ADFS SSO integration - aspx exceptions - asp.net

We have implemented SSO on our web app and it's working fine. Users are redirected to the ADFS login before accessing our app, and we accept the ADFS token and authenticate accordingly. We're happy.
The question is: for some of the aspx pages we don't require authentication. Is there a place to list those exceptions in the web.config (or elsewhere)?

Yes - you can use the location tag with allow / deny.
Refer: Setting authorization rules for a particular page or folder in web.config.

Related

Forms authentication and Federation Authentication(Single Sign On + ADFS 2.0 + SAML) in Same ASP.NET Website

We have one web site which is developed in ASP.NET with a VB code base, and it has normal forms authentication with username and password.
One of our clients wants to set up Single Sign On with our web site. They set up ADFS and gave us the metadata XML file; we have created an STS reference to that URL and shared our website metadata for them to add a Relying Party Trust.
When I access our website it redirects to the customer page, and once they enter the login credentials it comes back with the claims, which is good.
Problem:
1) Now whoever accesses our website is automatically redirected to the client ADFS login page, which should not happen. Users should be prompted with our login page and it shouldn't automatically redirect to the client ADFS. If the user wants to use SSO then it should be redirected to the client page. How to handle that programmatically?
2) If one more client also wants to use SSO with their IdP, then how to configure more than one IdP for one web site?
Thanks.
WIF or OWIN?
WIF by default protects all pages.
You could un-protect your login page (location tag) and then, if SSO, redirect to a dummy protected page which will cause WIF to kick in.
Beware: for older apps, WIF and FBA in the same app can cause problems.
The classic way to handle 2) is to federate the two ADFS. Then a user will see a Home Realm Discovery screen and gets to choose which IDP.

How to allow anonymous access to a single folder on an ADFS managed site

ASP.NET site deployed to IIS7; the site is protected by ADFS. I have the need to allow anonymous access to a single folder on the site. How can I do this?
As usual.
If this is a WebForms application, you create a local web.config and add an authorization section configured for anonymous access.
If this is an MVC app, you put AllowAnonymous on your controller.
The WS-Federation Authentication module shouldn't redirect to ADFS.
Btw, the site is not "protected by ADFS". ADFS is just an external authentication source, the Security Token Service in WS-Fed terms. The site is most probably protected by the WSFederationAuthenticationModule, which is commonly used for initiating the WS-Fed handshake and consuming SAML tokens.
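One root web.config that covers both the opening question (listing page exceptions) and the folder case in this answer, as an added example that is not from any of the posts; the page and folder names are assumed:

```xml
<?xml version="1.0"?>
<!-- Added example, not from the original posts. Root web.config of a WebForms
     site that uses WIF's WSFederationAuthenticationModule with ADFS.
     Page and folder names below are assumed. -->
<configuration>
  <system.web>
    <!-- Site-wide default: anonymous users ("?") get a 401 from
         UrlAuthorizationModule, and it is that 401 which the WS-Federation
         module turns into the redirect to ADFS. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Exception for a single page. Location rules are merged in front of the
       parent rules and the first match wins, so this allow beats the deny
       above and no 401 (hence no ADFS redirect) is produced. -->
  <location path="Public/Status.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Exception for a whole folder. This is equivalent to dropping a
       web.config containing only the <authorization> section into Help\. -->
  <location path="Help">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Under the IIS 7 integrated pipeline these rules only govern requests that reach ASP.NET's managed modules (add runAllManagedModulesForAllRequests="true" to the modules element if static files in a protected folder must also be covered); otherwise IIS's own authorization decides for them.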

How to fallback authentication from ADFS to form-based

We have an ASP.NET application using Forms authentication (ASP.NET Membership). Now we want to make it a claims-aware ASP.NET application in the scenario below:
ADFS acts as an IP-STS for intranet (AD) users.
If the AD user is not mapped to an ASP.NET Membership user, or the mapped ASP.NET Membership user does not have permission to access the application --> fall back to forms authentication (an external IP-STS).
If the end user accesses the application from outside the domain, we don't want ADFS to prompt for Windows credentials. We would like to redirect the end user to our external IP-STS using forms authentication.
Is this scenario achievable? Or is there any other possible solution? And how should I set up/configure my application?
Thanks
The classic solution to this problem is to have two ADFS with a split DNS.
Internal users redirect to an ADFS in the Intranet configured for WIA.
External users redirect to an ADFS in the DMZ configured for FBA.
For your second point, it is not clear if this is an internal or external user.
If external (i.e. FBA), then you can modify the Forms login page, access AD yourself and redirect appropriately.

ASP.NET Form Authentication + NTLM + LDAP

I'm trying to add LDAP support to an existing ASP.NET website that uses Forms Authentication. This is not a big problem: I just build a simple login dialog (ordinary HTTP POST), query the LDAP directory and log the user in via a Forms Authentication ticket.
It would be extremely nice to automatically get the user's credentials via NTLM (Integrated Windows Authentication) without the need for a login dialog (like what you get when using ASP.NET Windows Authentication with computers in the same Active Directory). Is there an easy way to do this (keep in mind, I can't use Windows Authentication for my ASP.NET app and the server is not in an Active Directory domain; I need to be able to query the LDAP directory manually)? Or would I have to manually do all the LDAP handshaking / challenge/response thingy?
Thanks for your help,
~ saxx
I do just this on my intranet here. These are the steps I use...
Create a login page (login.aspx seems good) and set the web app up for forms authentication. Set authorisation to deny anonymous. This means any attempt to use your app will cause the user to be redirected to your login page if they don't have an auth ticket.
Now the important step. In IIS, set the app to allow anonymous only. On your login page change this to only be Windows Integrated. Now what happens is when the user is bounced to your login page, IIS forces an NTLM authentication. We now have the user's name in the headers.
Second important step: in the page_load method add:
FormsAuthentication.RedirectFromLoginPage(Request.ServerVariables["Logon_user"], false);
What this does is take the username IIS will always give us and put it into a forms auth ticket.
There's of course a certain amount of tidying up you may want to do, perhaps adding a logout feature, or stripping the domain name off the username.
Simon
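The same setup expressed as web.config rather than IIS Manager clicks, as an added example that is not part of Simon's answer; it assumes the IIS 7 integrated pipeline, a login page named login.aspx, and that the web server can actually validate the Windows credentials the browser sends (it is domain-joined, or the accounts are local):

```xml
<?xml version="1.0"?>
<!-- Added example, not from the original answer. Assumes IIS 7 integrated
     pipeline; login.aspx is the assumed login page name. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Users without a ticket are sent here; page_load issues the ticket. -->
      <forms loginUrl="login.aspx" timeout="30" requireSSL="true" />
    </authentication>
    <!-- Deny anonymous everywhere so every ticket-less request hits loginUrl. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- The site as a whole stays anonymous in IIS, so the forms redirect works. -->
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
        <windowsAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>

  <!-- login.aspx only: anonymous off, Windows auth on. IIS challenges the
       browser (NTLM) and exposes the outcome as the LOGON_USER server
       variable, which the page_load call above copies into the forms ticket. -->
  <location path="login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />   <!-- anonymous must reach the login page itself -->
      </authorization>
    </system.web>
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true">
            <providers>
              <clear />
              <add value="NTLM" />
            </providers>
          </windowsAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
```

IIS 7 locks the system.webServer authentication sections at server level by default, so either unlock them first (appcmd unlock config /section:system.webServer/security/authentication/windowsAuthentication, and likewise for anonymousAuthentication) or make the same per-page change in IIS Manager as the answer describes; a request for login.aspx that never produces a 401 means the lock is still in place.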

ASP.NET - Detect if user is authenticated with Active Directory?

We have an SSO solution with ADFS for logging into our web app; we also have a standard setup that uses authentication with our database. I want to set up a solution that allows for both. So now I am trying to figure out: is there any way for ASP.NET to detect if a user is authenticated with Active Directory so I could do this on the fly? If the user is logged in through AD, send them through ADFS; else, show the login screen. Any idea?
I also realize that this may not work if they are set up to use forms based authentication only after the ADFS process is started.
Yes... In IIS, enable integrated authentication, basic, and anonymous. All the real work is done in HttpModules that are registered in the root Web.config (e.g. in the runtime CONFIG folder). The built-in Authentication HttpModule will set the user Principal once authenticated, if authenticated via integrated credentials. You can add your own to be fired after it. If the IIdentity (e.g. User.Identity) has IsAuthenticated set to false then you know they were not authenticated and can then redirect them. If it is set to true, you can then replace the IPrincipal with one that contains roles that are germane to your application.