I have done some searching around both on here and also the web. I need to have SharePoint 2013 use an IP STS for authentication, but I can't use ADFS because the AD does not have all the users. I need to write my own IP STS but can't find any good examples.
I have found ThinkTecture's Embedded STS. While I can certainly dig in to an open-source project to see if it can do what I need, I just can't believe there aren't any examples of how to do this on the web. All the examples on MSDN assume you want to use ADFS with SharePoint which is more than presumptuous, and frankly annoying.
Does anyone know of any good resources I can use to roll my own IP STS other than wading in an open-source project from the get-go?
Why do you want to write your own? - there are a lot of other STS e.g. OpenAM, PingFederate etc. that you can use in place of ADFS. shibboleth is an widely used open-source STS that sits on top of a variety of identity repositories.
Writing a secure STS is hard.
Not sure what version of VS you have but VS 2010 had the ability to create a STS framework for you (plus templates) that you could build on and I suspect VS 2012 also had if you added the "Identity and Access Tool"?
Also: Building a simple custom STS using VS2012 & ASP.NET MVC among others.
Related
We have a whole bunch of clients that want us to start using their ADFS to allow their users into our web app using Single-Sign-On.
After reading up on WIF (which seemed to be the solution at first but is deprecated in VS 2013...), OWIN, oAuth, OpenID Connect, I'm completely confused as to the simplest way to implement SSO.
What is the best and simplest technology to use to implement SSO on an existing VS 2013 json restful service written in C#?
Ideally the technology would already be part of .NET.
Are there any code samples or tutorials out there for this scenario?
assuming that you want to consume your service from native clients, I would recommend that you protect your service using Web API middleware (which was already supported via OWIN middleware in VS2013) and implement your clients using the ADAL library. For a post specifically on ADAL and ADFS, see this. For more details on the Web API side of the solution, see this. If you want to target a variety of client platforms, you can find a complete collection of samples (for Azure AD, but easy to modify for ADFS) here.
This can be implemented through WSO2 IS as Relying Party in ADFS. When we will implement this setup the outcome/Income claims will be main source for User Profile load to WSO2IS for authentication and pass the SAML Response to SP(End URL of your application).
Refer the below links to configure WSO2 IS as relying party for ADFS and WSO2 IS configuration too.
https://omindu.wordpress.com/2015/06/19/setting-ad-fs-3-0-as-federated-authenticator-in-wso2-identity-server/
SSO would mean its Active Directory driven, or direct to IIS machine.config authentication instead of a web.config, but also considering the "simplest technology" you've mentioned, then this must be a call for something simple yet you can transform into what you really desire.
With this, we can refer to token-based web services authentication.
Here's a sample project from which I started and able to transform into something else. From here I think you can then change all authentications into AD or DB connect, or even both across your web services.
http://www.codeproject.com/Articles/9348/Web-Service-Authentication?fid=145460&df=90&mpp=25&prof=False&sort=Position&view=Normal&spc=Relaxed&fr=26#xx0xx
hopefully this would help.
I am trying to set up an IDP-Initiated SSO. I am helping out the IT department at the company I work at and do not have access to Active Directory right now (I am in intern doing IT in another department and they seem to think I can test without it).
The only data I need to get from AD is the user's login id, so in theory I don't think not having access to AD will be a problem...?
(Username should be the same as .NET's:
`Environment.UserName; ')
My task is to basically create a SAML token and send it to our RP (on another domain), who should take care of the rest.
Where can I start? I've not done something like this, so I'm sort of confused. I believe I just need to build a token and then post it, but I'm not sure how to begin. I've looked at some tutorials but they don't seem to fit my situation. If anyone has any tutorials on my specific case it would be much appreciated.
Thank you!
You've tagged this C# and .NET so looks like you live in the Microsoft world.
The normal way to do this is via ADFS and then configure your RP.
But you want to do IDP Initiated which is a SAML feature. What protocol does your RP support? There is no client-side Microsoft SAML support - although there are 3rd party tools.
Update
Suggest using ADFS - good example of how to configure here.
Years ago I wrote a 6 part tutorial on integrating a custom STS with the ADFS. Part 2 of that tutorial is on creating a custom STS.
http://www.wiktorzychla.com/2011/08/quest-for-customizing-adfs-sign-in-web.html
Note that the tutorial aims at WIF 4 that was a separate download at that time. Nowadays, WIF is integrated with .NET 4.5 so that some subtle details (namespaces etc) can vary.
Also note that WIF supports SAML 1.1.
I am building a set of services based on MVC 4. They should all be a part of the same authentication system. Currently I have got a separate project for all the model handling, including the Forms Authentication you get by default when making a new MVC 4 app.
Now, I would like to make a toolbar for logging in to our cloud services, and this toolbar must be made in such a way that it can be imported into our other services. Logging in with this toolbar should log you in to all our services, that are separated into different MVC apps. Thus logging in when browsing "service1" and then going to "service2", you should still be logged in with the same user.
Can anyone point me in the right direction here? Should I make a separate MVC app for this toolbar, and somehow reference it in all of my other projects? Should I export my controllers into a separate project and use them? I am not sure what the best practice is here, nor where to find the info I need on the matter.
Since you will be hosting your applications on different domains, you could implement some Single Sign On mechanism the way SO does it over the Stack Exchange network: https://meta.stackexchange.com/questions/64260/how-does-sos-new-auto-login-feature-work/64274#64274
Different domains means that you won't be able to share the Forms cookie. You should rather learn how to use one of the enterprise Single Sign-on protocols - using a recognized protocol means that you can easily integrate other applications, even if they are developed in different technologies (standarized protocols are supported by most development environments).
Possible candidates are:
the OAuth2 protocol. It is a respected protocol as Google, LiveID, Facebook, Twitter and others support it. To build an OAuth2 server you will need a framework like the DotNetOpenAuth.
WS-Federation. Got a lot of attention in .NET world as we got the Windows Identity Foundation framework which lets you create WS-Federation servers and clients.
Anyway, my advice is to invest your time now as this will pay off well in future.
I'm looking for SSO options for .NET/C# and so far came across OpenID and DotNetOpenAuth. Have yet to look into them in detail but just wanted to ask for some suggestions of what else I should consider.
I'm looking to implement SSO for Google & Facebook, and ideally it would be a single 3rd party library that supports both, trying to avoid manually implemented each one.
If you've dealt with this previously, please share the approach/tools used.
Thanks in advance!
OpenID and DotNetOpenAuth are by far your best options.
Helpful Link for DotNetOpenAuth
http://www.tkglaser.net/2012/03/single-sign-on-using-facebook-in-asp.html
EDIT: DotNetOpenAuth home:
http://www.dotnetopenauth.net/
Helpful Link for OpenID
http://www.hanselman.com/blog/TheWeeklySourceCode25OpenIDEdition.aspx
One other thing you might want to look into is the use of Azure ACS.
Here's an example enabling Windows Live and Facebook.
I've also used it against google credentials.
In this approach, you actually configure your application to interact only with Azure ACS, and configure which identity providers you want to enable through Azure's UI. So your application doesn't need to worry about each provider separately, and you could indeed add more providers without changing a single line of code in your application.
What the the Open source Library available in the C#.NET for the SSO.
Basically I want to connect with Google SSO then will further continue with other providers.
Check out: DotNetOpenAuth
Also, you may want to check the following links:
http://msdn.microsoft.com/en-us/library/ms972971.aspx
http://weblogs.asp.net/hernandl/archive/2004/06/09/ssoformsauth.aspx
The Windows Identity Foundation (WIF) is Microsoft's official library for identity federation.
In your scenario you can also use Access Control Service (ACS) to federate identity with Google, Yahoo!, etc. All of them (and more) are supported out of the box.
Samples, documentation, etc. available here: http://claimsid.codeplex.com
If you have a bit more control over your servers, Shibboleth might be an option as well. It actually simplified a large portion of our application that serves thousands of users and it is well thought out, flexible, and scalable. Basically, define a directory that should be watched for credentials and Shibboleth takes care of the rest.
You should use DotNetOpenAuth, as stated in Kamyar's answer. If you want to see a whole implementation using DotNetOpenAuth and other series of auxiliary libraries, you should have a look at this article:
Integrating OpenID in ASP.NET Web Forms using DotNetOpenAuth