I am trying to set up an IDP-Initiated SSO. I am helping out the IT department at the company I work at and do not have access to Active Directory right now (I am in intern doing IT in another department and they seem to think I can test without it).
The only data I need to get from AD is the user's login id, so in theory I don't think not having access to AD will be a problem...?
(Username should be the same as .NET's:
`Environment.UserName; ')
My task is to basically create a SAML token and send it to our RP (on another domain), who should take care of the rest.
Where can I start? I've not done something like this, so I'm sort of confused. I believe I just need to build a token and then post it, but I'm not sure how to begin. I've looked at some tutorials but they don't seem to fit my situation. If anyone has any tutorials on my specific case it would be much appreciated.
Thank you!
You've tagged this C# and .NET so looks like you live in the Microsoft world.
The normal way to do this is via ADFS and then configure your RP.
But you want to do IDP Initiated which is a SAML feature. What protocol does your RP support? There is no client-side Microsoft SAML support - although there are 3rd party tools.
Update
Suggest using ADFS - good example of how to configure here.
Years ago I wrote a 6 part tutorial on integrating a custom STS with the ADFS. Part 2 of that tutorial is on creating a custom STS.
http://www.wiktorzychla.com/2011/08/quest-for-customizing-adfs-sign-in-web.html
Note that the tutorial aims at WIF 4 that was a separate download at that time. Nowadays, WIF is integrated with .NET 4.5 so that some subtle details (namespaces etc) can vary.
Also note that WIF supports SAML 1.1.
Related
I'm developing some small services that interact with a .net framework application. These services have UI components that require authentication and will be hosted separately, but we have a requirement to use the existing login page. I'm hoping to set up IdentityServer4 as an authorization authority, and set up the legacy application as a OIDC provider.
The problem is that I have yet to find any information on how to do that in .net framework. I can't convert the legacy application to use .net core or owin hosting, which rules out identityserver3/4 as providers. DotNetOpenAuth is not certified as a provider and does not appear to provide a standard openid interface.
What libraries or patterns can I use to solve this problem?
EDIT: after some review, what I'm mostly looking for is a middleware that would let me convert a webforms authentication to an OIDC identity.
Well.. you can start by reading http://openid.net/specs/openid-connect-core-1_0.html..
I faced the same problem a month back..
There are probably 4-6 specification documents that are dependent on this. you would have to read those as well (there is no shortcut) and you might want to start by making sequence diagrams on the get and post requests..
Amongst all this , read and implement a small jwt project which will help clear out your conception on how bearer tokens are used ( this involves how to create and validate bearer tokens)
Once you know jwt and have the sequence diagrams with you.. you can make improvisations and add more parameters..OpenId would seem relatively simpler
Also, do not forget to test your application with a third party client like postman or fiddler.
Hope this helps! All the best.
We have a whole bunch of clients that want us to start using their ADFS to allow their users into our web app using Single-Sign-On.
After reading up on WIF (which seemed to be the solution at first but is deprecated in VS 2013...), OWIN, oAuth, OpenID Connect, I'm completely confused as to the simplest way to implement SSO.
What is the best and simplest technology to use to implement SSO on an existing VS 2013 json restful service written in C#?
Ideally the technology would already be part of .NET.
Are there any code samples or tutorials out there for this scenario?
assuming that you want to consume your service from native clients, I would recommend that you protect your service using Web API middleware (which was already supported via OWIN middleware in VS2013) and implement your clients using the ADAL library. For a post specifically on ADAL and ADFS, see this. For more details on the Web API side of the solution, see this. If you want to target a variety of client platforms, you can find a complete collection of samples (for Azure AD, but easy to modify for ADFS) here.
This can be implemented through WSO2 IS as Relying Party in ADFS. When we will implement this setup the outcome/Income claims will be main source for User Profile load to WSO2IS for authentication and pass the SAML Response to SP(End URL of your application).
Refer the below links to configure WSO2 IS as relying party for ADFS and WSO2 IS configuration too.
https://omindu.wordpress.com/2015/06/19/setting-ad-fs-3-0-as-federated-authenticator-in-wso2-identity-server/
SSO would mean its Active Directory driven, or direct to IIS machine.config authentication instead of a web.config, but also considering the "simplest technology" you've mentioned, then this must be a call for something simple yet you can transform into what you really desire.
With this, we can refer to token-based web services authentication.
Here's a sample project from which I started and able to transform into something else. From here I think you can then change all authentications into AD or DB connect, or even both across your web services.
http://www.codeproject.com/Articles/9348/Web-Service-Authentication?fid=145460&df=90&mpp=25&prof=False&sort=Position&view=Normal&spc=Relaxed&fr=26#xx0xx
hopefully this would help.
I'm looking for SSO options for .NET/C# and so far came across OpenID and DotNetOpenAuth. Have yet to look into them in detail but just wanted to ask for some suggestions of what else I should consider.
I'm looking to implement SSO for Google & Facebook, and ideally it would be a single 3rd party library that supports both, trying to avoid manually implemented each one.
If you've dealt with this previously, please share the approach/tools used.
Thanks in advance!
OpenID and DotNetOpenAuth are by far your best options.
Helpful Link for DotNetOpenAuth
http://www.tkglaser.net/2012/03/single-sign-on-using-facebook-in-asp.html
EDIT: DotNetOpenAuth home:
http://www.dotnetopenauth.net/
Helpful Link for OpenID
http://www.hanselman.com/blog/TheWeeklySourceCode25OpenIDEdition.aspx
One other thing you might want to look into is the use of Azure ACS.
Here's an example enabling Windows Live and Facebook.
I've also used it against google credentials.
In this approach, you actually configure your application to interact only with Azure ACS, and configure which identity providers you want to enable through Azure's UI. So your application doesn't need to worry about each provider separately, and you could indeed add more providers without changing a single line of code in your application.
Does anyone have any examples or advice for how to go about using oAuth to provide the authentication mechanism for an API that should be publicly exposed?
Specifically I'm talking about being an oAuth provider for my own API, not integrating or authenticating with anyone else's API.
For example, I wish to be able to issue API keys to developers that they can use to authenticate and access my API, much in the same way Flickr does, and as far as I believe oAuth can support this, but I'm not sure how the solution would be structured?
It appears that DotNetOpenAuth has an example by the way of the OAuthSeviceProvider project in the Samples folder included in the distribution. It's written in WinForms and isn't cleanly written but definitely serves as a good starting point.
I'd like to implement OpenID in a new application using ASP.NET 2.0 and SQL Server 2005.
I chosen Twitter, Facebook and Google as potential OpenID providers.
I've found the Twitter implementation in .NET and I was studying Google's OpenID implementation, but I want to make sure that my design is (mostly!) flawless.
Is my database schema correct? I've associated a Reader with an ProviderOpenID which contains only a nullable Name column. I store the OauthToken and use that at every request to gain access to his profile and verify the login. Am I missing something?
Can anyone tell me if there is an Open Source Library for the .NET implementation of the OpenID provider for Google? I found the following tutorial on Google but I don't understand how it works. Has anyone tried this? Is this the best way to do this?
Facebook and Twitter are not OpenID Providers. It looks like you've already found solutions to their proprietary mechanisms however. But I just wanted to clarify what it is and isn't.
Yes, Google is an OpenID Provider. And for ASP.NET 2.0 DotNetOpenId, which you linked to, is the way to go IMO. Don't mind the wiki (which was down at the time but is up now). That's to the new DotNetOpenAuth library which targets .NET 3.5. Since you're targeting .NET 2.0 specifically (is this intentional?) you need to go with the DotNetOpenId that is on the Google Code project site (http://dotnetopenid.googlecode.com/) and ignore the "We've Moved" link, since that leads you to the .NET 3.5 library. What you want is DotNetOpenId v2.5.5. It comes with samples that show you how to get OpenID going.
Note that Google has a few peculiarities with how they do OpenID, the most notable of which is that typing "google.com" as the openid identifier doesn't work (currently). You have to type the longer https://www.google.com/accounts/o8/id
I think I was listening to a dotnetrocks podcast about the guy that wrote this tool authentication tool:
https://rpxnow.com/.