We have a whole bunch of clients that want us to start using their ADFS to allow their users into our web app using Single-Sign-On.
After reading up on WIF (which seemed to be the solution at first but is deprecated in VS 2013...), OWIN, oAuth, OpenID Connect, I'm completely confused as to the simplest way to implement SSO.
What is the best and simplest technology to use to implement SSO on an existing VS 2013 json restful service written in C#?
Ideally the technology would already be part of .NET.
Are there any code samples or tutorials out there for this scenario?
assuming that you want to consume your service from native clients, I would recommend that you protect your service using Web API middleware (which was already supported via OWIN middleware in VS2013) and implement your clients using the ADAL library. For a post specifically on ADAL and ADFS, see this. For more details on the Web API side of the solution, see this. If you want to target a variety of client platforms, you can find a complete collection of samples (for Azure AD, but easy to modify for ADFS) here.
This can be implemented through WSO2 IS as Relying Party in ADFS. When we will implement this setup the outcome/Income claims will be main source for User Profile load to WSO2IS for authentication and pass the SAML Response to SP(End URL of your application).
Refer the below links to configure WSO2 IS as relying party for ADFS and WSO2 IS configuration too.
https://omindu.wordpress.com/2015/06/19/setting-ad-fs-3-0-as-federated-authenticator-in-wso2-identity-server/
SSO would mean its Active Directory driven, or direct to IIS machine.config authentication instead of a web.config, but also considering the "simplest technology" you've mentioned, then this must be a call for something simple yet you can transform into what you really desire.
With this, we can refer to token-based web services authentication.
Here's a sample project from which I started and able to transform into something else. From here I think you can then change all authentications into AD or DB connect, or even both across your web services.
http://www.codeproject.com/Articles/9348/Web-Service-Authentication?fid=145460&df=90&mpp=25&prof=False&sort=Position&view=Normal&spc=Relaxed&fr=26#xx0xx
hopefully this would help.
Related
I have two web apps in azure one angular 6 the other one is .net core web api. Angular app consumes the apis to get data. Some of these apis are public apis. It means authentication is not needed for them to be called.
My questions is, what the best approaches are to protect these public apis? By protecting, I mean not letting anonymous users to call these apis and abuse data.
In my mind these are what I can do:
CORS, but the problem is postman and other rest tool still can call my apis
Using azure api management? By rate limiting? Is there a better way?
Use some sort of api key but the angular app will expose them anyway.
In my c# app I get user agent, host, Origin of the call and restrict based on those?
Basically I want to restrict anonymous user from manipulating and calling my post apis and push not relevant or duplicate data to my back-end without using any sort of AD as my apis are going to be public. I want only a few authorized app can call my apis.
Please tell me which one of the above are the right one and please recommend a better approach.
P.S: my backend is .net core 2.2,
Thanks
I can recommend below solution,
Host your APIs on Azure API app and import it to APIM. Then Configure IP restriction on API APP using the IPs of APIM. That mean, only APIM can access your API host. or you can implement client certification authentication between APIM and API host.
https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates
02.Next enable subscription key/API key on APIM and keep these key on Azure key vault. So you don't need to hard code these keys on frontend. I hope you host this Angular app on Azure. (I am not Angular expert...just check online for docs)
https://learn.microsoft.com/en-us/azure/key-vault/quick-create-node
03.Later based on your scenario, If need you can apply Rate policies.
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/api-management/api-management-sample-flexible-throttling.md
I have a c#-based program that can send messages and files to our SlackWorkspace via my SlackApp (I'm using HttpClient to communicate with Slack).
Now, to distribute this program in my workspace and to make it so that every user will have his own identity, it says that I have to use OAuth and create verification-tokens, specific for each user.
It says in the Slack-documentation I have to use a redirect-URL (as per docs) to my own server.
We have a server that I potentially could use for this. But I have never done anything like this before and I am unclear on what "answer" I have to provide from our server. I thought the verification-process would be handled by Slack.
Anyone has an idea on how to approach this?
And before anyone asks - yes we need to install it for everyone and make them identifiable as themselves. We can't use the "SlackApp" as user. :)
I would be very grateful for code examples(in c#) and explanations on how this whole redirect-thing is working.
Slack uses the standard Oauth 2.0 protocol to authenticate apps, similar to Google and Facebook.
So the "verification-process" is indeed mostly handled by Slack (as outlined here), but your Slack app needs to initiate it and handle the responses properly. Also its a multi-step process and includes the user having to login into Slack with their credentials. This why you need a web app to handle the whole process.
To enable a Slack app to generate tokens via Oauth a web app is needed:
can be reached from the Internet
able to handle HTTP requests like a web server
has persistent storage for the newly generated tokens
This is probably easier to implement with ASP.NET Web Pages, which can utilize many functions from an existing web server.
But for this answer, lets look on an implementation in .NET Core. For that we need to create our own web server and some rudimentary session handling. Main concepts include:
HttpListener class for providing fundamental ability to listen and respond to HTTP requests
Handle multiple requests in parallel
Cookies / Session handling
MD5 hashes
The details go a bit beyond the scope of one answer. But I am happy to share a working example implementation on this GitHubGist.
Btw: For the local development of such a web app its recommend to use a VPN tunnel like ngrok, that allows one to expose a local machine securely to the Internet and Slack.
I'm developing some small services that interact with a .net framework application. These services have UI components that require authentication and will be hosted separately, but we have a requirement to use the existing login page. I'm hoping to set up IdentityServer4 as an authorization authority, and set up the legacy application as a OIDC provider.
The problem is that I have yet to find any information on how to do that in .net framework. I can't convert the legacy application to use .net core or owin hosting, which rules out identityserver3/4 as providers. DotNetOpenAuth is not certified as a provider and does not appear to provide a standard openid interface.
What libraries or patterns can I use to solve this problem?
EDIT: after some review, what I'm mostly looking for is a middleware that would let me convert a webforms authentication to an OIDC identity.
Well.. you can start by reading http://openid.net/specs/openid-connect-core-1_0.html..
I faced the same problem a month back..
There are probably 4-6 specification documents that are dependent on this. you would have to read those as well (there is no shortcut) and you might want to start by making sequence diagrams on the get and post requests..
Amongst all this , read and implement a small jwt project which will help clear out your conception on how bearer tokens are used ( this involves how to create and validate bearer tokens)
Once you know jwt and have the sequence diagrams with you.. you can make improvisations and add more parameters..OpenId would seem relatively simpler
Also, do not forget to test your application with a third party client like postman or fiddler.
Hope this helps! All the best.
I'm looking for SSO options for .NET/C# and so far came across OpenID and DotNetOpenAuth. Have yet to look into them in detail but just wanted to ask for some suggestions of what else I should consider.
I'm looking to implement SSO for Google & Facebook, and ideally it would be a single 3rd party library that supports both, trying to avoid manually implemented each one.
If you've dealt with this previously, please share the approach/tools used.
Thanks in advance!
OpenID and DotNetOpenAuth are by far your best options.
Helpful Link for DotNetOpenAuth
http://www.tkglaser.net/2012/03/single-sign-on-using-facebook-in-asp.html
EDIT: DotNetOpenAuth home:
http://www.dotnetopenauth.net/
Helpful Link for OpenID
http://www.hanselman.com/blog/TheWeeklySourceCode25OpenIDEdition.aspx
One other thing you might want to look into is the use of Azure ACS.
Here's an example enabling Windows Live and Facebook.
I've also used it against google credentials.
In this approach, you actually configure your application to interact only with Azure ACS, and configure which identity providers you want to enable through Azure's UI. So your application doesn't need to worry about each provider separately, and you could indeed add more providers without changing a single line of code in your application.
Does anyone have any examples or advice for how to go about using oAuth to provide the authentication mechanism for an API that should be publicly exposed?
Specifically I'm talking about being an oAuth provider for my own API, not integrating or authenticating with anyone else's API.
For example, I wish to be able to issue API keys to developers that they can use to authenticate and access my API, much in the same way Flickr does, and as far as I believe oAuth can support this, but I'm not sure how the solution would be structured?
It appears that DotNetOpenAuth has an example by the way of the OAuthSeviceProvider project in the Samples folder included in the distribution. It's written in WinForms and isn't cleanly written but definitely serves as a good starting point.