You might heard about shibboleth and their great solutions as for Identity Provider (https://shibboleth.net/products/identity-provider.html) so is for Service Provider (e.g. nginx https://github.com/nginx-shib/nginx-http-shibboleth).
It's known that Google offers its own SAML2 IDP and we want to use it:
nginx needs to know what user from google is in order to proceed with website. Was possible to do that on that tier with shibboleth, but I have quite hard times finding solutions with Google.
Anybody has some ideas? Thank you!
Have you seen this project on github?
Looks like it is a SAML Auth provider for Google Apps.
Related
I'm very new to the identity management world, so please spare me. :)
What I would like to do, is to have multiple client (MVC) applications that talk to a single Web API application to authenticate their users against. In that Web API application, I would like to use ASP.NET Identity to talk to a database with users.
That way, I could use SSO for the client applications (I guess).
Does that make sense? Could someone help me on my way to implement this (links are also welcome of course)?
I don't know if IdentityServer could help me with what I want?
And as a side question: when I could implement this the way I would like to, how do I deal with the same-origin policy?
Thank you for all the help. :)
I did some research myself during the last few months and I learnt a lot about the identity management stuff. Many of that also thanks to the guys from IdentityServer (and their other projects).
What I finally did was the following (very briefly):
IdentityServer is used as a provider for all client applications. The cookie and OIDC middleware are used.
I used the ASP.NET Identity user service to store the users in an SQL Server database. (The IdentityServer configuration is by the way also stored in a database.)
I set up a Web API service that uses the ASP.NET Identity user manager for user configuration (change password, create new users, ...). It uses bearer authentication with the application with IdentityServer as provider.
As a side note, IdentityManager is used as an internal admin tool to manage all the users.
If anyone is looking for some help setting up his / her identity management system (and thinks I can help): please ask. ;)
Many articles on active profile e.g. Federated Security: How to setup and call a WCF service secured by ADFS 2.0. But that article assumes you want to use AD?
I'm guessing you want to use ASP.NET Identity for the provisioning?
IdentityServer OOTB supports a SQL DB and has basic user provisioning built in. It allows users to authenticate against the DB and supports WIF.
This scenario is also close to what you need, take a look at the answers:
How to implement an OWIN Authentication server with a MVC Web Api content server and an Android end-user apk
I also recommend reading this article:
Decouple OWIN Authorization Server from Resource Server
I've been looking around for information on this for a little while and keep seeing what appears to be how to set up a OAuth2 server in ASP.NET.
What I want is like the "app.UseMicrosoftAccountAuthentication" where I can use an external login service but that service is standard OAuth2 and not one of the built in providers. I'm not finding a lot of documentation on that subject and would like it if someone could point me in the right direction!
There isn't really such a thing as a standard oauth2 provider when you are looking for authentication. See http://www.cloudidentity.com/blog/2013/01/02/oauth-2-0-and-sign-in-4/ for a discussion about it.
Which providers were you looking to support?
I have been tasked to implement a SSO process for one our internet sites. I have been reading as much as I can to fully understand SSO and SAML so here goes:
I need to forward to a 3rd party's Service Provider (SP-3rd_party) the credentials a user used to login to our site (SP1). Then SP-3rd_party will authenticate those credentials against their own Identity Provider. Then that 3rd party IdP will redirect back to our service with either success or failure.
Our sites are all written in .NET 4.5. It seems that we as SP1 should just authenticate against their IdP and not go thru their Service Provider (SP-3rd_party). Does that make sense? I feel we are making an additional hop that shouldn't be needed but I am fairly new to all this. If anyone can provide guidance that would be great. Thank you!
This use case is commonly referred to as Service Provider Initiated SSO (SP-Init SSO) in SAML 2.0 and is fairly common. You can find a number of resources that outline the flow a little more succinctly -
http://documentation.pingidentity.com/display/PF70/SP-Initiated+SSO--Redirect-POST#SP-InitiatedSSO--Redirect-POST-1070862
https://developers.google.com/google-apps/sso/saml_reference_implementation
Also, see Section 4.1.2 of the SAML 2.0 Tech Overview document - https://www.oasis-open.org/committees/download.php/11511/sstc-saml-tech-overview-2.0-draft-03.pdf
HTH -
Ian
I will soon need to add SSO to an ASP.NET app using SAML. The client will not provide access to their Shibboleth identity provider for testing, so I'll need to verify that SSO works myself.
What would be the easiest method to use/setup a SAML identity provider for testing? I'm not keen on having to setup an infrastructure myself if I don't have to.
I'm planning on using a SAML component from http://www.componentspace.com/
If you are a SaaS Provider - Check out "Getting Ping Certified"
http://www.pingidentity.com/partners/becomeapartner.cfm
All your suggestions look quite helpful.
For others who may find this page, the ComponentSpace SAML 2.0 component comes with an Identity Provider that appears to mimic Shibboleth. This appears to be the easiest way to test adding SSO to your own application.
Does anyone know of an ASP.NET guide to implementing OpenID and what information can be returned by the OpenID provider? I understand you can get the email address but if someone logs in with their Google OpenID can you get access to their addresses?
Yes, OpenID Providers can and often do offer 'claims' or 'attributes' about the people logging in if the OpenID relying party requests them and the user consents to these data being shared.
If you use DotNetOpenAuth for your ASP.NET OpenID library, it has built-in support for several ways of getting these attributes but keeps it simple on your side to get at them regardless of which way the Provider offers them. If you download the library it comes with a sample of how to do this.
As far as work address, and some other attributes specific to certain domains (domains of data--not Internet domains) very few Providers offer them. The best you can do is get "full address" and ask the user if that's the one they want to use.
This should help: http://www.eggheadcafe.com/tutorials/aspnet/4b3c7c9b-fe80-4e6e-a34e-0e9efed5c575/integrate-openid-authenti.aspx
Or a "simpler" one: http://madskristensen.net/post/OpenID-implementation-in-Csharp-and-ASPNET.aspx
Document describes how to implement Google login into your web application
and Third-party web sites and let you aware how OpenID authentication works.
Here is the step-by-step process to implement OpenID on your ASP.NET application using DotNetOpenOAuth libraray.
Tutorial demonstrates how to add OpenID support to an existing site that already has traditional membership without breaking anything in AspDotNetMVC.
I just blogged about this here. this shows how you can get extra information from these providers
http://blogs.msdn.com/b/webdev/archive/2012/08/22/extra-information-from-oauth-openid-provider.aspx