I have a windows azure application already running.(testing phase). Currently I use ACS authentication. users can log on with their windows live-ID. and this is all. no authorisation for now. I need to authorise users with different roles. plus I need also users to log on with different Identity providers like gmail and facebook. I have the idea to store profile information in a table (eg. Idp as partition key and User ID(which I get from the provider)as RowKey.)
Now I have have no idea how to give different roles and how to start? can any body give me a clear tutorial or just an idea how to begin with?
tnx
I suggest you take a look at the BlobShare application. This isn't a tutorial, but it's a complete application showing a few interesting concepts you could use:
The BlobShare Sample is a simple file sharing application that
demonstrates the storage services of the Windows Azure Platform,
together with the authentication and authorization capabilities of
Access Control Service (ACS).
http://blobshare.codeplex.com/
Related
I have built a web-based MVC application in .Net 6.0 that has been in use for years within my company (upgraded recently to 6.0, of course). One of the functions of the app has allowed internal users to send emails and this was working through the Office 365 SMTP until recently. Our parent company introduced MFA and since then, the email function is broken and alternative methods I have implemented are only half working. Based on my research, Microsoft Graph seems to be a good way to replace this email functionality, however I'm lost on how to implement it with my current app.
The application is hosted on our own server with IIS and uses Windows Authentication. What I have not been able to find is a step-by-step guide on how to implement Microsoft Graph API with this setup. I'm completely self-taught and maintain this app on the side, rather than as my main job. All of the examples I've found aren't particularly helpful on the "here's how".
What I do know is that I need to have the app registered in Azure AD. I've spoken with our admin, and that won't be a problem once I know what I need to do. With .NET Core (.NET 6.0), MVC, Windows Authentication, hosted on an internal server with IIS:
Is it possible to implement the Microsoft Graph API? (I believe the answer is yes)
Is there a good step-by-step guide on exactly what I would need to do?
The closest thing I've found is this: https://learn.microsoft.com/en-us/samples/azure-samples/active-directory-dotnet-iwa-v2/active-directory-dotnet-iwa-v2/
Unfortunately, I'm mostly just staring at the code, not able to figure out how I can make use of most of it. I'd appreciate any guidance or recommendations.
Let's tidy up the ideas first.
You have realized windows authentication, that means you can know who is signed in now, or in other words, your sending-email funtion knows who is the sender. Then you also need a page to let users set receive and CC list, subject and email content.
Then you want to use graph api to send email. This required you to have an azure ad application which has Mail.Send permission which permission type is Application(I think using this kind of permission is a good choice in your scenario). By the way, you also need to make sure email senders has their corresponding accounts in azure ad. Because graph api need to know who is the sender, and sender is required to be a member in the tenant which the azure ad application is registered(users outside the tenant can't use the resource in the tenant, right?). For example, users' account information are stored in your local database, and your app linked to your localbase, so your app knows who is the user, but when you try to use graph api/azure ad, you also make sure azure ad know who is the user, so azure ad can authenticate and graph api can know who is the user than allow the user call api.
Normally, in our application, we try to integrate azure ad so that users in azure ad can use their azure ad accounts to sign in, then use the authentication by azure ad, they can call graph api to do some actions. In you scenario, you didn't integrate azure ad authentication, so that using client credential flow to authenticate your app to call graph api is better, so I said give "Application" permission is better. You may refer to this answer and try the sample code in it.
In the code sample, it requires you to set user id as one of the input parameter. If the user passed windows authentication, I trust you can get the user id, but you need to make sure the user id is the same in azure ad. If not, you may also need to set up a matching relationship.
I want to create a new .NET application with implemented Individual User Accounts.
Actually, there is no more possible to create it with users stored in local DB so Active Directory is necessary.
I created AD on Azure but have no clue how to fill this form.
I have a problem with all three inputs.
I have 3 question:
How to fill this form?
Is there any reason why I should implement Authentication by myself.
Is there other solution to get authentication out of the box? (like template with already implemented authentication)
To answer your first question, filling out the form, you will need to get these details from the Azure AD you setup. The Domain Name is the domain you created in Azure Ad. The Application ID is the guid you got when you registered your application in your Azure AD. The last field, Sign-up or sign-in policy, is the Azure AD policy you want to use to manage people signing up for your service as well as signing into your service.
The problem is, setting up your Azure AD is only one step out of many. What you should be learning how to do is setting up Single Sign On (SSO) using Azure AD. For that, I suggest looking at Authentication Scenarios for Azure AD, What is application access and single sign-on with Azure Active Directory? and Azure Active Directory B2C: Built-in policies. These series of articles should put you on the right path to get started with using Azure AD.
Your second question can be subjective, so I'll simply point things you will need to concern yourself with if you try to implement your own authentication. The biggest problem with doing it your self is making sure you have addressed the necessary security concerns. You will need to have your passwords stored securely which means salting and hashing them (I suggest Googling if you aren't aware of those term). You will also need to handle scenarios like password reset, forgetting user name and/or handling inactive or disabled user accounts. Many organizations and developers like using third party providers for SSO so they don't have to deal with such issues.
For your last question, yes there are. Microsoft does include a basic one with their web project templates (if you choose) and there are other providers out there such as Google or Facebook. There are many other options out there that are open source. A quick search on NuGet yielded over 2k results (https://www.nuget.org/packages?q=user+authentication).
What is the best method of securing a REST Web API with the following requirements. The system has an Angular JS frontend with the REST APIs implemented in ASP.net.
There are two "roles" in the system, users will have one of the
roles. One role should allows access to some APIs (call it "VIEW"),
the other role allows access to other APIs
All users are in Active Directory, so if I have a username, I can check what role they are in- Some clients are on Windows boxes, the others are on Linux
I would like to persist the session so I don't have to look up AD for every API call
I would like single sign on. On the Windows machines, I don't require them to enter user and pass as I already can retrieve their username using Windows Authentication.
I believe that Oauth would be my best option.
There are two "roles" in the system, users will have one of the roles.
One role should allows access to some APIs (call it "VIEW"), the other
role allows access to other APIs
For role based authentication, you can use [Authorize("Role" = "Manager")]. The token will be provided by the identity server and will contain the claim as Role.
All users are in Active Directory, so if I have a username, I can
check what role they are in- Some clients are on Windows boxes, the
others are on Linux
If you have ADFS then you can have an Identity server that trusts the ADFS. The ADFS will provide a token which will have the claim for role and your Identity Server will do the claims transformation and will return the same Role claim back to angular app.
I would like to persist the session so I don't have to look up AD for
every API call
For this while requesting the token, you can ask for offline scope so the Identity server will provide the Refresh Token with Access Token so you don't need to ask for AD again and again.
I would like single sign on. On the Windows machines, I don't require
them to enter user and pass as I already can retrieve their username
using Windows Authentication.
For this one, you can have your Identity sever trust the WSFederation for windows Authentication.
So basically you need to setup Identity server that will provide you with the token and the REST API will use that token to verify claims to return the correct information back to the user.
I am not sure what you expect exactly. Anyway, first I'm gonna reformulate your question with requirements:
you accounts and role are in active directory
you want to manage roles based on an active directory group
you want anybody whatever the system (windows, linux, mac, mobile...) to connect on your application using the same authentication
you want to avoid your AD to be hit constantly (not at any call for example)
if the user is connected on an application that uses the authentication system, he doesn't have to do it so again on another application that uses the same authentication system
If these requirements are yours. I believe the only standard (and clean) solution is to use OAuth. I'm not gonna go in detailed description of OAuth, but this authentication protocol is the most standard one on the net (facebook, google, twitter...). Of course as you don't want to use facebook, google or twitter accounts in your business applications but your active directory accounts you'll have to install/setup/develop your OAuth identity provider using accounts of your active active directory server. Your choice will depend on how well you know ADFS protocol and its different flows (code, implicit, assersion) You have two solutions for it:
Use ADFS: install ADFS; it provides a OAuth portal that will work out of the box with asp.net mvc. This uses the code flow of OAuth that is the only OAuth flow supported by ADFS. For roles and its related AD groups, you'll have to map role claims with AD groups. (it's in the setup of adfs, you'll find many tutos on the net). You'll find lot of tutos as well about how to use ADFS with asp.net mvc/asp.net webapi. I mention .net here, but every technology has an implementation for OAuth authentication (nodeJs/express, php, java...).
Use thinktecture identity server (.net technology). This will provide all the foundation to implement a custom identity server with the least effort: http://www.thinktecture.com/identityserver / https://github.com/IdentityServer/IdentityServer3. It contains an addin to plug its accounts to active directory. With this, you can use implicit and assertion flows.
Use oauth2orize (for nodeJs): https://www.npmjs.com/package/oauth2orize. This will permit you to make the same than thinktecture identity server but in nodeJs. Apparently you'll have to make all the wirering with ad manually. With this, you can use implicit flows (not sure about assertion flows).
At application side, most of frameworks can authenticate easily using OAuth with a lot of existing frameworks. For example, even if you make a single page application, you can use adal.js or oidc.js for angular if you use angular. As I mentioned above, all this is taken in charge by asp.net mvc/webapi out of the box but I know it's the case for other server technologies. If you have more questions, don't hesitate as I'm not sure of what you expect exactly.
I have an existing production application that uses vanilla ASP.Net Membership for authentication.
However, I'd like to provide other means of authentication as well as the current ASP.net membership system, such as Facebook.
The Windows Azure Access Control Service makes this extremely easy and straight forward. Provided, that is, you're starting a new web application from scratch.
So, in this case, how do I
Integrate the Access Control Service authentication into my app without affecting the current login system and its users?
Migrate users over or Link logins? ( not sure if this is even possible)
Thanks all
Roberto
You need to create a custom identity provider based on your membership database. See this article on custom WS-Federation Identity Providers that can be integrated to access control: http://msdn.microsoft.com/en-us/library/windowsazure/gg185933.aspx
Also see this article on one that was written on top of the membership database: http://blogs.msdn.com/b/vbertocci/archive/2009/04/23/enhance-your-asp-net-membership-based-website-by-adding-identity-provider-capabilities.aspx
Approach of creating an identity provider (IP) based on your ASP.NET membership database which Paul Tyng suggested is valid.
However, it means that if you just create an IP you'll allow log in to all people who are authorised with other IPs (e.g. Google or Facebook). I'm guessing it's not what you want - you'd still want people to first register (either plainly with username-password or with their external identity). If that's the case then your task is the following:
Add a data store for users' external identities which is related to your existing Users table.
Modify the ACS login handling within your application to check that the identity returned from ACS actually exists in your members database.
Perform member log in (instead of federated log in) if you found the returned identity in your db.
Add external identity tie in during the registration process so your Identities table can be actually populated.
(optional) Re-use the bulk of the #4 mechanism to provide an ability to attach external identity to existing user accounts (i.e. I already have a normal membership with you and now want to add an ability to log in with Google as well, for example).
There is no one single tutorial/walk-through to achieve this (or I have not found one) so I had to pull bits from a variety of sources to make it work. Please let me know in the comment if I understood your requirement correctly and I'll add a guide on how to set this up. Cheers!
Might be a bit late, but check out the following blog posts by fellow Windows Azure MVP - Dominik Bayer:
Mixing Forms and Token Authentication in a single ASP.NET Application
Mixing Forms and Token Authentication in a single ASP.NET Application (the Details)
Replacing ASP.NET Forms Authentication with WIF Session Authentication (for the better)
Invaluable readings which will help you in any way!
This will probably turn out to be a doozie.
I'm developing an application in ASP.NET to be put on our company's intranet site. I've been handed a specification in regards to security and have no idea how to do it.
First part: The application is to use Windows Authentication. This part seems easy enough; I opened IIS in Administrative Tools, right clicked the node of my website, properties and checked 'Integrate Windows Authentication'. However, I have no idea how I will govern which people have access to my site. I'm thinking this should be taken care of at the database level. This is Q#1
Second part -- I have to implement a process for the following scenario: User 'Jane' can log in to our network, but does not have rights to my application. User 'Bob' does have rights to use my application. Bob needs to be able to sit at Jane's computer (under her network account), but be able to enter his credentials into my application and use it (even though Jane is logged into the local machine and network). This is Q#2
Any help, general direction, or advice would be appreciated. The winning lottery numbers would be appreciated even more.
Thanks,
Jason
You're looking for Windows Authentication and Authorization in ASP.NET
How To Use Windows Auth in ASP.NET
Authentication/Authorization Explained
How To Implement Windows Auth in ASP.NET
Part 2...you're right, that's tough. You'll need to roll your own custom security provider.
You'll have a login page, then check that against Active Directory yourself. From MSDN
ASP.NET also supports custom solutions
for using Windows authentication,
which bypasses IIS authentication. For
example, you can write a custom ISAPI
filter that checks the user's
credentials against Active Directory.
With this approach you must manually
create a WindowsPrincipal object.
You've got requirements around authentication and authorization here.
Authentication: The act of confirming identity
Authorization: The act of correlating an identity to a privilege (eg Read/Write/Delete)
Windows Authentication is useful if you want "auto-signon" capability. The site will "know" the user by ID without them having to sign in.
The need for users to login from multiple locations means that you must implement a login page. This would fulfill your requirement in which one user may sit at another's workstation and log in.
You will want to authenticate users against the Windows domain. This can be done with a custom membership provider. Here's a walkthrough:
http://msdn.microsoft.com/en-us/library/ms180890(v=vs.80).aspx
This will allow you to present a login page that will authenticate users with their domain username and password. This will authenticate users- the identity of the user will be stored in the HttpContext.User. You can then also maintain a user list in a database to store authorization data.
Also found this -- a pretty good resource for anybody out there who's in the same boat:
Mixing Forms and Windows Security in ASP.NET
http://msdn.microsoft.com/en-us/library/ms972958.aspx