Hey I have given a task to setup shibboleth to authenticate my web application ( .net core application (SP) ) using saml 2.0 with azure ad. My web application will act as SP and will manipulate the claims/attributes returned from IDP which is azure ad in my case. I have made a research but could not find any relevant documentation or implementation example of configuring shibboleth as a SP for saml authentication using azure ad as (IDP). Can we setup shibboleth to support saml 2.0 with azure ad? Also I am wondering after successful authentication how claims/attributes will pass from shibboleth to my application so that I can further use them for processing?
Please check if this blog> Azure AD SAML federation using Shibboleth SP | by Rohan Islam | Medium can be worked around in your case.
Configure the SAML SSO in azure ad portal for the application by selecting Single sign on and Copy the identities to use later.
Try to do Shibboleth SP configuration by updating shibboleth2.xml file under /etc/shibboleth directory.
Update the applications’s entity ID , session lifetime configuration .Also change sso entity ID with the azure AD generated
entity ID.
Generate SP Metadata by accessing the metatdata url and by making the required changes .This SP metadata xml file is to be uploaded in
sso page of azure ad under mange identity section.
All the mapped attributes will be stored in the session so that you can access them in your application.
SP makes attribute and other session information available to applications is by "exporting" the data to a set of environment variables or HTTP request headers using HTTP_ PREFIX
References:
NativeSPAttributeAccess (atlassian.net)
How to read attributes? - Stack Overflow or NativeSPAddAttribute - Shibboleth 2 - Confluence (atlassian.net)
c# - asp.net MVC authentication with Shibboleth - Stack Overflow
Related
What is the best way to configure an application startup.cs to use both Azure AD and Azure B2C in .netcore? I see a lot of referencing indictating to use only Azure B2C, but due to the circumstances I need to use both Identity providers separately giving the users the option to choose which service.
But I am not sure how to go about it, and after configuring the startup, how would I use distinct "Authorize" on the actions within the same controller?
You can use the Azure AD B2C custom policy and Azure ad can be set as an identity provider.The end result is as shown below, where users can choose to log in with an ad account.
Found that adding multiple Azure Active Directory authentication providers in the same app using the current release of the Microsoft Identity Web library is not available (https://github.com/AzureAD/microsoft-identity-web/issues/549 ) but will hopefully be added soon.
Have .Net Core 2.2 MVC application and integrated with Azure AD for userAzure AD. User authentication and sign out is working as expected.
But if we copy the cookies AspNetCore.AzureADCookie, .AspNetCore.AzureADCookieC1, .AspNetCore.AzureADCookieC2 from the authenticated browser session using the EditThisCookie extension and logout then if we import again those copied cookies back into browsers and we are able to access the application. Application trusting the application and login automatically.
I'm using NuGet Microsoft.AspNetCore.Authentication.AzureAD.UI NuGet package
Is this behavior expected?
This depends on the permissions and authentication configurations that you have set for the users within your Azure AD tenant and within the application. If the users are members of your Azure AD tenant or of your application and you've set up SSO using an MSAL library like OpenID Connect, then their credentials might be stored and they can log in by default.
Are you trying to say that you do not want your users to be able to one-click SSO with their pre-authenticated credentials?
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-authentication-for-federated-users-portal?view=azurermps-5.7.0
https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad
What I know about IdentityServer and OpenID connect is:
The IdentityServer is a free, open source OpenID Connect and OAuth 2.0 framework for ASP.NET Core. That incorporates all the protocol implementations and extensibility points needed to integrate token-based authentication, single-sign-on and API access control in your applications.
Further more OpenID Connect is a simple identity layer built on top of the OAuth 2.0 protocol. OAuth 2.0 defines mechanisms to obtain and use access tokens to access protected resources, but they do not define standard methods to provide identity information. OpenID Connect implements authentication as an extension to the OAuth 2.0 authorization process. It provides information about the end user in the form of an id_token that verifies the identity of the user and provides basic profile information about the user.
What I want to know is what is Azure Active Directory and How it is works? Did we use Azure AD with openid connect? or it is optional with openid connect? and If I've an webapi which is based on ASP.Net core 2.0 with identityserver 4. Did we deploy on azure without implement Azure AD? I m confused because I've an webapi project and a client project based on angular. when I deploy my client project as a new web app on azure its running fine. But when I deploy my web api on azure its not working. Means after deploying my web api when I do post request to get a token or when I want to register a user through my azure web api link it shows me 500 error in postman.
After facing this problem I post it on Here Stackoverflow but didn't find any helpful answers. So I again start searching and found that if we want to use openid connect with azure we must implement Azure AD. Here is the Reference. So in this question I want to know the difference between openid connect and Azure AD? and second question is. Is this possible to use openid connect without using Azure AD? Please explain your answer briefly. Thanks
We have a separate web application secured with Azure Active Directory that exposes some (internal) services.
Now we want to access these services from within our site, but this fails off course because of the authentication that is not yet done.
This site doesn't use Active Directory for authentication.
Is it possible to configure this site as a trusted client (through token, key) in the web.config? So that we don't need any code modifications?
Or has this to be done through code?
Kind regards,
It looks like you have a WebAPI secured using Azure AD (what you refer to as web application) and a WebApp (what you refer to as site) that needs to access the WebAPI. If this is indeed the case, you can register both the WebApp and WebAPI as applications in Azure AD (the WebApi is presumably already registered, as it is secured using Azure AD). Then, your WebApp can access your WebAPI using its own identity (client credential OAuth flow sample code) or on behalf of the signed-in user (auth code grant OAuth flow sample code).
In either case, the WebApp (site) needs to acquire an access token to access the WebApi and send this access token in the Authorization header in every call that it makes to the WebApi - this will require code changes to the WebApp. In theory you can build a proxy application that acquires tokens and injects headers in all outgoing calls - however I doubt it would be worth the effort.
Hope this helps.
What are the authentication options for having a ASP.NET web application communicating with a WCF service?
The scenario:
User enters their username and password in an ASP.NET form.
ASP.NET needs to pass this to WCF to authenticate the user.
If authenticated, the user can perform actions on the website. Each action would require sending data to different WCF operations. WCF needs to know who the user is on each call.
The easiest solution would be to store the username/password in the ASP.NET session state. However, this is insecure because the password is stored in memory on the server.
I would rather not use a certificate to authenticate the ASP.NET "client" to the service because there's a possibility that this WCF could be consumed by another client in addition to ASP.NET.
The best suggestion I've seen so far is to use Windows Identity Foundation (WIF). It appears that this requires an STS. According to MSDN, Microsoft does not seem to recommend setting up an STS through Visual Studio. There's no guarantee that an STS would be available in the deployment environment as some environments may use Active Directory and other environments may have a custom user store. Is it possible to setup a custom STS to authenticate against a custom user store? I'm having trouble finding documentation on doing this.
Are there any other options besides using WIF? What about a custom WCF authentication service that returns a token that can be used for authenticating against a primary WCF service?
The standard way of doing this is by using WIF with Microsoft's STS viz. Active Directory Federation Services v2.0 (ADFS).
There are a number of custom STS available e.g. Identity Server. This use a SQL DB as an attribute store. It's open source so could be adapted to whatever you require.
You can create your own custom attribute store: AD FS 2.0 Attribute Store Overview.
TechNet WIF / WCF: WIF and WCF.