I have an Dotnet Core API application which uses IdentityServer4 as IDP. The frontend is built in Angular.
Now, I need to connect to Successfactors of one of my client. I understand SAML is the best federation protocol there.
Please suggest what should be my approach here and relevant tutorials that I can follow. I am not getting good google results.
You need a SAML stack.
Microsoft does not have one. So you need to integrate a third-party product.
There are a number of examples here.
Related
We have a classic ASP.NET web application and a SOAP based API built on it. We are planning to implement oAuth2 authorization into it to implement a service provider that can create tokens, persist them and do evaluation.
I found few examples using DotNetOpenAuth , Azure access control service but all of them are based on MVC. Any pointers on how we can implement on oAuth2 on classic ASP.NET web API?
There are quite a few examples of using DotNetOpenAuth with asp.net applications. For instance:
http://www.nuget.org/packages/DotNetOpenAuth.AspNet
http://blogs.msdn.com/b/webdev/archive/2012/09/12/integrate-openauth-openid-with-your-existing-asp-net-application-using-universal-providers.aspx
Edit
So unfortunately I don't know a direct example with asp.net.
The OAuth1 sample might help in giving the basic idea of how to integrate DotNetOpenAuth as a service provider into an ASP.NET application -
https://github.com/DotNetOpenAuth/DotNetOpenAuth/tree/master/samples/OAuthServiceProvider
And I think that using that as a base, and combining with working with the OAuth2.AuthorizationServer (as the oauth2 samples show, like https://github.com/DotNetOpenAuth/DotNetOpenAuth/tree/master/samples/OAuth2ProtectedWebApi), is a good reference point.
We are planning to receive a SAML assertion from another website into ours (ASP.NET). No one here has ever worked with SAML. We simply need to verify the signed assertion, decrypt the token containing a user id and if we can verify it, log them into our site (authenticate/authorize). We are using Forms Authentication for all other authentication. I would like to avoid installing WIF if possible because my understanding is we'd have to install the runtime on all the developers machines and servers. Our machines are locked down by policy such that it would be a lot of paper work to get it installed. Are there alternatives to WIF and are they realistic to use in an enterprise environment? If so, can someone point me in the right direction, a good tutorial, video, book or anything with examples would be helpful? I looked at some third party components but I'd have the same issue as with WIF on our servers (not to mention dealing with procurement).
Thanks
Is this internal or an external facing application? You may want to checkout PingOne.com Application Provider Services (APS) [Note: I work for Ping]. PingOne handles all the SAML protocol stuff for you and provides self-service capabilities, reporting, etc. No need to install WIF... just a few lines of .NET code (or whatever) to integrate with the RESTful service that PingOne provides.
HTH - Ian
I need a bit of help implementing an OAuth 2 provider for a rest service built on the new ASP.NET Web API. I'm aware there are some similar questions on Stack Overflow but they're more or less links to OAuth libraries. What I'd really like is some sample code or a sample project to get my started. Can anyone point me in the right direction?
I'm looking at DotNotOpenAuth and I believe the 4.0 beta supports OAuth 2 providers. Unfortunately I can't seem to find any code demonstrating how to implement it.
What I need some assistance with is actually getting a 2.0 provider up and running. Once I have that it should be easy enough to integrate it via a HTTP Module or a filter.
I'm interested in 2 legged authentication for API to API communication.
Until DotNetOpenAuth ships a distribution that includes OAuth 2 and the samples together, the best you can do is install the DNOA 4.0 resource server and authorization server roles via NuGet, and then check out the resource server and authorization server samples on GitHub.
But there are currently no samples for the "client secret" grant type, which is the one that best fits your "2 legged" concept for API-to-API communication. In fact the library itself doesn't (yet) support it, but the next NuGet release will and should be available in the next week or so.
I have been researching for a while now about how to implement an OAuth provider to secure my web api, but without good results.
For what I've seen so far, apparently there are only three libraries to develop an OAuth provider in .net:
1- DotNetOpenAuth
2- DevDefined
3- OAuth.net from madgex
madgex doesn't have any documentation for providers at all, at leats I haven't found anything, same with DevDefined, well, the last one has some documentation, but it lacks samples.
DotnetOpenAuth I think is the one most developers use, but I'm having a hard time to understand its samples, and documentation is terrible.
Has anybody implemented any of these libraries to write an Oauth PROVIDER, NOT CONSUMER, or anyone knows where I can find a decent documentation fro any of these.
For the record im trying to develop a 3-legged oauth provider.
Can anybody help me out here??
Have you checked out this project template, which although it's MVC 2 should provide some useful ideas for doing it in MVC 3:
http://visualstudiogallery.msdn.microsoft.com/81153747-70d7-477b-b85a-0374e7edabef
Then there is the OAuthServiceProvider sample that comes with DotNetOpenAuth, which is WebForms but the principles are mostly the same.
A good sample of DotNetOpenAuth implementation could be found here Releasing an ASP.NET MVC 3 OpenId StarterKit under Open Source License
Project url: http://mvcopenid.codeplex.com/
It should be good for you to start with.
UPDATE
By the way in ASP.NET MVC 4 third party auth providers it is out of the box.
I have followed the steps mentioned at https://github.com/DotNetOpenAuth/DotNetOpenAuth/wiki/Security-scenarios to implement an OAuth 2.0 authorization service.
I have used the below link to create security certificates:
http://www.jayway.com/2014/09/03/creating-self-signed-certificates-with-makecert-exe-for-development/
Don't forget to change your solution to use the thumbprints from the certificates created by you.
This is the best place to understand the OAuth 2 protocol:
https://www.rfc-editor.org/rfc/rfc6749
We have clients who have RSA securid deployed within their premises and we want to sell our product to them. We need to integrate with their 2 factor authentication setup for authentication into our product.
We have an asp.net (C#) web based application that is exposed to the clients and which needs to support authentication using their own securid setup.
Can someone please help me in getting this support implemented? Pointers to existing documentation are also welcome.
I searched through the queries on this forum and found that most are talking about giving token generation mechanism on your web application itself but I don't think that is the approach that is required for our use case.
have you checked out the web sdk from RSA?
http://www.emc.com/security/rsa-securid/rsa-securid-software-authenticators/web-sdk.htm