We have an ASP.NET web application that we offer as a Service (it's hosted and it's accessible on the Web). We use Forms Authentication and our users have to enter a username/password to connect to our application. Some of our customers ask that we support single sign-on by authenticating users with their own Active Directory.
Our application has a different URL for each customer
www.ourapp.com/client1/
www.ourapp.com/client2/
www.ourapp.com/client3/
and each URL has its own web.config file (where asp.net settings can be specified and can vary for each customer).
What do I have to change in my ASP.NET application to support that?
What do I have to change on my Windows server configuration?
What will the customer have to do on his side to enable that?
Regards,
Check How To: Use Forms Authentication with Active Directory in ASP.NET 2.0 In short, you configure an ActiveDirectoryMembershipProvider to verify each username/password with the customer's AD. The customer must create an AD account for you that is allowed to perform the verification - which may be a problem with some customers. What's more, your code will handle the actual username/password used by users in their internal network, which can be an even bigger problem with customers.
A more secure solution is to use federation (using ADFS) or Claims Authentication using Windows Identity Foundation. In this case you "only" have to set trust relations between your domain and theirs.
Related
Is it possible to mix authentication types in a C# ASP.NET MVC web application hosted in Azure?
I have an ASP.NET MVC application written in C# that uses ASP.NET Identity as its authentication system.
A customer has asked if they can sign into the application using their Azure Active Directory (SSO using openconnect id).
I can recreate the application using openconnectid and assign their tenant as the AAD directory but users from my company can not log into the application because we do not exist in the customers Azure Active Directory.
We need to be able to log into the application because we perform data entry tasks for them using the web app.
Has anyone come across a similar issue?
Regards,
Graham
You may need to show login screen with 2 possible options. You redirect the user to their respective identity provider , they get authenticated and bring back the access_token/Id_token to access application resources.
Very much like different OpenID connect providers in the same application(FB, Google, Microsoft etc) and regardless of which provider user choose to get authenticated the token is same to access resources.
I have three asp.net applications. Only one of them has a forms authentication login. I redirect anonymous users to that one login page for all three applications to login. Once they log in, they automatically redirected back to the application and page they were attempting to access.
I enabled this functionality by setting the same MachineKey in all three applications.
Is there a way to do this for ADFS 3.0 WIF authentication as well? It doesn't seem to work the same in my testing. When I log into the application that is wired up to ADFS, I still can't access the other two.
WIF and ADFS don't work the same way as traditional forms authentication. These technologies rely on issuing access tokens, and require that dependent applications (also known as Relying Parties, or RPs) configure a trust relationship with the token provider (AKA Identity Provider, or IP). You can't share the cookie with MachineKey between apps that have not directly authenticated with an IP, and to be quite honest you don't want to.
The typical web scenario (also known as Passive Federation) is to have a separate application that functions as a Security Token Service (STS). This application houses the Login.aspx page and is protected with Forms or Windows Authentication like you would find in a classic ASP.NET scenario. When you attempt to access a web application that requires authentication, it needs to be set up to redirect you to the STS website, rather than handling it by itself. Once you log into the central STS, it will issue you a token that you then provide to applications to gain access. If you use WIF properly, this is all handled behind the scenes and is just a matter of configuration.
Each of your three web applications should be configured with a trust relationship to your IP. You said that you have a web application wired up to ADFS already, if that's via the proper trust relationship, then you should simply have to replicate that set up to your other 2 applications.
I am developing an ASP.NET application. I have successfully added an STS reference to a stand-alone AD FS 2.0 server, so I can authenticate against a 3rd party's active directory. The problem is that I have more than one client who wishes to be able to authenticate against their own active directory. It seems that I can only add one STS reference to a project. How do I add multiple identity providers to an ASP.NET application and then programatically choose which provider I want to redirect the browser to for authentication? Thanks!
Ralphie
That's not the normal federation pattern.
You normally "bind" your application to one STS (say STS1) using FedUtil and then at the STS level federate with other STS (say STS2 and STS3). Then when the user accesses the application, WIF redirects to STS1 and you get a "Home Realm Discovery" screen that asks "Who would you like at authenticate against (STS1 / STS2 / STS3).
Your question doesn't indicate whether you already knew this or whether you are wondering how to authenticate against multiple STS.
Update: You can use VS to create a custom STS - not sure if HRD is out-the-box. What other authentication stores do you need to cater for? Why do you think you need a custom STS? You can use multiple instances of ADFS all federated against each other or federate ADFS with PingIdentity or OpenAM ... Have a look at IdentityServer. That's a custom STS which is a very good base to use.
Update 2: Yes - you are correct.
I am developing an ASP.NET Web application which should be accessible to the users who can access from both intranet and internet. Could you suggest the approach to implement this with ADFS 2.0.
The requirement is when users are logged in in the intranet the authentication to the app should be seamless without giving user id and password. Whereas for the same users if they are accessing out side intranet it should take email id and password as creditentials and authenticate.
You can put an ADFS proxy in front of ADFS for external users which by default uses Forms.
Internal users will get Windows Auth.
ADFS out-the-box only allows authentication with user name.
You would have to do some custom development - refer Adjusting the Home Realm Discovery page in ADFS to support Email Addresses.
We have an ASP.NET website set up using Active Directory as the Membership Provider. The site uses the Forms authentication mode and the .NET Login control. We recently merged with another company and now they also need access to the site, but they are of course on a different domain. Our IT people have set up the two Active Directories in a two-way trust.
I can log on to their domain using a test account from our network. But when I use the same DOMAIN\username + password combo on my website it does not work.
How can I make our site able to see users on the second domain? Is this not possible using the Login control? Or is there something else I'm missing?
I don't think it's possible to authenticate against a remote AD domain, via a trust with the built-in provider. You could setup a second provider which is configured to point at the other domain, and then add addition logic to your Login control to pick the right provider to authenticate against. I use a similar approach to support "pass-through" authentication of domain users while also support non-domain users with standard forms authentication.