Implement SAML2 for multiple IDPs w/ .Net Core 5 MVC - itfoxtec-identity-saml2

I am wanting to use your software ITfoxtec Identity Saml2 to implement SAML2 for multiple IdPs with .NET Core 5 MVC.
I only see examples for a single configuration within the appsettings.json file and want to know if your software will support multiple configurations and/or how to authenticate from different IdPs.
Thanks for your assistance.

You can implement support for multiple IdPs yourself and thereby get around the appsettings.json file problem. I have answered a question about multiple IdPs support, and two related answers about multiple tenants and multiple certificates.
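One way to do this, as an added example that is not part of the answer above or of the ITfoxtec project's own samples: hold one Saml2Configuration per IdP and select it from a route value the application controls, so nothing inside the SAML response decides which configuration validates it. The dictionary registration, IdP names and routes are assumptions.

```csharp
// Added example, not code from the ITfoxtec project or the answer above.
// Assumes: ITfoxtec.Identity.Saml2 and ITfoxtec.Identity.Saml2.MvcCore are referenced,
// services.AddSaml2() is called in Startup, and one Saml2Configuration per IdP (Issuer,
// SingleSignOnDestination, AllowedIssuer, SignatureValidationCertificates, ...) is bound
// from its own appsettings.json section and registered in the dictionary injected below.
using System.Collections.Generic;
using System.Threading.Tasks;
using ITfoxtec.Identity.Saml2;
using ITfoxtec.Identity.Saml2.MvcCore;
using ITfoxtec.Identity.Saml2.Schemas;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[AllowAnonymous]
[Route("Auth")]
public class AuthController : Controller
{
    // Hypothetical registry keyed by a short IdP name the app controls ("contoso", "fabrikam").
    private readonly IReadOnlyDictionary<string, Saml2Configuration> idps;

    public AuthController(IReadOnlyDictionary<string, Saml2Configuration> idps) => this.idps = idps;

    // GET /Auth/Login/contoso : build the AuthnRequest with that IdP's configuration.
    [HttpGet("Login/{idp}")]
    public IActionResult Login(string idp)
    {
        if (!idps.TryGetValue(idp, out var config)) return NotFound();
        var binding = new Saml2RedirectBinding();
        return binding.Bind(new Saml2AuthnRequest(config)).ToActionResult();
    }

    // POST /Auth/AssertionConsumerService/contoso : each IdP is registered with its own
    // ACS URL, so the route (not anything inside the SAML response) selects the configuration.
    [HttpPost("AssertionConsumerService/{idp}")]
    public async Task<IActionResult> AssertionConsumerService(string idp)
    {
        if (!idps.TryGetValue(idp, out var config)) return NotFound();
        var httpRequest = Request.ToGenericHttpRequest();
        var binding = new Saml2PostBinding();
        var saml2AuthnResponse = new Saml2AuthnResponse(config);

        binding.ReadSamlResponse(httpRequest, saml2AuthnResponse);
        if (saml2AuthnResponse.Status != Saml2StatusCodes.Success)
            return Unauthorized(); // the IdP reported a failure; nothing to validate

        // Unbind validates signature, audience and AllowedIssuer against this IdP's
        // configuration only, so a response from IdP A posted to IdP B's ACS URL is rejected.
        binding.Unbind(httpRequest, saml2AuthnResponse);
        await saml2AuthnResponse.CreateSession(HttpContext);
        return Redirect("~/");
    }
}
```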

Related

Is Identity Server 4 NIST compliant?

We have a set of applications consisting of Asp.Net MVC websites, single page applications and Asp.Net Web APIs. We're planning to use Identity Server 4 to secure them. But before we proceed, we want to know whether it's NIST compliant or not. Will it create any issue during a security audit?

Map asp.net core 2.0 Identity to existing DB schema

I have built a small web application with asp.net core 2.0 MVC. In this web application, I did not implement any authentication methods so far.
Right now I have an MSSQL database running in the background and I can add/view/edit/delete users from the database.
I adapted this tutorial and followed it pretty closely. However, I also added some functionality like localization and stuff, and everything is running pretty smoothly.
My next goal is to enable authentication and authorization. The authentication part shall be straightforward. The goal is that the application will be running as an intranet solution. This means the authentication method just shall check if the Windows User is existing in the previously mentioned database. I don't want to create a separate login. However, it might be that there is a Windows user in the active directory, which is not part of the database. This User should just be able to see a default error page.
I did quite a lot of research and I also tried a lot of different stuff; however, I absolutely cannot find any "database first" tutorial for this part or any other documentation which explains what to do.
I actually "just" want to teach the asp.net core 2.0 identity framework that it shall look into my user table and check if the current Windows user exists and, if not, forward him to the error page.
A second step would be to load all the roles which this user is assigned to from the mapping table.
Any kind of help would be highly appreciated.
Microsoft Docs has a lot of posts regarding authentication for ASP.NET Core. Here are some of the links to get you started:
ASP.NET Core Authentication
ASP.NET Core Authentication Identity
and a lot more.

Web API OAuth external login without using any Asp.Net Identity tables?

I am developing an AngularJS application with some Asp.Net Core Web API support. This application is not using any database in backend. Now I want to implement a social login option for some privileged access. What is the best authentication mechanism without using any Asp.Net Identity tables?
As far as I know OpenIddict is coupled with Asp.Net Identity, so I must implement a storage mechanism for that. Please correct me if I am wrong. I am also looking for other options like ASOS, but it is too complicated compared to OpenIddict, so I couldn't find a good solution with that.
Kevin Chalet published an excellent article but still I am struggling because of my poor technical knowledge on this subject.
http://kevinchalet.com/2016/07/13/creating-your-own-openid-connect-server-with-asos-introduction/
Can you please guide me?

Authenticate against Active Directory in .NET Core 1.0 application?

With the recent release of .NET Core 1.0, we're in the process of migrating our RC1 applications to the final release. The only piece we can't seem to figure out is how to integrate Active Directory authentication.
Previously in the RC1 applications, we had used the System.DirectoryServices.AccountManagement library to handle the LDAP authorization queries. However, we can no longer mix this library with .NET Core v1.
Generally, what is the best way to integrate Active Directory authentication into our applications using the libraries available for use in the .NET Core framework? IdentityServer, some other third party service like Auth0 or something else?
The Novell.LDAP library has been ported to .NET Core you can find it in NuGet. There are numerous samples available, including a verify password sample.
Best is subjective; really there's only one way right now, given the missing DirectoryServices namespace (which is planned for 1.1) - federation.
You'd have to install ADFS, and expose it to the internet. Then you configure it to act as an OAuth2 endpoint, and use the generic OAuth middleware to redirect logins to your ADFS server. You could also install the latest ADFS beta, which needs the latest Windows Server beta, and use OpenID Connect, but that's a lot of beta risks you may not find acceptable.
Or, if you just want the latest MVC pieces, run it on .NET Desktop, where you have full access to the directory services namespace.
The System.DirectoryServices namespace is currently being implemented in .NET Core, work is ongoing.
https://github.com/dotnet/corefx/issues/2089
Just want to say that they just issued a pre-release of Microsoft.Windows.Compatibility which contains the System.DirectoryServices components needed to integrate with Active Directory:
https://www.nuget.org/packages/Microsoft.Windows.Compatibility/2.0.0-preview1-25914-04

SAML (Security Assertion Markup Language) - Can this be implemented via network infrastructure

I've possibly got to implement SAML for a couple of sites we have and I was wondering if this kind of requirement can be implemented in infrastructure technologies like Active Directory, or do I have to implement the solution in application code?
Cheers
Ollie
I think ADFS supports this so you shouldn't have to write any code. Just do some configuration tweaking.
AD FS implements the standards-based WS-Federation protocol and Security Assertion Markup Language (SAML).
http://msdn.microsoft.com/en-us/library/bb897402.aspx
However, you might need to tweak some code based on how the domains and usernames are handled. For example, if the app just uses the username as a key and there's another guy in a different domain/directory with the same username then you'll have problems. If they use domain/username, then it would be less of a problem, but you might still have collisions based on how the user authentication and lookups are handled.
There are some commercial products provided by Ping Identity and RSA (EMC) that do some of the SAML work for you, too.
Note that I'm a dev and not an AD/networking guy (so I could be wrong about AD stuff), but I'll be working with this in the near future to integrate some of my intranet sites with our various sibling companies/divisions who are on different networks/directories.
Just to clarify, ADFS leverages the SAML token but is NOT interoperable with the SAML protocol. Since you need to support SAML for your websites, then you'd need to implement the same SAML protocol as your SSO partners will be using - either 2.0, 1.1 or 1.0.
We have a lot of info about SAML in the information library portion of our website: http://www.pingidentity.com/information-library/index.cfm
Of course, we also offer a simple and secure solution for these requirements - PingFederate.