How to integrate Azure ACS with local (custom) STS? - asp.net-mvc

What would be best practice to integrate Azure ACS with local custom authentication in ASP.NET MVC application running on Azure? So basically the requirement is that web application must have custom authentication and must also support main identity provides.
I think the best approach is to use Azure ACS (to nicely support main identity provides) and since ACS in based on WIF (Identity Foundation) it would nicely fit with local STS.
What are your recommendations about this approach? Do you have better suggestions? Do you maybe have any examples how to integrate ACS with local STS?
Do I thinking wrong and those entities (ACS and local STS) are completely separated? And those are not have to be aware of each other? This would make sense to me.
I am new to the Azure ACS in WIF.

The short answer is yes, this is all possible. The "local STS" part is the one that might or might not be necessary. If you wanted to keep your own authentication, you don;t necessarily need your own STS to do so. I would start with the simplest thing possible: an MVC app relying on an STS (e.g. first a local one, then ACS, then maybe both).
There're many examples here.

Related

Open source cross domain authentication? Custom databases

So I have been looking into OAuth lately, I want to authorize another of my domain which has separate database using OAuth. Upon searching I found auth0.com. Which sounded similar to Oauth and I created a sample implementation, it offers support for custom databases also. We have users stored in external api running on .net core, and I learnt that auth0.com is not free after trial expiration. So my efforts kindof got wasted. Now I am looking for authorization method that works for both domains.
Now my question is, does it even make sense to use Oauth for this task? Since I won't be giving it to third party and it's matter of two databases. How should i approach this and what are opensource Oauth services that allow custom database.

Looking for a secure and robust STS implementation

I am faced with a project that uses custom authentication via a WCF service that returns a set of claims based on some data identifying a user, close to user name and password. Then on top of this, I have a custom STS, derived from Microsoft.IdentityModel.SecurityTokenService, that resides in an ASP.NET web site project. This project looks like it was created with the VS2010 template, and not carefully had-crafted.
My gut feeling, and lots of on-line advice tell me that this web site STS project is very far from production ready. I am now looking for an MVC based STS that I can use in anticipation of being production ready. TinkTecture's IdentityServer looks promising, but it is so much more than simply implementing a custom derivation of SecurityTokenService, I have no idea where to start. If somebody could steer me toward an open project or walk-through that does this, or offer some guidance as to where and how I can start extending or modifying Identity Server, that would be great.
Have you looked at Thinktecture.IdentityServer v3? I'm at the moment using it and very simple to use.
It is still in Beta but RTM will be available soon. It has good documentation and samples too.
https://github.com/thinktecture/Thinktecture.IdentityServer.v3/wiki/Getting-started
https://github.com/thinktecture/Thinktecture.IdentityServer.v3/wiki
Update:
Identity Server 4 is also available. It supports cross-platform deployment with .NET Core.
https://github.com/IdentityServer/IdentityServer4/
Have you looked at the MSDN article by Michele Leroux Bustamante?
It's a little old and based on WCF, but it has code accompanying it.
Building A Custom Security Token Service
If you want ASP.NET based example, Microsoft published this:
ASP.NET Security Token Service Web Site
There's also this STS project on CodePlex.

WIF simple WITHOUT Federation - Where to start

I am little lost at the moment. Hopefully you can point me in the right direction...
Scenario: WinForms App / Active Directory / ONLY internal network
What I want: Achieve the same that NetSqlAzMan does (authenticate and authorize single operations) using WIF. No Federation, nothing that's not needed for that. Just authenticate a given user via his current Account, get the claims and see if he's allowed to call specific operations.
What is really needed for that? Do I absolutely need ADFS 2.0? What (simple) STS to use? Where to start? All I found on that is going to start with an enormous setup using WCF Federation Bindings and what not. Do I better stick to NetSqlAzMan?
Any help would be greatly appreciated! :)
What you're looking for is active federation (versus passive federation) which uses web services for authentication. Take a look at the Lab 4 here for some samples on how to do this.
As for an STS, you don't have to use AD FS 2.0 (although for Active Directory authentication, it's probably the best option). You can always write your own custom STS using WIF, or you can look at the IdentityServer, but I don't think it has native integration with AD. You'd have to add that, but it wouldn't be too difficult using the ActiveDirectoryMembershipProvider.

dotnetopenauth versus WIF

I need to add social media login capabilities to a site and got stuck a bit, mostly because of the, more or less, non existing beginner documentation regarding these two.
I grasped the basics of DotNetOpenAuth by checking nerddinner but some here suggest WIF so I started looking into it. I realized quickly that just getting clear info explaining if this is feasible at all on shared hosting was not easy. I don't really want to pump through all reference knowledge, technical overviews (checked some out anyway), but just to be able to see the basic functionality.
So my questions are:
Where can I find any tutorials showing the basics and bare minimums needed for WIF to function in an explanatory manner? Preferably setting up WIF in a single MVC site combined with local authorization. Is there any step-by-step documentation at all?
Is WIF feasible, at all, on a single site or would the best option be to find other solutions like DotNetOpenAuth or use the separate APIs? When trying to get to the bottom of this, I have only found information regarding the value of WIF in large, multi-application, and platform environments combined with AD / ADFSv2. Which is completely outisde the bounds of what I need.
When I look at information on WIF, it's mostly linked to ADFSv2 and STS. Is this possible to implement at all for deployment on shared hosting for example?
Any input on the matter is appreciated.
WIF - see the How-to section here.
Also Get Started with Windows Identity Foundation (WIF).
Your best bet is probably to use WIF / ACS. Good link here or look at Windows Identity Foundation (WIF) and Azure AppFabric Access Control Service (ACS) Content Map.
The other way is to add OAuth2 to a custom STS. Refer Identity Server for a really good example of this.
DotNetOpenAuth definitely works on shared hosting, and requires no set up on the web server at all (it's just a .dll in your web site's Bin folder). Depending on the social networking sites in particular that you want to hook up to, it can be just a few lines of code to wire everything up if you're hooking up to OpenID enabled sites.
If the sites you're hooking to use OAuth or OAuth 2, there is more code to write for each individual site to work against their particular proprietary API, but that would also be true for WIF unless they have code to support specific web sites that happen to align with your own.

What is the best way to use live id authentication with azure based asp.net mvc project?

What is the best way to use live id authentication with azure based asp.net mvc project?
I find the options
1) With in Live SDK, there are options like REST, JavaScript, C# etc.
2) Since my project will be hosted in azure, there is another way "Securing Web Applications with ACS" http://msdn.microsoft.com/en-us/library/gg185928.aspx
Please suggest the design and also support with pros when an particular approach is good.
You definitely want to work with ACS. Not only is it intended for this purpose, there's a fully worked up example at
http://msdn.microsoft.com/en-us/library/gg185975.aspx
which will give you a flying start.
ACS, and Windows Identity Foundation in general, lets you take the approach of separating identity verification from your application altogether. This saves a ton of code and means that you have much less "plumbing" to support.

Resources