I want to implement/enable SSO (Single Sign On) on my Asp.Net MVC applications.
Please consider the points below below for your kind suggestions:
I have 3 Asp.Net MVC applications where I want to enable SSO for them.
I know I can achieve SSO by ADFS (Active directory Federation Services), but I don't want to use it as I want my external users (end-users) to login in all my 3 applications via SSO.
(Correct me If I wrong here because as far as I know, ADFS can be used for Active Directory users (meaning company-wide internal users) and not for external end-users. If we can use ADFS for external users, please do let me know how we should achieve it.
I also don't want to use OpenID.
I want to build SSO own for these 3 applications and want to enable SSO between them.
I want to build SSO that can be used in production environment for
these 3 applications.
Could you please give me your suggestions on it about how would I achieve SSO by considering all above points?
Thanks in advance and all suggestions are welcome!
Are your applications in the same domain? If so, can you use Forms Authentication Across Applications?
The suggestion would be to use the IdentityServer (http://thinktecture.github.com/Thinktecture.IdentityServer.v2/), a replacement for ADFS, which uses the same authentication protocol (WS-Federation) but allows you to plugin your custom membership provider.
In addition, the IdentityServer supports some features ADFS lacks and is quite extensible.
Related
I am trying to make use to IdentityServer4 for authentication and authorization. We have set of new and existing applications.
At this moment in time we have:
- 1 ReactJs application - (there is no authentication as it's a new application) but it will use Implicit Flow using oidc-client
- 1 quite old Web Form application - which will possibly use Hybrid flow (I still need to figure it out)
- 2 .NetCore MVC web applications - they both will use Hybrid Flow
There are Few apis project that we want to protect using IDS4.
WebForm and MVC Applications both uses their own Web Services to talk to the some database to verify user credentials and let the user login to the application.
Eventually we want to migrate users from that existing database to a seperate User database. IdentityServer will also make use of this new User Database for SSO + Api Authrization.
I am thinking of creating a seperate api just for User Authentication (possibly AspNetIdentity as a webapi) and IdentityServer4 to communicate with this api to validate username/password? Does that seems right?
Also How do I configure IDServer4 to use Api for authentication rather than using services.AddIdentityServer().AddAspNetIdentity() which will directly talk to my AspNewIdentity database? and How to sure this api? Any samples I can find?
I had to do something like this, I found these useful
http://docs.identityserver.io/en/release/quickstarts/1_client_credentials.html
http://docs.identityserver.io/en/release/quickstarts/2_resource_owner_passwords.html
I used it to protect an api via users that came from Asp Identity.
Hope that helps.
IdentityServer4 doesn't really do users out of the box. The ASP.Net Identity integration just exists to get you up and running quickly. If you want to implement your own user store and sign in/out/up flows then you're totally free to do that however you want.
That said, I'm a fan of having the IDP own its own data - i.e. the users and their credentials. This helps keep you on the straight and narrow when it comes to not mixing authentication and authorization. The Auth in OAuth is client authorization don't forget.
I have created a Web API application, an MVC application, and a mobile application.
The Web API should be decoupled from the other two applications as much as possible. I'm using the Password Grant flow here: clients using the Web API needs to send a POST to /Token with username and password. The returned access token is then used for further calls to the API using standard Authorization: Bearer <access_token>.
The MVC application is only accessible for a select few users, and it has its own database which contains the information and roles of these users. Some parts of the MVC application should be restricted to only one or two users (for example), while other parts should be accessible for all registered users. This can be done by using Authorize attributes on the specific controllers within the MVC application - all good. Furthermore, the MVC application should be able to interact with the Web API.
Secondly, I want to have a mobile application to be able to interact with the Web API. A key point here is that I won't require users to register in the app. So essentially, (how it's in my head right now) the only thing the API would see is "this token belongs to the "AndroidApp" user and has password X - sure thing, you're known to me, I'll grant you access". This seems to me a bit 'insecure', meaning that all users of the mobile app will share the same auth credentials.
Questions:
User A is one of the users who are allowed to access the MVC application - I want him to be recognized by both the MVC app, and thereafter the Web API. Is there an easy way to synchronize data between two databases, or should I just register him in both databases (one for MVC, one for API)? There is probably a better third option I haven't thought about.
User B is a user of the mobile application, and he should not be able to access the MVC application. How can this be ensured? Obviously, the MVC user database won't have any info about mobile app users. I'm just wondering about the security aspect of just having one single pair of auth credentials embedded in the app - doesn't sound good to me.
I stumbled upon this question, which basically is the same as mine. But I don't really see the need for Authorization Code Grant flow for the web app (MVC application in my case) as the accepted answer suggests.
I hope my questions make sense, otherwise please let me know :)
My answer doesn't directly answer your question but rather offers an alternative.
In the past when developing similar solutions I've used a specialist third party identity service Auth0.
With Auth0 you can have different application keys, profiles and also create rules (webhooks) which are executed as part of the authentication pipeline. They offer a range of social login as well as AD integration. They offer free and paid pricing.
I am not affiliated with Auth0 in any way, but will use their service as the starting point for any projects going forward - Yes it's a really impressive service!
I'm somewhat new to ASP.NET MVC and I hoped you can help me with authentication for my app.
I have a MVC application that needs to be authenticated using SQL Server Log Ins. This means I have to create roles and users in SQL Server, and all security permissions are managed at Database level. Roles, users, and permissions aren't constant and we should be able to manage them.
Any suggestion? Is there anyway to override default behaviors of Identity to achieve this goal? What do you think is the best way to implement this need? Should I Use AD or DB Logins are fine?
Thanks in advance
Based on my working experience with diverse login mechanisms, I would like to suggest you the following route
Choose AD as your identity provider[IDP]
Register your application as an Relying Party [RP]
Get the federation metadata from AD to set up your application
In case you have your AD Server with ADFS 3.0, refer this link for a sample
In case of going through the OWIN Federation Middleware, it should be very easy for you with little development effort as given in this link
With ASP.Net MVC5 & Owin this task of yours should be a piece of cake
For Azure AD based samples, refer here or for first hand information, read this article
I want to authenticate a user using a third-party system when they hit a Controller or ApiController with the [Authorize] attribute, but I really don't want to have to create associated users and logins that OWIN requires in order to create the cookie that keeps the user session authorized, because our third-party system is already tracking that.
Normally, you'd map OWIN logins to external logins, but our system, as-is, is so tightly integrated with this third-party system that there are a bunch of reasons (that I won't go into) that we don't want to do that.
Is there a simple way to use ASP.NET MVC5 out of the box that allows you to authenticate to another system, and then mark the session as Authenticated without having to find/register them in OWIN?
Sorry if this isn't a lot to go on. I've not seen any way to go about this without perhaps implementing our own IAuthenticationManager, but I'm not even sure where I'd start to do that.
Thanks for any help you can offer.
I believe OAuth is the only ASP.NET SSO support you get out of the box. It would help if you elaborate on the nature of the third party authentication system, since you'll need to integrate with it in order to provide the SSO experience.
Here are a couple of blog posts explaining how to create custom OWIN authentication middleware, which seems to be what you'll need to do to set ASP.NET Identity based on some information from an external system (header, cookie, token, etc). I used the second approach to integrate with CA SiteMinder (commercial web authentication product).
Owin Auth 1
Owin Auth 2
I ended up solving this by creating my own implementation of IUserStore and its associated classes that wraps the third-party system.
I want to log in for 1 application and use the same login token to authenticate the second application. I have used the same application name so both applications use the same membership provider.....
I have 2 web applications, using asp.net 3.5, c#, hosted in IIS 7.0. I use the aspnet_membership provider for authentication/authorization
They are hosted side by side as 2 seperate applications . The question is can I log in for 1 application and be authenticated for the other by using the same log in....
Thanks in advance
Stuart
The technology behind Single Sign-On solutions cannot be explained in a few lines of code, it requires some reading/studying to look at the alternatives and how to implement them.
For instance you could take a look at this article about Single Sign-On using Active Directory Federation Services.
UPDATE:
Here is a blogpost about Single sign-on with Forms Authentication.
Its called Single Sign On - SSO and its fairly simple to do if your applications are hosted on the same domain (app1.domain.com and app2.domain.com - or - domain.com/app1 and domain.com/app2), its fairly straightforward to do so.
When you create a cookie using the Forms Authentication, set the domain as ".domain.com".
Also, both the Applications would have to use the same Machine Key within web.config.
Check out http://www.codeproject.com/KB/web-security/aspnetsinglesignon.aspx and http://weblogs.asp.net/hernandl/archive/2004/06/09/ssoformsauth.aspx