I'm trying to utilize Microsoft Identity Platform for some users of web application. I'm using this example:
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-aspnet-core-webapp
The problem is the example shows how to turn on Microsoft Identity "globally", for the whole app, and all the roles are populated from the platform. But in my case users are stored in DB, and sign in using Azure AD should be optional. The ideal flow will be to login the user with Microsoft Identity Platform, get the email after successful login and then authenticate user using existing asp.net core identity mechanism with populating users from DB (using UserStore and etc.). But I can't find the way, how to do it, ho to handle "event" after successful login with the platform?
It is even possible with Microsoft Identity Platform?
The answer is outdated.
With the release of 1.4.0, Microsoft Identity supports AzureAD as external login provider.
From the release notes:
Microsoft Identity Web now supports individual auth with AAD external providers. To enable this, you can now specify a null cookie scheme in AddMicrosoftIdentityWebApp. See issue #133 and issue #809.
Apparently MSAL library can't act as external login provider for ASP.NET Identity, so it's not possible.
Source: https://github.com/MicrosoftDocs/azure-docs/issues/53695
If someone needs to utilize Azure AD login with ASP.NET identity, it could be done in several ways:
Using Microsoft.AspNetCore.Authentication.AzureAD.UI
https://austincooper.dev/2020/02/02/azure-active-directory-authentication-in-asp.net-core-3.1/
Azure AD as an "external provider"?
Using WsFederation
https://cmatskas.com/asp-net-core-saml-authentication-with-azure-ad/
Using SAML directly using some 3rd party library or inhouse SAML stack implementation:
https://matthijs.hoekstraonline.net/2020/04/14/authenticate-an-azure-ad-user-with-saml-for-asp-net-core/
Related
We have a legacy .NET WebForm Saas application that uses .NET Framework 4.7.2 and authentication logic via the legacy web form authentication against local SQL database. It tracks the authenticated session via cookie which is the standard for form authentication.
We recently have a customer who requests SSO using their Azure AD to authenticate into our application. Upon doing research around I've come up with SAML and OpenId Connect and I'm leaning toward OpenId Connect.
The challenge is while this customer uses Azure AD, another customer may use AWS AD or some still wants to use the standard login form on our login page.
Is this possible to have form authentication work along side with SSO? I'm still educating myself in SSO and it is confusing to say the least but I generally see people use an identity provider with multiple applications whereas we seems to go down the road of a single application using multiple identity providers while still support its own authentication method.
yes, that's doable. We have built a no-code/low-code solution for people to implement this. Here is a demo website. https://demo.datawiza.net/login
Click SSO at the bottom. Inputting company-a brings you an Okta login page; inputting company-b brings you to an azure ad login page.
I'm using AspNet Core identity for the authentication of my users. I want to connect to remote identity providers (Microsoft and Google). For Google, I think I'm fine with using Microsoft.AspNetCore.Authentication.Google (https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authentication.google).
For Micorosft I have a couple of options, though:
Microsoft.AspNetCore.Authentication.AzureAD
Microsoft.AspNetCore.Authentication.MicrosoftAccount
Microsoft.AspNetCore.Authentication.OpenIdConnect
I was first using Microsoft.AspNetCore.Authentication.AzureAD. Then I switched to Microsoft.AspNetCore.Authentication.MicrosoftAccount. I was assuming that this would not have much impact but it turned out that now all name-identifiers of my users have changed. So, appearantly there are differences.
I find it not very clear what the pros and cons of the different options are. Can someone help me make a good choice?
Microsoft.AspNetCore.Authentication.MicrosoftAccount
This namespace contains types that enable support for Microsoft Account OAuth based authentication.
It Enables users to sign in with their existing credentials:
1)Is convenient for the users.
2)Shifts many of the complexities of managing the sign-in process onto a third party.
For more details refer this document
Microsoft.AspNetCore.Authentication.OpenIdConnect
This namespace contains types that enable support for OpenIdConnect based authentication.And OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. It allows clients to request and receive information about authenticated sessions and end-users.
If you need to add authentication to an application and you want to use a third party as the authentication provider, then the recommended way to achieve this is using OpenId Connect.
Like Google or Facebook, OneLogin is also an OpenId Connect provider, which means that if you use OneLogin to store and manage the identities of your users, you can also use OneLogin to authenticate those users on your custom built apps.
For more details refer this document
Microsoft.AspNetCore.Authentication.AzureAD
The libraries Microsoft.AspNetCore.Authentication.AzureAD packages. As Per the document, since ASP.NET core 5.0, users should use the Microsoft.Identity.Web package to integrate with Azure AD and Azure ADB2C.
To migrate from Microsoft.AspNetCore.Authentication.AzureAD to Microsoft.Identity.Web refer this document
i am using jwt token authentication by sql using entity framework in my project which is working perfectly fine.
now we have to add Microsoft azureAD login in the project?
QUESTION 1:
we have two type of user 1st one is stored in sql and other are stored in azure and they are not same.
now we have to provide username and password login for sql user(This part completed using jwt token based login) and microsoft login for azure use?
when i use openidconnect to login with microsoft its not working in my project?
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));
its not working.
what i actually want is to add both authentication like this.
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));
services.AddJwtAuthentication(Configuration);
If you are having new non-Azure users, you will have to use B2C. Refer to An ASP.NET Core web app with Azure AD B2C
The above sample shows how to build an MVC web application that performs identity management with Azure AD B2C using the ASP.Net Core OpenID Connect middleware. It assumes you have some familiarity with Azure AD B2C. If you'd like to learn all that B2C has to offer, start with it's documentation at aka.ms/aadb2c.
The app is a basic web application that performs three functions: sign-in, sign-up, and sign-out. It is intended to help get you started with Azure AD B2C in a ASP.NET Core application, giving you the necessary tools to execute Azure AD B2C policies & securely identify uses in your application.
If you also want to integrate Identity (SQL) in your code, refer Introduction to Identity on ASP.NET Core.
We built OAuth identity server using .net core with IdentityServer4 nuget package. We added support for facebook token support. So identity server will exchange facebook token with internal token using facebook graph API (https://graph.facebook.com/v2.8/me). Now we have requirement to merge two user if both have same email address.
Can you please suggest how to integrate this feature in our identity server?
Is there any built in support or best practice to implement this?
As per the identityserver documentation:
Our quickstart UI funnels all external authentication calls through a single callback (see ExternalLoginCallback on the AccountController class). This allows for a single point for post-processing.
Federation Gateway Docs on Identityserver.io
So even if you're not using the QuickstartUI you can download it an inspect how are they configuring things to make the external authentication flow end on that controller and from there do all your checks (if there's a local user with same email) and associate the user with this "External Auth Record"
We currently have an Asp .Net web application (Framework 4.5) using Forms based authentication. A few of our clients are asking for integration with their applications and does not want to have separate login accounts.
What would be the best way to implement this? The solution should be able to validate against different identity providers.
A consultant has suggested to convert the current web app to be claims-aware but not sure how to proceed with it or where to start .
Thanks for all your help.
Making an application claims-aware implies adding support for one of:
WS-Federation
SAML 2.0
OpenID Connect / OAuth
This then enables the application to talk to an IDP for SSO e.g. ADFS, Azure AD, identityserver, Auth0.
In the Microsoft world, web apps use the OWIN NuGet packages for WS-Fed (WIF) or OIDC. For SAML, look here.
Desktop apps use ADAL or the later version MSAL.
ADFS e.g. only authenticates against AD. If you want to authenticate against a DB as well, you federate ADFS with e.g. identityserver or Auth0 both of which have that ability.