Have .Net Core 2.2 MVC application and integrated with Azure AD for userAzure AD. User authentication and sign out is working as expected.
But if we copy the cookies AspNetCore.AzureADCookie, .AspNetCore.AzureADCookieC1, .AspNetCore.AzureADCookieC2 from the authenticated browser session using the EditThisCookie extension and logout then if we import again those copied cookies back into browsers and we are able to access the application. Application trusting the application and login automatically.
I'm using NuGet Microsoft.AspNetCore.Authentication.AzureAD.UI NuGet package
Is this behavior expected?
This depends on the permissions and authentication configurations that you have set for the users within your Azure AD tenant and within the application. If the users are members of your Azure AD tenant or of your application and you've set up SSO using an MSAL library like OpenID Connect, then their credentials might be stored and they can log in by default.
Are you trying to say that you do not want your users to be able to one-click SSO with their pre-authenticated credentials?
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-authentication-for-federated-users-portal?view=azurermps-5.7.0
https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad
Related
One of my customers wanted to implement SSO using ADFS. I was thinking to do a POC for the same using ADFS in Azure. But one requirement is only some users have ADFS login and other user needs to use custom authentication using the identity provider.
Is it possible to use custom and ADFS authentication in the same web application? Like presenting a page with sign-in using SSO or sign-in with credentials?
My client just shared the federatedmetadata.xml. (Do we need to give the full URL DNS name + metadata URL when you create the new project?).
Is it possible to use custom and ADFS authentication in the same web application? Like presenting a page with sign-in using SSO or sign-in with credentials?
If you're open to it, you could integrate your application with an identity provider, and that provider does this for you.
For example:
Your application integrates with CAS as the IDP, and CAS presents this screen to the end user for the authn attempt. User can choose either option, and then once completed, they will be redirected back to your application to continue, and your application interacts with CAS to validate the user account/session. CAS itself is connected to your own account store, and is also integrated with ADFS.
What do you mean by "ADFS in Azure". The only way to do this is to run ADFS as a VM in Azure. Otherwise, you would use Azure AD.
Yes, you can federate ADFS with other identity providers so they both are accessible from the same login screen.
What other identity providers are you looking at?
ADFS is not a project, it's a server add-on and it's all done via configuration on the Windows server.
In terms of importing metadata, see this.
The issue that currently we are facing is our users in China have delay in signing into Azure Ad.
I want to create an Asp.net application that acts as an identity service provider for other applications.
I want my users to login to my application using their Microsoft live accounts and my application should be able to cache the identities to avoid delay.
Is it possible to implement such a solution?
I tried to repro in my Lab and successfully tested that my user can login without any delay of time below are the steps:
Deployed my ASP. NET application to Azure> Go to APP service> Authentication >ADD identity Provider
In the identity provider>select Microsoft account >By Default App registration will be created /Or we can create new one. >Support account type Select your account type to login users select Any azure AD directory & Microsoft accounts.
After added successfully you can check or edit the identity provider.
And then tested my app which required Microsoft live accounts to sign-in users .
For further information please refer below links :
.To Enable multi-factor authentication in Azure Active Directory B2C.
. Considerations for using caching.
What is the best way to configure an application startup.cs to use both Azure AD and Azure B2C in .netcore? I see a lot of referencing indictating to use only Azure B2C, but due to the circumstances I need to use both Identity providers separately giving the users the option to choose which service.
But I am not sure how to go about it, and after configuring the startup, how would I use distinct "Authorize" on the actions within the same controller?
You can use the Azure AD B2C custom policy and Azure ad can be set as an identity provider.The end result is as shown below, where users can choose to log in with an ad account.
Found that adding multiple Azure Active Directory authentication providers in the same app using the current release of the Microsoft Identity Web library is not available (https://github.com/AzureAD/microsoft-identity-web/issues/549 ) but will hopefully be added soon.
I have a design requirement for an ASP.NET MVC 4 (.NET 4.6.1) app hosted on the company server (Not Azure) to do the following:
Check is user is authenticated via Windows Authentication
a)Yes - designate user as "authenticated"
b)No - use OpenIdConnect (OWIN) to authentication using Azure Active Directory.
Once authenticated use the standard [Authorize] attributes on controller methods etc. I have implemented Windows and Azure AD authentication alone is individual MVC apps but never together.
I have found several sources describing how to mix Windows and Forms authentication, but none for this combination.
Does anyone have insights on how this might be achieved?
I had a similar requirement a year ago and my approach was :
The users are redirected to input their AD credentials (https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/)
Once they are sucessfully logged in on the AD you will get a token.
Then I call the Azure AD API on their behalf using the token I just got. I woulds just call the /me endpoint that will return me the user personal details.
With the above response I just need to check if the email address matches the email address that was initially requested.
If it matches it means the user was successfully validated against the AD.
Then you can proceed and issue that user a token or cookie to access your application.
I've been assigned to find a way of implementing SSO in our products. We have several Winform applications and one asp.net 4.0 web app (not MVC).
All the products are built using .Net 4.0, the web app is ASP.NET 4.0.
Some of the Winforms are commmunicating with our API via web services (asmx) and some uses our API directly. The web app is using the same API as well. We offer a set of web services (asmx) that uses the same API to external clients.
Currently we have our own authentication implementation (user, password, roles) in our systems and we would like to replace that with SSO. Or can these two authentication regimes co-exist somehow? The Winforms are used in intranets and the web app is used both in intranets and we also hosts the web apps for clients (accesible from the Internet).
The users are created in our system, but at the same time we import users from Active Directory using our own tool. Active Directory is really the primary user source.
I have read about Windows Identity Foundation and I wonder if I can use that to implement SSO. But what I don't understand is how to use WIF in the winform applications when they use the API directly.
What I would like to achieve is to remove all user administration from our system and use Active Directory as the user source. I guess that means using ADFS 2.0 to create claims, etc.
I can use .Net Framework 4.5 in this implementation (I know that WIF is now a first class citizen in .Net Framework 4.5).
Do you have any advices how to do this? Is WIF the best alternative to achieve SSO across winforms applications and web apps?
There is a way to get the WIF authentication cookie from within the WinForms application.
To do it, you just host the WebBrowser control and point it to the login page of your web application. Assuming the web application is federated with the ADFS2, the web browser control will automatically follow the flow - it will redirect to ADFS and stop there to show the prompt for user credentials (ADFS2 in Forms Authentication mode) or just authenticate using NTLM/Kerberos (ADFS2 in Windows authentication mode). Then the web browser will redirect back to your application.
This is where you hook your code. You just add a handler to the web browser's navigation event and you check when it comes back to your application AFTER ADFS2.0 authenticates the user. You can then call the InternetGetCookie method in the WinForms app to get all the authentication cookies issued by your application and you can close the window which hosts the web browser.
At this point, you have all authentication cookies issued by WIF (the SessionAuthenticationModule) for your application. You can now call your application web services and inject cookies into http calls. The web server will correctly recognize users as authenticated which means that all you have to do is to add proper authorization to your web services (the PrincipalPermission on your web methods should do).
An alternative approach would be to expose WCF services from your web application and guard them with WS-Federation active authentication. The downside of this approach is (in my opinion) that if your identity provider (ADFS) is further federated with yet another identity provider which DOES NOT necessarily implement WS-Trust/WS-Federation then the active authentication will probably fail (because the other identity provider does not implement it) while the passive scenario will still work (a bunch of redirects will sooner ot later end with a page which requires user to provide the credentials but the flow of authentication protocols between consecutive identity providers does not matter).