I need to implement Single Sign On for two different C# Windows Forms apps
Do you know a good framework that does this ?
When a user logs in, you can also store in the Users table some unique ID of the PC (e.g. PC name, IP address, ...), on which the user is working. Every time an SSO-capable C# app starts on some PC, it can check in DB first whether the ID of the PC is present in the Users table (in the record of a logged-in user). If yes, then it can skip the login form, and e.g. show the name of the user it found as the current one.
You can set the granularity of the SSO to any level you want. For example, if a subnet address is stored in the Users table, then the users of the PCs in this subnet have to log-in only once. If the GUID of the current Windows user is stored, then logging out of Windows and logging in as a different user will require another log-in to the system.
I don't know of a framework. Here's a guidance page from Microsoft that outlines the overall strategy to use: http://msdn.microsoft.com/en-us/library/ms972971.aspx. Hopefully it can help get you started.
Related
I am using office 365 credentials to login to windows 10 machine. I have written a desktop winform application in c# where I just want to get email address and ad group assigned to that login user.
I don't want to relaunch login from desktop app. Just want to use existing user info to get email address and user groups. I am only able to get local groups assigned to that user but required AD groups too.
You must throw login challenge from your desktop app at least once to get the auth token to be able to query graph api (details in the next para) and keep the token cache so that it does not prompt the user again next time onwards. There is no other way I am aware of. You need to create a native client app in AD (or if you want to reuse some existing one, that will do too) and grant Graph API user.read permission to it. Here is an end-to-end guide for that. https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-windows-desktop (well, the example is for WPF, but Winforms would be very similar except the XAML part). If you follow this example, the login screen which will show for the first time will automatically have O365 Windows logged-in user populated (because of .WithPrompt(Prompt.SelectAccount) part in the bootstrapping) if that gives a bit of relief to you app users.
Once you get the access token, you need to query Graph API for that. Here is the programmatic way (C# based on your tag in the question) to get the user details for a logged in user (me) and to get the user groups for the user (me).
I need unique id to save user purchases to my database. i dont need device id because if user change microsoft store account then device id will be same to previus.
I want to a leaderboard to most users purchases but i dont know him id if user change own device .
The best you could do would be to have their app call StoreContext.GetUserCollectionsAsync from the UWP app on the user machine, then forward these results to your services. This isn’t really all the purchase, but is all the things the user currently owns.
Or, using your UWP app again, just keep track of it immediately after the purchase succeeded. But I don’t think there is any way to look up their purchase history directly.
A more complicated solution would be to use the B2B APIs. This would allow them to query the collections service directly from their service. This is probably the closest to what you are wanting. The token that get back would be unique to the user (not device).
I'm pretty sure it does not get it from AD, although we are using AD internally. THe issue I am having is with an app that gets the current users name with user.identity.name, and tacks on the #mycompany.com then uses it to send emails from within the app. The problem is some folks with over 20 char names are failing to send email because their name gets cut off. So I am assuming user.identity.name is grabbing the SAMAccountName. I am going to fix it by grabbing the userPrincipalName from AD, but I am hoping to verify whether or not user.identity.name gets its value from the samaccountname.
EDIT to add more info. In this particular case, it is a WinForms app running on an internal server. We use Forms Authentication to authenticate against AD (at least that is how it was explained to me ). So if user.identity.name is in fact pulling from AD in this case, is there a way to specify the UPN instead of sam account name?
Depend on where you are using it. In a standard (WinForms) application, it come from the OS based on who's logging in. That may have come from AD if the user is part of a domain. Or it may be just from the OS's internal list of defined users.
For a Web application, it comes from the AuthenticationProvider, which may also get it from AD, or from a database, et al.
The users of my application run the application on Laptops and I need the app settings to change based on the location of the currently logged in user. I want the app to use one group of settings when they are plugged into their HQ domain and different settings when they are out roaming away from the office.
How can I programmatically detect this?
You can send query into ActiveDirectory, as described here, with current user name
IPrincipal threadPrincipal = Thread.CurrentPrincipal;
threadPrincipal.Identity.Name
my c#.net winforms application which uses sql server 2005 express , would be run by three users, & i want to give different user id & passwords to each of them, so in this case which security feature of SQL SERVER should i use?
application roles --can application
roles be used for this, or do
application roles provide only one
credential for the whole
application?
create a table for userids &
passwords
create new logins for each user to
connect to sql server and grant
permissions to each login
my application would be installed on 3 machines, server-SVR , Clients-c-1,c-2. all on LAN with windows xp.
can i create multiple application roles for a single application? i mean that if i have 3 forms in the application. can all 3 forms use different application roles ?
You could create roles in SQL Server, let's say YourAppSuperRole, YourAppNormalRole, YourAppReadOnlyRole, and then grant object permissions to each of those roles, e.g. grant insert on sometable to YourAppSuperRole. or grant select on sometable to YourAppReadOnlyRole. Then, however you create users in your database, whether they be SQL Server users or domain users, you add the user to the appropriate role. That's how you'd implement security on the database objects. How you handle the GUI/presentation-layer experience can be disconnected from the back-end. You could identify the Windows domain user, or create application users and require logon using those users, and then govern the GUI behavior accordingly. E.g. you might remove the SAVE RECORD button from the user who you've placed in the Readonly role.
EDIT: I think the simplest way would be to use the Windows domain user. Grant db access to the domain users in the back-end, and add those users to the appropriate back-end roles (to determine what they can see/change in the back-end). Then, in the GUI, adapt the graphical behavior to the domain user who is using your app. If you didn't remove the Save button from the form, the readonly role user could click it but the update would fail. So you'd typically not offer that user the apparent capability to do things they lack permission to do.
My guess is you want to have different users run the application with different roles (permissions and abilities and access to features in your app).
I wouldn't use SQL Server security to give them different "application roles". Just define one server user for your application. Then use some way of identifying the user (NTID, or login using some username/password table you have in your database) and use that to configure their experience in your application.