We have an ASP.NET application using Forms authentication (ASP.NET Membership). Now we would want to make it to be claim-aware ASP.NET application in below scenario:
ADFS acts as an IP-STS for intranet (AD) users
If AD User is not mapped to ASP.NET Membership User or mapped ASP.NET Membership User does not have permission to access application --> Fallbacks to form authentication (an external IP-STS)
If end-user accesses the application from outside the domain, we don't want ADFS to prompt for Windows Credentials. We would like redirect end-user to out external IP-STS using form authentication.
Is this scenario achievable? Or is there any other possible solution? And how should I setup/configure my application?
Thanks
The classic solution to this problem is to have two ADFS with a split DNS.
Internal users redirect to an ADFS in the Intranet configured for WIA.
External users redirect to an ADFS in the DMZ configured for FBA.
For your second point, not clear if internal or external user.
If external (i.e. FBA) then you can modify the Forms login page, access AD yourself and redirect appropriately.
Related
My Application in ASP.Net 4.0 Webform version. Application runs on SAAS based model. Deployed on Internet.
One of the client wants to use ADFS for SSO implementation.
When user logged in domain local intranet and try open Application deploy on Internet then he should be automatically logged into the application.
Process Flow will be
User Logged into Domain
Open Browser and try to open Internet application
Authenticate user with ADFS and Valid user then return the Claims
Any Blog or MSDN - how to configure ADFS (we did at our end but when user redirected to ADFS it again ask for Login from ADFS).
How to achieve this?
You are talking about IWA - refer this (page down).
Note this is browser functionality.
Create RP trust here.
We are having one web site which is developed in ASP.NET and VB code base and It has the normal forms authentication with username and password.
One of our client whats to setup the Single Sign On with our web site and they set up ADFS and gave us the Metadata xml file and We have created STS reference to that url and shared our website Metadata for them to add Relying party Trust.
when I access our website it redirecting to customer page and once they enter the login credentials and it's coming back with the Claims which is good.
Problem :
1).Now who ever access our website all user is automatically redirect to client ADFS login page which should not happen.Users should be Prompt with Our login page and it shouldn't automatically re-direct to client ADFS. If user Wants to use the SSO then it should be re-directed to client page ? How to handle that in programmatic ?
2).If one more client also wants to use the SSO with their IDp then how to configure more than one IDP for One web site?
Thanks.
WIF or OWIN?
WIF by default protects all pages.
You could un-protect your login page (location tag) and then if SSO redirect to a dummy protected page which will cause WIF to kick in.
Beware: for older apps. WIF and FBA in the same app. can cause problems.
The classic way to handle 2) is to federate the two ADFS. Then a user will see a Home Realm Discovery screen and get to chose which IDP.
I have three asp.net applications. Only one of them has a forms authentication login. I redirect anonymous users to that one login page for all three applications to login. Once they log in, they automatically redirected back to the application and page they were attempting to access.
I enabled this functionality by setting the same MachineKey in all three applications.
Is there a way to do this for ADFS 3.0 WIF authentication as well? It doesn't seem to work the same in my testing. When I log into the application that is wired up to ADFS, I still can't access the other two.
WIF and ADFS don't work the same way as traditional forms authentication. These technologies rely on issuing access tokens, and require that dependent applications (also known as Relying Parties, or RPs) configure a trust relationship with the token provider (AKA Identity Provider, or IP). You can't share the cookie with MachineKey between apps that have not directly authenticated with an IP, and to be quite honest you don't want to.
The typical web scenario (also known as Passive Federation) is to have a separate application that functions as a Security Token Service (STS). This application houses the Login.aspx page and is protected with Forms or Windows Authentication like you would find in a classic ASP.NET scenario. When you attempt to access a web application that requires authentication, it needs to be set up to redirect you to the STS website, rather than handling it by itself. Once you log into the central STS, it will issue you a token that you then provide to applications to gain access. If you use WIF properly, this is all handled behind the scenes and is just a matter of configuration.
Each of your three web applications should be configured with a trust relationship to your IP. You said that you have a web application wired up to ADFS already, if that's via the proper trust relationship, then you should simply have to replicate that set up to your other 2 applications.
I am developing an ASP.NET Web application which should be accessible to the users who can access from both intranet and internet. Could you suggest the approach to implement this with ADFS 2.0.
The requirement is when users are logged in in the intranet the authentication to the app should be seamless without giving user id and password. Whereas for the same users if they are accessing out side intranet it should take email id and password as creditentials and authenticate.
You can put an ADFS proxy in front of ADFS for external users which by default uses Forms.
Internal users will get Windows Auth.
ADFS out-the-box only allows authentication with user name.
You would have to do some custom development - refer Adjusting the Home Realm Discovery page in ADFS to support Email Addresses.
We have an ASP.NET web application that we offer as a Service (it's hosted and it's accessible on the Web). We use Forms Authentication and our users have to enter a username/password to connect to our application. Some of our customers ask that we support single sign-on by authenticating users with their own Active Directory.
Our application has a different URL for each customer
www.ourapp.com/client1/
www.ourapp.com/client2/
www.ourapp.com/client3/
and each URL has its own web.config file (where asp.net settings can be specified and can vary for each customer).
What do I have to change in my ASP.NET application to support that?
What do I have to change on my Windows server configuration?
What will the customer have to do on his side to enable that?
Regards,
Check How To: Use Forms Authentication with Active Directory in ASP.NET 2.0 In short, you configure an ActiveDirectoryMembershipProvider to verify each username/password with the customer's AD. The customer must create an AD account for you that is allowed to perform the verification - which may be a problem with some customers. What's more, your code will handle the actual username/password used by users in their internal network, which can be an even bigger problem with customers.
A more secure solution is to use federation (using ADFS) or Claims Authentication using Windows Identity Foundation. In this case you "only" have to set trust relations between your domain and theirs.