Refresh/ Renew ADFS Security Token after expiration Time for a relying party - adfs

Currently we are using an ASP.NET Core web application (.NET Core 2.2) and ADFS as an identity provider using the WS-Federation protocol. The token lifetime for the relying party is 60 minutes. Users are automatically signed out and forced to sign in again after 60 minutes to re-authenticate and continue using the application. I assume this is a typical scenario.
Is there any better approach where the user can re-authenticate or refresh the token after 60 minutes without user intervention? Any pointers will be of great help.
• ASP.NET Core web application - .NET Core 2.2
• ADFS on Windows Server 2012 R2
• ADFS version: 6.3.9600.16384, WS-Federation protocol
• ADFS token lifetime: 60 minutes
• .NET Core middleware: Microsoft.AspNetCore.Authentication.WsFederation

Refresh tokens are not part of the WS-Fed spec.
You could move to OpenID Connect to do this.
Also, ADFS has two timeouts - one for ADFS in general and one for each RP.
If the ADFS timer is greater than the RP one, this will achieve what you want.
But it affects all RPs and has security implications.
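The two timers the answer refers to are the per-relying-party token lifetime (`Set-AdfsRelyingPartyTrust -TokenLifetime`, 60 minutes in the question) and the farm-wide web SSO session lifetime (`Set-AdfsProperties -SsoLifetime`). On the application side, the WsFederation middleware ties the cookie lifetime to the token lifetime by default, so after 60 minutes the next request is challenged and the browser goes back to ADFS; whether ADFS prompts again depends on its own SSO session. The following Startup wiring is an added example, not the questioner's code or the answerer's: it makes that default explicit and shows how an application can still demand a genuinely fresh login for sensitive pages even when ADFS would otherwise answer silently from its SSO session. The metadata URL, realm, and the `step-up` property name and `/Admin/Reauth` route are assumptions for illustration.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.WsFederation;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            // The app session is the cookie; WS-Fed is only used to (re)establish it.
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
        })
        .AddCookie(options =>
        {
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            // Do not slide: the app session must not outlive the token ADFS issued.
            options.SlidingExpiration = false;
        })
        .AddWsFederation(options =>
        {
            options.MetadataAddress = "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml"; // assumed
            options.Wtrealm = "https://app.example.com/";                                                          // assumed
            // Default, stated explicitly: the cookie expires when the ADFS token does
            // (the per-RP TokenLifetime). The next request is then challenged and the
            // user is redirected to ADFS; with SsoLifetime > TokenLifetime, ADFS can
            // re-issue from its SSO session without showing a login page.
            options.UseTokenLifetime = true;
            options.Events = new WsFederationEvents
            {
                OnRedirectToIdentityProvider = ctx =>
                {
                    // Ordinary challenges carry no wfresh, so silent re-issue is allowed.
                    // A challenge raised from a step-up action sets wfresh=0, which makes
                    // ADFS ignore its SSO session and require fresh credentials.
                    if (ctx.Properties.Items.TryGetValue("step-up", out var stepUp) && stepUp == "true")
                    {
                        ctx.ProtocolMessage.Wfresh = "0";
                    }
                    return Task.CompletedTask;
                }
            };
        });

        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();   // must precede UseMvc
        app.UseMvc();
    }
}

// Assumed step-up route: forces a fresh ADFS login regardless of the cached SSO session.
public class AdminController : Controller
{
    [HttpGet("/Admin/Reauth")]
    public IActionResult Reauth(string returnUrl = "/Admin")
    {
        var props = new AuthenticationProperties { RedirectUri = returnUrl };
        props.Items["step-up"] = "true";
        return Challenge(props, WsFederationDefaults.AuthenticationScheme);
    }
}
```

The trade-off the answer alludes to sits in `UseTokenLifetime`: switching it to `false` and giving the cookie a long sliding `ExpireTimeSpan` would also stop the 60-minute sign-outs, but then the application session is no longer bounded by anything ADFS controls, and disabling a user in AD or shortening the RP lifetime has no effect until the cookie finally expires.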

Related

.NET Core application to connect with Windows Server 2012 R2 ADFS (Version 3.0) supporting OAUTH 2.0 authorization protocol

I am trying to create a login MVC application in .NET through which any identity provider that supports OpenID Connect for authentication and OAuth 2.0 for authorization should be able to communicate. The objective is that all my microservices will then call the login service (which will act as a proxy) to perform single login and single logout and authorization via different identity providers such as Ping Identity or Okta or perhaps Azure AD. I am using the package Microsoft.AspNetCore.Authentication.OpenIdConnect to achieve this.
I don't have much experience setting up ADFS authentication in the .NET stack, so forgive my ignorance if I am missing the obvious. But if someone can point me in the direction of how to configure ADFS and write a .NET Core application to request OAuth 2.0 supported tokens from it, it would help a lot. Please know that I am trying to connect with ADFS 2012 R2, which supports the OAuth 2.0 authorization code flow.
ADFS 2012 R2 does not support OpenID Connect and has no concept of an ID token.
You need to use ADFS 2016 or above.

Combining cookie and token authentication in ASP.NET Core

I have REST services (Web API) and an admin panel (MVC) in one project on ASP.NET Core 2.1. I want to secure my API with JWT tokens and my MVC pages with cookies. Can I combine these two authentication methods? How do I configure my Startup.cs, the Authorize attribute, and the sign-in functionality?
I suppose you should use an OAuth 2.0 framework. Please check IdentityServer4; it enables many features in your applications.
IdentityServer is middleware that adds the spec compliant OpenID Connect and OAuth 2.0 endpoints to an arbitrary ASP.NET Core application.
Typically, you build (or re-use) an application that contains a login and logout page (and maybe consent - depending on your needs), and the IdentityServer middleware adds the necessary protocol heads to it, so that client applications can talk to it using those standard protocols.
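Whether or not IdentityServer4 is adopted for issuing tokens, the question's own scenario (cookie for the MVC pages, JWT for the API, one project) is a matter of registering two authentication schemes and being explicit about which one each controller accepts. The following is an added example for ASP.NET Core 2.1, not code from the question or the answer. It assumes an `ICredentialStore` of your own (registered in DI, for instance backed by ASP.NET Identity), the issuer and audience strings, and a signing key that in a real deployment comes from configuration or a secret store rather than a constant.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Assumed: your own user store, registered in DI (e.g. backed by ASP.NET Identity).
public interface ICredentialStore { Task<bool> VerifyAsync(string user, string password); }

public class Startup
{
    public const string Issuer = "https://app.example.com";   // assumed
    public const string Audience = "app-api";                 // assumed
    // Illustrative constant only; load a random key of at least 32 bytes from a secret store.
    public static readonly SymmetricSecurityKey SigningKey =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("replace-with-a-32-byte-or-longer-random-secret!"));

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            // Cookie is the default: MVC pages challenge by redirecting to the login page.
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        })
        .AddCookie(options =>
        {
            options.LoginPath = "/Account/Login";
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Lax;
            options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
        })
        .AddJwtBearer(options =>
        {
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,           ValidIssuer = Issuer,
                ValidateAudience = true,         ValidAudience = Audience,
                ValidateIssuerSigningKey = true, IssuerSigningKey = SigningKey,
                ValidateLifetime = true,
                ClockSkew = TimeSpan.FromMinutes(1)   // library default is 5 minutes
            };
        });
        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();   // must run before UseMvc
        app.UseMvc();
    }
}

// Admin panel: a plain [Authorize] uses the default (cookie) scheme.
[Authorize]
public class AdminController : Controller
{
    public IActionResult Index() => View();
}

// REST API: pinning the scheme means a browser cookie alone gets 401, not access,
// so a cross-site request riding on the admin session cannot drive the API.
[ApiController, Route("api/orders")]
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
public class OrdersController : ControllerBase
{
    [HttpGet] public IActionResult Get() => Ok(new[] { "order-1", "order-2" });
}

public class AccountController : Controller
{
    private readonly ICredentialStore _store;
    public AccountController(ICredentialStore store) => _store = store;

    // Cookie sign-in for the MVC side.
    [HttpPost("/Account/Login"), ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string username, string password, string returnUrl = "/")
    {
        if (!await _store.VerifyAsync(username, password)) return Unauthorized();
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, username) },
                                          CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                                      new ClaimsPrincipal(identity));
        return LocalRedirect(returnUrl);   // rejects absolute URLs: no open redirect
    }

    // Token sign-in for API clients: short-lived JWT, no cookie involved.
    [HttpPost("/api/token")]
    public async Task<IActionResult> Token(string username, string password)
    {
        if (!await _store.VerifyAsync(username, password)) return Unauthorized();
        var jwt = new JwtSecurityToken(
            issuer: Startup.Issuer, audience: Startup.Audience,
            claims: new[] { new Claim(ClaimTypes.Name, username) },
            expires: DateTime.UtcNow.AddMinutes(15),
            signingCredentials: new SigningCredentials(Startup.SigningKey, SecurityAlgorithms.HmacSha256));
        return Ok(new { access_token = new JwtSecurityTokenHandler().WriteToken(jwt) });
    }
}
```

The point a reviewer would check is the `AuthenticationSchemes` on the API controller: without it, `[Authorize]` falls back to the default scheme, the API silently accepts the admin cookie, and the JWT layer protects nothing.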

Identity management framework in ASP.NET

A new application is being built with an Angular Client and a ASP.Net Web API back end. The back end will be consumed by the Angular Client only in the short term (1 year), but will be consumed externally (mobile and 3rd parties) in the long run.
What are the pros and cons of using ASP.NET Identity vs IdentityServer4 initially in securing the API? How difficult will it be to switch over to IdentityServer from ASP.NET Identity down the road and is it worth the effort of using IdentityServer from the beginning.
ASP.NET Identity is a user store, with some helper libraries that enable cookie authentication on top of it. Using ASP.NET Identity to protect HTTP APIs is not what it was designed for.
IdentityServer 4 is an OAuth & OpenID Connect authorization server. Using IdentityServer to protect HTTP APIs is exactly what it was designed for.

SP Initiated SSO - ADFS 2.0

I've been trying to implement SP-initiated SSO with an ADFS 2.0 configuration, but I could not find any solution to do that.
Not sure if ADFS 2.0 supports SP-initiated SSO. I can see there are some third-party libraries to do that, but I don't want to use any third-party libraries. I just need information on posting the SAML request to the identity provider and getting the SAML assertion back to the service provider.
Here the service provider is my application (ASP.NET) and ADFS 2.0 is the identity provider.
Any idea how I can achieve this.
Thanks.
Your problem isn't ADFS - it's ASP.NET.
.NET has no SAML support. You need a third-party stack.
Refer: SAML : SAML connectivity / toolkit.
ADFS definitely supports the SP initiated SSO flow.

Single Sign On WinForms apps and asp.net wep app

I've been assigned to find a way of implementing SSO in our products. We have several WinForms applications and one ASP.NET 4.0 web app (not MVC).
All the products are built using .NET 4.0; the web app is ASP.NET 4.0.
Some of the WinForms apps communicate with our API via web services (ASMX) and some use our API directly. The web app uses the same API as well. We offer a set of web services (ASMX) that use the same API to external clients.
Currently we have our own authentication implementation (user, password, roles) in our systems and we would like to replace that with SSO. Or can these two authentication regimes co-exist somehow? The WinForms apps are used on intranets, and the web app is used both on intranets and hosted by us for clients (accessible from the Internet).
The users are created in our system, but at the same time we import users from Active Directory using our own tool. Active Directory is really the primary user source.
I have read about Windows Identity Foundation and I wonder if I can use that to implement SSO. But what I don't understand is how to use WIF in the winform applications when they use the API directly.
What I would like to achieve is to remove all user administration from our system and use Active Directory as the user source. I guess that means using ADFS 2.0 to create claims, etc.
I can use .Net Framework 4.5 in this implementation (I know that WIF is now a first class citizen in .Net Framework 4.5).
Do you have any advice on how to do this? Is WIF the best alternative to achieve SSO across WinForms applications and web apps?
There is a way to get the WIF authentication cookie from within the WinForms application.
To do it, you just host the WebBrowser control and point it to the login page of your web application. Assuming the web application is federated with the ADFS2, the web browser control will automatically follow the flow - it will redirect to ADFS and stop there to show the prompt for user credentials (ADFS2 in Forms Authentication mode) or just authenticate using NTLM/Kerberos (ADFS2 in Windows authentication mode). Then the web browser will redirect back to your application.
This is where you hook your code. You just add a handler to the web browser's navigation event and you check when it comes back to your application AFTER ADFS2.0 authenticates the user. You can then call the InternetGetCookie method in the WinForms app to get all the authentication cookies issued by your application and you can close the window which hosts the web browser.
At this point, you have all authentication cookies issued by WIF (the SessionAuthenticationModule) for your application. You can now call your application web services and inject cookies into http calls. The web server will correctly recognize users as authenticated which means that all you have to do is to add proper authorization to your web services (the PrincipalPermission on your web methods should do).
An alternative approach would be to expose WCF services from your web application and guard them with WS-Federation active authentication. The downside of this approach is (in my opinion) that if your identity provider (ADFS) is further federated with yet another identity provider which DOES NOT necessarily implement WS-Trust/WS-Federation then the active authentication will probably fail (because the other identity provider does not implement it) while the passive scenario will still work (a bunch of redirects will sooner or later end with a page which requires the user to provide the credentials, but the flow of authentication protocols between consecutive identity providers does not matter).
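The cookie-harvesting approach in the answer above, written out as an added example (it is not the answerer's code): a WinForms dialog hosts a WebBrowser control, lets the WS-Federation redirects run, and reads the cookies back through WinINet once the browser lands on the application's own origin. One caveat the answer does not spell out: WIF's SessionAuthenticationModule marks its FedAuth cookie HttpOnly, which plain `InternetGetCookie` (and `WebBrowser.Document.Cookie`) will not return, so the code uses `InternetGetCookieEx` with the `INTERNET_COOKIE_HTTPONLY` flag. It also verifies the harvested session against a protected URL before trusting it. The application base URL, login path and service path are assumptions; the application is assumed to run over HTTPS.

```csharp
using System;
using System.Net;
using System.Runtime.InteropServices;
using System.Text;
using System.Windows.Forms;

public sealed class FederatedLoginForm : Form
{
    // InternetGetCookie cannot return HttpOnly cookies, and WIF sets FedAuth HttpOnly
    // by default, so the Ex variant with this WinINet flag is required.
    private const int INTERNET_COOKIE_HTTPONLY = 0x2000;

    [DllImport("wininet.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool InternetGetCookieEx(string url, string cookieName,
        StringBuilder cookieData, ref int size, int flags, IntPtr reserved);

    private readonly Uri _appBase;
    private readonly WebBrowser _browser = new WebBrowser { Dock = DockStyle.Fill, ScriptErrorsSuppressed = true };

    public string CookieHeader { get; private set; }

    public FederatedLoginForm(Uri appBase)
    {
        _appBase = appBase;
        Controls.Add(_browser);
        _browser.Navigated += OnNavigated;
        // The app redirects to ADFS (wsignin1.0); after the user authenticates, ADFS posts the
        // token back and the SessionAuthenticationModule sets FedAuth on that response.
        _browser.Navigate(new Uri(_appBase, "Account/Login"));   // assumed path
    }

    private void OnNavigated(object sender, WebBrowserNavigatedEventArgs e)
    {
        // Only read cookies once we are back on our own origin, never while parked on
        // ADFS or on whatever upstream identity provider ADFS forwarded the user to.
        if (e.Url.Scheme != Uri.UriSchemeHttps ||
            !string.Equals(e.Url.Host, _appBase.Host, StringComparison.OrdinalIgnoreCase))
            return;

        string cookies = ReadCookies(_appBase);
        if (cookies != null && cookies.Contains("FedAuth="))
        {
            CookieHeader = cookies;
            DialogResult = DialogResult.OK;   // closes the modal dialog
        }
    }

    // Returns "name=value; name2=value2" for the URL, HttpOnly cookies included.
    public static string ReadCookies(Uri url)
    {
        int size = 0;
        // First call only sizes the buffer (fails with ERROR_INSUFFICIENT_BUFFER, 122).
        InternetGetCookieEx(url.AbsoluteUri, null, null, ref size, INTERNET_COOKIE_HTTPONLY, IntPtr.Zero);
        if (size <= 0) return null;
        var buffer = new StringBuilder(size);
        return InternetGetCookieEx(url.AbsoluteUri, null, buffer, ref size, INTERNET_COOKIE_HTTPONLY, IntPtr.Zero)
            ? buffer.ToString() : null;
    }

    // WIF chunks a large session cookie into FedAuth, FedAuth1, FedAuth2, ...; send them all.
    // Generated ASMX proxies (SoapHttpClientProtocol) and HttpWebRequest both take a CookieContainer.
    public static CookieContainer ToCookieContainer(string header, Uri appBase)
    {
        var jar = new CookieContainer();
        foreach (string pair in header.Split(new[] { "; " }, StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = pair.IndexOf('=');
            if (eq <= 0) continue;
            jar.Add(appBase, new Cookie(pair.Substring(0, eq), pair.Substring(eq + 1)) { Secure = true });
        }
        return jar;
    }

    // Check before trusting the harvested session: a protected URL must answer 200, not a
    // 302 back to ADFS, which is what an expired or otherwise rejected FedAuth cookie gets.
    public static bool SessionIsValid(Uri protectedUrl, CookieContainer jar)
    {
        var request = (HttpWebRequest)WebRequest.Create(protectedUrl);
        request.CookieContainer = jar;
        request.AllowAutoRedirect = false;
        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
                return response.StatusCode == HttpStatusCode.OK;
        }
        catch (WebException) { return false; }   // 401/403 surface as exceptions
    }
}

public static class Program
{
    [STAThread]
    public static void Main()
    {
        var appBase = new Uri("https://app.example.com/");   // assumed
        using (var login = new FederatedLoginForm(appBase))
        {
            if (login.ShowDialog() != DialogResult.OK) return;
            var jar = FederatedLoginForm.ToCookieContainer(login.CookieHeader, appBase);
            if (!FederatedLoginForm.SessionIsValid(new Uri(appBase, "Services/Orders.asmx"), jar))   // assumed
                throw new InvalidOperationException("WIF session cookie was not accepted");
            // From here, assign jar to the generated ASMX proxy's CookieContainer property.
        }
    }
}
```

The harvested cookie is a bearer credential for the user's whole web session, so treat it like a password in the client: keep it in memory only, never log it, and let it die with the process. Its validity is bounded by whatever session lifetime WIF was configured with on the server, so the WinForms client should expect `SessionIsValid` to start failing and re-run the dialog rather than cache the cookie across runs.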
