Which claim of a x509 certificate should I use for M2M authorization? - x509certificate

I have two services written in asp.net core 6. Service A calls service B.
Both services are on the public internet.
I want to use an x509 self-signed certificate to authenticate service A's calls.
Which field (claim?) of the certificate should I use for authorization? Or should I be using the thumbprint?
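An added example for the question above (it is not the poster's code, and it is not part of the original page): with a self-signed certificate there is no issuer to vouch for the subject, SAN or any other field, so the only thing that identifies service A is the certificate itself, pinned by a hash of its DER bytes. The snippet below configures ASP.NET Core 6 certificate authentication (the Microsoft.AspNetCore.Authentication.Certificate package) on service B, compares the SHA-256 hash of the presented certificate with a pinned value, and only then copies subject information into claims for later authorization. The configuration key `ServiceA:CertSha256`, the claim names and the `/data` endpoint are assumptions made for the example.

```csharp
// Added example (not from the original post): service B pins service A's
// self-signed client certificate by SHA-256 hash in ASP.NET Core 6.
// Assumes the Microsoft.AspNetCore.Authentication.Certificate package and a
// Kestrel endpoint that requests client certificates.
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.Certificate;
using Microsoft.AspNetCore.Server.Kestrel.Https;

var builder = WebApplication.CreateBuilder(args);

// Constructed placeholder: the SHA-256 hash (hex) of service A's certificate,
// obtained out of band from the deployed certificate and kept in configuration.
var pinnedSha256 = builder.Configuration["ServiceA:CertSha256"]
                   ?? "PLACEHOLDER-SHA256-HEX";

builder.WebHost.ConfigureKestrel(kestrel =>
    kestrel.ConfigureHttpsDefaults(https =>
        https.ClientCertificateMode = ClientCertificateMode.RequireCertificate));

builder.Services
    .AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
    .AddCertificate(options =>
    {
        // A self-signed certificate has no chain to validate and no CRL/OCSP
        // endpoint; the hash comparison below is the actual trust decision.
        options.AllowedCertificateTypes = CertificateTypes.SelfSigned;
        options.RevocationMode = X509RevocationMode.NoCheck;
        options.Events = new CertificateAuthenticationEvents
        {
            OnCertificateValidated = context =>
            {
                var cert = context.ClientCertificate;

                // X509Certificate2.Thumbprint is SHA-1; hash the DER bytes with
                // SHA-256 instead and compare against the pinned value.
                var sha256Hex = cert.GetCertHashString(HashAlgorithmName.SHA256);
                if (!string.Equals(sha256Hex, pinnedSha256, StringComparison.OrdinalIgnoreCase))
                {
                    context.Fail("client certificate is not the pinned certificate for service A");
                    return Task.CompletedTask;
                }

                // Subject fields are informational once the hash has matched;
                // they are copied into claims so authorization policies can use them.
                var claims = new[]
                {
                    new Claim(ClaimTypes.Name, "service-a"),             // assumed caller name
                    new Claim("cert_sha256", sha256Hex),                  // assumed claim name
                    new Claim("cert_subject", cert.Subject),              // assumed claim name
                };
                context.Principal = new ClaimsPrincipal(
                    new ClaimsIdentity(claims, context.Scheme.Name));
                context.Success();
                return Task.CompletedTask;
            }
        };
    });

builder.Services.AddAuthorization(auth =>
    auth.AddPolicy("ServiceA", policy => policy.RequireClaim(ClaimTypes.Name, "service-a")));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Assumed endpoint: only the pinned certificate reaches this handler.
app.MapGet("/data", () => "hello from service B").RequireAuthorization("ServiceA");
app.Run();
```

Rotating service A's certificate means updating the pinned hash on service B; keeping the value in configuration rather than in code is what makes that a deployment change instead of a rebuild.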

Related

Provisioning JWKS public keys to spring application from pingfederate

We have a requirement to integrate our spring mvc web application with a ping federate authorization server. The ping federate server is in a secured intranet domain which the spring mvc web application can't access.
We are looking into getting the JWKS public keys from ping fed offline and storing them in the spring web application for validating identity tokens received from ping fed.
We would like to understand the following:
What is the best way to make the JWKS public keys from the ping federate authorization server available to the spring web app (not sure if ping fed can post these public keys to an API opened on the spring web app)?
Is there a set default timeline on which ping fed rotates the keys, if it does rotate them?

How to create OAuth 2.0 certificate-bound access tokens with a servlet

I wish to secure an API with OAuth 2.0 Mutual TLS Client Authentication. Here the client will send its certificate to the OAuth server (servlet). I want to generate a certificate-bound access token with the client certificate. I referred to this documentation: https://www.rfc-editor.org/rfc/rfc8705.html. I have understood how this authentication works, but I practically don't know how to store the client certificate hash in the JSON Web Key.
Can anyone tell me what the client certificate should contain, how to make a certificate hash and create JSON Web Keys to store the hash, and how I can validate the client with both the client certificate and the certificate-bound access token in the return request to the resource server (API)?
If there are any methods or ways of doing this, please suggest them.
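An added example for the question above (not the poster's code and not part of the original page): RFC 8705 does not store the certificate hash in a JSON Web Key. The authorization server puts `"cnf": {"x5t#S256": ...}` into the access token, where the value is the base64url encoding (no padding) of the SHA-256 hash of the client certificate's DER bytes, and the resource server recomputes that value from the certificate on the incoming mTLS connection and compares. The code is written in C# to stay with the language of the main question on this page rather than a Java servlet; it generates a constructed self-signed certificate with `CertificateRequest` so it runs offline, and the class and method names are assumptions made for the example.

```csharp
// Added example (not from the original post): compute and verify the
// RFC 8705 "x5t#S256" certificate binding for an access token.
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json;

static class CertificateBinding
{
    // RFC 8705 section 3.1: base64url(SHA-256(DER certificate)) without padding.
    public static string X5tS256(X509Certificate2 cert)
    {
        byte[] hash = SHA256.HashData(cert.RawData);
        return Convert.ToBase64String(hash).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Authorization server side: the "cnf" claim to place in the access token,
    // next to "sub", "aud", "exp" and the other usual claims.
    public static string CnfClaimJson(X509Certificate2 clientCert) =>
        JsonSerializer.Serialize(new Dictionary<string, object>
        {
            ["cnf"] = new Dictionary<string, string> { ["x5t#S256"] = X5tS256(clientCert) }
        });

    // Resource server side: after validating the token's signature and expiry,
    // the certificate that authenticated the TLS connection must hash to the
    // bound value; a valid token presented over a different certificate fails.
    public static bool MatchesBoundCertificate(string x5tS256FromToken, X509Certificate2 presented) =>
        CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(x5tS256FromToken),
            Encoding.ASCII.GetBytes(X5tS256(presented)));

    // Constructed test certificate; a real client would present its own.
    static X509Certificate2 NewSelfSigned(string subject)
    {
        using var key = RSA.Create(2048);
        var request = new CertificateRequest(subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return request.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));
    }

    public static void Main()
    {
        using var clientCert = NewSelfSigned("CN=constructed-client");
        using var otherCert = NewSelfSigned("CN=constructed-other");

        // What the token issuer embeds for this client.
        Console.WriteLine(CnfClaimJson(clientCert));

        // What the resource server decides on a later request.
        string bound = X5tS256(clientCert);
        Console.WriteLine("same certificate:  " + MatchesBoundCertificate(bound, clientCert));
        Console.WriteLine("other certificate: " + MatchesBoundCertificate(bound, otherCert));
    }
}
```

The comparison is on the hash of the whole DER certificate, so the subject, SAN and key usage of the client certificate do not matter to the binding itself; they only matter to whatever identity check the authorization server applies before issuing the token.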

ADFS server with multiple certificates

We have a working ADFS 2016 server with over 100 clients as claims provider trusts. Now I need to join a local government SAML2 system, which is a common solution for many government bodies. It is compatible with our ADFS setup except that they require (without any valid reason) us to use special government-signed certificates as the token signing (and possibly encryption) certificate. With over 100 existing customers, which do not all update from our metadata automatically, I do NOT want to change our current token signing/encryption certificates in our published metadata.
Is there some way to handle this situation in the ADFS server?
Can I install this government token signing certificate on the ADFS server as a second certificate and make it so that it is NOT published in our metadata?
And could this second certificate be used only with some selected claim provider trusts, so that the ADFS server by default uses our current certificate but uses the government certificate for logins from selected claim provider trusts that are linked to the government SAML2 system?
Or is a completely different ADFS server our only option?
Thanks.
No - an IDP only uses one certificate. Azure AD works exactly the same way.
Your only option is another IDP.
This doesn't have to be ADFS - just another IDP.

Generating a SAML SP metadata file that works with ASP.NET Identity 2.0 Federation authentication

I am trying to configure a web application using ASP.NET Identity 2.0 for Single Sign-On with ADFS.
To configure their ADFS, my client asked me to provide a SAML Service Provider metadata file matching the following format:
In my application, I am setting up authentication in my OWIN pipeline as so:
app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions()
{
    MetadataAddress = ConfigurationManager.AppSettings["SsoAdfsMetadataEndpoint"],
    Wtrealm = ConfigurationManager.AppSettings["SsoWtrealm"]
});
I have 2 questions:
I can generate an X509 certificate to include in the metadata, but how can I add it to my configuration in the web app?
Where can I get the URLs for all the AssertionConsumerService bindings?
SAML2P (P is for protocol) and WS-FED are two completely different protocols. To confuse things, SAML2 tokens (or assertions in SAML2 lingo) can be carried in WS-FED protocol messages.
You won't get any SAML2P functionality out of a WS-FED middleware. You need a SAML2P middleware. The open source Kentor.AuthServices.Owin package contains such a middleware, which will automatically generate the needed metadata and has been tested with ADFS.
Disclaimer: I'm the author of Kentor.AuthServices

ASP.NET Web API with x509 security certificate

I'm going to use MembershipReboot for my asp.net web api authentication and I'm supposed to implement an X509 Certificate.
There is an article in msdn about How to: Secure a Service with an X.509 Certificate, which is for WCF services that use the ServiceHost class. So the question is how to achieve this in asp.net web api services? Is it possible?
There are some "prerequisites" to work with SSL, that is:
Setting up IIS to work with the SSL
You may also want to take a look at:
Custom Authentication Methods with Web Api
Here is a full Article on:
How to secure web api using SSL Certificate:
