Is Identity Server 4 NIST compliant? - identityserver4

We have a set of applications consisting of Asp.Net MVC websites, Single page applications and Asp.Net Web APIs. We're planning to use Identity Server 4 to secure them. But before we proceed, we want to know whether it's NIST complaint or not? Will it create any issue during security audit?

Related

Implement SAML2 for multiple IDPs w/ .Net Core 5 MVC

I am wanting to use your software ITfoxtec Identity Saml2 to implement SAML2 for multiple IDPs w/ .Net Core 5 MVC
I only see examples for a single configuration within the appsettings.json file and want to know if your software will support multiple configurations and/or how to authenticate from different IDPs.
Thanks for your assistance.
You can implement support for multiple IdPs you self and thereby get around the appsettings.json file problem. I have answered a question about multiple IdPs support. And two related answers multiple tenant and multiple certificates.

Map asp.net core 2.0 Identity to existing DB schema

I have built a small web application with asp.net core 2.0 MVC. In this web application, I did not implement any authentication methods so far.
Right now I have an MSSQL database running in the background and I can add/view/edit/delete users from the database.
I adapted this tutorial and followed it pretty closely. However I also added some functionality like localization and stuff, and everything is running pretty smoothly.
My next goal is to enable authentication and authorization. The authentication part shall be straightforward. The goal is that the application will be running as an intranet solution. This means the authentication method just shall check if the Windows User is existing in the previously mentioned database. I don't want to create a separate login. However, it might be that there is a Windows user in the active directory, which is not part of the database. This User should just be able to see a default error page.
I made quite a huge research and I also tried a lot of different stuff, however, I do absolutely not find any "database first" tutorial for this part or any other documentation which explains what to do.
I actually "just" want to teach the asp.net core 2.0 identity framework that it shall look into my user-table and check if the current windows user is existent and if not to forward him to the error page.
A second step would be to load all the roles which this user is assigned to from the mapping table.
Any kind of help would be highly appreciated.
Dosc Microsoft has a lot of posts regarding authentication for ASP.NET Core. Here are some of the links to get you started:
ASP.NET Core Authentication
ASP.NET Core Authentication Identity
and a lot more.

How to share the same ClientId in two different environments (sandbox and production)

I'm developing an API using IdentityServer4 for authentication. I have already configured the stores to use EF Core and I'm using Asp.Net Identity too.
To improve the experience of the users, we want them to try our API on sandbox after signing up and offering them an autogenerated ClientId and ClientSecret. Once they want to go to production, we want to generate another ClientSecret for the production environment.
In other words, we want to reuse the ASP.NET Identity user and the IdentityServer client except for the secret.
We have different urls, databases, etc. for sandbox and production. Currently we are using two different IdentityServer servers and databases, but we are considering to share the same IdentityServer server and database for both environments.
Is this scenario supported in any way?
EDIT 1:
As stated on a comment to the response of travis.js, environments should be called live and sandbox instead of production and sandbox, as both environments are production ready to my clients.
EDIT 2:
The app embedding IdentityServer and Asp.Net Identity is the app that will manage the sign up, so the live and sandbox API will ask this app for authentication.
You'll run into problems trying to reuse the same the IdentityServer app/db under different urls. The hostname of your IdentityServer instance part of what make it unique and authoritative. One instance can't have two different authority names to my knowledge.
Sounds like a basic data migration issue, i.e., you just need to some of the sandbox config data moved up the production database.
Whatever app handles the user registration and "go live" features can do that work. It would just need access to both databases.

Web API OAuth external login without using any Asp.Net Identity tables?

I am developing an AngularJS application with some Asp.Net Core Web API support. This application is not using any database in backend. Now I want to implement a social login option for some privileged access. What is the best authentication mechanism without using any Asp.Net Identity tables?
As far I know OpenIddict is coupled with Asp.Net Identity So that I must implement a storage mechanism for that. Please correct me if I am wrong. I am also looking for other options like ASOS but it is too complicated compared to OpenIddict so I couldn't find a good solution with that.
Kevin Chalet published an excellent article but still I am struggling because of my poor technical knowledge on this subject.
http://kevinchalet.com/2016/07/13/creating-your-own-openid-connect-server-with-asos-introduction/
Can you please guid me?

A starting point to create a web service?

I have built an ERP for a small company using MS-Access (front end) and SQL Server 2008 R2 as database. Now one of their clients is implementing "SAP Business one" and I am asked to provide a web service for that SAP to enquire our database for stock availability.
I don't really know where to start. I have seen there are native web services in SQL Server, but MS seems to discontinue that.
From what I have googled, I understand that REST is not appropriate, because we want the service to be restricted to identified clients, so we would have to go for SOA and WCF ?
Is that correct or stupid ?
I am looking for links / books, or very simple code samples (if that exists).
I have already found Good starting point for learning to create ASP.NET SOAP web services and https://stackoverflow.com/q/296040/78522.
Any suggestion welcome, thanks.
Edit: just for the info: I have found these 2 links quite usefull, specially the 1st one, which is really "quick and practical", ideal for a total newbie in the field.
on w3schools.com
on siteduzero.com (in French)
Windows Communication Foundation
Windows Communication Foundation Walkthrough
https://stackoverflow.com/questions/386801/wcf-book-recommendations
I understand that REST is not appropriate, because we want the service to be restricted to identified clients.
This is not correct. REST services can have security, and most of them that I'm aware of do. The common ways to do this are:
Use HTTP authentication (basic or digest). Most languages will already have libraries to handle this for you.
Define some other way of logging in. Some REST services accept a username and password and return a cookie. Some use OAuth. Twitter is a good example of this.
Don't use login at all, just validate that the client has some sort of token or password (probably sent as a cookie).
Use any other form of security that works over HTTP.

Resources