ADFS server with multiple certificates - adfs

We have a working ADFS 2016 server with over 100 clients as claims provider trusts. Now I need to join a local government SAML2 system, which is a common solution for many government bodies. It is compatible with our ADFS setup except that they require (without any valid reason) us to use special government-signed certificates as the token signing (and possibly encryption) certificate. With over 100 existing customers, who do not all update from our metadata automatically, I do NOT want to change our current token signing/encryption certificates in our published metadata.
Is there some way to handle this situation in ADFS server?
Can I install this government token signing certificate on the ADFS server as a second certificate and make it so that it is NOT published in our metadata?
And this second certificate should be used only with some selected claims provider trusts, so that the ADFS server by default uses our current certificate but uses the government certificate for logins from selected claims provider trusts that are linked to the government SAML2 system?
Or is the completely different ADFS server our only option?
Thanks.

No - an IDP only uses one certificate. Azure AD works exactly the same way.
Your only option is another IDP.
This doesn't have to be ADFS - just another IDP.

Related

How to secure an API using OAuth Certificate Based Authentication

I have a web application made using servlets and I have a separate API for the web application. I want to secure the API with OAuth so that, when we use OAuth, a client certificate is sent instead of credentials to the authorization server for verification, and after verification access should be allowed to the API. Is there any way to implement this authentication? If possible, what steps should I take to achieve this?
Client certificate credentials can be used for confidential clients, in either the code flow or the client credentials flow. This type of solution is often used in financial grade setups, where high worth data is involved.
Access tokens issued then contain a cnf claim, so that every API call is bound to the strong credential used at the time of authentication. See the RFC8705 standard for further details.
For a worked end-to-end example that you can run locally, and which covers both the backend and client behaviours, see this Curity code example. Not all authorization servers support these flows, so check for your provider.
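The binding described in the answer above is the part a resource server has to enforce itself: the access token carries a `cnf` claim with the SHA-256 thumbprint of the client certificate (`x5t#S256`, RFC 8705 section 3.1), and the API must refuse the token if the certificate on the current TLS connection hashes to something else. The following is an added example, not code from the original post or from Curity; it assumes .NET 6+ and constructs its own certificate and token locally. Signature, issuer, audience and expiry validation are assumed to happen before this check.

```csharp
// Added example (not from the original post or Curity): enforcing the RFC 8705
// certificate binding of an access token. Assumes .NET 6+; the certificate and
// token below are constructed for the demo.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json;

public static class CertificateBoundTokens
{
    // RFC 8705 section 3.1: "x5t#S256" = base64url(SHA-256(DER certificate)), no padding.
    public static string ComputeX5tS256(X509Certificate2 cert) =>
        Base64UrlEncode(SHA256.HashData(cert.RawData));

    // True only when the token's cnf claim matches the presented certificate.
    // This covers only the proof-of-possession binding; the JWT signature, issuer,
    // audience and expiry must already have been validated by the caller.
    public static bool TokenMatchesCertificate(string jwt, X509Certificate2 presented)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) return false;                       // not a compact JWS
        using JsonDocument payload = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        if (!payload.RootElement.TryGetProperty("cnf", out JsonElement cnf) ||
            !cnf.TryGetProperty("x5t#S256", out JsonElement bound))
            return false;                                          // token is not certificate-bound
        byte[] expected = Encoding.ASCII.GetBytes(bound.GetString() ?? "");
        byte[] actual = Encoding.ASCII.GetBytes(ComputeX5tS256(presented));
        // Fixed-time comparison; also returns false when the lengths differ.
        return CryptographicOperations.FixedTimeEquals(expected, actual);
    }

    public static string Base64UrlEncode(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static byte[] Base64UrlDecode(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return Convert.FromBase64String(b64);
    }

    // Constructed self-signed certificate standing in for a client's mTLS credential.
    public static X509Certificate2 MakeDemoCertificate(string subject)
    {
        RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
    }

    // Constructed token: the payload carries the cnf claim an authorization server would
    // add. The signature segment is left empty because signature checking is out of
    // scope for this demo (a real resource server verifies it before anything else).
    public static string MakeDemoToken(X509Certificate2 boundTo)
    {
        var payload = new Dictionary<string, object>
        {
            ["sub"] = "client-app",
            ["cnf"] = new Dictionary<string, string> { ["x5t#S256"] = ComputeX5tS256(boundTo) }
        };
        string header = Base64UrlEncode(Encoding.UTF8.GetBytes("{\"alg\":\"RS256\"}"));
        string body = Base64UrlEncode(JsonSerializer.SerializeToUtf8Bytes(payload));
        return header + "." + body + ".";
    }

    public static void Main()
    {
        using X509Certificate2 legit = MakeDemoCertificate("CN=legit-client-demo");
        using X509Certificate2 other = MakeDemoCertificate("CN=other-client-demo");
        string token = MakeDemoToken(legit);
        Console.WriteLine(TokenMatchesCertificate(token, legit)); // True: the certificate the token was bound to
        Console.WriteLine(TokenMatchesCertificate(token, other)); // False: a stolen token presented with another certificate
    }
}
```

The second call is the case the binding exists for: a token copied off the wire is useless to a caller who cannot also present (and complete the TLS handshake with) the original client's private key. Take the presented certificate from the TLS layer of your host (for example the connection's client certificate), never from a request header a client could set itself.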

How to implement SAML for SSO using ADFS as identity Provider

After 2 days of research, now I am at the assumption that ADFS can be used as an Identity Provider which uses Active Directory as its repository (this means we can store the username, password... required to identify a user). My confusions are:
When a user opens a login page in the SP, and if there is a trust relationship between the SP and ADFS (IP), does the IP take the Windows logged-in user ID to check the user against Active Directory?
If the authentication is successful, does the IP send the user information (as a SAML response) to the SP, so that I can create a session for the logged-in user?
What should I do if the user logs out from the SP? Should I also have to clear the session in the IP (now ADFS)?
If my assumptions are right, how to implement ADFS as Identity Provider (IP) and consume its service in an Asp.net application (Service Provider)?
When the SP notices that the user is not signed in it sends the user to the IDP. This is where the login page is presented. ADFS can be configured to authenticate the user based on the signed in windows user.
Yes, ADFS can be configured to return user information in the SAML response. This is defined as claims in ADFS.
When the user is logged out in the SP, the SP should send a SAML LogoutRequest to the IDP to remove the session on the IDP.
Here is a library I have seen others use for .net
Another option is to use a product such as Shibboleth in front of your application.
Your question is: "How to implement ADFS as Identity Provider (IP) and consume its service in Asp.net Application (Service Provider)"
Then you have tagged it with SAML?
Why do you want to use SAML? (And here I am talking about SAML the protocol NOT SAML the token).
Just use WS-Federation and WIF which is OOTB support. WS-Fed also uses SAML tokens.
If you want to use SAML, refer to SAML : SAML connectivity / toolkit and SAML : ASP.NET MVC application talking to SAML IDP.

Verifying Client-Signed X509 Request in Web API without installing to Store

We have a Web API 2 application exposed to outside vendors for various integrations. We're adding a new one with DocuSign through their Connect service, and they will be signing their requests with their X509 certificate. I would rather not install the certificate on the server itself because we add new servers and deployments often based on load.
Here is my plan, and I'd like to know what the security risks are with it (assuming it will work at all).
DocuSign provides their X509 certificate for download. I want to place that *.cer file in my Web API application's ~/App_Data folder, along with any other certs from any other vendors. I will use a DelegatingHandler to grab the client certificate from the Request. I would then use the X509Chain class as described here to load all certificates from the ~/App_Data folder and to verify the request certificate.
From there I would map the certificate subject to a role and add that to the current thread to provide authentication for specific routes.
I've gathered from my research that this method would be less secure than installing DocuSign's certificate to the server's root store - is that correct? And how much less secure?
At the end of the day I'd like to (1) verify that the request is coming from who it says it's coming from, and (2) add roles based on the verified requester for authentication.
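The plan above works, but only if the chain check is written so that the *.cer files are the trust decision. `X509Chain` can only be told to tolerate an unknown root (`AllowUnknownCertificateAuthority`), and on its own that flag accepts any self-signed certificate, so the code must additionally require that one certificate in the built chain is byte-for-byte one of the pinned files. The following is an added example, not code from the original post or from DocuSign; it assumes .NET Framework 4.7.2+ or .NET 6+, a hypothetical folder and role table, and constructs its own certificates. It shows the verification, the subject-to-role mapping the poster describes, and why the subject alone must never be trusted.

```csharp
// Added example (not from the original post or DocuSign): verifying a presented
// X.509 certificate against vendor certificates stored as *.cer files in a folder
// (the ~/App_Data idea) and mapping the verified subject to a role. Assumes
// .NET Framework 4.7.2+ or .NET 6+; folder, subjects and roles are hypothetical.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

public static class VendorCertificateVerifier
{
    public static List<X509Certificate2> LoadPinnedCertificates(string folder)
    {
        return Directory.GetFiles(folder, "*.cer").Select(f => new X509Certificate2(f)).ToList();
    }

    // True only when the presented certificate builds a valid chain AND one certificate
    // in that chain (the leaf itself or an issuing CA) is exactly one of the pinned files.
    public static bool IsTrustedVendorCertificate(X509Certificate2 presented,
        IReadOnlyCollection<X509Certificate2> pinned, X509RevocationMode revocation)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.ExtraStore.AddRange(pinned.ToArray());
            chain.ChainPolicy.RevocationMode = revocation;
            // Lets Build() succeed when the root is not in the machine store. By itself this
            // flag would accept ANY self-signed certificate, so the pin comparison below is
            // what actually makes the trust decision; never return true without it.
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
            if (!chain.Build(presented)) return false;   // expired, bad signature, revoked, ...
            // Defence in depth: the only status tolerated is the unknown root itself.
            if (chain.ChainStatus.Any(s => s.Status != X509ChainStatusFlags.NoError &&
                                           s.Status != X509ChainStatusFlags.UntrustedRoot))
                return false;
            // Compare DER bytes rather than the SHA-1 Thumbprint property.
            return chain.ChainElements.Cast<X509ChainElement>()
                        .Any(e => pinned.Any(p => p.RawData.SequenceEqual(e.Certificate.RawData)));
        }
    }

    // Hypothetical role table keyed by subject DN. The subject is safe to use as a key
    // only AFTER IsTrustedVendorCertificate has tied it to a pinned certificate.
    public static readonly Dictionary<string, string> RoleBySubject = new Dictionary<string, string>
    {
        ["CN=vendor-a-connect-demo"] = "VendorA"
    };

    // Returns the principal a DelegatingHandler would assign to Thread.CurrentPrincipal
    // (and HttpContext.Current.User), or null when the request must be rejected.
    public static IPrincipal AuthenticateOrNull(X509Certificate2 presented,
        IReadOnlyCollection<X509Certificate2> pinned, X509RevocationMode revocation)
    {
        if (presented == null || !IsTrustedVendorCertificate(presented, pinned, revocation)) return null;
        string role;
        if (!RoleBySubject.TryGetValue(presented.Subject, out role)) return null;   // trusted but unmapped
        return new GenericPrincipal(new GenericIdentity(presented.Subject, "X509"), new[] { role });
    }

    // Constructed self-signed certificates standing in for a vendor's signing certificate.
    static X509Certificate2 MakeDemoCertificate(string subject)
    {
        RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
    }

    public static void Main()
    {
        string folder = Path.Combine(Path.GetTempPath(), "pinned-vendor-certs-demo");
        Directory.CreateDirectory(folder);
        X509Certificate2 vendor = MakeDemoCertificate("CN=vendor-a-connect-demo");
        File.WriteAllBytes(Path.Combine(folder, "vendor-a.cer"), vendor.Export(X509ContentType.Cert)); // public part only
        List<X509Certificate2> pinned = LoadPinnedCertificates(folder);

        // Self-signed demo certs carry no OCSP/CRL endpoint, so revocation is skipped here;
        // a real vendor certificate should be checked with X509RevocationMode.Online.
        IPrincipal p = AuthenticateOrNull(vendor, pinned, X509RevocationMode.NoCheck);
        Console.WriteLine(p != null && p.IsInRole("VendorA"));                                  // True

        // Same subject DN, different key: the chain contains no pinned certificate, so rejected.
        X509Certificate2 impostor = MakeDemoCertificate("CN=vendor-a-connect-demo");
        Console.WriteLine(AuthenticateOrNull(impostor, pinned, X509RevocationMode.NoCheck) == null); // True
    }
}
```

On the "how much less secure" question: with the pin comparison in place the cryptographic check is the same as for the machine store. The difference is who can change the trust anchors: adding a vendor now only requires write access to App_Data (deployment pipeline, web.config transforms, anyone who can edit the site's files), whereas the machine store needs local administrator rights. Treat that folder as you would a trust store: read-only for the application pool identity, tracked in source control, and checked for unexpected files as part of deployment.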

Accessing Smartcards from a Web Site

A number of countries have implemented electronic ID cards that their citizens can use to securely access online facilities like banking.
I am interested in learning how to support these cards, but tracking down documentation on how to do this from an IIS-hosted website is a real PITA: in MSDN, for example, the bulk of the smartcard documentation covers the end-to-end scenario of linking smart cards to domain logins in a corporate environment.
I am just trying to authenticate the holder of, for example, a Spanish DNI-e card and perform an OCSP validation of the card via http://ocsp.dnie.es/
Now, it seems that, rather than explicitly detecting the smart card insertion, I need to create a login page on the server with SSL client authentication forced - but how do I configure one request to require SSL client authentication and to pick the correct client certificate?
Indeed, configure your server to require client certificate authentication. You will receive the client authenticator details in the headers.
You can force to only accept specific certificates by configuring the public root certificate of those client certificates on the server and removing all others that you are not interested in. In the authentication request going from your server to the browser, only the root certificates are listed that are trusted on your server system. The client browser will only offer client certificates that are somehow related to that root.
In a Microsoft environment you would configure your IIS to require SSL on your login page. Additionally, require SSL client authentication using a certificate.

ADFS v2.0 : How to federate with Windows Live, OpenID and Facebook

We have ADFS 2.0 running and have federated with various STS.
Is it possible to federate with Windows Live, OpenID and Facebook?
Some of our users already have these types of credentials and it would be a bonus to be able to use them.
If so, what URL would be used for the federation metadata address in the "Add Claims Provider Trust" wizard?
Any other gotchas?
ADFS doesn't natively support the protocols of those IP-STSs (with the possible exception of Windows Live). You'll need to put an FP-STS that understands those protocols (e.g., PingFederate) between ADFS and them.
We have been investigating this question a lot.
It seems that the best setup is to use ACS in combination with AD FS 2.0 as described in this article.
This setup also enables claims transformation, for example, if you want to add the corporate customer number as a claim.
We have not yet seen any examples where you can connect AD FS 2.0 directly to Facebook however.
Yes. There is no direct way to get the claims from ADFS; you need to configure ACS and set ACS as an ID provider to ADFS.
But the token validation for ACS is 24 hours at max , so you need to be happy with short-lived token for Social Id providers.
