ADFS role when not member of AD group - adfs

Can anyone help me with the following - i need to set up some ADFS based on AD groups.
I can setup so i send af role/group based on AD group and that works fine, but i also need to check if a user is in some specific AD groups, and send a general role in my ADFS output, but only for people who are not member of specific groups.
Thanks in advance,
Mikael

Not entirely sure of your use case but you can have a number of menberOf rules all producing the same temporary claim.
Then use NOT EXISTS on that temporary claim to produce the claim you want.
So this claim will only apply to people who are not members of these groups.
Refer this.

Related

ASP.NET Active Directory authorization for each web page

I am new to ASP.NET and have been asked to do the following. I have tried looking at a large number of Stack overflow articles in this topic but wasn't quite able to find a specific answer to my situation.
The scenario is the following: the web application is internal to the company. Within the application, there are many pages that should have varying levels of access based on AD groups. So for example, for one page, if a user is in any of the AD groups A, B, C or D, they will have access. Another page may provide access to a user who belongs to any of AD groups E, F, or G.
Not sure if I read the other Stack Overflow articles incorrectly, but it seemed like they answered the question of providing access to a user who is part of a particular group (single group). For a given web page, I want to provide access to the user if they are part of any of the groups that I specify as permitted to visit that page.
Furthermore, is there an easy way to store the AD group names that I want to have access to each page in a file, and authorize against this file without writing much code? This way if I need to change the groups allowed to visit a particular page, I can just change the list of group names in the file.
If you want users to be automatically logged in, then hosting in IIS is by far the easiest way. Instructions on setting that up are here: Configure Windows Authentication in ASP.NET Core
Locking down certain parts of the site by AD group is pretty easy too. You simply use AuthorizeAttribute above either a whole controller, or just an action, and specify the Roles:
[Authorize(Roles = "DOMAIN\\GroupName")]
If you want the group name to be configurable, then you can create a policy for each group that reads the group name from your appsettings.json (or anywhere else, really) and you set the Policy property of the AuthorizeAttribute instead of Roles.
Details on how to set that up are in this answer: https://stackoverflow.com/a/48148149/1202807

How to set User Role with Identity in MVC application

I have this project which is school management system, i have created Roles(Teacher,Admin,Staff) now i can assign what role is allowed to be viewed in each page and i want the Teacher Role to be more specific cos i have this page where the teacher can see all the list of subject that she/he teaches.
Now my problem is when the teacher login, i want all the subject of the current teacher who login can see her subjects only, right now with my role as (Teacher) they can see all the list of subject from other teachers too. Any idea on how to solve this? or what are the things i should add or learn to achieve my goal? i heard about MVC identity is it the one responsible for fixing this issue. appreciate if u guys could give me idea on how to deal with this. thanks!
If I did understand your problem correctly.what you are looking for is Resource Based Authorization (Authorization depends upon the resource being accessed). As far as I know, this can not be done with declarative security.
In order to gain such flexibility, you have to call an authorization function inside the action method.
Depending on the result of that authorization function, you can return 403 or the required resource.
Speaking of your requirement, extract the user id inside your action method and filter out other teachers' subjects.
If you are using ASP.Net Identity this link may help you to get started.

Can I do this with Drupal and Organic Groups?

Basically I have a site in which I want my clients to be owners of a group, and then anonymous users can add nodes through their group and my clients will receive notification if someone adds a node in their group.
Basically the service is a lead generation service so in effect the content type is a landing page and when anonymous users go to put their details in, dependent on which group they do it through, the client will receive the notification.
i.e. My clients group is www.example.com/group1 and they send out a link with their URL to generate some leads.
example.com/group1/node/add/landing-page
Once this node has been created, will it be possible to notify the group1 owner (I assume if I set the correct Rules)?
On top of this, I want the group1 owner to be able to login and see a Views display of all the nodes that have been created in their group.
I assume Organic Groups is the wway to go here, but I may be mistaken - any hep would be appreciated.
Unless this has dramatically changed in D7, I don't think you're going to be able to let anonymous users post into Groups. The whole concept and structure of OG relies on users being logged in and identifiable.
In other words, I think you have to be a member of a Group to post in it, and anonymous (user 0) can never belong to a Group.

Counting anonymous votes accurately

I'm building a small application that highly depends on anonymous user voting on some sort of items. It's so small that requiring registration would be tedious and could not be justified.
Anyway, I did some research on this, including a search here on stackoverflow (https://stackoverflow.com/search?q=anonymous+votes), and doesn't seem that there's a satisfying answer.
My question is: are there any security measures that I can apply to prevent gaming anonymous votes?
One thing comes to mind is CAPTCHA, but I'd like to avoid that since users will vote on multiple items in a very short period of time, and CAPTCHAs will just annoy them.
Another thing I thought of is limiting the number of votes per minutes from a single IP (in addition to a cookie), but not sure how this is going to work.
Any thoughts?
There are a few ways I've seen work:
Email registration : you get their email, they need to confirm their vote. The combination of their IP + email makes a unique record that they can't then use to vote again (for the same poll).
Captcha : without having additional checks (IP, etc), it's easy enough for a team of monkeys to successfully enter a lot of captchas.
Site Registration : without account creation level limits (e.g. a non-free email account required for signing up) people can just create multiple accounts.
Depending on how you weigh up the cost of getting users to vote vs making sure their votes are for them and them alone, you can use a different level of vote-spam-protection.
You can use the CAPTCHA once to both confirm the vote and create a session with the IP and cookie.
Any time you are dealing with anonymous voting you are going to have an imperfect solution but you can shoot for "pretty good". Consider dropping a cookie on the client computer to prevent multiple/frequent voting and back this up by performing server side IP tracking to do the same. Do not allow anyone to vote that has cookies blocked.
Of course, if you require complete accuracy or if the voting involves awarding of something of monetary value, registration is really the way to go.

ASP.NET, how to manage users with different types of roles

I want to create a website with various users. The users can have different roles, admin and user, which is a very well documented situation. But I would like to also group the users on their location, so at each location I can have both admins and users. - A multi dimensional role system?
The reason is, that users in Germany should have access to a certain set of documents, while the Italian users shouldn't.
Where should I look for documentation on this specific topic? I need some way to limit my search, maybe some keywords.
A different approach would be to add another set of roles, corresponding with the different locations available, for example Germany and Italy. You then make all German users members of the Germany role, and the German admins members of both Germany and Admin. When checking permissions, you then check both for Admin and for the current locale.
Remember, one user can have many roles.
First of all, please see the very excellent tutorial series on 4GuysFromRolla: https://web.archive.org/web/20210513220018/http://aspnet.4guysfromrolla.com/articles/120705-1.aspx
Secondly, the built in Role Provider is extremely rudimentary. You associate a user with a string (role) and that's pretty much it. There's no heirarchy or additional properties that you associate with the role, unless you pack in into the string (role name).
You might want to look at custom profile properties. MSDN

Resources