The normal scenario is that I can access my application URL and then my request is redirected to the login page of Keycloak. What I need is to access the Keycloak login page directly and then, after login, be redirected to my application.
BACKGROUND: My company recently set up an Identity Provider (IdP). I am using the Kentor AuthServices library, OWIN, and ASP.NET Identity to allow users to log into a web site through this IdP. This works.
Right now a user requests a page on our site, and they are redirected to the login page where there is a button to log in through our IdP. They click it, log in, and are redirected back. This is like a standard VS2015 ASP.NET Web Application project with external (e.g., Twitter, Facebook) authentication providers, just with some custom code in /App_Start/Startup.Auth.cs for my company's IdP.
Since we only offer one login provider, and the entire site requires login (except the login page), I'd like to simply redirect users to our IdP without the intermediate login page and manual button click. Is there a method I can call or a POST/redirect I can make programmatically to mimic what happens when a user clicks the login button?
Unfortunately I am new to OWIN and ASP.NET Identity.
Google is failing me.
Debugging and breakpoints aren't catching how the redirect to the provider works.
It should be as simple as replacing your login controller that would show your login button with a hardcoded HttpContext.GetOwinContext().Authentication.Challenge("MyIdpAuthType");
We have one web site which is developed in ASP.NET with a VB code base, and it has normal forms authentication with username and password.
One of our clients wants to set up Single Sign-On with our web site. They set up ADFS and gave us the metadata XML file, and we have created an STS reference to that URL and shared our website metadata for them to add a Relying Party Trust.
When I access our website it redirects to the customer's page, and once they enter the login credentials it comes back with the claims, which is good.
Problem:
1) Now whoever accesses our website is automatically redirected to the client's ADFS login page, which should not happen. Users should be prompted with our login page, and it shouldn't automatically redirect to the client's ADFS. If a user wants to use SSO, then it should be redirected to the client's page. How do I handle that programmatically?
2) If one more client also wants to use SSO with their IdP, then how do I configure more than one IdP for one web site?
Thanks.
WIF or OWIN?
WIF by default protects all pages.
You could un-protect your login page (location tag) and then, if SSO, redirect to a dummy protected page, which will cause WIF to kick in.
Beware: for older apps, WIF and FBA in the same app can cause problems.
The classic way to handle 2) is to federate the two ADFS. Then a user will see a Home Realm Discovery screen and get to choose which IdP.
I have configured SAML 2.0 application on OKTA.
For SAML 2.0, Okta (acting as the IdP) supports two methods of authentication:
In IDP initiated the flow is:
User goes to Okta (assumption is that the user has an existing Okta session)
User clicks on the chiclet and this sends a SAMLResponse to the configured SP
A session is established with the SP
User is authenticated
This flow is working
In SP initiated the flow is:
User goes to the target SP first. They do not have a session established with the SP
SP redirects the user to the configured Login URL (Okta's generated app instance URL), sending the SAMLRequest.
Okta is sent SAMLRequest (assumption is that the user has an existing Okta session)
Okta sends a SAMLResponse to the configured SP
SP receives the SAMLResponse and verifies that it is correct. A session is established on the SP side.
User is authenticated
This flow isn't working: I get 401 Unauthorized "You do not have permission to view this directory or page."
The SP won't redirect to Okta (IdP).
I have tried changing the permissions of the site for 'Everyone' to Full Control, but without success.
Make sure that you have configured your SAML 2.0 application to use the correct Single Sign On service URL.
In Okta, you can determine which Single Sign On URL you should use for SAML SP requests as follows:
Visit the Admin section of your Okta organization page
Click on Applications
Select the application that you are configuring
Click on the Sign On tab for that application
You should see a page similar to the one below:
From this page, either click on the "View Setup Instructions" button or on the "Identity Provider metadata" link to get the URL your SAML SP should be redirecting users to. This URL will be called either the "Identity Provider Single Sign-On URL" or can be found in the SAML metadata file as the "Location" attribute in the "SingleSignOnService" tag.
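The two steps the answer describes (read the "Identity Provider Single Sign-On URL" out of the IdP metadata, then have the SP redirect the unauthenticated user there with a SAMLRequest) are shown below as an added, self-contained Python example. It is not code from the original answer, from Okta, or from any SP library; the metadata document, entityID, and all URLs (example.okta.com, exkEXAMPLE, sp.example.com) are constructed placeholders. The HTTP-Redirect binding packaging (raw DEFLATE, base64, URL-encode) follows the SAML 2.0 bindings specification; the decode helper is the inverse, handy when an SP returns a 401 instead of this redirect and you want to confirm what it is (or is not) sending. The InResponseTo check is the minimal defensive correlation an SP should do on the returned SAMLResponse; it is not a substitute for signature validation.

```python
import base64
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone
from xml.sax.saxutils import escape

# Constructed sample IdP metadata, shaped like the document Okta offers under
# "Identity Provider metadata". Every identifier and URL here is a placeholder.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example/exkEXAMPLE/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/example/exkEXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def sso_url_from_metadata(metadata_xml, binding=REDIRECT_BINDING):
    """Return the SingleSignOnService Location for the requested binding."""
    root = ET.fromstring(metadata_xml)
    for svc in root.findall(".//md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    raise ValueError(f"no SingleSignOnService with binding {binding}")


def build_authn_request(sp_entity_id, acs_url, destination,
                        request_id=None, issue_instant=None):
    """Build a minimal AuthnRequest; returns (request_id, xml).

    The SP must remember request_id so it can correlate the SAMLResponse later.
    """
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    attr = lambda v: escape(v, {'"': "&quot;"})  # values land inside double-quoted attributes
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{attr(request_id)}" Version="2.0" IssueInstant="{attr(issue_instant)}" '
        f'Destination="{attr(destination)}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{attr(acs_url)}">'
        f"<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )
    return request_id, xml


def redirect_binding_url(sso_url, authn_request_xml, relay_state=None):
    """Package the request per the HTTP-Redirect binding: raw DEFLATE, base64, URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    sep = "&" if urllib.parse.urlparse(sso_url).query else "?"
    return sso_url + sep + urllib.parse.urlencode(params)


def decode_saml_request(redirect_url):
    """Inverse of redirect_binding_url, for inspecting what an SP actually sent."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def response_matches_request(saml_response_xml, expected_request_id):
    """True only if the Response's InResponseTo equals the request ID the SP issued."""
    root = ET.fromstring(saml_response_xml)
    return root.get("InResponseTo") == expected_request_id


if __name__ == "__main__":
    sso = sso_url_from_metadata(SAMPLE_IDP_METADATA)
    rid, req = build_authn_request("https://sp.example.com/metadata",
                                   "https://sp.example.com/acs", sso)
    location = redirect_binding_url(sso, req, relay_state="/protected/page")
    print("302 Location:", location)
    print("decoded:", decode_saml_request(location))
```

An SP-initiated flow that is working answers the first unauthenticated request with a 302 whose Location looks like the one printed above; a 401 at that point means the SP's own authorization (IIS/ASP.NET settings, not Okta) rejected the request before the SAML middleware ran, which is why changing the IdP side does not help.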
I have a website created with ASP.NET and a web service, both using FormsAuthentication (which validates the user's credentials against Active Directory - LDAP).
When I call an action method of this web service for the first time I am redirected to the site's web page that actually logs the users into the system. When I'm logged in I will be redirected to the web service (ReturnUrl), but I'm guessing something gets lost in the way, because I'm getting an InvalidOperationException (in the client), containing the .asmx definition.
This happens on the first call only, the next calls work fine (since I'm going to the right place).
What am I missing here?
How should I redirect from the web site to the web service? Can this be done?
Thanks in advance.
Your web service call is doing a POST, then redirecting via a GET request after authentication. The default response from an ASMX is the .wsdl definition. You can't do web service authentication like this programmatically.
If you are using Active Directory, why not use Windows Authentication and suppress the login?
I have a web application (say app1) which is hosted in a IIS server virtual directory.
This web application needs Integrated Windows Authentication for its functioning.
I need to integrate this web application with another product which does not supply me with Windows credentials.
This application sends me an http request in a specific format.
I need to validate the request and redirect it to app1 with valid windows credentials so that it logs in smoothly.
I have created another application for this purpose.
This is hosted on a separate virtual directory.
It has IIS anonymous and asp.net anonymous authentication enabled.
The pseudo code is as follows:
app2
    parse request
    if request successful
        get windows credentials
        get identity using credentials
        Response.Redirect("app1.aspx")
But app1 authentication fails, IE asks me for credentials again.
Ideally IE should not ask me for credentials.
What would be the security context sent in the request to app1?
How can I trace the authentication failure at iis and asp.net?
To do this you need a trust relationship between the domains.
The Response.Redirect just sends a response back to the browser, which then makes a request for the page in the redirect. So the identity is the identity of the browser.