Outlook Web AddIn - Iframe ADFS sites - adfs

I’m developing an Outlook Web Add-in. In my flow I use iframes. I want to authenticate the client, and my application uses a custom authentication provider based on ADFS. Our authentication page redirects to ADFS, and by default ADFS pages have X-Frame-Options set to sameorigin.
Is there any workaround for displaying such pages as iframes?

Most authentication providers have X-Frame-Options set to same-origin or deny and hence can't be shown in an iframe. Please use the Office dialog API in your web add-in to let users authenticate.
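
The dialog flow this answer points to, as an added example that is not part of the original post or of any vendor sample. It shows why the ADFS page is refused in a frame and how the task pane opens the Office dialog instead; `addinOrigin`, the start-page URL and the `{ status }` message shape are assumptions made for illustration.

```javascript
// Added example. addinOrigin, the start-page URL and the { status } message
// shape are assumptions; `office` is the Office.js global, passed in explicitly.

// Why the iframe is blocked: X-Frame-Options as the browser evaluates it.
function canFrame(xFrameOptions, pageOrigin, embedderOrigin) {
  const v = (xFrameOptions || "").trim().toUpperCase();
  if (v === "DENY") return false;
  if (v === "SAMEORIGIN") return pageOrigin === embedderOrigin;
  return true; // no X-Frame-Options restriction (CSP frame-ancestors may still apply)
}

// The dialog has to start on an HTTPS page in the add-in's own domain; that
// page then redirects to ADFS, which loads as a top-level window, not a frame.
function checkDialogStart(startUrl, addinOrigin) {
  const u = new URL(startUrl);
  if (u.protocol !== "https:") throw new Error("dialog start page must use HTTPS");
  if (u.origin !== addinOrigin) throw new Error("dialog start page must be on the add-in domain");
  return u.href;
}

// Task pane side: open the dialog and wait for the callback page's message.
function signInWithDialog(office, startUrl, addinOrigin) {
  const url = checkDialogStart(startUrl, addinOrigin);
  return new Promise((resolve, reject) => {
    office.context.ui.displayDialogAsync(url, { height: 60, width: 30 }, (result) => {
      if (result.status !== office.AsyncResultStatus.Succeeded) {
        return reject(new Error(result.error.message));
      }
      const dialog = result.value;
      dialog.addEventHandler(office.EventType.DialogMessageReceived, (arg) => {
        dialog.close();
        let msg;
        try {
          msg = JSON.parse(arg.message);
        } catch {
          return reject(new Error("malformed message from dialog"));
        }
        if (msg.status === "ok") resolve(msg);
        else reject(new Error("sign-in failed"));
      });
      // Fires when the user closes the dialog or it fails to load.
      dialog.addEventHandler(office.EventType.DialogEventReceived, (arg) =>
        reject(new Error("dialog closed or failed, code " + arg.error)));
    });
  });
}

// Dialog side, on the add-in page ADFS redirects back to:
//   Office.onReady(() => Office.context.ui.messageParent(JSON.stringify({ status: "ok" })));
```

In the task pane, call `signInWithDialog(Office, ...)` with the real Office.js global once `Office.onReady` has resolved.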

Related

Azure APIM Developer Portal page access without authentication

I have a basic authentication in the developer portal of my APIM in azure.
If I go directly (without authenticating) to https://...apimanagementdev.developer.azure-api.net/apis, the page loads.
How can I force pages to load only for authenticated users?
You have to go to Identities => Settings and then check "Redirect anonymous users to sign-in page".

ADFS SSO integration - aspx exceptions

We have implemented SSO on our web app and it's working fine. Users are redirected to the ADFS login before accessing our app and we accept the ADFS token and authenticate accordingly. We're happy.
The question is for some of the aspx pages, we don't require authentication. Is there a place to list those exceptions in the web.config (or other)?
Yes - you can use the location tag with allow / deny.
Refer: Setting authorization rules for a particular page or folder in web.config.

Forms authentication and Federation Authentication(Single Sign On + ADFS 2.0 + SAML) in Same ASP.NET Website

We have a website developed in ASP.NET with a VB code base, and it has normal forms authentication with username and password.
One of our clients wants to set up Single Sign-On with our website. They set up ADFS and gave us the metadata XML file; we created an STS reference to that URL and shared our website metadata with them to add a Relying Party Trust.
When I access our website, it redirects to the customer page, and once they enter the login credentials it comes back with the claims, which is good.
Problem:
1) Now everyone who accesses our website is automatically redirected to the client ADFS login page, which should not happen. Users should be prompted with our login page and should not be automatically redirected to the client ADFS. If a user wants to use SSO, then they should be redirected to the client page. How do we handle that programmatically?
2) If one more client also wants to use SSO with their IdP, how do we configure more than one IdP for one website?
Thanks.
WIF or OWIN?
WIF by default protects all pages.
You could un-protect your login page (location tag) and then, if SSO, redirect to a dummy protected page, which will cause WIF to kick in.
Beware: for older apps, WIF and FBA in the same app can cause problems.
The classic way to handle 2) is to federate the two ADFS. Then a user will see a Home Realm Discovery screen and get to choose which IDP.

Forms Authentication cookie is not working after FormsAuthentication.SetAuthCookie is called

I have forms authentication setup through a Web API project. The forms auth works fine to login the user to the web site (note: API server is not the same server as web server). However, the API services I have restricted to logged in users are returning a 401, because Request.IsAuthenticated = false when I send back the very same forms auth cookie the API server just set, back to itself.
I have no idea why this is happening. I verified the .ASPXAUTH cookie is being sent with the request. Forms Auth is setup consistently across API and Website; and the website picks up the forms auth cookie just fine. Why is my API server not recognizing my user as logged in, even though the API server itself set the cookie?
Figured it out. The issue was a browser conflict with one of my Chrome add-ons. Once I opened the site up in an incognito window sans add-ons, it worked as expected.

ASP.Net forms authentication cookie between UIWebView and ASIHttpRequest

I have an iOS app that uses a UIWebView to display pages from an ASP.Net site. The user logs into the site through the UIWebView, which creates the forms authentication cookie and authenticates any further page loads in the UIWebView.
I'm attempting to use this same cookie to authenticate some HTTP requests that are done with an ASIHttpRequest.
Supposedly this should happen automatically, but it wasn't working. I'm now explicitly setting the cookie for ASP.NET_SessionId on the ASIHttpRequest, and the request is still not authenticated; it ends up redirected to a login page.
Is there something in the forms authentication cookie that would make it specific to the UIWebView where it wouldn't also work with an ASIHttpRequest?
Ah, apparently this was related to ASP.Net not recognizing that the UIWebView browser supported cookies (even though the authentication mostly worked in the UIWebView).
I added the generic.browser file as seen in this other question -
Asp.Net Forms Authentication when using iPhone UIWebView
