Regarding Time out error in ITfoxtec Identity Saml 2.0 - itfoxtec-identity-saml2

I have to implement the single sign-on functionality in my project. But once I have downloaded ITfoxtec Identity Saml2 project from Github and run the asp.net core project I have to face error like the below screen.
Please revert me on the same as soon as possible.

The solution contains a test identity provider (IdP) project called TestIdPCore. The other test applications in the solution are relaying parties and therefore depends on the TestIdPCore application being running before they can start.
You can either start multiple projects at the same time or ensure that TestIdPCore is running before you start another test application.

I have started multiple projects TestIdpCore and TestWebAppCore.
Once I click on the TestWebAppCore Login link I have to face error like "Sequence contains no elements"
https://i.imgur.com/CoawPM2.png

Related

Message "Unable to unprotect message.State" when scaling IdentityServer4

When running a single instance of IdentityServer4, we can login with another identity provider succesfully. As soon as we create several instances of IdentityServer4, the same process fails after the user authenticated if the result is handled by a different server.
The message "Unable to unprotect message.State" is written to the logs even though ASP.NET Core DataProtection API is configured correctly to run in a multi server environment.
In addition to ASP.NET Core DataProtection, some components of IdentityServer4 rely on ASP.NET Core distributed caching. In our case, the following call registered a component that relies on IDistributedCache:
services.AddOidcStateDataFormatterCache();
In the default implementation, an in-memory-cache is used which leads to the problem.
After removing the line, IdentityServer4 works in the multi server deployment.
An alternative would be to configure distributed caching to work in a multi-server environment as described here.

Which Nuget package for Active Directory should I use?

I built an Azure WebAPI. I did not create the project with Authentication at the time it was first created. I added Active directory Authentication based on a code sample from Microsoft. It utilizes Microsoft.IdentityModel.Clients.ActiveDirectory which I got from NuGet. It works just fine.
I then created a WebAPI from VS 2017 and selected Authentication (using AD) at the time of project creation. It included Microsoft.AspNetCore.Authentication.AzureAD.UI.
I am not sure of the difference between these two NuGet modules nor which is better suited for my Azure WebAPI.
Then comes the modules to use in a .NET WPF client. There is no AuthorizationContext class (and others) in Microsoft.AspNetCore.Authentication.AzureAD.UI. Should I stick with Microsoft.IdentityModel.Clients.ActiveDirectory in the .NET WPF client or are there equivalents in Microsoft.AspNetCore.Authentication.AzureAD.UI?
For your web api project, answer is it depends on what you're trying to do from within the web api. For most simple scenarios where you just need to read/validate tokens, you should be good with the added Microsoft.AspNetCore.Aurthentication.JwtBearer nuget pacakges. More detailed question/answer available in this SO post
In case of your WPF client application although, you won't have much choice. You will need to work with ADAL or MSAL based on which AD version/endpoints you want to use. Also, in case of WPF client more probably than not you will need to acquire a token from Azure AD so internal operations (which library will take care of under the hood e.g. authenticationContext.AcquireTokenAsync) will be a little more involved than just reading the provided token from a header and hence the package.

Map asp.net core 2.0 Identity to existing DB schema

I have built a small web application with asp.net core 2.0 MVC. In this web application, I did not implement any authentication methods so far.
Right now I have an MSSQL database running in the background and I can add/view/edit/delete users from the database.
I adapted this tutorial and followed it pretty closely. However I also added some functionality like localization and stuff, and everything is running pretty smoothly.
My next goal is to enable authentication and authorization. The authentication part shall be straightforward. The goal is that the application will be running as an intranet solution. This means the authentication method just shall check if the Windows User is existing in the previously mentioned database. I don't want to create a separate login. However, it might be that there is a Windows user in the active directory, which is not part of the database. This User should just be able to see a default error page.
I made quite a huge research and I also tried a lot of different stuff, however, I do absolutely not find any "database first" tutorial for this part or any other documentation which explains what to do.
I actually "just" want to teach the asp.net core 2.0 identity framework that it shall look into my user-table and check if the current windows user is existent and if not to forward him to the error page.
A second step would be to load all the roles which this user is assigned to from the mapping table.
Any kind of help would be highly appreciated.
Dosc Microsoft has a lot of posts regarding authentication for ASP.NET Core. Here are some of the links to get you started:
ASP.NET Core Authentication
ASP.NET Core Authentication Identity
and a lot more.

Desktop client flow for MicrosoftAccount access to Azure Mobile Service API

I have followed Adrian Halls book to create a cross platform app with a Mobile Service API backend. I have successfully got unsecured access to the backend working from Android, iOS and Desktop (WPF) clients. I am moving on to adding security to the API using the Authorise attribute. I would like to add social authentication using MicrosoftAccount (formerly passport/Live ID).
Since Adrian wrote his book the Microsoft.Azure.Mobile.Client and the authentication and authorisation landscape seem to have moved on. The samples given in the book no longer build and Microsoft's social authentication and AAD authentication seem to have been rolled into one API.
I have spent days searching for up to date and relevant information but there seems to be lots of stuff on the internet that is either out of date or only shows examples of authenticating using Facebook or Google from Xamarin clients or authenticating against Azure AD.
I am using .NET 4.7 and WPF for the desktop app. I am also using Microsoft.Azure.Mobile.Client V4.0.1. and my questions are:
Should I be using the Microsoft.Identity.Client to authenticate users from my desktop client; and,
If so can someone point me to an example of the client flow that I need to follow, specifically how do I get the authorisation token that I need to pass to the new MobileServiceClient.LoginAsync() function that uses the identification provider and token parameters?
If so can someone point me to an example of the client flow that I need to follow, specifically how do I get the authorisation token that I need to pass to the new MobileServiceClient.LoginAsync() function that uses the identification provider and token parameters?
According to your requirement, you want to use client-flow authentication with MSA. As I known, MSA authentication uses the Live SDK for signing users.
Since Live SDK is deprecated, you could leverage OneDrive SDK for CSharp for logging with MSA, and you could follow the detailed steps for achieving this purpose:
Install the client libraries via NuGet:
Microsoft.OneDriveSDK
Microsoft.OneDriveSdk.Authentication
Log into Microsoft Account Developer Center and create your app, add the native application platform, then Register your app with Microsoft Account.
Then you could follow the code below and add to your WPF application as follows:
For more details about OneDrive SDK for CSharp, you could refer to here and Authentication Adapter for the OneDrive SDK.
UPDATE:
It's my fault. I did not mention that the above code would automatically open a web browser. Per my test, you could configure the parameter returnUrl to https://login.microsoftonline.com/common/oauth2/nativeclient when constructing your MsaAuthenticationProvider instance.
I was in a similar boat - and here is summary from the top of my head - There two security libraries currently in play for authorization- ADAL, and MSAL.
ADAL
This is the first library that came out, and services like B2C must each be handle separately using this library.
MSAL
One security framework to rule them all!
https://github.com/Azure-Samples/active-directory-xamarin-native-v2
This library has a go live license, but technically it's still in Beta.
Head to Mobile.azure.com for the last info in creating a mobile application, and this article on a V2 endpoint.
When you register an application for Authorization - there are two categories a "Converged" application, and a "Live SDK application" ( see https://apps.dev.microsoft.com/#/appList) - why they would choose these names is beyond me to understand. IMPORTANT Translation - Converged application ONLY work with MSAL, the other ONLY works with ADAL. THAT will go a long way for you to get the authentication working, as the Application / Client ID must match the correct SDK, and hence endpoint.
In the end, we chose to stay with ADAL for now as we were having problems with MSAL. MSAL is the future however, as all services will be incorporated, and it should be an easier SDK to use.
Here are some links that I kept, all of which refer to ADAL or MSAL:
http://aka.ms/aadv2
https://azure.microsoft.com/develop/identity
https://learn.microsoft.com/en-ca/azure/active-directory/develop/active-directory-authentication-scenarios#native-application-to-web-api
https://github.com/AzureAD
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet
These links are about month old - HTH

Pure Angularjs Single-Sign Up with ADFS

Does anyone know is it possible to do a single sign up web application with ADFS in a "pure" angularjs enviroment? I am at the point to decide which framework for my next project. One of the main requirement is the ability to do "single sign up" with ADFS, but I don't want to "mix" angularjs with asp.net, just make thing more complicated. I would like to go pure angular without any asp.net framework, is it even possible?
I know there are a lot of questions on this topic, but it seems no one is really answering the question. Is it because it's not doable?
By the way, It is an intranet web application.
The problem is not with your ADFS server, the ADFS protocol itself, AngularJS, JavaScript or the browser.
It's with the way you tell your client-side application that the user is logged in from your server-side application.
As far as I know there is no way to do "pass-through" authentication over HTTP so you will need to have your users go through the preauthentication step.
With ASP.NET you get an access token "for free" because the ASP.NET application runs on a machine that's in the "trusted" ADFS network. Your browser on the other hand is not. The only way for ADFS to know you are who you say you are is to preauthenticate you.
I just implemented it using the Azure Active Directory for JavaScript library. After IT registered my app for me, I was up and running in 10 mins. There is an AngularJs example in the source code. https://github.com/AzureAD/azure-activedirectory-library-for-js
You should also register your development workstation so you can test locally.

Resources