I'm looking for SSO options for .NET/C# and so far came across OpenID and DotNetOpenAuth. Have yet to look into them in detail but just wanted to ask for some suggestions of what else I should consider.
I'm looking to implement SSO for Google & Facebook, and ideally it would be a single 3rd party library that supports both, trying to avoid manually implemented each one.
If you've dealt with this previously, please share the approach/tools used.
Thanks in advance!
OpenID and DotNetOpenAuth are by far your best options.
Helpful Link for DotNetOpenAuth
http://www.tkglaser.net/2012/03/single-sign-on-using-facebook-in-asp.html
EDIT: DotNetOpenAuth home:
http://www.dotnetopenauth.net/
Helpful Link for OpenID
http://www.hanselman.com/blog/TheWeeklySourceCode25OpenIDEdition.aspx
One other thing you might want to look into is the use of Azure ACS.
Here's an example enabling Windows Live and Facebook.
I've also used it against google credentials.
In this approach, you actually configure your application to interact only with Azure ACS, and configure which identity providers you want to enable through Azure's UI. So your application doesn't need to worry about each provider separately, and you could indeed add more providers without changing a single line of code in your application.
Related
We have a whole bunch of clients that want us to start using their ADFS to allow their users into our web app using Single-Sign-On.
After reading up on WIF (which seemed to be the solution at first but is deprecated in VS 2013...), OWIN, oAuth, OpenID Connect, I'm completely confused as to the simplest way to implement SSO.
What is the best and simplest technology to use to implement SSO on an existing VS 2013 json restful service written in C#?
Ideally the technology would already be part of .NET.
Are there any code samples or tutorials out there for this scenario?
assuming that you want to consume your service from native clients, I would recommend that you protect your service using Web API middleware (which was already supported via OWIN middleware in VS2013) and implement your clients using the ADAL library. For a post specifically on ADAL and ADFS, see this. For more details on the Web API side of the solution, see this. If you want to target a variety of client platforms, you can find a complete collection of samples (for Azure AD, but easy to modify for ADFS) here.
This can be implemented through WSO2 IS as Relying Party in ADFS. When we will implement this setup the outcome/Income claims will be main source for User Profile load to WSO2IS for authentication and pass the SAML Response to SP(End URL of your application).
Refer the below links to configure WSO2 IS as relying party for ADFS and WSO2 IS configuration too.
https://omindu.wordpress.com/2015/06/19/setting-ad-fs-3-0-as-federated-authenticator-in-wso2-identity-server/
SSO would mean its Active Directory driven, or direct to IIS machine.config authentication instead of a web.config, but also considering the "simplest technology" you've mentioned, then this must be a call for something simple yet you can transform into what you really desire.
With this, we can refer to token-based web services authentication.
Here's a sample project from which I started and able to transform into something else. From here I think you can then change all authentications into AD or DB connect, or even both across your web services.
http://www.codeproject.com/Articles/9348/Web-Service-Authentication?fid=145460&df=90&mpp=25&prof=False&sort=Position&view=Normal&spc=Relaxed&fr=26#xx0xx
hopefully this would help.
I am trying to set up an IDP-Initiated SSO. I am helping out the IT department at the company I work at and do not have access to Active Directory right now (I am in intern doing IT in another department and they seem to think I can test without it).
The only data I need to get from AD is the user's login id, so in theory I don't think not having access to AD will be a problem...?
(Username should be the same as .NET's:
`Environment.UserName; ')
My task is to basically create a SAML token and send it to our RP (on another domain), who should take care of the rest.
Where can I start? I've not done something like this, so I'm sort of confused. I believe I just need to build a token and then post it, but I'm not sure how to begin. I've looked at some tutorials but they don't seem to fit my situation. If anyone has any tutorials on my specific case it would be much appreciated.
Thank you!
You've tagged this C# and .NET so looks like you live in the Microsoft world.
The normal way to do this is via ADFS and then configure your RP.
But you want to do IDP Initiated which is a SAML feature. What protocol does your RP support? There is no client-side Microsoft SAML support - although there are 3rd party tools.
Update
Suggest using ADFS - good example of how to configure here.
Years ago I wrote a 6 part tutorial on integrating a custom STS with the ADFS. Part 2 of that tutorial is on creating a custom STS.
http://www.wiktorzychla.com/2011/08/quest-for-customizing-adfs-sign-in-web.html
Note that the tutorial aims at WIF 4 that was a separate download at that time. Nowadays, WIF is integrated with .NET 4.5 so that some subtle details (namespaces etc) can vary.
Also note that WIF supports SAML 1.1.
What the the Open source Library available in the C#.NET for the SSO.
Basically I want to connect with Google SSO then will further continue with other providers.
Check out: DotNetOpenAuth
Also, you may want to check the following links:
http://msdn.microsoft.com/en-us/library/ms972971.aspx
http://weblogs.asp.net/hernandl/archive/2004/06/09/ssoformsauth.aspx
The Windows Identity Foundation (WIF) is Microsoft's official library for identity federation.
In your scenario you can also use Access Control Service (ACS) to federate identity with Google, Yahoo!, etc. All of them (and more) are supported out of the box.
Samples, documentation, etc. available here: http://claimsid.codeplex.com
If you have a bit more control over your servers, Shibboleth might be an option as well. It actually simplified a large portion of our application that serves thousands of users and it is well thought out, flexible, and scalable. Basically, define a directory that should be watched for credentials and Shibboleth takes care of the rest.
You should use DotNetOpenAuth, as stated in Kamyar's answer. If you want to see a whole implementation using DotNetOpenAuth and other series of auxiliary libraries, you should have a look at this article:
Integrating OpenID in ASP.NET Web Forms using DotNetOpenAuth
I'd like to implement OpenID in a new application using ASP.NET 2.0 and SQL Server 2005.
I chosen Twitter, Facebook and Google as potential OpenID providers.
I've found the Twitter implementation in .NET and I was studying Google's OpenID implementation, but I want to make sure that my design is (mostly!) flawless.
Is my database schema correct? I've associated a Reader with an ProviderOpenID which contains only a nullable Name column. I store the OauthToken and use that at every request to gain access to his profile and verify the login. Am I missing something?
Can anyone tell me if there is an Open Source Library for the .NET implementation of the OpenID provider for Google? I found the following tutorial on Google but I don't understand how it works. Has anyone tried this? Is this the best way to do this?
Facebook and Twitter are not OpenID Providers. It looks like you've already found solutions to their proprietary mechanisms however. But I just wanted to clarify what it is and isn't.
Yes, Google is an OpenID Provider. And for ASP.NET 2.0 DotNetOpenId, which you linked to, is the way to go IMO. Don't mind the wiki (which was down at the time but is up now). That's to the new DotNetOpenAuth library which targets .NET 3.5. Since you're targeting .NET 2.0 specifically (is this intentional?) you need to go with the DotNetOpenId that is on the Google Code project site (http://dotnetopenid.googlecode.com/) and ignore the "We've Moved" link, since that leads you to the .NET 3.5 library. What you want is DotNetOpenId v2.5.5. It comes with samples that show you how to get OpenID going.
Note that Google has a few peculiarities with how they do OpenID, the most notable of which is that typing "google.com" as the openid identifier doesn't work (currently). You have to type the longer https://www.google.com/accounts/o8/id
I think I was listening to a dotnetrocks podcast about the guy that wrote this tool authentication tool:
https://rpxnow.com/.
I have an Idea for a simple webApp that would cross-link information from Evernote to Google Calendar. I was able to find a good Evernote Quickstart project but I am now searching for something to start with to begins accessing Calendar. Please advise if you know any good resources with code samples that would show me how to do the dirty work (i mean the authetication either via OAuth/AuthSub).
From what I have read about using OAuth with Google, it seems that you have to have a registered domain - I need to be able to access the service from my laptop's development server, so I guess I must stick with AuthSub.
When I 'googled' for this topic I found many questions similar to mine, yet none of them has been answered in satisfactory way.
Thank you in advance for your help.
UPDATE: I'm starting to think that either I am missing something or nobody is using AuthSub in ASP.NET...
I've recently created a sample how to use Google OAuth in ASP.NET and Google using the Dotnet OpenAuth library:
Using Google OAuth in asp.net
I hope this sample helps :)
Dominik
UPDATE March, 2015
By April 20th, Google will no longer support this api - Therefore I needed to migrate to OIDC. See my recent article here:
OIDC lightweight library for asp.net
In order to use OAuth, you must register your domain with Google at the following page: https://www.google.com/accounts/ManageDomains. This registration will give you the credentials you need to sign your OAuth requests. However, you could still specify a different oauth_callback url in the user authorization url. So the registered domain is not related to the oauth_callback.