How to protect APIs of external PHP web application with IdentityServer? - identityserver4

I have a PHP application. I wish to centralize AA on IdentityServer. How can I protect the APIs of an external PHP web application?

You have two options.
1. Configure your APIs to trust the Identity Server (not sure whether any IdentityServer library is available for this in PHP; you have to check).
IdentityServer uses JWT token validation anyway, so you can use any JWT token validation library in your PHP API, decrypt the token using the IdentityServer cert (you can get the cert URL from the IdentityServer discovery document) and validate the token parameters.

Related

How use Windows Login in Winforms application to access SAML Service Provider

I'm working with a company that has a WinForms application running on a corporate Windows network. The application currently connects to a web application server that has its own private username/password store. The web app server has JSP-based UIs, but also has some web services which support JWT-based authentication.
The company would like to use accounts from its Windows domain to authenticate the users rather than using a separate set of usernames and passwords. The company's domain has an AD FS server and the web application is a SAML service provider.
The question is, is it possible to use the identity information from the original windows login to get a SAML token from ADFS and then use that token to talk to web services on the web application machine?
We're looking at Windows Identity Foundation, built into the .NET Framework, as a possibility. OpenID Connect also seems like a possibility, but we don't want to have to present the user with a web page for them to log in; we want to use the original Windows login identity information to automatically grant access to the service provider.
Is this possible?
SAML support is already built into the web application, but if necessary we could add support for OpenID Connect.
ADFS does have the ability to generate JWT tokens but sadly not for SAML.
There is no way to convert a SAML token to a JWT one that is signed.
SAML doesn't really have support for web API / web services.
WS-Fed does, but it's WCF, not Web API.
The easiest way is to convert to OpenID Connect. That does deliver a JWT token that you can use to authenticate to a web API. You need ADFS 4.0 to do this.

Does IBM Single Sign On Service allows to use JWT tokens?

Does the IBM Single Sign On service allow the use of JWT tokens, rather than a cookie-based session approach?
I have a web project with a backend in Node.js and a frontend in Angular.js as separate applications, so I would need an SSO that works with JWT tokens.
There are two parts to your question: (1) Does IBM SSO use JWT tokens and (2) Can we use the JWTs as session tokens for an Angular app.
(1)
IBM SSO service has been deprecated in favor of IBM Cloud App ID which manages identity for different types of identities (including anonymous and directory based) as well as profile management. The service is OAuth2/OIDC compliant and so the access and identity tokens that clients obtain are all JWT.
(2) Check out this blog on how to secure an Angular + Node.js app with App ID. An important point here is whether you want to use the JWT you get from App ID as your session token. Remember that your App ID access token gives the bearer capabilities beyond those of the session identity (it gives the bearer access to the /userinfo and /attribute endpoints as well), so unless you are OK with exposing this to your frontend, create and manage your own JWT for the session or use Express sessions.
You want to use the IBM Cloud App ID service, which provides the single sign-on capabilities (the IBM SSO service has been deprecated). It provides OpenID Connect- and OAuth2-compliant authentication. The access and identity tokens are JWTs (JSON Web Tokens).
I would recommend that you check out the related App ID Node.js SDK. There are samples that show integration with the passport framework. I have seen it in use with Angular.js apps.

Identity Server + resource owner credentials + authenticator

I'm working on setting up a new SSO application. I would like to use ASP.NET Identity as a database to store the users' data. I have a ReactJS application hosted on Node.js and a .NET Web API 2 application. I want to protect this Web API 2 using Identity Server with users from its database. In further development I'm going to create a mobile application.
I'm able to create an ASP.NET Identity database with some users and use Resource Owner Credentials, but I have a couple of questions, if anyone could help:
Why are Resource Owner Credentials not recommended? My current workflow is to hit the API with client, user and password and obtain a token, which I store in the web layer and use in Web API requests. The Web API validates the tokens and identifies the user. I read on the IS page that this is not recommended, so what's the recommended scenario to authenticate the user?
How can I create an authenticator for mobile? Should I create my own certificate issue, store it in the database as a thumbprint and use the access token for that?
Thanks
In short, Resource Owner requires the credentials to be passed through the application itself; also, RO doesn't give you SSO. Here's a longer answer. The recommended scenario is to use the hybrid flow with PKCE enabled.
Look up TOTP. I believe it is implemented in AspNetCore.Identity with some examples.

Consuming SAML 2.0 in MVC5 .NET Framework 4.5 (SAML 2.0 token is generated by F5 BIG-IP)

Current State of web application:
We have an existing web application designed in AngularJS and MVC5. Authentication happens against our custom database.
SignIn:
We overrode Microsoft.AspNet.Identity.UserManager and other source classes to talk to our database to get user-related information,
added the results to System.Security.Claims.ClaimsIdentity,
and passed it on to Microsoft.Owin.Security.IAuthenticationManager.SignIn(params System.Security.Claims.ClaimsIdentity[] identities).
What I need SSO:
We would like to move the authentication to SSO with a SAML 2.0 token, as we are planning to integrate 2 new vendors into our web application.
Identity Provider:
We are implementing the Identity Provider in F5 BIG-IP, which does the authentication by providing the login page and generates the SAML 2.0 token. Our web application would be configured as the Service Provider. On redirect to the web application it will pass on the SAML 2.0 token.
Consuming SAML 2.0 in MVC .NET Framework 4.5.2
All my application would need is to consume the SAML 2.0 token and integrate with the existing authentication pipeline.
Things to do:
Metadata from the Identity Provider has a public key to decrypt the SAML 2.0 token, as well as a key which is used to sign the metadata file.
My assumption would be to parse the request for the SAML 2.0 token, verify that the token is valid, use the data from the attributes to query the database for more details, insert the results into System.Security.Claims.ClaimsIdentity and use the existing sign-in operation.
Need to figure out how to configure the principal, and do we still need Microsoft.AspNet.Identity.UserManager?
Research:
In Visual Studio we had the Identity and Access tool, which doesn't exist since VS2013.
Went through the article on Windows Identity Foundation and the claims identity principal:
www.codeproject.com/Articles/504399/Understanding-Windows-Identity-Foundation-WIF
I know WIF supports SAML 2.0 tokens but not the SAML 2.0 protocols.
Here are the third-party tools that were suggested to be used:
http://nzpcmad.blogspot.co.nz/2013/06/saml-saml-connectivity-toolkit.html
I am not sure whether, just to consume the token, I need to use one of the tools, as we have our IdP configured in F5 BIG-IP and not designed in .NET.
Another good article I found
http://www.primaryobjects.com/2013/08/08/using-single-sign-on-with-windows-identity-foundation-in-mvc-net/
Also saw some suggestions about Saml2SecurityTokenHandler to process the SAML 2.0 token.
I would appreciate it if someone could direct me to a simpler solution to integrate into my existing web app. I just need to consume the SAML 2.0 token and integrate it with the existing claims-based authentication.
OK, then you have to use a SAML stack as per the link you used.
Have a look at Kentor; there are some examples on the site, plus I did a write-up.
Update:
The way SAML works is that the client needs to send an AuthnRequest to the IdP, then the user authenticates and then the IdP sends an AuthnResponse to the client. The response contains the SAML token, which contains the assertions (claims).

Identity Server 3 AngularJS with .Net Web API

We are planning to integrate Identity Server3 in SPA page application using AngularJS with .Net Web API.
1) Need to create an identity token and an OAuth token for the application and store the identity token in a browser cookie. So taking the hybrid approach and needing to map the identity to create the OAuth token, so both users and the API are protected. Able to create the OAuth token, but struggling with how to authenticate using a custom login page (not using the IdentityServer3 login page) where the user ID and password are validated from the AngularJS page, and then create the identity token and store it in a browser cookie.
Has anyone implemented a custom login approach with identity token creation using IdentityServer3?
2) How to integrate identity Server3 with Active Directory as user data store?
Please provide comments.
Thanks
Regards
Ramkumar.C
For Active Directory(AD) user store, implement Identity Server as a Relying Party to your AD implementation. You can then simply integrate it within Identity Server as an external Identity Provider. Details on how to do this are in the official documentation: https://identityserver.github.io/Documentation/docsv2/configuration/identityProviders.html.
I assume you'll be doing this over WS-Federation, so you'll need to use the Microsoft.Owin.Security.WsFederation package.
If you want to use just AD as your user store, you can disable local logins in the IdentityServerOptions, set AD as the only Identity Provider for your client using the IdentityProviderRestrictions property, or pass the idp value in acr_values when calling the authorization endpoint.
Regarding custom log in page external to Identity Server, many people have asked about this on the Identity Server issue tracker. Some have made implementations, but FYI: the team behind Identity Server do not recommend this approach.
