I'm not really seeing a lot of documentation but I have implemented external authentication and external providers. But what's missing for me is:
How does one configure a client application to point to the federation gateway?
How do you configure identity server to be federation gateway?
Does the authentication manager somehow decide what provider to use?
My own research has led to this:
https://www.identityserver.com/articles/identityserver4-ws-federation-and-sharepoint/
https://github.com/IdentityServer/IdentityServer4.WsFederation
Identity Server v3 as Federation Gateway only
Let me know, thanks.
Okay, from my own discoveries and searches for answers, I'm coming to find out that a federation gateway is a type of system architecture used to hide and shield how connections are made to external providers. This is true of Identity Server 4. Identity Server can act as a client to these external providers.
If you need to implement that specification with Identity Server 4, you will need to code your own plug-in to communicate over that protocol. Luckily, Scott Brady (link above) showed us a way to accomplish that. If you're using Identity Server 3, the team made their own plugin for you to grab from NuGet.
More information later as I get through this. Wish me luck.
Is there a "best" way of achieving this?
Basically I want to leverage my company's Azure AD tenant to build a fully featured internal application. Using Microsoft Graph, I can retrieve users via their identifier guids, and use the identifiers as foreign keys for various tables in our on premises database, instead of having a dedicated User table, which would need to be populated and synced up with the AD. There are many other prospective uses for Graph, but leveraging users is the priority right now.
A large chunk of my application is built already. I am able to lock down my client app using the package react-aad-msal, requiring users to authenticate through single-sign-on. I have also successfully been able to pass that token back to the protected .NET Core API, accessing various endpoints as the authenticated user.
From here, I am not sure how I can develop the calls to Microsoft Graph. At which point should I make the connection? Should the client application connect to both the on-prem API, as well as Graph? Or should it only connect to the on-prem, which would then connect to Graph? Curious to know the pros and cons of either method.
I've also heard tell that Microsoft is working on their own package, @azure/msal-react, and that react-aad-msal should no longer be used (as it only supports MSAL 1.0 and not 2.0; I have no idea which version is better for my needs). While msal-react is still in development, apparently I should be using @azure/msal-browser. But I cannot find a good example of a React app using msal-browser to authenticate.
Here is a Sample on how to use MSAL with React to call Microsoft Graph.
The only difference in your case will be that instead of calling Microsoft Graph, you will call your own API.
Bottom line is: there is no direct integration package yet for React, which can also be read from the official statement on the msal-js repo:
"After our current libraries are up to standards, we will begin balancing new feature requests, with new platforms such as react and node.js."
You can also use .net core instead. Please go through the sample here which can help.
I'm trying to follow this tutorial here, but I can't complete the verification step (#4). My domain provider doesn't allow me to add a DNS record of type AAAA. I tried contacting my domain provider, but they say it's not supported. Is there another workaround I could do? Should I try using another cloud hosting service like Azure?
You can use the features and capabilities that Cloud DNS offers. No need to switch cloud hosting services.
Cloud DNS is a high-performance, resilient, global Domain Name System (DNS) service that publishes your domain names to the global DNS in a cost-effective way.
Migrate an existing DNS domain from another DNS provider to Cloud DNS.
Then, Managing Records will make it easy for you to add and remove a record. This is done by using a transaction that specifies the operations you want to perform. A transaction supports one or more record changes that are propagated together.
Update
I would also check out Google Domains, which is a fairly new service (still in Beta) and allows you to register your domain name and works like a charm.
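The record-set transaction flow the answer above refers to, as an added example that is not part of the original answer: it stages the AAAA record the asker's provider could not add and applies it atomically. It assumes the gcloud CLI is installed and authenticated, and that the managed zone (placeholder name example-zone) already exists in your project.

```shell
#!/bin/sh
# Added example: publish an AAAA record in a Cloud DNS managed zone using a
# record-set transaction (start -> add -> execute). Assumes gcloud is installed
# and authenticated; "example-zone" is a placeholder zone name.
# GCLOUD can be overridden (e.g. GCLOUD=echo) to dry-run the commands.
GCLOUD="${GCLOUD:-gcloud}"

# Minimal sanity check: accept only hex groups and colons, so a stray IPv4
# address or hostname never ends up in an AAAA record by mistake.
is_ipv6() {
    case "$1" in
        *[!0-9A-Fa-f:]*|"") return 1 ;;
        *:*) return 0 ;;
        *) return 1 ;;
    esac
}

# add_aaaa_record ZONE FQDN IPV6 [TTL]
# Opens a transaction, stages the AAAA record, then executes the transaction so
# the change is propagated as one unit. FQDN must carry a trailing dot.
# Returns 2 on bad input, 1 if a gcloud step fails (transaction is aborted).
add_aaaa_record() {
    zone="$1"; name="$2"; addr="$3"; ttl="${4:-300}"
    is_ipv6 "$addr" || { echo "not an IPv6 address: $addr" >&2; return 2; }
    case "$name" in
        *.) ;;
        *) echo "record name must be fully qualified (trailing dot): $name" >&2; return 2 ;;
    esac
    "$GCLOUD" dns record-sets transaction start --zone="$zone" || return 1
    if ! "$GCLOUD" dns record-sets transaction add "$addr" \
            --name="$name" --ttl="$ttl" --type=AAAA --zone="$zone"; then
        "$GCLOUD" dns record-sets transaction abort --zone="$zone"
        return 1
    fi
    "$GCLOUD" dns record-sets transaction execute --zone="$zone"
}
```

Run it as `add_aaaa_record example-zone www.example.com. 2001:db8::1`; the constructed values are placeholders for your own zone, record name and address.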
We are planning to implement seamless single sign-on between our consumer websites and need the features below:
All our external users should be on a separate Active Directory domain.
Users should get seamless sign-on between Java and .NET applications.
The login screen should look different for each website, i.e. a different header & footer based on the relying party's region and URL.
Password reset should be self-service.
We are not sure whether ADFS 3.0 is the right solution for us. I did some research on ADFS features and could not find any direct documentation supporting the above features.
If ADFS 3.0 is good enough, please guide me on how we can achieve these features.
While you can do some customization via JavaScript evaluation of the URL to identify the RP, this is not a scalable solution with ADFS 2012 R2 (3.0). Please check out ADFS 2016 (4.0), which is imminently close to RTM, where we add support for this. You can validate on a TP5 build of Server 2016.
Check the "Assigning custom web themes per RP" section at https://technet.microsoft.com/windows-server-docs/identity/ad-fs/operations/ad-fs-user-sign-in-customization.
Tweet me @MrADFS if you need more help.
Thanks
//Sam (@MrADFS)
To answer some questions:
2) Yes - as long as your Java and .NET applications are claims-based.
3) As per @MrADFS, OOTB for ADFS 4.0 (Server 2016). Or else, refer to Customizing the AD FS sign-in pages per relying party trust.
4) Yes - refer to ADFS: Expired password and the link inside it.
I have done end-to-end configuration for IdP and SP in PingFederate. The SAML Response is generated at the IdP and the same is received at the SP. But I want the response to be at my local server in order to use the user's attributes for my logic. Could anyone tell me how it can be achieved?
I just get openToken at the target resource I configure in Ping Federate.
Thanks,
Aswini J
In PingFederate terminology, what you are trying to accomplish is last mile integration after the SAML assertion is processed by the PingFederate server operating in the SP role. There are two approaches that work best for providing subject & attribute information via last mile integration, mainly the Agentless Reference ID Integration Kit or the OpenToken Integration Kit. If your application is Java, .NET, or PHP, there are examples of the integration available from Ping.
The simplest configuration is to read attributes from the SAML assertion into the OpenToken and then use the OpenToken Integration Kit (PHP, Java, or .NET), which is an agent library in your application. The documentation for the OpenToken Integration Kit shows the code to write to read the OpenToken within your application. The configuration in the PingFederate SP server will need an SP Adapter and IdP Connection where the SAML assertion values are mapped into the OpenToken, which is also in the OpenToken documentation.
In short, you can't. Also, you don't want the actual response, because your application would then need to know what kind of protocol message it is receiving from your partner (SAML 1.1, 2.0, WS-Fed, OIDC) and handle it correctly. To make life simpler for developers integrating their applications with PF, Ping provides a variety of Integration Kits to abstract that protocol data from your application. PF handles the complexity of the standards-based messaging, and your application only needs to decrypt and pull the authenticated user information (attribute/value pairs) out of the OTK that you're currently using within PF. You can configure the SP Adapter in your IdP Connection to include all kinds of identity information that is included in the SAMLResponse received. I would refer to the OpenToken Integration Kit as a starting point.
I have built an ERP for a small company using MS Access (front end) and SQL Server 2008 R2 as the database. Now one of their clients is implementing "SAP Business One", and I am asked to provide a web service for that SAP to query our database for stock availability.
I don't really know where to start. I have seen there are native web services in SQL Server, but MS seems to be discontinuing that.
From what I have googled, I understand that REST is not appropriate, because we want the service to be restricted to identified clients, so we would have to go for SOA and WCF?
Is that correct or stupid?
I am looking for links / books, or very simple code samples (if that exists).
I have already found Good starting point for learning to create ASP.NET SOAP web services and https://stackoverflow.com/q/296040/78522.
Any suggestion welcome, thanks.
Edit: just for the info, I have found these 2 links quite useful, especially the 1st one, which is really "quick and practical", ideal for a total newbie in the field.
on w3schools.com
on siteduzero.com (in French)
Windows Communication Foundation
Windows Communication Foundation Walkthrough
https://stackoverflow.com/questions/386801/wcf-book-recommendations
I understand that REST is not appropriate, because we want the service to be restricted to identified clients.
This is not correct. REST services can have security, and most of them that I'm aware of do. The common ways to do this are:
Use HTTP authentication (basic or digest). Most languages will already have libraries to handle this for you.
Define some other way of logging in. Some REST services accept a username and password and return a cookie. Some use OAuth. Twitter is a good example of this.
Don't use login at all, just validate that the client has some sort of token or password (probably sent as a cookie).
Use any other form of security that works over HTTP.