I have an Oracle Identity Federation integration with ADFS. I'm inspecting the SAML traffic and when triggering the SLO from OIF I get a successful SAML SLO response back from ADFS.
When I try to start a new SSO session with ADFS I am not asked for username and password.
Does anyone have a clue on how to make ADFS do a real sign out of the user?
When ADFS sends a response it normally clears the ADFS authentication session cookies, which means that a new authentication is required. It really works, no doubt.
What often happens is that Windows Integrated Logon automatically (without questions) logs the user on again. You will need a low level trace to see it.
We are going to enhance the authentication and authorization system of our Intranet web app. After a few days of reading about ADFS, STS, claim-based authentication and ASP.NET Identity, I'm still not sure how these things work together.
Most of our intranet web applications are using Windows Integrated Authentication; we use Windows groups or AzMan to do role-based authorization. We have a few applications (vendor applications) that use their own user database and form-based authentication.
We want to add the following features to our web applications.
For Windows Authentication applications, we want to let the user sign out / sign in as a different user. So when User A uses his/her computer to access the application, it will be automatically logged in (default Windows Integrated Authentication). When he/she logs out, it will redirect to a form that allows entering other user credentials.
We want to allow a user to log in to System A using System B username/password.
e.g. for the Windows authentication application, we want to allow the user to log in to the application using the credentials of the form-based application (vendor application), or vice versa.
I don't know if ADFS can solve these two problems.
From my understanding, the main purpose of ADFS is to allow access to internal applications from the Internet, and it requires SSL.
Our applications are all in the Intranet, and we don't want to manage the SSL cert.
But by using ADFS, perhaps I can enable both Windows and Forms Authentication on my application, and then let the user log out and redirect him to the login form, just like when he accesses it from outside the company network. It should solve problem 1.
For problem 2, what if I create a custom STS to issue security tokens using the user database of the form-based authentication application? Then I can use claim-based authentication and allow one application to use both ADFS and my STS. It should solve my problem 2.
Is my direction correct? Or am I complicating the problem?
ADFS will not work without SSL.
Furthermore, all RPs have to use SSL.
Internally, users will be logged in seamlessly using WIA. When they logout, they will simply be seamlessly logged in again.
Also ADFS v3.0 and below can only authenticate against AD.
While what you want is possible using ADFS, the question is whether it's a good idea and worth the trouble. It may be more appropriate to ask the user to log out of the machine and log in with a different account so you can stick with Integrated Windows Authentication (IWA). Writing your own security infrastructure is fraught with peril.
If you really feel these are hard requirements and it is worth the trouble, the following may work.
Write an ASP.NET web application based on Katana and enable Integrated Windows Authentication. This will make sure that the first time a completely unauthenticated request comes in, the application will challenge the browser. Subsequent requests will have a WindowsPrincipal populated in the HttpContext.User and Thread.CurrentPrincipal.
Now, write a piece of OWIN middleware that checks if an authentication cookie is present. If the cookie is not present, it checks the Thread.CurrentPrincipal and serializes the claims into a secure cookie.
If the security cookie is present, it overwrites the WindowsPrincipal in Thread.CurrentPrincipal with a new ClaimsPrincipal created from the claims in the cookie.
Now, when a user navigates to the web application the first time, he/she will be logged in automatically using IWA and the cookie will be created. Now, provide a logout action which deletes the authentication cookie and presents the user with a username and password dialog.
In the POST handler for that action, use WIF to talk to the username endpoint in ADFS (using WS-Trust protocol) and try to authenticate the user with the supplied credentials. If successful, use the claims from the returned token to create a new authentication cookie.
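The following is an added example of how the pieces in this answer fit together on Katana (Microsoft.Owin) with WIF 4.5; it is not the answer author's code and not taken from any project. The host names, the `AppAuth` cookie name, the `/Account` path, the ADFS `usernamemixed` endpoint, the realm and the token-signing thumbprint are assumptions (the thumbprint is a placeholder to fill in).

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using System.Xml;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

public class Startup
{
    public const string CookieAuthType = "ApplicationCookie";
    public void Configuration(IAppBuilder app)
    {
        // Active mode: an existing cookie is read on every request before the next middleware runs.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthType, AuthenticationMode = AuthenticationMode.Active,
            CookieName = "AppAuth", CookieHttpOnly = true, CookieSecure = CookieSecureOption.Always,
        });
        app.Use<WindowsToCookieMiddleware>();
    }
}
public class WindowsToCookieMiddleware : OwinMiddleware
{
    public WindowsToCookieMiddleware(OwinMiddleware next) : base(next) { }
    public override async Task Invoke(IOwinContext context)
    {
        var principal = context.Request.User as ClaimsPrincipal;
        var fromCookie = principal?.Identities.FirstOrDefault(i => i.AuthenticationType == Startup.CookieAuthType);
        var windows = principal?.Identities.OfType<WindowsIdentity>().FirstOrDefault();
        // /Account is skipped so the login form shown after logout is not re-authenticated by IWA.
        bool onAccountPage = context.Request.Path.StartsWithSegments(new PathString("/Account"));
        if (fromCookie != null)
        {
            // ClaimsPrincipal.Identity prefers a WindowsIdentity whenever one is attached, so rebuild the
            // principal from the cookie identity alone (the "overwrite" step of the answer).
            context.Request.User = new ClaimsPrincipal(fromCookie);
        }
        else if (windows != null && windows.IsAuthenticated && !onAccountPage)
        {
            // First visit: IWA identified the user; SignIn makes the cookie middleware persist these claims.
            var identity = new ClaimsIdentity(windows.Claims, Startup.CookieAuthType, ClaimTypes.Name, ClaimTypes.GroupSid);
            context.Authentication.SignIn(identity);
            context.Request.User = new ClaimsPrincipal(identity);
        }
        await Next.Invoke(context);
    }
}
public static class AdfsUsernameAuthenticator
{
    // Assumed ADFS WS-Trust 1.3 username endpoint, RP identifier and token-signing thumbprint (placeholder).
    const string StsEndpoint = "https://adfs.example.com/adfs/services/trust/13/usernamemixed";
    const string Realm = "https://intranet-app.example.com/";
    const string AdfsSigningThumbprint = "<ADFS token-signing certificate thumbprint>";
    // Returns the validated identity from the ADFS token, or null when ADFS rejects the credentials.
    public static ClaimsIdentity Authenticate(string username, string password)
    {
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential)
            { Security = { Message = { ClientCredentialType = MessageCredentialType.UserName, EstablishSecurityContext = false } } };
        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(StsEndpoint))
            { TrustVersion = TrustVersion.WSTrust13, Credentials = { UserName = { UserName = username, Password = password } } };
        var rst = new RequestSecurityToken { RequestType = RequestTypes.Issue, AppliesTo = new EndpointReference(Realm), KeyType = KeyTypes.Bearer };
        GenericXmlSecurityToken token;
        try { token = (GenericXmlSecurityToken)factory.CreateChannel().Issue(rst); }
        catch (Exception e) when (e is MessageSecurityException || e is FaultException) { return null; }
        // Verify the token's signature against the pinned ADFS certificate and its audience before trusting it.
        var handlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
        handlers.Configuration.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Realm));
        var issuers = new ConfigurationBasedIssuerNameRegistry();
        issuers.AddTrustedIssuer(AdfsSigningThumbprint, "ADFS");
        handlers.Configuration.IssuerNameRegistry = issuers;
        using (var reader = XmlReader.Create(new StringReader(token.TokenXml.OuterXml)))
            return handlers.ValidateToken(handlers.ReadToken(reader)).First();
    }
}
public class AccountController : Controller
{
    [HttpPost] public ActionResult Logout()
    {
        Request.GetOwinContext().Authentication.SignOut(Startup.CookieAuthType);  // delete the cookie ...
        return RedirectToAction("Login");  // ... and show the username/password form (its GET action is omitted)
    }
    [HttpPost] public ActionResult Login(string username, string password)
    {
        var adfsIdentity = AdfsUsernameAuthenticator.Authenticate(username, password);
        if (adfsIdentity == null) { ModelState.AddModelError("", "Invalid username or password."); return View(); }
        var identity = new ClaimsIdentity(adfsIdentity.Claims, Startup.CookieAuthType, ClaimTypes.Name, ClaimTypes.Role);
        Request.GetOwinContext().Authentication.SignIn(identity);
        return RedirectToAction("Index", "Home");
    }
}
```

Two details matter in practice. `ClaimsPrincipal` picks a `WindowsIdentity` as its primary identity whenever one is attached, which is why the middleware rebuilds the principal from the cookie identity instead of trusting `HttpContext.User.Identity` after the cookie middleware has run. And the login form's own path has to be excluded from the IWA-to-cookie step, otherwise the request for the form re-creates the cookie for the Windows user who has just logged out. Copying every Windows claim (including the group SIDs) also makes the cookie large; filter it down to the claims the application actually uses.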
I am working on a web application which should authenticate users via ADFS. WS-FED Passive was chosen as the simplest and fastest to implement.
The setup went smoothly and the application seemed to be working: a user is first redirected to the Identity Provider service, enters username/password and in case of success a SAML token is POSTed back to the web app.
Here is where I get confused: a SAML token can be validated via the Signature and X509Certificate data which are contained in it.
However, what is the proper mechanism to verify that the token was POSTed by the Identity Provider service, not by a third party which also possesses the certificate?
After 2 days of research, now I am at the assumption that ADFS can be used as an Identity Provider which uses Active Directory as its repository (this means we can store username, password... required to identify the user). My confusions are:
When a user opens a login page in the SP, and if there is a trust relationship between the SP and ADFS (IP), does the IP take the Windows logged-in user ID to check the user against Active Directory?
If the authentication is successful, does the IP send user information (as a SAML response) to the SP, so that I can create a session for the logged-in user?
What should I do if the user logs out from the SP? Do I also have to clear the session in the IP (now ADFS)?
If my assumptions are right, how do I implement ADFS as Identity Provider (IP) and consume its service in an ASP.NET application (Service Provider)?
When the SP notices that the user is not signed in it sends the user to the IDP. This is where the login page is presented. ADFS can be configured to authenticate the user based on the signed-in Windows user.
Yes, ADFS can be configured to return user information in the SAML response. This is defined as claims in ADFS.
When the user is logged out in the SP, the SP should send a SAML LogoutRequest to the IDP to remove the session on the IDP.
Here is a library I have seen others use for .net
Another option is to use a product such as Shibboleth in front of your application.
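As an added illustration of the exchange this answer describes (not the answer author's code and not from any library): an SP-initiated SAML 2.0 login in C# using only System.Xml and System.Security.Cryptography.Xml. It builds the AuthnRequest the SP redirects the browser with, and validates the SAML Response that the IdP posts back before any session is created. The entity IDs, the ACS URL and the ADFS endpoint are assumptions; the IdP's token-signing certificate is passed in by the caller (obtained from ADFS metadata out of band), never taken from the message itself.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;
using System.Linq;
using System.Security;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Xml;

public static class SamlServiceProvider
{
    const string Samlp = "urn:oasis:names:tc:SAML:2.0:protocol";
    const string Saml = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Assumed identifiers: this SP, its assertion consumer URL, and the ADFS SAML endpoint and entity ID.
    const string SpEntityId = "https://sp.example.com/";
    const string AcsUrl = "https://sp.example.com/saml/acs";
    const string IdpSsoUrl = "https://adfs.example.com/adfs/ls/";
    const string IdpEntityId = "http://adfs.example.com/adfs/services/trust";

    static void Require(bool ok, string why)
    {
        if (!ok) throw new SecurityException("SAML response rejected: " + why);
    }

    // Step 1: no local session, so send the browser to the IdP (HTTP-Redirect binding: raw DEFLATE,
    // base64, URL-encode). The SP keeps requestId server-side to match the response later.
    public static string BuildAuthnRequestRedirect(out string requestId)
    {
        requestId = "_" + Guid.NewGuid().ToString("N");
        string xml =
            $"<samlp:AuthnRequest xmlns:samlp=\"{Samlp}\" xmlns:saml=\"{Saml}\" ID=\"{requestId}\" Version=\"2.0\"" +
            $" IssueInstant=\"{DateTime.UtcNow:yyyy-MM-dd'T'HH:mm:ss'Z'}\" Destination=\"{IdpSsoUrl}\"" +
            $" ProtocolBinding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" AssertionConsumerServiceURL=\"{AcsUrl}\">" +
            $"<saml:Issuer>{SpEntityId}</saml:Issuer></samlp:AuthnRequest>";
        using (var buffer = new MemoryStream())
        {
            using (var deflate = new DeflateStream(buffer, CompressionMode.Compress, leaveOpen: true))
            {
                byte[] bytes = Encoding.UTF8.GetBytes(xml);
                deflate.Write(bytes, 0, bytes.Length);
            }
            return IdpSsoUrl + "?SAMLRequest=" + Uri.EscapeDataString(Convert.ToBase64String(buffer.ToArray()));
        }
    }

    // Step 2: the IdP POSTs SAMLResponse to the ACS. Every check below must pass before the SP turns
    // the returned user information into a session; the returned dictionary is what the session stores.
    public static Dictionary<string, string> ValidateResponse(string base64Response, string expectedRequestId, X509Certificate2 idpSigningCert)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(Encoding.UTF8.GetString(Convert.FromBase64String(base64Response)));
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("samlp", Samlp); ns.AddNamespace("saml", Saml); ns.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
        XmlElement response = doc.DocumentElement;
        Require(response.LocalName == "Response" && response.NamespaceURI == Samlp, "not a samlp:Response");
        Require(response.GetAttribute("InResponseTo") == expectedRequestId, "does not answer our AuthnRequest");
        Require(response.GetAttribute("Destination") == AcsUrl, "addressed to a different ACS");
        Require(doc.SelectSingleNode("/samlp:Response/samlp:Status/samlp:StatusCode/@Value", ns)?.Value
                == "urn:oasis:names:tc:SAML:2.0:status:Success", "status is not Success");
        var assertion = doc.SelectSingleNode("/samlp:Response/saml:Assertion", ns) as XmlElement;
        Require(assertion != null, "no plaintext assertion (an EncryptedAssertion must be decrypted first)");
        Require(assertion.SelectSingleNode("saml:Issuer", ns)?.InnerText == IdpEntityId, "unexpected issuer");

        // Signature: verify with the pinned IdP certificate, never with the one embedded in the message,
        // and make sure the single signed reference is this very assertion.
        var signature = assertion.SelectSingleNode("ds:Signature", ns) as XmlElement;
        Require(signature != null, "assertion is not signed");
        var signedXml = new SignedXml(assertion);
        signedXml.LoadXml(signature);
        Require(signedXml.CheckSignature(idpSigningCert, true), "signature does not verify with the pinned IdP certificate");
        Require(signedXml.SignedInfo.References.Count == 1
                && ((Reference)signedXml.SignedInfo.References[0]).Uri == "#" + assertion.GetAttribute("ID"), "signature covers something else");

        // Validity window (with a small clock-skew allowance) and audience.
        var conditions = assertion.SelectSingleNode("saml:Conditions", ns) as XmlElement;
        Require(conditions != null, "no Conditions");
        DateTime now = DateTime.UtcNow;
        TimeSpan skew = TimeSpan.FromMinutes(2);
        Require(now >= XmlConvert.ToDateTime(conditions.GetAttribute("NotBefore"), XmlDateTimeSerializationMode.Utc) - skew, "not yet valid");
        Require(now < XmlConvert.ToDateTime(conditions.GetAttribute("NotOnOrAfter"), XmlDateTimeSerializationMode.Utc) + skew, "expired");
        Require(conditions.SelectSingleNode("saml:AudienceRestriction/saml:Audience", ns)?.InnerText == SpEntityId, "not meant for this SP");

        // Subject, SessionIndex (needed later for single logout) and attributes become the SP session.
        var claims = new Dictionary<string, string>
        {
            ["NameID"] = assertion.SelectSingleNode("saml:Subject/saml:NameID", ns)?.InnerText,
            ["SessionIndex"] = (assertion.SelectSingleNode("saml:AuthnStatement", ns) as XmlElement)?.GetAttribute("SessionIndex"),
        };
        foreach (XmlElement attribute in assertion.SelectNodes("saml:AttributeStatement/saml:Attribute", ns))
            claims[attribute.GetAttribute("Name")] = string.Join(",",
                attribute.SelectNodes("saml:AttributeValue", ns).Cast<XmlNode>().Select(v => v.InnerText));
        return claims;
    }
}
```

The `InResponseTo` check is what ties the posted response to a request this SP actually made, and the pinned certificate is what distinguishes the IdP from anyone else who merely has a copy of its public certificate. What the snippet leaves to the caller is replay protection (remember accepted assertion IDs until their `NotOnOrAfter` passes and reject repeats) and decryption when ADFS is configured to send an `EncryptedAssertion`.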
Your question is: "How to implement ADFS as Identity Provider (IP) and consume its service in Asp.net Application (Service Provider)"
Then you have tagged it with SAML?
Why do you want to use SAML? (And here I am talking about SAML the protocol NOT SAML the token).
Just use WS-Federation and WIF, which are supported OOTB. WS-Fed also uses SAML tokens.
If you want to use SAML, refer to SAML : SAML connectivity / toolkit and SAML : ASP.NET MVC application talking to SAML IDP.
I want to implement SAML P in a web application as a SAML Service Provider. I wonder how my application can know that a user X has logged out from the IdP?
I've read that the IdP might make a broadcast when the user logs out from the IdP directly or from any other SP, but the IdP I'm using is not making any broadcast.
Should I redirect to the IdP in the Application_AuthenticateRequest event handler?
You have heard right: the identity provider must send a LogoutRequest to all Service Providers in the session (on the logout URL that the SPs have registered with the IdP) - see page 37 of http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.pdf.
In SAML there is no other standard way for SPs to deterministically know of a user logging out.
Have you registered your Logout URL with the IdP?
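An added example (not the answer author's code) of the two logout directions this answer refers to, in C#: the handler behind the logout URL the SP registered with the IdP, which validates the IdP's LogoutRequest and ends the matching local sessions, and the LogoutRequest the SP itself sends when the user logs out locally. It assumes the HTTP-POST binding, so the IdP's signature is an XML signature inside the message; the entity IDs and URLs are assumptions, and the NameID/SessionIndex index is a constructed in-memory store standing in for the application's real session store.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class SamlSingleLogout
{
    const string Samlp = "urn:oasis:names:tc:SAML:2.0:protocol";
    const string Saml = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Assumed identifiers: this SP, the logout URL it registered with the IdP, and the IdP's entity ID and logout URL.
    const string SpEntityId = "https://sp.example.com/";
    const string SpLogoutUrl = "https://sp.example.com/saml/slo";
    const string IdpEntityId = "http://adfs.example.com/adfs/services/trust";
    const string IdpLogoutUrl = "https://adfs.example.com/adfs/ls/";

    // Constructed in-memory index. The IdP names a session by NameID + SessionIndex from the original
    // assertion, so the SP has to be able to find its own session IDs by that pair.
    static readonly Dictionary<string, HashSet<string>> SessionsByIdpKey = new Dictionary<string, HashSet<string>>();

    public static void RegisterSession(string nameId, string sessionIndex, string spSessionId)
    {
        string key = nameId + "|" + sessionIndex;
        if (!SessionsByIdpKey.TryGetValue(key, out var ids)) SessionsByIdpKey[key] = ids = new HashSet<string>();
        ids.Add(spSessionId);
    }

    static void Require(bool ok, string why)
    {
        if (!ok) throw new SecurityException("LogoutRequest rejected: " + why);
    }

    static string Now() => DateTime.UtcNow.ToString("yyyy-MM-dd'T'HH:mm:ss'Z'");

    // Handler behind the registered logout URL (HTTP-POST binding): validate the IdP's LogoutRequest,
    // drop every local session it names, and return the LogoutResponse to post back to the IdP.
    public static string HandleLogoutRequest(string logoutRequestXml, X509Certificate2 idpSigningCert, out ICollection<string> endedSessions)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(logoutRequestXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("samlp", Samlp); ns.AddNamespace("saml", Saml); ns.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
        XmlElement request = doc.DocumentElement;
        Require(request.LocalName == "LogoutRequest" && request.NamespaceURI == Samlp, "not a samlp:LogoutRequest");
        Require(request.GetAttribute("Destination") == SpLogoutUrl, "addressed to a different logout URL");
        Require(request.SelectSingleNode("saml:Issuer", ns)?.InnerText == IdpEntityId, "unknown issuer");
        DateTime issued = XmlConvert.ToDateTime(request.GetAttribute("IssueInstant"), XmlDateTimeSerializationMode.Utc);
        Require(Math.Abs((DateTime.UtcNow - issued).TotalMinutes) <= 5, "IssueInstant outside the accepted window");
        // Without this check anyone who can reach the logout URL could terminate users' sessions.
        var signature = request.SelectSingleNode("ds:Signature", ns) as XmlElement;
        Require(signature != null, "not signed");
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml(signature);
        Require(signedXml.CheckSignature(idpSigningCert, true), "signature does not verify with the pinned IdP certificate");

        string nameId = request.SelectSingleNode("saml:NameID", ns)?.InnerText;
        string sessionIndex = request.SelectSingleNode("samlp:SessionIndex", ns)?.InnerText;
        string key = nameId + "|" + sessionIndex;
        endedSessions = SessionsByIdpKey.TryGetValue(key, out var ids) ? ids : new HashSet<string>();
        SessionsByIdpKey.Remove(key);  // the caller invalidates these SP session IDs in its own session store

        return $"<samlp:LogoutResponse xmlns:samlp=\"{Samlp}\" xmlns:saml=\"{Saml}\" ID=\"_{Guid.NewGuid():N}\" Version=\"2.0\"" +
               $" IssueInstant=\"{Now()}\" Destination=\"{IdpLogoutUrl}\" InResponseTo=\"{request.GetAttribute("ID")}\">" +
               $"<saml:Issuer>{SpEntityId}</saml:Issuer><samlp:Status>" +
               "<samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status></samlp:LogoutResponse>";
    }

    // The other direction: when the user logs out at this SP, this LogoutRequest goes to the IdP so it ends
    // its own session and notifies the other SPs. Like the response above, it must be signed before sending.
    public static string BuildLogoutRequest(string nameId, string sessionIndex)
    {
        return $"<samlp:LogoutRequest xmlns:samlp=\"{Samlp}\" xmlns:saml=\"{Saml}\" ID=\"_{Guid.NewGuid():N}\" Version=\"2.0\"" +
               $" IssueInstant=\"{Now()}\" Destination=\"{IdpLogoutUrl}\"><saml:Issuer>{SpEntityId}</saml:Issuer>" +
               $"<saml:NameID>{SecurityElement.Escape(nameId)}</saml:NameID>" +
               $"<samlp:SessionIndex>{SecurityElement.Escape(sessionIndex)}</samlp:SessionIndex></samlp:LogoutRequest>";
    }
}
```

Calling `RegisterSession` with the NameID and SessionIndex of the assertion at login time is what makes the IdP's later LogoutRequest actionable; without that mapping the SP has nothing to terminate. With the HTTP-Redirect binding the IdP's signature arrives in the query string (`SigAlg` and `Signature` parameters) rather than inside the XML, and the verification has to be done over the query string instead, which this example does not cover.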
I'm working on an MVC project and I'd like to abstract authentication out completely using WIF. By default, without any additional configuration, this app needs to be its own STS in addition to also being a relying party. Has anyone done that and have any suggestions?
I tried to think of exactly the same mechanism some time ago and I failed.
My reasoning was that to be an RP, the application has to get a signed SAML token issued by an STS. Upon receiving the token, the federation cookie is created.
But to be the STS, the application should have a login page and a mechanism to persist the login session so that users do not have to login again. Then it should react to wsignin1.0 requests and issue SAML tokens.
This leads to a contradiction in my opinion. The application should have a federation cookie (to maintain user sessions as an STS) before it issues the SAML token, but at the same time it can only create a federation cookie (as an RP) just after it receives the SAML token.
Of course, you could possibly maintain two cookies, a federation cookie for the RP part and a forms cookie (probably) for the STS part but it sounds impractical and against the idea of abstracting the authentication.
In short: this is not easily possible in my opinion. However, I would be glad to hear other ideas from someone.