WSO2 IS ASP.Net - user authentication and SAML response decoding/validation - asp.net

We are using WSO2 IS 5.2.0 for user authentication and SSO across our applications. We have multiple web applications built on java technology.
All the apps are registered in WSO2 service provider and we are able to successfully authenticate user and able to do SSO.
User is prompted for login when he tries to access one of the apps for the first time. Once user logs in, he is able to access any application.
We are using HTTP redirect to achieve this. On the applications side we are using WSO2 java API (org.wso2.carbon.identity.sso.* package) to get the authenticated user details and claims information.
Now we have one more application in .Net (ASP) which we want to integrate into our application suite which should also use the existing SSO infrastructure.
Can someone please let us know how to integrate WSO2 and .Net application for user authentication and SSO. If it is HTTP redirect, then how do we decrypt user information from the SAML Response in .Net application?
Is there any webservice interface available which we can directly call from .Net application which can provide function to get user information by passing samltokenId?

There is a sample written using .NET in here [1] but it seems it is still undergoing development. I have asked the question in WSO2 Architecture mailing list[2] about the state of it (You can follow for more information) but still you can use it to get some understanding (Or as a full working solution maybe).
[1] https://github.com/wso2/samples-is/tree/master/dotnet-agent-saml-sso
[2] [Architecture] [IS] SAML SSO Agent for .NET

Related

MSAL.NET acquire access token using windows credentials

We have a hybrid Active Directory scenario - an on premises Active Directory server synced with an Azure AD tenant.
We are in the process of migrating our on premise Exchange email accounts to 365.
We have a SPA (JavaScript) that displays calendar events retrieved from a dotnet core web API.
The web API only allows access to users in a specific AD group.
The SPA uses the Fetch API to call the web API with credentials.
The web API currently uses EWS to connect to our on premise Exchange server to read calendar events, using its app pool identity.
The above systems have been developed in-house and run on our internal servers.
We want to update the Web API to read calendar events using the MS Graph API, on behalf of the user. We would like to use the simplest available solution.
We have tried to use the AcquireTokenByIntegratedWindowsAuth method but receive the following error: 'Integrated Windows Auth is not supported for managed users'. My limited understanding of why this doesn't work is because we do not have an ADFS on premise.
One of the Microsoft samples shows a SPA acquiring an access token and passing the token in the header as part of the web API call. This would require us to update the SPA and web API code. We're willing to do that if it's the only solution, but I am hoping someone might offer an alternative where we only need to update the web API.

Can't get domain user inside API - (AngularJs + ASP.NET Framework with Windows authentication)

I have this legacy intranet app using an AngularJS SPA consuming an an ASP.NET Web API (on .NET 4.6.1) and I can't manage to get the user authenticated on the domain inside the API, when calls are made by AngularJs.
Inside the API I have situations where I need to get the domain authenticated user. I have tried several combinations inside IIS to set both the AngularJS app and the API with Windows authentication, Impersonation, Authorization Rules. I've read several questions in Stackoverflow and other forums and also searched through several articles but I can't manage to find a solution, I'm feeling helpless in this one.
When I make a direct call to the API using a tool like Postman or through Swagger, System.Web.HttpContext.Current.Request.LogonUserIdentity.Name shows the correct authenticated user.
When I make the very same call to the API but through the client, like loading a page that requests data from the API, the user shown in LogonUserIdentity, is the one set on the app pool.
The authentication between the client and the API uses bearer token.
Here's my current scenario:
IIS:
Windows authentication enabled for both the client and the API, Impersonation enabled for both the client and the API
Authorization rules for ASP.NET and IIS set with allow all users for both Client and API
Session state in-proc, using cookies and with UseHostingIdentity set to false on both Client and API
Both the client and the API are using the same AppPool, with integrated Pipeline, .NET CLR v4.0,
If there's more info to supply please let me know, I'll update the question with the required info.

What is the difference between identity server 4 open id connect and Azure AD?

What I know about IdentityServer and OpenID connect is:
The IdentityServer is a free, open source OpenID Connect and OAuth 2.0 framework for ASP.NET Core. That incorporates all the protocol implementations and extensibility points needed to integrate token-based authentication, single-sign-on and API access control in your applications.
Further more OpenID Connect is a simple identity layer built on top of the OAuth 2.0 protocol. OAuth 2.0 defines mechanisms to obtain and use access tokens to access protected resources, but they do not define standard methods to provide identity information. OpenID Connect implements authentication as an extension to the OAuth 2.0 authorization process. It provides information about the end user in the form of an id_token that verifies the identity of the user and provides basic profile information about the user.
What I want to know is what is Azure Active Directory and How it is works? Did we use Azure AD with openid connect? or it is optional with openid connect? and If I've an webapi which is based on ASP.Net core 2.0 with identityserver 4. Did we deploy on azure without implement Azure AD? I m confused because I've an webapi project and a client project based on angular. when I deploy my client project as a new web app on azure its running fine. But when I deploy my web api on azure its not working. Means after deploying my web api when I do post request to get a token or when I want to register a user through my azure web api link it shows me 500 error in postman.
After facing this problem I post it on Here Stackoverflow but didn't find any helpful answers. So I again start searching and found that if we want to use openid connect with azure we must implement Azure AD. Here is the Reference. So in this question I want to know the difference between openid connect and Azure AD? and second question is. Is this possible to use openid connect without using Azure AD? Please explain your answer briefly. Thanks

SSO Integration Using SAML 2.0

I am working on integrating our application with client's Identity management system using SAML 2.0. Below is the requirement
The login screen of our application will have an option for Single Sign On. when clicked user will be directed to the login screen of Identity management system
The Identity provider will validate user's credentials and send us the information back to our application
based on the input from Identity provider the application has to be provide access to the user.
Now, the client has asked us to provide them SAML meta data files. Our application is developed in dot net.
I had a look at component space and ATC Inc components that can be used for SAML generation however I need help to start this.
Can someone help me on this? This is something new which I haven't worked.
Thanks,
Abhilash
If you are looking for a simpler integration than coding support directly into your application, check out the PingOne Application Provider Service (APS) "SAML as a Service" from Ping Identity. A handful of lines of .NET code (or Java or Ruby or Perl, etc) to integrate via a RESTful API and you're done. No need to embed complicated SAML SP code and the security overhead that comes with it [Disclaimer: I do work for Ping].
HTH
Ian

ASP.NET and WCF Authentication Options

What are the authentication options for having a ASP.NET web application communicating with a WCF service?
The scenario:
User enters their username and password in an ASP.NET form.
ASP.NET needs to pass this to WCF to authenticate the user.
If authenticated, the user can perform actions on the website. Each action would require sending data to different WCF operations. WCF needs to know who the user is on each call.
The easiest solution would be to store the username/password in the ASP.NET session state. However, this is insecure because the password is stored in memory on the server.
I would rather not use a certificate to authenticate the ASP.NET "client" to the service because there's a possibility that this WCF could be consumed by another client in addition to ASP.NET.
The best suggestion I've seen so far is to use Windows Identity Foundation (WIF). It appears that this requires an STS. According to MSDN, Microsoft does not seem to recommend setting up an STS through Visual Studio. There's no guarantee that an STS would be available in the deployment environment as some environments may use Active Directory and other environments may have a custom user store. Is it possible to setup a custom STS to authenticate against a custom user store? I'm having trouble finding documentation on doing this.
Are there any other options besides using WIF? What about a custom WCF authentication service that returns a token that can be used for authenticating against a primary WCF service?
The standard way of doing this is by using WIF with Microsoft's STS viz. Active Directory Federation Services v2.0 (ADFS).
There are a number of custom STS available e.g. Identity Server. This use a SQL DB as an attribute store. It's open source so could be adapted to whatever you require.
You can create your own custom attribute store: AD FS 2.0 Attribute Store Overview.
TechNet WIF / WCF: WIF and WCF.

Resources