How to secure IdentityManager with IdentityServer v3 - asp.net

Brock Allen released the new beta version of IdentityManager last week. There are quite a few changes in the security model, so the configuration has also changed.
He even recorded some videos (Setting up ASP.NET Identity and Security and IdentityManager) on how to configure the new version properly. These explain the usage well in a classic ASP.NET MVC application, and also the ADFS setup, but I couldn't find any help or sample code on how to make it work side by side with Identity Server v3.
Can you please share your experiences configuring IdMgr's remote access with the help of IdSrv3?

After posting this question, I opened an issue on GitHub and had a chat in the IdentityManager Gitter chatroom, and I managed to solve the issue.
There was a sample host configuration in the IdentityManager GitHub source. After implementing the exact same configuration in my project, I can now connect to IdMgr remotely using IdSrv3.
Hope that helps someone.

Related

Issue with OAuth2 returning now Access_denied

I've been using LinkedIn SSO on my website for more than a year now and it has always performed as asked, until today. My website is an ASP.NET MVC5 website (C#). I use the classic OAuth2 integration and everything was working fine until yesterday, when I changed the domain of my website. In the developer interface I changed the redirect URLs (or should I say I added new redirect URLs), but it always sends access_denied to my callback URL and I don't understand why. Does anyone have the same issue these days, or tips on how I can correct it?
Thanks a lot for your help
We had the same issue, and after a bit of digging it appears that LinkedIn is now forcing TLS 1.2. If you are on an old framework you may have to upgrade: 4.6+ has TLS 1.2 as default and should work with no extra setup (although, depending on the server you're running on, you may still need to set up support for TLS 1.2; follow the instructions in the top answer on this post: .Net Framework 4.6.1 not defaulting to TLS 1.2).
If you are on 4.5+ you can just tell your code to use TLS 1.2 by adding the following command somewhere global (for example when you initialize LinkedIn auth):
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
Some further info about TLS 1.2 and support in .NET can be found here: https://blogs.perficient.com/2016/04/28/tsl-1-2-and-net-support/
Hope this all helps!
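As an added example (not code from the answer above), here is a startup helper for .NET Framework 4.5+ that enables TLS 1.2 the way the answer suggests, but with two refinements a practitioner usually wants: it ORs the flag into the existing value instead of overwriting it, so protocols the runtime already allows (such as TLS 1.3 on newer runtimes) are not silently dropped, and it exposes a check you can log at startup. The class and method names are my own.

```csharp
// Added example: enable TLS 1.2 for all outbound HTTPS calls in a .NET Framework 4.5+ app.
using System;
using System.Net;

public static class TlsStartup
{
    // Call once at application start (e.g. Global.asax Application_Start), before the
    // first outbound HTTPS request. ServicePointManager settings are process-wide.
    public static void EnableTls12()
    {
        // Bitwise OR adds TLS 1.2 while keeping whatever is already enabled.
        // Plain assignment (= SecurityProtocolType.Tls12) also fixes the LinkedIn
        // call but limits the whole process to exactly one protocol version.
        ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;

        // Make sure legacy SSL 3.0 can never be negotiated, even if a global
        // config or another library turned it on.
        ServicePointManager.SecurityProtocol &= ~SecurityProtocolType.Ssl3;
    }

    // Returns true when TLS 1.2 is among the enabled protocols; useful for a
    // startup log line or a health check.
    public static bool IsTls12Enabled()
    {
        return (ServicePointManager.SecurityProtocol & SecurityProtocolType.Tls12) != 0;
    }
}
```

On .NET Framework 4.7 and later, Microsoft's guidance is to leave SecurityProtocol at its SystemDefault value so the operating system decides, and only apply an explicit setting like the one above on older frameworks where the default excludes TLS 1.2.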

Debugging Dot Net Website as Domain Normal User

We are developing ASP.NET website, API and MVC projects using Visual Studio. Currently the systems we're using run under a local administrator account. We are now mapping them to a domain user (normal user). However, certain features are not supported by Visual Studio when we do this; most importantly:
Debugging applications that run under a different user account, such as ASP.NET websites.
Deploying a web application to Internet Information Services (IIS) on a local computer.
See the MSDN doc here.
Note that deploying to IIS is not an issue for us; however, we're unable to debug the application and that is the real deal breaker here!
I would like to know how to debug ASP.NET websites when using a domain-mapped normal user.
I know this is not a programming-related question. However, it seems like most .NET programmers are affected by this and I don't know where else to ask for help, so I'm posting it here. (Suggest another site if one is more suitable for this!)
Thank you for your help in advance.
The simple answer, as mentioned in that MSDN document and this SO question, is that you can't.
It might be possible to do it through roundabout ways, such as changing the credentials that the IIS worker, application pool, and related processes run as, but even if it were possible, it wouldn't be supported, and most likely wouldn't be worth the effort. Here are two very old articles that deal with the topic:
https://msdn.microsoft.com/en-us/library/aa289173(VS.71).aspx
http://jameskovacs.com/2006/03/16/debugging-as-a-nonadmin/
It may be more feasible if you're able to run your application in an OWIN (Wikipedia) container running in an alternate (to IIS) host.

Can I receive SAML 2.0 message in ASP.NET without WIF?

We are planning to receive a SAML assertion from another website into ours (ASP.NET). No one here has ever worked with SAML. We simply need to verify the signed assertion, decrypt the token containing a user id and, if we can verify it, log them into our site (authenticate/authorize). We are using Forms Authentication for all other authentication. I would like to avoid installing WIF if possible, because my understanding is that we'd have to install the runtime on all the developers' machines and servers. Our machines are locked down by policy such that it would be a lot of paperwork to get it installed. Are there alternatives to WIF, and are they realistic to use in an enterprise environment? If so, can someone point me in the right direction? A good tutorial, video, book or anything with examples would be helpful. I looked at some third-party components, but I'd have the same issue as with WIF on our servers (not to mention dealing with procurement).
Thanks
Is this an internal or an external-facing application? You may want to check out PingOne.com Application Provider Services (APS) [Note: I work for Ping]. PingOne handles all the SAML protocol stuff for you and provides self-service capabilities, reporting, etc. No need to install WIF... just a few lines of .NET code (or whatever) to integrate with the RESTful service that PingOne provides.
HTH - Ian

How to implement DotNetOpenAuth as Oauth provider in MVC3 .net?

I have been researching for a while now about how to implement an OAuth provider to secure my web api, but without good results.
From what I've seen so far, apparently there are only three libraries for developing an OAuth provider in .NET:
1- DotNetOpenAuth
2- DevDefined
3- OAuth.net from madgex
madgex doesn't have any documentation for providers at all, at least I haven't found anything; the same goes for DevDefined. Well, the last one has some documentation, but it lacks samples.
DotNetOpenAuth I think is the one most developers use, but I'm having a hard time understanding its samples, and the documentation is terrible.
Has anybody implemented any of these libraries to write an OAuth PROVIDER, NOT CONSUMER, or does anyone know where I can find decent documentation for any of these?
For the record, I'm trying to develop a 3-legged OAuth provider.
Can anybody help me out here?
Have you checked out this project template? Although it's MVC 2, it should provide some useful ideas for doing it in MVC 3:
http://visualstudiogallery.msdn.microsoft.com/81153747-70d7-477b-b85a-0374e7edabef
Then there is the OAuthServiceProvider sample that comes with DotNetOpenAuth, which is WebForms but the principles are mostly the same.
A good sample of a DotNetOpenAuth implementation can be found here: Releasing an ASP.NET MVC 3 OpenId StarterKit under Open Source License
Project url: http://mvcopenid.codeplex.com/
It should be a good starting point for you.
UPDATE
By the way, in ASP.NET MVC 4 third-party auth providers are available out of the box.
I have followed the steps mentioned at https://github.com/DotNetOpenAuth/DotNetOpenAuth/wiki/Security-scenarios to implement an OAuth 2.0 authorization service.
I have used the below link to create security certificates:
http://www.jayway.com/2014/09/03/creating-self-signed-certificates-with-makecert-exe-for-development/
Don't forget to change your solution to use the thumbprints from the certificates created by you.
This is the best place to understand the OAuth 2 protocol:
https://www.rfc-editor.org/rfc/rfc6749

Shibboleth and .NET

I've got a requirement that an ASP.NET web app use Shibboleth for authentication. Has anyone done this before? Are there libraries out there to support the method calls? Or is this a Java-only thing?
It's definitely not a Java-only thing; there's an Apache module available for download on the Shibboleth site.
I don't know if there's anything specific for .NET.
We implemented Shibboleth a while back and we originally tried to use the Java solutions; it was a nightmare. The Java apps were badly written, buggy and badly documented. It was hassle after hassle and we eventually decided to use the Apache module on a dedicated server and forward successfully authenticated users on to our Tomcat app.
The Apache module was a breeze to set up, configure and get working.
I don't know if you've already realised, but the Shib documentation and website are incredibly hard to navigate; it's a fight to find any useful information. I did go and look for a .NET implementation on there but gave up!
If our Java experiences are anything to go by, I would seriously suggest setting up an Apache server with the Shibboleth module installed and saving yourself a world of pain.
This is a good site for testing your Shibboleth install once you have it set up: http://www.testshib.org/testshib-two/index.jsp
If you do find a good .NET solution then I'd be very interested to hear about it. Good luck!
I know this is a really old question, but I thought I might be able to do a bit better expanding for those who are finding the answers from Google.
As recommended above, you really want to configure your web server to load a module. The hard part of Shibboleth is the configuration file, but assuming someone else in your organization has used Shibboleth, you can use theirs as a template and it's fairly easy.
For .NET-based authentication, you'll need to configure Shibboleth in IIS. The default configuration for IIS creates a directory called /secure, and anything put under there will require Shibboleth authentication (i.e. it will redirect to the identity provider). You can configure it to cover other directories or even do lazy authentication.
Once you have the authentication piece in place, you can check headers to "read" the information the identity provider is passing to you. IIS handles things a bit differently than Apache, but it's still pretty easy. If you just want the username you could use HTTP_REMOTEUSER, although there could be better options; i.e. Ohio State University recommends using eduPersonPrincipalName.
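As an added example (not code from the answer above), here is a small ASP.NET helper that reads the user identity the Shibboleth SP module injects into a request on IIS, preferring eduPersonPrincipalName as the answer recommends and falling back to the REMOTE_USER mapping. The variable names are assumptions: HTTP_EPPN assumes the SP's default attribute-map id "eppn" exposed as a header, HTTP_REMOTEUSER is the name quoted in the answer; check your own SP configuration for the exact names and for whether it exposes attributes as headers or as server variables.

```csharp
// Added example: read the Shibboleth-provided identity from an ASP.NET request on IIS.
using System;
using System.Web;

public static class ShibbolethIdentity
{
    // Ordered by preference. eduPersonPrincipalName is scoped (user@realm) and
    // stable across a federation; REMOTE_USER is whatever the SP was told to map.
    private static readonly string[] CandidateVariables =
    {
        "HTTP_EPPN",        // assumption: SP header for eduPersonPrincipalName (attribute id "eppn")
        "HTTP_REMOTEUSER",  // name quoted in the answer above
        "REMOTE_USER"       // set when the SP runs in server-variable mode
    };

    // Returns the first non-empty candidate, or null when the request did not pass
    // through a Shibboleth-protected path (no module, no values).
    public static string GetPrincipalName(HttpRequestBase request)
    {
        if (request == null) throw new ArgumentNullException("request");

        foreach (var name in CandidateVariables)
        {
            var value = request.ServerVariables[name];
            if (!string.IsNullOrWhiteSpace(value))
                return value.Trim();
        }
        return null;
    }

    // Convenience overload for classic ASP.NET pages and handlers.
    public static string GetPrincipalName(HttpRequest request)
    {
        return GetPrincipalName(new HttpRequestWrapper(request));
    }
}
```

Only call this on paths the SP module actually protects (the /secure directory in the default configuration, or whatever you extended it to). HTTP_* server variables are, by definition, request headers, so on a path the module does not cover they are simply whatever the client sent; the SP's server-variable mode exists to avoid that ambiguity, and is worth preferring on IIS where available.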
As MatthewMartin says, Shibboleth is just a SAML server; Windows Identity Foundation supports SAML, as explained in this blog post.