Is logout option needed for a desktop application - security-testing

I am testing an application which generates security certificates. I need to login with appropriate credentials to access the application. I don't see an option to logout. Is logout needed for desktop applications, or is just exiting/closing the application sufficient?

If the program has a concept of an account and asks to log in at some point, then it should have a corresponding option to log out and/or switch accounts.
If it doesn't have a concept of an account, then what are you expecting it to log out of?

Related

How can I diagnose authentication issues in a custom single tenant Teams app?

I am developing an ASP.NET MVC website. It is hosted in Azure and users are authenticated with AAD for our single tenant. I intend to make the website available in a Teams app, so that my coworkers can navigate to my website via the Teams Windows app and the mobile app.
I follow these steps to integrate security in a web browser: https://learn.microsoft.com/en-us/learn/modules/msgraph-build-aspnetmvc-apps/5-exercise-add-auth
I followed these directions to integrate security with Teams: https://learn.microsoft.com/en-us/microsoftteams/platform/tabs/how-to/authentication/auth-aad-sso. I'm not sure that I did this correctly.
At this point, I can:
Login with a web browser
Login via Teams mobile app
Load Teams in a web browser then load my app (not a use case that I need to support, but this worked and I was not prompted to login. I assume that I wasn't prompted to login because I was already logged in directly in another browser tab).
I cannot:
Login via Teams Windows app -- This is my primary use case unfortunately.
When I try to login with the Teams application on Windows (using the same pages and forms as on mobile), the page just disappears. I'm not prompted with the usual Microsoft login page.
How can I diagnose the cause of the problem? I don't see any obvious errors reported in Teams. Is there any way to get access to the root error?
EDIT:
login.microsoftonline.com is reporting "Your browser is currently set to block cookies. You need to allow cookies to use this service." I'm now aware of the SameSite changes (https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-handle-samesite-cookie-changes-chrome-browser?tabs=dotnet) and I've implemented the recommended SameSiteCookieManager code to address the SameSite issue.
I'm still running into the same issue. No exceptions or errors reported except that Teams does not accept cookies.
May have to break this down further, here's how I would decipher it.
First of all, you will have to figure out if the issue is with Teams or on the Auth side.
Figure out which line of code executes last. You can debug or write to the terminal/logs.
Do you see any exceptions? Ideally debuggers can help, or you can add some code to catch any exception.
If it's failing before executing any code, do you see any HTTP requests going out? You can use Fiddler for this. See if you are seeing any error codes.
If you are using Windows then check Event Logs for any errors or exceptions for Teams App. Look at the Application logs.
Look out for Audit logs and sign in logs and check if you see any activity in your tenant when you run this app.
https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-activity-logs-azure-monitor
Some other points would be to check if you can repro this with a sample app or a different user (elevated user). If there is any additional info, do share.
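One concrete check for the cookie symptom in the EDIT, as an added example that is not part of the answer above: a small checker for Set-Cookie headers against the SameSite rules that bite a sign-in flow hosted inside another page (a Teams tab, an iframe, the cross-site POST that carries the id_token back). The header strings in SAMPLE_HEADERS are constructed; the rules are the Chrome 80+ behaviour described in the linked Microsoft article.

```python
"""
Checks Set-Cookie headers against the SameSite rules that break sign-in
flows embedded in another page. Added example; SAMPLE_HEADERS are made up.
Rules applied (Chrome 80+ behaviour):
  - no SameSite attribute -> treated as SameSite=Lax, so the cookie is not
    sent on a cross-site POST or inside a third-party iframe;
  - SameSite=Lax/Strict   -> never sent cross-site;
  - SameSite=None         -> sent cross-site only if Secure is also present,
    otherwise the browser rejects the cookie outright.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class CookieCheck:
    name: str
    samesite: Optional[str]
    secure: bool
    ok_cross_site: bool
    reason: str


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split 'name=value; Attr; Attr=v' into the cookie name and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = None
    return name, attrs


def check_cookie(header: str) -> CookieCheck:
    """Decide whether the cookie in this header survives a cross-site request."""
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite")
    secure = "secure" in attrs
    mode = samesite.lower() if samesite else None
    if mode is None:
        return CookieCheck(name, None, secure, False,
                           "no SameSite attribute: browser defaults it to Lax and drops it on cross-site requests")
    if mode in ("lax", "strict"):
        return CookieCheck(name, samesite, secure, False,
                           f"SameSite={samesite}: never sent on a cross-site request")
    if mode == "none" and not secure:
        return CookieCheck(name, samesite, secure, False,
                           "SameSite=None without Secure: rejected by the browser")
    return CookieCheck(name, samesite, secure, True, "SameSite=None; Secure: usable cross-site")


def harden(header: str) -> str:
    """Rewrite a Set-Cookie header so the cookie survives a cross-site flow (SameSite=None; Secure)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    kept = [p for p in parts if p.split("=", 1)[0].strip().lower() not in ("samesite", "secure")]
    return "; ".join(kept + ["SameSite=None", "Secure"])


def blocked_cookies(headers: List[str]) -> List[CookieCheck]:
    """Return the checks for every cookie in `headers` that a cross-site flow would lose."""
    return [c for c in (check_cookie(h) for h in headers) if not c.ok_cross_site]


# Constructed sample: the kind of cookies an ASP.NET app and the STS set during sign-in.
SAMPLE_HEADERS = [
    ".AspNet.Cookies=abc123; path=/; HttpOnly",                     # no SameSite -> Lax by default
    "OpenIdConnect.nonce.xyz=n1; path=/; SameSite=None; HttpOnly",  # None without Secure -> rejected
    "__RequestVerificationToken=t; path=/; SameSite=Strict",        # never cross-site
    "ESTSAUTH=s; path=/; SameSite=None; Secure; HttpOnly",          # fine
]

if __name__ == "__main__":
    for c in blocked_cookies(SAMPLE_HEADERS):
        print(f"{c.name}: {c.reason}")
```

Run it over the Set-Cookie headers captured in Fiddler from both your app and login.microsoftonline.com; every cookie that `blocked_cookies` lists is one the embedded Teams browser will not send back. `harden` is the blanket fix; the SameSiteCookieManager in the linked article additionally sniffs the user agent because some older clients (notably iOS 12 WebKit) mishandle SameSite=None, and this example does not do that.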

How to manage multi user in the same browser application without having to logout/login all the time with azure ad/application

With an Azure AD application I need to be able to log in multiple users in the same browser on the same computer and switch between them without having to log in/log out all the time.
Now, every time I try to log in another user, I need to log out the current one!
You can set prompt=select_account on the login requests from your app. This will force account selection each time, instead of just signing in with the active account.
You can see documentation for this at: https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code
Then it's a matter of handling those multiple sessions on your app's side.
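What the two halves of that answer look like in code, as an added example that is not part of the original answer: the authorize request carrying prompt=select_account, and an app-side session that holds several signed-in accounts and switches between them locally. The tenant, client id, redirect URI and the claim dictionaries are constructed. It builds the v1 authorize URL that the linked document describes (the v2.0 endpoint takes `scope` instead of `resource`); a real app must validate the id_token (signature, issuer, audience, nonce) before trusting its claims, which MSAL does for you.

```python
"""
Azure AD sign-in with prompt=select_account plus a browser session that keeps
several signed-in accounts side by side. Added example; tenant, client id,
redirect URI and claims are constructed.
"""
import secrets
import urllib.parse
from typing import Dict, Optional

AUTHORITY = "https://login.microsoftonline.com"


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        resource: str, state: str, prompt: str = "select_account") -> str:
    """Authorization-code request (v1 endpoint). prompt=select_account makes Azure AD show
    the account picker even when one account already has an active session in the browser."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "resource": resource,
        "state": state,
        "prompt": prompt,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/authorize?" + urllib.parse.urlencode(params)


def parse_callback(url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect back to the app; a state mismatch means
    the response does not belong to a request this browser session started (CSRF)."""
    qs = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    if "error" in qs:
        raise PermissionError(f"{qs['error'][0]}: {qs.get('error_description', [''])[0]}")
    return qs["code"][0]


class MultiAccountSession:
    """One browser session holding several Azure AD accounts, keyed by the id_token's
    oid (object id) and tid (tenant id) claims; together they identify a user uniquely,
    whereas preferred_username can change."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Dict] = {}
        self.active: Optional[str] = None

    @staticmethod
    def key_for(claims: Dict[str, str]) -> str:
        return f"{claims['oid']}@{claims['tid']}"

    def add(self, claims: Dict[str, str], tokens: Dict[str, str]) -> str:
        """Store (or refresh) an account after a successful sign-in and make it the active one."""
        key = self.key_for(claims)
        self.accounts[key] = {"claims": claims, "tokens": tokens}
        self.active = key
        return key

    def switch(self, key: str) -> None:
        """Switch the active account without a round trip to Azure AD."""
        if key not in self.accounts:
            raise KeyError(f"no signed-in account {key}; send the user through build_authorize_url()")
        self.active = key

    def current(self) -> Optional[Dict]:
        return self.accounts.get(self.active) if self.active else None

    def remove(self, key: str) -> None:
        """Forget one account locally. This does not end the Azure AD session for it;
        the next prompt=select_account request will still offer that account."""
        self.accounts.pop(key, None)
        if self.active == key:
            self.active = next(iter(self.accounts), None)


def demo() -> list:
    """Two users sign in to the same browser session; the app switches between them."""
    state = secrets.token_urlsafe(16)
    url = build_authorize_url("contoso.onmicrosoft.com", "11111111-2222-3333-4444-555555555555",
                              "https://app.example/signin-oidc", "https://graph.microsoft.com", state)
    assert "prompt=select_account" in url
    code = parse_callback(f"https://app.example/signin-oidc?code=AQABconstructed&state={state}", state)
    session = MultiAccountSession()
    # Constructed claims; in reality they come from the validated id_token.
    session.add({"oid": "aaa", "tid": "t1", "preferred_username": "alice@contoso.com"}, {"code": code})
    session.add({"oid": "bbb", "tid": "t1", "preferred_username": "bob@contoso.com"}, {"code": code})
    session.switch("aaa@t1")
    return [session.current()["claims"]["preferred_username"], len(session.accounts)]
```

The key point is the session key: keying on oid and tid rather than on the username or e-mail keeps two accounts distinct even if their display names collide, and switching is purely local, so the user only goes back to Azure AD (and the account picker) when adding an account that is not yet in the session.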

Drupal ; TOTP Authentication for authenticated users

I have enabled the modules Two Factor Authentication and TFA Basic Plugins. I am using TOTP as my validation plugin. I had downloaded the Google Authenticator app on my mobile device.
I have successfully done TOTP Authentication on my admin account. However, I have several authenticated user accounts I need to make. How can I set up their accounts so that they can do TOTP Authentication?
Currently if I create a user/password for them then go to security, I see the TOTP Authentication screen where I can scan. However, how do I give the user the ability?
If I provide them user/password but want them to have TOTP set up on their mobile device, how do I do that?
Thanks in advance,
Mike
You may have come across this by now, but there is a permission "Set up TFA for account" provided by TFA Basic, which you'll want to ensure you set for relevant roles (which may well be simply "authenticated user").
In case you were looking to use the "require TFA" for a role, then any user with that role will be unable to log in all by themselves, and will get an error "Login disallowed. You are required to set up two-factor authentication. Please contact a site administrator".
Therefore, if you wish to enforce TFA, you'll need to do some custom implementation unless you're in a position to walk each user through initial setup (I suspect not). https://www.drupal.org/node/2622030 should provide some pointers for this.
You could consider https://www.drupal.org/project/tfa_rules instead of enforcing TFA: at the least it offers a default rule which encourages those who have not enabled TFA to do so.
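For anyone wondering what the "Set up TFA for account" permission actually unlocks, here is the TOTP enrolment and verification mechanism (RFC 6238 over RFC 4226) as an added example; it is not the TFA module's code. The site stores one random base32 secret per user, hands it over as an otpauth:// URI (the QR code on the user's Security tab), and later checks the 6-digit code the authenticator app shows. The issuer and account names are constructed; RFC_SECRET is the RFC 6238 test key, so the values in the test are the RFC's own vectors.

```python
"""
TOTP enrolment and verification as a Drupal TFA / Google Authenticator pairing
does it (RFC 6238 / RFC 4226). Added example, not the TFA module's code.
"""
import base64
import hashlib
import hmac
import os
import struct
import time
import urllib.parse
from typing import Dict, Optional

RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()  # RFC 6238 Appendix B key (SHA-1)


def generate_secret(nbytes: int = 20) -> str:
    """Fresh per-user secret; 20 random bytes is the RFC's recommended key length for HMAC-SHA1."""
    return base64.b32encode(os.urandom(nbytes)).decode().rstrip("=")


def provisioning_uri(secret_b32: str, account: str, issuer: str, digits: int = 6, period: int = 30) -> str:
    """The otpauth:// URI the authenticator app reads out of the QR code."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode(
        {"secret": secret_b32, "issuer": issuer, "algorithm": "SHA1", "digits": digits, "period": period})
    return f"otpauth://totp/{label}?{params}"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _decode_secret(secret_b32: str) -> bytes:
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)


def totp(secret_b32: str, at: Optional[int] = None, digits: int = 6, period: int = 30) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    t = int(time.time()) if at is None else at
    return hotp(_decode_secret(secret_b32), t // period, digits)


class TotpVerifier:
    """Server-side check with a +/-1 step window for clock drift, plus replay
    protection: each time step is accepted at most once per user."""

    def __init__(self, window: int = 1, digits: int = 6, period: int = 30) -> None:
        self.window, self.digits, self.period = window, digits, period
        self.last_step: Dict[str, int] = {}  # user -> highest time step already used

    def verify(self, user: str, secret_b32: str, code: str, at: Optional[int] = None) -> bool:
        t = int(time.time()) if at is None else at
        base = t // self.period
        key = _decode_secret(secret_b32)
        for step in range(base - self.window, base + self.window + 1):
            if hmac.compare_digest(hotp(key, step, self.digits), code):
                if step <= self.last_step.get(user, -1):
                    return False  # replayed (or older) code
                self.last_step[user] = step
                return True
        return False


if __name__ == "__main__":
    secret = generate_secret()  # what the site would store for the user at enrolment
    print(provisioning_uri(secret, "mike@example.org", "Example Drupal"))  # constructed names
    print("current code:", totp(secret))
```

Two things the module has to get right that the example makes visible: the secret is only ever shown once, at enrolment, so a user without the "Set up TFA for account" permission never gets a secret and therefore can never produce a valid code; and the verifier must remember the last accepted time step, otherwise a code observed over someone's shoulder stays valid for the whole drift window.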

Active Directory and User Management

I'm very new to LDAP and Active Directory and I'm probably understanding something completely wrong.
I know ASP.NET Identity and forms authentication (however, I'm also quite new to that) and my question is actually if it is possible to use certain features you can use with forms authentication (explanation further below) with Active Directory.
I'm building an MVC web application and I'd like to authenticate my users against Active Directory. That would be possible with ADFS. The template you get when using ASP.NET Identity in VS2013 uses passive authentication. Is it however possible to not do this redirect to the Active Directory domain but create a custom login page for the user?
Is it also possible to do user management with Active Directory like that is possible with forms authentication? I was thinking about:
A page where the user can register himself
Ability for the user to change his password (I know this is possible with ADFS, but the user may not be logged in. I want him to do this when he's logged in, with a self-made page.)
Logging in on a new computer should ask for a code specified in an email
Set up password policy in the application
... (Other things that I might have forgotten)
When these things aren't implicitly possible with Active Directory, please advise on how to configure the application to acquire this functionality (when possible with Active Directory).
Thank you very much in advance for helping me!
EDIT 1:
To leave my question not too open, I had maybe better just start with that custom login page. As I understand it, the normal flow when using ADFS to authenticate your users is:
A user tries to access a web page of an application for which he needs to be authenticated
(Passive) redirect to a login page provided by ADFS -> user enters his AD credentials
ADFS returns token
Token is sent to the web application (that ADFS trusts)
When the web application thinks everything is ok, it stores an authentication cookie in the user's browser (I guess), and the user can access the web page
What I would like:
A user tries to access a web page of an application for which he needs to be authenticated
Redirect to a login page of that same web application where the user can enter his credentials
The entered credentials are sent to ADFS (I guess) and it returns something (a token?) with information about whether the login succeeded or not (This step could be preceded by a call to some (self-made) service (a Web API application) that multiple client applications could use for their authentication against the same directory)
When the login succeeded, the web application stores a cookie in the user's browser and the user is able to access the page
I don't know if that makes sense? I'm just wondering how companies that use Active Directory to store user information can still have a custom login page, registration page and other user management stuff. (Or don't they use AD but do they just have their own databases?)
Normally if you want a custom login page you use an ADFS active profile implementation (e.g. WCF) to do the authentication.
User provisioning is not part of ADFS. To do this you need an Identity Manager e.g. PingFederate, OpenIDM.
If you are using ADFS 2.0 or 2.1, you can customize the pages (because they run on IIS) and add these features or redirect to a separate website which does.
Most of what you want is OOTB AD functionality. Refer: Everything in Active Directory via C#.NET 3.5 (Using System.DirectoryServices.AccountManagement).
Password policy can be extremely complex. I don't know of any API's that explicitly do this.
If you are using ADFS 3.0, there is no IIS so you are pretty much out of luck.
It's not really an answer to my question here, but if someone is interested in what I eventually did: you can read it (very briefly) here.

Implementing SSO and Spring Security for SAAS

Here is what we want at high level.
My Requirements,
Clients should be able to access my application using their existing username/password.
My clients should be able to provide me their user-roles, and based upon that I will manage the resource authorization in the server.
Client will share the database. (Multitenancy).
The OAuth 2.0 examples I went across are, utilizing Authentication Servers such as Facebook/Google, where in users can login thru their google or facebook account.
I want my clients to be able to login with their own accounts.
As far as CAS Authentication server is concerned it directs the user to its own login page.
I am looking for a standard way in which I can use Spring Security and allow my clients to single sign-on using their own credentials. Any references will be of great help. Thank you.
As already mentioned, CAS is a web SSO, so you need to pass through its own authentication page in order to get the SSO working. There are many ways to get CAS working with your authentication persistence system (in my projects I usually use JPA as my customers have many old applications based only on relational db persistence).
In your project I suppose you can set up CAS to use your application authentication method, while your application can point directly to CAS for authentication itself. What I mean is that your application as well should use CAS for single sign on, so the users can enter their credentials just once. Finally you can customize the CAS theme in order to get login and error pages with the same layout as your application (you can even load the CAS login page in an iframe and then reload your application page on success if you want to integrate it inside your webapp).
If I understood what you wrote you want it to behave this way:
you login in your application
your application tells CAS you logged in
you access another application
the other application asks CAS if the user is logged in and CAS answers yes
But the "easy" explanation of the workflow is:
you try to access a secured part of any application secured with CAS (your or another)
the application asks CAS if the user is logged
CAS answers no, so the user is redirected to CAS login
the user authenticates with CAS
CAS redirects the user to the calling application
the application asks CAS if the user is logged in and CAS answers yes
the user can access secured parts of the application
the user tries to access another application
the "another" application asks CAS if the user is logged in and CAS answers yes
the user can access secured parts of the "another" application
CAS is a web SSO so you will be able to share the user identity across multiple web applications, and Spring Security is a good CAS client.
You can also enable the CAS server to delegate authentication to Facebook or Google.
The idea is to have your CAS server authenticate your users and get their profile and then push them to the web applications.
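The workflow in the numbered list above, with both sides simulated in one process, as an added example that is not CAS server or Spring Security code. Hostnames, the user and the ticket format are constructed (real tickets are opaque strings too). The application redirects to CAS /login?service=<app url>; with no TGT cookie CAS shows its login page, the user authenticates, CAS sets the TGT cookie (the SSO session) and redirects back with ?ticket=ST-...; the application then calls /serviceValidate and gets XML naming the user. A second application repeats the same steps but is never asked for a password, because the TGT cookie is already there.

```python
"""
CAS login / serviceValidate round trip simulated in-process. Added example,
not CAS or Spring Security code; hosts, users and tickets are constructed.
Service tickets are single-use and bound to the service they were issued for.
"""
import secrets
import urllib.parse
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape
from typing import Dict, Optional, Tuple

CAS_NS = "http://www.yale.edu/tp/cas"


class CasServer:
    def __init__(self, users: Dict[str, str]) -> None:
        self.users = users                          # primary auth source (LDAP/JPA in real CAS)
        self.tgts: Dict[str, str] = {}              # TGT -> username (the SSO session)
        self.sts: Dict[str, Tuple[str, str]] = {}   # ST -> (username, service)

    def authenticate(self, username: str, password: str) -> str:
        """The CAS login page: check credentials, return the TGT that becomes the CASTGC cookie."""
        stored = self.users.get(username, "")
        if not stored or not secrets.compare_digest(stored, password):
            raise PermissionError("bad credentials")
        tgt = "TGT-" + secrets.token_urlsafe(24)
        self.tgts[tgt] = username
        return tgt

    def login(self, service: str, tgt_cookie: Optional[str]) -> Optional[str]:
        """GET /login?service=...: None means 'render the login form', else the redirect back to the app."""
        user = self.tgts.get(tgt_cookie) if tgt_cookie else None
        if user is None:
            return None
        st = "ST-" + secrets.token_urlsafe(24)
        self.sts[st] = (user, service)
        sep = "&" if urllib.parse.urlparse(service).query else "?"
        return f"{service}{sep}ticket={urllib.parse.quote(st)}"

    def service_validate(self, service: str, ticket: str) -> str:
        """GET /serviceValidate: consume the ticket and answer in the CAS 2.0 XML format."""
        entry = self.sts.pop(ticket, None)          # single use: a replayed ticket is unknown
        if entry is None or entry[1] != service:
            code = "INVALID_TICKET" if entry is None else "INVALID_SERVICE"
            body = (f'<cas:authenticationFailure code="{code}">ticket {escape(ticket)} '
                    f'not valid for {escape(service)}</cas:authenticationFailure>')
        else:
            body = f"<cas:authenticationSuccess><cas:user>{escape(entry[0])}</cas:user></cas:authenticationSuccess>"
        return f'<cas:serviceResponse xmlns:cas="{CAS_NS}">{body}</cas:serviceResponse>'


class CasClientApp:
    """The part the Spring Security CAS filter plays for one application."""

    def __init__(self, cas: CasServer, service_url: str) -> None:
        self.cas, self.service_url = cas, service_url

    def validate_ticket(self, redirect_url: str) -> str:
        """Take ?ticket= from the redirect, validate it with CAS, return the username or raise."""
        qs = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
        root = ET.fromstring(self.cas.service_validate(self.service_url, qs["ticket"][0]))
        user = root.find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
        if user is None or not user.text:
            failure = root.find(f"{{{CAS_NS}}}authenticationFailure")
            raise PermissionError(failure.get("code") if failure is not None else "UNKNOWN")
        return user.text


def sso_walkthrough() -> Dict[str, object]:
    """Run the flow for two applications and record what each step returned."""
    cas = CasServer({"alice": "correct horse"})                  # constructed user
    app1 = CasClientApp(cas, "https://app1.example/secure")
    app2 = CasClientApp(cas, "https://app2.example/")
    out: Dict[str, object] = {}
    out["first_visit_needs_login"] = cas.login(app1.service_url, None) is None  # no TGT: login form
    tgt = cas.authenticate("alice", "correct horse")             # the user types a password once
    redirect1 = cas.login(app1.service_url, tgt)
    out["app1_user"] = app1.validate_ticket(redirect1)
    redirect2 = cas.login(app2.service_url, tgt)                 # second app: no password asked
    out["app2_user"] = app2.validate_ticket(redirect2)
    try:
        app1.validate_ticket(redirect1)                          # replay of an already-used ticket
        out["replay"] = "accepted"
    except PermissionError as err:
        out["replay"] = str(err)
    try:
        app2.validate_ticket(cas.login(app1.service_url, tgt))   # app1's ticket presented by app2
        out["wrong_service"] = "accepted"
    except PermissionError as err:
        out["wrong_service"] = str(err)
    return out
```

The two failure cases at the end are why the ticket is consumed on validation and carries the service it was issued for: a service that receives a ticket cannot replay it, nor hand it to another application to impersonate the user there. The TGT never leaves the CAS server except as the cookie on the CAS host, which is what lets the second application log the user in without a password.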
I thought CAS provided a REST API.
If that could be used for login then the various apps could present their own login interface and send the username / password to CAS.
