What is the difference between active federation and passive federation in ADFS? - adfs

I am new to ADFS. Actually I don't know what active or passive federation is, and I also don't know the difference between them. Can anybody help me with this?
Thanks in advance!

Passive uses the browser to do redirects etc. The protocol is WS-Federation. The user is asked to log on via a flow.
Active uses a web service; the protocol is WS-Trust. It's essentially "headless". The user normally doesn't actively log on; credentials may be part of the web service call.
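The two message shapes side by side, as an added example that is not part of the answer above. The STS host, realm, user name and the sample `wresult` are constructed; endpoint paths are the standard ADFS ones (`/adfs/ls/` for WS-Federation, `/adfs/services/trust/13/usernamemixed` for WS-Trust 1.3). Signature, audience and lifetime validation of the returned token is deliberately left out, so this shows only what travels on the wire in each flow:

```python
# Added example: passive (WS-Federation, browser) vs. active (WS-Trust, web service).
# Host, realm, user and the sample wresult are constructed; a real RP must also
# validate the token signature, audience, lifetime and issuer (omitted here).
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

STS_HOST = "https://adfs.example.com"                                  # assumed
PASSIVE_ENDPOINT = STS_HOST + "/adfs/ls/"                              # WS-Federation passive requestor
ACTIVE_ENDPOINT = STS_HOST + "/adfs/services/trust/13/usernamemixed"   # WS-Trust 1.3, username over TLS

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "a": "http://www.w3.org/2005/08/addressing",
    "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "t": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

def q(prefix, local):
    """Clark-notation tag for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)

def passive_signin_url(wtrealm, wctx, wreply=None):
    """Passive flow, step 1: the URL the RP redirects the browser to.
    wctx is opaque RP state that the STS echoes back unchanged."""
    params = {"wa": "wsignin1.0", "wtrealm": wtrealm, "wctx": wctx}
    if wreply:
        params["wreply"] = wreply
    return PASSIVE_ENDPOINT + "?" + urlencode(params)

def parse_passive_response(form_body):
    """Passive flow, step 2: parse the form the STS auto-POSTs back to the RP.
    Returns (wctx, subject NameIdentifier) from the SAML 1.1 assertion in wresult."""
    form = parse_qs(form_body)
    if form.get("wa") != ["wsignin1.0"]:
        raise ValueError("not a wsignin1.0 response")
    root = ET.fromstring(form["wresult"][0])
    assertion = root.find(".//saml:Assertion", NS)
    name_id = assertion.find(".//saml:NameIdentifier", NS) if assertion is not None else None
    if name_id is None:
        raise ValueError("no SAML 1.1 assertion with a subject in wresult")
    return form["wctx"][0], name_id.text

def active_rst_envelope(username, password, applies_to):
    """Active flow: a WS-Trust 1.3 RST/Issue asking for a bearer SAML 1.1 token for applies_to.
    The password sits in the SOAP header in clear (PasswordText), so the only
    acceptable transport is TLS to the usernamemixed endpoint. No browser involved."""
    env = ET.Element(q("s", "Envelope"))
    header = ET.SubElement(env, q("s", "Header"))
    ET.SubElement(header, q("a", "Action")).text = NS["t"] + "/RST/Issue"
    ET.SubElement(header, q("a", "To")).text = ACTIVE_ENDPOINT
    utok = ET.SubElement(ET.SubElement(header, q("o", "Security")), q("o", "UsernameToken"))
    ET.SubElement(utok, q("o", "Username")).text = username
    pwd = ET.SubElement(utok, q("o", "Password"))
    pwd.set("Type", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText")
    pwd.text = password
    rst = ET.SubElement(ET.SubElement(env, q("s", "Body")), q("t", "RequestSecurityToken"))
    ET.SubElement(rst, q("t", "RequestType")).text = NS["t"] + "/Issue"
    ET.SubElement(rst, q("t", "TokenType")).text = NS["saml"]
    ET.SubElement(rst, q("t", "KeyType")).text = NS["t"] + "/Bearer"
    epr = ET.SubElement(ET.SubElement(rst, q("wsp", "AppliesTo")), q("a", "EndpointReference"))
    ET.SubElement(epr, q("a", "Address")).text = applies_to
    return ET.tostring(env, encoding="unicode")

def rst_summary(envelope_xml):
    """Fields worth checking in an outgoing RST: action, user, target realm, key type."""
    root = ET.fromstring(envelope_xml)
    return {
        "action": root.findtext("s:Header/a:Action", namespaces=NS),
        "username": root.findtext(".//o:UsernameToken/o:Username", namespaces=NS),
        "applies_to": root.findtext(".//wsp:AppliesTo/a:EndpointReference/a:Address", namespaces=NS),
        "key_type": root.findtext(".//t:KeyType", namespaces=NS),
    }

# Constructed, unsigned sample of the passive POST-back (shape only, not a real token).
SAMPLE_WRESULT = (
    '<t:RequestSecurityTokenResponseCollection xmlns:t="%s">'
    '<t:RequestSecurityTokenResponse><t:RequestedSecurityToken>'
    '<saml:Assertion xmlns:saml="%s" AssertionID="_1" Issuer="%s/adfs/services/trust">'
    '<saml:AttributeStatement><saml:Subject><saml:NameIdentifier>bob@example.com'
    '</saml:NameIdentifier></saml:Subject></saml:AttributeStatement></saml:Assertion>'
    '</t:RequestedSecurityToken></t:RequestSecurityTokenResponse>'
    '</t:RequestSecurityTokenResponseCollection>'
) % (NS["t"], NS["saml"], STS_HOST)
SAMPLE_FORM = urlencode({"wa": "wsignin1.0", "wresult": SAMPLE_WRESULT, "wctx": "rm=0&id=42"})

if __name__ == "__main__":
    print(passive_signin_url("https://rp.example.com/", "rm=0&id=42"))
    print(parse_passive_response(SAMPLE_FORM))
    print(rst_summary(active_rst_envelope("bob", "Passw0rd!", "https://rp.example.com/")))
```

The practical difference is visible in the code: in the passive case the RP never sees a password, only a redirect out and a signed token back, so the STS can use any interactive method it likes (forms, Kerberos, MFA); in the active case the client itself holds and sends the credentials in the SOAP header, which is why WS-Trust endpoints are the ones to lock down (TLS only, no exposure to the internet unless you mean it, and usually disabled when not needed).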

Related

Custom authentication with ADFS(Not multifactor)

I need good advice and want to know whether a solution is feasible or not. Right now one of my customers has a common login application which is based on Forms authentication (ASP.NET) using a membership provider. All internal users use their AD credentials to log on and external users use a custom username and password. Both are wrapped via Forms authentication. Now the new proposal is to replace this Forms authentication with ADFS. I have gone through various articles on the internet and am not able to come to a conclusion. Let me list my findings so far with ADFS extension points.
1) It is possible to add a custom attribute to ADFS claims by the approach mentioned in https://blogs.technet.microsoft.com/cloudpfe/2013/12/27/how-to-create-a-custom-attribute-store-for-active-directory-federation-services-3-0/.
2) It is possible to add a second level of authentication (or multifactor authentication) via the approach in https://blogs.msdn.microsoft.com/jenfieldmsft/2014/03/24/build-your-own-external-authentication-provider-for-ad-fs-in-windows-server-2012-r2-walk-through-part-1/. Here I understand that only after first-level authentication is done by AD will our external provider come into the picture.
So I have a general question: is it really possible to achieve what I am looking for with ADFS? Please let me know.
This is based on where the user accounts are stored. If both internal and external users are in AD, you can just redirect to ADFS.
If internal is in AD and external is in an untrusted or other LDAP source, using ADFS 2016 you can link to both these account stores and still offload authentication to ADFS.
If external is in SQL, you can either use a virtual directory in front to project it as an LDAP store (previous option) or use IdentityServer.
If external is something else, you'd need IdentityServer.
Thanks //Sam (#MrADFS)
Yes - you can add a custom attribute store.
Yes - you can add a custom authenticator.
A better way might be to use Thinktecture's IdentityServer 3.0 for the ASP.NET Identity part and then federate IdentityServer and ADFS.

Posting user credentials in SAML to a service provider

I have been tasked to implement an SSO process for one of our internet sites. I have been reading as much as I can to fully understand SSO and SAML, so here goes:
I need to forward to a 3rd party's Service Provider (SP-3rd_party) the credentials a user used to login to our site (SP1). Then SP-3rd_party will authenticate those credentials against their own Identity Provider. Then that 3rd party IdP will redirect back to our service with either success or failure.
Our sites are all written in .NET 4.5. It seems that we as SP1 should just authenticate against their IdP and not go through their Service Provider (SP-3rd_party). Does that make sense? I feel we are making an additional hop that shouldn't be needed, but I am fairly new to all this. If anyone can provide guidance that would be great. Thank you!
This use case is commonly referred to as Service Provider Initiated SSO (SP-Init SSO) in SAML 2.0 and is fairly common. You can find a number of resources that outline the flow a little more succinctly -
http://documentation.pingidentity.com/display/PF70/SP-Initiated+SSO--Redirect-POST#SP-InitiatedSSO--Redirect-POST-1070862
https://developers.google.com/google-apps/sso/saml_reference_implementation
Also, see Section 4.1.2 of the SAML 2.0 Tech Overview document - https://www.oasis-open.org/committees/download.php/11511/sstc-saml-tech-overview-2.0-draft-03.pdf
HTH -
Ian
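What SP-initiated SSO with the HTTP-Redirect binding looks like on the wire, as an added example that is not from the answer above or any of the linked documents. Entity IDs and URLs are assumed; request signing (the `SigAlg`/`Signature` query parameters) is left out, and the IdP-side part only decodes the request, it does not implement the IdP. The point it illustrates is the one the answer makes: the SP sends the browser to the IdP with a request that carries no user credentials at all, and the IdP does the authenticating:

```python
# Added example: SAML 2.0 SP-initiated SSO, HTTP-Redirect binding for the AuthnRequest.
# Entity IDs and URLs are assumed; signing of the request is omitted.
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id=None, issue_instant=None):
    """SP side: the AuthnRequest. Note what is NOT in it: any user name or password.
    ID must be unique and remembered, so the Response's InResponseTo can be matched."""
    root = ET.Element("{%s}AuthnRequest" % NS["samlp"], {
        "ID": request_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(root, "{%s}Issuer" % NS["saml"]).text = sp_entity_id
    return ET.tostring(root, encoding="unicode")

def redirect_binding_url(idp_sso_url, authn_request_xml, relay_state):
    """SP side: HTTP-Redirect binding = raw DEFLATE (no zlib header), base64, URL-encode.
    RelayState is opaque SP state (e.g. where to send the user afterwards), not a secret."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii"), "RelayState": relay_state}
    return idp_sso_url + "?" + urlencode(params)

def decode_saml_request(url):
    """IdP side: undo the binding and read the fields the IdP acts on.
    A real IdP also checks Destination against its own URL and the Issuer against
    its list of registered SPs before showing any login page."""
    qs = parse_qs(urlsplit(url).query)
    xml = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode("utf-8")
    root = ET.fromstring(xml)
    return {
        "id": root.get("ID"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "destination": root.get("Destination"),
        "acs": root.get("AssertionConsumerServiceURL"),
        "relay_state": qs.get("RelayState", [None])[0],
    }

if __name__ == "__main__":
    req = build_authn_request("https://sp1.example.com/metadata",
                              "https://sp1.example.com/saml/acs",
                              "https://idp.example.org/sso")
    url = redirect_binding_url("https://idp.example.org/sso", req, "page=/orders")
    print(url)
    print(decode_saml_request(url))
```

After the IdP has authenticated the user it POSTs a signed `SAMLResponse` to the `AssertionConsumerServiceURL`; the SP verifies the signature, checks `InResponseTo` against the ID it issued, the audience, and the validity window, and only then creates its own session. At no point does the SP forward the user's password anywhere, which is why the "post the credentials to their SP" design in the question is the wrong shape.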

Common Custom STS for both Active and Passive Federation with ACS

I have a custom IP-STS (non-ADFS) for the passive federation scenario. For an active client I've created a custom IP-STS for active federation, referring to http://msdn.microsoft.com/en-us/library/hh446531.aspx. However, I'd like to use a single IP-STS for both passive and active clients. How do we handle this with a common FederationMetadata.xml, since the entityIds (endpoints) should be different for the active and passive scenarios? And what changes do we need to make in order to use a single STS for both?
Passive federation endpoint:
"https://localhost/MyCustomIdp" - Clients will be redirected to Login page.
Active federation endpoint:
"https://localhost/MyCustomIdp/Service.svc" - Clients will pass credentials to this service. The service has a ws2007HttpBinding endpoint and returns SAML token for given credentials after validation.
Look at the ADFS metadata - you'll see both passive and active endpoints.
In terms of how to implement it, have a look at Thinktecture IdentityServer.
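What "look at the ADFS metadata" means in practice, as an added example that is not part of the answer above and not IdentityServer's or ADFS's own code. WS-Federation metadata has one `entityID` per STS and, inside a `RoleDescriptor` of type `fed:SecurityTokenServiceType`, both a `fed:PassiveRequestorEndpoint` (browser redirects) and a `fed:SecurityTokenServiceEndpoint` (WS-Trust). The URLs below are the two from the question; the builder writes the unsigned skeleton for that layout and the parser reads the same two endpoint kinds back out of it or out of real ADFS metadata (where `SecurityTokenServiceEndpoint` points at the `/adfs/services/trust/mex` URL from which the concrete WS-Trust endpoints are discovered):

```python
# Added example: one FederationMetadata.xml, one entityID, both endpoint kinds,
# plus the read-back an RP would do. URLs are the question's; nothing is signed,
# whereas real ADFS metadata carries an enveloped XML signature that must be verified.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)

def _add_endpoint(role, tag, url):
    """<fed:TAG><wsa:EndpointReference><wsa:Address>url</wsa:Address></...>"""
    epr = ET.SubElement(ET.SubElement(role, q("fed", tag)), q("wsa", "EndpointReference"))
    ET.SubElement(epr, q("wsa", "Address")).text = url

def build_sts_metadata(entity_id, passive_url, active_url):
    """One EntityDescriptor, one fed:SecurityTokenServiceType role, both endpoints under it."""
    root = ET.Element(q("md", "EntityDescriptor"), {"entityID": entity_id})
    role = ET.SubElement(root, q("md", "RoleDescriptor"), {
        q("xsi", "type"): "fed:SecurityTokenServiceType",
        "protocolSupportEnumeration": NS["fed"],
    })
    _add_endpoint(role, "SecurityTokenServiceEndpoint", active_url)   # WS-Trust (ADFS: its /mex URL)
    _add_endpoint(role, "PassiveRequestorEndpoint", passive_url)      # WS-Federation (ADFS: /adfs/ls/)
    return ET.tostring(root, encoding="unicode")

def sts_endpoints(metadata_xml):
    """Read entityID plus the passive and active endpoint lists from WS-Federation metadata."""
    root = ET.fromstring(metadata_xml)
    info = {"entity_id": root.get("entityID"), "passive": [], "active": []}
    for role in root.findall("md:RoleDescriptor", NS):
        if not (role.get(q("xsi", "type")) or "").endswith("SecurityTokenServiceType"):
            continue   # skip other roles, e.g. fed:ApplicationServiceType in ADFS metadata
        for kind, tag in (("passive", "PassiveRequestorEndpoint"), ("active", "SecurityTokenServiceEndpoint")):
            for addr in role.findall("fed:%s/wsa:EndpointReference/wsa:Address" % tag, NS):
                info[kind].append(addr.text)
    return info

def check_sts_metadata(info):
    """RP-side sanity checks before trusting what the metadata says; returns a list of problems."""
    problems = []
    if not info["passive"]:
        problems.append("no PassiveRequestorEndpoint: browser clients cannot sign in")
    if not info["active"]:
        problems.append("no SecurityTokenServiceEndpoint: active clients cannot request tokens")
    for url in info["passive"] + info["active"]:
        if urlsplit(url).scheme != "https":
            problems.append("non-TLS endpoint: " + url)
    return problems

if __name__ == "__main__":
    xml = build_sts_metadata("https://localhost/MyCustomIdp",
                             "https://localhost/MyCustomIdp",
                             "https://localhost/MyCustomIdp/Service.svc")
    info = sts_endpoints(xml)
    print(info, check_sts_metadata(info))
```

So the entityID does not have to differ between the two scenarios: the same STS identity signs tokens for both, and clients pick the endpoint that matches their profile. The real ADFS file additionally lists signing and encryption keys, the claim types it can issue and a SAML 2.0 `IDPSSODescriptor`; the shape of the two endpoint elements is the same.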

ASP.NET / IIS Security (Windows Authentication)

This will probably turn out to be a doozie.
I'm developing an application in ASP.NET to be put on our company's intranet site. I've been handed a specification in regards to security and have no idea how to do it.
First part: The application is to use Windows Authentication. This part seems easy enough; I opened IIS in Administrative Tools, right-clicked the node of my website, chose Properties and checked 'Integrated Windows Authentication'. However, I have no idea how I will govern which people have access to my site. I'm thinking this should be taken care of at the database level. This is Q#1
Second part -- I have to implement a process for the following scenario: User 'Jane' can log in to our network, but does not have rights to my application. User 'Bob' does have rights to use my application. Bob needs to be able to sit at Jane's computer (under her network account), but be able to enter his credentials into my application and use it (even though Jane is logged into the local machine and network). This is Q#2
Any help, general direction, or advice would be appreciated. The winning lottery numbers would be appreciated even more.
Thanks,
Jason
You're looking for Windows Authentication and Authorization in ASP.NET
How To Use Windows Auth in ASP.NET
Authentication/Authorization Explained
How To Implement Windows Auth in ASP.NET
Part 2... you're right, that's tough. You'll need to roll your own custom security provider.
You'll have a login page, then check that against Active Directory yourself. From MSDN:
"ASP.NET also supports custom solutions for using Windows authentication, which bypasses IIS authentication. For example, you can write a custom ISAPI filter that checks the user's credentials against Active Directory. With this approach you must manually create a WindowsPrincipal object."
You've got requirements around authentication and authorization here.
Authentication: The act of confirming identity
Authorization: The act of correlating an identity to a privilege (e.g. Read/Write/Delete)
Windows Authentication is useful if you want "auto-signon" capability. The site will "know" the user by ID without them having to sign in.
The need for users to login from multiple locations means that you must implement a login page. This would fulfill your requirement in which one user may sit at another's workstation and log in.
You will want to authenticate users against the Windows domain. This can be done with a custom membership provider. Here's a walkthrough:
http://msdn.microsoft.com/en-us/library/ms180890(v=vs.80).aspx
This will allow you to present a login page that will authenticate users with their domain username and password. This will authenticate users: the identity of the user will be stored in HttpContext.User. You can then also maintain a user list in a database to store authorization data.
Also found this -- a pretty good resource for anybody out there who's in the same boat:
Mixing Forms and Windows Security in ASP.NET
http://msdn.microsoft.com/en-us/library/ms972958.aspx

ADFS v2.0 : How to federate with Windows Live, OpenID and Facebook

We have ADFS 2.0 running and have federated with various STS.
Is it possible to federate with Windows Live, OpenID and Facebook?
Some of our users already have these types of credentials and it would be a bonus to be able to use them.
If so, what URL would be used for the federation metadata address in the "Add Claims Provider Trust" wizard?
Any other gotchas?
ADFS doesn't natively support the protocols of those IP-STSs (with the possible exception of Windows Live). You'll need to put an FP-STS that understands those protocols (e.g., PingFederate) between ADFS and them.
We have been investigating this question a lot.
It seems that the best setup is to use ACS in combination with AD FS 2.0 as described in this article.
This setup also enables claims transformation, for example, if you want to add the corporate customer number as a claim.
We have not yet seen any examples where you can connect AD FS 2.0 directly to Facebook however.
Yes, there is no direct way to get the claims from ADFS; you need to configure ACS and set ACS as an identity provider in ADFS.
But the token validity for ACS is 24 hours at most, so you need to be happy with short-lived tokens for social identity providers.
