What is the best approach to achieve saml2.0 in ASP.NetCore2.1 MVC application?
i am using Sustainsys.AspNetCore2.1Saml2 nuget, below is code. but the EntityId in it requires System.IdentityModel.dll 4.0 sounds like i am not able to run the application it shows below error.
Code
services.AddAuthentication()
.AddSaml2(options =>
{
options.SPOptions.EntityId = new EntityId("https://localhost:44349/Saml2");
options.IdentityProviders.Add(
new IdentityProvider(
new EntityId("http://localhost:59410//Metadata"), options.SPOptions)
{
LoadMetadata = true
});
options.SPOptions.ServiceCertificates.Add(new X509Certificate2("Sustainsys.Saml2.Tests.pfx"));
});
i am getting below error
You can support SAML 2.0 in ASP.NET Core 2.1 by using ITfoxtec Identity Saml2. NuGet package: https://www.nuget.org/packages/ITfoxtec.Identity.Saml2.MvcCore/
Project https://itfoxtec.com/IdentitySaml2 and code samples https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/tree/master/test
Related
I am currently working on a Tab application for Microsoft Teams and have stumbled upon the extension called TeamsFx which enables easy retrieval of an authentication token from Teams without the need of prompting the user every time. Likewise, I used the Teams Toolkit extension for Visual Studio to get started. The project is implemented with .NET 5.0.
What I need, is to use the same authentication token retrieved from Teams inside the tab to then access a web API that is implemented in the same project. I have spent two full days trying to work this issue out with pretty much no result. I can retrieve an authentication token via TeamsFx, but simply using this as the bearer auth token in my web api did nothing but it telling me that the signature was wrong.
I have tried adding something like this to my Startup class:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApi(Configuration, "AzureAd");
,but then it threw an exception because the TeamsFx library has already done the same with this call:
services.AddTeamsFxSimpleAuth(Configuration);
In previous Web API projects I have been able to set up Azure AD authentication to the site, and pretty seemlessly add the [Authorize] tag to any WebAPI classes and it just worked.
I hope that someone can save me from my own insanity ;D
Best,
//F_
I think this is the same question which created in Github, it is already answered and got the solution.
https://github.com/OfficeDev/TeamsFx/issues/1363
Since we only got JavaScript version of microsoft/teamsfx sdk, so we including webpack to wrapper it and using JSRuntime to trigger it in Blazor.
The webpack source code is in JS/src/index.js, you could add these code to get SSO token
export async function getSsoToken() {
var credential = new TeamsUserCredential();
var token = await credential.getToken("");
return token;
}
Then under JS folder , run 'npm install' and 'npm run build' to webpack the code and refresh the webpack file (wwwroot/teamsfx.js).
Finally you could using JSRuntime trigger the new func you just added in TeamsFx.cs.
await jsRuntime.InvokeAsync<AccessToken>("TeamsFx.getSsoToken");
I'm running some tests with MSAL but unfortunately it's not working as expected.
I had all configured for an ASP.NET MVC (.net 4.6) + Angular 1.6 SPA application with ADAL and ADAL Angular. All worked just fine but then I decided to try MSAL.
My configured provider's OnValidateIdentity handler in Startup.Auth.cs was being hit correctly with ADAL and I could add additional claims:
Provider = new OAuthBearerAuthenticationProvider
{
OnValidateIdentity = async context =>
{
Now that I changed to MSAL for Angular JS, I'm getting the ID Token and the Access Token but my OnValidateIdentity handler is not being hit anymore.
Is using app.UseWindowsAzureActiveDirectoryBearerAuthentication still valid when using MSAL?
app.UseWindowsAzureActiveDirectoryBearerAuthentication(
new WindowsAzureActiveDirectoryBearerAuthenticationOptions
{
.
.
.
MSAL is meant to be used with converged/v2.0 application registrations, while ADAL is usually meant to be used with v1.0 App registrations,
You should create a new application using the new portal in portal.azure.com if you're trying to migrate to the v2 endpoint. In addition to that these docs go over creating a v2.0 App Registration : https://learn.microsoft.com/en-us/graph/auth-register-app-v2
Please refer to this resource for more information on migrating from v1 to the v2 endpoint. https://azure.microsoft.com/en-gb/resources/samples/active-directory-dotnet-v1-to-v2/
In regards to the specifics of using app.UseWindowsAzureActiveDirectoryBearerAuthentication
// NOTE: The usual
WindowsAzureActiveDirectoryBearerAuthenticaitonMiddleware uses a
// metadata endpoint which is not supported by the v2.0 endpoint. Instead, this
// OpenIdConenctCachingSecurityTokenProvider can be used to fetch & use the OpenIdConnect
// metadata document.
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
{
AccessTokenFormat = new JwtFormat(tvps, new OpenIdConnectCachingSecurityTokenProvider("https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration")),
});
This is referenced from the startup.cs : https://github.com/AzureADQuickStarts/AppModelv2-NativeClient-DotNet/blob/a69a4cb41e821f0ea8dddc937ea401a03e2f49fe/TodoListService/App_Start/Startup.Auth.cs
Some more good reading that does a bit of a comparison between the v1/v2 sample apps can be found here : https://simonlamb.codes/2017/02/27/net332-introduction-to-authentication-on-azure-active-directory/
I am trying to figure out how to search for users in Okta using the SDK and .net core in C#. outside of .net core I am able to do this using Okta.Core but that is not supported in .NET Core. I can't find any documentation for doing this stuff in .NetCore using the SDK.
I can get the OktaClient connected no problem with my API token but after that I am lost now.
Anyone have an example of doing this in Core or can point me in the right direction to get documentation from Okta?
Looking thought the Okta documentation I found the below code, where the client is the Okta client. Hopefully this helps:
Getting A User
// have some user's ID, or login
var someUserId = "<Some User ID String or Login>";
// get the user with the ID or login
var vader = await client.User.GetUserAsync(someUserId);
We have a new application which is having ReactJS as front end and back end is .NET Core API.
A requirement is to authorize the windows logon user with respect to Active Directory.
The .NET Core API will be doing the Authorization part.
We have used the following code in .NET Core API but it is returning the ID under which the App-Pool of .NET Core API is running. We tried setting the API on Windows Authentication enabled but it did not work as well.
dynamic userIdentity = WindowsIdentity.GetCurrent();
dynamic userPrincipal = new WindowsPrincipal(userIdentity);
string Admin = _configuration["AppUserRoles:Admin"];
result = userPrincipal.IsInRole(Admin);
I have changed the code to the following:
dynamic userIdentity = WindowsIdentity("UserID");
dynamic userPrincipal = new WindowsPrincipal(userIdentity);
string Admin = _configuration["AppUserRoles:Admin"];
result = userPrincipal.IsInRole(Admin);
We need to pass the the UserID from ReactJS to the API Layer.
In ReactJS I have tried the following:
var path = require('path');
var userName = process.env['USERPROFILE'].split(path.sep)[2];
var loginId = path.join("domainName",userName);
But this is not working in ReactJS.
Is there a way we can fetch the Windows Logon ID in React JS and pass it to the API layer for authorization?
We were able to get this done by the following approach:
under IIS we hosted the website as follows:
Added a website ReactJSWeb.
i. Added .NETCore virtual directory under the ReactJS website.
Both Main website and Virtual directory had Authentication set as Windows Authentication Enabled.
In .NET Core API - authentication module we added a Attribute [Authorize] on the class and added the following code in the method:
using Microsoft.AspNetCore.Authorization;
dynamic userIdentity = WindowsIdentity(**User.Identity.Name**);
dynamic userPrincipal = new WindowsPrincipal(userIdentity);
string Admin = _configuration["AppUserRoles:Admin"];
result = userPrincipal.IsInRole(Admin);
This worked and we are now able to do the Authorization properly based on the Active Directory security group the user is part of.
Is it possible to share what you did to have client authenticated following that approach? I'm getting crazy with a similar scenario like yours...
I very appreciate that.
Great docs and samples for IdentityServer4. And likewise for Nancy. But running into some issues getting Nancy + IdentityServer4 together. Anyone done this yet? When I add this to the API Startup:
app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
Authority = "http://localhost:55555",
RequireHttpsMetadata = false,
ApiName = "MyAPI"
});
It fails to resolve UrlEncoder when the service starts up. Plus I'm not sure how to configure the authorization requirements in Nancy modules. Any direction appreciated.
Add Url encoder here
Identity setup
Module setup