Can I use WIF to authenticate on services like Gmail and Hotmail? - c#

Can Windows Identity Foundation allow us to connect to services and read contact information?
Here is an idea of WIF's advantages:
WIF externalizes authentication, passing it over to security token services (STS) and reducing the demands on individual developers. WIF also supports trust relationships where a service trusts anyone authenticated by the application accessing it. WIF provides support for single sign-on (SSO) for users by sharing an STS among applications. Developers can also, at run time, support both by creating a trust relationship between the application and service or by passing the user's credentials from the application to the service.

Depending on what you want to do, the answer is Yes.
Using Azure ACS federated to WIF e.g., you can connect to Facebook and get all the Facebook user attributes that you have asked for (provided that the user agrees during login to provide them). You can also connect to Google.
Or you can write your own custom STS federated to WIF that has some kind of interface on the other side that invokes a service and passes the details through e.g. using DotNetOpenAuth to handle the OpenID protocol. See StarterSTS as an example.

Watch this video as a starting point. There is a link for the source code and documentation, so you can see if the direction fulfils your needs.

Related

How to open a ADFS Login screen and capture the SAML

I am trying to capture a SAML token that my ADFS login gives me. I need to capture the SAML by browsing to the ADFS login page, let the user log in and then, when login is successful, return the SAML back to the application. The application then calls a WCF service passing the SAML token in the header. I have a URL like:
https://adfs.mydomain/adfs/ls/IdpInitiatedSignOn.aspx?RedirectToIdentityProvider=http://adfs.mydomain/adfs/services/trust&loginToRP=https://bcjbsj.com/client-api/api/saml
I need to get this working either in a Windows application or a console application. If this is not possible I can create an ASP.NET application also for testing. I have gone through many links but am not able to find anything that helps.
I may be missing something here. Quite new to authentication. Any help or pointers would be helpful.
This is easily accomplished using a technique (occasionally) called JavascriptNotify. The basic idea is to display a WebBrowser control that you extend via javascript to allow callbacks to your app code once authentication is complete. You need to provide either centrally or packaged with your app an SP-STS that presents the home realm discovery page and the final jsnotify page. The rest of the UI is handled by the trusted STS's. You can optionally use Azure ACS to fill this role.
See Authenticating Users from Passive IPs in Rich Client Apps – via ACS or Access Control Service: Transitioning between Active and Passive Scenarios for what the call sequence looks like.
To understand how to add the required window.external methods, see Invoke C# code from JavaScript in a Document in a WebBrowser. Thinktecture has an example client in WPF implementing javascriptnotify with JST.
As @Thuan mentions, the other option would be to abandon WS-Federation passive authentication in favor of WS-Trust active authentication. The downside in this approach is that it is far less flexible, and you must implement the client-side UI yourself. Having written apps that implemented both WS-Trust and WS-Fed RPs, I highly recommend WS-Fed passive authentication even for desktop apps.
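The JavascriptNotify pattern from the answer above, as an added example that is not code from the original answer or from the ACS/Thinktecture samples it links to: a WinForms host shows the sign-in pages in a WebBrowser control and receives the token through a window.external callback. The callback method name (Notify), the SP-STS host name and the sign-in URL are assumptions you would replace with your own; the only real APIs used are WebBrowser.ObjectForScripting and the COM-visibility attributes it requires.

```csharp
// Added example: a rich client that runs the WS-Federation passive sign-in flow inside
// a WebBrowser control and collects the token via window.external.Notify(token).
// Assumption: the final page served by your SP-STS contains script such as
//   window.external.Notify(tokenXml);
// "Notify", "sts.example.test" and the sign-in URL are placeholders.
using System;
using System.Runtime.InteropServices;
using System.Security.Permissions;
using System.Windows.Forms;

namespace PassiveSignInHost
{
    // The object page script reaches as window.external. It must be COM-visible;
    // expose only the single method the callback page needs.
    [ComVisible(true)]
    [PermissionSet(SecurityAction.Demand, Name = "FullTrust")]
    public class ScriptBridge
    {
        private readonly Action<string> onToken;

        public ScriptBridge(Action<string> onToken) { this.onToken = onToken; }

        // Invoked from JavaScript: window.external.Notify(token)
        public void Notify(string token)
        {
            if (!string.IsNullOrWhiteSpace(token)) onToken(token);
        }
    }

    public class SignInForm : Form
    {
        // Placeholder: only a page served from this host may hand us a token, because any
        // page loaded in the control (an IdP, an ad, a redirect) can call window.external.
        private const string TrustedCallbackHost = "sts.example.test";

        private readonly WebBrowser browser = new WebBrowser { Dock = DockStyle.Fill, ScriptErrorsSuppressed = true };

        public string Token { get; private set; }

        public SignInForm(Uri signInUrl)
        {
            Text = "Sign in";
            Width = 800; Height = 600;
            Controls.Add(browser);

            browser.ObjectForScripting = new ScriptBridge(token =>
            {
                Uri current = browser.Url;
                if (current == null || current.Scheme != Uri.UriSchemeHttps ||
                    !string.Equals(current.Host, TrustedCallbackHost, StringComparison.OrdinalIgnoreCase))
                    return; // callback came from an unexpected page: ignore it

                Token = token;
                DialogResult = DialogResult.OK; // closes the modal dialog
                Close();
            });

            browser.Navigate(signInUrl);
        }
    }

    static class Program
    {
        [STAThread]
        static void Main()
        {
            Application.EnableVisualStyles();
            // Placeholder: the home realm discovery page of your SP-STS.
            var signIn = new Uri("https://sts.example.test/signin?wa=wsignin1.0&wtrealm=urn:my-rich-client");
            using (var form = new SignInForm(signIn))
            {
                if (form.ShowDialog() == DialogResult.OK)
                {
                    // Token is whatever the page posted back. Validate it with WIF
                    // (signature, audience, expiry) before attaching it to the WCF call.
                    Console.WriteLine("Received a token of {0} characters", form.Token.Length);
                }
                else
                {
                    Console.WriteLine("Sign-in was cancelled");
                }
            }
        }
    }
}
```

The host check in the callback is the part worth keeping: the browser control will happily execute script from every page it visits during the redirect chain, so the application, not the page, must decide which origin is allowed to deliver a token.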
That endpoint is used for passive login (i.e. via browser) scenarios. For a Windows or console application, WS-Trust is a more appropriate approach. In short, your application uses the WS-Trust protocol to call ADFS to get a token that can be used to access a WCF service. Such a WCF service is called a claims-based or claims-aware service. This question has a bunch of good links: WCF, Claims, ADFS 3.0

How to execute code when authenticating with default providers?

I'm building a .net backend for my Azure Mobile Service.
I would like to execute code whenever someone authenticates with one of the default providers (i.e. Microsoft, Google, Facebook etc.).
Some examples of what I would like to do during authentication:
Associate their MS/Google/FB Account ID with my own user accounts
Add claims to the ServiceUser
To sum it up: is there any way to hook into the server side execution of MobileService.LoginAsync(provider) in a .net backend?
Yes, you should look at the custom authentication feature of Mobile Services, which should be flexible enough for your use case: https://azure.microsoft.com/en-us/documentation/articles/mobile-services-dotnet-backend-get-started-custom-authentication/
You might also be interested in the new AAD B2C offering, which has a lot of features that might fit your scenario: https://azure.microsoft.com/en-us/documentation/services/active-directory-b2c/

Authentication / authorization for different interfaces

I've got a Windows service where clients should be able to authenticate and authorize via different interfaces, but now I'm not sure what providers/classes/framework I should use.
Requirements on the security context:
Users
Groups
Roles
Requirements on the authentication methods:
Basic (username/password)
Windows Login (current)
Domain login
Certificate
The interfaces my service provides:
WCF host (WS-* conform)
OWIN based Web API (for e.g. mobile devices)
Now Microsoft provides like a thousand ways to accomplish such a task with numerous classes, frameworks... from the new ASP.Net Identity Model to Forms Authentication to Security Context (WCF) or Principals (Windows) - what I'm looking for is a set of tools that can be used preferably everywhere (persisting in database, passing to WCF client proxies, using with view models in WPF..) What could I use so I don't have to spend the rest of my life mapping classes and data and doing heavy complex domain logic instead of taking advantage of a certain framework?
ThinkTecture's excellent IdentityServer is probably the way to go. More information and downloads are here. Both build on the concept of federated authentication as provided by the Windows Identity Foundation (WIF) and Active Directory Federation Services (AD FS).
For blog posts on IdentityServer check out Dominick Baier's blog at leastprivilege.com.
For more info on WIF and AD FS, Vittorio Bertocci has a great book. You can also download a copy of Microsoft's Guide to Claims-Based Identity and Access Control.

Single-sign-on: Which direction should I go?

I have a SaaS web application that caters to multiple education institutions. All clients are hosted in the same application/database. The application is currently written in C# for ASP.Net 4 Web Forms.
Currently my application uses a local/native database for user authentication/authorization.
Our clients are asking us to support single-sign-on where the client is the authentication provider and my application the consumer.
The problem is that the clients are asking for SSO via different protocols/mechanisms like Shibboleth and OpenID Connect. This means I need-to/should create a solution that works with all of these or that is at least extensible.
I came across Thinktecture's IdentityServer, which I think can abstract the various SSO mechanisms used by my clients and return to my app a claims based identity token that my app understands.
I'm struggling a lot with this concept though. Does this mean that my app redirects all authentication requests to the IdentityServer, lets IdentityServer handle the back and forth of say OpenID Connect, and then receives a token back from IdentityServer with the information I need about the user? How does the identity server know the realm of the user (i.e. so it knows which client auth provider to send the user to)? Does the IdentityServer need to validate the existence of the user in my app's local/native database? Can the IdentityServer handle both SSO and local logins?
Is a separate identity server the way to go? It seems like it would be, allowing my app to integrate with one point (the identity server). But, there's not a lot of documentation out there on Thinktecture's IdentityServer other than how to configure it. ADFS may provide a similar solution, but most examples out there speak to ADFS and Azure.
Lastly, I'm assuming that I'll still maintain local/native authorization data about each user as the 3rd party authentication provider can't possibly know the specific authorization needs of my application.
Any thoughts or suggestions out there?
Does this mean that my app redirects all authentication requests to the IdentityServer, lets IdentityServer handle the back and forth of say OpenID Connect, and then receives a token back from IdentityServer with the information I need about the user?
Basically YES. But it depends on how you set it up. Your page could call Authentication provider of the client if you have only one client or one authentication provider. Or you could set up your local IdentityServer (more extensible IMHO) and configure authentication provider of your client as another IdP (identity provider).
How does the identity server know the realm of the user (i.e. so it knows which client auth provider to send the user to)?
If you go with the second option then your app will redirect to IdentityServer and based on home realm it will be automatically redirected to IdP. If no home realm is specified by your application then IdentityServer will show all configured IdPs and user chooses what IdP to authenticate at.
Does the IdentityServer need to validate the existence of the user in my app's local/native database?
It depends on you. If you wish to verify the existence of the user in your local database then you may do so by extending IdentityServer.
Can the IdentityServer handle both SSO and local logins?
Yes, it can.
Is a separate identity server the way to go? It seems like it would be, allowing my app to integrate with one point (the identity server).
You can always use IdentityServer and integrate it in your local application. Or you can use Shibboleth as your local authentication provider. Both implement standards like WS-Federation, WS-Trust or OpenID and both are open source, so you can extend/modify them to your liking.
But, there's not a lot of documentation out there on Thinktecture's IdentityServer other than how to configure it.
I can't really say how much documentation is there. But if you wish, NDC Oslo 2014 will feature 2 days of Pre-Conference Workshops where Dominick Baier and Brock Allen (authors of IdentityServer) will teach you everything you want to know.
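The two points the answer above makes, that the app redirects to IdentityServer with a home realm hint so the user lands at the right client IdP, and that authorization data stays local to the app, as an added example that is not code from the original answer or from IdentityServer itself. The WS-Federation query parameters (wa, wtrealm, wreply, wctx, whr) are the standard ones; the tenant table, realm names, URLs and the in-memory role table are constructed placeholders.

```csharp
// Added example: a relying party that (1) builds the WS-Federation sign-in redirect,
// choosing the home realm per tenant, and (2) keeps authorization local by merging
// roles from its own database into the federated identity after WIF validated the token.
// Tenant hosts, realm URNs, STS URL and the role table are constructed sample data.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Web;

public static class FederationHelper
{
    // Constructed: which IdP each institution authenticates at. The realm identifier is
    // whatever you registered for that IdP in IdentityServer.
    static readonly Dictionary<string, string> TenantHomeRealms =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "university-a.example.test", "urn:federation:university-a" },
            { "college-b.example.test",    "urn:federation:college-b" },
        };

    // Build the wsignin1.0 redirect. A known tenant gets a whr hint so the STS sends the
    // user straight to that IdP; otherwise the STS shows its own IdP selection page.
    public static string BuildSignInUrl(string stsEndpoint, string realm, string replyTo,
                                        string tenantHost, string context)
    {
        var query = HttpUtility.ParseQueryString(string.Empty); // URL-encodes on ToString()
        query["wa"] = "wsignin1.0";
        query["wtrealm"] = realm;   // identifies this RP to the STS
        query["wreply"] = replyTo;  // must be an address the STS has registered for the RP
        query["wctx"] = context;    // opaque state echoed back, e.g. the page to return to
        string homeRealm;
        if (TenantHomeRealms.TryGetValue(tenantHost, out homeRealm))
            query["whr"] = homeRealm;
        return stsEndpoint + "?" + query;
    }

    // Constructed: local authorization data, keyed by issuer + subject so that "alice"
    // at one institution is never confused with "alice" at another.
    static readonly Dictionary<string, string[]> LocalRoles = new Dictionary<string, string[]>
    {
        { "urn:federation:university-a|alice", new[] { "Instructor" } },
    };

    // The IdP proves who the user is; this app decides what they may do.
    public static ClaimsPrincipal AttachLocalAuthorization(ClaimsPrincipal federated)
    {
        var id = federated.Identity as ClaimsIdentity;
        if (id == null || !id.IsAuthenticated) return federated;

        Claim nameId = id.FindFirst(ClaimTypes.NameIdentifier);
        if (nameId == null) return federated;

        string[] roles;
        if (!LocalRoles.TryGetValue(nameId.Issuer + "|" + nameId.Value, out roles))
            return federated; // authenticated at the IdP but unknown here: no rights granted

        var local = new ClaimsIdentity(id.Claims, id.AuthenticationType, ClaimTypes.Name, ClaimTypes.Role);
        foreach (string role in roles)
            local.AddClaim(new Claim(ClaimTypes.Role, role, ClaimValueTypes.String, "LOCAL AUTHORITY"));
        return new ClaimsPrincipal(local);
    }

    public static void Main()
    {
        const string sts = "https://idsrv.example.test/issue/wsfed";
        Console.WriteLine(BuildSignInUrl(sts, "urn:saas-app", "https://app.example.test/signin",
                                         "university-a.example.test", "/dashboard"));
        Console.WriteLine(BuildSignInUrl(sts, "urn:saas-app", "https://app.example.test/signin",
                                         "unknown.example.test", "/dashboard")); // no whr

        // Stand-in for the principal WIF produces from the validated token.
        var claims = new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "alice", ClaimValueTypes.String, "urn:federation:university-a"),
            new Claim(ClaimTypes.Name, "Alice", ClaimValueTypes.String, "urn:federation:university-a"),
        };
        var federated = new ClaimsPrincipal(new ClaimsIdentity(claims, "Federation"));
        ClaimsPrincipal user = AttachLocalAuthorization(federated);
        Console.WriteLine("Instructor? " + user.IsInRole("Instructor")); // True
    }
}
```

Note that the federated identity arrives with no role claims, and the in-memory lookup stands in for the existing local/native database: the IdP cannot know the application's authorization model, so the app looks the user up and grants rights itself, exactly as the original question assumes.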

How do sites like Stack Overflow use a third-party login ID to log in to the site?

How do sites like Stack Overflow use a third-party login ID (Gmail, Blogspot) to log in to the site?
How to do this in ASP.NET? Give me an idea of how to implement this in my application.
I don't have an idea of where I have to start with this.
OpenID is a decentralized system for authenticating users via third-party OpenID providers, Google and AOL among them.
http://openid.net/
http://en.wikipedia.org/wiki/OpenID
http://weblogs.asp.net/plip/archive/2008/02/02/openid-in-asp-net.aspx
It's called OpenID; something specifically for ASP.NET you'll find here.
It's OpenID. You have a .NET client here. This client will allow you to create OpenID-enabled applications more easily.
From Wikipedia
OpenID is an open, decentralized standard for authenticating users that can be used for access control, allowing users to log on to different services with the same digital identity where these services trust the authentication body. OpenID replaces the common log on process that uses a login-name and a password, by allowing a user to log in once and gain access to the resources of multiple software systems. The term OpenID can also refer to an ID used in the standard.
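The OpenID relying-party flow the answers above describe, as an added example that is not code from any answer here or from the .NET client they link to, written against the public API of the DotNetOpenAuth library that the linked client is. It assumes an ASP.NET Web Forms page with a TextBox named openIdBox, a Button named loginButton and a Label named statusLabel, and uses a constructed in-memory dictionary where a real site would use its user table. OpenID 2.0 has since been retired by the large providers in favour of OpenID Connect, so treat the protocol mechanics, not the library, as the point.

```csharp
// Added example: an ASP.NET Web Forms login page using DotNetOpenAuth as an OpenID
// relying party. Step 1 discovers the user's provider and redirects there; step 2 runs
// when the provider redirects back and maps the asserted identity to a local account.
// Assumptions: controls openIdBox, loginButton, statusLabel exist on the .aspx page;
// LocalAccounts is a constructed stand-in for the site's user table.
using System;
using System.Collections.Generic;
using System.Web.Security;
using System.Web.UI;
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OpenId;
using DotNetOpenAuth.OpenId.Extensions.SimpleRegistration;
using DotNetOpenAuth.OpenId.RelyingParty;

public partial class Login : Page
{
    // Constructed: claimed identifier -> local user name. Key on the ClaimedIdentifier the
    // provider asserted, never on the text the user typed, which is attacker-controlled
    // and may differ from the canonical identifier after discovery.
    private static readonly Dictionary<string, string> LocalAccounts = new Dictionary<string, string>();

    protected void Page_Load(object sender, EventArgs e)
    {
        using (var relyingParty = new OpenIdRelyingParty())
        {
            // Step 2: is this request the provider's response?
            IAuthenticationResponse response = relyingParty.GetResponse();
            if (response == null) return; // ordinary page view

            switch (response.Status)
            {
                case AuthenticationStatus.Authenticated:
                    string claimed = response.ClaimedIdentifier.ToString();
                    string localUser;
                    if (!LocalAccounts.TryGetValue(claimed, out localUser))
                    {
                        // First sign-in from this identity: create a local account for it.
                        var sreg = response.GetExtension<ClaimsResponse>();
                        localUser = (sreg != null && !string.IsNullOrEmpty(sreg.Email))
                            ? sreg.Email
                            : response.FriendlyIdentifierForDisplay;
                        LocalAccounts[claimed] = localUser;
                    }
                    // The site's own session is still Forms Authentication; OpenID only
                    // replaced the password check.
                    FormsAuthentication.RedirectFromLoginPage(localUser, false);
                    break;

                case AuthenticationStatus.Canceled:
                    statusLabel.Text = "Sign-in was cancelled at the provider.";
                    break;

                case AuthenticationStatus.Failed:
                    statusLabel.Text = "Sign-in failed: " + response.Exception.Message;
                    break;
            }
        }
    }

    protected void loginButton_Click(object sender, EventArgs e)
    {
        // Step 1: normalize the identifier, discover the provider, redirect the user.
        Identifier id;
        if (!Identifier.TryParse(openIdBox.Text, out id))
        {
            statusLabel.Text = "That is not a valid OpenID identifier.";
            return;
        }

        using (var relyingParty = new OpenIdRelyingParty())
        {
            try
            {
                IAuthenticationRequest request = relyingParty.CreateRequest(id);
                // Ask the provider for an e-mail address (Simple Registration extension);
                // the user may still decline it at the provider.
                request.AddExtension(new ClaimsRequest { Email = DemandLevel.Request });
                request.RedirectToProvider();
            }
            catch (ProtocolException ex)
            {
                statusLabel.Text = "Could not reach the provider: " + ex.Message;
            }
        }
    }
}
```

The split between the two handlers is the whole pattern: the site never sees a password, the provider's signed assertion is what CreateRequest/GetResponse exchange, and the only thing the site stores is the identifier the provider vouched for, linked to a local account.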
