I am working on an ASP.NET MVC application that uses Azure AD auth out-of-the-box.
What I want to do is define custom roles for certain users. For example, mark JohnDoe#contoso as a "Portal Admin" or SarahJones#contoso as a "Site Manager" - I want to do that without messing with AD roles, since I don't have full access to the AD internals.
I am fine deploying a custom DB to contain the roles. Is there a generic solution for this or do I have to implement my custom verification layer?
Update 1: I can deploy a custom role provider and connect it to a different DB, but am wondering if there is a more straightforward way to do this.
If you use Azure Web Apps, which support ASP.NET MVC, then you can use the Azure Active Directory authentication mechanism. Here is a blog post describing how to set it up:
https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/
Once you have that, auth will be enabled for your app and you can configure the AAD app in the portal. See this blog post for more details:
http://blogs.technet.com/b/ad/archive/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles.aspx
To modify the permission levels, you should be able to use role claims. See this example for guidance:
https://github.com/Azure-Samples/active-directory-dotnet-webapp-roleclaims
Accessing the manifest:
I am creating a web application which will make use of the single sign on organisation login feature on .net mvc project.
If the user is on the network I want to allow them to use the application without signing in, as I would be able to get their username with Windows authentication.
If external, I want to redirect them to the single sign-on so they can be authenticated.
However my issue is that even if they are on the network, the application prompts them to sign in. How can I avoid this?
Based on the Microsoft documentation:
Tenant administrators and developers often have requirements where an application must be restricted to a certain set of users. There are two ways to restrict an application to a certain set of users or security groups:
Developers can use popular authorization patterns like Azure role-based access control (Azure RBAC).
Tenant administrators and developers can use the built-in feature of Azure AD.
To implement authentication in your application please refer this Microsoft Documentation:- Configure authentication in a sample web app by using Azure AD B2C.
I am trying to create a full stack app (with React.js on the frontend and ASP.NET Core Web API on the backend). The login process needs to be done using Active Directory, as users are employees within a single organization. The frontend must get a token (using an MSAL library) and then send it to the backend, where it has to decode it and, based on it, recognize the user, register every session in the database, and let users perform the actions set by their roles. Those roles need to be assigned in the database.
Does anyone know how to do that? Even an example project like that would help me immensely, because everything I have found so far is very basic.
For implementing the authentication in Asp.net core follow this doc here.
Authorization in Azure AD can also be done with Application Roles. Application Roles in Azure AD are by no means mutually exclusive. They can be used in tandem to provide even finer grained access control.
In your react-app (client) you can get the token, then access the webAPI with the token. You can then take a look at this source code. The only difference will be that you will call your own webAPI instead of Microsoft Graph.
For controlling the authentication session read more here link.
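The pattern this answer describes (Azure AD validates the token, the API then looks the user up in its own database to get roles) can be done in ASP.NET Core with an IClaimsTransformation, which is also what the first question on this page (custom roles in a custom DB, no AD changes) is asking for. The following is an added example, not code from the question, the answer or any linked sample; IAppRoleRepository, InMemoryAppRoleRepository, the sample tenant/object ids and the role names are assumptions, and it assumes Microsoft.Identity.Web is doing the token validation.

```csharp
// Added example: attach application roles from your own DB to an Azure AD principal.
// Everything below the token validation (repository, sample ids, role names) is assumed.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

public interface IAppRoleRepository
{
    // Key assignments on the immutable (tenant id, object id) pair from the token.
    // UPN, email and display name are mutable and can be reassigned to another person.
    Task<IReadOnlyList<string>> GetRolesAsync(string tenantId, string objectId);
}

// Stand-in for the real DB-backed repository; the data is constructed for this example.
public sealed class InMemoryAppRoleRepository : IAppRoleRepository
{
    private static readonly Dictionary<(string Tid, string Oid), string[]> Assignments =
        new Dictionary<(string Tid, string Oid), string[]>
        {
            [("11111111-1111-1111-1111-111111111111", "aaaaaaaa-0000-0000-0000-000000000001")] = new[] { "Portal Admin" },
            [("11111111-1111-1111-1111-111111111111", "aaaaaaaa-0000-0000-0000-000000000002")] = new[] { "Site Manager" },
        };

    public Task<IReadOnlyList<string>> GetRolesAsync(string tenantId, string objectId) =>
        Task.FromResult<IReadOnlyList<string>>(
            Assignments.TryGetValue((tenantId, objectId), out var roles) ? roles : Array.Empty<string>());
}

public sealed class DbRoleClaimsTransformation : IClaimsTransformation
{
    private const string DbRolesLabel = "db-roles";
    private readonly IAppRoleRepository _roles;
    public DbRoleClaimsTransformation(IAppRoleRepository roles) => _roles = roles;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (principal.Identity?.IsAuthenticated != true) return principal;
        // The transformation can run more than once per request; never stack duplicate identities.
        if (principal.Identities.Any(i => i.Label == DbRolesLabel)) return principal;

        // v2.0 tokens use the short claim names ("oid", "tid"); v1.0 tokens use the long URIs.
        var oid = principal.FindFirstValue("oid")
               ?? principal.FindFirstValue("http://schemas.microsoft.com/identity/claims/objectidentifier");
        var tid = principal.FindFirstValue("tid")
               ?? principal.FindFirstValue("http://schemas.microsoft.com/identity/claims/tenantid");
        if (oid is null || tid is null) return principal;   // no stable key: grant nothing

        var roles = await _roles.GetRolesAsync(tid, oid);
        // A second identity keeps the token's own claims untouched. ClaimsPrincipal.IsInRole and
        // [Authorize(Roles = ...)] check the role claims of every identity on the principal.
        var dbIdentity = new ClaimsIdentity(authenticationType: null, nameType: null, roleType: ClaimTypes.Role)
        {
            Label = DbRolesLabel
        };
        foreach (var role in roles) dbIdentity.AddClaim(new Claim(ClaimTypes.Role, role));
        principal.AddIdentity(dbIdentity);
        return principal;
    }
}

public static class RoleAuthSetup
{
    // Called from Startup.ConfigureServices (or Program.cs). The React app acquires the token
    // with MSAL; the API validates audience/issuer/signature, then attaches DB roles.
    public static void Configure(IServiceCollection services, IConfiguration config)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddMicrosoftIdentityWebApi(config.GetSection("AzureAd"));
        services.AddScoped<IAppRoleRepository, InMemoryAppRoleRepository>();
        services.AddScoped<IClaimsTransformation, DbRoleClaimsTransformation>();
        services.AddAuthorization();
    }
}

[ApiController, Route("api/[controller]")]
public class SitesController : ControllerBase
{
    // Either DB role is enough here; an authenticated user with no assignment gets 403.
    [HttpGet, Authorize(Roles = "Site Manager,Portal Admin")]
    public IActionResult Get() =>
        Ok(new { roles = User.FindAll(ClaimTypes.Role).Select(c => c.Value).ToArray() });
}
```

Two points worth keeping when you swap the in-memory repository for a real one: key the table on tid/oid (not on email or name, which the directory can reassign), and cache the lookup, because the transformation runs on every authenticated request.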
I am developing a ASP.Net Core Web app with an AAD-B2C as LogIn-Provider. So users have to log in first to access the site --> Authentication.
Then, I want to evaluate what the user actually is allowed to access --> Authorization
I have a requirement that RBAC is used and the roles are handled NOT in any kind of AD, but in our own database which again is behind a REST API. So I went with my custom implementation of Microsoft.AspNetCore.Identity.IUserRoleStore<MyUser> to retrieve my users and roles from my REST API and registered that in Startup.ConfigureServices
services.AddIdentity<MyUser, MyRole>();
services.AddTransient<IUserStore<MyUser>, MyUserStore>();
services.AddTransient<IUserRoleStore<MyUser>, MyUserStore>();
But now the default Authentication does not seem to work anymore (as MyUser is totally different from the ASP.Net default User, e.g. MyUser does not have User.Identity.IsAuthenticated). Also I can't see the site ever calling MyUserStore.IsInRoleAsync when I added a Razor directive like User.IsInRole("Admin").
Am I missing something? Is it not possible to "split" ASP.Net Core Identity to handle Authentication one way (AAD-B2C) and Authorization another way (custom Store) at the same time? Or am I just calling it in a wrong way?
If you are using Azure AD B2C, you need to have custom roles defined within your Azure AD, and I am fairly certain that the situation you are describing is not supported. B2C does not include group claims in the token it sends to the application, but some workarounds are suggested here: Azure AD B2C - Role management
I'm developing an app using ASP.NET WebAPI 2.2 that requires login via Azure AD for which I'm using ADAL/OWIN, but the app must have app specific permissions and roles that can be assigned to users who log in to it (a bit like SharePoint groups). The client can't use Azure AD groups, claims or Azure app permissions to assign rights/create groups as it is set up/maintained by a third party.
So, if the app is authenticating users against Azure AD, am I able to use the SQLRoleProvider to create/maintain a permission set and assign them to users within the app? I've searched for a while and not found anything that exactly fits my use scenario. Currently I'm thinking I may have to roll my own role provider.
EDITED for clarity.
You can use the custom role provider in Azure AD. When used, each user is given a role (or rather, placed in a role) at the time the user is granted access to the application. I used this blog post to get started when creating a simple role-based MVC app for a customer:
Azure Active Directory, now with Group Claims and Application Roles.
We used this to separate between regular and admin users of an application we built.
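This answer and the first answer on the page (the roleclaims sample) both take the "application roles in Azure AD" route. What that looks like in an ASP.NET MVC 5 / OWIN app, as an added example that is not the blog post's or the sample's code: the role values "PortalAdmin" and "SiteManager", the client id and the tenant id are placeholders, and the manifest fragment in the comment follows the appRoles schema of the app registration manifest.

```csharp
// Added example: consume Azure AD application roles in ASP.NET MVC 5 with OWIN.
// Role values, client id and tenant id are placeholders.
using System.Web.Mvc;
using Microsoft.IdentityModel.Tokens;   // TokenValidationParameters (OWIN OIDC 4.x; 3.x used System.IdentityModel.Tokens)
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Roles are declared once in the app registration manifest and assigned to users by the
    // tenant admin (Enterprise applications > Users and groups), so the app never touches AD
    // objects itself. Manifest entry, as JSON:
    //   "appRoles": [ { "allowedMemberTypes": [ "User" ], "displayName": "Portal Admin",
    //                   "description": "Full portal administration", "id": "<new guid>",
    //                   "isEnabled": true, "value": "PortalAdmin" } ]
    // The "value" string is what arrives in the token's "roles" claim.
    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = "<application-client-id>",
            // Pin the authority to your tenant rather than "common": with "common" any Azure AD
            // account anywhere can sign in unless you validate the issuer yourself.
            Authority = "https://login.microsoftonline.com/<tenant-id>",
            TokenValidationParameters = new TokenValidationParameters
            {
                // Azure AD delivers app roles in a claim literally named "roles". Declaring that
                // as the role claim type is what makes User.IsInRole and [Authorize(Roles = ...)]
                // see them; leave it out and every role check fails, with no error.
                RoleClaimType = "roles",
                NameClaimType = "name"
            }
        });
    }
}

public class AdminController : Controller
{
    // Only users the tenant admin assigned the "PortalAdmin" app role reach this action.
    [Authorize(Roles = "PortalAdmin")]
    public ActionResult Index() => View();

    // Comma-separated roles: membership in either one is enough.
    [Authorize(Roles = "PortalAdmin,SiteManager")]
    public ActionResult Sites() => View();
}
```

A user who signs in without any assigned role still passes a bare [Authorize], so either put Roles on every sensitive action or enable "User assignment required" on the enterprise application so unassigned users cannot sign in at all.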
I am building an intranet website. And I am still unsure of how to implement the security of the website. I am using ASP.NET MVC 3.
Anyone in the company can access the website. It is a recognition system where you can nominate an employee for an award. Currently I am not using any type of authentication. I have a roles table that contains roles and an association table that specifies which user contain what roles, these roles are mainly administrator-type roles. If a user does belong in these roles then he/she can still access various parts of the website.
Would I need to use the built-in membership for this? Or would I need to create a custom membership for this? We don't use a login page. If the user does not have roles to access a view then he/she is redirected to another page.
We use IIS to do our authentication. Is this the same as Windows authentication? I have the roles table used for authorisation.
I'm just a little confused at the moment, I am hoping someone can give me some more clarity.
You can very well use the ASP.NET MembershipProvider and RoleProvider for this.
For tutorials on how to use them you should look at Videos at asp.net.
Here's a walk-through at MSDN
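The asker already has a roles table and an association table and authenticates through IIS, which is the "roll my own role provider" option the WebAPI question above also considered. As an added example (not code from this answer or the linked walk-through), here is a read-only RoleProvider over such tables; the table and column names, the connection string name and the role name "Administrator" are assumptions.

```csharp
// Added example: a read-only RoleProvider over an existing Roles/UserRoles schema.
// Windows authentication (IIS) supplies the identity as DOMAIN\user; this provider
// only answers "which roles does that name have". Schema and names are assumed.
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration;
using System.Configuration.Provider;
using System.Data;
using System.Data.SqlClient;
using System.Linq;
using System.Web.Security;

public sealed class TableRoleProvider : RoleProvider
{
    private string _connectionString;

    public override string ApplicationName { get; set; }

    // web.config (assumed names):
    //   <authentication mode="Windows" />
    //   <authorization><deny users="?" /></authorization>
    //   <roleManager enabled="true" defaultProvider="TableRoleProvider">
    //     <providers><add name="TableRoleProvider" type="TableRoleProvider"
    //                     connectionStringName="RecognitionDb" /></providers>
    //   </roleManager>
    public override void Initialize(string name, NameValueCollection config)
    {
        if (config == null) throw new ArgumentNullException("config");
        base.Initialize(string.IsNullOrEmpty(name) ? "TableRoleProvider" : name, config);

        var csName = config["connectionStringName"];
        var cs = ConfigurationManager.ConnectionStrings[csName];
        if (cs == null) throw new ProviderException("Connection string not found: " + csName);
        _connectionString = cs.ConnectionString;
    }

    public override string[] GetRolesForUser(string username)
    {
        // Always parameterize: the user name is attacker-influenced text even behind Windows auth.
        return Query(@"SELECT r.Name FROM dbo.Roles r
                       JOIN dbo.UserRoles ur ON ur.RoleId = r.Id
                       WHERE ur.UserName = @user",
                     new SqlParameter("@user", SqlDbType.NVarChar, 256) { Value = username });
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        return GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase);
    }

    public override string[] GetAllRoles() { return Query("SELECT Name FROM dbo.Roles"); }

    public override bool RoleExists(string roleName)
    {
        return GetAllRoles().Contains(roleName, StringComparer.OrdinalIgnoreCase);
    }

    public override string[] GetUsersInRole(string roleName)
    {
        return Query(@"SELECT ur.UserName FROM dbo.UserRoles ur
                       JOIN dbo.Roles r ON r.Id = ur.RoleId WHERE r.Name = @role",
                     new SqlParameter("@role", SqlDbType.NVarChar, 256) { Value = roleName });
    }

    public override string[] FindUsersInRole(string roleName, string usernameToMatch)
    {
        return GetUsersInRole(roleName)
            .Where(u => u.IndexOf(usernameToMatch, StringComparison.OrdinalIgnoreCase) >= 0)
            .ToArray();
    }

    // Membership is administered directly in the tables, so the web tier cannot change it.
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }

    private string[] Query(string sql, params SqlParameter[] parameters)
    {
        var results = new List<string>();
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddRange(parameters);
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                while (reader.Read()) results.Add(reader.GetString(0));
        }
        return results.ToArray();
    }
}

// With the provider registered, role checks use the standard attribute:
//   [Authorize(Roles = "Administrator")] public ActionResult Approve(int id) { ... }
```

With `<authentication mode="Windows" />` plus `<deny users="?" />` there is still no login page: IIS negotiates the Windows identity, and a user outside the required roles gets a 401/403 that you can redirect in a custom AuthorizeAttribute instead of the default response.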
This blog post by Scott Guthrie might help:
Recipe: Enabling Windows Authentication within an Intranet ASP.NET Web application
For Intranet web applications, the most common authentication scenario to use is called Windows Authentication. Windows Authentication avoids the need to create a login form within an application, and does not require end-users to manually enter their username/password credentials to login to the application. Instead, ASP.NET and IIS can automatically retrieve and validate the Windows username of the end-user visiting the site in a secure way.