Challenging when having multiple ADFS Claims Providers - adfs

I see in UseWsFederationAuthentication that multiple Claims Providers can be specified.
My question is: at Challenge time, how do I specify which provider to use?
This is a winforms website.
Thanks for any help.

By default, with a single claims provider, ADFS will proceed with the available claims provider without prompting with the selection page.
If you have more than one claims provider, ADFS will show the claims providers on the home realm discovery page. You can select the right provider based on the user identity.
You will be able to customize the home realm discovery page; please look at the documentation for more scenarios.
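One way to name the provider at challenge time with the OWIN WS-Federation middleware, as an added example (this is not code from the question or the answer above). It relies on the WS-Federation `whr` parameter: when its value is the identifier of a claims provider trust configured in ADFS, ADFS skips the home realm discovery page and redirects straight to that provider. The metadata address, realm and the two claims-provider identifiers are placeholders for your own environment, and the `AllowedHomeRealms` allow-list is an assumption of this example.

```csharp
// Added example (not from the original post): OWIN WS-Federation middleware
// that copies a caller-chosen claims provider into the outbound "whr" parameter.
// Assumed values: metadata address, Wtrealm and the claims provider identifiers
// below are placeholders for your own ADFS configuration.
using System.Collections.Generic;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

public class Startup
{
    // Key under which the caller stores the desired provider in AuthenticationProperties.
    public const string HomeRealmKey = "whr";

    // Only identifiers of claims provider trusts we expect; anything else falls
    // back to the ADFS home realm discovery page instead of being forwarded.
    public static readonly HashSet<string> AllowedHomeRealms = new HashSet<string>
    {
        "http://adfs.partner-a.example/adfs/services/trust",   // assumed identifier
        "http://adfs.partner-b.example/adfs/services/trust",   // assumed identifier
    };

    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            MetadataAddress = "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml", // assumed
            Wtrealm = "https://app.example.com/",                                                             // assumed
            Notifications = new WsFederationAuthenticationNotifications
            {
                RedirectToIdentityProvider = n =>
                {
                    // Apply only to the outbound sign-in request, not to sign-out.
                    if (n.ProtocolMessage.IsSignInMessage)
                    {
                        var props = n.OwinContext.Authentication.AuthenticationResponseChallenge?.Properties;
                        string whr;
                        if (props != null && props.Dictionary.TryGetValue(HomeRealmKey, out whr)
                            && AllowedHomeRealms.Contains(whr))
                        {
                            n.ProtocolMessage.Whr = whr;   // tells ADFS which claims provider to use
                        }
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }
}

public class AccountController : Controller
{
    // GET /Account/SignIn?provider=<claims provider identifier>
    public ActionResult SignIn(string provider)
    {
        var props = new AuthenticationProperties { RedirectUri = "/" };
        if (!string.IsNullOrEmpty(provider))
        {
            props.Dictionary[Startup.HomeRealmKey] = provider;   // checked against the allow-list in Startup
        }
        HttpContext.GetOwinContext().Authentication.Challenge(props, WsFederationAuthenticationDefaults.AuthenticationType);
        return new HttpUnauthorizedResult();
    }
}
```

The `whr` value has to match the identifier of the claims provider trust exactly as ADFS has it configured; an unrecognised value simply lands the user on the home realm discovery page again. If the same application should always use one provider, the selection can also be pinned on the ADFS side for that relying party instead of passing it from the application on every challenge.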

Related

Custom authentication with ADFS(Not multifactor)

I need good advice and want to know whether a solution is feasible or not. Right now one of my customers has a common login application which is based on Forms authentication (ASP.NET) using a membership provider. All internal users use their AD credentials to log on and external users use a custom username and password. Both are wrapped via Forms authentication. Now the new proposal is to replace this Forms authentication with ADFS. I have gone through various articles on the internet and am not able to come to a conclusion. Let me list my findings so far on ADFS extension points.
1) It is possible to add a custom attribute to ADFS claims by the approach mentioned in https://blogs.technet.microsoft.com/cloudpfe/2013/12/27/how-to-create-a-custom-attribute-store-for-active-directory-federation-services-3-0/.
2) It is possible to add a second level of authentication (or multifactor authentication) via the approach in https://blogs.msdn.microsoft.com/jenfieldmsft/2014/03/24/build-your-own-external-authentication-provider-for-ad-fs-in-windows-server-2012-r2-walk-through-part-1/. Here I understand that only after the first level of authentication is done by AD will our external provider come into the picture.
So I have a general question: is it really possible to achieve what I am looking for with ADFS? Please let me know.
This depends on where the user accounts are stored. If both internal and external users are in AD, you can just redirect to ADFS.
If internal users are in AD and external users are in an untrusted or other LDAP source, using ADFS 2016 you can link to both of these account stores and still offload authentication to ADFS.
If external users are in SQL, you can either use a virtual directory in front to project it as an LDAP store (previous option) or use IdentityServer.
If external users are in something else, you'd need IdentityServer.
Thanks //Sam (#MrADFS)
Yes - you can add a custom attribute store.
Yes - you can add a custom authenticator.
A better way might be to use thinktecture's IdentityServer 3.0 for the ASP.NET Identity part and then federate IdentityServer and ADFS.
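What the "custom attribute store" extension point from the two answers above actually looks like, as an added example (not code from either answer or from the linked article). Note the limit the question itself hit: an attribute store only issues claims for a user who has already been authenticated, it does not authenticate anyone, so it covers the "custom attribute" part of the question and not the external-user logon. The table `dbo.ExternalUsers`, the `ConnectionString` initialization parameter and the claim rule shown in the comments are assumptions.

```csharp
// Added example (not code from the original post or the linked article):
// a minimal custom attribute store for AD FS that reads from SQL Server.
// AD FS loads the class through IAttributeStore. The claim rule supplies the
// query text (written by the AD FS admin) and the parameter values (taken from
// incoming claims, i.e. user-influenced), so values are bound as SQL
// parameters and never concatenated into the query.
// Assumed: table dbo.ExternalUsers(Login, Department, IsEnabled) and a
// "ConnectionString" initialization parameter are placeholders.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Threading.Tasks;
using Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore;

public class SqlExternalUserStore : IAttributeStore
{
    private string _connectionString;

    // Called once when AD FS loads the store; config holds the store's
    // initialization parameters from the AD FS console.
    public void Initialize(Dictionary<string, string> config)
    {
        if (config == null || !config.TryGetValue("ConnectionString", out _connectionString)
            || string.IsNullOrWhiteSpace(_connectionString))
        {
            throw new AttributeStoreInvalidConfigurationException("ConnectionString is required.");
        }
    }

    // AD FS calls Begin/End for every 'query = "..." from store' claim rule.
    public IAsyncResult BeginExecuteQuery(string query, string[] parameters, AsyncCallback callback, object state)
    {
        // Task<string[][]> implements IAsyncResult; StartNew(func, state) sets AsyncState.
        Task<string[][]> task = Task.Factory.StartNew(_ => ExecuteQuery(query, parameters), state);
        if (callback != null)
        {
            task.ContinueWith(t => callback(t));
        }
        return task;
    }

    public string[][] EndExecuteQuery(IAsyncResult result)
    {
        var task = result as Task<string[][]>;
        if (task == null) throw new ArgumentException("Unexpected IAsyncResult.", "result");
        try
        {
            return task.Result;
        }
        catch (AggregateException ex)
        {
            throw new AttributeStoreQueryExecutionException((ex.InnerException ?? ex).Message);
        }
    }

    // Assumed claim rule using this store (registered in AD FS as "ExternalUsers"):
    //   c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
    //    => issue(store = "ExternalUsers",
    //             types = ("http://schemas.xmlsoap.org/claims/Department"),
    //             query = "SELECT Department FROM dbo.ExternalUsers WHERE Login = @p0 AND IsEnabled = 1",
    //             param = c.Value);
    // Each @pN placeholder in the query is bound to parameters[N].
    private string[][] ExecuteQuery(string query, string[] parameters)
    {
        if (string.IsNullOrWhiteSpace(query))
            throw new AttributeStoreQueryFormatException("Query text is empty.");

        var rows = new List<string[]>();
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(query, conn))
        {
            cmd.CommandType = CommandType.Text;
            for (int i = 0; i < (parameters?.Length ?? 0); i++)
            {
                cmd.Parameters.Add(new SqlParameter("@p" + i, SqlDbType.NVarChar, 256)
                {
                    Value = (object)parameters[i] ?? DBNull.Value
                });
            }
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    var row = new string[reader.FieldCount];
                    for (int c = 0; c < reader.FieldCount; c++)
                        row[c] = reader.IsDBNull(c) ? null : reader.GetValue(c).ToString();
                    rows.Add(row);   // one string[] per row, one element per selected column
                }
            }
        }
        return rows.ToArray();
    }
}
```

The assembly is registered in the AD FS console as a custom attribute store with the `ConnectionString` parameter, after which claim rules can query it by name. Because the query text comes from the admin-authored rule and only the `param` values come from claims, binding each value as an `@pN` parameter is what keeps a crafted incoming claim from altering the query.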

Azure users roles and user profile management

I have a Windows Azure application already running (testing phase). Currently I use ACS authentication. Users can log on with their Windows Live ID, and this is all; no authorisation for now. I need to authorise users with different roles. Plus I also need users to log on with different identity providers like Gmail and Facebook. I have the idea to store profile information in a table (e.g. IdP as partition key and user ID (which I get from the provider) as RowKey).
Now I have no idea how to give different roles or how to start. Can anybody give me a clear tutorial or just an idea of how to begin?
Thanks
I suggest you take a look at the BlobShare application. This isn't a tutorial, but it's a complete application showing a few interesting concepts you could use:
"The BlobShare Sample is a simple file sharing application that demonstrates the storage services of the Windows Azure Platform, together with the authentication and authorization capabilities of Access Control Service (ACS)."
http://blobshare.codeplex.com/
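One way to turn the (identity provider, user id) pair the question proposes into roles, as an added example (not code from the answer above or from the BlobShare sample): a WIF `ClaimsAuthenticationManager` that runs after ACS's token has been validated and appends role claims, so `User.IsInRole` and `[Authorize(Roles=...)]` work unchanged. The in-memory dictionary stands in for the Azure Table the question plans (IdP as PartitionKey, provider user id as RowKey); its entries and the identity provider names in them are constructed sample data.

```csharp
// Added example (not from the original answer or the BlobShare sample):
// a WIF ClaimsAuthenticationManager that maps (identity provider, user id)
// from an ACS-issued token to application role claims. Registered in web.config:
// <system.identityModel><identityConfiguration>
//   <claimsAuthenticationManager type="RoleClaimsAuthenticationManager, MyAssembly"/>
// Assumed: the Profiles dictionary is constructed sample data standing in for
// the Azure Table (PartitionKey = IdP, RowKey = provider user id).
using System;
using System.Collections.Generic;
using System.Security.Claims;

public class RoleClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Claim type ACS stamps on each token naming the IdP that authenticated the user.
    public const string IdentityProviderClaimType =
        "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

    // (IdP, NameIdentifier) -> roles. Constructed sample data; values are illustrative.
    private static readonly Dictionary<Tuple<string, string>, string[]> Profiles =
        new Dictionary<Tuple<string, string>, string[]>
        {
            { Tuple.Create("uri:WindowsLiveID", "abc123"), new[] { "Admin", "Uploader" } },
            { Tuple.Create("Google", "110011"), new[] { "Viewer" } },
        };

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
            return incomingPrincipal;   // anonymous request: nothing to add

        var identity = (ClaimsIdentity)incomingPrincipal.Identity;
        foreach (var role in LookupRoles(identity))
            identity.AddClaim(new Claim(ClaimTypes.Role, role));   // IsInRole / [Authorize(Roles=...)] now see it
        return incomingPrincipal;
    }

    public static string[] LookupRoles(ClaimsIdentity identity)
    {
        var idp = identity.FindFirst(IdentityProviderClaimType)?.Value;
        var userId = identity.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        // NameIdentifier is unique only within one provider, so both keys are required;
        // a user with no profile row gets no roles rather than a default role.
        if (idp == null || userId == null) return new string[0];
        string[] roles;
        return Profiles.TryGetValue(Tuple.Create(idp, userId), out roles) ? roles : new string[0];
    }
}
```

The roles are keyed on claims that only ACS issues and that the token signature covers, so a client cannot pick its own identity provider or user id; the manager simply must not use any client-supplied value (query string, cookie) as the lookup key. Keeping the identity provider in the key matters because two providers can legitimately issue the same NameIdentifier for different people.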

How does Custom Role Provider work?

I am going to setup a custom role provider, but I don't have a very good idea of how it works behind the scenes.
[Questions]
What is the difference between setting roles in a form authentication ticket and using a custom role provider? Which is better to use?
If I create a custom role provider, can I use role names in the web.config to allow / block users?
Thanks!
1- Not sure that there is a "better" choice; that has to do with the requirements of the project. I created a role provider based on Windows Authentication rather than Forms Authentication for an internal project because I didn't want to create a bunch of AD groups and I wanted Windows Auth to allow users into the site. As far as what it does, it interacts with authenticated users to define who is allowed in what areas of the site.
2- Yes.
Some additional info

Profile Providers and Windows Authentication

All our in-house projects use Active Directory authentication and impersonation, as this is the accepted security policy for the company.
I currently have a scenario where I need to store user profile information, and I would like to use the built-in Profile Providers that are standard in ASP.NET. I've previously used this happily with Forms Authentication; however, I can't find any helpful information on how to implement this when using Windows Authentication.
Is there any way I can get just the Profile Provider working with Windows Authentication out of the box?
Will I be forced to create a custom profile provider?
The data will be stored in the database, not in Active Directory. However, if the latter is possible, some guidance would be appreciated.
Notes
I don't need to use the Role provider; this is handled by AD.
I am not sure if I need to implement the AD Membership provider to get the Profile Provider to work.
You can just use the standard SqlProfileProvider. As the username, use the Context.User.Identity.Name property. ASP.NET will create a user entry in its standard tables itself to keep track of it. The role provider also works in combination with Windows authentication. See this link for more information: http://weblogs.asp.net/scottgu/pages/Recipe_3A00_-Implementing-Role_2D00_Based-Security-with-ASP.NET-2.0-using-Windows-Authentication-and-SQL-Server.aspx
If you enable and configure the profile provider in web.config, you can use it like this:
using System.Web.Profile;
// With Windows authentication the name is DOMAIN\user; true = the user is authenticated
ProfileBase profile = ProfileBase.Create(Context.User.Identity.Name, true);
profile.SetPropertyValue("MyProfileProperty", propertyValue);
profile.Save();   // persists this user's row through the configured provider
Good luck!

What is the best way of handling users session in ASP.Net?

Any user who logs in needs to provide username, password and domain. For that user a windows identity shall be created on the server side. In this scenario what is the best way to handle user's session across the pages using his identity in ASP.Net?
Maybe I don't understand the question here, but to me it seems like you could just create a custom membership/profile provider that authenticates to AD. If the account cannot be found, then create it. This would allow you to act as normal on the ASP.NET side of things while still allowing you to interact with AD.
MS how-to:
http://msdn.microsoft.com/en-us/library/ms998360.aspx
Sorry if this is not what you are looking for, but this seems right based on the question.
I'm guessing the username, password and domain are authenticated against Active Directory? If so, you'll be interested in this article: How To: Use Forms Authentication with Active Directory in ASP.NET 2.0
If you are just using session to 'remember someone is logged in', this will handle it all for you.
Use a session variable to store user details.
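The pattern the second answer points at, as an added example (not code from any of the answers above): validate the typed username, password and domain against Active Directory once, then let forms authentication carry the identity across pages in its signed and encrypted cookie rather than keeping the password, or a `WindowsIdentity` built from it, in `Session`. The MVC controller, the `LoginModel` shape and the view names are assumptions of the example.

```csharp
// Added example (not code from the original answers): validate credentials
// against AD once, then rely on the forms authentication cookie for the
// session. Assumed: MVC controller, LoginModel with Domain/UserName/Password.
using System.DirectoryServices.AccountManagement;
using System.Web.Mvc;
using System.Web.Security;

public class LoginModel
{
    public string Domain { get; set; }
    public string UserName { get; set; }
    public string Password { get; set; }
}

public static class AdCredentialValidator
{
    // True only if the domain accepts this password for DOMAIN\user.
    public static bool Validate(string domain, string userName, string password)
    {
        // Refuse empty input up front instead of relying on the directory bind to reject it.
        if (string.IsNullOrEmpty(domain) || string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        {
            // Negotiate (Kerberos/NTLM) with sealing so the password is not sent in the clear.
            return ctx.ValidateCredentials(userName, password, ContextOptions.Negotiate | ContextOptions.Sealing);
        }
    }
}

public class AccountController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (!AdCredentialValidator.Validate(model.Domain, model.UserName, model.Password))
        {
            // Same message for unknown user and wrong password: no account enumeration.
            ModelState.AddModelError("", "Invalid user name or password.");
            return View(model);
        }

        // The cookie is what "remembers" the user; User.Identity.Name then yields
        // DOMAIN\user on every later request. The password is never stored.
        string name = model.Domain + "\\" + model.UserName;
        FormsAuthentication.SetAuthCookie(name, createPersistentCookie: false);

        // Only follow a return URL inside this site.
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }

    public ActionResult Logout()
    {
        FormsAuthentication.SignOut();
        Session.Abandon();   // drop any per-user state kept in session as well
        return RedirectToAction("Index", "Home");
    }
}
```

This deliberately does not keep a `WindowsIdentity` alive between requests: the logon token cannot be recreated on a later request without the credentials, so a design that needs a real Windows token per request should use Windows authentication (as the previous question's company policy does) instead of a forms login against AD.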
