Using local AD with IdentityServer4 in a Xamarin client application - c#

I am building a Xamarin app which will authenticate with Identity Server. I have this working with ASP.NET Identity Core. However, I'd like to be able to use AD as well. The documentation states this is possible but gives no examples. My biggest issue is that I'm using IdentityModel to manage my login calls, and I don't see any calls that seem to relate to AD.
I've discovered IExtensionGrantValidator, but I don't see any way, in that code, to work out the AD user logged in, in the client application. I could obviously make the user my payload, but at that stage it doesn't seem secure enough to me. I could make it work that way easily, but I'm hoping for a way that IdentityServer validates against the AD user, hopefully including that they are associated with a specific role.
I am hoping someone can point me to sample code for using AD (not Azure AD) with Identity Server.
Thanks

Here is the documentation about the Windows Authentication. Also in the AccountOptions.cs set public static bool WindowsAuthenticationEnabled = true; and bear in mind:
to enable windows authentication, the host (IIS or IIS Express) also must have windows auth enabled.
Then in the AccountController.cs you have a method "ExternalLogin" and there you have a check for Windows Authentication, where you can follow what happens, but the important work is the above.
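As an added example (not code from the original answer or from the IdentityServer4 project itself), here is the Windows branch of that ExternalLogin flow written out so the role mapping is visible: the AD principal is established by the host's Windows authentication, so the Xamarin client never supplies the user name itself, and AD group membership is turned into role claims that IdentityServer issues. It assumes the quickstart-style AccountOptions fields WindowsAuthenticationSchemeName and IncludeWindowsGroups, an ExternalLoginCallback action, and the helper name ProcessWindowsLoginAsync.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

public partial class AccountController : Controller
{
    // Called from ExternalLogin when the selected provider is the Windows scheme.
    // The principal comes from the host (IIS / IIS Express) having already done
    // Kerberos/NTLM authentication; nothing in the request body is trusted.
    private async Task<IActionResult> ProcessWindowsLoginAsync(string returnUrl)
    {
        var result = await HttpContext.AuthenticateAsync(AccountOptions.WindowsAuthenticationSchemeName);
        if (!(result?.Principal is WindowsPrincipal wp))
        {
            // Not authenticated yet: challenge so the host negotiates Windows auth
            // and re-enters this action on the same URL.
            return Challenge(AccountOptions.WindowsAuthenticationSchemeName);
        }

        var wi = (WindowsIdentity)wp.Identity;
        var id = new ClaimsIdentity(AccountOptions.WindowsAuthenticationSchemeName);
        // Use the SID as the stable subject; account names can be renamed or reused.
        id.AddClaim(new Claim(JwtClaimTypes.Subject, wi.User.Value));
        id.AddClaim(new Claim(JwtClaimTypes.Name, wi.Name));

        // Map AD group membership to role claims so clients/APIs can authorize by role.
        if (AccountOptions.IncludeWindowsGroups && wi.Groups != null)
        {
            var groups = wi.Groups.Translate(typeof(NTAccount));
            id.AddClaims(groups.Select(g => new Claim(JwtClaimTypes.Role, g.Value)));
        }

        // Hand off to the normal external-login callback, like any other external IdP.
        var props = new AuthenticationProperties
        {
            RedirectUri = Url.Action("ExternalLoginCallback"),
            Items = { { "returnUrl", returnUrl }, { "scheme", AccountOptions.WindowsAuthenticationSchemeName } }
        };
        await HttpContext.SignInAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme,
                                      new ClaimsPrincipal(id), props);
        return Redirect(props.RedirectUri);
    }
}
```

Because the Windows scheme only works through a browser hitting the IIS-hosted IdentityServer, the Xamarin app should use the system browser (authorization code flow) rather than posting AD credentials to a custom grant.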

Related

Modify website to not use Active Directory

I am not quite sure how to properly phrase this question so I will do my best to explain my issue.
I have a .Net website that works using Active Directory. It works great. No issues. However I have a need to stand-up a new copy of the website for an office that won't have access to Active Directory.
I am trying to come up with any possible solutions that will allow me to accomplish this without having to rewrite large portions of our user code base.
I might have to accept the fact this might take a lot of work but I figured I would try to explore any possible options before I jump into that.
Depending how the site is built, you might be able to set up an AD LDS instance on the web server that would mimic some of the services AD provides. OpenLDAP might do something similar.
You still probably need to change some things on the site, but this might let you get by with changing a lot less.
Does the user:
- Access an IIS hosted site via Windows authentication (like on an intranet)?
- Access an IIS hosted site using Azure AD (user signs into Azure AD or Office 365 via browser)?
- Access an Azure hosted site using Azure AD (user signs into Azure AD or Office 365 via browser)?
You might consider some refactoring of your application to use Microsoft's Identity framework, which will allow you to easily plug and play how your application authenticates.
For .NET framework
Take a look at using ASP.NET Identity
https://learn.microsoft.com/en-us/aspnet/identity/overview/getting-started/introduction-to-aspnet-identity
For .NET Core
Take a look at using Identity on ASP.NET Core
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-configuration?view=aspnetcore-2.1&tabs=aspnetcore2x
By using these frameworks, you can keep your login code the same and change the way the user is authenticated.
Hope this helps! Cheers!

How to execute code when authenticating with default providers?

I'm building a .net backend for my Azure Mobile Service.
I would like to execute code whenever someone authenticates with one of the default providers (i.e. Microsoft, Google, Facebook etc.).
Some examples of what I would like to do during authentication:
Associate their MS/Google/FB Account ID with my own user accounts
Add claims to the ServiceUser
To sum it up: is there any way to hook into the server side execution of MobileService.LoginAsync(provider) in a .net backend?
Yes, you should look at the custom authentication feature of Mobile Services, which should be flexible enough for your use case: https://azure.microsoft.com/en-us/documentation/articles/mobile-services-dotnet-backend-get-started-custom-authentication/
You might also be interested in the new AAD B2C offering, which has a lot of features that might fit your scenario: https://azure.microsoft.com/en-us/documentation/services/active-directory-b2c/

Authentication using Azure

I have an Azure account and currently a Mobile Service setup with a SQL Database so that my Windows Store app can communicate with the database.
I have developed sites using ASP.NET WebPages authentication. And I need something similar for my Windows Store app.
I have successfully gone through the documentation and tutorials on the Windows Azure website and implemented ACS (Windows Live ID, Google, Yahoo!, and Facebook) - but the thing is - I don't want Google, Yahoo!, Facebook (or even Windows Live ID or Microsoft Account) logins - I want my OWN login, but it seems that they don't give you this option (correct me if I am wrong).
I need to allow users to signup from within my application (that means, providing their name, DOB, email, phone, address, etc) and shove it all in my database.
Now, after implementing Microsoft Account login with my Azure service, I found out that you can't even get the most basic information about any user who has logged in to your application - not even an email address.
I have spent hours searching online for something that could possibly help but I am running out of keywords - and have not hit a single related result yet.
Does anyone know if this is possible? How would we go about integrating login and signup with a Windows Store app that set/gets this data into/from a Windows Azure service?
Any code, samples, links, tutorials, documentation, etc would be highly appreciated.
You have gone down the road of hooking up external identity authentication, which in my opinion for an external facing web application is a better approach. Benefits are:
Your application is only responsible for Authorization not Authentication. There is a whole lot of work involved in Authentication and a large number of best practices. Best let those who know best take the burden of this. This doesn't mean you shouldn't try and understand it though.
If your site gets hacked you don't have to tell them that their username / email and password combo has been compromised and they will probably have to change their passwords on other sites.
You are also making sure that your users don't have to remember / manage yet another username / email address and password combo.
If you really want to do the Authentication then that is fine but you will need to do it yourself. Have a look at examples on Asp.Net Membership. This is not the only way and nor is it the best way but there are lots of examples.
Now if you decide you want to use external authentication I can give you some pointers to help with your current implementation.
First thing to note is that the Id you get back from Live, Google, Facebook can only be assumed to be unique for that provider. Therefore if you want to keep a profile in your system for that identity and you want to use more than one provider you will need to implement it in such a way that you can keep the id unique in your system and help you associate it with a provider.
Website Authentication with Social Identity Providers and ACS Part 2 – Integrating ACS with the Universal Profile Provider
As you have found out not all of the Authentication providers return the same "claims". A claim is something that user claims to have, such as an email address, name, date of birth, etc. All the ones you can use by default via the ACS return Uid and some return a name and email address. What you have to do is fill in the gaps. When someone registers you will need to pull the relevant claims and then ask them to fill in the missing ones. You may also want to map the different claims in the ACS to a common name that you can use in your app as one provider might use slightly different names.
Federated Identity with Windows Azure Access Control Service
Just because you do not handle Authentication you still need to be responsible for keeping your application secure. Half of the work has been done for you so your code should be a lot lighter but you will still need to make use of roles.
Windows Azure Role Based authentication (ACS)
The really nice thing about this approach is you can implement your application the same way SO have done with their identity model. You can allow users to associate multiple identities with their profile, meaning they can log in how they want to.
If you choose not to use the built in providers for ACS you will need to implement your own Identity Provider using SAML, OpenId, etc...
You can look into the Windows Identity Foundation (WIF) for implementing WS-Trust or WS-Federation.
There is also ADFS which has the same set of support but uses Active Directory with WIF and Azure has its own version of AD that can be used.
There is also thinktecture identityserver which can jumpstart your venture into IdP land, but I have not used it myself yet.
If you want to go the OpenId route there is DotNetOpenAuth.
If you're looking to add custom identity to your Mobile Services app, check out Josh's post on custom auth: http://www.thejoyofcode.com/Exploring_custom_identity_in_Mobile_Services_Day_12_.aspx

Windows Authentication SSO in ASP.NET Remote Web Application

There is a requirement to implement Single Sign On (SSO) in our website so that users accessing it from the intranet won't have to type in their credentials.
The problem here is that the website is going to be hosted on the internet, on a remote server.
Is there some way this can be done?
--EDIT--
I looked at following link:
http://en.wikipedia.org/wiki/Active_Directory_Federation_Services
And the example scenario that is mentioned in there is exactly what we require.
Here is the detailed explanation on the situation:
There is an Active Directory Domain Controller that is used to authenticate users in the intranet.
Once the user logs into the machine, and opens up the remote website, the website should somehow verify that the user is already logged into the intranet using AD credentials and automatically allow access to the website.
Also, the website is supposed to be getting a Security Token that can be used to authenticate the user.
Of course, for example, Microsoft's way of doing that for connecting Office365 to your Intranet is called Active Directory Federation Services.
It is (as most single sign on solutions) not entirely straight forward, and it assumes a domain on your intranet, but since Office365 uses it, it is and will most likely continue to be well supported in the future.
It's just a matter of integrating your web app with the authentication provider that you are using for SSO. The details are going to vary dramatically if you're using OAuth vs. Shibboleth vs. ADFS vs. etc., so there really isn't enough information in your question to give a helpful answer.

login into Jira using Integrated Windows Authentication or NTLM

We are evaluating Jira and would like to login into it using Integrated Windows Authentication or NTLM (i.e. automatic logon without providing username and password, by using the domain user).
We have Jira 4.1.2 installed on a Tomcat 6.0.29, with Tomcat fronted by IIS 7.
When a user accesses the application, he first goes through IIS. Credentials are transmitted at this point and IIS forwards to Tomcat, which greets us with the Jira login page. Jira users are set up the same as those from the domain, so the user must retype the user name and password for his domain. This is annoying.
Furthermore, not all users have passwords as some of them log in using security cards + PIN, so there is no password for them to insert.
What we want is that, based on the credentials of the user, to automatically login into the Jira application, and not be greeted by the Login page.
From what we've studied, this seems to revolve around combining Jira with Crowd, which we don't want to install just for this purpose alone.
Also found something related to writing a custom authenticator but not really sure what to make of it. Performing different developments (dot.NET and/or Java) won't be a problem if it isn't very hacky or some huge workaround.
So, is there a way to login into Jira using Integrated Windows Authentication / NTLM?
Thanks in advance!
Unfortunately in our experience we had to use Crowd, we couldn't find an easy way around it. You could try using an LDAP based approach (if your AD supports LDAP calls and if you have a simple structure etc), but it sounds like your setup is more complicated than that.
It seems Jira 4 does not yet support NTLM authentication: http://forums.atlassian.com/thread.jspa?threadID=43247
Jira 4 + LDAP + Active Directory works, but does not give you SSO.
The following add-on provides Integrated Windows Authentication (Kerberos) for any web app using Atlassian Crowd as its user management system, including Jira, Confluence, Stash and Bamboo: https://marketplace.atlassian.com/plugins/com.cleito.iwaac