Generating a SAML SP metadata file that works with ASP.NET Identity 2.0 Federation authentication - asp.net

I am trying to configure a web application using ASP.NET Identity 2.0 for Single-SignOn with ADFS.
To configure their ADFS, my client asked me to provide a SAML Service Provider metadata file matching the following format:
In my application, I am setting up authentication in my OWIN pipeline as follows:
    app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions()
    {
        MetadataAddress = ConfigurationManager.AppSettings["SsoAdfsMetadataEndpoint"],
        Wtrealm = ConfigurationManager.AppSettings["SsoWtrealm"]
    });
I have 2 questions:
I can generate an X509 certificate to include in the metadata, but how can I add it to my configuration in the web app?
Where can I get the URLs for all the AssertionConsumerService bindings?

SAML2P (P is for protocol) and WS-FED are two completely different protocols. To confuse things, SAML2 tokens (or assertions in SAML2 lingo) can be carried in WS-FED protocol messages.
You won't get any SAML2P functionality out of a WS-FED middleware. You need a SAML2P middleware. The open source Kentor.AuthServices.Owin package contains such a middleware that will automatically generate the needed metadata and that has been tested with ADFS.
Disclaimer: I'm the author of Kentor.AuthServices

Related

How to manage .NET Core API as a ServiceProvider to an existing IdentityProvider with Saml2?

Hello all and thanks first,
I have a project that has .NET Core 2 API and Angular 8 Client application. I have implemented token based authentication between app and the api (without using IdentityUser or IdentityRole).
Now, I have to do authentication over SSO. I have a SAML2 identity provider metadata file and have configured my API with it using the Sustainsys.Saml2.AspNetCore2 package.
Now I can create my own metadata, and I have registered this metadata with the Identity Provider. Everything seems okay
up to this point, but when I try to log in from the Identity Provider's login page there is no change on my API.
Crazy questions in my mind:
In the Identity Provider's metadata there are only SSO and SLO redirect URLs. There is no other method for AuthnRequests (HTTP POST etc.). How will I log in to this IdP?
The IdP has its own login page. If I have to redirect the user to this login page, will I get any authentication token or cookie? Will my API be made aware of this login?
There should be authentication data in any case (token, cookie, session id etc.). Where will I get this data to set the Authorization header when sending requests to my API?
I have been trying for a while but my last attempt also does not work.
Can anybody help please?
Thanks a lot.
You need to redirect to the identity provider, and it will then redirect back to your service provider api, from which you can set whatever security mechanisms you are using, and then redirect again to your local front-end (wherever you need to send your user).
Here are some resources I found helpful:
1) https://learn.microsoft.com/en-us/aspnet/core/security/authentication/?view=aspnetcore-3.1 (how authentication schemes work in .Net Core)
2) ASP.Net Core SAML authentication
    1. https://github.com/Sustainsys/Saml2 (SAML 2.0 authentication package)
    2. https://stubidp.sustainsys.com/ (Free IdP – can be used instead of a local implementation, if desired. A local implementation would require deployment of the “Sustainsys.Saml2.StubIdp” project).
3) Sustainsys SAML2 Sample for ASP.NET Core WebAPI without Identity
4) https://github.com/hmacat/Saml2WebAPIAndAngularSpaExample (super useful sample implementation)
5) Not able to SignOut using Saml2 from Sustainsys (help in getting the logout to work with https://stubidp.sustainsys.com)
6) https://www.nuget.org/packages/Sustainsys.Saml2.AspNetCore2/
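The two threads above (OWIN/Kentor.AuthServices and .NET Core/Sustainsys.Saml2, the same library under its current name) both come down to the same service-provider configuration, so here is one added example for ASP.NET Core that is not code from either post or from the Sustainsys project itself. Entity IDs, URLs, the PFX path and password are placeholders; namespaces follow Sustainsys.Saml2 2.x and may differ slightly between versions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Sustainsys.Saml2;
using Sustainsys.Saml2.AspNetCore2;
using Sustainsys.Saml2.Metadata;

public static class SamlSetup
{
    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(o =>
            {
                o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                o.DefaultChallengeScheme = Saml2Defaults.Scheme;
            })
            .AddCookie()
            .AddSaml2(options =>
            {
                // Our identity as SP. The middleware builds the SP metadata (EntityDescriptor, the
                // AssertionConsumerService at <PublicOrigin>/Saml2/Acs, our certificate) from these
                // values and serves it at <PublicOrigin>/Saml2; that document goes to the IdP admin.
                options.SPOptions.EntityId = new EntityId("https://sp.example.test/Saml2"); // placeholder
                options.SPOptions.PublicOrigin = new Uri("https://sp.example.test/");      // placeholder
                // Service certificate: the public key is published in the metadata so the IdP can verify
                // our signatures and encrypt assertions for us; the private key stays on the SP.
                options.SPOptions.ServiceCertificates.Add(
                    new X509Certificate2("sp-cert.pfx", "pfx-password-placeholder")); // load the password from a secret store
                // The IdP is described entirely by its published metadata (entity ID and URL are placeholders).
                options.IdentityProviders.Add(
                    new IdentityProvider(new EntityId("http://idp.example.test/adfs/services/trust"), options.SPOptions)
                    {
                        LoadMetadata = true,
                        MetadataLocation = "https://idp.example.test/FederationMetadata/2007-06/FederationMetadata.xml",
                        AllowUnsolicitedAuthnResponse = false // only accept responses to AuthnRequests we sent
                    });
            });
    }
}

// Login: Challenge() redirects the browser to the IdP's SSO URL (HTTP-Redirect binding, which is why only
// redirect endpoints appear in the IdP metadata). The IdP posts the response to /Saml2/Acs, the middleware
// validates it, signs in with the cookie scheme and redirects to RedirectUri (kept local to avoid open redirects).
public class AccountController : Controller
{
    [HttpGet("/account/login")]
    public IActionResult Login(string returnUrl = "/") =>
        Challenge(new AuthenticationProperties { RedirectUri = Url.IsLocalUrl(returnUrl) ? returnUrl : "/" }, Saml2Defaults.Scheme);
}
```

For the token-based API in the second question, the redirect target of the challenge is where the cookie principal is available to mint whatever token the SPA sends in its Authorization header.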

ASP.NET Core - AddJwtBearer - Authority URL, how does it work?

One question I’ve had recently about how the JWT middleware in asp.net core works is related to the Authority URL you can set if you want to verify tokens using an identity provider's asymmetric keys (JWKS based presumably). All examples I’ve seen completely fail to explain what this authority URL should be. Some auth0 examples say it’s just your auth0 domain - but if that’s the case then how does the middleware locate the public key from this base URL? Every provider has a different convention for the endpoint where a JWKS can be found - so how does this work?
My requirement is that I need to use a home grown identity provider where the JWKS endpoint is totally different to auth0, Okta, IdentityServer 4 or whatever other providers are using.
Is there some standard discovery mechanism that all these providers use that I’m not aware of? Do I need to have this same discovery mechanism in place in the in-house identity web app for this middleware to work?
Thanks!
Generally, OpenID Connect providers follow the standard and provide a discovery endpoint which includes all necessary endpoints and public key location information.
OpenID connect specification: https://openid.net/specs/openid-connect-discovery-1_0.html
Auth0 exposes OIDC discovery documents (https://YOUR_DOMAIN/.well-known/openid-configuration). These can be used to automatically configure applications.
https://auth0.com/docs/protocols/oidc/openid-connect-discovery
IdentityServer 4 allows you to include extra endpoints in the discovery document. http://docs.identityserver.io/en/latest/topics/discovery.html
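As an added example (not from the question or answer above), the three ways the ASP.NET Core JwtBearer handler can be pointed at an issuer's keys, including the home-grown IdP case; all URLs and audience values are placeholders.

```csharp
using System.Collections.Generic;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class JwtSetup
{
    // Case 1: the IdP implements OIDC discovery. With only Authority set, the handler requests
    // Authority + "/.well-known/openid-configuration", follows the document's "jwks_uri", caches
    // the keys (refreshing when a token arrives with an unknown "kid") and, unless ValidIssuer is
    // set explicitly, uses the document's "issuer" value as the only valid issuer.
    public static void WithDiscovery(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(o =>
            {
                o.Authority = "https://idp.example.test"; // placeholder issuer base URL
                o.Audience = "api://my-api";               // placeholder: rejects tokens minted for other APIs
                o.RequireHttpsMetadata = true;             // never fetch signing keys over plain HTTP
            });
    }

    // Case 2: a home-grown IdP that serves an OIDC-shaped configuration document at a non-standard
    // path. MetadataAddress replaces the derived URL; the document must still contain "issuer" and
    // "jwks_uri", and the JWKS must be a standard RFC 7517 key set.
    public static void WithCustomMetadataPath(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(o =>
            {
                o.MetadataAddress = "https://idp.example.test/internal/oidc-config.json"; // placeholder
                o.Audience = "api://my-api";
                o.RequireHttpsMetadata = true;
            });
    }

    // Case 3: no discovery at all. Keys are supplied out of band (e.g. loaded from a certificate store
    // at startup) and issuer/audience are pinned. Trade-off: key rotation at the IdP now needs a redeploy
    // or your own refresh logic, whereas cases 1 and 2 pick up new keys automatically.
    public static void WithStaticKeys(IServiceCollection services, IEnumerable<SecurityKey> issuerKeys)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(o => o.TokenValidationParameters = new TokenValidationParameters
            {
                ValidIssuer = "https://idp.example.test", // placeholder, must equal the token's "iss" claim
                ValidAudience = "api://my-api",
                IssuerSigningKeys = issuerKeys,
                ValidateIssuerSigningKey = true,
                ValidateLifetime = true
            });
    }
}
```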

AddDefaultTokenProviders: what is it and how to use those "default providers"?

I found this in my Startup.cs file in ConfigureServices in a default Visual Studio 2015 ASP.NET 5 project:
    services.AddIdentity<ApplicationUser, IdentityRole>()
        .AddEntityFrameworkStores<AuthorizationDbContext>()
        .AddDefaultTokenProviders();
What exactly does it do, and how do I use those "default providers"? Does it configure all token-based authentication for me? Where can I read more about it?
Despite their name, the token providers have nothing to do with token authentication: they are exclusively used to generate opaque tokens for account operations (like password reset or email change) and two-factor authentication.
There are currently 3 built-in providers:
DataProtectorTokenProvider: as the name suggests, it uses the data protection block (machine keys' equivalent in ASP.NET Core 1.0) to serialize encrypted tokens that can later be deserialized by the server.
EmailTokenProvider and PhoneNumberTokenProvider: these providers are derived from TotpSecurityStampBasedTokenProvider, which implements the Time-based One-time Password Algorithm (TOTP), a protocol designed to produce user-friendly and short tokens that can be sent in an SMS or in an email.
ASP.NET Core 1.0 doesn't offer native token authentication support (only token validation is supported: you can't produce your own tokens). You can read these SO posts for more information:
Simple JWT authentication in ASP.NET Core 1.0 Web API.
Web API Authentication in ASP.NET 5.
Configure the authorization server endpoint.
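An added example (not from the question or answer) showing the three providers in use and the one setting a practitioner usually changes, the data-protector token lifespan. It is written against the ASP.NET Core 2.x+ Identity API, so member names may differ slightly from the ASP.NET 5 betas the question refers to; AuthorizationDbContext is the context from the question.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public static class TokenProviderSetup
{
    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentity<IdentityUser, IdentityRole>(options =>
            {
                // Which provider backs which account operation. "Default" is the
                // DataProtectorTokenProvider (encrypted, self-contained, long tokens);
                // "Email" and "Phone" are the TOTP-derived providers (short numeric codes).
                options.Tokens.PasswordResetTokenProvider = TokenOptions.DefaultProvider;
                options.Tokens.EmailConfirmationTokenProvider = TokenOptions.DefaultProvider;
                options.Tokens.ChangePhoneNumberTokenProvider = TokenOptions.DefaultPhoneProvider;
            })
            .AddEntityFrameworkStores<AuthorizationDbContext>()
            .AddDefaultTokenProviders();

        // Data-protector tokens are valid for one day by default; a password-reset link
        // rarely needs that long, and a shorter window limits replay of a leaked e-mail.
        services.Configure<DataProtectionTokenProviderOptions>(o =>
            o.TokenLifespan = TimeSpan.FromHours(1));
    }

    // Password reset: the token is opaque to the client and bound to the user's security
    // stamp, so it stops validating if the password (and thus the stamp) changes first.
    public static async Task<IdentityResult> ResetPassword(
        UserManager<IdentityUser> users, IdentityUser user, string newPassword)
    {
        var token = await users.GeneratePasswordResetTokenAsync(user); // deliver by e-mail
        return await users.ResetPasswordAsync(user, token, newPassword);
    }

    // Two-factor code through the Email provider: generated and verified by the same
    // TOTP-based provider, so it is short-lived by construction rather than by lifespan setting.
    public static async Task<bool> RoundTripTwoFactorCode(
        UserManager<IdentityUser> users, IdentityUser user)
    {
        var code = await users.GenerateTwoFactorTokenAsync(user, TokenOptions.DefaultEmailProvider);
        return await users.VerifyTwoFactorTokenAsync(user, TokenOptions.DefaultEmailProvider, code);
    }
}
```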

How to implement SSO using SAML in the existing ASP.net application

I need to implement Single SignOn (SSO) in one of our ASP.net web applications for a client. I need to use one of the following protocols for this purpose.
WS-Fed
SAML
The identity provider(client's Domain) is Microsoft Azure Active Directory.
I have searched the internet but could not find any useful implementation.
Could you please share with me your findings if you have gone through this experience.
The easiest way is to use the Katana middleware. Add an OWIN Startup class to your project and add this to the Configuration method:
    var tenant = "yourdirectory.onmicrosoft.com";
    var directory = "https://login.microsoftonline.com";
    var metadataAddress = string.Format(
        "{0}/{1}/FederationMetadata/2007-06/FederationMetadata.xml",
        directory, tenant);
    // realm: the application's identifier (Wtrealm) as registered with Azure AD; placeholder value
    var realm = "https://yourapp.example/";
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
    app.UseCookieAuthentication(new CookieAuthenticationOptions());
    app.UseWsFederationAuthentication(
        new WsFederationAuthenticationOptions
        {
            Wtrealm = realm,
            MetadataAddress = metadataAddress
        });
You can find a complete working example on Github.
If you're after a commercial product, our ComponentSpace SAML v2.0 library enables your ASP.NET application to act as either the identity provider or service provider in SAML SSO. Simply reference our DLL and call our API to enable SAML SSO. More information including a free evaluation download may be found at http://www.componentspace.com.
If your ASP.NET application is the service provider (SP), then an option would be to leverage Windows Identity Foundation (WIF) libraries. Depending on the version of .NET your ASP.NET web application is using there are some slight differences in how the tags are added to the web.config. For .NET 4.5, you will bring in System.IdentityModel and then configure WS-Federation via the <system.identityModel> configuration, as well as you will need to set up the <system.identityModel.services> configuration with the <wsfederation> passive redirect. The configuration requires you to set up the issuer as the Microsoft Azure IdP. The WIF libraries handle all the communication and protocol with the IdP, such that the attributes of the embedded SAML v1.1 token as returned via WS-Federation are available to your application via the ClaimsIdentity object.

Does ASP.Net MVC6 support OAuth 2 bearer tokens?

I am developing an application using ASP.Net MVC6 and I would like to implement OAuth 2 auth using bearer tokens. I can't find any solid information on whether or not this is possible. Would anyone be able to point me in the right direction?
TL;DR: the official packages developed by Microsoft for ASP.NET Core only support OAuth2 bearer token validation.
This means that...
... you'll be able to authenticate your users using bearer tokens issued by an external identity provider (like Azure Active Directory) with the Microsoft.AspNetCore.Authentication.JwtBearer package:
    // certificate: an X509Certificate2 holding the issuer's public signing key, loaded elsewhere
    app.UseJwtBearerAuthentication(new JwtBearerOptions
    {
        AutomaticAuthentication = true,
        Audience = "http://localhost:50000/",
        // Authority is only useful if your JWT tokens
        // are issued by an OpenID Connect server.
        Authority = "[OpenID Connect provider address]",
        // If you don't use an OpenID Connect server, you have to manually update the
        // token validation parameters with the issuer's signing key.
        TokenValidationParameters = new TokenValidationParameters
        {
            IssuerSigningKey = new X509SecurityKey(certificate)
        }
    });
That said, only JWT tokens are now supported OTB: the OAuth2 bearer middleware shipped with Katana 3 used to natively support opaque tokens produced by the OAuth2 authorization server, but this support has been removed.
... you won't be able to produce your own tokens anymore. The OAuth2 authorization server has been removed and won't be ported to ASP.NET Core: OAuth Authorization Service in ASP.NET Core.
Luckily, alternatives exist. I'm personally developing an OpenID Connect server middleware based on the OAuth2 server shipped with Katana, that offers the same low-level experience: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server
For more information, you can take a look at this SO answer: Configure the authorization server endpoint