We have a legacy .NET Web Forms SaaS application that uses .NET Framework 4.7.2 and authenticates via the legacy Web Forms authentication against a local SQL database. It tracks the authenticated session via a cookie, which is the standard for forms authentication.
We recently had a customer request SSO using their Azure AD to authenticate into our application. After doing some research I've come up with SAML and OpenID Connect, and I'm leaning toward OpenID Connect.
The challenge is that while this customer uses Azure AD, another customer may use AWS AD, and some still want to use the standard login form on our login page.
Is it possible to have forms authentication work alongside SSO? I'm still educating myself on SSO and it is confusing to say the least, but I generally see people use an identity provider with multiple applications, whereas we seem to be going down the road of a single application using multiple identity providers while still supporting its own authentication method.
Yes, that's doable. We have built a no-code/low-code solution for people to implement this. Here is a demo website: https://demo.datawiza.net/login
Click SSO at the bottom. Entering company-a brings you to an Okta login page; entering company-b brings you to an Azure AD login page.
Related
I am trying to make use of IdentityServer4 for authentication and authorization. We have a set of new and existing applications.
At this moment in time we have:
- 1 ReactJS application (there is no authentication yet as it's a new application), which will use the Implicit Flow via oidc-client
- 1 quite old Web Forms application, which will possibly use the Hybrid Flow (I still need to figure it out)
- 2 .NET Core MVC web applications, which will both use the Hybrid Flow
There are a few API projects that we want to protect using IDS4.
The Web Forms and MVC applications both use their own web services to talk to the same database to verify user credentials and let the user log in to the application.
Eventually we want to migrate users from that existing database to a separate user database. IdentityServer will also make use of this new user database for SSO + API authorization.
I am thinking of creating a separate API just for user authentication (possibly ASP.NET Identity as a Web API) and having IdentityServer4 communicate with this API to validate username/password. Does that seem right?
Also, how do I configure IdentityServer4 to use an API for authentication rather than using services.AddIdentityServer().AddAspNetIdentity(), which will directly talk to my ASP.NET Identity database? And how do I secure this API? Any samples I can find?
I had to do something like this; I found these useful:
http://docs.identityserver.io/en/release/quickstarts/1_client_credentials.html
http://docs.identityserver.io/en/release/quickstarts/2_resource_owner_passwords.html
I used it to protect an api via users that came from Asp Identity.
Hope that helps.
IdentityServer4 doesn't really do users out of the box. The ASP.Net Identity integration just exists to get you up and running quickly. If you want to implement your own user store and sign in/out/up flows then you're totally free to do that however you want.
That said, I'm a fan of having the IdP own its own data, i.e. the users and their credentials. This helps keep you on the straight and narrow when it comes to not mixing authentication and authorization. The Auth in OAuth is client authorization, don't forget.
We have an existing MVC application with Episerver CMS 10. That application performs well, but we now have a requirement to implement ADFS in the existing application.
I checked different links on the internet regarding this. I can see that it is straightforward for a new application, but I can't find a clear guide on how to implement it with an existing application. We have a lot of existing users on the website using SQL Server Membership and AD authentication. How will it behave with ADFS?
Please provide me with the correct guide and links for this.
I'm guessing you want to continue to use both SQL users and AD users(?).
First, migrate to ASP.NET Identity as described here: https://world.episerver.com/blogs/K-Khan-/Dates/2017/10/migrate-from-sql-membership-to-asp-net-identity/.
Then you can add authentication with ADFS as described here: https://hacksbyme.net/2017/05/07/single-sign-on-to-episerver-with-adfs-using-owin/
Finally add the possibility to login with both AD users, and local SQL users: https://hacksbyme.net/2017/05/11/mixed-mode-owin-authentication-for-episerver-editors/
ADFS will only authenticate against users in AD (or with LDAP in ADFS 4.0).
To integrate this into your application, you need a client side protocol stack.
If you are using ADFS 4.0, refer to this and this.
I am developing an application where I have to provide authentication and authorization to users using a Net ID card.
I have installed Net ID from the link below:
Download Net Id from here
When I insert that Net ID card into my machine via a card reader, say I have hosted a site at a particular domain, e.g. www.netidtestdomain.com:
whenever a user hits that URL it should pop up an authentication screen which would authenticate that user via a PIN code.
What I have tried: I visited this site:
Plugins to login or logout users using Net ID
But nothing works. I have developed an API in ASP.NET Core 2, and for login, once I am able to show the plugin or anything else using the user's own Net ID card, then I can do further authorization mapping with the rest of my application flow to authenticate users via Net ID and SAML 2.0 in that Core application.
Has anyone experienced this kind of authentication? If so, please share your feedback if it could be useful for a solution.
If the user is not being prompted to provide their card, then this is because your web server is not configured properly. It has nothing to do with the HTML or C# code really. You need to accept and/or require client certs. If you are using IIS, you can use the instructions here: https://technet.microsoft.com/en-us/library/cc732116.aspx and https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/clientcertificatemappingauthentication
If you are struggling with auth, I suggest investigating Thinktecture's IdentityServer. That's what we used to implement our authentication via smart card and there's a broad community around it.
My C# .NET 4.5 ASP.NET app currently uses forms authentication. We need to implement SSO on it via an on-premises ADFS 3.0 server that will link to external ADFS servers using Claims Provider Trusts.
The thing is that some users will continue logging in the old forms auth way while others will be authenticating using their ADFS credentials.
Can ADFS and Forms Auth be mixed? How can I direct the different users to the different logins?
I read here that I might need to code my own custom auth provider... this seems pretty complicated. Is there another simpler way?
I have a SaaS web application that caters to multiple education institutions. All clients are hosted in the same application/database. The application is currently written in C# for ASP.NET 4 Web Forms.
Currently my application uses a local/native database for user authentication/authorization.
Our clients are asking us to support single-sign-on where the client is the authentication provider and my application the consumer.
The problem is that the clients are asking for SSO via different protocols/mechanisms like Shibboleth and OpenID Connect. This means I need-to/should create a solution that works with all of these or that is at least extensible.
I came across Thinktecture's IdentityServer, which I think can abstract the various SSO mechanisms used by my clients and return to my app a claims based identity token that my app understands.
I'm struggling a lot with this concept though. Does this mean that my app redirects all authentication requests to the IdentityServer, lets IdentityServer handle the back and forth of say OpenID Connect, and then receives a token back from IdentityServer with the information I need about the user? How does the identity server know the realm of the user (i.e. so it knows which client auth provider to send the user to)? Does the IdentityServer need to validate the existence of the user in my app's local/native database? Can the IdentityServer handle both SSO and local logins?
Is a separate identity server the way to go? It seems like it would be, allowing my app to integrate with one point (the identity server). But, there's not a lot of documentation out there on Thinktecture's IdentityServer other than how to configure it. ADFS may provide a similar solution, but most examples out there speak to ADFS and Azure.
Lastly, I'm assuming that I'll still maintain local/native authorization data about each user as the 3rd party authentication provider can't possibly know the specific authorization needs of my application.
Any thoughts or suggestions out there?
Does this mean that my app redirects all authentication requests to the IdentityServer, lets IdentityServer handle the back and forth of say OpenID Connect, and then receives a token back from IdentityServer with the information I need about the user?
Basically, yes. But it depends on how you set it up. Your page could call the client's authentication provider directly if you have only one client or one authentication provider. Or you could set up your local IdentityServer (more extensible IMHO) and configure your client's authentication provider as another IdP (identity provider).
How does the identity server know the realm of the user (i.e. so it knows which client auth provider to send the user to)?
If you go with the second option, then your app will redirect to IdentityServer and, based on the home realm, it will be automatically redirected to the IdP. If no home realm is specified by your application, then IdentityServer will show all configured IdPs and the user chooses which IdP to authenticate at.
Does the IdentityServer need to validate the existence of the user in my app's local/native database?
It depends on you. If you wish to verify the existence of the user in your local database then you may do so by extending IdentityServer.
Can the IdentityServer handle both SSO and local logins?
Yes, it can.
Is a separate identity server the way to go? It seems like it would be, allowing my app to integrate with one point (the identity server).
You can always use IdentityServer and integrate it into your local application. Or you can use Shibboleth as your local authentication provider. Both implement standards like WS-Federation, WS-Trust or OpenID, and both are open source, so you can extend/modify them to your liking.
But, there's not a lot of documentation out there on Thinktecture's IdentityServer other than how to configure it.
I can't really say how much documentation there is. But if you wish, NDC Oslo 2014 will feature 2 days of pre-conference workshops where Dominick Baier and Brock Allen (authors of IdentityServer) will teach you everything you want to know.
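As an added example (not code from any poster above, nor from IdentityServer, Datawiza or Episerver), here is how the arrangement described in this answer and in the first question on the page, a single ASP.NET 4.x Web Forms app that keeps its own local cookie login and forwards each tenant's users to their own IdP through one IdentityServer, can be wired up with OWIN. It assumes the Katana 4.x packages Microsoft.Owin.Security.Cookies and Microsoft.Owin.Security.OpenIdConnect, IdentityServer's `acr_values=idp:<name>` home-realm hint, and placeholder authority, client and tenant values; the tenant table and the `IdpForEmail`/`StartSignIn` helpers are constructed for illustration and are not part of any library.

```csharp
// Added example: OWIN startup for an ASP.NET 4.x Web Forms app that keeps its own
// cookie login and adds OpenID Connect to an IdentityServer with a home-realm hint.
// Assumes Katana 4.x; all URLs, client ids and tenant names are placeholders.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect; // OpenIdConnectRequestType (Katana 4.x)
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(MixedAuth.Startup))]

namespace MixedAuth
{
    public class Startup
    {
        // Constructed tenant table: e-mail domain -> name of the external IdP as
        // registered in IdentityServer. A real app reads this from its tenant database.
        private static readonly Dictionary<string, string> TenantIdp =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "company-a.example", "okta-company-a" },
                { "company-b.example", "azuread-company-b" },
            };

        // Home-realm discovery: returns the IdP for the user's e-mail domain, or null
        // when the tenant has no SSO configured and the local password form applies.
        public static string IdpForEmail(string email)
        {
            if (string.IsNullOrEmpty(email)) return null;
            int at = email.LastIndexOf('@');
            if (at < 0 || at == email.Length - 1) return null;
            string idp;
            return TenantIdp.TryGetValue(email.Substring(at + 1), out idp) ? idp : null;
        }

        // Called from Login.aspx after the user types an e-mail address. Returns false
        // when the page should show its own password box instead of redirecting.
        // returnUrl must already be validated as a local path by the caller.
        public static bool StartSignIn(IOwinContext ctx, string email, string returnUrl)
        {
            string idp = IdpForEmail(email);
            if (idp == null) return false;
            var props = new AuthenticationProperties { RedirectUri = returnUrl ?? "/" };
            props.Dictionary["idp"] = idp; // picked up in RedirectToIdentityProvider below
            ctx.Authentication.Challenge(props, "oidc"); // sets 401 + challenge for "oidc" only
            return true;
        }

        public void Configuration(IAppBuilder app)
        {
            // The app issues this cookie itself, both after a local forms login
            // (ctx.Authentication.SignIn(identity)) and after an OpenID Connect callback,
            // so the rest of the site sees one principal regardless of how it was obtained.
            app.SetDefaultSignInAsAuthenticationType("Cookies");
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = "Cookies",
                LoginPath = new PathString("/Login.aspx"),
                CookieHttpOnly = true,
                CookieSecure = CookieSecureOption.Always,
            });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                AuthenticationType = "oidc",
                AuthenticationMode = AuthenticationMode.Passive, // only runs when challenged
                Authority = "https://idsrv.example/identity",    // placeholder IdentityServer
                ClientId = "legacy-webforms",                    // placeholder client id
                RedirectUri = "https://app.example/signin-oidc", // placeholder
                ResponseType = "id_token",
                Scope = "openid profile email",
                SignInAsAuthenticationType = "Cookies",
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    RedirectToIdentityProvider = n =>
                    {
                        if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
                        {
                            // Forward the tenant's IdP as IdentityServer's "idp:<name>"
                            // acr_values hint so the user skips the IdP chooser page.
                            var challenge = n.OwinContext.Authentication.AuthenticationResponseChallenge;
                            string idp;
                            if (challenge != null &&
                                challenge.Properties.Dictionary.TryGetValue("idp", out idp))
                            {
                                n.ProtocolMessage.AcrValues = "idp:" + idp;
                            }
                        }
                        return Task.FromResult(0);
                    }
                }
            });
        }
    }
}
```

Two design points worth noting. The cookie middleware replaces the Web Forms FormsAuthenticationModule (set `<authentication mode="None" />` in web.config), so a local password login and an SSO login both end in the same OWIN cookie and downstream authorization code does not care which path issued it. And because `Challenge` names only the "oidc" type, the passive OpenID Connect middleware handles the redirect while the cookie middleware does not bounce the request back to the login page; the local-users-only case simply never calls `Challenge` and falls through to the existing password form.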