implementing single sign on using LDAP - asp.net

We want to develop an application for a customer which uses LDAP for authentication and makes use of the single sign-on (SSO) technique. We are very new to this topic.
What we think about LDAP up to now is (correct me if I am wrong):
1. There is an LDAP server somewhere which contains users and their associated roles.
2. When a user browses our web application it asks them to enter a username and password (which are actually the credentials for the LDAP server).
3. When the LDAP server authenticates, it sends a token to our web application; we put that token in cookies and use this token to authenticate users for every web application within our domain.
4. So using this technique we do not have to make additional modules for user management.
What are we missing?
Any idea will be appreciated.
Thanks in advance.

Related

Single sign-on using ADFS approach

One of my customers wanted to implement SSO using ADFS. I was thinking of doing a POC for the same using ADFS in Azure. But one requirement is that only some users have an ADFS login, and the other users need to use custom authentication using the identity provider.
Is it possible to use custom and ADFS authentication in the same web application? Like presenting a page with sign-in using SSO or sign-in with credentials?
My client just shared the federatedmetadata.xml. (Do we need to give the full URL, DNS name + metadata URL, when you create the new project?)
Is it possible to use custom and ADFS authentication in the same web application? Like presenting a page with sign-in using SSO or sign-in with credentials?
If you're open to it, you could integrate your application with an identity provider, and that provider does this for you.
For example:
Your application integrates with CAS as the IDP, and CAS presents this screen to the end user for the authn attempt. User can choose either option, and then once completed, they will be redirected back to your application to continue, and your application interacts with CAS to validate the user account/session. CAS itself is connected to your own account store, and is also integrated with ADFS.
What do you mean by "ADFS in Azure"? The only way to do this is to run ADFS as a VM in Azure. Otherwise, you would use Azure AD.
Yes, you can federate ADFS with other identity providers so they both are accessible from the same login screen.
What other identity providers are you looking at?
ADFS is not a project, it's a server add-on and it's all done via configuration on the Windows server.
In terms of importing metadata, see this.

How to get Window's logged in User Name and Password using ASP.NET WEB API 2

I am working on an Intranet application where I am calling a SAP service from an ASP.NET Web API. Currently it is working fine with HttpBasicAuthentication with a predefined user name and password. But now the requirement is to get the logged-in Windows user's user name and password through the ASP.NET Web API and pass it to the SAP service for authentication. Can anyone help me on this?
1) HttpBasicAuthentication won't apply in this case.
2) Use identity impersonate via the web.config tag (ref Identity Impersonate) to have the current user's identity taken up in api. However this will only work for Intranet based applications and not over internet. For Internet based, you will need to have Kerberos bridge (somewhat complicated) concept implemented.
3) In your app.start method, you need to set the current principal to the Windows principal.
Then you can have the user details available.
Please note that you will not have the user's password available as OS protects that very very securely. You can get the user's Kerberos token though which your target system can auth against the AD being used.

Sign out from Windows Authenticated ADFS and sign in as different user in form base auth

We are going to enhance the authentication and authorization system of our Intranet web app. After a few days of reading about ADFS, STS, claims-based authentication and ASP.NET Identity, I am still not sure how these things work together.
Most of our intranet web applications are using Windows Integrated Authentication; we use Windows groups or AzMan to do role-based authorization. We have a few applications (vendor applications) that use their own user database and forms-based authentication.
We want to add the following features to our web applications.
1. For the Windows Authentication applications, we want to let users sign out / sign in as a different user. So when User A uses his/her computer to access the application, it will be automatically logged in (default Windows Integrated Authentication). When he/she logs out, it will redirect to a form that allows entering other user credentials.
2. We want to allow a user to log in to System A using the System B username/password.
e.g. For the Windows Authentication application, we want to allow the user to log in to the application using the credentials of the forms-based application (vendor application), or vice versa.
I don't know if ADFS can solve these two problems.
From my understanding, the main purpose of ADFS is to allow access to internal applications from the Internet, and it requires SSL.
Our applications are all on the Intranet, and we don't want to manage the SSL cert.
But by using ADFS, perhaps I can enable both Windows and Forms Authentication on my application, and then let the user log out and redirect him to the login form, just like when he accesses it from outside the company network. That should solve problem 1.
For problem 2, what if I create a custom STS that issues security tokens using the user database of the forms-based authentication application? Then I can use claims-based authentication and allow one application to use both ADFS and my STS. That should solve problem 2.
Is my direction correct, or am I complicating the problem?
ADFS will not work without SSL.
Furthermore, all RPs have to use SSL.
Internally, users will be logged in seamlessly using WIA. When they log out, they will simply be seamlessly logged in again.
Also ADFS v3.0 and below can only authenticate against AD.
While what you want is possible using ADFS, the question is whether it's a good idea and worth the trouble. It may be more appropriate to ask the user to log out of the machine and log in with a different account so you can stick with Integrated Windows Authentication (IWA). Writing your own security infrastructure is fraught with peril.
If you really feel these are hard requirements and it is worth the trouble, the following may work.
Write an ASP.NET web application based on Katana and enable Integrated Windows Authentication. This will make sure that the first time a completely unauthenticated request comes in, the application will challenge the browser. Subsequent requests will have a WindowsPrincipal populated in the HttpContext.User and Thread.CurrentPrincipal.
Now, write a piece of OWIN middleware that checks if an authentication cookie is present. If the cookie is not present, it checks the Thread.CurrentPrincipal and serializes the claims into a secure cookie.
If the security cookie is present, it overwrites the WindowsPrincipal in Thread.CurrentPrincipal with a new ClaimsPrincipal created from the claims in the cookie.
Now, when a user navigates to the web application the first time, he/she will be logged in automatically using IWA and the cookie will be created. Now, provide a logout action which deletes the authentication cookie and presents the user with a username and password dialog.
In the POST handler for that action, use WIF to talk to the username endpoint in ADFS (using WS-Trust protocol) and try to authenticate the user with the supplied credentials. If successful, use the claims from the returned token to create a new authentication cookie.
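One way to build the cookie-promotion middleware this answer describes, as an added example that is not the answerer's code. It assumes Katana (Microsoft.Owin, Microsoft.Owin.Security.Cookies) on IIS with IWA enabled, and the names `AppCookie`, `app.signedout` and `/Account/Login` are placeholders; the logout action itself (sign out of the cookie scheme and set the marker cookie) and the WS-Trust call are not shown.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public class Startup
{
    public const string CookieScheme = "AppCookie";        // assumed name of the app's own cookie identity
    public const string SignedOutMarker = "app.signedout"; // assumed marker cookie set by the logout action
    public void Configuration(IAppBuilder app)
    {
        // Katana's cookie middleware encrypts and signs the ticket, so claims in the cookie cannot be forged.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieScheme,
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always,
            LoginPath = new PathString("/Account/Login"),
        });
        app.Use<PromoteWindowsIdentityMiddleware>();
    }
}

// Runs after the cookie middleware; IWA has already attached a WindowsIdentity to the request.
public class PromoteWindowsIdentityMiddleware : OwinMiddleware
{
    public PromoteWindowsIdentityMiddleware(OwinMiddleware next) : base(next) { }
    public override async Task Invoke(IOwinContext context)
    {
        var identities = context.Authentication.User?.Identities ?? Enumerable.Empty<ClaimsIdentity>();
        var cookieIdentity = identities.FirstOrDefault(i => i.AuthenticationType == Startup.CookieScheme);
        var windows = identities.OfType<WindowsIdentity>().FirstOrDefault(w => w.IsAuthenticated);
        bool signedOut = context.Request.Cookies[Startup.SignedOutMarker] != null;
        if (cookieIdentity != null)
            context.Request.User = new ClaimsPrincipal(cookieIdentity); // cookie wins over the IWA identity
        else if (windows != null && !signedOut)
        {
            // First visit: copy the IWA name and group SIDs into a cookie identity and sign in with it.
            var identity = new ClaimsIdentity(Startup.CookieScheme);
            identity.AddClaim(new Claim(ClaimTypes.Name, windows.Name));
            foreach (IdentityReference group in windows.Groups)
                identity.AddClaim(new Claim(ClaimTypes.GroupSid, group.Value));
            context.Authentication.SignIn(identity);              // cookie is written with the response
            context.Request.User = new ClaimsPrincipal(identity);
        }
        await Next.Invoke(context);
    }
}
```

The marker cookie is what stops IWA from silently re-creating the cookie on the very next request after logout; without it the user would never reach the credentials form, since ClaimsPrincipal.Identity also prefers a WindowsIdentity when both are present.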

Thinktecture Identity Server User Store

I am new to Identity Server, but I found it quite easy to set up.
Our goal is to implement SSO down the line, but at the moment we are just moving our authentication logic out of the application.
It is going well, except I have one point of confusion.
When I set up IdSrv, I had to create an admin user as well as a token-requesting user. This was to access and configure IdSrv.
For application auth, I have to use IdSrv as a federation server as well and authenticate users against some ASP.NET data store.
Now there is already one data store where Identity Server specific users are stored.
Should I be using the same store for my application user auth and create/edit these users in that store? Or can I/should I create a separate database for application-specific users and use both?
At the minute, I am authenticating application users against the IdSrv store.
I am not sure if I am thinking about this the right way in splitting these two user sets and calling one of them IdSrv-specific users. (We will have the Identity service deployed separately for each application.)
Thanks for your help in advance.

AngularJS with .NET Web API: Authentication with AD

I have a .NET Web API with a bunch of endpoints/methods that an Angular app calls. I now want to implement the login system against our Active Directory, and am wondering what my options are.
Back in the day, it was simple: Windows or Forms authentication, then just some simple configuration in the web.config, and maybe a custom provider. But now it seems like there are a lot more options with OWIN, OAuth, token-based authentication, etc.
Where do I start? I have a form with username, password, and a login button on the Angular app, and I have the active directory in the backend. What should happen after the user hits the login button? Any direction would help.
Thanks.
Well, it depends on what you actually need.
If you want to authenticate only AD users, then you can try to authenticate in AD on their behalf, and in case of success you return either a token or an authentication cookie.
But I don't think it is a good idea to make users use their domain password unless you have two factor authentication.
It's better to extend the AD schema with additional data for authentication through your service, or even to have a standalone auth server with associated domain user info. Look at how it is done in SQL Server (but in the reverse direction): you need to define an internal user corresponding to the domain login. This approach allows you to have users that do not belong to AD; sometimes this can be important for outsourcing some tasks.
Look at IdentityServer