Unable to verify Identityserver3 issued tokens - identityserver4

We have upgraded Identityserver3 to Identityserver4 and we are using IdentityServer3.AccessTokenValidation in API endpoints to verify jwt tokens.
After the upgrade we are unable to verify tokens issued by IdentityServer3.
We are able to use IdentityServer4.AccessTokenValidation by using the option LegacyAudienceValidation = true; to support tokens from Identityserver3 and Identityserver4.
IdentityServer4.AccessTokenValidation is based on .NET Core which we are not using. It is not an option to upgrade all our API endpoints to .NET Core and we need to be able to support Identityserver3 issued tokens.
How can we enable our existing API endpoint to support tokens issued by identityserver3 and identityserver4. Most of our API endpoints are based on Microsoft OWIN and .NET Framework 4.5.1.

Related

What exact token validation is done by Microsoft.Identity.Web’s aspnet core middleware?

I am building an aspenet core application that uses AAD (B2c later on) to authenticate users.
I understand that OAuth2 and OpenID Connect JWT tokens must be validated. It is very important.
I am going through this code example:
https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-3-AnyOrg/TodoListService/Startup.cs#L34
The example uses this Microsoft.Identity.Web's middleware for authentication.
services.AddMicrosoftIdentityWebApiAuthentication(Configuration)
.EnableTokenAcquisitionToCallDownstreamApi()
.AddInMemoryTokenCaches();
Which of the following validations is done by the above middleware?
Validate JWT's signature
Validate not before and expiration time
Validate nonce
Is there any documentation that confirms what exact validations are done automatically by Microsoft.Identity.Web and what type of validation I need to do manually (I think issuer claim is a manual code)
Microsoft.Identity.Web - The main package. Required by all apps that use Microsoft Identity Web
Microsoft recommends you use the Microsoft.Identity.Web NuGet package when developing a web API with ASP.NET Core.
It has lot of dependecies you can check the detailse from this Link
One of Dependecies is for .NetCoreApp3.1 is Microsoft.AspNetCore.Authentication.JwtBearer (>= 3.1.18)
The JwtBearer middleware, like the OpenID Connect middleware in web apps, validates the token based on the value of TokenValidationParameters. The token is decrypted as needed, the claims are extracted, and the signature is verified. The middleware then validates the token by checking for this data:
Audience: The token is targeted for the web API.
Sub: It was issued for an app that's allowed to call the web API.
Issuer: It was issued by a trusted security token service (STS).
Expiry: Its lifetime is in range.
Signature: It wasn't tampered with.
for more information you can follow this MS documention.

AngularJS with ASP.NET Web API and Azure AD Single SignOn using msal

I have an asp.net web api and angularjs(1.4.x) app and planning to use Azure AD for authentication and single sign on feature. Most of the examples are using ADAL, which is deprecated as per Microsoft. Can anyone share some examples of what changes need to be done in Web api and AngularJS app?
Migrate ADAL.js to MSAL.js for Azure AD Authentication for AngularJS+ASP.NET Core application.
You could try #azure/msal-angularjs for AngularJS SPA
When migrating ADAL.js to MSAL.js, you need to use #azure/msal-angular that is based on Microsoft identity platform v2.0.
Below is the example using MSAL Angular and call a .NET Core web API.
Example : https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/3-Authorization-II/1-call-api
Reference Guide Based on SO Thread: https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-compare-msal-js-and-adal-js
https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-net-migration

creating a web application with Microsoft AD SAML

I have implemented OAUTH 2.0 authentication with MSAL libraries as below.
clientApplication.getAuthorizationRequestUrl(parameters).toString(); to invoke authorization endpoint and
clientApplication.acquireToken(authorizationCodeParameters) to aquire token from authorization code.
Now I have to implement the same flow for SAML V2.0 protocol too and need some help from the Microsoft team in finding related libraries with which I can invoke /saml2/ endpoint and fetch saml assertions.
I'm using Spring boot 2.2.
Thanks in advance
There are no official Microsoft SAML libraries.
There is a list of client-side libraries.

How use Windows Login in Winforms application to access SAML Service Provider

I'm working with a company that has a WinForms application running on a corporate windows network. The application currently connects to a web application server that has its own private username/password store. The web app server has JSP based UIs, but also has some web services which support JWT based authentication.
The company would like to use use accounts from its windows domain to authenticate the users rather than using a separate set of usernames and passwords. The company's domain has an AD FS server and the web application is a SAML service provider.
The question is, is it possible to use the identity information from the original windows login to get a SAML token from ADFS and then use that token to talk to web services on the web application machine?
We're looking at Windows Identity Foundation built into the .net framework as a possibility. Open ID Connect also seems like a possibility, but we don't want to have to present the user a web page for them to log in; we want to use the original windows login identity information to automatically grant access to the service provider.
Is this possible?
SAML support is already built into the web application, but if necessary we could add support for OpenID Connect.
ADFS does have the ability to generate JWT tokens but sadly not for SAML.
There is no way to convert a SAML token to a JWT one that is signed.
SAML doesn't really have support for web API / web services.
WS-Fed does but it's WCF not web API.
The easiest way is to convert to OpenID Connect. That does deliver a JWT token that you can use to authenticate to a web API. You need ADFS 4.0 to do this.

Consuming Saml2.0 in MVC5 .net frame work 4.5 (Saml2.0 token is generated by F5 BigIp tool)

Current State of web application:
We have an existing web application designed in AngularJs, MVC5. Authentication is happening against our custom database.
SignIn:
We did over ride Microsoft.AspNet.Identity.UserManager and other source classes to talk to our database to get user related information.
adding the results to System.Security.Claims.ClaimsIdentity.
Passing on to "Microsoft.Owin.Security.IAuthenticationManager.SignIn(params System.Security.Claims.ClaimsIdentity[] identities)
What I need SSO:
We would like to move the auhentication to SSO with SAML 2.0 token as we are planning to integrate 2 new vendors into our web application
Identity Provider:
We are implementing Identity provider in F5 Big Ip which does the authentication by providing the login page and generates the saml2 token. Our web application would be configured as Service provider. On redirect to the web application it will pass on the saml2.0 token.
Consuming SAML2.0 in MVC .net framework 4.5.2
All my application would need is to consume saml2.0 token and integrate with existing authentication pipeline.
Things to do:
Meta data from Identity provider has public key to decrypt saml2.0 token and as well a key which is used to sign the meta data file
My assumption would be parse the request for SAML 2.0 token and verify if the token is valid and use the data from the attributes and query the database for more details and insert the results into "System.Security.Claims.ClaimsIdentity" and use the existing signin operation.
Need to figure out how to configure the principle.. and do we still need Microsoft.AspNet.Identity.UserManager.
Research:
In visual studio we had identity and access tool which doesnt exist from vs2013.
Went through the article on windows identity foundation and claims identity principle
www.codeproject.com/Articles/504399/Understanding-Windows-Identity-Foundation-WIF
I know wif support saml2.0 token but not saml2 protocols.
Here are the third party tools that was suggested to be used
http://nzpcmad.blogspot.co.nz/2013/06/saml-saml-connectivity-toolkit.html
I am not sure just to consume do I need to used one of the tool? As we have our IDP configured in F5 bigip and not designed in .net
Another good article I found
http://www.primaryobjects.com/2013/08/08/using-single-sign-on-with-windows-identity-foundation-in-mvc-net/
Also saw some suggestions about Saml2SecurityTokenHandler to process saml2.0 token.
I appreciate if someone can direct me to simpler solution to integrate to my existing web app. Just need to consume saml2.0 token and integrate with existing claims based authentication.
OK - then you have to use a SAML stack as per the link you used.
Have a look at Kentor - there's some examples on the site plus I did a write up
Update:
The way SAML works is that the client needs to send an AuthnRequest to the IDP, then the user authenticates and then the IDP sends a AuthnResponse to the client. The response contains the SAML token which contains the assertions (claims).

Resources