I oddly do not find any documentation around how to setup ASP.NET CORE with ADFS 3.0, but enough about other providers. How can I set this up in ASP.NET CORE, as my company only uses ADFS 3.0 as SSO solution.
I've seen a (paid) solution called Auth0, but I first want to try without any 3rd party paid options.
Related
I have a traditional ASP.NET 3.5 Web Forms application. As of now it is using On-Premise ADFS which is working fine. Now we have a requirement to change on-premise ADFS to Azure ADFS.
In the web.config, I have changed the required URL to point to Azure ADFS but it is not working. I checked Stackoverflow and Googled around but I found examples related to ASP.NET MVC and ASP.NET Core where changes are required in Startup.cs file.
I want to know what all changes are required in my traditional Web Forms application. Any example link would help.
You should be able to get it working by using the Azure AD parameters rather than the ADFS ones e.g. metadata. What protocol are you using?
There are some ADFS samples. Look at the LHS under ADAL and MSAL. These generally start with an Azure AD sample and show how to convert to ADFS. So you can then work "backwards".
Update
I had a look at that code. It looks like OIDC? "Redirect_Uri" is not a WS-Fed parameter.
There is a WS-Fed sample here.
I am a bit confused as to why there is no Individual User Accounts authentication option in the latest ASP.NET Core Web API template.
Is it still possible to implement individual user accounts the way that the MVC template does or would it not make sense?
Let's say I am creating a stand-alone web API that is going to have all of my business logic and data layer that accesses the database which has the AspNet Identity tables. I plan on making calls to this API w/ an MVC app.
I know one way of doing this is to create an asp.net MVC app w/ individual user accounts auth and simply build the API right within the MVC app using a controllers/api folder. However, I don't want to do it this way because I want the API to be its own standalone project that can be hosted on a completely different server and accessed by multiple applications, not just an MVC app.
Can someone lead me in the right direction on how authentication typically works in this scenario since there is no template?
Individual User Accounts authentication option for the ASP.NET Core Web API is available in .NET Core 2.0 Preview 1.
Unfortunately .NET Core 2.0 Preview 1 isn't available in VS 2017 release.
But you can install Visual Studio 2017 Preview (you can use it side-by-side with VS 2017 stable version) :
I think you can use IdentityServer4 which allows implementing single sign-on and access control for ASP .NET Core Web APIs using protocols like OpenID Connect and OAuth2. It offers integration with ASP.NET Core Identity and Entity Framework Core.
You will need to install to the following nuget package:
Install-Package IdentityServer4
and add the IdentityServer middleware to the HTTP pipeline:
app.UseIdentityServer();
You can find several quick start samples here or follow this article.
I understand ADFS 3.0 has removed the need for IIS and that it's run directly out of HTTP.SYS now.
So does this mean it's not even possible to add IIS back so one could implement a custom FormsAuth (web forms) type integration as you used to be able to do under ADFS 2.0?
Or is it all Shibboleth these days?
Edit: We've been able to successfully deploy our own custom authentication provider in ADFS 3.0 (adjacent to Active Directory) and use it to SSO into Office 365 so this is no longer required. See Implementing Office 365 single sign-on using custom authentication/claims provider in ADFS 3.0 (RE: AADSTS90019)
You can as long as the SSL bindings and routing for anything under /adfs, /federationmetadata remains the same. We've seen cases where this has not happened and resulted in the most painful of troubleshooting.
Thanks //Sam
If you mean can you install IIS on Server 2012 R2 to run apps., yes you can.
If you mean can you customise ADFS aspx pages as you used to be able to do, the answer is no but you can do some stuff with Javascript.
There seems to be plenty of examples of how to migrate from 3.5 to 4.5 but I'm struggling with a particular scenario.
I have several existing asp.net sites that are using WIF 3.5 to implement federated identity with an adfs 2.0 server.
Single sign in, and passive single sign out (wscleanup1.0) is all working fine.
No we are developing a new asp.net site and seeing as it's a new project we thought we should use WIF 4.5.
Single sign in is still working fine across all these apps. It doesn't matter which one you sign into first all of the others recognise the token and can read the claims.
We are, however, seeing an issue with single sign out.
If I initiate the signout from the site using WIF 4.5 everything works as expected. You're signed out of every app you have used during that session.
If, however, I initiate the signout from one of the sites using WIF 3.5 all of the sites using WIF 3.5 sign out as expected but the site using WIF 4.5 remains logged in.
Is this something that should be possible or are there incompatibilities between the versions which means it will never work?
I read here that the format of the cookie had changed but that's a year old now so I was looking for a more current answer.
Unable to decrypt claims cookie from .NET 4.5 to .NET 3.5
I am developing a single sign on ASP.NET application, and I am trying to decide whether to make use of the WIF SAML 2.0 CTP or instead use ADFS 2.0. I have read several places that the WIF SAML 2.0 CTP enables identity provider initiated SSO, but I can't find any examples or tutorials anywhere. Does anyone know a good resource for becoming familiar with the methods of doing this using WIF CTP?
The SAML2 CTP is pre-release and I am really sceptical that this will ever RTM. So I wouldn't use it.
So you want SSO from your ASP.NET application to a SAML IdP?
It sounds like you've figured out that you can either go direct to the SAML IdP by adding a SAML stack to your application or by going WS-Fed to ADFS and then SAML to the IdP.
As mentioned the SAML CTP has been in CTP for ages and there is little documentation.
Have a look at the OpenSSO Fedlet.
However, you will probably find the ADFS option both quicker and easier.