Our legacy applications store user account information in a database. I can't seem to find clear information as to whether AD FS 3.0 supports authentication against both Active Directory as well as SQL Server.
To be clear about my question:
How can AD FS 3.0 be used to provide federated authentication for users stored in both SQL Server (if at all) as well as Active Directory?
TIA
In short, it can't.
ADFS 3.0 and below can only authenticate against AD. It can, however, use a SQL Server DB for authorization i.e. it can query the DB for attributes that it uses to build up claims.
Have a look at Identity Server which authenticates against SQL Server. You can federate this with ADFS.
ADFS 4.0 (Server 2016) will be able to do this i.e. AD / LDAP for authentication.
Related
Hey I have given a task to setup shibboleth to authenticate my web application ( .net core application (SP) ) using saml 2.0 with azure ad. My web application will act as SP and will manipulate the claims/attributes returned from IDP which is azure ad in my case. I have made a research but could not find any relevant documentation or implementation example of configuring shibboleth as a SP for saml authentication using azure ad as (IDP). Can we setup shibboleth to support saml 2.0 with azure ad? Also I am wondering after successful authentication how claims/attributes will pass from shibboleth to my application so that I can further use them for processing?
Please check if this blog> Azure AD SAML federation using Shibboleth SP | by Rohan Islam | Medium can be worked around in your case.
Configure the SAML SSO in azure ad portal for the application by selecting Single sign on and Copy the identities to use later.
Try to do Shibboleth SP configuration by updating shibboleth2.xml file under /etc/shibboleth directory.
Update the applications’s entity ID , session lifetime configuration .Also change sso entity ID with the azure AD generated
entity ID.
Generate SP Metadata by accessing the metatdata url and by making the required changes .This SP metadata xml file is to be uploaded in
sso page of azure ad under mange identity section.
All the mapped attributes will be stored in the session so that you can access them in your application.
SP makes attribute and other session information available to applications is by "exporting" the data to a set of environment variables or HTTP request headers using HTTP_ PREFIX
References:
NativeSPAttributeAccess (atlassian.net)
How to read attributes? - Stack Overflow or NativeSPAddAttribute - Shibboleth 2 - Confluence (atlassian.net)
c# - asp.net MVC authentication with Shibboleth - Stack Overflow
Have .Net Core 2.2 MVC application and integrated with Azure AD for userAzure AD. User authentication and sign out is working as expected.
But if we copy the cookies AspNetCore.AzureADCookie, .AspNetCore.AzureADCookieC1, .AspNetCore.AzureADCookieC2 from the authenticated browser session using the EditThisCookie extension and logout then if we import again those copied cookies back into browsers and we are able to access the application. Application trusting the application and login automatically.
I'm using NuGet Microsoft.AspNetCore.Authentication.AzureAD.UI NuGet package
Is this behavior expected?
This depends on the permissions and authentication configurations that you have set for the users within your Azure AD tenant and within the application. If the users are members of your Azure AD tenant or of your application and you've set up SSO using an MSAL library like OpenID Connect, then their credentials might be stored and they can log in by default.
Are you trying to say that you do not want your users to be able to one-click SSO with their pre-authenticated credentials?
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-authentication-for-federated-users-portal?view=azurermps-5.7.0
https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad
I am building a REST-API that talks to an Azure SQL database using .NET core 2.2 and C#. The API runs as a webapp on Azure. The user-access rights are managed by the database itself.
My API requires the users expects users to have a Microsoft account and to be registered in Azure Active Directory and the authentication is done using Bearer tokens.
Is it possible to perform a query on the database on behalf of the user? In other words having the same access rights as if the user logged in to the database directly and performed the query himself.
I believe they need to be Azure Active Directory users if you want to grant access that way. The other option is to use SQL authentication and manage the connection string (user & password) in your web api layer.. This document from Microsoft explains the process for each: https://learn.microsoft.com/en-us/azure/sql-database/sql-database-manage-logins
I have an application developed in ASP.NET MVC using Entity Framework / Sql Server 2008
Actually, connections to the database are made with the "sa" account.
Is it possible to use, instead of "sa" the windows final user credentials ?
This would be helpful to control more efficiently the security limitations of each user.
I use, in my application windows authentication.
Thank's !
It is possible but whole your system must run inside windows domain, users must have domain accounts and your system infrastructure must be enabled for Kerberos delegation (belongs to ServerFault). The reason is that you have two hoops in the system - first user authenticates from his client machine to your web server and then web server delegates user credentials to database server. If client computer, web server and database server are different machine Kerberos delegation must be enabled (if db and web runs on the same server you should be fine without Kerberos). Your web application will have to use impersonation and your connection string will have to use windows integrated security.
Also using end user credentials will reduce performance of your system because EF will have to maintain separate connection pool per user. Administrator of SQL server will have to give access for every single user (or user group) using your application.
We have ADFS 2.0 running and have federated with various STS.
Is it possible to federate with Windows Live, OpenID and Facebook?
Some of our users already have these types of credentials and it would be a bonus to be able to use them.
If so, what URL would be used for the federation metadata address in the "Add Claims Provider Trust" wizard?
Any other gotchas?
ADFS doesn't natively support the protocols of those IP-STSs (with the possible exception of Windows Live). You'll need to put an FP-STS that understands those protocols (e.g., PingFederate) between ADFS and them.
We have been investigating this question a lot.
It seems that the best setup is to use ACS in combination with AD FS 2.0 as described in this article.
This setup also enables claims transformation, for example, if you want to add the corporate customer number as a claim.
We have not yet seen any examples where you can connect AD FS 2.0 directly to Facebook however.
Yes . there are no direct way to get the claims from ADFS , need to configure the ACS and need to set the ACS as ID providers to ADFS.
But the token validation for ACS is 24 hours at max , so you need to be happy with short-lived token for Social Id providers.