We are looking into Microsoft ASP.NET (WS-Federation with Windows Identity Foundation) interoperability with WSO2 Identity Server. I posted the issue on the forum 14 weeks ago (http://wso2.org/forum/thread/14221) but have not got any response on the thread yet. I would really appreciate it if I could get some guidance on how to configure the passive STS in the context of an ASP.NET client using the WS-Federation protocol (Windows Identity Foundation) for the claims-based security model. In our last investigation session, we found the Stonehenge project (http://incubator.apache.org/stonehenge/) as the example closest to what we want to achieve, but Identity Server version 3.2.0 had the Passive STS feature missing, which I hope has been added back in version 3.2.2.
Q1 - Can you please confirm whether WSO2 Identity Server has full support for the WS-Federation protocol? (If yes, please provide related documents; if no, please suggest the best alternative for Microsoft identity foundation interoperability.)
Q2 - Can you please provide guidance and a sample of how to use the passive STS feature in the context of an ASP.NET application using Windows Identity Foundation (WIF)?
Q3 - How to administer claims in Identity Server to be consumed in an ASP.NET application?
Q1 - WSO2 Identity Server does not have full support for WS-Federation specification.
Q2 - Identity Server has support for Passive STS and we are in the process of writing an article on that. That will be available by next week. Will post the link here once it's available.
Q3 - Identity Server has the Claim Management feature, where you can add your own claim dialect.
We have an ADFS 4 server and I'm trying to create a .NET Core web app in Visual Studio 2019 that uses the SAML "flow" for authentication/authorization.
I remember seeing a tool/extension in an old version of Visual Studio (2015?) that allowed you to configure some details of authentication.
But in VS2019, when I select "Cloud - Single Organization" on the new app wizard, I can't tell whether it's creating WSFed, SAML or OAuth protocol app.
Is it because AzureAD defaults to SAML?
No - Azure AD defaults to OpenID Connect.
Yes - there was a tool back in the day but that was for WS-Federation (WIF).
There was a SAML implementation of WIF for a brief moment but it was withdrawn and never formed part of the tool.
Microsoft has never had an official SAML client stack.
There are a number of options here.
I understand ADFS 3.0 has removed the need for IIS and that it's run directly out of HTTP.SYS now.
So does this mean it's not even possible to add IIS back so one could implement a custom FormsAuth (web forms) type integration as you used to be able to do under ADFS 2.0?
Or is it all Shibboleth these days?
Edit: We've been able to successfully deploy our own custom authentication provider in ADFS 3.0 (adjacent to Active Directory) and use it to SSO into Office 365 so this is no longer required. See Implementing Office 365 single sign-on using custom authentication/claims provider in ADFS 3.0 (RE: AADSTS90019)
You can, as long as the SSL bindings and routing for anything under /adfs and /federationmetadata remain the same. We've seen cases where this has not happened and it resulted in the most painful of troubleshooting.
Thanks //Sam
If you mean can you install IIS on Server 2012 R2 to run apps, yes you can.
If you mean can you customise the ADFS aspx pages as you used to be able to do, the answer is no, but you can do some stuff with JavaScript.
We're in the process of migrating our authentication and authorization logic away from the original membership providers. We are currently looking at Asp.net Identity, but no one on the team has experience with this technology. We've been asked to support ADFS in the future and looking to see if this framework directly supports ADFS, which no one on the team has experience with either.
The only article I've found, http://www.cloudidentity.com/blog/2014/02/12/use-the-on-premises-organizational-authentication-option-adfs-with-asp-net-in-visual-studio-2013/, seems to imply ASP.NET Identity will support ADFS as a provider. Are there any other definitive resources for ASP.NET Identity and ADFS?
Regards,
Noobian
ASP.NET Identity offers an "easy" way to add users and authenticate against them in a SQL DB.
ADFS can only authenticate against AD.
WIF is still supported but older - the OWIN WS-Fed libraries are the way to go these days.
If you want to use ASP.NET Identity have a look at thinktecture's IdentityServer. Offers full support for this plus you can federate with ADFS.
Kind of weird to ask this question. I have successfully implemented SSO for ASP.NET MVC with ADFS 2.0 on Windows Server 2008 R2; now my web app needs to authenticate against another LDAP implementation, which is OpenLDAP on a non-Windows platform, basically a domain controller on Linux. I am still not clear in my approach as to whether it is possible to implement SSO against something other than Windows Server Active Directory.
Please suggest an approach to implement the solution, as the authentication will be against OpenLDAP.
Any reference implementation is highly appreciated.
ADFS can only authenticate against AD.
The next version on Server 2016 will be able to authenticate against OpenLDAP.
In the meantime, your only option is to federate ADFS with another IDP that can do this, e.g. Shibboleth.
I am developing a website that should authenticate users using ADFS.
Basically, we have CRM Dynamics deployed on a server, and CRM Dynamics uses ADFS authentication.
Now I am writing a .NET website that will target CRM Dynamics, and that .NET website will be available to the public.
In order to implement authentication using ADFS, I read this blog, but most of the information is unclear.
Does anyone have experience implementing ADFS authentication in an ASP.NET site?
Any help on this much appreciated.
thanks
This is standard workflow for a claims-enabled ASP.NET application.
e.g. Building a test claims-aware ASP.NET application and integrating it with ADFS 2.0 Security Token Service (STS).
This uses VS 2010. In VS 2012, the same utility is called "Identity and Access Tool". In VS 2013, it's part of the project creation.
Basically:
Create your application
Add WIF as a reference in .NET 3.5
Update web.config using the above utility
Add your application as a Relying Party in ADFS
It is possible, but it may have some security issues.
This is the way you can do it:
Host your application on a static IP
Create users in your AD for everyone who needs to access the application from outside
Try to access it from the public network
Ask for credentials the first time.
Disadvantage: security issues