we developed applications with custom STS as identity provider. Now we planning to use thinktecture identity server (Idsrv) as primary and ADFS as secondary to replace our custom STS. I enabled WS-Federation protocol in Idsrv and added Idsrv and ADFS as identity providers. we developed web application that trusts Idsrv. I also used HRD url to show the list of identity providers whenever user access the web application. It works fine for both identity providers.
Flows :
Idsrv provider web app-->HRD-->Idsrv-->HRD--->Web app
ADFS web app-->HRD-->ADFS-->HRD--->Web app
I also specify the home realm in web application to use the identity provider as default without showing HRD. It works good.
I want to develop a wcf service that trusts Idsrv. I want to utilise the wcf service from wpf client. Based on the user's domain, I need to specify the identity provider as default.
How can I specify the identity provider in wpf client?
my requirement is same as
https://github.com/thinktecture/Thinktecture.IdentityServer.v2/issues/198
The HRD concept does not exist in WCF / SOAP. You would need to go to the idp first and then exchange that token with a token from IdSrv.
Unfortunately, we haven't implemented those endpoint in idsrv. There is a PR on github with an implementation, maybe you wanna give that a try.
Related
We have a SAAS model web application that is used to serve multiple customers. Few of these customers have their own SAML2.0 Identity Providers against which they want their users to get authenticated.
How can I create a service provider for my web application in which I can configure these multiple Identity providers and redirect the user to their respective login page based on the URL and redirect them back after successful authentication?
Can someone please guide me on this. So far what I have done is install the Shibboleth service provider on each of my servers and use that one server to serve only 1 customer who requires Authentication using their Identity provider, but this will not work with SAAS based model application.
Varun
What you're looking for is something known as a discovery service. This enables the user to select the identity provider appropriate for them so that the SP can send them there to authenticate.
There's a page on the Shibboleth wiki describing this concept: IDPDiscovery
The Shibboleth SP ships with a discovery service known as the EDS that you can deploy locally: EDS
You could also build one as a static web page, or use a central discovery service provided by someone else if, for example, you're part of a federation that provides one.
I'm working with a company that has a WinForms application running on a corporate windows network. The application currently connects to a web application server that has its own private username/password store. The web app server has JSP based UIs, but also has some web services which support JWT based authentication.
The company would like to use use accounts from its windows domain to authenticate the users rather than using a separate set of usernames and passwords. The company's domain has an AD FS server and the web application is a SAML service provider.
The question is, is it possible to use the identity information from the original windows login to get a SAML token from ADFS and then use that token to talk to web services on the web application machine?
We're looking at Windows Identity Foundation built into the .net framework as a possibility. Open ID Connect also seems like a possibility, but we don't want to have to present the user a web page for them to log in; we want to use the original windows login identity information to automatically grant access to the service provider.
Is this possible?
SAML support is already built into the web application, but if necessary we could add support for OpenID Connect.
ADFS does have the ability to generate JWT tokens but sadly not for SAML.
There is no way to convert a SAML token to a JWT one that is signed.
SAML doesn't really have support for web API / web services.
WS-Fed does but it's WCF not web API.
The easiest way is to convert to OpenID Connect. That does deliver a JWT token that you can use to authenticate to a web API. You need ADFS 4.0 to do this.
I am building a web application with
Asp.net Core 2.0 Web API
AngularJS 4+
SQL Server
User signup/login only through Google/Facebook/LinkedIn. I will save user info like name and email I receive from them into SQL db table. I do not have a plan to offer manual registration on my website with email and password. I do not want to maintain user credentials, forget the password, securing user passwords and all nitty-gritty around that.
As of now, there is no plan to build a mobile app. I am learning .Net Core and stumble upon IdentityServer4 as a recommended way to provide identity in asp.net core applications. I went through all docs, example and tried out few sample application. I think I am clear how configuration and workflow of identityserver.
My questions are
Is it worth employing IdentityServer4 in my architecture since my identity is external provider only? I was thinking about using default Asp.net Identity with.AddCookie(), .AddGoogle() and .AddJwtBearer() to retrieve the cookie from Google/Facebook/LinkedIn, use AddGoogle AddFacebook AddLinkedIn middleware to handle callback, extract claimprincipal and set Jwt token for Angular JS app to use in its XMLHttp request.
What benefits do I get outsourcing this work to IdentityServer4 besides identity in one place best practice?
I appreciate your tiny or big feedback on this.
IdentityServer is great for handling many clients that access many protected resources. You seem to have one client (the so called AngularJS 4+ app) and one resource, the Asp.net Core 2.0 Web API.
A point of clarity is that you have no need for ASP.NET Identity and all those middlewares for Google, LinkedIn, etc. If your client is truly an Angular javascript application, then it does not need a server side component like ASP.NET Core- it is simply a browser application. You can use a javascript library like oidc-client and configure your external authentication providers according to their own needs. You will receive an id_token and/or access_token to store in browser and utlimately pass to your Api Resource.
Speaking of your Api Resource, this application can validate directly with the token issuer, be it Google or Facebook or whoever.
So with this setup: (a) a browser app (Angular), (b) a server WebApi (ASP.NET CORE), and (c) and an identity/access control service (Google, Facebook, etc.) you certainly do not need any additional applications that run ASP.NET Identity or IdentityServer4. Seems like it would be easier without them.
If your Angular app is actually in an ASP.NET MVC, then the same is true.
If your Angular app and your WebApi are all part on one ASP.NET project then the same is true and all you need is an identity provider to return an id_token.
I'm working on setting up a new SSO application. I would like to use ASP.NET Identity as a database to store the users data. I have a ReactJs application hosted on Node.JS and a .Net Web Api2 application. I want to protect thsi Web Api 2 using Identity Server with users from its database. In further development I'm going to create a mobile application.
I'm able to create an asp.net identity database with some users and use Resource Owner credentials, but I have couple of questions if anyone could help:
Why is Resource Owner Credentials not recommended? My current workflow is to hit the api with client&user&password and obtain a token which I store in web layer and use in Web Api requests. Web Api validates the tokens and identify the user. I read on IS page that's not recommended then what's the recommended scenario to authenticate the user?
How can I create an authenticator for mobile? Should I create my own certificate issue, store it in database as a thumbprint and use access token for that?
Thanks
In short, Resource Owner requires the credentials to be passed through the application itself, also RO doesn't give you SSO. Here's a longer answer. The recommended scenario is to use hybrid flow with PKCE enabled.
Look up TOTP. I believe it is implemented in AspNetCore.Identity with some examples.
I need to do SSO between episerver CMS and Liferay CMS using SAML. I know that LifeRay can act both as Service Provider as well as Identity Provider. I want to know that can Episerver CMS also act as Identity provider as well as service provider?
EPiServer uses the standard ASP.NET provider model for authorization/authentication, and by default ships with Windows and SQL membership and role providers for forms authentication.
In other words, I'm not aware of anything particular OOTB that would enable SAML SSO. But seeing as there's nothing EPiServer-specific about authentication, you should be able to add SSO support just as you would for a vanilla ASP.NET app.