I have followed this article to build a demo app with on-premise ADFS federation.
http://www.cloudidentity.com/blog/2014/02/12/use-the-on-premises-organizational-authentication-option-adfs-with-asp-net-in-visual-studio-2013/
I am able to get the needed information for the user using simple code:
```vb
' Reads the e-mail claim from the current claims principal
Dim UserEmail = System.Security.Claims.ClaimsPrincipal.Current.FindFirst(System.IdentityModel.Claims.ClaimTypes.Email).Value
```
But how can I get the groups the username belongs to, and check if the user account is a member of a Windows group in Active Directory?
I have tried to use System.Security.Claims.ClaimsPrincipal.Current.IsInRole to check if the user is in a group, but it won't work.
In ADFS claims rules, you need to configure a rule "Send LDAP Attributes as Claims" / "Token Groups - Unqualified Names" and map to "Role" as the "Outgoing Claim Type".
ADFS then provides all the security groups the user is memberOf in Role format and WIF maps them to the IsInRole construct.
This is enough:
```csharp
// Adds an empty identity to the current principal, then reads the e-mail claim into the view
ClaimsPrincipal.Current.AddIdentity(new ClaimsIdentity());
ViewBag.Name = ClaimsPrincipal.Current.FindFirst(ClaimTypes.Email).Value;
```
:)
Related
I am setting up an instance of WSO2 API Manager, and want to give developers access to the API "store" pages by linking it to my existing OpenID Connect identity server (OpenAM). I've added the OIDC configuration into the store configuration file (wso2am-2.6.0/repository/deployment/server/jaggeryapps/store/site/conf/site.json) with all the details of the authorise, token, userinfo endpoints, etc.
When users click login in the store, it is correctly redirecting them to OpenAM to log in, and passing an access token back to the store app. I've also ensured some of the required claims are returned from the userinfo endpoint (like preferred_username). I'm also returning a "groups" claim listing the groups the user should be in, "subscriber" for example.
The claims I'm returning from userinfo are:
```json
{
  "address": {
    "formatted": "My House"
  },
  "given_name": "Danny",
  "family_name": "Developer",
  "name": "Danny Developer",
  "preferred_username": "Danny Developer",
  "groups": [
    "subscriber"
  ],
  "email": "adam.hatherly#nhs.net",
  "sub": "developer1"
}
```
However, whatever I try with claims and group names, the store still gives the error message "User is not permitted to log in to the Store.". I assume there's something else I need to add in either the access token or the userinfo endpoint claims list to make the store app accept the user, or some other config in the store or carbon console?
The reason for the user login issue is that the user does not have the relevant permissions to log in to the store. The user needs to have the internal/subscriber role assigned. Since the user is coming from OpenAM and APIM does not have any information to authorize it, login fails.
For this, either you should share the OpenAM user store with APIM (say a shared LDAP) and assign users the internal/subscriber role, or use custom code to add the user to the APIM user store and assign the role.
Another easy option is to create a user on the APIM side (with a dummy password) with the subscriber role, but this is not a suitable solution if you do not know all the users.
With WebSecurity, registering a user looks like this:
```csharp
// Creates the membership account and the profile row in one call
WebSecurity.CreateUserAndAccount(model.UserName, model.Password);
```
I know I can pass in custom parameters for my User table as well. What I'm wondering is: in a multi-tenant scenario, how do I allow WebSecurity to enforce uniqueness on the Username and TenantId columns, instead of just Username?
Related: when logging in, how do I specify a `TenantId` so that forms auth assigns a cookie only if the user exists on the specified tenant?
Unfortunately I can only extend WebSecurity and don't have the option to replace it. Hopefully there's a way to make this work.
We've solved this problem in the past by just adding a tenant identifier to the username when saving the user and again when verifying the login credentials.
The user doesn't see this, but it works brilliantly and easily!
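The tenant-in-the-username scheme from the answer above, written out as an added example (not the answerer's code). The separator, the input validation, the optional `TenantId` profile column and the class and method names are this example's own choices; it assumes an app where `WebSecurity.InitializeDatabaseConnection` has already run.

```csharp
using System;
using System.Linq;
using WebMatrix.WebData;

// The tenant id is folded into the stored user name, so the single "UserName must be
// unique" rule SimpleMembership already enforces becomes "unique per tenant", and a
// Login() for tenant A can never match an account created under tenant B.
// Separator, validation rules and method names are this example's choices.
public static class TenantAccounts
{
    const char Separator = '|';

    // Rejects names containing the separator (otherwise "acme" + "b|ob" could be confused
    // with another qualified name) and tenant ids that are not plain tokens.
    public static string Qualify(string tenantId, string userName)
    {
        if (string.IsNullOrWhiteSpace(tenantId) || !tenantId.All(char.IsLetterOrDigit))
            throw new ArgumentException("tenant id must be alphanumeric", nameof(tenantId));
        if (string.IsNullOrWhiteSpace(userName) || userName.Contains(Separator))
            throw new ArgumentException("user name must not contain '" + Separator + "'", nameof(userName));
        // Tenant id is case-folded so "Acme" and "acme" are one tenant, not two.
        return tenantId.ToLowerInvariant() + Separator + userName.Trim();
    }

    // What the user typed, recovered from the stored name for display only.
    public static string DisplayName(string qualifiedName) =>
        qualifiedName.Substring(qualifiedName.IndexOf(Separator) + 1);

    public static void Register(string tenantId, string userName, string password) =>
        WebSecurity.CreateUserAndAccount(Qualify(tenantId, userName), password,
            new { TenantId = tenantId });   // assumes an optional TenantId column on the user table

    // Succeeds only when an account with this exact tenant-qualified name exists, so the
    // forms-auth cookie is issued for the requested tenant and no other.
    public static bool Login(string tenantId, string userName, string password, bool persist = false)
    {
        string qualified;
        try { qualified = Qualify(tenantId, userName); }
        catch (ArgumentException) { return false; }   // malformed input is just a failed login
        return WebSecurity.Login(qualified, password, persist);
    }
}
```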
I would like to know if there is a way to configure Microsoft ADFS to assign more than one role to a user. Can I get the corresponding SAMLResponse XML for this?
There are a number of ADFS claims rules "Token Groups as xxx".
Map one of these to Role - depending on what you want.
ADFS will then send all the security groups that the user is memberOf as Role.
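The two ADFS answers above (Token-Groups mapped to the Role outgoing claim type, which WIF turns into IsInRole) illustrated as an added example, not code from either answer. The assertion fragment is constructed for the example: it shows the shape of a role attribute carrying several group values, and the class maps it onto a ClaimsPrincipal; the class and method names are this example's own, and signature validation, which WIF performs before any claim is trusted, is left out.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Xml.Linq;

// Turns the multi-valued role attribute of a SAML 2.0 assertion (the shape ADFS emits
// once a Token-Groups rule is mapped to the Role outgoing claim type) into role claims,
// so ClaimsPrincipal.IsInRole answers group-membership questions. WIF normally does this.
public static class AdfsRoleClaims
{
    static readonly XNamespace Saml = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed sample, not a real ADFS response: one role attribute, two groups.
    public const string SampleAssertion =
@"<Assertion xmlns=""urn:oasis:names:tc:SAML:2.0:assertion"">
  <AttributeStatement>
    <Attribute Name=""http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"">
      <AttributeValue>alice@example.com</AttributeValue>
    </Attribute>
    <Attribute Name=""http://schemas.microsoft.com/ws/2008/06/identity/claims/role"">
      <AttributeValue>Domain Users</AttributeValue>
      <AttributeValue>App-Admins</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>";

    // Every <AttributeValue> becomes one Claim whose type is the parent's Name, so the
    // two role values become two ClaimTypes.Role claims on the same identity.
    public static ClaimsPrincipal ToPrincipal(string assertionXml)
    {
        var doc = XDocument.Parse(assertionXml);
        var claims = doc.Descendants(Saml + "Attribute")
            .SelectMany(a => a.Elements(Saml + "AttributeValue")
                .Select(v => new Claim((string)a.Attribute("Name"), v.Value)));
        // Last two arguments tell the identity which claim types carry the name and the roles.
        var identity = new ClaimsIdentity(claims, "Federation", ClaimTypes.Email, ClaimTypes.Role);
        return new ClaimsPrincipal(identity);
    }

    public static void Main()
    {
        var user = ToPrincipal(SampleAssertion);
        var groups = user.FindAll(ClaimTypes.Role).Select(c => c.Value);
        Console.WriteLine("groups: " + string.Join(", ", groups));
        Console.WriteLine("App-Admins? " + user.IsInRole("App-Admins"));
        Console.WriteLine("Domain Admins? " + user.IsInRole("Domain Admins"));
    }
}
```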
How can I check if the user is not Admin or User? I need this function to determine if the username connecting is anything but Admin or User.
Thanks for the help.
```vb
' True only when the connected user is neither Admin nor User
' (joined with Or, the condition would be true for every name, Admin and User included)
If (CurrentUser.UserName <> "Admin") AndAlso (CurrentUser.UserName <> "User") Then
    ' ...
End If
```
Are you using an identity model at all in your application? If you're using Forms Authentication, for example, and using the Universal Membership Provider (the default membership provider in ASP.NET), then that linkage will help you. From there, you can use the "IsInRole" method of the User object, and add/remove users from the appropriate roles. Start with this article, and Google from there for more info on using Universal Membership: http://msdn.microsoft.com/en-us/library/system.web.security.roleprincipal.isinrole(v=vs.110).aspx
In my ASP.NET application, users are created by the administrators, and those users need to log in to the system using their own email/password or OpenID. So what is the best option to implement in this scenario?
I mean, as users can't register themselves, does the administrator need to associate each OpenID with the users, and what kind of table structure do I need?
And do I also need a log-in interface like that of stackoverflow.com, showing multiple types of authentication (default and OpenID from various providers)?
If the below suits you, you can set it up this way:
Have the user come to your site and try logging in.
Do the complete OpenID authentication, fetching one pseudonym from OpenID which can be used as a unique user identifier.
Once verified, check if the user exists in your database of authorized users. If not, add this to a separate table of new_users. For the new user, show a message akin to "You can log in to the site once the admin authorizes you".
Provide an interface for the admin to look into new_users.
Allow the admin to authorize the new user. This would move the user to authorized users based on your business criteria.
Once authorized, the user can log in to the site.
P.S.: Take a look at http://www.plaxo.com/api/openid_recipe
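The approval flow from the answer above as an added example (not the answerer's code), with the authorized-users and new_users tables modelled as in-memory dictionaries; the type names, the outcome enum and the sample identifier are this example's own.

```csharp
using System;
using System.Collections.Generic;

// Keyed by the verified OpenID claimed identifier (the pseudonym the answer mentions),
// never by a user-typed name. In a real app the two dictionaries would be the
// authorized-users and new_users tables; everything here is this example's own naming.
public enum LoginOutcome { SignedIn, PendingApproval, AlreadyPending }

public class AccountDirectory
{
    readonly Dictionary<string, string> authorized = new Dictionary<string, string>(StringComparer.Ordinal);
    readonly Dictionary<string, DateTime> newUsers = new Dictionary<string, DateTime>(StringComparer.Ordinal);

    // Called only after the OpenID library has verified the provider's response;
    // claimedId is the stable identifier the provider asserted for this user.
    public LoginOutcome OnOpenIdVerified(string claimedId)
    {
        if (string.IsNullOrWhiteSpace(claimedId))
            throw new ArgumentException("claimed identifier required", nameof(claimedId));
        if (authorized.ContainsKey(claimedId))
            return LoginOutcome.SignedIn;              // issue the session/cookie here
        if (newUsers.ContainsKey(claimedId))
            return LoginOutcome.AlreadyPending;        // "you can log in once the admin authorizes you"
        newUsers[claimedId] = DateTime.UtcNow;         // lands in new_users for admin review
        return LoginOutcome.PendingApproval;
    }

    // Admin-only view of the pending queue.
    public IReadOnlyCollection<string> Pending => newUsers.Keys;

    // Admin moves one queued identifier into the authorized set. The display name is
    // chosen by the admin, so a self-asserted OpenID nickname never becomes a trusted label.
    public bool Approve(string claimedId, string displayName)
    {
        if (!newUsers.Remove(claimedId)) return false;   // approve only what was actually queued
        authorized[claimedId] = displayName;
        return true;
    }

    public static void Main()
    {
        var dir = new AccountDirectory();
        const string id = "https://openid.example/id/dev1";   // constructed identifier
        Console.WriteLine(dir.OnOpenIdVerified(id));           // first visit: queued
        Console.WriteLine(dir.Approve(id, "Danny Developer") + " " + dir.OnOpenIdVerified(id));
    }
}
```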