Check if Azure AD user is allowed to access my application - c#

I have developed an application (asp.net web application) that authenticates using azure ad and asp.net owin. It is a multi-tenant app, so I have registered my app in azure ad as a multi-tenant app. That means that everyone with a microsoft work/school account can sign in to my application. That is fine, but I need to check if the user signing in has a valid license for using my application. How can I do that? Can I interrupt the owin login process somehow and check for a valid license, or how is this normally done?

What is normally done is to separate AUTHENTICATION (who is the user) from AUTHORIZATION (what can the user do).
I.e. you do NOT interfere with the authentication - the user comes and sends a token. Your app then reacts by redirecting the user to a "create account" page when he is new. That creates in your app the db entry for this user. You can also send him to a "sorry, you have no rights on this application" page.
This allows you to use the same authentication for multiple applications with separate rights and fully separates authentication and authorization.
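One way to put the answer into practice with the OWIN OpenID Connect middleware the asker already uses, as an added example that is not the asker's or the answerer's code: authentication runs untouched, and the authorization decision (is this tenant licensed?) is taken in the SecurityTokenValidated notification, after the token has been validated and before a session cookie is issued. The LicenseStore class with its constructed tenant IDs, the /Account/NoLicense page and the urn:myapp:licensed claim are hypothetical; Microsoft.Owin.Security.OpenIdConnect 4.x (Microsoft.IdentityModel.* namespaces) is assumed.

```csharp
// Added example (not the asker's or the answerer's code): multi-tenant Azure AD sign-in with
// a separate license check in SecurityTokenValidated.
// Hypothetical: LicenseStore, /Account/NoLicense, urn:myapp:licensed.
// Assumes Microsoft.Owin.Security.OpenIdConnect 4.x.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Stand-in for the application's own license database (hypothetical).
public static class LicenseStore
{
    // Constructed sample values, not real tenant IDs.
    private static readonly HashSet<string> LicensedTenants = new HashSet<string>
    {
        "11111111-1111-1111-1111-111111111111",
        "22222222-2222-2222-2222-222222222222"
    };

    public static bool TenantIsLicensed(string tenantId)
    {
        return tenantId != null && LicensedTenants.Contains(tenantId);
    }
}

public class Startup
{
    // Claim types Azure AD puts in the id_token (v1 endpoint names; v2 short names are checked too).
    private const string TenantIdClaim = "http://schemas.microsoft.com/identity/claims/tenantid";
    private const string ObjectIdClaim = "http://schemas.microsoft.com/identity/claims/objectidentifier";

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "<your-app-client-id>",                        // placeholder
            Authority = "https://login.microsoftonline.com/common",   // "common": any work/school account
            RedirectUri = "https://localhost/myapp/",                 // placeholder
            TokenValidationParameters = new TokenValidationParameters
            {
                // With the "common" authority every tenant is a different issuer, so the
                // middleware cannot pin one. The signature is still checked against Azure AD's
                // published keys; which tenants are accepted is decided in OnTokenValidated.
                ValidateIssuer = false
            },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = OnTokenValidated
            }
        });
    }

    // Authentication is done (signature, audience and lifetime verified). Now authorize.
    private static Task OnTokenValidated(
        SecurityTokenValidatedNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> context)
    {
        ClaimsIdentity identity = context.AuthenticationTicket.Identity;
        string tenantId = FirstValue(identity, TenantIdClaim, "tid");
        string userId = FirstValue(identity, ObjectIdClaim, "oid");

        if (userId == null || !LicenseStore.TenantIsLicensed(tenantId))
        {
            // Authenticated but not authorized: stop the middleware from issuing the session
            // cookie and send the user to the "sorry, no rights" page instead.
            context.HandleResponse();
            context.Response.Redirect("/Account/NoLicense");
            return Task.FromResult(0);
        }

        // Licensed tenant: record the decision so [Authorize] checks can rely on it.
        identity.AddClaim(new Claim("urn:myapp:licensed", "true"));
        return Task.FromResult(0);
    }

    private static string FirstValue(ClaimsIdentity identity, params string[] claimTypes)
    {
        foreach (string type in claimTypes)
        {
            Claim claim = identity.FindFirst(type);
            if (claim != null) return claim.Value;
        }
        return null;
    }
}
```

The same notification is the place for the "create account" step the answer mentions: look the (tenantId, userId) pair up in the application's own database and redirect first-time users to the sign-up page instead of the no-rights page. Keying on the object ID rather than on e-mail or display name matters, because those can change or be reassigned within a tenant.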

Related

Azure B2C how to maintain user session between a .net web app and a SPA (React)

We are using Azure B2C to manage authentication in our c# .net web app through Open Web Interface for .NET (OWIN) middleware components.
We also have a SPA in React, and here we are using MSAL.js to authenticate the user.
The SPA is going to be opened from the .net web app, and we want to maintain the user session between these 2 apps.
Currently, the user has to log in when he goes from the .net app to the SPA or vice versa, even if the user was already logged in.
If somebody can point me in the right direction, I'd appreciate it.
Configure session behavior in Azure Active Directory B2C (includes 'User Flow' and 'Custom Policy' in separate tabs)
Single sign-on session management in Azure Active Directory B2C
How to configure SSO for Azure AD B2C?
For example, below is the setting in the sign-in user flow.

Authenticate .net core Web App using Single Sign on while navigating from CRM

I have a button in Dynamics CRM. On click of this button I need to navigate to a .net core Web App showing the other details. Currently I have implemented AD Authentication, and every time it navigates from CRM to the web app, it asks me to log in with my AD credentials.
Instead I need to implement a single sign-on mechanism where the web app is automatically authenticated with the same credentials I logged into my CRM with. (CRM and the web app are already under the same tenant of Azure Active Directory.)
Can someone help me achieve this or provide me with a sample application?
Ensure prompt=none is appended to your authorization request URL, e.g.:
// Line breaks for legibility only
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&state=12345
&prompt=none
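How the prompt=none request above can be issued from the OWIN OpenID Connect middleware, as an added example that is not the answerer's code: the CRM button links to a sign-in action that asks for a silent attempt, the RedirectToIdentityProvider notification adds prompt=none to the authorization request, and because an identity provider answers a prompt=none request that has no usable session with an error instead of a login page, the AuthenticationFailed notification retries interactively when it sees login_required or interaction_required. The AccountController route and the "prompt" property name are hypothetical; Microsoft.Owin.Security.OpenIdConnect 4.x is assumed.

```csharp
// Added example (not the answerer's code): silent SSO attempt with prompt=none and an
// interactive fallback. Hypothetical: /Account/SignIn route, "prompt" challenge property.
// Assumes Microsoft.Owin.Security.OpenIdConnect 4.x.
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "<your-app-client-id>",                          // placeholder
            Authority = "https://login.microsoftonline.com/<tenant>",   // placeholder: the tenant CRM uses
            RedirectUri = "https://localhost/myapp/",                   // placeholder
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = context =>
                {
                    // Only authorization requests get a prompt parameter, not sign-out requests.
                    if (context.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
                    {
                        // The controller stores the wanted prompt mode in the challenge properties.
                        var challenge = context.OwinContext.Authentication.AuthenticationResponseChallenge;
                        string prompt;
                        if (challenge != null && challenge.Properties.Dictionary.TryGetValue("prompt", out prompt))
                        {
                            context.ProtocolMessage.Prompt = prompt;   // "none": no UI, succeed or fail silently
                        }
                    }
                    return Task.FromResult(0);
                },
                AuthenticationFailed = context =>
                {
                    // No session at the IdP (or consent/MFA needed): retry once, interactively.
                    string error = context.ProtocolMessage == null ? null : context.ProtocolMessage.Error;
                    if (error == "login_required" || error == "interaction_required")
                    {
                        context.HandleResponse();
                        context.Response.Redirect("/Account/SignIn?interactive=true");
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }
}

public class AccountController : Controller
{
    // The CRM button links here. First attempt is silent; the fallback sets interactive=true.
    public ActionResult SignIn(bool interactive = false)
    {
        var properties = new AuthenticationProperties { RedirectUri = "/" };
        if (!interactive)
        {
            properties.Dictionary["prompt"] = "none";
        }
        HttpContext.GetOwinContext().Authentication.Challenge(properties,
            OpenIdConnectAuthenticationDefaults.AuthenticationType);
        return new HttpUnauthorizedResult();
    }
}
```

Two things to keep in mind when testing this: the silent attempt only succeeds if the browser still holds the Azure AD session cookie from the CRM sign-in (a fresh browser profile or a cleared cookie jar will always take the interactive path), and the fallback should be limited to the two error codes shown; redirecting on every failure would turn a token validation error into a sign-in loop.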

Windows Authentication with DNN

I have a local intranet-facing DNN library portal site hosted on Windows Server. I have also configured Windows AD on the server, and there's one more system connected to the server domain.
Basically, we have 2-tier access. One is logging into DNN as Admin or Super User to manage DNN, and the other one is logging into the Portal as a User to manage his account in the library. So, the former login process is handled by DNN itself and the latter one is handled by us using our DB validation.
Now, we are trying to allow library users to log in using Windows Authentication. For that, we enabled Windows Authentication and disabled Anonymous Authentication.
The problem is, when I launch DNN I can log into the Portal as a User but NOT log into DNN as Admin. Even accessing IPAddress/Login just refreshes and stays on the Home page instead of redirecting to the Login page.
NOTE: I have already created the domain\windows user name in the DNN admin user, but I still cannot log into DNN as Admin.

How to redirect from web page to windows application?

I have an MVC application where I'm authenticating the user through ADFS and sending those details to the Windows application for authentication.
The steps I followed are:
Sending username and password to ADFS.
Receiving a token from ADFS once the user is authenticated.
Validating the token.
I want to transfer the token and user details to the Desktop Application to authenticate the Windows Application.
The MVC application and the desktop application are two different applications.
So you need two Relying Parties (RP) in ADFS.
Then with SSO, once you are logged into one you are logged into the other.
If you are using ADFS 4.0, the desktop application can use ADAL.
Similar to this for Azure AD.

Existing .net web application needs to change authentication

I inherited an existing .net web application. It is an external website that is used by external users and internal users. To login/authenticate internal users, it uses LDAP authentication. External users go to a different DB.
My IT department wants to change the way internal users login. They do not want to allow an external server to be able to access the AD using LDAP. Is there a more secure method to access the AD from an external server? Or is that not recommended at all?
Also, is the design of the login flawed? Should internal and external users be logging in the same way? What is considered best practice for logging in users?
You could use ADFS (Active Directory Federation Services) for this.
This will require you to install an ADFS server inside of your network (so it can contact the AD).
The ADFS Server contains a web based STS (Security Token Service) to allow web pages to login using an AD account.
Basically, in a nutshell it will work as follows:
Your user navigates to the external Web Application
The Web Application will redirect the user to the ADFS STS server.
ADFS STS Server will verify your credentials (either by using integrated security or a web based login box)
If the ADFS STS Server is happy about the credentials it will then redirect the user back to the external Web Application with a login token as extra information. This token contains information about the user (can be configured). It is signed by the ADFS server (to ensure the information is authentic) and can optionally be encrypted.
The external web application extracts the token and tests the signature. If it is all correct the Web Application will grant the permissions that the user should have.
For information to set this up in an ASP.NET application you could refer to the following url:
http://blogs.msdn.com/b/alextch/archive/2011/06/27/building-a-test-claims-aware-asp-net-application-and-integrating-it-with-adfs-2-0-security-token-service-sts.aspx
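The flow the answer lists, wired up with the OWIN WS-Federation middleware, as an added example that is not the answerer's code or the linked article's: the middleware performs the redirect to the STS, verifies the token signature against the signing certificates published in the ADFS federation metadata, and rejects tokens issued for another relying party or already expired; the SecurityTokenValidated notification then turns AD group claims into application permissions, which is the "grant the permissions the user should have" step. The ADFS host, realm, group names and permission claim names are placeholders, the claim rule issuing group names as role claims is assumed to exist in ADFS, and Microsoft.Owin.Security.WsFederation 4.x is assumed.

```csharp
// Added example (not the answerer's code): external web app as an ADFS relying party via
// OWIN WS-Federation. Placeholders: ADFS host, realm, group and permission names.
// Assumes Microsoft.Owin.Security.WsFederation 4.x and an ADFS claim rule that issues
// AD group names as role claims.
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.WsFederation;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public class Startup
{
    // The relying party identifier registered in ADFS for this web application (placeholder).
    private const string Realm = "https://external.example.com/";

    // Hypothetical mapping from AD group names to application permission claims.
    private static readonly Dictionary<string, string> GroupToPermission = new Dictionary<string, string>
    {
        { "App Admins", "urn:myapp:permission:admin" },
        { "App Users",  "urn:myapp:permission:use" }
    };

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            // The metadata document names the STS issuer and carries its signing certificates,
            // so the token signature can be verified without any secret shared with ADFS.
            // The web app only needs outbound HTTPS to ADFS, never LDAP access to the domain.
            MetadataAddress = "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml", // placeholder
            Wtrealm = Realm,
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidAudience = Realm,      // a correctly signed token for another RP is still refused
                ValidateAudience = true,
                ValidateIssuer = true,      // issuer is taken from the metadata document
                ValidateLifetime = true     // an expired or replayed token is refused
            },
            Notifications = new WsFederationAuthenticationNotifications
            {
                SecurityTokenValidated = OnTokenValidated
            }
        });
    }

    // Signature, issuer, audience and lifetime have been checked; decide what the user may do.
    private static Task OnTokenValidated(
        SecurityTokenValidatedNotification<WsFederationMessage, WsFederationAuthenticationOptions> context)
    {
        ClaimsIdentity identity = context.AuthenticationTicket.Identity;
        identity.AddClaims(MapGroupsToPermissions(identity));
        return Task.FromResult(0);
    }

    private static IEnumerable<Claim> MapGroupsToPermissions(ClaimsIdentity identity)
    {
        foreach (Claim role in identity.FindAll(ClaimTypes.Role))
        {
            string permission;
            if (GroupToPermission.TryGetValue(role.Value, out permission))
            {
                yield return new Claim(permission, "true");
            }
        }
    }
}
```

This also answers the "is the login design flawed?" part of the question: internal users authenticate against AD through ADFS and external users against the separate DB, but both end up as a ClaimsIdentity with the same application permission claims, so the rest of the site authorizes on those claims and never needs to know which directory the user came from.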
