I have a different access role for each of the pages in my application (using Windows Authentication) to restrict users from access, using SqlRoleProvider. So to add users to role, I would go,
Roles.AddUserToRole(userName, roleName);
Now, I need integrate the company's AD groups into my application, such that each AD groups will be assigned these access roles as well, and users part of a certain AD group will automatically "inherit" the roles.
My questions are:
Can I continue to use my SQL tables like aspnet_Users, aspnet_Roles etc?
How do I go about integrating AD groups? And how do I assign roles to AD groups? (So far, I can check all the AD groups a user is part of using Directory Entry).
As a user logs in to the application using Windows Authentication, after I check that they are part of a particular AD group, how do I "give" or "assign" them the roles as per AD group?
Would deeply appreciate your help with these questions.
The AD ASP.NET Membership and Roles system ties directly into AD, your database tables are ignored. An AD Group becomes an ASP.NET Membership Role.
The rest of my post is concerned with applications modifying AD groups directly:
You can, with great difficulty, but in that case it is not recommended.
Active Directory group membership is assigned by another user who is a member of the Domain Admins group, or is delegated the permission to assign users to other groups.
In order to do this from code (using ADSI) your program would then need to run under (or use an impersonation token of) a user identity that is a member of the Domain Admins group or is delegated that user right.
...this means that your program is suddenly trusted with an ability that if hacked or abused, can wreck havok in your security domain. I do not recommend doing this.
Documentation is available on MSDN: http://msdn.microsoft.com/en-us/library/windows/desktop/aa706022%28v=vs.85%29.aspx
Related
I have created a secondary User store using LDAP. By default, all users of the secondary store have no permission. Is it a way to assign the suscriber role to all users in one operation or I have to do it manually for each user ?
Thanks
Since by default WSO2 uses groupId('Organization) of the user to share the Application in the Devpotal as mentioned here in the documentation: sharing applications
You can go to the Carbon UI and search for the LDAP users among which you want to share an Application. Next to the User click on the 'User Profile' tab. There you can edit the value next to the 'Organization' column. For this, your secondary user store should be 'ReadWriteLDAPUserStore'. Similarly, edit the value for each user in the secondary user store to the same value to share the Application among them.
In fact, in the ldap user store if you configure LDAP groups there are automatically created as a role and you can apply permissions to a role which will be apply to all users of your LDAP group.
But I didn't find a way to share applications between users of a LDAP group ...
Here is a better way to achieve it. In the official documentation it is mentioned that it allows the Applications to be shared if we have common roles, in as you said WSO2 treats AD groups as roles. Lets assume you have two users user1 and user2 in your LDAP store both of which are the part of AD group 'AD_Group'.
So mention the AD group name common to the users among which application needs to be shared : -
Also change the configuration as following in the deployment.toml file : -
[apim.devportal]
enable_application_sharing = true
#application_sharing_type = "default"
application_sharing_claim=http://wso2.org/claims/role
I am trying out the multi tenent features in Azure Active Directory for my company. We want to offer single sign on and claims based authentication and authorization for users of our web applications. Some customers have their own Azure AD, while others will get users in an Azure AD that we own. We would like to allow all users from other approved Azure tenants to authenticate, but only specific users should be authorized since we charge the customer per user per application. Hopefully, our Azure AD groups can be used for this purpose. I have succesfully created a test app that allows users from both my Azure AD and from another tenent to log in to our application.
My question is this: Is it possible to add users from another Azure AD (that we do not control) to groups in our Azure AD, so that we can use the group membership of users to allow access to different applications that we build? Is this possible or have I missunderstood something fundamental? :) Should we abandon Azure AD groups and use our own sepperate database to store claims that can be assigned to users from all tenents during the ASP security pipeline instead?
The application I tested got read access to the other Azure AD and read/write access to our Azure AD. I was unable to assign users (from another Azure AD) to our groups through the Azure managment portal ("No user exists with this user name in a directory to which you have access.") and I have thus far been unable to do it with the graph api from the application. Adding users that I create in our Azure AD to our groups works fine.
Fundementally, you will need a database to keep your user mapping.
As we're here, consider Stackoverflow - you can create an identity with stackechange, but you can also use your existing identity from google, yhaoo or facebook. This means that SO needs to keep a record of your identity in some database, and next to it what you're allowed and not allowed to do.
In many respects though, you could consider WaaD simply as a database for that matter and automatically create the user record, but keep in mind that the user will not be authenticated to your AD. you will simply be using the graph API to query based on a key and this may be done more efficiently on a dedicated database or, arguably, something like Azure table storage.
Given that you will need to query the WaaD graph API to get group membership anyway (it is not provided with the initial claim-set) you could query table storage instead.
for your specific case of "No user exists with this user name in a directory to which you have access", YES, this can be met and you can add the user of one Azure AD(abc.onmicrosoft.com) to another(def.onmicrosoft.com).
Necessary Condition:
1. you have to be at least a global-admin-user & co-admin in the Azure AD in which you have to add the user from another Azure AD.
2. you should be explicitly added in the other Azure AD, whose user you are registering in the current Azure AD, with at least a "User" privilege.
Boom!! User added with "Sourced from: Another Azure AD" tag.
You can try B2B invitation from your Azure AD to the members of different domain. As you said you have to allow people from multiple tenants, create a group and add the users via B2B invitation and map that group to your app. This is really handy because that will work for a single go as well as being easy to maintain.
I am working on an Intranet Asp.net mvc with windows authentication enabled. I am building an asset management application, and I need to define user groups and security roles. For example I have a group that contains senior HR employees; this group will be linked to a security role. The security role will allow for example to add new vehicles, but only allow reading the information about IT assets such as PC, etc.
But since I am working on intranet and the users exists in the Active Directory, and I want to link the user groups to customize security role. So is it a recommended approach to use my own userGroups table and securityRole table to store the information about the user groups and their security roles.
Currently I only use the users from AD , but stores the info about user groups and security roles inside my custom tables. As this will give me more flexibility of implementing the requirements, OR it is recommended to use the build-in groups and role management that comes with asp.net?
Thanks
If the ability exists to maintain the active domain groups there is no reason to maintain a local groups table isinrole can be used for group access checks
I'm trying to implement some role-based functionality in my web application (.NET 4.0.3) so that I can control what menu items users can see based on their roles, either Administrator or User.
I'm simply using existing AD groups to administer the roles. Let's say there is a team in my organisation that is represented by an AD group called IT-Managers, and there is another team with AD group IT-Support. I simply want to map IT-Managers as Administrator and IT-Support as User.
I can easily use WindowsPrincipal.IsInRole() to check whether the currently logged-in user belongs to either group, but how do I tell the application that the logged-in user holds the Administrator role or the User role, therefore sitemap security trimming can pick this up?
By implementing your custom Role Provider. Once implemented you can easily use the ASP.NET role provider framework....
Roles.IsUserInRole("Admin");
Roles.GetUsersInRole("Users");
etc.
You can implement a Role Provider by implementing the RoleProvider abstract class or by extending an existing one such as SqlRoleProvider. There's a lot of extensive documentation out there. I'll paste a couple of links
http://msdn.microsoft.com/en-us/library/aa478950.aspx
http://www.codeproject.com/Articles/28546/Active-Directory-Roles-Provider
I am trying to find a way to handle two types of users for an intranet system. There are users who login and there are those who do not. I need to store both types of users in the membership db. Does anyone have a common solution to this problem?
This is for an event booking system. The users who are in AD will see the app. We need to store the O/S Name along with a few other attributes from AD in our membership db. The O/S Name gets captured using the Request.ServerVariables(). We need to store those "requester" details along with other details about the event that is being booked.. In addition to those users, there are users that actually log into the system. I was hoping to store both types of users in the membership db, so that when an event is retrieved, the user details will get retrieved from the membership db as wel
If you can use 'Integrated Windows Authentication' you have access to some information about the user connecting to your system.
Therefore you could use this information for the general case, without the login.
If a user then want's more access, he can logon to the site with a special username/pwd.
A membership DB would typically restrict access to a set of users for a particular application on an Intranet site. Only those who are in Active Directory as network users would even see the Intranet in the first place. And only a subset of those network users who have been granted privileges for your application in its membership system would see the link and/or be able to gain access in one role or another. Can you be a little more specific with respect to what you are trying to achieve? :-)