Seems like SignalR only accepts Bearer/JWT tokens. Is there support for SAML?
If you implement SAML in your webapp, the webapp will issue a cookie based on successful authentication. SignalR will piggyback on that:
In a browser-based app, cookie authentication allows your existing
user credentials to automatically flow to SignalR connections. When
using the browser client, no additional configuration is needed. If
the user is logged in to your app, the SignalR connection
automatically inherits this authentication.
Related
Our project is using SignalR over ASP.NET OWIN (full framework), and clients are mobile apps based on Xamarin. Authentication is done based on JWT. It is needed that we protect SignalR hubs against anonymous access, then find out user name of the connection.
Is it possible to SignalR to work with JWT? If yes, how?
SignalR's own protection is based on cookies not JWT. Also we can't afford to use query strings to pass the token due to deployment that is not HTTPS.
I have a web SPA that currently connects to a Rails backend, authentication handled via auth0. We have a new server that has some endpoints that the SPA needs to connect to. What is an elegant way of authenticating against both servers considering I have auth0 implemented in the SPA and the legacy server already? Is there some way to pass the authenticated token back to the new server from the legacy server? Or do I just authenticate against both servers when logging in as a user on the SPA? The user db sits in a separate db, shared by both servers.
If the credentials are stored in your database, then use an Auth0 Custom DB Connection to authenticate against Auth0 from your SPA. Auth0 has quickstart samples for all the popular SPA frameworks / libraries (angular 1.x, 2+, React.js etc). You authenticate against Auth0 (not the legacy or new server). As a result, you receive a (JWT) ID Token and a (JWT) Access Token. It is the Access Token you send from your SPA to each of of your Servers for the purpose of making Authorized requests. Your Server (legacy and new) should be secured to verify the JWT Access Token as valid and optionally check the scope attributes match the request endpoint. That's all that is required. The Auth0 documentation covers all this, and there are samples too that demonstrate how to set this up.
We want to build one spring MVC based application which will support below use case:
User access the application URL to login into application.
Once the valid credentials are entered to login into application, the user can access any of the service provider application for performing SSO.
On the access of any service provider application the SAML response should be generated and post to the Service provider ACS(Assertion consumer service) URL.
Also in addition to IDP initiated SSO, it should also support SP initiated SSO where the authentication request will we posted to the application login page, after valid credentials are entered by user, the application should redirect to service provider(which have posted the authentication request).
The application should have its own login page and authentication mechanism, it should not redirect to any other identity provider for authentication.
Should we use normal Spring MVC based application which will generated the SAML response using open SAML library, or any other SAML builder can be used for satisfying the above use case.
This basically means
- your app bundles a SAMLv2 compliant IdP (please don't try to build one yourself based on some SAML lib)
- your app calls an API of the IdP for authentication and issues a session token the IdP will recognize later on (otherwise authentication will always happen again when another application (acting as SAMLv2 SP) wants to perform SSO
Issue with the latter: The "token" will most likely be a cookie and then the restrictions of the cookie spec apply. This means you can only use host-based cookies (which security mandates) if your app and the IdP are deployed behind the same 'FQDN' (e.g. by using an HTTP reverse-proxy)
Another issue: How does your app know when the show the 'login screen' if the user actually has a valid session with the IdP because SSO was started at a different SP?
SAML way: You would first have to do a 'passive AuthnRequest' to check this.
Conclusion: Your use case can be achieved, but the effort seems quite high. I'm not aware that there is some lib/framework, which would offers this at the moment OOTB.
I've got an self-hosted SignalR instance, using OWIN. I'd like to implement authorization. My users will already have logged into an ASP.NET MVC application, using Forms Authentication.
Since the two applications will be available at the same URL, the cookies will be shared between the two. How do I accept a Forms Authentication cookie in a self-hosted SignalR application?
Clarification: I'm talking about a browser accessing a self-hosted SignalR hub using the same credentials that were used to log into a separate (but related, and installed on the same host) IIS application.
So, the question is: how do I hook into the SignalR server pipeline to capture the .ASPXAUTH cookie and use it to set the current principal before calling the hub?
If it helps, I can throw some Nancy into the mix.
If your user is already authenticated and logged in, you can check the following within your SignalR hub:
Context.User.Identity.IsAuthenticated
Assure this property is set to true. You can place this check within the constructor of your hub to block/remove their connection. If false, you can redirect them to another page.
I have gone through wiki on SignalR and still can't figure out how to do Forms authentication with SignalR. I'd like to invoke a call to a hub (or persistent connection) with username/password and be able to return a redirect to an authenticated page, along with setting forms authentication cookie.
Don't do forms auth through SignalR. Do it outside of SignalR (as you would normally) and then you can check to make sure incoming calls, and subscribers to your hub are authenticated.