I will soon need to add SSO to an ASP.NET app using SAML. The client will not provide access to their Shibboleth identity provider for testing, so I'll need to verify that SSO works myself.
What would be the easiest method to use/set up a SAML identity provider for testing? I'm not keen on having to set up an infrastructure myself if I don't have to.
I'm planning on using a SAML component from http://www.componentspace.com/
If you are a SaaS Provider - Check out "Getting Ping Certified"
http://www.pingidentity.com/partners/becomeapartner.cfm
All your suggestions look quite helpful.
For others who may find this page, the ComponentSpace SAML 2.0 component comes with an Identity Provider that appears to mimic Shibboleth. This appears to be the easiest way to test adding SSO to your own application.
I want to enable SAML in a '.net core 3.1' application with Auth0 as IdP. I tried to explore Auth0.AspNetCore.Authentication but I did not find any information around SAML configuration, as it's just a wrapper around Microsoft.AspNetCore.Authentication.OpenIdConnect.
Can someone help here with some documentation or sample code with some well-proven open-source library?
Thank you!
Microsoft.AspNetCore.Authentication.OpenIdConnect is for OpenId Connect.
SAML is a completely different protocol.
I don't think Auth0 has a sample for a .NET Core client-side stack?
Otherwise, look here.
To configure Auth0 as a SAML IDP, look here.
What is the best open-source or paid library to make an ASP.NET Web Forms application act as a relying party and sign in a user, with PingFederate as the IdP?
PingFederate Integration Kit
https://documentation.pingidentity.com/display/NETIK/.NET+Integration+Kit
One Login
https://developers.onelogin.com/saml/c-and-aspnet
Kentor.AuthServices
https://github.com/KentorIT/authservices
Do all these solutions use the OpenToken protocol?
Thanks
ameet
Calling one library the best is not that straightforward as it's highly circumstantial.
If you're the Ping Identity customer yourself, the Integration Kit would make sense, as it's supported by Ping, making life easier if something goes wrong. This limits you to an integration with PingFederate, but doesn't mean a SAML 2.0 connection couldn't be set up via PingFederate.
If the application might be offered to other customers who don't run PingFederate, using one of the SAML 2.0 libraries might make more sense, as it would be possible to connect anyone who has a SAML 2.0-supporting solution in place.
I don't know how support with the OneLogin Toolkit works, but Kentor is open source, which needs to be considered prior to making the choice.
OpenToken is not a standard, and the PingFederate implementation might not work with 3rd-party or Open-Source libraries.
I'm very new to the identity management world, so please spare me. :)
What I would like to do, is to have multiple client (MVC) applications that talk to a single Web API application to authenticate their users against. In that Web API application, I would like to use ASP.NET Identity to talk to a database with users.
That way, I could use SSO for the client applications (I guess).
Does that make sense? Could someone help me on my way to implement this (links are also welcome of course)?
I don't know if IdentityServer could help me with what I want?
And as a side question: when I could implement this the way I would like to, how do I deal with the same-origin policy?
Thank you for all the help. :)
I did some research myself during the last few months and I learnt a lot about the identity management stuff. Much of that is also thanks to the guys from IdentityServer (and their other projects).
What I finally did was the following (very briefly):
IdentityServer is used as a provider for all client applications. The cookie and OIDC middleware are used.
I used the ASP.NET Identity user service to store the users in an SQL Server database. (The IdentityServer configuration is by the way also stored in a database.)
I set up a Web API service that uses the ASP.NET Identity user manager for user configuration (change password, create new users, ...). It uses bearer authentication with the application with IdentityServer as provider.
As a side note, IdentityManager is used as an internal admin tool to manage all the users.
If anyone is looking for some help setting up his / her identity management system (and thinks I can help): please ask. ;)
There are many articles on the active profile, e.g. Federated Security: How to setup and call a WCF service secured by ADFS 2.0. But that article assumes you want to use AD?
I'm guessing you want to use ASP.NET Identity for the provisioning?
IdentityServer OOTB supports a SQL DB and has basic user provisioning built in. It allows users to authenticate against the DB and supports WIF.
This scenario is also close to what you need, take a look at the answers:
How to implement an OWIN Authentication server with a MVC Web Api content server and an Android end-user apk
I also recommend reading this article:
Decouple OWIN Authorization Server from Resource Server
I am working on integrating our application with client's Identity management system using SAML 2.0. Below is the requirement
The login screen of our application will have an option for Single Sign-On. When clicked, the user will be directed to the login screen of the identity management system.
The identity provider will validate the user's credentials and send the information back to our application.
Based on the input from the identity provider, the application has to provide access to the user.
Now, the client has asked us to provide them with SAML metadata files. Our application is developed in .NET.
I had a look at ComponentSpace and ATC Inc components that can be used for SAML generation; however, I need help to start this.
Can someone help me on this? This is something new which I haven't worked on.
Thanks,
Abhilash
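The metadata files the client is asking for describe your application as a SAML 2.0 service provider: an md:EntityDescriptor with an SPSSODescriptor that carries your entity ID, your AssertionConsumerService URL, your signing certificate and the flags telling the IdP what you will sign and what you expect signed. The following is an added example for this thread, not ComponentSpace, ATC or the poster's code: it builds such a document with the standard library and runs the sanity checks an IdP administrator applies before importing it. The entity ID, URLs and certificate value are constructed placeholders.

```python
"""Build and sanity-check SAML 2.0 SP metadata.

Added example, not library code. Entity ID, endpoint URLs and the certificate
are placeholders to be replaced with the application's real values.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NS = {"md": MD, "ds": DS}

ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)


def build_sp_metadata(entity_id, acs_url, slo_url, signing_cert_b64):
    """Return SP metadata that announces signed AuthnRequests and demands signed assertions."""
    ed = ET.Element("{%s}EntityDescriptor" % MD, {"entityID": entity_id})
    # Child order follows the metadata schema: KeyDescriptor, SingleLogoutService,
    # NameIDFormat, AssertionConsumerService.
    spsso = ET.SubElement(ed, "{%s}SPSSODescriptor" % MD, {
        "AuthnRequestsSigned": "true",
        "WantAssertionsSigned": "true",
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
    })
    kd = ET.SubElement(spsso, "{%s}KeyDescriptor" % MD, {"use": "signing"})
    ki = ET.SubElement(kd, "{%s}KeyInfo" % DS)
    x509 = ET.SubElement(ki, "{%s}X509Data" % DS)
    ET.SubElement(x509, "{%s}X509Certificate" % DS).text = signing_cert_b64
    ET.SubElement(spsso, "{%s}SingleLogoutService" % MD,
                  {"Binding": HTTP_REDIRECT, "Location": slo_url})
    ET.SubElement(spsso, "{%s}NameIDFormat" % MD).text = \
        "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    ET.SubElement(spsso, "{%s}AssertionConsumerService" % MD, {
        "Binding": HTTP_POST, "Location": acs_url, "index": "0", "isDefault": "true"})
    return ET.tostring(ed, encoding="unicode")


def check_sp_metadata(xml_text):
    """Return the list of problems an IdP administrator would raise about this SP metadata."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD or not root.get("entityID"):
        return ["missing EntityDescriptor/entityID"]
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["missing SPSSODescriptor"]
    if sp.get("WantAssertionsSigned") != "true":
        problems.append("WantAssertionsSigned should be true so unsigned assertions are rejected")
    if sp.get("AuthnRequestsSigned") != "true":
        problems.append("AuthnRequestsSigned is not true; the IdP cannot verify request origin")
    acs = sp.findall("md:AssertionConsumerService", NS)
    if not acs:
        problems.append("no AssertionConsumerService endpoint")
    for e in acs:
        loc = e.get("Location", "")
        if not loc.startswith("https://"):
            problems.append("ACS Location is not https: %s" % loc)
    if sp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
        problems.append("no signing certificate in KeyDescriptor")
    return problems


# Constructed example of the bare-minimum metadata that draws questions from the IdP side.
WEAK_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.test/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    good = build_sp_metadata("https://sp.example.test/saml/metadata",
                             "https://sp.example.test/saml/acs",
                             "https://sp.example.test/saml/slo",
                             "PLACEHOLDER-BASE64-CERT")
    print(good)
    print(check_sp_metadata(good))
    print(check_sp_metadata(WEAK_METADATA))
```

The certificate in the KeyDescriptor is the public half of the key the application signs AuthnRequests with; the IdP needs it in the metadata so it can reject requests that were not produced by your SP, and the IdP's own metadata in turn carries the certificate your library must use to verify assertion signatures.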
If you are looking for a simpler integration than coding support directly into your application, check out the PingOne Application Provider Service (APS) "SAML as a Service" from Ping Identity. A handful of lines of .NET code (or Java or Ruby or Perl, etc) to integrate via a RESTful API and you're done. No need to embed complicated SAML SP code and the security overhead that comes with it [Disclaimer: I do work for Ping].
HTH
Ian
Is it possible to make ADFS authenticate a user against an ASP.NET Membership database in SQL Server? Alternatively, can a .NET C# plug-in be created and installed in ADFS which could provide this "service" to ADFS?
As far as I know this is not possible. ADFS (v1 and v2) ONLY supports an AD Domain Controller as the Authentication source of users. Other flavors of AD do not work (ADAM/AD LDS).
There are other options that are easier to deploy and give you IP-STS (aka IDP) functionality. For example, our PingFederate product can leverage your SQL Server pretty easily if you are interested.
No, this is not possible. See this answer of mine for the official documentation at this point, and for an alternative solution involving a custom STS.
A lot of issues with ADFS can be worked around by federating ADFS with another STS and adding the required functionality to the STS.
StarterSTS is a good example of an STS that authenticates against an instance of a SQL Server aspnetdb database.