We already have a single authentication process using Active Directory for our home made web sites (simple login and password). Our AD is also on Azure (everything is synchronized).
Now we want 2 factors authentification using this: (Microsoft Authenticator) https://www.microsoft.com/en-us/account/authenticator
I've been searching for an exemple for a while, but most of the tutorials I found are about MVC CORE; I'm not using core, just regular MVC .Net Framework. Furthermore, the only tutorials I found using .Net framework were for Google authenticator, not Microsoft's one.
The intended behavior would be the same as when I connect to office 365, first I enter my password in the web site, then I receive a notification on my cell phone (for exemple), by approving the connection, I can have access to web content.
I'm still trying to figure out if this is even allowed, is Microsoft Authenticator only meant to be used for Microsoft developers or can we random developers use this app for our 2FA needs? Or is there a way to trigger the office 365 authentication windows?
If yes, they don't seem eager to share any code or tutorial for MVC .net Framework. (I'm still searching)
EDIT for comments:
Microsoft auth .Net Core documentation:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/mfa?view=aspnetcore-5.0
Google auth with .Net framework documentation:
https://medium.com/#henryhdelgado/2fa-with-google-authenticator-in-asp-mvc-4788c79c47
EDIT / Solution :
In case someone didn't borther reading the answer's comments, here's what I was actually looking for : https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-asp-webapp
In short: you don't need to do anything (provided that your application authenticates users using OIDC, which it will do if you're using Azure Active Directory or Office 365 with your application). Just flip the switch in your organization's O365 or AAD settings to require TOTP/2FA.
However, if your application is actually authenticating against on-prem AD (whether using Kerberos via the browser shell, or with "Forms authentication") and you can't make your web-application authenticate against AAD/O365 (not on-prem AD) and you don't have AD Federation working, then you're in for a world of pain because getting on-prem 2FA working is a massive undertaking that requires just as much work from your sysadmins as it does from you (and then your question would be closed for being "too broad", sorry!)
Authenticating against AAD/O365 can be done using any OIDC client library, though Microsoft does make a purpose-built library available on NuGet which works in .NET Framework applications in addition to .NET Core: https://www.nuget.org/packages/Microsoft.Identity.Client/ (formerly https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/ )
"Azure Active Directory" (AAD) is a misnomer btw, as it has very little to do with on-prem Active Directory. That said, if you're using Office 365 within your enterprise then you will already have AAD up-and-running - just be aware that it's still completely unrelated to Active Directory (as far as technology is concerned).
Using AAD/O365 for SSO basically means using OIDC (whereas on-prem AD is Kerberos, not OIDC) - so any OIDC library can be used with AAD/O365. The TOTP/2FA part is handled entirely by AAD/O365 so you don't actually need to do anything in your own application to handle TOTP/2FA.
Related
We develop an Application using .NET Core 3.1.X with Blazor Server to run on Linux.
Our requirement is to authenticate against a local Active Directory server (using LDAP).
Reading the documentation we've learned that a component called ASP.NET Core Identity is responsible for the authentication and that doesn't seem to support non-Azure Active Directory or generic LDAP.
Additionally, it seems as if the DirectoryServices are not yet available on Linux.
I did not find any documentation that lays out all steps needed to get our desired authentication scheme working. So: Which steps do we need to take to reach "feature parity" with the built-in authentication & authorization schemes.
As this seems like a very obvious use-case (Active Directory & LDAP) to me I'm also wondering if we missed anything obvious during our research.
I am not quite sure how to properly phrase this question so I will do my best to explain my issue.
I have a .Net website that works using Active Directory. It works great. No issues. However I have a need to stand-up a new copy of the website for an office that won't have access to Active Directory.
I am trying to come up with any possible solutions that will allow me to accomplish this without having to rewrite large portions of our user code base.
I might have to accept the fact this might take a lot of work but I figured I would try to explore any possible options before I jump into that.
Depending how the site is built, you might be able to set up an AD LDS instance on the web server that would mimic some of the services AD provides. OpenLDAP might do something similar.
You still probably need to change some things on the site, but this might let you get by with changing a lot less.
Does the user :
-Access an IIS hosted site via windows authentication (like on an Intranet) ?
-Access an IIS hosted site using Azure AD (user signs into azure ad or office 365 via browser)?
-Access an azure hosted site using Azure AD (user signs into azure ad or office 365 via browser)?
You might consider some refactoring your application to use Microsoft's Identity framework which will allow you to easily plug and play how your application authenticates.
For .NET framework
Take a look at using ASP.NET Identity
https://learn.microsoft.com/en-us/aspnet/identity/overview/getting-started/introduction-to-aspnet-identity
For .NET Core
Take a look at using Identity on ASP.NET Core
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-configuration?view=aspnetcore-2.1&tabs=aspnetcore2x
By using these frameworks, you can keep your login code the same and change the way the user is authenticated.
Hope this helps! Cheers!
I am tasked with implementing single sign-on for our customers as part of our next release. The flow exists as follows:
User logs into their school's main portal system using a student id/password provided to him/her by the school.
User clicks the link to my company's product.
User is automatically taken to the dashboard page as if they had just logged in through the login form on our site.
Thus, there are two mechanisms by which a user can be authenticated into our site:
Coming to our product's home page, and logging in using the email/password that we store in our local system.
Using the single sign-on where the student has already logged into the school's main system with a student id and password.
If our product's implementation is in ASP.NET (as opposed to Java/Ruby), should we be using CAS, JOSSO, or some other third party single sign-on product? Or is there something available to a .NET environment which would be simpler for us as a .NET company?
There are multiple options to implement SSO for a .NET application.
Check out the following tutorials online:
Basics of Single Sign on, July 2012
http://www.codeproject.com/Articles/429166/Basics-of-Single-Sign-on-SSO
GaryMcAllisterOnline: ASP.NET MVC 4, ADFS 2.0 and 3rd party STS integration (IdentityServer2), Jan 2013
http://garymcallisteronline.blogspot.com/2013/01/aspnet-mvc-4-adfs-20-and-3rd-party-sts.html
The first one uses ASP.NET Web Forms, while the second one uses ASP.NET MVC4.
If your requirements allow you to use a third-party solution, also consider OpenID. There's an open source library called DotNetOpenAuth.
For further information, read MSDN blog post Integrate OpenAuth/OpenID with your existing ASP.NET application using Universal Providers.
Hope this helps!
I am late to the party, but for option #1, I would go with
IdentityServer3(.NET 4.6 or below) or IdentityServer4 (compatible with Core) .
You can reuse your existing user store in your app and plug that to be IdentityServer's User Store. Then the clients must be pointed to your IdentityServer as the open id provider.
There are several Identity providers with SSO support out of the box, also some third-party** services.
** The only problem with third-party services is that they might charge per user/month, which can be pretty expensive.
Some of the tools available and with APIs for .NET are:
Auth0
IdentityExpress (with Admin UI) by IdentityServer
Centrify Identity Service
Okta Identity (SAML 2.0)
OneLogin
If you decide to go with your implementation, you could use the frameworks below categorized by programming language.
C#:
IdentityServer3 (OAuth/OpenID protocols, OWIN/Katana)
IdentityServer4 (OAuth/OpenID protocols, ASP.NET Core)
OAuth 2.0 by Okta
JavaScript:
passport-openidconnect (node.js)
oidc-provider (node.js)
openid-client (node.js)
Python:
pyoidc
Django OIDC Provider
I would go with Auth0 as a service, as it's free for the first 7000 users, supports many languages, and not much needs to be done. However, if you need a more robust, manage yourself, and cheaper solution, I would configure IdentityServer4 and ASP.NET Core application and add authentication providers as necessary.
Both Auth0 and IdentityServer4 solutions use OAuth/OpenID protocols, supporting also WS-Federation and SAML 2.0 integration.
[disclaimer: I'm one of the contributors]
We built a very simple free/opensource component that adds SAML support for ASP.NET apps https://github.com/jitbit/AspNetSaml
Basically it's just one short C# file you can throw into your project (or install via Nuget) and use it with your app
UltimateSAML SSO is an OASIS SAML v1.x and v2.0 specifications compliant .NET toolkit. It offers an elegant and easy way to add support for Single Sign-On and Single-Logout SAML to your ASP.NET, ASP.NET MVC, ASP.NET Core, Desktop, and Service applications. The lightweight library helps you provide SSO access to cloud and intranet websites using a single credentials entry.
Detailed UltimateSAML SSO review can be found here
I am tasked with implementing single sign-on for our customers as part of our next release. The flow exists as follows:
User logs into their school's main portal system using a student id/password provided to him/her by the school.
User clicks the link to my company's product.
User is automatically taken to the dashboard page as if they had just logged in through the login form on our site.
Thus, there are two mechanisms by which a user can be authenticated into our site:
Coming to our product's home page, and logging in using the email/password that we store in our local system.
Using the single sign-on where the student has already logged into the school's main system with a student id and password.
If our product's implementation is in ASP.NET (as opposed to Java/Ruby), should we be using CAS, JOSSO, or some other third party single sign-on product? Or is there something available to a .NET environment which would be simpler for us as a .NET company?
There are multiple options to implement SSO for a .NET application.
Check out the following tutorials online:
Basics of Single Sign on, July 2012
http://www.codeproject.com/Articles/429166/Basics-of-Single-Sign-on-SSO
GaryMcAllisterOnline: ASP.NET MVC 4, ADFS 2.0 and 3rd party STS integration (IdentityServer2), Jan 2013
http://garymcallisteronline.blogspot.com/2013/01/aspnet-mvc-4-adfs-20-and-3rd-party-sts.html
The first one uses ASP.NET Web Forms, while the second one uses ASP.NET MVC4.
If your requirements allow you to use a third-party solution, also consider OpenID. There's an open source library called DotNetOpenAuth.
For further information, read MSDN blog post Integrate OpenAuth/OpenID with your existing ASP.NET application using Universal Providers.
Hope this helps!
I am late to the party, but for option #1, I would go with
IdentityServer3(.NET 4.6 or below) or IdentityServer4 (compatible with Core) .
You can reuse your existing user store in your app and plug that to be IdentityServer's User Store. Then the clients must be pointed to your IdentityServer as the open id provider.
There are several Identity providers with SSO support out of the box, also some third-party** services.
** The only problem with third-party services is that they might charge per user/month, which can be pretty expensive.
Some of the tools available and with APIs for .NET are:
Auth0
IdentityExpress (with Admin UI) by IdentityServer
Centrify Identity Service
Okta Identity (SAML 2.0)
OneLogin
If you decide to go with your implementation, you could use the frameworks below categorized by programming language.
C#:
IdentityServer3 (OAuth/OpenID protocols, OWIN/Katana)
IdentityServer4 (OAuth/OpenID protocols, ASP.NET Core)
OAuth 2.0 by Okta
JavaScript:
passport-openidconnect (node.js)
oidc-provider (node.js)
openid-client (node.js)
Python:
pyoidc
Django OIDC Provider
I would go with Auth0 as a service, as it's free for the first 7000 users, supports many languages, and not much needs to be done. However, if you need a more robust, manage yourself, and cheaper solution, I would configure IdentityServer4 and ASP.NET Core application and add authentication providers as necessary.
Both Auth0 and IdentityServer4 solutions use OAuth/OpenID protocols, supporting also WS-Federation and SAML 2.0 integration.
[disclaimer: I'm one of the contributors]
We built a very simple free/opensource component that adds SAML support for ASP.NET apps https://github.com/jitbit/AspNetSaml
Basically it's just one short C# file you can throw into your project (or install via Nuget) and use it with your app
UltimateSAML SSO is an OASIS SAML v1.x and v2.0 specifications compliant .NET toolkit. It offers an elegant and easy way to add support for Single Sign-On and Single-Logout SAML to your ASP.NET, ASP.NET MVC, ASP.NET Core, Desktop, and Service applications. The lightweight library helps you provide SSO access to cloud and intranet websites using a single credentials entry.
Detailed UltimateSAML SSO review can be found here
As an organisation, we use Google Apps. We have the paid version (mapped to our domain) etc...
We are developing a web based application to manage orders, and other business functionality.
I want to be able to use federated login with our google apps accounts-
For example, if a user is logged in to their email (gMail) - they should automatically be logged in to our ASP.net application
If they're not logged in - the log in form should auth. against our google apps account.
How can this be done?
Is it possible to be able to "get" the user who is currently logged in using this method etc...?
Sure, use dotNetOpenAuth. It's recommended by OpenId library and it should be easy in use. As far as google provides OpenId interface there should be no problem with using it in your application.
Stackoverflow is successfully using it and I'm logged here always when I'm logged on my google account.
Just doing a quick search through Google's API documentation, it sounds like you need to use Google's implementation of OAuth protocol.
If you have not yet started developing, you could even considering developing for Appengine - using python or Java (though I would prefer Python myself).
Advantage is that it has a much closer integration with Google Apps services and it will be much easier to build further functionality that works with Google apps (docs/mail etc). Besides this, there arent too many hassles for hosting the app.