after several days of searching, reading and trial and error i definitely need some help.
The Situation:
I need to create a Web-Application using MVC where users are authenticated against an AD using ADFS. But they do not want to store the Roles and further Informations into the AD. So i need to read and store those informations somewhere else. My first thougt was to use the same infrastructure which VS sets up when i created a new Web-Application and choose "Individual User Accounts".
What i've done so far:
I created a new Projekt in VS and implemented the authentication against the AD using the ADFS (using this really helpful link(http://www.cloudidentity.com/blog/2014/02/12/use-the-on-premises-organizational-authentication-option-adfs-with-asp-net-in-visual-studio-2013/). Works fantastic.
Start eating my Keyboard because i can't get the next step done.
My Question/s:
Is this possible to authenticate users using the ADFS and retrieve further informations (like Roles, other properties (e.g. Department)) about the logged in user by using / extending the ASP.NET Identity Framework? Does someone have a nice link?
I'd be glad for any help.
No need to do the work in your web app...
You can simply have ADFS source the claim info from a SQL database.
Do Add Attribute Store..
Set Attribute store type to SQL
Enter a Display name and your Connection string
Then when adding the claim to the relying party choose a Claim type
of "... Custom Rule" and have the query you enter fetch the attributes from your DB.
There's a pretty good walkthru with more details in TechNet
The problem you have is that you have to map the AD claims to the ASP.NET Identity via some kind of primary key.
Good link here : Code! MVC 5 App with Facebook, Twitter, LinkedIn and Google OAuth2 Sign-on (C#).
(With ADFS 4.0 (Server 2016) you will be able to use a SQL DB for authentication and authorization).
Related
We have existing mvc application with episerver cms 10. That application performs well. But we now have requirement to implement adfs in existing application.
I checked different links on internet regarding this. I can see that it is straight forward for new application but can't find clear guide on how to implement it with existing application. We have lot of existing users in website using sql server membership and ad authentication. How it will behave with ADFS?
Please provide me correct guide and links for this?
I'm guessing you want to continue to use both SQL users and AD users(?).
First migrate to AspNetIdentity as described here: https://world.episerver.com/blogs/K-Khan-/Dates/2017/10/migrate-from-sql-membership-to-asp-net-identity/.
Then you can add authentication with ADFS as described here: https://hacksbyme.net/2017/05/07/single-sign-on-to-episerver-with-adfs-using-owin/
Finally add the possibility to login with both AD users, and local SQL users: https://hacksbyme.net/2017/05/11/mixed-mode-owin-authentication-for-episerver-editors/
ADFS will only authenticate against users in AD (or with LDAP in ADFS 4.0).
To integrate this into your application, you need a client side protocol stack.
If you are using ADFS 4.0 refer this and this.
I have a very simple implementation of the AspNet.Identity apiservice using Entity Framework that hands out tokens that cam be used to authorize requests through out all the services and web sites. Users have claims to identify what they are authorized to do within our system. Some of these users (internal users) will have also have AD accounts and rather than have them have to remember different passwords I would like to authenticate through AD for these users then use the AspNet.Identity.EntityFramework to add claims. Ideally if a user is already logged into the domain on there PC they would not even have to enter their password.
How can i get our AspNet.Identity implementation to validate with AD?
I have already seen this question Use ActiveDirectory authorization with ASP.NET Identity but I am not using the ThinkTecture Identity Server and it seems to be using something other than AspNet.Identity and I do not want to replace our current implementation.
Can anyone give me a course of action or point me towards a tutorial that accomplishes something similar?
It depends. VM, Cloud, Local Machine? If a machine on the network, could be different. Either way you will have to modify your web.config to gain access to your membership provider in order to achieve the seamless route presented in the link below.
This link,
https://www.iis.net/configreference/system.webserver/security/authentication/windowsauthentication, should help you get in the right direction as to setting up IIS*. Hope this helps.
I'm somewhat new to ASP.NET MVC and I hoped you can help me with authentication for my app.
I have a MVC application that needs to be authenticated using SQL Server Log Ins. This means I have to create roles and users in SQL Server, and all security permissions are managed at Database level. Roles, users, and permissions aren't constant and we should be able to manage them.
Any suggestion? Is there anyway to override default behaviors of Identity to achieve this goal? What do you think is the best way to implement this need? Should I Use AD or DB Logins are fine?
Thanks in advance
Based on my working experience with diverse login mechanisms, I would like to suggest you the following route
Choose AD as your identity provider[IDP]
Register your application as an Relying Party [RP]
Get the federation metadata from AD to set up your application
In case you have your AD Server with ADFS 3.0, refer this link for a sample
In case of going through the OWIN Federation Middleware, it should be very easy for you with little development effort as given in this link
With ASP.Net MVC5 & Owin this task of yours should be a piece of cake
For Azure AD based samples, refer here or for first hand information, read this article
I have an Azure account and currently a Mobile Service setup with a SQL Database so that my Windows Store app can communicate with the database.
I have developed sites using ASP.NET WebPages authentication. And I need something similar for my Windows Store app.
I have successfully gone through the documentation and tutorials on the Windows Azure website and implemented ACS (Windows Live ID, Google, Yahoo!, and Facebook) - but the thing is - I don't want Google, Yahoo!, Facebook or even Windows Live ID or Microsoft Account) logins - I want my OWN login but it seems that they don't give you this option (correct me if I am wrong).
I need to allow users to signup from within my application (that means, providing their name, DOB, email, phone, address, etc) and shove it all in my database.
Now, after implementing Microsoft Account login with my Azure service, I found out that you can't even get the most basic information about any user who has logged in to your application - not even an email address.
I have spent hours searching online for something that could possibly help but I am running out of keywords - and have not hit a single related result yet.
Does anyone know if this is possible? How would we go about integrating login and signup with a Windows Store app that set/gets this data into/from a Windows Azure service?
Any code, samples, links, tutorials, documentation, etc would be highly appreciated.
You have gone down the road of hooking up external identity authentication, which in my opinion for an external facing web application is a better approach. Benefits are:
Your application is only responsible for Authorization not Authentication. There is a whole lot of work involved in Authentication and a large number of best practices. Best let those who know best take the burden of this. This doesn't mean you shouldn't try and understand it though.
If your site gets hacked you don't have to tell them that their username / email and password combo has been compromised and they will probably have to change there passwords on other sits.
You are also making sure that your users don't have to remember / manage yet another username / email address password combo
If you really want to do the Authentication then that is fine but you will need to do it yourself. Have a look at examples on Asp.Net Membership. This is not the only way and nor is it the best way but there are lots of examples.
Now if you decide you want to use external authentication I can give you some pointers to help with your current implementation.
First thing to note that the Id you get back from Live, Google, Facebook can only be assumed to be unique for that provider. Therefore if you want to keep a profile in your system for that identity and you want to use more than one provider you will need to implement it in such a way that you can keep the id unique in your system and help you associate it with a provider.
Website Authentication with Social Identity Providers and ACS Part 2 – Integrating ACS with the Universal Profile Provider
As you have found out not all of the Authentication providers return the same "claims". A claim is something that user claims to have, such as an email address, name, date of birth, etc. All the ones you can use by default via the ACS return Uid and some return a name and email address. What you have to do is fill in the gaps. When someone registers you will need to pull the relevant claims and then ask them to fill in the missing ones. You may also want to map the different claims in the ACS to a common name that you can use in your app as one provider might use slightly different names.
Federated Identity with Windows Azure Access Control Service
Just because you do not handle Authentication you still need to be responsible for keeping your application secure. Half of the work has been done for you so your code should be a lot lighter but you will still need to make use of roles.
Windows Azure Role Based authentication (ACS)
The really nice thing about this approach is you can implement your application the same why SO have done with there identity model. You can allow users to associate multiple identities against their profile meaning they can login how they want to.
If you choose not to use the built in providers for ACS you will need to implement your own Identity Provider using SAML, OpenId, etc...
You can look into the Windows Identity Foundation (WIF) for implementing WS-Trust or WS-Federation.
There is also ADFS which has the same set of support but uses Active Directory with WIF and Azure has its own version of AD that can be used.
There is also thinktecture identityserver which can jumpstart your venture into IdP land, but I have not used it myself yet.
If you want to go the OpenId route there is DotNetOpenAuth.
If you're looking to add custom identity to your Mobile Services app, check out Josh's post on custom auth: http://www.thejoyofcode.com/Exploring_custom_identity_in_Mobile_Services_Day_12_.aspx
I am building an intranet website. And I am still unsure of how to implement the security of the website. I am using ASP.NET MVC 3.
Anyone in the company can access the website. It is a recognition system where you can nominate an employee for an award. Currently I am not using any type of authentication. I have a roles table that contains roles and an association table that specifies which user contain what roles, these roles are mainly administrator-type roles. If a user does belong in these roles then he/she can still access various parts of the website.
Would I need to use the built-in membership for this? Or would I need to create a custom membership for this? We don't use a login page. If the user does not have roles to access a view then he/she is redirected to another page.
We use IIS to do our authentication. Is this the same as Windows authentication? I have the roles table used for authorisation.
I'm just a little confused at the moment, I am hoping someone can give me some more clarity.
You can very well use ASP.Net MembershipProvider and RoleProvider for this
For tutorials on how to use them you should look at Videos at asp.net.
Here's a walk-through at MSDN
This blog post by Scott Guthrie might help:
Recipe: Enabling Windows Authentication within an Intranet ASP.NET Web application
For Intranet web applications, the most common authentication scenario to use is called Windows Authentication. Windows Authentication avoids the need to create a login form within an application, and does not require end-users to manually enter their username/password credentials to login to the application. Instead, ASP.NET and IIS can automatically retrieve and validate the Windows username of the end-user visiting the site in a secure way