How to get all users of a group in ADFS claim - adfs

How to get all users of a group in an ADFS claim: what are the configuration steps in ADFS, and how do I get all users of a group?

Related

A single user can login to multiple tenants with one email id

I am using the ASPNETZERO multi-tenancy solution and I want to achieve the following in it.
My need is that one user shares all details among all tenants.
Let's say there is user1 registered in Tenant1 with email id, password and all fields.
Now what I want is that this User1 can log in to any tenant using the same login details; I mean user1 can log in to tenant2, tenant3 etc., but without registering again and with the same login details.
Also the user can edit details in any tenant and that needs to be updated in all tenants.
Here is what I have planned:
I am planning to put multiple entries of the same user with different tenant ids in the default User tables. I mean, when user1 registers in tenant1 then I will copy all details of that user to all tenants. So I will create the same user entry with tenant2 id, tenant3 id and so on.
I got it working by editing the user-service file.
Thanks
To allow a user to log in to multiple tenants, the following approach can be used:
The user details should be generic and not under a tenant.
After adding the user, you assign the user roles for every tenant.
When the user logs in, the data is validated and then the user is given a page to choose the tenant he wants to work in,
(OR) the user can provide the tenant name during login so that you can directly validate the user and allow use of the application.
Tenant-level access will be based on the tenant and roles: if I have access to Tenant1, it means that I have a role for Tenant1, and if I pass Tenant2 to access, the system does not find any roles associated with my user for Tenant2, denying access (401).

How to configure ADFS to send multiple roles for user

I would like to know if there is a way to configure Microsoft ADFS to assign more than one role to a user. Can I get the corresponding SAMLResponse XML for this?
There are a number of ADFS claims rules of the form "Token-Groups as xxx".
Map one of these to Role, depending on what you want.
ADFS will then send all the security groups that the user is a memberOf as Role claims.

ASP.net Identity and multi tenant multi user application

I am trying to learn ASP.net MVC.
I have successfully implemented the basic authentication and authorisation.
My application is multi-tenant (one DB, one schema) and multi-user.
Each user can be added to any tenant by the admin.
A user is given a list of tenants he can use upon logging in.
Then the user clicks on one tenant and enters that tenant's application data, where he can update, create etc. (invoices, for example).
I am using cookie authentication. Should I be adding each tenant the user is authorized to use as a claim, or check on the server side for authorisation when the user switches between tenants?
Using a cookie claim will save DB queries if I have the tenant list for the user as a claim. But a cookie has a 4k limit; what if a user can access thousands of tenants, such as an admin?
You can save the user-tenant relation in a table, and put the row id in the cookie, so you can check that row when the user is logged in.

How to get user groups from on-premise ADFS claims

I have followed this article to build a demo app with on-premise ADFS federation:
http://www.cloudidentity.com/blog/2014/02/12/use-the-on-premises-organizational-authentication-option-adfs-with-asp-net-in-visual-studio-2013/
I am able to get the needed information for the user using simple code:
Dim UserEmail = System.Security.Claims.ClaimsPrincipal.Current.FindFirst(System.IdentityModel.Claims.ClaimTypes.Email).Value
But how can I get the user groups the username belongs to, and check if the user account is a member of a Windows group in Active Directory?
I have tried to use System.Security.Claims.ClaimsPrincipal.Current.IsInRole to check if the user is in a group, but it doesn't work.
In the ADFS claims rules, you need to configure a "Send LDAP Attributes as Claims" rule, pick "Token-Groups - Unqualified Names" as the LDAP attribute and map it to "Role" as the "Outgoing Claim Type".
ADFS then provides all the security groups the user is a memberOf as Role claims, and WIF maps them to the IsInRole construct.
This is enough:
ClaimsPrincipal.Current.AddIdentity(new ClaimsIdentity());
ViewBag.Name = ClaimsPrincipal.Current.FindFirst(ClaimTypes.Email).Value;
:)
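What the token looks like once a Token-Groups rule is mapped to Role, and why IsInRole only works for that claim type: the answers above say ADFS emits one Role claim per group, and WIF's IsInRole matches against that claim type. The following is an added example, not code from any of the posts; the SAML assertion is constructed (signature omitted, placeholder issuer) and the small parser mirrors how a relying party reads the AttributeStatement and answers an IsInRole check.

```python
"""Parse the Role claims ADFS emits for group membership and mimic IsInRole (added example)."""
import xml.etree.ElementTree as ET

# Claim-type URIs used by ADFS / WIF for Role and e-mail.
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real ADFS): one Role claim per group,
# which is what a "Token-Groups - Unqualified Names" -> Role rule produces.
ASSERTION_ROLE_RULE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed" Version="2.0">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>user1@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
      <saml:AttributeValue>Finance</saml:AttributeValue>
      <saml:AttributeValue>App-Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same groups, but the rule's outgoing claim type was left as a custom "groups" URI (constructed).
ASSERTION_CUSTOM_TYPE = ASSERTION_ROLE_RULE.replace(ROLE_CLAIM, "http://example.test/claims/groups")


def parse_claims(assertion_xml: str) -> dict:
    """Return {claim_type: [values]}; every AttributeValue becomes its own claim value."""
    root = ET.fromstring(assertion_xml)
    claims: dict = {}
    for attr in root.findall("./saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims


def is_in_role(claims: dict, role: str) -> bool:
    """Mirror of ClaimsPrincipal.IsInRole: true only for a claim of the Role type with that value."""
    return role in claims.get(ROLE_CLAIM, [])


if __name__ == "__main__":
    ok = parse_claims(ASSERTION_ROLE_RULE)
    print("Role claims:", ok[ROLE_CLAIM])                 # three groups, one claim each
    print("Finance via Role rule:", is_in_role(ok, "Finance"))
    bad = parse_claims(ASSERTION_CUSTOM_TYPE)
    print("Finance via custom type:", is_in_role(bad, "Finance"))  # False: wrong claim type
```

The second assertion is the failure mode from the question: the groups are present in the token but under a claim type IsInRole does not consult, so the check fails until the rule's outgoing type is Role.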

Revoke claims/token from AD, via ADFS to RP

We have a website, which our users access by getting an STS from ADFS. ADFS issues claims by checking the user's groups memberships in Active Directory. The website uses WIF to access claims and handle authentication.
Is there a way, when a user's AD data changes (e.g. they have all their group memberships removed), to have those changes reflected immediately (same session, at least from the user's PoV) in their claims for the RP? Currently, if we revoke membership in AD, that user's claims for the RP (in their current session) aren't affected. They have the same claims, and access, that they had before the revocation, until the user's ADFS session expires (which could be hours away).
e.g. user U1 logs in to our website W1 via ADFS, browses round a bit, and then has his memberships cancelled in AD. We need U1 to be logged out of W1 automatically within a short time period (minutes). If not logged out, having their claimset in WIF reset to reflect their now-empty AD group memberships would also be acceptable.
Is this possible? All the documentation I can find seems to assume that the website itself (W1) knows when the user should have their session terminated - in our case W1 doesn't know, the "trigger" for session expiry (or at least claims amendment) will be from AD.
Out of the box - no.
Claims aren't dynamic - they are only created at logon.
The only way I can think of is for your app to poll AD every now and then and, if the membership is removed, do an application logout "under the hood".
The next time the user tries to do something, WIF will see that they don't have a session and will go to ADFS to log in; ADFS will see that they are still logged in and access will be granted automatically, i.e. the whole process will be transparent.
Because the user was logged in again, the claims will be updated and the membership will no longer be a claim.