For a .net based web application what are all the options available for authorization?
I can use .NET Membership Provider or Windows Identity Framework. Is there any other solution from Microsoft? Any other solutions from third party?
Thank you,
Smith
You might consider using something like the "Windows Azure Access Control Service" (ACS). ACS brokers out authentication to various providers (like Live ID, Google, Yahoo, etc) and allows your users to use their existing identities to authenticate with your site.
Related
I'm using AspNet Core identity for the authentication of my users. I want to connect to remote identity providers (Microsoft and Google). For Google, I think I'm fine with using Microsoft.AspNetCore.Authentication.Google (https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authentication.google).
For Micorosft I have a couple of options, though:
Microsoft.AspNetCore.Authentication.AzureAD
Microsoft.AspNetCore.Authentication.MicrosoftAccount
Microsoft.AspNetCore.Authentication.OpenIdConnect
I was first using Microsoft.AspNetCore.Authentication.AzureAD. Then I switched to Microsoft.AspNetCore.Authentication.MicrosoftAccount. I was assuming that this would not have much impact but it turned out that now all name-identifiers of my users have changed. So, appearantly there are differences.
I find it not very clear what the pros and cons of the different options are. Can someone help me make a good choice?
Microsoft.AspNetCore.Authentication.MicrosoftAccount
This namespace contains types that enable support for Microsoft Account OAuth based authentication.
It Enables users to sign in with their existing credentials:
1)Is convenient for the users.
2)Shifts many of the complexities of managing the sign-in process onto a third party.
For more details refer this document
Microsoft.AspNetCore.Authentication.OpenIdConnect
This namespace contains types that enable support for OpenIdConnect based authentication.And OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. It allows clients to request and receive information about authenticated sessions and end-users.
If you need to add authentication to an application and you want to use a third party as the authentication provider, then the recommended way to achieve this is using OpenId Connect.
Like Google or Facebook, OneLogin is also an OpenId Connect provider, which means that if you use OneLogin to store and manage the identities of your users, you can also use OneLogin to authenticate those users on your custom built apps.
For more details refer this document
Microsoft.AspNetCore.Authentication.AzureAD
The libraries Microsoft.AspNetCore.Authentication.AzureAD packages. As Per the document, since ASP.NET core 5.0, users should use the Microsoft.Identity.Web package to integrate with Azure AD and Azure ADB2C.
To migrate from Microsoft.AspNetCore.Authentication.AzureAD to Microsoft.Identity.Web refer this document
I am tasked with implementing single sign-on for our customers as part of our next release. The flow exists as follows:
User logs into their school's main portal system using a student id/password provided to him/her by the school.
User clicks the link to my company's product.
User is automatically taken to the dashboard page as if they had just logged in through the login form on our site.
Thus, there are two mechanisms by which a user can be authenticated into our site:
Coming to our product's home page, and logging in using the email/password that we store in our local system.
Using the single sign-on where the student has already logged into the school's main system with a student id and password.
If our product's implementation is in ASP.NET (as opposed to Java/Ruby), should we be using CAS, JOSSO, or some other third party single sign-on product? Or is there something available to a .NET environment which would be simpler for us as a .NET company?
There are multiple options to implement SSO for a .NET application.
Check out the following tutorials online:
Basics of Single Sign on, July 2012
http://www.codeproject.com/Articles/429166/Basics-of-Single-Sign-on-SSO
GaryMcAllisterOnline: ASP.NET MVC 4, ADFS 2.0 and 3rd party STS integration (IdentityServer2), Jan 2013
http://garymcallisteronline.blogspot.com/2013/01/aspnet-mvc-4-adfs-20-and-3rd-party-sts.html
The first one uses ASP.NET Web Forms, while the second one uses ASP.NET MVC4.
If your requirements allow you to use a third-party solution, also consider OpenID. There's an open source library called DotNetOpenAuth.
For further information, read MSDN blog post Integrate OpenAuth/OpenID with your existing ASP.NET application using Universal Providers.
Hope this helps!
I am late to the party, but for option #1, I would go with
IdentityServer3(.NET 4.6 or below) or IdentityServer4 (compatible with Core) .
You can reuse your existing user store in your app and plug that to be IdentityServer's User Store. Then the clients must be pointed to your IdentityServer as the open id provider.
There are several Identity providers with SSO support out of the box, also some third-party** services.
** The only problem with third-party services is that they might charge per user/month, which can be pretty expensive.
Some of the tools available and with APIs for .NET are:
Auth0
IdentityExpress (with Admin UI) by IdentityServer
Centrify Identity Service
Okta Identity (SAML 2.0)
OneLogin
If you decide to go with your implementation, you could use the frameworks below categorized by programming language.
C#:
IdentityServer3 (OAuth/OpenID protocols, OWIN/Katana)
IdentityServer4 (OAuth/OpenID protocols, ASP.NET Core)
OAuth 2.0 by Okta
JavaScript:
passport-openidconnect (node.js)
oidc-provider (node.js)
openid-client (node.js)
Python:
pyoidc
Django OIDC Provider
I would go with Auth0 as a service, as it's free for the first 7000 users, supports many languages, and not much needs to be done. However, if you need a more robust, manage yourself, and cheaper solution, I would configure IdentityServer4 and ASP.NET Core application and add authentication providers as necessary.
Both Auth0 and IdentityServer4 solutions use OAuth/OpenID protocols, supporting also WS-Federation and SAML 2.0 integration.
[disclaimer: I'm one of the contributors]
We built a very simple free/opensource component that adds SAML support for ASP.NET apps https://github.com/jitbit/AspNetSaml
Basically it's just one short C# file you can throw into your project (or install via Nuget) and use it with your app
UltimateSAML SSO is an OASIS SAML v1.x and v2.0 specifications compliant .NET toolkit. It offers an elegant and easy way to add support for Single Sign-On and Single-Logout SAML to your ASP.NET, ASP.NET MVC, ASP.NET Core, Desktop, and Service applications. The lightweight library helps you provide SSO access to cloud and intranet websites using a single credentials entry.
Detailed UltimateSAML SSO review can be found here
I'm building a .net backend for my Azure Mobile Service.
I would like to execute code whenever someone authenticates with one of the default providers (i.e. Microsoft, Google, Facebook etc.).
Some examples of what I would like to do during authentication:
Associate their MS/Google/FB Account ID with my own user accounts
Add claims to the ServiceUser
To sum it up: is there any way to hook into the server side execution of MobileService.LoginAsync(provider) in a .net backend?
Yes, you should look at the custom authentication feature of Mobile Services, which should be flexible enough for your use case: https://azure.microsoft.com/en-us/documentation/articles/mobile-services-dotnet-backend-get-started-custom-authentication/
You might also be interested in the new AAD B2C offering, which has a lot of features that might fit your scenario: https://azure.microsoft.com/en-us/documentation/services/active-directory-b2c/
I am tasked with implementing single sign-on for our customers as part of our next release. The flow exists as follows:
User logs into their school's main portal system using a student id/password provided to him/her by the school.
User clicks the link to my company's product.
User is automatically taken to the dashboard page as if they had just logged in through the login form on our site.
Thus, there are two mechanisms by which a user can be authenticated into our site:
Coming to our product's home page, and logging in using the email/password that we store in our local system.
Using the single sign-on where the student has already logged into the school's main system with a student id and password.
If our product's implementation is in ASP.NET (as opposed to Java/Ruby), should we be using CAS, JOSSO, or some other third party single sign-on product? Or is there something available to a .NET environment which would be simpler for us as a .NET company?
There are multiple options to implement SSO for a .NET application.
Check out the following tutorials online:
Basics of Single Sign on, July 2012
http://www.codeproject.com/Articles/429166/Basics-of-Single-Sign-on-SSO
GaryMcAllisterOnline: ASP.NET MVC 4, ADFS 2.0 and 3rd party STS integration (IdentityServer2), Jan 2013
http://garymcallisteronline.blogspot.com/2013/01/aspnet-mvc-4-adfs-20-and-3rd-party-sts.html
The first one uses ASP.NET Web Forms, while the second one uses ASP.NET MVC4.
If your requirements allow you to use a third-party solution, also consider OpenID. There's an open source library called DotNetOpenAuth.
For further information, read MSDN blog post Integrate OpenAuth/OpenID with your existing ASP.NET application using Universal Providers.
Hope this helps!
I am late to the party, but for option #1, I would go with
IdentityServer3(.NET 4.6 or below) or IdentityServer4 (compatible with Core) .
You can reuse your existing user store in your app and plug that to be IdentityServer's User Store. Then the clients must be pointed to your IdentityServer as the open id provider.
There are several Identity providers with SSO support out of the box, also some third-party** services.
** The only problem with third-party services is that they might charge per user/month, which can be pretty expensive.
Some of the tools available and with APIs for .NET are:
Auth0
IdentityExpress (with Admin UI) by IdentityServer
Centrify Identity Service
Okta Identity (SAML 2.0)
OneLogin
If you decide to go with your implementation, you could use the frameworks below categorized by programming language.
C#:
IdentityServer3 (OAuth/OpenID protocols, OWIN/Katana)
IdentityServer4 (OAuth/OpenID protocols, ASP.NET Core)
OAuth 2.0 by Okta
JavaScript:
passport-openidconnect (node.js)
oidc-provider (node.js)
openid-client (node.js)
Python:
pyoidc
Django OIDC Provider
I would go with Auth0 as a service, as it's free for the first 7000 users, supports many languages, and not much needs to be done. However, if you need a more robust, manage yourself, and cheaper solution, I would configure IdentityServer4 and ASP.NET Core application and add authentication providers as necessary.
Both Auth0 and IdentityServer4 solutions use OAuth/OpenID protocols, supporting also WS-Federation and SAML 2.0 integration.
[disclaimer: I'm one of the contributors]
We built a very simple free/opensource component that adds SAML support for ASP.NET apps https://github.com/jitbit/AspNetSaml
Basically it's just one short C# file you can throw into your project (or install via Nuget) and use it with your app
UltimateSAML SSO is an OASIS SAML v1.x and v2.0 specifications compliant .NET toolkit. It offers an elegant and easy way to add support for Single Sign-On and Single-Logout SAML to your ASP.NET, ASP.NET MVC, ASP.NET Core, Desktop, and Service applications. The lightweight library helps you provide SSO access to cloud and intranet websites using a single credentials entry.
Detailed UltimateSAML SSO review can be found here
Can Windows Identity Foundation allow us to connect to services and read contact information?
Here is a idea of how WIF advantages:
WIF externalizes authentication,
passing it over to security token
services (STS) and reducing the
demands on individual developers
WIF
also supports trust relationships
where a service trusts anyone
authenticated by the application
accessing it.
WIF provides support
for a single sign-on (SSO) for users
by sharing STS among applications.
Developers can also, at run time,
support both by creating a trust
relationship between the application
and service or bypassing the user's
credentials from the application to
the service.
Depending on what you want to do, the answer is Yes.
Using Azure ACS federated to WIF e.g., you can connect to Facebook and get all the Facebook user attributes that you have asked for (provided that the user agrees during login to provide them). You can also connect to Google.
Or you can write your own custom STS federated to WIF that has some kind of interface on the other side that invokes a service and passes the details through e.g. using DotNetOpenAuth to handle the OpenID protocol. See StarterSTS as an example.
Watch this video as a starting point. There is a link for the source code and documentation, so you can see if the direction fulfils your needs.