Shibboleth and .NET - asp.net

I've got a requirement that a ASP.NET web app use Shibboleth for the authentication. Has anyone done this before? Are there libraries out there to support the method calls? Or is this a Java only thing?

It's definitely not a Java-only thing, there's an Apache module available for download on the Shibboleth site.
I don't know if there's anything specific for .NET.
We implemented Shibboleth a while back and we originally tried to use the Java solutions - it was a nightmare. The Java apps were badly written, buggy and badly documented. It was hassle after hassle and we eventually decided to use the Apache module on a dedicated server and forward successfully authenticated users onto our Tomcat app.
The Apache module was a breeze to setup, configure and get working.
Don't know if you've already realised but the Shib documentation and website are incredibly hard to navigate - it's a fight to find any useful information. I did go and look for a .NET implementation on there but gave up!
If our Java experiences are anything to go by I would seriously suggest setting up an Apache server with the Shibboleth module installed and saving yourself a world of pain.
This is a good site for testing your Shibboleth install once you have it set up: http://www.testshib.org/testshib-two/index.jsp
If you do find a good .NET solution then I'd be very interested to hear about it. Good luck!

I know this is a really old question, but I thought I might be able to do a bit better expanding for those who are finding the answers from Google.
As recommended above, you really want to configure your web server to load a module. The hard part of Shibboleth is the configuration file, but assuming someone else in your organization has utilized Shibboleth, you can use theirs as a template and it's fairly easy.
For .NET based authentication, you'll need to configure Shibboleth in IIS. The default configuration for IIS creates a directory called /secure, and anything put under there will require shibboleth authentication (i.e. it will redirect to the identity provider). You can configure it to cover other directories or even do lazy authentication.
Once you have the authentication piece in place, you can check headers to "read" the information the identity provider is passing to you. IIS handles things a bit differently than Apache, but it's still pretty easy. If you just want the username you could use HTTP_REMOTEUSER, although there could be better options; e.g. Ohio State University recommends using the eduPersonPrincipalName.
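As an added example, not code from the answer above or from the Shibboleth project: an ASP.NET `IHttpModule` that consumes the attributes the Shibboleth SP's ISAPI filter exposes on IIS and turns them into the request principal. It assumes the SP's default server-variable mode (not `useHeaders="true"`), that `attribute-map.xml` exports eduPersonPrincipalName under the id `eppn` and eduPersonAffiliation under `affiliation`, and that `/secure` is the SP-protected tree; those ids, the path and the class name are assumptions, not anything the answer states.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;

// Added example, not the answer's code. Assumptions: the Shibboleth SP on IIS runs
// in its default server-variable mode; attribute-map.xml exports
// eduPersonPrincipalName as "eppn" and eduPersonAffiliation as "affiliation";
// the SP-protected tree is /secure. Register in web.config under
// <system.webServer><modules><add name="ShibAttrs" type="ShibbolethAttributeModule"/>.
public class ShibbolethAttributeModule : IHttpModule
{
    const string ProtectedPrefix = "/secure/";

    // eduPersonPrincipalName is scoped (user@realm). Anything else means the
    // SP or the attribute map is misconfigured, so refuse rather than guess.
    static readonly Regex EppnPattern = new Regex(@"^[^@\s;]+@[A-Za-z0-9.-]+$");

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    public void Dispose() { }

    static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        var ctx = ((HttpApplication)sender).Context;

        // Outside the SP-protected tree the filter has not run, so these
        // variables are simply absent; a page that expected authentication
        // must not read that as "anonymous but fine".
        if (!ctx.Request.Path.StartsWith(ProtectedPrefix, StringComparison.OrdinalIgnoreCase))
            return;

        // The ISAPI filter sets mapped attributes as server variables, which a
        // browser cannot supply (unlike HTTP headers under useHeaders="true").
        // REMOTE_USER (the answer's HTTP_REMOTEUSER) carries whichever attribute
        // the REMOTE_USER="..." setting in shibboleth2.xml names; reading the
        // mapped id directly avoids depending on that ordering.
        string eppn = ctx.Request.ServerVariables["eppn"];
        if (string.IsNullOrEmpty(eppn) || !EppnPattern.IsMatch(eppn))
        {
            // The SP should already have bounced us to the IdP; if we still
            // have no usable identity, fail closed.
            ctx.Response.StatusCode = 403;
            ctx.ApplicationInstance.CompleteRequest();
            return;
        }

        string[] roles = ParseMultiValued(ctx.Request.ServerVariables["affiliation"]);
        ctx.User = new GenericPrincipal(new GenericIdentity(eppn, "Shibboleth"), roles);
    }

    // The SP joins multi-valued attributes with ';' and escapes a literal ';'
    // inside a value as "\;". A plain Split(';') would turn the single value
    // "staff\;admin" into the two roles "staff\" and "admin".
    public static string[] ParseMultiValued(string raw)
    {
        var values = new List<string>();
        if (string.IsNullOrEmpty(raw)) return values.ToArray();
        var current = new StringBuilder();
        for (int i = 0; i < raw.Length; i++)
        {
            char c = raw[i];
            if (c == '\\' && i + 1 < raw.Length && raw[i + 1] == ';')
            {
                current.Append(';');
                i++;
            }
            else if (c == ';')
            {
                values.Add(current.ToString());
                current.Length = 0;
            }
            else
            {
                current.Append(c);
            }
        }
        values.Add(current.ToString());
        return values.ToArray();
    }
}
```

The path check is the part people skip: the variables only exist where the SP actually protects the request, and if you switch the SP to `useHeaders="true"` the same values become ordinary request headers, at which point the SP's header stripping is all that separates a client-supplied `eppn` header from your `ctx.User`. That is why the server-variable default is the safer choice on IIS.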

As MatthewMartin says, Shibboleth is just a SAML server; Windows Identity Foundation supports SAML, as explained in this blog post.

Related

Using ASP.NET Forms Authentication and PostgreSQL

I have an ASP.NET C# WebForms application built using the following:
Mono
Apache
PostgreSql
NPGSQL
OS Linux
Because those platforms are used, a custom user/role management system was written for the application login.
One of the features we need is to redirect a visitor if they try to access a page if they have not logged in to the application.
I have been researching Forms Authentication.
As expected, almost everything I find uses the ASP.NET built-in tools that are prominently used in Windows environments (which is not necessarily the case in my application).
My question is: can Forms Authentication be used in my scenario? Or is there another approach I could take to accomplish the same result?
PLEASE NOTE: Before marking this as a possible duplicate question notice my environment is not the normal ASP.NET stack.
Using [Sessions] is my solution.
This Stack Overflow question gives a really good explanation.
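The Forms Authentication route the question asks about, as an added example that is not the poster's code: `FormsAuthentication` lives in System.Web, which Mono ships, so the redirect-to-login behaviour works unchanged on the Mono/Apache stack and only the credential check against PostgreSQL has to be your own. The table `app_user` and its columns, the hashing scheme, and the class name are assumptions made for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;
using Npgsql;

// Added example, not the poster's code. Assumed schema (constructed for the example):
//   CREATE TABLE app_user (username text PRIMARY KEY, salt bytea, hash bytea, iterations int);
// Assumed web.config:
//   <authentication mode="Forms"><forms loginUrl="Login.aspx" timeout="30" /></authentication>
//   <location path="Members"><system.web><authorization><deny users="?" /></authorization></system.web></location>
// With that in place an anonymous request for /Members/* is redirected to Login.aspx
// by System.Web itself, on Mono as on Windows.
public static class PgFormsAuth
{
    // PBKDF2-HMAC-SHA1 via Rfc2898DeriveBytes: in the base class library since .NET 2.0
    // and implemented by Mono, so no extra package is needed.
    public static bool VerifyPassword(string password, byte[] salt, int iterations, byte[] expected)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
        {
            byte[] actual = kdf.GetBytes(expected.Length);
            return FixedTimeEquals(actual, expected);
        }
    }

    // Constant-time comparison so a wrong password does not leak how many
    // leading bytes of the hash matched.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static bool ValidateUser(string connectionString, string username, string password)
    {
        using (var conn = new NpgsqlConnection(connectionString))
        using (var cmd = new NpgsqlCommand(
            "SELECT salt, hash, iterations FROM app_user WHERE username = @u", conn))
        {
            // Parameterised: the username never reaches the SQL text.
            cmd.Parameters.AddWithValue("@u", username);
            conn.Open();
            using (var rdr = cmd.ExecuteReader())
            {
                // Unknown user and wrong password take the same path and give
                // the same answer to the caller.
                if (!rdr.Read()) return false;
                var salt = (byte[])rdr["salt"];
                var hash = (byte[])rdr["hash"];
                int iterations = Convert.ToInt32(rdr["iterations"]);
                return VerifyPassword(password, salt, iterations, hash);
            }
        }
    }

    // Call from the Login.aspx button handler.
    public static void Login(HttpContext ctx, string connectionString, string username, string password)
    {
        if (ValidateUser(connectionString, username, password))
        {
            // Issues the forms ticket cookie and sends the user to ReturnUrl
            // (or the default page). No persistent cookie.
            FormsAuthentication.RedirectFromLoginPage(username, false);
        }
        else
        {
            // Do not distinguish "no such user" from "bad password".
            ctx.Response.Write("Invalid username or password.");
        }
    }
}
```

If you stay with sessions instead, the same two properties still matter: the credential check must be parameterised and compared in constant time, and the "logged in" marker must be something the client cannot forge, which is exactly what the forms ticket (signed with the machineKey) gives you for free.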

Debugging Dot Net Website as Domain Normal User

We are developing an ASP.NET website, API and MVC project using Visual Studio. Currently the systems we're using are using a local administrator account. We are now mapping them to a domain user (normal user). However, certain features are not supported by Visual Studio when we do this; importantly:
Debugging applications that run under a different user account, such as ASP.NET websites.
Deploying a web application to Internet Information Services (IIS) on a local computer.
Check MSDN Doc here
Note that deploying to IIS is not an issue for us; however, we're unable to debug the application, and that is a real deal breaker here!
I would like to know how to do debugging for ASP.NET websites when using a domain-mapped normal user.
I know this is not a programming-related question. However, it seems like most .NET programmers are affected by this and I don't know where to ask for help, so I am posting it here. (Suggest if any other site is suitable for this!)
Thank you for your help in advance.
The simple answer, as mentioned in that MSDN document and this SO question, is that you can't.
It might be possible to do it through roundabout ways, such as changing the credentials that the IIS worker, application pool, and related processes run as, but even if it were possible, it wouldn't be supported, and most likely wouldn't be worth the effort. Here are two very old articles that deal with the topic:
https://msdn.microsoft.com/en-us/library/aa289173(VS.71).aspx
http://jameskovacs.com/2006/03/16/debugging-as-a-nonadmin/
It may be more feasible if you're able to run your application in an OWIN (Wikipedia) container running in an alternate (to IIS) host.

What are the things missing in Owin/Katana which is available in ASP.NET?

I am looking to build a small ASP.NET application using WebAPI and an HTML front-end, on .NET 4.0. I need to support authentication, authorization, data access (EF), logging / tracing. It can be an intranet/internet application, so it should support load balancing / clustering.
I am sure if I just go with ASP.NET and IIS I will get all these features. However, I like OWIN's idea of independent async modules and its goal of being a high-performance hosting environment. But how mature is OWIN/Katana, and what functionality is still missing or buggy?
The whole idea of Owin/Katana is to build a lightweight server with only the functions we need. Your question would be better phrased as "What are the things missing in Owin/Katana which are available in IIS?"
The short answer is, IIS is a full-blown server. Many of the websites we develop only require a small fraction of all its functions. It is like shipping a bag of groceries using an 18-wheeler.
If you look at Katana, all functions are modular. Say, if I need WebAPI, I can add in that function. When CORS is needed, I will extend appBuilder with the related functions. So in a sense, we have a fully customizable server. Since all functions can be added in, I would say nothing is missing.
Another thing to mention is that an installation of IIS would require you to run a Windows Server. If you are on a Mac or not on a server version of Windows, you can host your website on Katana or any other OWIN implementation.
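What "only the functions you add" looks like in practice, as an added example that is not the answer's code: a self-hosted Katana pipeline with CORS, a hand-written gate middleware and Web API, and nothing else. It assumes the NuGet packages Microsoft.Owin.Hosting, Microsoft.Owin.Host.HttpListener, Microsoft.Owin.Cors and Microsoft.AspNet.WebApi.Owin, which target .NET 4.5 rather than the 4.0 the question mentions; the API key, header name and class names are placeholders.

```csharp
using System;
using System.Text;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Cors;
using Microsoft.Owin.Hosting;
using Owin;

// Added example, not the answer's code. Assumed packages: Microsoft.Owin.Hosting,
// Microsoft.Owin.Host.HttpListener, Microsoft.Owin.Cors, Microsoft.AspNet.WebApi.Owin
// (.NET 4.5). The key below is a placeholder; load it from configuration in practice.
public static class ApiKeys
{
    static readonly byte[] Expected = Encoding.UTF8.GetBytes("replace-me-with-a-random-key");

    public static bool IsValid(string presented)
    {
        byte[] given = Encoding.UTF8.GetBytes(presented ?? "");
        if (given.Length != Expected.Length) return false;
        int diff = 0;                       // constant-time compare, no early exit
        for (int i = 0; i < given.Length; i++) diff |= given[i] ^ Expected[i];
        return diff == 0;
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Nothing is in the pipeline until you add it. That cuts both ways:
        // the IIS defaults (request filtering, auth modules) are absent too,
        // so every protection below has to be spelled out here.

        // 1. CORS, only because the HTML front end may be served from elsewhere.
        app.UseCors(CorsOptions.AllowAll); // narrow to an explicit CorsPolicy in production

        // 2. Hand-written gate: runs before Web API and short-circuits on failure.
        app.Use(async (ctx, next) =>
        {
            ctx.Response.Headers.Set("X-Content-Type-Options", "nosniff");
            ctx.Response.Headers.Set("X-Frame-Options", "DENY");

            if (!ApiKeys.IsValid(ctx.Request.Headers.Get("X-Api-Key")))
            {
                ctx.Response.StatusCode = 401;
                return;                     // Web API never sees the request
            }
            await next();
        });

        // 3. Web API with attribute routing; controllers are discovered by reflection.
        var config = new HttpConfiguration();
        config.MapHttpAttributeRoutes();
        app.UseWebApi(config);
    }
}

public class PingController : ApiController
{
    [HttpGet, Route("api/ping")]
    public string Get() { return "pong"; }
}

class Program
{
    static void Main()
    {
        // Self-hosted on HttpListener: no IIS and no Windows Server involved.
        using (WebApp.Start<Startup>("http://localhost:9000"))
        {
            Console.WriteLine("Listening on :9000. GET /api/ping with an X-Api-Key header. Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

Order is the whole design: `app.Use` registrations run in the order they are added, so the gate sits before `UseWebApi` and a request that fails it never reaches a controller. Swap the two and every controller action is reachable anonymously, with no error and no warning, which is the flip side of "nothing is missing because you add what you need".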

Can I receive SAML 2.0 message in ASP.NET without WIF?

We are planning to receive a SAML assertion from another website into ours (ASP.NET). No one here has ever worked with SAML. We simply need to verify the signed assertion, decrypt the token containing a user id and, if we can verify it, log them into our site (authenticate/authorize). We are using Forms Authentication for all other authentication. I would like to avoid installing WIF if possible because my understanding is we'd have to install the runtime on all the developers' machines and servers. Our machines are locked down by policy such that it would be a lot of paperwork to get it installed. Are there alternatives to WIF, and are they realistic to use in an enterprise environment? If so, can someone point me in the right direction? A good tutorial, video, book or anything with examples would be helpful. I looked at some third-party components, but I'd have the same issue as with WIF on our servers (not to mention dealing with procurement).
Thanks
Is this an internal or an external-facing application? You may want to check out PingOne.com Application Provider Services (APS) [Note: I work for Ping]. PingOne handles all the SAML protocol stuff for you and provides self-service capabilities, reporting, etc. No need to install WIF... just a few lines of .NET code (or whatever) to integrate with the RESTful service that PingOne provides.
HTH - Ian
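What "verify the signed assertion" amounts to without WIF, as an added example that is not code from the thread or from any vendor: `System.Security.Cryptography.Xml`, which is in the base class library, is enough to check the XML signature, provided you control which element gets verified, which key is used, and which conditions are enforced. It assumes `idpCert` is the IdP's signing certificate provisioned out of band (from its metadata), `expectedAudience` is this SP's entityID, and that the assertion is signed but not encrypted; an `EncryptedAssertion` would first need `EncryptedXml` and the SP's private key, which the example leaves out. Class and method names are the example's own.

```csharp
using System;
using System.Security;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example, not code from the thread. Assumptions: idpCert is the IdP
// signing certificate obtained out of band; expectedAudience is our entityID;
// the assertion is signed, not encrypted.
public static class SamlAssertionVerifier
{
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";
    const string DsNs = "http://www.w3.org/2000/09/xmldsig#";

    // Stock SignedXml resolves "#id" by searching the whole document for any
    // element whose Id/id/ID matches. XML Signature Wrapping abuses that: the
    // signed assertion stays intact somewhere in the document while an
    // unsigned one with the same ID sits where the application reads.
    // Resolving only to the element we chose removes the ambiguity.
    sealed class StrictSignedXml : SignedXml
    {
        readonly XmlElement _only;
        public StrictSignedXml(XmlElement only) : base(only) { _only = only; }

        public override XmlElement GetIdElement(XmlDocument document, string idValue)
        {
            return _only.GetAttribute("ID") == idValue ? _only : null;
        }
    }

    public static string VerifyAndGetNameId(string assertionXml, X509Certificate2 idpCert,
                                            string expectedAudience, DateTime utcNow)
    {
        var doc = new XmlDocument { PreserveWhitespace = true }; // whitespace is part of the digest
        doc.LoadXml(assertionXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", SamlNs);
        ns.AddNamespace("ds", DsNs);

        // Pick the assertion by position (document element), never by
        // "find an Assertion with ID X" across the whole document.
        XmlElement assertion = doc.DocumentElement;
        if (assertion == null || assertion.LocalName != "Assertion" || assertion.NamespaceURI != SamlNs)
            throw new SecurityException("document element is not saml:Assertion");

        var sigNode = assertion.SelectSingleNode("ds:Signature", ns) as XmlElement;
        if (sigNode == null) throw new SecurityException("assertion is not signed");

        var signed = new StrictSignedXml(assertion);
        signed.LoadXml(sigNode);

        // Exactly one Reference, and it must point at this assertion's own ID.
        if (signed.SignedInfo.References.Count != 1)
            throw new SecurityException("expected exactly one signature reference");
        var reference = (Reference)signed.SignedInfo.References[0];
        if (reference.Uri != "#" + assertion.GetAttribute("ID"))
            throw new SecurityException("signature does not reference this assertion");

        // verifySignatureOnly=true: verify with OUR copy of the IdP key and ignore
        // the KeyInfo in the message, where an attacker can embed their own cert.
        if (!signed.CheckSignature(idpCert, true))
            throw new SecurityException("signature verification failed");

        // Validity window (with a little clock skew) and audience restriction.
        var conditions = assertion.SelectSingleNode("saml:Conditions", ns) as XmlElement;
        if (conditions == null) throw new SecurityException("no Conditions element");
        TimeSpan skew = TimeSpan.FromMinutes(3);
        string notBefore = conditions.GetAttribute("NotBefore");
        string notOnOrAfter = conditions.GetAttribute("NotOnOrAfter");
        if (notBefore.Length > 0 &&
            utcNow < XmlConvert.ToDateTime(notBefore, XmlDateTimeSerializationMode.Utc) - skew)
            throw new SecurityException("assertion not yet valid");
        if (notOnOrAfter.Length > 0 &&
            utcNow >= XmlConvert.ToDateTime(notOnOrAfter, XmlDateTimeSerializationMode.Utc) + skew)
            throw new SecurityException("assertion expired");
        var audience = conditions.SelectSingleNode("saml:AudienceRestriction/saml:Audience", ns);
        if (audience == null || audience.InnerText.Trim() != expectedAudience)
            throw new SecurityException("audience mismatch");

        var nameId = assertion.SelectSingleNode("saml:Subject/saml:NameID", ns);
        if (nameId == null) throw new SecurityException("no Subject/NameID");
        return nameId.InnerText.Trim();
    }
}
```

Two things the routine deliberately leaves to the caller: record each accepted assertion ID and refuse it again inside its validity window (replay), and, when the assertion arrives wrapped in a `samlp:Response` in the `SAMLResponse` form field, base64-decode the original bytes, verify the Response-level signature if the IdP signs there, and hand the assertion element over still chosen by fixed position. Only after `VerifyAndGetNameId` returns should the NameID go into `FormsAuthentication.SetAuthCookie`, which is the "log them into our site" step the question describes.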

How to publish our Webservices

I have created a web service and I need to publish it. I need to host it, and authenticated users need to access my services using ASP.NET 2.0.
I'm not sure if you are asking for an alternative, but I've been experimenting with this code that seems to work well on codeproject.com (CP).
If your question is on security, perhaps this article on CP is a useful start.