We have ADFS 2.0 running and have federated with various STS.
Is it possible to federate with Windows Live, OpenID and Facebook?
Some of our users already have these types of credentials and it would be a bonus to be able to use them.
If so, what URL would be used for the federation metadata address in the "Add Claims Provider Trust" wizard?
Any other gotchas?
ADFS doesn't natively support the protocols of those IP-STSs (with the possible exception of Windows Live). You'll need to put an FP-STS that understands those protocols (e.g., PingFederate) between ADFS and them.
We have been investigating this question a lot.
It seems that the best setup is to use ACS in combination with AD FS 2.0 as described in this article.
This setup also enables claims transformation, for example, if you want to add the corporate customer number as a claim.
We have not yet seen any examples where you can connect AD FS 2.0 directly to Facebook however.
Yes. There is no direct way to get the claims from ADFS; you need to configure ACS and set ACS as an identity provider to ADFS.
But the token lifetime for ACS is 24 hours at most, so you need to be happy with short-lived tokens for social ID providers.
What is the best method of securing a REST Web API with the following requirements. The system has an Angular JS frontend with the REST APIs implemented in ASP.net.
There are two "roles" in the system; users will have one of the roles. One role should allow access to some APIs (call it "VIEW"), the other role allows access to other APIs.
All users are in Active Directory, so if I have a username, I can check what role they are in. Some clients are on Windows boxes, the others are on Linux.
I would like to persist the session so I don't have to look up AD for every API call
I would like single sign on. On the Windows machines, I don't require them to enter user and pass as I already can retrieve their username using Windows Authentication.
I believe that Oauth would be my best option.
There are two "roles" in the system; users will have one of the roles. One role should allow access to some APIs (call it "VIEW"), the other role allows access to other APIs.
For role-based authorization, you can use [Authorize(Roles = "Manager")]. The token will be provided by the identity server and will contain the claim as Role.
All users are in Active Directory, so if I have a username, I can check what role they are in. Some clients are on Windows boxes, the others are on Linux.
If you have ADFS then you can have an Identity server that trusts the ADFS. The ADFS will provide a token which will have the claim for role and your Identity Server will do the claims transformation and will return the same Role claim back to angular app.
I would like to persist the session so I don't have to look up AD for every API call.
For this while requesting the token, you can ask for offline scope so the Identity server will provide the Refresh Token with Access Token so you don't need to ask for AD again and again.
I would like single sign on. On the Windows machines, I don't require them to enter user and pass as I already can retrieve their username using Windows Authentication.
For this one, you can have your identity server trust the WS-Federation endpoint for Windows Authentication.
So basically you need to setup Identity server that will provide you with the token and the REST API will use that token to verify claims to return the correct information back to the user.
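As an added illustration of the API side described in this answer (this is example code, not code from the answer or from IdentityServer itself): an ASP.NET Core Web API that accepts the access token issued by the identity server, validates its signature, issuer, audience and lifetime, and gates the two groups of endpoints on the role claim. The authority URL, the audience name "rest-api", the second role name "EDIT" and the controller are assumptions for the example; it needs the Microsoft.AspNetCore.Authentication.JwtBearer package.

```csharp
// Added example, not from the original answer. Assumed values: the identity server
// at https://identity.example.com, audience "rest-api", roles "VIEW" and "EDIT".
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // The API never talks to AD: it trusts the identity server's signing keys,
        // which are fetched from the discovery document (and cached) at startup.
        options.Authority = "https://identity.example.com";   // assumed
        options.Audience = "rest-api";                         // must match 'aud' in the token
        options.RequireHttpsMetadata = true;                   // never fetch keys over plain HTTP
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,                // expired token -> 401; client uses its refresh token
            ValidateIssuerSigningKey = true,
            ClockSkew = TimeSpan.FromMinutes(1),    // default is 5 minutes; tighten it
            // IdentityServer emits the short "role" claim type; the framework default is
            // the long WS-Federation URI that ADFS uses, so say which one the API expects.
            RoleClaimType = "role",
            NameClaimType = "name"
        };
    });

builder.Services.AddAuthorization();
builder.Services.AddControllers();

var app = builder.Build();
app.UseHttpsRedirection();
app.UseAuthentication();   // populates User from the bearer token
app.UseAuthorization();    // enforces [Authorize] on the controllers
app.MapControllers();
app.Run();

[ApiController]
[Route("api/[controller]")]
public class ReportsController : ControllerBase
{
    // Reachable by any caller whose token carries role=VIEW (or EDIT, if you also list it).
    [HttpGet]
    [Authorize(Roles = "VIEW,EDIT")]
    public IActionResult List() =>
        Ok(new { user = User.Identity?.Name, reports = new[] { "q1", "q2" } });

    // Only the EDIT role may change data; a VIEW-only token gets 403, no token gets 401.
    [HttpPost]
    [Authorize(Roles = "EDIT")]
    public IActionResult Create([FromBody] string name) =>
        Created($"api/reports/{name}", name);
}
```

The point to check when wiring this up is the role claim type: if the identity server passes ADFS's role claim through under its original URI, either transform it to "role" in the identity server (as the answer describes) or set RoleClaimType to that URI, otherwise every [Authorize(Roles = ...)] check fails with 403 even though the token is valid.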
I am not sure what you expect exactly. Anyway, first I'm gonna reformulate your question with requirements:
your accounts and roles are in Active Directory
you want to manage roles based on an Active Directory group
you want anybody, whatever the system (Windows, Linux, Mac, mobile...), to connect to your application using the same authentication
you want to avoid your AD being hit constantly (not at every call, for example)
if the user is connected to an application that uses the authentication system, he doesn't have to do it again on another application that uses the same authentication system
If these requirements are yours, I believe the only standard (and clean) solution is to use OAuth. I'm not gonna go into a detailed description of OAuth, but this authentication protocol is the most standard one on the net (Facebook, Google, Twitter...). Of course, as you don't want to use Facebook, Google or Twitter accounts in your business applications but your Active Directory accounts, you'll have to install/set up/develop your OAuth identity provider using accounts of your Active Directory server. Your choice will depend on how well you know the ADFS protocol and its different flows (code, implicit, assertion). You have two solutions for it:
Use ADFS: install ADFS; it provides an OAuth portal that will work out of the box with ASP.NET MVC. This uses the code flow of OAuth, which is the only OAuth flow supported by ADFS. For roles and their related AD groups, you'll have to map role claims to AD groups (it's in the setup of ADFS; you'll find many tutorials on the net). You'll find lots of tutorials as well about how to use ADFS with ASP.NET MVC/ASP.NET Web API. I mention .NET here, but every technology has an implementation for OAuth authentication (Node.js/Express, PHP, Java...).
Use Thinktecture IdentityServer (.NET technology). This will provide all the foundation to implement a custom identity server with the least effort: http://www.thinktecture.com/identityserver / https://github.com/IdentityServer/IdentityServer3. It contains an add-in to plug its accounts into Active Directory. With this, you can use implicit and assertion flows.
Use oauth2orize (for Node.js): https://www.npmjs.com/package/oauth2orize. This will let you do the same as Thinktecture IdentityServer but in Node.js. Apparently you'll have to do all the wiring with AD manually. With this, you can use implicit flows (not sure about assertion flows).
On the application side, most frameworks can authenticate easily using OAuth with a lot of existing libraries. For example, even if you make a single-page application, you can use adal.js or oidc.js for Angular if you use Angular. As I mentioned above, all this is handled by ASP.NET MVC/Web API out of the box, and I know it's the case for other server technologies too. If you have more questions, don't hesitate, as I'm not sure what you expect exactly.
I need good advice and want to know whether a solution is feasible or not. Right now one of my customers has a common login application which is based on Forms authentication (ASP.NET) using a membership provider. All internal users use their AD credentials to log on and external users use a custom username and password. Both are wrapped via Forms authentication. Now the new proposal is to replace this Forms authentication with ADFS. I have gone through various articles on the internet and am not able to come to a conclusion. Let me list my findings so far with ADFS extension points.
1) It is possible to add a custom attribute to ADFS claims by the approach mentioned in https://blogs.technet.microsoft.com/cloudpfe/2013/12/27/how-to-create-a-custom-attribute-store-for-active-directory-federation-services-3-0/.
2) It is possible to add a second level of authentication (or multifactor authentication) via the approach https://blogs.msdn.microsoft.com/jenfieldmsft/2014/03/24/build-your-own-external-authentication-provider-for-ad-fs-in-windows-server-2012-r2-walk-through-part-1/. Here I understand that only after first-level authentication is done by AD will our external provider come into the picture.
So I have a general question: is it really possible to achieve what I am looking for with ADFS? Please let me know.
This is based on where the user accounts are stored. If both internal and external users are in AD, you can just redirect to ADFS.
If internal is in AD and external is in an untrusted or other LDAP source, using ADFS 2016 you can link to both these account stores and still offload authentication to ADFS.
If external is in SQL, you can either use a virtual directory in front to project it as an LDAP store (previous option) or use IdentityServer.
If external is something else, you'd need IdentityServer.
Thanks //Sam (#MrADFS)
Yes - you can add a custom attribute store.
Yes - you can add a custom authenticator.
A better way might be to use thinktecture's IdentityServer 3.0 for the ASP.NET Identity part and then federate IdentityServer and ADFS.
I am developing an ASP.NET application. I have successfully added an STS reference to a stand-alone AD FS 2.0 server, so I can authenticate against a 3rd party's Active Directory. The problem is that I have more than one client who wishes to be able to authenticate against their own Active Directory. It seems that I can only add one STS reference to a project. How do I add multiple identity providers to an ASP.NET application and then programmatically choose which provider I want to redirect the browser to for authentication? Thanks!
Ralphie
That's not the normal federation pattern.
You normally "bind" your application to one STS (say STS1) using FedUtil and then at the STS level federate with other STS (say STS2 and STS3). Then when the user accesses the application, WIF redirects to STS1 and you get a "Home Realm Discovery" screen that asks "Who would you like to authenticate against? (STS1 / STS2 / STS3)".
Your question doesn't indicate whether you already knew this or whether you are wondering how to authenticate against multiple STS.
Update: You can use VS to create a custom STS; not sure if HRD is out of the box. What other authentication stores do you need to cater for? Why do you think you need a custom STS? You can use multiple instances of ADFS all federated against each other or federate ADFS with PingIdentity or OpenAM ... Have a look at IdentityServer. That's a custom STS which is a very good base to use.
Update 2: Yes - you are correct.
We manage a website that runs on the .NET 4 framework and we need to implement SAML 2.0 to support single sign on. We do not wish to run Active Directory Federation Services as all user accounts are stored in a SQL Server. What do I need to consider when developing a single sign on service whereby we are the identity provider?
I work with SiteMinder Federation Services (SMFSS) and Federation Manager for CA. Are you planning on also doing authorization for the SP based on attributes? Do you have an authorization SSO solution already? If so, what is it? If it is SiteMinder then the fastest, easiest-to-implement solution would be SMFSS. Aside from ServletExec and Java JDK bugs, which are pretty much fixed up now, I can get customers who have never used Federation up and running in a day for a SAML 2.0 POC. So, if you do have SiteMinder I would give that a try and I am sure you will be quite pleased. If not, we also have Federation Manager which can run as a proxy into your site or not. We have customers who do things such as use the SiteMinder access logs to charge users for access to SP sites at a certain charge per access. We have the attribute authority so that if you want to provide authorization based on user attributes you can do that. If SMFSS is on the SO side you can just have the attributes stored in the SPO side's session store. Can you tell me more about your use case? When SiteMinder was originally created, one of the use cases was for SSO between different web servers, etc.
Let me know if I can help with any follow up questions and have a splendid day!
Thanks!
Crissy Krueger Stone
CA SiteMinder Support
Based on your initial requirements, you should take a look at PingFederate from Ping Identity [Note: I do work for Ping ID]. It can support multiple databases and directories simultaneously as well as provide multi-protocol support in both an IdP and SP role. We can also support different development languages you may have beyond .NET.
HTH- Ian
Is it possible to make ADFS authenticate a user against an ASP.NET Membership database in SQL Server? Alternatively, can a .NET C# plug-in be created and installed in ADFS which could provide this "service" to ADFS?
As far as I know this is not possible. ADFS (v1 and v2) ONLY supports an AD Domain Controller as the Authentication source of users. Other flavors of AD do not work (ADAM/AD LDS).
There are other options that are easier to deploy and give you IP-STS (aka IDP) functionality. For example, our PingFederate product can leverage your SQL Server pretty easily if you are interested.
No, this is not possible. See this answer of mine for the official documentation at this point, and for an alternative solution involving a custom STS.
A lot of issues with ADFS can be worked around by federating ADFS with another STS and adding the required functionality to the STS.
StarterSTS is a good example of an STS that authenticates against an instance of a SQL Server aspnetdb database.