched around the web, and have so far found very little documentation on how to configure application pools in IIS Express.
This has nothing to do with ADFS but it's the way WIF uses to sign and encrypt the cookie that will be used to identify the user after the initial sign in. The default implementation in WIF uses DPAPI which relies on the user profile to get key material.
You can override that default and use the machineKey as key material instead. Indeed that's the way it works in .NET 4.5 by default, precisely because of all the issues with DPAPI. Here you have the way to do it in .NET 4:
http://leastprivilege.com/2012/07/12/machinekey-based-session-protection-for-wif/
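As an added illustration of the answer's point (not code from the answer or from the linked post), this swaps WIF's DPAPI-based session cookie protection for the machine-key based handler that ships with .NET 4.5 in System.IdentityModel.Services. Because the keys then come from the <machineKey> element in web.config rather than from DPAPI, the session cookie no longer depends on a loaded user profile, which is what the Load User Profile setting was compensating for. It assumes a .NET 4.5 project with an explicit <machineKey> configured so every instance shares the same keys.

```csharp
// Added example: use MachineKeySessionSecurityTokenHandler instead of the
// DPAPI-backed SessionSecurityTokenHandler (.NET 4.5 System.IdentityModel).
// Assumes web.config carries an explicit <machineKey validationKey="..."
// decryptionKey="..." /> so the cookie survives process and machine changes.
using System;
using System.IdentityModel.Services;
using System.IdentityModel.Services.Tokens;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_Start()
    {
        // Raised once, when WIF builds its federation configuration; hook it
        // before any session cookie is written or read.
        FederatedAuthentication.FederationConfigurationCreated += OnFederationConfigurationCreated;
    }

    private static void OnFederationConfigurationCreated(object sender, FederationConfigurationCreatedEventArgs e)
    {
        var handlers = e.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers;

        // AddOrReplace removes the handler registered for the session token type
        // (the DPAPI one) and installs the machine-key based handler in its place.
        handlers.AddOrReplace(new MachineKeySessionSecurityTokenHandler());
    }
}
```

The same switch can be made declaratively in the system.identityModel section of web.config by removing SessionSecurityTokenHandler and adding MachineKeySessionSecurityTokenHandler; the code form above is shown because it makes the replacement explicit and keeps it next to the rest of the application's startup wiring.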

Fake Open ID provider for testing purposes

Like SO, I am going to depend on many OpenID providers to provide user authentication and I will use my own authorization methods. But I'm still in the development phase, and don't want to work with real OpenID providers currently. What approach can I use to test my users and their activities in the website (w/o TDD), to emulate real users but not really use OpenID providers?
No need to make an auto-transfer of users into real OpenID servers (when moving to production mode) since the current users are just for testing purposes and unit-test code.
I guess I need a User Service layer which provides a highly abstracted way to deal with users, so that the move to the real OpenID providers can be smooth in the future and doesn't affect the logic of my already written code.
Using C#.Net 4, ASP.Net MVC 3, Ninject
DotNetOpenAuth provides both server and client portions of OpenID and can be used to run your own OpenID provider for local testing.
Give your site members their own OpenIDs with the provider support included in this library.
Sample relying party and provider web sites show you just how to do it.
I simply register my test id as user with various organisations. I don't see anything wrong with that. I get to see the various responses and their differences.
I found it terribly easy to code for openid consumer. Just need to understand the sequence of responses. Draw the UML sequence diagram to aid your understanding before you start coding. No need to fake openId. Otherwise, whip up an openid server yourself.
Your services shouldn't depend on OpenID. Just have OpenID plug into an authentication module to provide a local user principal. In development, you can have the auth module return a fake user principal with the permissions you desire.
In a beta environment you could turn on OpenID and use test accounts from any OpenID provider. Having to log in during the development phase will just slow down all the developers. Any authentication bug or internet outage will kill everyone's productivity.
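The last answer's design, an authentication module that hands the rest of the application a local principal and can be swapped for a fake in development, as an added example that is not code from any of the answers. The IAuthenticationModule, AppPrincipal, IOpenIdSession and IUserStore names, and the auth:mode app setting that selects the binding, are assumptions made for this example; the OpenID relying-party step is left behind the IOpenIdSession interface so the application code never sees a provider.

```csharp
// Added example: authentication abstraction with a development fake and a
// Ninject binding chosen per environment (ASP.NET MVC 3, .NET 4).
// Names and the "auth:mode" app setting are assumptions, not a library API.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using Ninject.Modules;
using Ninject.Web.Common;

// What controllers and services depend on: a principal, never OpenID itself.
public interface IAuthenticationModule
{
    IPrincipal GetCurrentPrincipal(HttpContextBase context);
}

public class AppPrincipal : IPrincipal
{
    private readonly HashSet<string> _roles;
    public AppPrincipal(string name, IEnumerable<string> roles)
    {
        Identity = new GenericIdentity(name, "app");
        _roles = new HashSet<string>(roles, StringComparer.OrdinalIgnoreCase);
    }
    public IIdentity Identity { get; private set; }
    public bool IsInRole(string role) { return _roles.Contains(role); }
}

// Development: no network round trip, no provider; choose the roles to exercise.
public class FakeAuthenticationModule : IAuthenticationModule
{
    private readonly string _user;
    private readonly string[] _roles;
    public FakeAuthenticationModule(string user, params string[] roles) { _user = user; _roles = roles; }
    public IPrincipal GetCurrentPrincipal(HttpContextBase context)
    {
        return new AppPrincipal(_user, _roles);
    }
}

// Production: the relying-party sign-in stored a claimed identifier; map it to a local user.
public interface IOpenIdSession { string GetClaimedIdentifier(HttpContextBase context); }
public interface IUserStore { IPrincipal FindByOpenId(string claimedIdentifier); }

public class OpenIdAuthenticationModule : IAuthenticationModule
{
    private static readonly IPrincipal Anonymous =
        new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
    private readonly IOpenIdSession _session;
    private readonly IUserStore _users;
    public OpenIdAuthenticationModule(IOpenIdSession session, IUserStore users) { _session = session; _users = users; }
    public IPrincipal GetCurrentPrincipal(HttpContextBase context)
    {
        var id = _session.GetClaimedIdentifier(context);
        if (id == null) return Anonymous;                 // not signed in
        return _users.FindByOpenId(id) ?? Anonymous;      // unknown identifier: no local user
    }
}

// Ninject wiring: the environment, not the code, decides which module is bound.
public class AuthNinjectModule : NinjectModule
{
    public override void Load()
    {
        if (ConfigurationManager.AppSettings["auth:mode"] == "fake")   // assumed app setting
            Bind<IAuthenticationModule>().ToConstant(new FakeAuthenticationModule("dev.user", "Admin", "Editor"));
        else
            Bind<IAuthenticationModule>().To<OpenIdAuthenticationModule>().InRequestScope();
    }
}

// Global.asax: attach the principal once per request so [Authorize] and User.IsInRole work unchanged.
public class MvcApplication : HttpApplication
{
    protected void Application_PostAuthenticateRequest()
    {
        var module = DependencyResolver.Current.GetService<IAuthenticationModule>();
        Context.User = module.GetCurrentPrincipal(new HttpContextWrapper(Context));
    }
}
```

The fake binding is selected by configuration rather than a compile-time symbol so a beta deployment can flip to the real module without a rebuild; keep the fake binding out of any configuration that reaches production, since it grants the named roles to every request.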
