What's the difference between the AzureAD scheme and the OpenId "aad" scheme? - azure-active-directory

I'm working on IdentityServer4. I used Microsoft.AspNetCore.Authentication.AzureAD.UI for Microsoft login, and I see there is also the OpenIdConnect extension (AddOpenIdConnect("aad", ...)) for Microsoft login.
They both work the same in a client, but not when I set up an instance of IdentityServer like IS4 demo.io, because if I use AzureAD.UI the idp is "AzureAD" and if I use the OpenIdConnect extension the idp is "aad". Are they the same?

They're different packages. The former depends on the latter.

Related

How to authenticate a Windows Forms client using SAML?

I have been looking into using an identity provider (IDP) to provide user authentication for a Windows Forms client. The user credentials will be hosted by Auth0. After creating a trial account with Auth0 I have downloaded a sample C# Windows Forms client application that can be used to authenticate to the Auth0 IDP using OpenID Connect ("OIDC"). The WinForms sample application pops up a web browser component, displays the Auth0 login screen, I login to the Auth0 IDP (having setup some test credentials in Auth0) and the WinForms application then is sent an authentication token. All well and good, and if I try to login a second time I no longer need to enter my credentials.
However... the company that I will be fetching authentication data from in production would like to use SAML. Is there any way to do this? Based on what I have read, SAML needs a "Service Provider" that will receive credentials from the IDP. The Service Provider is (typically?) a web site. That does not seem to match very well with what I am trying to do (authenticate a windows client). Is there any way of using SAML to do essentially what I have done using OIDC (fetch authentication information for a user from an IDP)? Would I need to develop a separate Service Provider component for this?
Sounds like what you've done so far is fine architecturally:
- A modern desktop app following OIDC standards
This puts you in a good position architecturally, where:
- Your app gets tokens from Auth0 using OIDC
- Auth0 can reach out and do federated authentication with other standards-based identity providers, which could be SAML, OIDC, WS-Federation or anything else
- This can be done without changing any code in your app - and your app does not need to understand SAML
Feels like you need to set up a federated connection from Auth0 to the SAML Service Provider, and most commonly this involves these steps:
- You give the partner your Entity Id and Response URL, to post tokens to
- They give you an Entity Id, Public Key Certificate and request URL
- You configure rules around account linking, so that users can be matched between their system and yours
There are prerequisites though, and the external identity provider needs to be SAML 2.0 compliant. My Federated Logins Article may help you to understand the general concepts, though I do not drill into SAML details there.

Does LDAP support SAML 2.0 requests?

I am working on a project where we are planning to use SAML 2.0 to send authentication requests to OpenLDAP. Can someone please tell me if it's supported or not? I am not able to get a clear answer via Google.
SAML and LDAP are completely different things. SAML is mostly used for Web-based SSO. The identity provider (IdP) part of the access manager software/system you're using (i.e., the one that implements SAML authentication authority) may use a back-end LDAP server (e.g., OpenLDAP) for authenticating users.

Can an azure active directory domain be federated with an openid connect IdP like identityserver and does this support Azure AD Join

We currently have a solution where Azure AD domains are federated with our ADFS server. This solution uses the WS-Trust and WS-Fed protocols. WS-Fed is used for the passive auth flow in the browser; WS-Trust (the usernamemixed endpoint) is used for AAD-joined Windows 10 devices.
Unfortunately for us, ADFS does not provide us with all the customization options that we need. Therefore we are looking into moving to a custom IdP. IdentityServer looks like a good fit. Unfortunately the last version of IdentityServer to support WS-Trust is IdentityServer2. I'm currently trying to get this to work, but I would much prefer to leave the WS-* protocols behind completely and move to OpenID Connect.
One thing I noticed during my experiments is that the PowerShell command Get-MsolDomainFederationSettings shows a field OpenIdConnectDiscoveryEndpoint. Does that mean that I can federate my Azure domain with OpenID Connect?
Another thing that I noticed is that the Azure AD-joined Windows 10 machine was unexpectedly calling an OpenID discovery endpoint on my IdentityServer. That gave a 404 because I don't have it configured. But just the fact that it was called leads me to hope that AAD join could support OpenID Connect.
Is this possible?
The short answer is yes. Both ADFS (2016) and Azure AD support OpenID Connect, and you can certainly use them as the ultimate IdP in an IDS4 implementation.

Can MSAL be used with my own authority (e.g. IdentityServer)

I have my own identity authority set up using the Identity Server.
I'm running a native Windows application and currently I'm using IdentityModel's OidcClient library to connect to the authority and obtain the token.
I want to add support for Azure AD, and since I haven't been able to set up the application on Azure AD to use the HybridWithProofKey flow, and found this MSAL, I've decided to give it a shot.
In MSAL there is a PublicClientApplication class which accepts the string authority in its constructor (source).
When passing my URL in this constructor I imagined it would use the discovery service, find the correct endpoints and do its job. But to my surprise this doesn't work.
I get following error message:
AADSTS50049: Unknown or invalid instance.
Searching the MSAL GitHub repo for AADSTS50049 returned zero results. I've cloned the project and started debugging.
I've figured out that the request is sent to my authority URL, but instead there is a GET request on
GET https://login.microsoftonline.com/common/discovery/instance?api-version=1.0&authorization_endpoint=https%3A%2F%2Fmyidentityserverhostname%2Fidentityserver%2Foauth2%2Fv2.0%2Fauthorize HTTP/1.1
This request is done in this source and it returns the error above.
So, is MSAL intended to be used with non-Azure authorities?
No. It's a proprietary client library for their proprietary backend.
Yes it can.
You need to use the Azure B2C library; it can be configured with other identity providers, like Facebook, Google, LinkedIn etc.
There is also an option to utilise a custom IDP, if it conforms to OpenID.
See here.
https://go.microsoft.com/fwlink/?linkid=854174
Using MSAL.NET with a non-MS OpenID Connect provider is unnecessary, as Microsoft.AspNetCore.Identity provides sufficient support for social logins and other OIDC providers.
Also, vendors of custom OpenID Connect servers provide their own extensions (see the IdentityServer docs and OpenIddict samples).
As per this official example, MSAL is not required if you're only signing users in. They claim:
MSAL is used for fetching access for accessing protected APIs
BTW, if you're interested in MSAL.JS, then it's a completely different story – https://stackoverflow.com/a/73618966/968003.

IdentityServer4 with Active Directory as an Identity Provider for SSO

Anyone know if the following is possible?
IdentityServer4 with Active Directory as an Identity Provider — How?
Extra claims and roles using IdentityServer4 that link back to an AD user — How?
Yes, it is possible to use AD as an identity provider in IdentityServer. Take a look at mclark1129's IdentityServer4.Samples repo for an example. You can see the claims being generated in the AccountController.
While this example uses Azure AD, it is using it as a generic OpenIdConnect provider. Provided you are using a version of AD and Active Directory Federation Services (ADFS) which supports OpenIdConnect, you can configure it as an upstream OpenIDConnect identity provider.
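The following is an added example (not code from any of the posts above, nor from the mclark1129 sample repo) that ties together the first question on this page (why the idp claim reads "AzureAD" with AddAzureAD but "aad" with AddOpenIdConnect("aad", ...)) and this last one (AD/ADFS as an upstream OpenID Connect provider, with roles carried into the local session). It targets the IdentityServer4 v3 API on ASP.NET Core 3.1. The tenant id, client id and secret are placeholders, the callback path and the "roles" claim name are assumptions, and LocalSubjectFor is a hypothetical helper standing in for whatever account-linking logic a real deployment has.

```csharp
// Added example: external OpenID Connect provider (Azure AD or ADFS 2016) in an
// IdentityServer4 host. The scheme name passed to AddOpenIdConnect is what
// IdentityServer records as the "idp" claim; AddAzureAD from the AzureAD.UI
// package registers the scheme "AzureAD" instead, which is the only reason the
// two approaches produce different idp values for the same user.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();
        services.AddIdentityServer()
            .AddDeveloperSigningCredential() // dev only; use a real key in production
            .AddInMemoryIdentityResources(new IdentityResource[] { new IdentityResources.OpenId() })
            .AddInMemoryClients(new Client[0]);

        services.AddAuthentication()
            // "aad" is the scheme name -> becomes the idp claim after Callback below.
            .AddOpenIdConnect("aad", "Azure AD / ADFS", options =>
            {
                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
                options.SignOutScheme = IdentityServerConstants.SignoutScheme;
                // Assumed upstream: Azure AD v2 endpoint. For ADFS 2016 use https://<adfs-host>/adfs.
                // Both publish /.well-known/openid-configuration, so the handler discovers endpoints itself.
                options.Authority = "https://login.microsoftonline.com/<tenant-id-placeholder>/v2.0";
                options.ClientId = "<client-id-placeholder>";
                options.ClientSecret = "<client-secret-placeholder>";
                options.ResponseType = "code";     // authorization code flow
                options.UsePkce = true;            // no implicit/hybrid tokens in the browser
                options.CallbackPath = "/signin-aad"; // assumption; must match the redirect URI registered in AD
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType = "name",
                    RoleClaimType = "roles" // assumption: AD app roles are issued in a "roles" claim
                };
            });
    }
}

public class ExternalController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;
    public ExternalController(IIdentityServerInteractionService interaction) => _interaction = interaction;

    // Hypothetical account-linking helper: a real deployment would look up or create a
    // local user record keyed by (provider, providerUserId) instead of concatenating.
    private static string LocalSubjectFor(string provider, string providerUserId) => $"{provider}:{providerUserId}";

    [HttpGet]
    public IActionResult Challenge(string scheme, string returnUrl)
    {
        var props = new AuthenticationProperties
        {
            RedirectUri = Url.Action(nameof(Callback)),
            Items = { { "returnUrl", returnUrl }, { "scheme", scheme } }
        };
        return Challenge(props, scheme); // scheme = "aad" here
    }

    [HttpGet]
    public async Task<IActionResult> Callback()
    {
        // Read the temporary external cookie the OIDC handler wrote after validating the AD token.
        var result = await HttpContext.AuthenticateAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
        if (result?.Succeeded != true) return Unauthorized();

        var externalUser = result.Principal;
        var provider = result.Properties.Items.TryGetValue("scheme", out var s) ? s : "aad";
        var providerUserId = externalUser.FindFirst(ClaimTypes.NameIdentifier)?.Value
                             ?? externalUser.FindFirst("sub")?.Value;
        if (providerUserId == null) return Unauthorized(); // never sign in a user without a stable id

        // Extra claims from the AD token (e.g. app roles) are copied into the local session;
        // everything else is dropped, so only explicitly allow-listed claims reach clients.
        var extraClaims = externalUser.Claims.Where(c => c.Type == "roles" || c.Type == "name").ToList();

        var user = new IdentityServerUser(LocalSubjectFor(provider, providerUserId))
        {
            DisplayName = externalUser.FindFirst("name")?.Value,
            IdentityProvider = provider, // this value is what clients see as the "idp" claim
            AdditionalClaims = extraClaims
        };
        await HttpContext.SignInAsync(user);
        await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);

        // Only follow return URLs that IdentityServer knows or that are local, to avoid open redirects.
        var returnUrl = result.Properties.Items.TryGetValue("returnUrl", out var r) && r != null ? r : "~/";
        if (_interaction.IsValidReturnUrl(returnUrl) || Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return Redirect("~/");
    }
}
```

If the same host also calls AddAzureAD from the AzureAD.UI package, its handler registers under AzureADDefaults.AuthenticationScheme ("AzureAD"), so two sessions for the same directory user would carry different idp values unless the callback normalizes the provider name. Keeping a single registration per upstream directory avoids that.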
