What is the difference between AuthenticationStatus.Canceled and AuthenticationStatus.Failed in dotnetopenauth?
According to the metadata in DotNetOpenAuth.dll, the enumerations are described as:
AuthenticationStatus.Canceled: The authentication was canceled by the user agent while at the provider.
AuthenticationStatus.Failed: The authentication failed because an error was detected in the OpenId communication.
This should be shown by Visual Studio's intellisense (if you're using VS). I obtained it from v3.4.5.10202 of the dll.
Related
I built a claims-aware asp.net mvc application following the steps outlined in this page: https://learn.microsoft.com/en-us/dotnet/framework/security/how-to-build-claims-aware-aspnet-mvc-web-app-using-wif. The example in the page uses an STS on the local host, but in my application I am pointing to a fully-functioning AD FS on a different server.
I'm using Framework 4.7 and Windows Server 2016 to host the AD FS and to host the web application.
After I deployed the application I ran the Windows Identity Federation Utility against it (because I thought I needed it to add the application as a Relying Party Trust on the AD FS). This utility inserts a lot of tags into the web.config that refer to the Microsoft.IdentityModel namespace.
I then added the application as a Relying Party Trust to the AD FS, and navigated to the claims-aware app. The page failed because the sample code cast the claim returned by the STS as System.Security.Claims.Claim. When I changed it to cast as Microsoft.IdentityModel.Claims.Claim it worked fine.
The example I was following makes no mention of the Windows Identity Federation Utility. Do I need to use that? Or would this have worked without it?
When I try reversing the web.config changes that the utility inserted the site fails with a 401 error (access denied due to invalid credentials) so obviously the stuff inserted by the Utility is needed to get authentication from AD FS. Is this because I ran the Utility on the web site before adding it as a relying party trust to the ADFS?
The answer here is: don't run the Windows Identity Federation Utility if you are using ADFS Server 2016, as it forces use of the Microsoft.Identity libraries, which are deprecated. I mistakenly thought this utility was needed to create the FederationMetadata.xml file.
I created the FederationMetadata.xml file manually and reverted my web.config back to what it was before I ran the utility. This reverted me back to using the System.Identity libraries, which were added to the 4.5 framework, instead of the now-deprecated Microsoft.Identity libraries.
Just to note that the more "modern way" is to use the OWIN WS-Federation library.
This example is for Azure AD but you simply point to the metadata and the code figures all the rest out for itself.
I want to make a authorization mail.ru but can't find provider.
someone knows how to connect mail.ru or how to configure a different provider?
SS wiki
There's now an OAuth2 MailRuAuthProvider included in the ServiceStack.Authentication.OAuth2 NuGet package that's available from v4.5.1 that's now available on MyGet.
I wanted to implement a small Proof of Concept for ADFS integration with MVC application. For this I created a virtual machine for Windows 2008 R2 and configured ADDS, ADCS and added my updated my server domain to one created one using ADDS.
After this I created certificate using ADCS.
Now, installed ADFS 2.0 using Microsoft download of ADFSSetup.exe RTW.
With help of some I configured ADFS & added relying party trust from my MVC application SSL URI.
After this I tried to run the application however started facing 403.14 error page.
Following observations as outcome from entire configuration:
I tried to access "<>/federationmetadata/2007-06/federationmetadata.xml" and I
got a proper XML which is as per expected.
I saw couple of entries from server computer - IIS website as like "http://<>/adfs/services/trust" OR "https://<>/adfs/ls/" however couldn't get any response from server. even I tried to access same from server using localhost instead of server names, then also no luck.
Then to cross-verify I checked IIS's default website where I found adfs/ls however it was a like a website. Not sure correct or not. I couldn't find anything 'services/trust' under ADFS IIS application.
After that I installed ADFS from Server manager and saw one more virtual directory 'fs',added under adfs application. when I tried to access 'fs' using https I am able to access it easily and can see SOAP service and page displayed with available web method.
I tried to find more on 'adfs/ls' and 'adfs/services/trust' however couldn't get much more information.
Please, if anyone came across this issue. Do let me know.
This is not an issue, this is how ADFS works. Next step you have to configure claims providers and relying parties from ADFS management console (from Admin tools). Relying party could be a sample claims aware MVC application. It should work
The only URL's that ADFS "answers" to are the federation metadata endpoint and the IDPInitiated one.
adfs/ls expects either WS-Federation or SAML parameters after it. On its own it will throw an error.
Then follow How To: Build Claims-Aware ASP.NET MVC Web Application Using WIF.
Why are you using Windows 2008 R2? (ADFS 2.0)? You should rather use Windows 2012 R2 (ADFS 3.0).
I'm trying to configure the organization authentication in an ASP.NET MVC project in Visual Studio 2013 RC.
After filling the data in the create project dialog, like Microsoft instructed in their tutorials, I'm getting an error which says that the configure failed.
I've tried to do so as well in Visual Studio 2012 using the identity addon.
Maybe it's related to Windows Azure AD?
Here is the error that I'm getting:
Hopes that someone knows how to fix that issue. Thanks for any help and suggestion!
This question is old, but today I found a workaround that I'd like to share.
It seems like we can't use Microsoft Account when we're using WAAD.
So:
Create a WAAD.
Add an administrator
Choose local directory account, not Microsoft Account.
Grant this account Global Administrator permissions.
Open Visual Studio and create a new web based project.
Choose in authentication the "Organization Accounts".
Specify your WAAD URL (e.g. "foo#onmicrosoft.com").
When you're required to insert your user and password, use the local account username and password. for example ("oz#foo.onmicrosoft.com").
This will allow you to pass the error.
Edit:
Microsoft published a post that referred to this problem and show the solution (the one I described above). http://www.cloudidentity.com/blog/2013/12/11/setting-up-an-asp-net-project-with-organizational-authentication-requires-an-organizational-account/
I would check for two things:
The account used to login to Windows Azure while has Global Admin role in AAD
App ID URI specified in the project creation dialog is valid. Valid App ID URI for domain mydomain.onmicrosoft.com has format https://mydomain.onmicrosoft.com/uniqueUri. Note that you can leave this field blank and the tool will automatically pick the correct App ID URI for you.
If these two things don't help, I would encourage you to run DebugView (http://technet.microsoft.com/en-us/sysinternals/bb896647.aspx) in the background while trying to create a similar project and you can see the actual error message in the trace in DebugView.
In follow up to OzB:
Once you've setup the user in AAD as per OzB's account,
note that you must also then go to "Settings" in Azure and add that account as an administrator of the Azure subscription, otherwise you can't upload the website itself.
I'm using the sample provider and relying party applications that come in the DotNetOpenAuth v4.0.0.12084 zip download and getting a protocol exception within the provider.
The web.config files provided in the samples don't appear to be valid as they try to use ASP.NET MVC 3 with .NET framework 3.5 (2). So I've updated them to use .NET framework 4.
These test URLs are unfortunately on my desktop and not available over the internet.
The provider is running on:
http://login.puffin.mediaburst.co.uk/
Relying party on:
http://testlogin.puffin.mediaburst.co.uk/
OpenID url used when logging in to the relying party:
http://login.puffin.mediaburst.co.uk/user/bob
I get the following error when submitting the OpenId using the relying party:
Error while reading message 'DotNetOpenAuth.OpenId.Messages.CheckIdRequest'
parameter 'openid.claimed_id' with value
'http://login.puffin.mediaburst.co.uk/user/bob'.
Invalid cast from 'System.String' to 'DotNetOpenAuth.OpenId.Identifier'.
(Contact: , Reference: )
I've enabled log4net and have put the provider logfile on pastebin
To test the relying party I've authenticated against google and it works fine, suggesting the request format is correct.
Does anybody have any suggestions on stopping this invalid cast exception?
Yours is the second report for this bug. I've filed issue #109 to track this.
Incidentally, I believe the samples are correct, since MVC 3 works fine on .NET 3.5, as far as I can tell. Although a known bug was that if MVC 4 is also installed on your machine that you build the samples on, they incorrectly bind to MVC 4 DLLs and result in a runtime failure.