I'm very new to LDAP and Active Directory and I'm probably understanding something completely wrong.
I know ASP.NET Identity and forms authentication (however, I'm also quite new to that) and my question is actually if it is possible to use certain features you can use with forms authentication (explanation further below) with Active Directory.
I'm building an MVC web application and I'd like to authenticate my users against Active Directory. That would be possible with ADFS. The template you get when using ASP.NET Identity in VS2013 uses passive authentication. Is it however possible to not do this redirect to the Active Directory domain but create a custom login page for the user?
Is it also possible to do user management with Active Directory like that is possible with forms authentication? I was thinking about:
A page where the user can register himself
Ability for the user to change his password (I know this is possible with ADFS, but the user may not be logged in. I want him to do this when he's logged in, with a self-made page.)
Logging in on a new computer should ask for a code specified in an email
Set up password policy in the application
... (Other things that I might have forgotten)
When these things aren't implicitly possible with Active Directory, please advise on how to configure the application to acquire this functionality (when possible with Active Directory).
Thank you very much in advance for helping me!
EDIT 1:
To leave my question not too open, I maybe better just start with that custom login page. When I understand it well, the normal flow when using ADFS to authenticate your users against is:
A user tries to access a web page of an application for which he needs to be authenticated
(Passive) redirect to a login page provided by ADFS -> user enter his AD credentials
ADFS returns token
Token is sent to the web application (that ADFS trusts)
When the web application thinks everything is ok, it stores an authentication cookie in the user's browser (I guess), and the user can access the web page
What I would like:
A user tries to access a web page of an application for which he needs to be authenticated
Redirect to a login page of that same web application where the user can enter his credentials
The entered credentials are sent to ADFS (I guess) and it returns something (a token?) with information about whether the login succeeded or not (This step could be preceded by a call to some (self-made) service (a Web API application) that multiple client applications could use for their authentication against the same directory)
When the login succeeded, the web application stores a cookie in the user's browser and the user is able to access the page
I don't know if that makes sense? I'm just wondering how companies that use Active Directory to store user information can still have a custom login page, registration page and other user management stuff. (Or don't they use AD but do they just have their own databases?)
Normally if you want a custom login page you use an ADFS active profile implementation (e.g. WCF) to do the authentication.
User provisioning is not part of ADFS. To do this you need an Identity Manager e.g. PingFederate, OpenIDM.
If you are using ADFS 2.0 or 2.1, you can customize the pages (because they run on IIS) and add these features or redirect to a separate website which does.
Most of what you want is OOTB AD functionality. Refer: Everything in Active Directory via C#.NET 3.5 (Using System.DirectoryServices.AccountManagement).
Password policy can be extremely complex. I don't know of any API's that explicitly do this.
If you are using ADFS 3.0, these is no ISS so you are pretty much out of luck.
It's not really an answer to my question here, but if someone is interested in what I eventually did: you can read it (very briefly) here.
Related
TLDR: Which is the correct way to check for login states across multiple web pages, a SPA or a Web App.
I'm looking to develop an internal staff website for a company I'm working with. We currently have a SPA configured and developed and working properly but as we are adding more features I'm thinking that we are going to need more than one single page.
Correct me if I'm wrong, but this is my current understanding of MSAL.js with SPAs. Let's say a end-user is attempting to access our staff page at [company].com/home, if the user has not authenticated with their account that is stored in our Azure AD, the end-user can authenticate only for that page and their session state can be stored in the local storage, so when they access [company].com/home, their login can be acquired silently and the end-user will not have to log in again. If they do not have an account, they will not be able to access any page.
Also, by this logic, if the end-user accesses [company].com/staffresources, they will have to also login for this page as well, in addition to the cached login for [company].com/home, and the same will follow for each page throughout the website. At least, that is my understanding, correct?
I do see that there is an option for a Web App, would this solve the issue to where the end-user would have to authenticate each seperate page that they attempt to connect to? Or is there a way to check for a login state using a SPA, if the user has not been authenticated, they are can be redirected to a [company].com/login.
Any direct links to proper documentation for a solution would also be greatly appreciated.
localstorage is segmented by domain, not by each individual page. If a user signs in with msal.js on [company].com/login they will be signed on every page under the [company].com domain.
I am using IdentityServer3 for authentication. The indetityserver has 3 applications configured.
https://www.app1.com
https://www.app2.com
https://www.app3.com
A user is registered for all 3 applications. Currently user has to goto respective application url (for eaxample https://www.app1.com), which redirects user to identityserver for authentication and upon authentication user get redirected back to app web site.
Is there way to configure IdentityServer where user directly goes to identyserver, get authenticated and then identityserver list all the applications that user has access to? Here user would choose application he wants to login into.
Give your users a link to the IdentityServer login page. After login, display a form (with tiles or links or something) where the user can choose the application.
Make sure that the link to the application sends the user to a secured page (or a method where you challenge the user). This would cause the application to redirect the user to IdentityServer, which notices that the user is already identified (cookie), returns to the application where the user is automatically logged in.
In case the user wants to quit the application, redirect back to the tiles page to choose another application.
Please note that a user is not specifically bound to one application. Once logged in, the user can access all applications. If you want to allow specific access, you may want to solve this with claims.
P.S. I didn't notice you are using IdentityServer3 as you also tagged this as IdentityServer4. But I would expect this would work the same for both versions.
New to Azure AD... So please don't be too harsh if this is off target. :-)
Technology Stack - Latest Angular 2 with C# Middle tier and latest .Net Framework.
Ideally, What we want to do is use Azure AD B2C to store user credentials and to do the authentication - but we want our 'own' forms on our site to do the login Forms capture and logging - then pass the credentials through an API (REST?) Call (using MS Graph SDK?) to Azure AD B2C and then check the call return for the Authorization content message.
Couple of reasons - control of the application flow, Logging and the "flickering of the URL" (i.e. going from our site URL to login.microsoft... URL and then back to our sites URL).
Is this doable without doing a hack?
Thank you in advance for your help and patience!
You are looking for the "Resource Owner Password Credentials".
This is not currently supported for Azure AD B2C, but you can give user feedback to the B2C team that you want this through the Azure Feedback Forum: Add support for Resource Owner Password Credentials flow in Azure AD B2C and headless authentication in Microsoft Authentication Library
You should also see updates at that location if and when they implement this feature.
The resource owner password credentials flow is now in preview.
In Azure Active Directory (Azure AD) B2C, the following options are
supported:
Native Client: User interaction during authentication happens when
code runs on a user-side device. The device can be a mobile
application that's running in a native operating system, such as
Android, or running in a browser, such as JavaScript.
Public client flow: Only user credentials, gathered by an application, are sent in
the API call. The credentials of the application are not sent.
Add new claims: The ID token contents can be changed to add new claims.
The following flows are not supported:
Server-to-server: The identity protection system needs a reliable IP
address gathered from the caller (the native client) as part of the
interaction. In a server-side API call, only the server’s IP address
is used. If a dynamic threshold of failed authentications is exceeded,
the identity protection system may identify a repeated IP address as
an attacker.
Confidential client flow: The application client ID is
validated, but the application secret is not validated.
From here.
Note that one disadvantage of doing what you're requesting is precisely that you can do "login forms capture and logging", so your application has a chance to see the credentials and perhaps take copies of them; thus your users have to trust you to behave.
The normal web-based flow means that your application doesn't need to be trusted; it never even sees the password at all.
I am building a native iOS application and want to use AADB2C as identity provider where users login, signup, reset their passwords etc.
I cannot figure out a way to let users signup with AADB2C (or regular AAD for that matter) without redirecting them to a (customizable, but still) microsoft website. To be perfectly clear: I want to let customers create user accounts on AAD from a native iOS form without redirecting them to a website, preferably via REST request. (Like here under "Create consumer user accounts": https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet)
Can you create users from an iOS app?
Yes, using the Graph API as per the article you showed. You can only create local accounts at this time though.
However you need to be very careful about how you do it given that currently, the ability to create users requires Directory.ReadWrite.All permission, which also allows all other sorts of operations. You should NOT put the client ID and client secret for an app with these permissions in your iOS app. Rather, you would need to create a backend service that exposes an API for your iOS app to call for user creation.
However, more importantly, what you WON'T be able to do is SIGN IN the users without a redirect (which is what the B2C sign up policy does). In order to do this from your own UI without redirects, you would need Azure AD B2C to support Resource Owner Password Credentials Flow so that you can, after creating the user, use this flow to sign them in and get a token.
Note: You would also need to disable Email Verification so that you can leverage the user account right after user creation. You can set this in the Sign-up policy or Sign-up/Sign-in policy via Page UI customization > Local account sign-up page > Email Address > Require Verification > No
Lastly, as an FYI, there's a feature in the works in Azure AD B2C: Customer Owned Domains, which, paired up with UI customization, would allow you to have sign-up/sign-in pages that you can look like your own and have a URL of your own, with no trace of Microsoft for your end users to see.
Here is what we want at high level.
My Requirements,
Clients should be able to access my application using their existing username/password.
My clients should be able to provide me their user-roles, and based upon that I will manage the resource authorization in the server.
Client will share the database. (Multitenancy).
The OAuth 2.0 examples I went across are, utilizing Authentication Servers such as Facebook/Google, where in users can login thru their google or facebook account.
I wan't my clients to be able to login with their own accounts.
As far as CAS Authentication server is concerned it directs the user to its own login page.
I am looking for a standard way, where in I can use spring security and allow my clients to single sign on user their own credentials. Any references will be of great help. Thank you.
As already mentioned CAS is a web SSO, so you need to pass through it's own authentication page in order to get the SSO working. There are many ways to get CAS working with your authentication persistent system (in my projects I usually use JPA as my customers have many old applications based only on relational db persistence).
In your project I suppose you can setup CAS to use your application authentication method, while your application can point directly to CAS for authentication itself. What I mean is that your application as well should use CAS for single sign on, so the users can enter their credentials just once. Finally you can customize CAS theme in order to get login and error pages with the same layout as your application (you can even load CAS login page in an iframe and then reload your application page on success if you want to integrate it inside your webapp).
If I understood what you wrote you want it to behave this way:
you login in your application
your application tells CAS you logged in
you access another application
the other application asks CAS if the user is logged in and CAS answers yes
But the "easy" explanation of the workflow is:
you try to access a secured part of any application secured with CAS (your or another)
the application asks CAS if the user is logged
CAS answers no, so the user is redirected to CAS login
the user authenticates with CAS
CAS redirects the user to the calling application
the application asks CAS if the user is logged in and CAS answers yes
the user can access secured parts of the application
the user try to access another application
the "another" application asks CAS if the user is logged in and CAS answers yes
the user can access secured parts of the "another" application
CAS is a web SSO so you will be able to share the user identity accross multiple web applications and Spring Security is a good CAS client.
You can also enable the CAS server to delegate authentication to Facebook or Google.
The idea is to have your CAS server authenticate your users and get their profile and then push them to the web applications.
I thought CAS provided a REST API.
If that could be used for login then the various apps could present their own login interface and send the username / password to CAS.