C# ASP.NET Single Sign-On Implementation - c#

I am tasked with implementing single sign-on for our customers as part of our next release. The flow exists as follows:
User logs into their school's main portal system using a student id/password provided to him/her by the school.
User clicks the link to my company's product.
User is automatically taken to the dashboard page as if they had just logged in through the login form on our site.
Thus, there are two mechanisms by which a user can be authenticated into our site:
Coming to our product's home page, and logging in using the email/password that we store in our local system.
Using the single sign-on where the student has already logged into the school's main system with a student id and password.
If our product's implementation is in ASP.NET (as opposed to Java/Ruby), should we be using CAS, JOSSO, or some other third party single sign-on product? Or is there something available to a .NET environment which would be simpler for us as a .NET company?

There are multiple options to implement SSO for a .NET application.
Check out the following tutorials online:
Basics of Single Sign on, July 2012
http://www.codeproject.com/Articles/429166/Basics-of-Single-Sign-on-SSO
GaryMcAllisterOnline: ASP.NET MVC 4, ADFS 2.0 and 3rd party STS integration (IdentityServer2), Jan 2013
http://garymcallisteronline.blogspot.com/2013/01/aspnet-mvc-4-adfs-20-and-3rd-party-sts.html
The first one uses ASP.NET Web Forms, while the second one uses ASP.NET MVC4.
If your requirements allow you to use a third-party solution, also consider OpenID. There's an open source library called DotNetOpenAuth.
For further information, read MSDN blog post Integrate OpenAuth/OpenID with your existing ASP.NET application using Universal Providers.
Hope this helps!

I am late to the party, but for option #1, I would go with
IdentityServer3(.NET 4.6 or below) or IdentityServer4 (compatible with Core) .
You can reuse your existing user store in your app and plug that to be IdentityServer's User Store. Then the clients must be pointed to your IdentityServer as the open id provider.

There are several Identity providers with SSO support out of the box, also some third-party** services.
** The only problem with third-party services is that they might charge per user/month, which can be pretty expensive.
Some of the tools available and with APIs for .NET are:
Auth0
IdentityExpress (with Admin UI) by IdentityServer
Centrify Identity Service
Okta Identity (SAML 2.0)
OneLogin
If you decide to go with your implementation, you could use the frameworks below categorized by programming language.
C#:
IdentityServer3 (OAuth/OpenID protocols, OWIN/Katana)
IdentityServer4 (OAuth/OpenID protocols, ASP.NET Core)
OAuth 2.0 by Okta
JavaScript:
passport-openidconnect (node.js)
oidc-provider (node.js)
openid-client (node.js)
Python:
pyoidc
Django OIDC Provider
I would go with Auth0 as a service, as it's free for the first 7000 users, supports many languages, and not much needs to be done. However, if you need a more robust, manage yourself, and cheaper solution, I would configure IdentityServer4 and ASP.NET Core application and add authentication providers as necessary.
Both Auth0 and IdentityServer4 solutions use OAuth/OpenID protocols, supporting also WS-Federation and SAML 2.0 integration.

[disclaimer: I'm one of the contributors]
We built a very simple free/opensource component that adds SAML support for ASP.NET apps https://github.com/jitbit/AspNetSaml
Basically it's just one short C# file you can throw into your project (or install via Nuget) and use it with your app

UltimateSAML SSO is an OASIS SAML v1.x and v2.0 specifications compliant .NET toolkit. It offers an elegant and easy way to add support for Single Sign-On and Single-Logout SAML to your ASP.NET, ASP.NET MVC, ASP.NET Core, Desktop, and Service applications. The lightweight library helps you provide SSO access to cloud and intranet websites using a single credentials entry.
Detailed UltimateSAML SSO review can be found here

Related

How to choose the right Microsoft.AspNetCore.Authentication alternative

I'm using AspNet Core identity for the authentication of my users. I want to connect to remote identity providers (Microsoft and Google). For Google, I think I'm fine with using Microsoft.AspNetCore.Authentication.Google (https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authentication.google).
For Micorosft I have a couple of options, though:
Microsoft.AspNetCore.Authentication.AzureAD
Microsoft.AspNetCore.Authentication.MicrosoftAccount
Microsoft.AspNetCore.Authentication.OpenIdConnect
I was first using Microsoft.AspNetCore.Authentication.AzureAD. Then I switched to Microsoft.AspNetCore.Authentication.MicrosoftAccount. I was assuming that this would not have much impact but it turned out that now all name-identifiers of my users have changed. So, appearantly there are differences.
I find it not very clear what the pros and cons of the different options are. Can someone help me make a good choice?
Microsoft.AspNetCore.Authentication.MicrosoftAccount
This namespace contains types that enable support for Microsoft Account OAuth based authentication.
It Enables users to sign in with their existing credentials:
1)Is convenient for the users.
2)Shifts many of the complexities of managing the sign-in process onto a third party.
For more details refer this document
Microsoft.AspNetCore.Authentication.OpenIdConnect
This namespace contains types that enable support for OpenIdConnect based authentication.And OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. It allows clients to request and receive information about authenticated sessions and end-users.
If you need to add authentication to an application and you want to use a third party as the authentication provider, then the recommended way to achieve this is using OpenId Connect.
Like Google or Facebook, OneLogin is also an OpenId Connect provider, which means that if you use OneLogin to store and manage the identities of your users, you can also use OneLogin to authenticate those users on your custom built apps.
For more details refer this document
Microsoft.AspNetCore.Authentication.AzureAD
 The libraries Microsoft.AspNetCore.Authentication.AzureAD packages. As Per the document, since ASP.NET core 5.0, users should use the Microsoft.Identity.Web package to integrate with Azure AD and Azure ADB2C.
To migrate from Microsoft.AspNetCore.Authentication.AzureAD to Microsoft.Identity.Web refer this document

using TOTP Microsoft authenticator for ASP.NET MVC

We already have a single authentication process using Active Directory for our home made web sites (simple login and password). Our AD is also on Azure (everything is synchronized).
Now we want 2 factors authentification using this: (Microsoft Authenticator) https://www.microsoft.com/en-us/account/authenticator
I've been searching for an exemple for a while, but most of the tutorials I found are about MVC CORE; I'm not using core, just regular MVC .Net Framework. Furthermore, the only tutorials I found using .Net framework were for Google authenticator, not Microsoft's one.
The intended behavior would be the same as when I connect to office 365, first I enter my password in the web site, then I receive a notification on my cell phone (for exemple), by approving the connection, I can have access to web content.
I'm still trying to figure out if this is even allowed, is Microsoft Authenticator only meant to be used for Microsoft developers or can we random developers use this app for our 2FA needs? Or is there a way to trigger the office 365 authentication windows?
If yes, they don't seem eager to share any code or tutorial for MVC .net Framework. (I'm still searching)
EDIT for comments:
Microsoft auth .Net Core documentation:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/mfa?view=aspnetcore-5.0
Google auth with .Net framework documentation:
https://medium.com/#henryhdelgado/2fa-with-google-authenticator-in-asp-mvc-4788c79c47
EDIT / Solution :
In case someone didn't borther reading the answer's comments, here's what I was actually looking for : https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-asp-webapp
In short: you don't need to do anything (provided that your application authenticates users using OIDC, which it will do if you're using Azure Active Directory or Office 365 with your application). Just flip the switch in your organization's O365 or AAD settings to require TOTP/2FA.
However, if your application is actually authenticating against on-prem AD (whether using Kerberos via the browser shell, or with "Forms authentication") and you can't make your web-application authenticate against AAD/O365 (not on-prem AD) and you don't have AD Federation working, then you're in for a world of pain because getting on-prem 2FA working is a massive undertaking that requires just as much work from your sysadmins as it does from you (and then your question would be closed for being "too broad", sorry!)
Authenticating against AAD/O365 can be done using any OIDC client library, though Microsoft does make a purpose-built library available on NuGet which works in .NET Framework applications in addition to .NET Core: https://www.nuget.org/packages/Microsoft.Identity.Client/ (formerly https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/ )
"Azure Active Directory" (AAD) is a misnomer btw, as it has very little to do with on-prem Active Directory. That said, if you're using Office 365 within your enterprise then you will already have AAD up-and-running - just be aware that it's still completely unrelated to Active Directory (as far as technology is concerned).
Using AAD/O365 for SSO basically means using OIDC (whereas on-prem AD is Kerberos, not OIDC) - so any OIDC library can be used with AAD/O365. The TOTP/2FA part is handled entirely by AAD/O365 so you don't actually need to do anything in your own application to handle TOTP/2FA.

Implement single sign on ASP .Net Web Application current using forms based authentication

We currently have an Asp .Net web application (Framework 4.5) using Forms based authentication. A few of our clients are asking for integration with their applications and does not want to have separate login accounts.
What would be the best way to implement this? The solution should be able to validate against different identity providers.
A consultant has suggested to convert the current web app to be claims-aware but not sure how to proceed with it or where to start .
Thanks for all your help.
Making an application claims-aware implies adding support for one of:
WS-Federation
SAML 2.0
OpenID Connect / OAuth
This then enables the application to talk to an IDP for SSO e.g. ADFS, Azure AD, identityserver, Auth0.
In the Microsoft world, web apps use the OWIN NuGet packages for WS-Fed (WIF) or OIDC. For SAML, look here.
Desktop apps use ADAL or the later version MSAL.
ADFS e.g. only authenticates against AD. If you want to authenticate against a DB as well, you federate ADFS with e.g. identityserver or Auth0 both of which have that ability.

Architecture to use .Net Core and SAML2 external IDP for Authorisation

We are starting a new project, the year is 2016, however we need to use an external SAML2 IDP for authentication (existing client accounts), no OpenId Connect. It will be predominantly an API written in C#.
I'm struggling to work out the best way to turn with the available technologies I know about. We'd really prefer to use .Net Core, but there seem to be no SAML functionality available. Which leaves us going back to Owin/MVC5/etc.
I believe Identity Server 3 has the functionality, but not Identity Server 4 yet.
There is also mention of JWT, with Aurelia.
Without stepping too far back down the older technology route, what would be the best modern solution to use SAML2 authenication in a 2016 c# web api application? I assume also using Claim based for authorisation.
EDIT: Due to people proposing closure of the question.
What I want to know, the ideal answer to the question would be... What is the way for me to be able to work with .Net Core, but have functionality to generate SAML2 tokens to pass to the external IDP.
The best way is to use a bridge using OpenID Connect / OAuth into the bridge and SAML out.
You could use IdentityServer 3 for this or ADFS 4.0 (Server 2016).
Update
.NET Core currently has no SAML support. It does support OpenID Connect / OAuth. So you could go:
RP --> OIDC --> RP IDP --> SAML --> IDP
where the RP IDP is the bridge.
If you don't want to use .NET Core, then there are SAML OWIN libraries available. Note that these are all open source - not supplied by Microsoft.
One of these is Kentor.

Single login across multiple domain asp.net [duplicate]

I am tasked with implementing single sign-on for our customers as part of our next release. The flow exists as follows:
User logs into their school's main portal system using a student id/password provided to him/her by the school.
User clicks the link to my company's product.
User is automatically taken to the dashboard page as if they had just logged in through the login form on our site.
Thus, there are two mechanisms by which a user can be authenticated into our site:
Coming to our product's home page, and logging in using the email/password that we store in our local system.
Using the single sign-on where the student has already logged into the school's main system with a student id and password.
If our product's implementation is in ASP.NET (as opposed to Java/Ruby), should we be using CAS, JOSSO, or some other third party single sign-on product? Or is there something available to a .NET environment which would be simpler for us as a .NET company?
There are multiple options to implement SSO for a .NET application.
Check out the following tutorials online:
Basics of Single Sign on, July 2012
http://www.codeproject.com/Articles/429166/Basics-of-Single-Sign-on-SSO
GaryMcAllisterOnline: ASP.NET MVC 4, ADFS 2.0 and 3rd party STS integration (IdentityServer2), Jan 2013
http://garymcallisteronline.blogspot.com/2013/01/aspnet-mvc-4-adfs-20-and-3rd-party-sts.html
The first one uses ASP.NET Web Forms, while the second one uses ASP.NET MVC4.
If your requirements allow you to use a third-party solution, also consider OpenID. There's an open source library called DotNetOpenAuth.
For further information, read MSDN blog post Integrate OpenAuth/OpenID with your existing ASP.NET application using Universal Providers.
Hope this helps!
I am late to the party, but for option #1, I would go with
IdentityServer3(.NET 4.6 or below) or IdentityServer4 (compatible with Core) .
You can reuse your existing user store in your app and plug that to be IdentityServer's User Store. Then the clients must be pointed to your IdentityServer as the open id provider.
There are several Identity providers with SSO support out of the box, also some third-party** services.
** The only problem with third-party services is that they might charge per user/month, which can be pretty expensive.
Some of the tools available and with APIs for .NET are:
Auth0
IdentityExpress (with Admin UI) by IdentityServer
Centrify Identity Service
Okta Identity (SAML 2.0)
OneLogin
If you decide to go with your implementation, you could use the frameworks below categorized by programming language.
C#:
IdentityServer3 (OAuth/OpenID protocols, OWIN/Katana)
IdentityServer4 (OAuth/OpenID protocols, ASP.NET Core)
OAuth 2.0 by Okta
JavaScript:
passport-openidconnect (node.js)
oidc-provider (node.js)
openid-client (node.js)
Python:
pyoidc
Django OIDC Provider
I would go with Auth0 as a service, as it's free for the first 7000 users, supports many languages, and not much needs to be done. However, if you need a more robust, manage yourself, and cheaper solution, I would configure IdentityServer4 and ASP.NET Core application and add authentication providers as necessary.
Both Auth0 and IdentityServer4 solutions use OAuth/OpenID protocols, supporting also WS-Federation and SAML 2.0 integration.
[disclaimer: I'm one of the contributors]
We built a very simple free/opensource component that adds SAML support for ASP.NET apps https://github.com/jitbit/AspNetSaml
Basically it's just one short C# file you can throw into your project (or install via Nuget) and use it with your app
UltimateSAML SSO is an OASIS SAML v1.x and v2.0 specifications compliant .NET toolkit. It offers an elegant and easy way to add support for Single Sign-On and Single-Logout SAML to your ASP.NET, ASP.NET MVC, ASP.NET Core, Desktop, and Service applications. The lightweight library helps you provide SSO access to cloud and intranet websites using a single credentials entry.
Detailed UltimateSAML SSO review can be found here

Categories

Resources