Explanation of IdentityServer4 logout spec - identityserver4

We are using IdentityServer4. We have a Windows 2016 server running ADFS (Active Directory Federation Services) version 4.0. This version of ADFS has OpenID Connect endpoints to do active directory authentication. We set this up as an external oidc provider in IdentityServer4. The authentication works fine. What I'm having an issue with is the logout. The current logout correctly disposes of the identity server and client cookies, but doesn't log the user out of the external provider (ADFS). I upgraded the ADFS server so the metadata endpoint exposes end_session_endpoint, frontchannel_logout_supported, and frontchannel_logout_session_supported properties.
What is the proper way to have our identityserver4 implementation also ask the external provider to perform a logout when it does? I'm a little confused by the spec.
http://docs.identityserver.io/en/release/topics/signout_external_providers.html
http://docs.identityserver.io/en/release/topics/signout.html#refsignout
I'm not sure if the front-channel or back-channel is what I should be looking at in this scenario or if this is even related. The spec also mentions an idp value at authentication time that would indicate to the identity server that an external provider needs a logout as well. Is this what I should be looking at? Little lost. Looking for guidance. Thanks!
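As an added example (not from the question or from the IdentityServer4 docs linked above), this is how the idp claim drives external sign-out in a quickstart-style AccountController, with ADFS registered as an OpenID Connect scheme: the authority, client id, scheme name and callback paths are assumed placeholders, `_interaction` is an injected `IIdentityServerInteractionService`, and a `LoggedOut` action that renders the client sign-out iframe is assumed to exist.

```csharp
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4;
using IdentityServer4.Extensions;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

// Startup.ConfigureServices: ADFS registered as an external OIDC scheme named "adfs".
// Authority, client id and paths are placeholders (assumed), not values from the post.
services.AddAuthentication()
    .AddOpenIdConnect("adfs", "ADFS", options =>
    {
        options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
        // Cookie the handler reads the saved id_token from when building id_token_hint on sign-out.
        options.SignOutScheme = IdentityServerConstants.SignoutScheme;
        options.SaveTokens = true;                           // required: id_token becomes id_token_hint
        options.Authority = "https://adfs.example.com/adfs"; // placeholder; exposes end_session_endpoint
        options.ClientId = "<identityserver-client-id>";    // placeholder
        options.ResponseType = "id_token";
        options.CallbackPath = "/signin-adfs";
        options.SignedOutCallbackPath = "/signout-callback-adfs"; // ADFS returns here after logout
        options.RemoteSignOutPath = "/signout-adfs";              // ADFS front-channel logout hits here
    });

// AccountController.Logout: clear the local session, then hand off to ADFS if it signed this user in.
[HttpPost, ValidateAntiForgeryToken]
public async Task<IActionResult> Logout(string logoutId)
{
    // "idp" is set by IdentityServer at sign-in; "local" means no external provider was involved.
    var idp = User?.FindFirst(JwtClaimTypes.IdentityProvider)?.Value;
    string externalScheme = null;
    if (idp != null && idp != IdentityServerConstants.LocalIdentityProvider
        && await HttpContext.GetSchemeSupportsSignOutAsync(idp))
    {
        // Preserve the logout context so client front-channel sign-out still runs after the round trip.
        if (logoutId == null)
            logoutId = await _interaction.CreateLogoutContextAsync();
        externalScheme = idp;
    }
    if (User?.Identity.IsAuthenticated == true)
        await HttpContext.SignOutAsync();                    // removes the IdentityServer cookie
    var loggedOutUrl = Url.Action("LoggedOut", new { logoutId }); // renders the client sign-out iframe
    if (externalScheme != null)
    {
        // OpenIdConnectHandler redirects to the ADFS end_session_endpoint with id_token_hint and
        // post_logout_redirect_uri, then sends the browser back to loggedOutUrl.
        return SignOut(new AuthenticationProperties { RedirectUri = loggedOutUrl }, externalScheme);
    }
    return Redirect(loggedOutUrl);
}
```

The ADFS side must list the SignedOutCallbackPath URL as an allowed post-logout redirect for the client, otherwise the end_session request is rejected or ADFS never returns the browser.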

Related

IdentityServer4, Swift iOS App and External Identity Provider

IdentityServer newbie here....
I am building a mobile app and would like to provide the end user the ability to sign in using SSO for users that have a corporate identity provider and my company as the identity provider for those that don't have an identity provider.
It's possible that over time we add more external identity providers.
We have an on premise identityServer4 already installed and configured and only using it for client credentials for our API->API communications.
We also have an Azure Active Directory tenant with all of our AD accounts (our internal corporate accounts).
Here is what I would like to do (if possible of course):
Have the mobile app (swift and android, but for now let's just discuss swift) be completely unaware of any external identity providers and have it point to our on-premise identity server for authentication.
Add external identity providers in identity server
Control what external identity providers we "add" all on the backend and not have the UI layer concerned with specific external providers, but have the identity server redirect accordingly.
Not bother the user to have to select which provider to use (if I am a corporate user with an external IDP configured, it should automatically take me to MY e-idp login page, if not then present my own login page)
I am also open to the idea of using Azure identity management as the identity provider and add external identity providers there.
What about Azure B2C?
Can someone please point me in the right direction?
thanks in advance!
You can check this app integrated with AppAuth for iOS. Link in GitHub

Compatibility of ADAL with Azure SQL DB

Customer is trying to establish the connectivity to the DWH using SSO login from a Databricks cluster. If we go to this document: https://learn.microsoft.com/en-us/azure/sql-database/sql-database-spark-connector, it talks about the SQL DB GitHub repository, but this link: https://github.com/AzureAD/azure-activedirectory-library-for-java mentions that MSAL4J is the new authentication library to be used with the Microsoft identity platform, so we need confirmation whether ADAL will work or we need to upgrade to MSAL4J?
You can acquire tokens for Azure SQL DB with ADAL by using the resource:
https://database.windows.net/
If you used MSAL, you'd use this scope:
https://database.windows.net/.default
The main difference between MSAL and ADAL is that ADAL uses the older "v1" endpoint of Azure AD.
You can acquire tokens for any API using either ADAL or MSAL; v2 and MSAL do not allow calling more APIs, etc.
While it is generally recommended to use MSAL now, ADAL should also work fine for you.

How to implement single sign-on using kerberos authentication in azure active directory

Using Azure Active Directory, when I am applying single sign-on for my web application I am able to do the password-based single sign-on successfully.
But when I am doing it with Integrated Windows Authentication (for Kerberos authentication mainly), I am not able to configure it. I am very confused.
Can anybody guide me on how to enable Kerberos authentication for a web application,
or please send me any example links on how to set up Kerberos authentication for web applications.
Thanks!
If you are trying to use Azure AD with Kerberos for Windows Integrated Authentication there was a comment about AADConnect, which has some offerings, especially if you use ADFS for Federated sign-ins. There is also the Azure App Proxy with KCD support

Double Hop with ASP.Net website and NHibernate

Background:
ASP.Net MVC website. Hosted on IIS7, intranet.
Database: SQL Server. Accessed via NHibernate.
In the connection string, access is set to Integrated Security: SSPI.
(Permissions to DB are Active-Directory-based.)
In short, this is a typical double-hop situation,
where I need to pass client's credentials to IIS, and from IIS to SQL Server.
The Problem:
The problem is a yellow screen of death, with the error:
Login failed for user 'MyDomain\UserThatRunsAppPool'.
Things I tried doing to fix The Problem:
Configuring authentication to enable only Windows Authentication
and ASP.NET Impersonation
Setting Windows Authentication Provider to Negotiate:Kerberos
(After disabling Kernel-mode authentication)
Making sure that UserThatRunsAppPool's delegation is set to:
'Trust the user for delegation to any service (Kerberos only)' in Active Directory
Moving the NHibernate SessionFactory creation from Application_BeginRequest()
to Session_Start()
How successful I've been with my attempts to fix The Problem:
Not at all.
EDIT:
I also tried setting IIS server's delegation to 'Trust the user for delegation to any service (Kerberos only)' (in Active Directory).
In short, this is a typical double-hop situation,
where I need to pass client's credentials to IIS, and from IIS to SQL Server.
You've hit upon the "delegation" problem. If you want to remain sane, change your connection string to use a SQL username + password instead of SSPI.
If you feel like two weeks of frustrated debugging and quarreling with your domain admins, read Fun with the Kerberos Delegation Web Site.

Active Directory as OpenID provider?

Can an Active Directory be used as an OpenID provider? WIF is an option, but it's quite complicated and not very widespread.
Yes, you can. Just host an ASP.NET web site that itself uses Active Directory authentication, and exposes an OpenID Provider using DotNetOpenAuth.
ADFS 4.0, available from Windows Server 2016 onwards, allows authentication using OpenID.
There is also OpenID-LDAP server which claims to work with AD LDAP.
Or you can use RedHat Keycloak, which leverages any LDAP or Kerberos Server as a repository to be used with OIDC or even with poor man's auth SAML.