UAG (Microsoft Forefront Unified Access Gateway) authentication for .NET website - asp.net

Help!
I am absolutely clueless on this. I've been told that the web application I'm building (.net 4 / mvc3 / c# / sql server) will be "sitting behind UAG so we can silently authenticate". I've no idea now how to approach the authentication part of the build in my dev environment.
Should I just use "windows authentication"? Will that be the required setting when the application goes live? How do I test the authentication?
The people asking me to do this are currently just getting started with UAG too do so any help, pointers, explanations or suggestions will be very much appreciated.
To put the situation in context, this application will be accessible via the company network internally, and also via the web externally (via UAG portal, of course). The company is on Active Directory, and all I actually need to "pull through" to the application to get further people entity data is the AD username.
Thanks in advance..
:)

Which authentication method you use depends completely on your application. I wouldn't worry too much about the UAG, as the idea should be that an existing web application can sit behind this product, rather than we have to customise our web application to sit behind this product. UAG should do the authentication/credential creation heavy lifting.
So in that regard, what is your user model? Do you want people to have to log on, or should their Windows credential be sufficient? Do we want Forms Authentication or Windows?
As an aside, we used the product when it was IAG, and it wasn't the greatest. If there was one thing it definitely did NOT enable was silent authentication. We had more problems with it than the problems it was trying to solve!

Related

Debugging Dot Net Website as Domain Normal User

We are developing asp.net website, API and MVC project using Visual Studio. Currently the system we're using are using local administrator account. We are now mapping it to the domain user (normal user). However, certain features are not supported by Visual Studio when we do things like this... importantly..
Debugging applications that a run under a different user account,
such as ASP.NET websites.
Deploying a web application to Internet Information Services (IIS) on a local computer.
Check MSDN Doc here
Note that deploying to IIS is not an issue for us, however the we're unable to debug the application and that is real deal breaker here!
I would like to know how to do debugging for asp.net websites when using domain mapped normal user.
I know this is not a programming related question. However, seems like most of dot net programmers are affected with this and I don't know where to ask for help, so posting it here. (Suggest if any other site is suitable for this!)
Thank you for your help in advance.
The simple answer, as mentioned in that MSDN document and this SO question, is that you can't.
It might be possible to do it through roundabout ways, such as changing the credentials that the IIS worker, application pool, and related processes run as, but even if it were possible, it wouldn't be supported, and most likely wouldn't be worth the effort. Here are two very old articles that deal with the topic:
https://msdn.microsoft.com/en-us/library/aa289173(VS.71).aspx
http://jameskovacs.com/2006/03/16/debugging-as-a-nonadmin/
It may be more feasible if you're able to run your application in an OWIN (Wikipedia) container running in an alternate (to IIS) host.

Classic ASP / VbScript - SAML 2.0 - Identity provider

I have a Classic ASP / VbScript website that I need to act as an SAML 2.0 Identitiy Provider.
Despite extensive searching I have been unable to find any resource / demo / example to steer me towards a solution.
As I can't find any information I am thinking that it is simply not possible, or is it so obvious nobody needs to ask or that is such an uncommon situation that no resource exists.
Further clarification added
My website.com is coded in Classic ASP / VbScript running in IIS7.5 on Windows 2008 server.
User logs into website.com and can now browse the site.
One section of website.com has links to other-website.com which ordinarily requires login.
To avoid this I can use SAML 2 based SSO to gain direct access to other-website.com by passing over EntityID and unique references from website.com database which correspond to other-website.com database to ensure authentication.
What I really don't understand is from the point that the User clicks hyperlink to other-website.com what I need to do to create and pass over the required information to other-website.com
I think that I have to create some form of encrypted XML document and then POST it via a form to the URL supplied by other-website.com - but I am not sure how to do this and can't find any sample / demo to help.
Hopefully that explains fully what I am trying to achieve!
The normal model is that you have a third-party product (ADFS, OpenAM, PingIdentity, ...) as your IP and your application is the RP (Relying Party).
You don't normally have an application as an IP.
What do you intend to authenticate against?
ADFS / WIF is based around ASP.NET not ASP.
WIF uses WS-Federation not SAML.
To use SAML you need ADFS and that runs on Windows Server.
Check out PingFederate and the Agentless Integration Kit from PingIdentity. Here's an overview of how the integration would work with your application - http://documentation.pingidentity.com/display/AIK12/Implementing+IdP+Functionality. PF would handle all the fancy standards-based requirements and your application would continue to maintain its own session and user authentication functionality. When SSO is needed, you then invoke the PF server. Once you integrate your app, it's very simple to add new service providers via the PF Admin Console.
[Note: I work for Ping]
For anyone reading this question, I would highly recomend taking a look at this article and sample code, I was in the same situation as the OP and found for me it was easier to use this C# ASP.Net code as a starting point (I have little experiance of C# but still got this working quickly and easily). It's clearly comented and works right out of the box and was easy to amend for my needs. In the end it was simpler to implement this in .NET and call it from my ASP application than create from scratch in ASP.
http://www.voiceoftech.com/swhitley/index.php/2008/09/single-signon-with-saml/

IBM Portal Server integration with non wsrp application

The project has a situation which can be described as: a portal application has to be built. This is expected to be home for many existing non portlet applications (some are Java EE based and some not).
Obviously, portal will provide SSO. Options of rendering a non portlet application to portal seem to be using either an iFrame or a URL redirect. In either case, it looks like the request has to pass through the portal server (??).
What are the challenges that this solution face? Best practices to get this implemented?
This is what a Portal solution has been meant to provide: central point of access to applications, services, people, processes...
There is also the third option for integrating legacy web applications (I assume you are asking about WebSphere Portal Server) and that would be "Web Application Integrator". You can find some info on it here
Challenges with this solution would be related to:
1. SSO - there could be some complications with this, depending on infrastructure.
2. Look and feel uniformity - Portal themes should be appropriate for web applications to be integrated.
3. In some cases Web applications will need to be changed in order for integration to be possible.
Yes, each request will need to pass through Portal Server.
Hope this helps..

How to migrate applications from Classic ASP to ASP.NET MVC?

Currently, we have many web applications (external & internal) developed using Classic ASP through .NET 2.0 technologies. Each of those web applications have their own login screen authenticating against their own custom database or using Windows authentication. Users have access to one or more of these applications, meaning they have to log out and log back into applications that they would like to access. All applications share some part of the back-end data sources. Also, the business logic is embedded in the UI in addition to being duplicated across applications because there is no code/business logic sharing. Screenshot #1 gives a brief idea of the existing architecture.
Screenshot #2 shows the suggested architecture, which I hope will help in faster development, code/business re-usability and may be simpler maintenance. Users will access either external or internal url. In external, users will provide credentials and will be authenticated against custom database. In internal site, users will be automatically logged in using Windows authentication. After creating some samples, I have begun to like ASP.NET MVC 3. It keeps business logic separate from UI and I also like the unit testing capabilities.
Here are my questions:
Based on what I have found on the web so far, multiple authentications are not feasible within a single website. My understanding is that I have to host one website for each type of authentication (Forms and Windows). How do I redirect users to common landing page after they are authenticated so they can see the modules (links/menus) that they are authorized to access? Should I have to publish the same code set (dlls and content) to both the websites?
Has anyone faced a similar architecture problem? If yes, could you please share the challenges that you faced and how you tackled them? What are the industry standards in designing applications of this sort?
Does the suggested architecture make any sense or is it a really bad design? Are there any drawbacks in doing this in ASP.NET MVC 3?
I would really appreciate your inputs.
Thanks in advance.
I would set up a seperate web site which only handles the windows authentication. I would then rely on something like OpenID and/or OAuth to ask for credentials/token to make sure to user has proper access.
The user that want to sign in using windows credentials go through that process because you are right in that a IIS server running windows authentication is hard to mix with other stuff.
You can set up some kind of claim based network of thrust in which you applications get thier credentials from trusted sources and through that process you can negotiate and control access privileges cross many web sites. As long as your not doing custom hosting or white label branding you can have everything in one place (or even if you did you could design it so that you have a central solution of handing out authentication tokens).
Keep in mind the difference between Authentication and Authorization. You presumably want a single authentication mechanism (or maybe two, one for internal and one for external users). There is a similar post here that lays out some pretty good guidelines: How to allow multiple authentication methods in ASP.NET?
On one project we built a common controller class used in every page of the site. It handled authentication and access control. When a user tried to access any page it checked to see if they had a session identification cookie. If they did not they were required to authenticate(login). A challenge was doing a good implementation of the security. Current browsers have many flaws that make this difficult.

authentication winform + asp

I am building a desktop application that needs to update current user's status frequently. This status will be available as RSS feed.
In order to do this, I think I can create a asp.net folder and secure it using form authentication. When the desktop application written as winform in c# needs to update status, it can set WebRequest.Credentials and upload data.
Is there any better way of doing this?
Thanks
Forms Authentication might be a little 'overkill' for what it sounds like you're trying to do. Consider writing a simple .NET web service, and using SoapAuthentication or even passing in some credentials (or an authentication token that your server recognises) as parameters to the web method. It depends on how important security is, and what kind of traffic you think your desktop application will generate.
It's difficult to be more specific without more details! :)

Resources