We implement a web application and host in Azure. Then we want to use the SSO feature which is supported by Microsoft Azure ACS. The Condition to view our Website is that users just need to provide the email address throughout login to IdP. When we implement and configure Web application, we do follow all the instructions on the website as below
http://blog.2mas.xyz/configuring-windows-azure-active-directory-access-control/
For now, we can configure and use Window LiveID, Azure AD to login into our Website.
We have a further requirement that our site should support to login SSO from custom IdP which supports SAML 2.0 such as Okta.
Our current issues: When import the SAML 2.0 XML file to ACS, it does not understand this XML file
Please give us some suggestion to use Azure ACS and okta in this situation?
You might find the following helpful: https://www.okta.com/identity-101/integrating-sso-for-azure-ad
Related
I have a traditional ASP.NET 3.5 Web Forms application. As of now it is using On-Premise ADFS which is working fine. Now we have a requirement to change on-premise ADFS to Azure ADFS.
In the web.config, I have changed the required URL to point to Azure ADFS but it is not working. I checked Stackoverflow and Googled around but I found examples related to ASP.NET MVC and ASP.NET Core where changes are required in Startup.cs file.
I want to know what all changes are required in my traditional Web Forms application. Any example link would help.
You should be able to get it working by using the Azure AD parameters rather than the ADFS ones e.g. metadata. What protocol are you using?
There are some ADFS samples. Look at the LHS under ADAL and MSAL. These generally start with an Azure AD sample and show how to convert to ADFS. So you can then work "backwards".
Update
I had a look at that code. It looks like OIDC? "Redirect_Uri" is not a WS-Fed parameter.
There is a WS-Fed sample here.
I already have more than 10 applications developed using ASP.NET. There are different versions for frameworks 2.0, 3.5 and 4. Currently I need to apply single sign on on all of my applications using Windows Azure Active Directory SSO. But I do not know what the code or library should be added to my application to be configured with the Azure SSO. Do I need to re-develop my application or recreate it with different versions? Does anyone know what I should do?
Different .NET frameworks should not be a problem. You should be able to implement SSO for all of these applications, but you will need to add it individually to each one. You will need to add it in the code of the application itself and then register each application to your tenant.
Here is a very good tutorial that shows you step by step how to add SSO to a published web application in Azure using OpenID Connect. You can follow the steps exactly and build their demo version to test it out, or follow their steps at the bottom that show how to implement SSO in your own application.
https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect
Here is the official Microsoft documentation, which also describes how to implement SSO: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps
Alternatively, if you want to use a library that is already integrated with Visual Studio, you can go to Project > Add Connected Service > Authentication with Azure Active Directory.
The "SSO" in this case refers to SAML. To do SAML in C#, look into Windows Identity Foundation (WIF), which includes some SAML support.
Note that doing SAML SSO involves more than just dropping in the right kind of username/password field. You need to have additional special pages to handle certain redirects, and have a way to store exchange saml metadata with your Azure AD identity provider. It can be painful.
I need a way to authenticate users to a DNN site from an external desktop application, in my case a OS X MAC Application.
The Desktop app needs access to Web API service methods on the DNN Site. I think the JSON Web Token (JWT) would work for this, however, we are using DNN 7 and are unable to upgrade at this time. Is there another option to authenticate from outside of the framework? There does not appear to be a DNN API call to even check if a username and password are valid, as everything is strongly tied into .NET Identity. Is there a way to do this?
I want users to login to DNN directly from within a desktop app on MAC.
You could use basic auth with SSL. Here is an answer I gave on how to implement by authorizing web services with basic auth restricted by role.
Basic auth in DNN Web API service
Good evening, I want to create a RESTful API with ASP.NET Web API 2 and host it in Windows Azure. For this API I will need to have registered users and I want them to register via Facebook or Twitter. The question is, which would be the easiest way to have OAUTH2 integrated with the API in Azure? I saw that it has the ASP.NET Identity integrated with it but I don't know how nicely it works in azure, are there any other options?
Thanks in advance!
Your best bet is to leverage Access Control Services (ACS) and OAuth2. This article has a great description of how to set it up: http://www.developerfusion.com/article/147914/protecting-your-aspnet-web-api-using-oauth2-and-the-windows-azure-access-control-service/
I'm working on a project using ASP.Net MVC5 which also includes a Web API. The API will be for internal use only. I'm using the OWIN library to provider authentication.
I'm having a difficult time figuring out how to correctly implement authentication through the API. I was planning on using OAuth 2.0 but the problem with OAuth is that the user needs to login through a browser page instead of a native login screen. So I was wondering if it is possible to somehow skip the browser.
I've found this example which creates it's own OAuth Authorization Server. But it doesn't show how to make the login native.
If it's a highly trusted client, then you can use the OAuth2 resource owner password flow. You can look at the VS2013 SPA template and/or read on this post:
http://leastprivilege.com/2013/11/13/embedding-a-simple-usernamepassword-authorization-server-in-web-api-v2/
You could use Thinktecture.IdentityServer v2 as a light-weight security token service.
https://github.com/thinktecture/Thinktecture.IdentityServer.v2
You will need to create a WOPI host, which is basically a software solution that can take advantage of the browser-based Office(office web).
Create a custom WOPI host and configure it to use Office Web Apps Server to provide the browser-based file viewing and editing for Office files.
Nice sample on Microsoft MSDN