Single Sign On With thinktecture IdentityServer v2 - asp.net

I'm running thinktecture IdentityServer v2 with two Relying Parties in my qa environment on Windows Server 2008 R2 Standard.
IdentityServer is configured for two RPs, one using Federation, the other OAuth.
My first relying party (www.sitenumberone.com) is an ASP.Net Framework 4 web site using WIF Federation.
My second relying party (www.sitenumbertwo.com) is an ASP.Net Framework 4.5 MVC 4 application using OAuth.
When I attempt to access www.sitenumberone.com I am redirected to IdentityServer login and when I am authenticated I am redirected back to www.sitenumberone.com. This part works.
My problem is, once I have authenticated to www.sitenumberone.com, if I try to hit www.sitenumbertwo.com I am redirected back to the IdentityServer login page. I would expect it not to redirect me back to the login because I have already authenticated.
I have done some research and have not been able to find a solution to this problem. Do I need to set up www.sitenumberone.com as an OAuth client in IdentityServer?
I hope someone can help.

I think you need to add some auth param from your request site and also on the sitenumbertwo authentication method.

Related

How to manage .NET Core API as a ServiceProvider to an existing IdentityProvider with Saml2?

Hello all and thanks first,
I have a project that has a .NET Core 2 API and an Angular 8 client application. I have implemented token-based authentication between the app and the API (without using IdentityUser or IdentityRole).
Now I have to do authentication over SSO. I have a SAML2 identity provider's metadata and configured my API with this metadata using the Sustainsys.Saml2.AspNetCore2 package.
Now I can create my own metadata and have registered this metadata with the IdentityProvider. Everything seems okay
up to this point, but when I try to log in from the IdentityProvider login page there is no change on my API.
Crazy questions in my mind:
In the Identity Provider's metadata there are only SSO and SLO redirect URLs. There is no other method for AuthnRequests (HTTP POST etc.). How will I log in to this IdP?
The IdP has its own login page. If I have to redirect the user to this login page, will I get any authentication token or cookie? Will my API be made aware of this login?
There should be authentication data in any case (token, cookie, session id etc.). Where will I get this data to set the Authorization header while sending requests to my API?
I have been trying for a while, but my last attempt also does not work.
Can anybody help please?
Thanks a lot.
You need to redirect to the identity provider, and it will then redirect back to your service provider api, from which you can set whatever security mechanisms you are using, and then redirect again to your local front-end (wherever you need to send your user).
Here are some resources I found helpful:
1) https://learn.microsoft.com/en-us/aspnet/core/security/authentication/?view=aspnetcore-3.1 (how authentication schemes work in .Net Core)
2) ASP.Net Core SAML authentication
   1. https://github.com/Sustainsys/Saml2 (SAML 2.0 authentication package)
   2. https://stubidp.sustainsys.com/ (Free IdP – can be used instead of local implementation, if desired. A local implementation would require deployment of the “Sustainsys.Saml2.StubIdp” project).
3) Sustainsys SAML2 Sample for ASP.NET Core WebAPI without Identity
4) https://github.com/hmacat/Saml2WebAPIAndAngularSpaExample (super useful sample implementation)
5) Not able to SignOut using Saml2 from Sustainsys (help in getting the logout to work with https://stubidp.sustainsys.com)
6) https://www.nuget.org/packages/Sustainsys.Saml2.AspNetCore2/
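The redirect chain the answer describes (browser to IdP, IdP back to the API, API issues its own credential, then on to the front end), written out as an added example for a .NET Core 2 API using the Sustainsys.Saml2.AspNetCore2 package. This is not code from the thread or from the Sustainsys project; the entity IDs, metadata URL, route names, JWT signing key and front-end URL are placeholders. The cookie scheme only carries the validated SAML result across the handshake; the Angular client never sees it and uses the JWT instead.

```csharp
// Added example: SP-initiated SAML login that ends with a JWT for an SPA.
// Assumptions (placeholders): entity IDs, metadata URL, FrontEndUrl, JwtKey.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
using Sustainsys.Saml2;
using Sustainsys.Saml2.AspNetCore2;
using Sustainsys.Saml2.Metadata;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(o =>
        {
            // The cookie holds the SAML result only during the handshake;
            // challenges (unauthenticated requests) go to the SAML handler.
            o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = Saml2Defaults.Scheme;
        })
        .AddCookie()
        .AddSaml2(o =>
        {
            o.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            // Our SP entity id; this is what the IdP has registered from our metadata.
            o.SPOptions.EntityId = new EntityId("https://api.example.test/Saml2");   // placeholder
            o.SPOptions.ReturnUrl = new Uri("https://api.example.test/api/auth/callback");
            // SSO/SLO endpoints, signing certificate and bindings come from the IdP metadata.
            o.IdentityProviders.Add(new IdentityProvider(
                new EntityId("https://idp.example.test/metadata"), o.SPOptions)      // placeholder
            {
                MetadataLocation = "https://idp.example.test/metadata",              // placeholder
                LoadMetadata = true
            });
        });
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseMvc();
    }
}

[Route("api/auth")]
public class AuthController : Controller
{
    private const string FrontEndUrl = "https://app.example.test/login/callback";   // placeholder
    private static readonly SymmetricSecurityKey JwtKey = new SymmetricSecurityKey(
        Encoding.UTF8.GetBytes("placeholder-load-a-32-byte-or-longer-secret-from-config"));

    // Step 1: the SPA sends the browser here. Challenge builds the AuthnRequest and
    // redirects to the IdP's SSO URL (the HTTP-Redirect binding from its metadata).
    [HttpGet("login")]
    public IActionResult Login()
    {
        var props = new AuthenticationProperties { RedirectUri = "/api/auth/callback" };
        return Challenge(props, Saml2Defaults.Scheme);
    }

    // Step 2: the IdP POSTs the SAML Response to /Saml2/Acs; the middleware validates
    // the signature, audience and conditions, signs in to the cookie scheme and lands here.
    [HttpGet("callback")]
    public async Task<IActionResult> Callback()
    {
        if (!User.Identity.IsAuthenticated)
            return Unauthorized();

        var jwt = new JwtSecurityToken(
            issuer: "https://api.example.test",
            audience: "angular-client",
            claims: User.Claims,                     // NameID and attributes from the assertion
            expires: DateTime.UtcNow.AddHours(1),
            signingCredentials: new SigningCredentials(JwtKey, SecurityAlgorithms.HmacSha256));
        string token = new JwtSecurityTokenHandler().WriteToken(jwt);

        // The cookie has done its job; only the JWT is used from here on.
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);

        // Step 3: hand the token to the SPA. The fragment is not sent to the server
        // and does not appear in server logs or Referer headers.
        return Redirect(FrontEndUrl + "#access_token=" + Uri.EscapeDataString(token));
    }
}
```

The SPA reads the token from the fragment after the redirect and sends it as `Authorization: Bearer ...` to the API, which validates it with the same key through its existing JWT bearer setup. The IdP metadata containing only SSO and SLO URLs is normal: those URLs are where the AuthnRequest and LogoutRequest are sent, and the binding attribute on each endpoint (HTTP-Redirect or HTTP-POST) tells the library how to send them.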

Does my asp.net web site need to do redirect to IdP server when doing web sso with ADFS 2.0 and SAML 2.0

My asp.net web site is .NET 4.5. We got a metadata.xml file from the partner company and also gave them our metadata.xml file. They say that they use SAML 2.0, so I am a little bit confused, but I guess we fall into the WS-Federation scenario for authentication (and NOT the Web SSO SAML protocol). We want to implement SP-initiated:
Does my asp.net web site's default page need to redirect to the IdP server when doing web SSO with ADFS 2.0 and SAML 2.0, or is it done by the ADFS infra?
(the IdP server is also ADFS 2.0 + SAML 2.0)
Does my asp.net web site need to make a logout request to the IdP server?
Does my asp.net web site's default page just need to extract the claims from the HTTP user context, take for example the user's email address, and mark this user as logged in?
SP Initiated is SAML not WS-Fed so you need to go the SAML protocol route.
Easiest way is to use WIF (older technology) or the newer OWIN WS-Fed libraries on the ASP.NET application side.
This will then do all the redirection to ADFS for you.
It will return a Claims Principal which will contain all the claims.
yes (You need to be redirected on IDP server to enter the credentials)
yes (Logout request should be made to IDP server as well)
I'm not sure about the .NET application, but according to the SAML specification you will receive a response from the IdP and you need to check whether the logout was successful or not.

Forms authentication and Federation Authentication(Single Sign On + ADFS 2.0 + SAML) in Same ASP.NET Website

We have one web site which is developed in ASP.NET with a VB code base, and it has normal forms authentication with username and password.
One of our clients wants to set up Single Sign On with our web site. They set up ADFS and gave us the metadata XML file; we have created an STS reference to that URL and shared our website metadata for them to add a Relying Party Trust.
When I access our website it redirects to the customer page, and once they enter the login credentials it comes back with the claims, which is good.
Problem:
1) Now whoever accesses our website is automatically redirected to the client's ADFS login page, which should not happen. Users should be prompted with our login page and it shouldn't automatically redirect to the client's ADFS. If the user wants to use SSO then it should be redirected to the client page. How to handle that programmatically?
2) If one more client also wants to use SSO with their IdP, then how to configure more than one IdP for one web site?
Thanks.
WIF or OWIN?
WIF by default protects all pages.
You could un-protect your login page (location tag) and then if SSO redirect to a dummy protected page which will cause WIF to kick in.
Beware: for older apps, WIF and FBA in the same app can cause problems.
The classic way to handle 2) is to federate the two ADFS. Then a user will see a Home Realm Discovery screen and get to choose which IDP.
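An added example, not from the answer above, of the "unprotected login page plus a protected SSO entry point" idea done in code for an ASP.NET 4.5 site on WIF (System.IdentityModel.Services). It hooks the `RedirectingToIdentityProvider` event that WIF raises before bouncing a request to the STS: ordinary pages are sent to the local forms login instead, and only requests to the SSO entry path are federated, with the target ADFS chosen per client rather than through a federated Home Realm Discovery screen. The path names, the `idp` query parameter, the client names and ADFS URLs are placeholders; it assumes web.config registers WSFederationAuthenticationModule and SessionAuthenticationModule under those names and unprotects Login.aspx with a `<location>` element. Every ADFS chosen this way must also appear in the `issuerNameRegistry` of web.config, otherwise its tokens are rejected.

```csharp
// Added example: Global.asax.cs for an ASP.NET 4.5 + WIF site that keeps its own
// forms login as the default and starts federation only from /SsoEntry?idp=<client>.
// Assumptions (placeholders): the path names, "idp" parameter, client names and URLs.
//
// web.config (not shown in full) still needs the login page opened up:
//   <location path="Login.aspx">
//     <system.web><authorization><allow users="*"/></authorization></system.web>
//   </location>
using System;
using System.Collections.Generic;
using System.IdentityModel.Services;
using System.Web;

public class Global : HttpApplication
{
    // Client name -> that client's ADFS WS-Federation passive endpoint (placeholders).
    private static readonly Dictionary<string, string> IdpByClient =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "clientA", "https://adfs.client-a.example/adfs/ls/" },
            { "clientB", "https://adfs.client-b.example/adfs/ls/" },
        };

    // ASP.NET auto-wires Global.asax methods named <module name>_<event>; the module
    // name is the one used in web.config ("WSFederationAuthenticationModule").
    void WSFederationAuthenticationModule_RedirectingToIdentityProvider(
        object sender, RedirectingToIdentityProviderEventArgs e)
    {
        var context = HttpContext.Current;
        var req = context.Request;

        // Question 1: anything other than the explicit SSO entry point gets the
        // local forms login page instead of the client's ADFS.
        if (!req.Path.StartsWith("/SsoEntry", StringComparison.OrdinalIgnoreCase))
        {
            e.Cancel = true;
            context.Response.Redirect(
                "~/Login.aspx?ReturnUrl=" + HttpUtility.UrlEncode(req.RawUrl),
                endResponse: false);
            context.ApplicationInstance.CompleteRequest();
            return;
        }

        // Question 2: choose the IdP from an allow-list keyed by client. The value
        // comes from the query string, so it is never used as a URL directly.
        string client = req.QueryString["idp"];
        string idpUrl;
        if (client == null || !IdpByClient.TryGetValue(client, out idpUrl))
        {
            e.Cancel = true;
            context.Response.StatusCode = 400;
            context.ApplicationInstance.CompleteRequest();
            return;
        }

        // Keep wtrealm (our identity) as configured; only the STS endpoint changes.
        e.SignInRequestMessage.BaseUri = new Uri(idpUrl);
    }
}
```

/SsoEntry is just a protected page (or a route protected by the default deny rule), so an anonymous request to it triggers WIF, the handler picks the client's ADFS, and after the token comes back the session cookie that SessionAuthenticationModule writes is what keeps the user signed in. The caveat in the answer still applies: forms authentication and WIF in one application means two session mechanisms, so sign-out has to clear both.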

Identity Server v2 Multiple Origin Login

I'm running thinktecture IdentityServer v2 with one Relying Party in my development environment (Windows 7 Professional Visual Studio 2012).
My relying party (www.myprotectedcustomersite.com) is an ASP.Net Framework 4 web site using WIF Federation.
This works fine. When I attempt to access www.myprotectedcustomersite.com I am redirected to IdentityServer login and when I am authenticated I am redirected back to www.myprotectedcustomersite.com.
My problem is, I have another site (www.mycompanyfrontdoorsite.com) where users need to be able to login (on the home page) and authenticate then redirect to www.myprotectedcustomersite.com via IdentityServer. Most of my users enter www.myprotectedcustomersite.com this way.
I'm not sure how I would configure this. I have done some research and have not been able to find a solution to this problem.
I'm trying to accomplish this without making any significant changes to IdentityServer.
I hope someone can help.
Sounds like each of those needs to be a separate RP configured in your STS. Then if/when RP1 wants to send the user to RP2, it can do the redirect. Once they land on RP2, it will trigger authentication to the STS and they will still be logged in which will issue the token to RP2. Recall one goal of federation is SSO. I don't see why IdentityServer needs to be involved with the redirect at all.

using WIF in ASP.NET Web API Service

I am trying to do something like this:
I have an MVC4 Web App and a Web API service (hosted on two separate roles in Azure).
Another role runs CustomSTS1.
The MVC Web App trusts the CustomSTS1.
Now when the customer logs into the site he is redirected to the STS login page.
Once logged in, he is redirected back to the MVC Web Site.
From this web site, the customer performs actions, which in turn invoke the web-API Service.
I have the SAML token in the web app, which I pass to the WebAPI service.
Now when I try to validate the SAML token at the Web API side, I get a
Message=ID1032: At least one 'audienceUri' must be specified in the SamlSecurityTokenRequirement when the AudienceUriMode is set to 'Always' or 'BearerKeyOnly'. Either add the valid URI values to the AudienceUris property of SamlSecurityTokenRequirement, or turn off checking by specifying an AudienceUriMode of 'Never' on the SamlSecurityTokenRequirement.
This is without the Web API service trusting the CustomSTS1
Once I setup the trust,
I am always given an HTTP 401 UNAUTHORIZED whenever I try to make an HTTP GET request to the Web API service.
Now, my question is (I know that my current approach is definitely wrong):
How do I set up the trust relationship with the CustomSTS1, such that the Web API service is able to do an ActAs on behalf of the user logged into the MVC site?
OR
Is this architecture wrong?
And is there another way to achieve this?
That approach is wrong conceptually. The MVC application should negotiate a new token for the Web API in the STS using ActAs. That's how it traditionally works for SOAP Services. However, Web APIs are moving away from SAML as it is a complex format that relies on different WS-* specs. OAuth 2.0 is becoming the standard in that area if you want to support SSO at that level.
Another approach is to establish an implicit trust between the MVC app and the Web API, so all the calls to the Web API from the MVC app are done through a more standard HTTP auth mechanism like Basic Auth using a specific set of credentials that only the MVC app knows. The info about the logged-in user in the MVC app is passed as additional information.
Regards,
Pablo.
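The second approach in the answer, the trusted-subsystem pattern, as an added example (not Pablo's code) for ASP.NET Web API 2: the MVC role authenticates to the API with one Basic credential that only it holds, and the identity of the user who is logged in to the MVC site travels as an extra header. The header is believed only after the app credential has been verified, which is the property that makes the pattern safe; the header name, app user name, secret and claim type are placeholders, and the example assumes the two roles talk over HTTPS, since Basic auth is just base64.

```csharp
// Added example: Web API 2 DelegatingHandler implementing "implicit trust" between
// the MVC front end and the API. Assumptions (placeholders): header name, AppUser,
// the secret, and that the MVC -> API channel is HTTPS.
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

public class TrustedSubsystemHandler : DelegatingHandler
{
    private const string ActingUserHeader = "X-Acting-User";   // placeholder header name
    private const string AppUser = "mvc-front-end";            // placeholder, load from config
    private static readonly byte[] AppSecretSha256 =
        Sha256("placeholder-long-random-secret-from-config");   // placeholder

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // 1. Authenticate the calling application, never the end user, from Basic auth.
        var auth = request.Headers.Authorization;
        if (auth == null
            || !string.Equals(auth.Scheme, "Basic", StringComparison.OrdinalIgnoreCase)
            || !CredentialIsValid(auth.Parameter))
        {
            var reject = request.CreateResponse(HttpStatusCode.Unauthorized);
            reject.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"api\""));
            return reject;
        }

        // 2. Only now is the forwarded user identity trusted.
        string actingUser = request.Headers.Contains(ActingUserHeader)
            ? request.Headers.GetValues(ActingUserHeader).FirstOrDefault()
            : null;
        if (string.IsNullOrWhiteSpace(actingUser))
            return request.CreateResponse(HttpStatusCode.Forbidden, "missing acting user");

        // 3. Build the principal the controllers will see; keep a record of which app called.
        var identity = new ClaimsIdentity("TrustedSubsystem");
        identity.AddClaim(new Claim(ClaimTypes.Name, actingUser));
        identity.AddClaim(new Claim("caller_app", AppUser));
        var principal = new ClaimsPrincipal(identity);
        request.GetRequestContext().Principal = principal;
        Thread.CurrentPrincipal = principal;

        return await base.SendAsync(request, cancellationToken);
    }

    private static bool CredentialIsValid(string basicParameter)
    {
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(basicParameter ?? "")); }
        catch (FormatException) { return false; }

        int colon = decoded.IndexOf(':');
        if (colon < 0) return false;
        string user = decoded.Substring(0, colon);
        string secret = decoded.Substring(colon + 1);

        // Hash both sides and compare in fixed time so response timing leaks nothing.
        return user == AppUser && FixedTimeEquals(Sha256(secret), AppSecretSha256);
    }

    private static byte[] Sha256(string s)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(Encoding.UTF8.GetBytes(s));
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Registration, e.g. in WebApiConfig.Register:
//   config.MessageHandlers.Add(new TrustedSubsystemHandler());
```

The MVC side sets `Authorization: Basic <base64(app:secret)>` and `X-Acting-User: <name from its own ClaimsPrincipal>` on every call. The API cannot tell whether the user really authenticated at the STS; it trusts the MVC app for that, which is exactly the trade-off the answer contrasts with ActAs, where the STS itself issues a token for the API scoped to the user.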
