Here is what we want at high level.
My Requirements,
Clients should be able to access my application using their existing username/password.
My clients should be able to provide me their user-roles, and based upon that I will manage the resource authorization in the server.
Client will share the database. (Multitenancy).
The OAuth 2.0 examples I went across are, utilizing Authentication Servers such as Facebook/Google, where in users can login thru their google or facebook account.
I wan't my clients to be able to login with their own accounts.
As far as CAS Authentication server is concerned it directs the user to its own login page.
I am looking for a standard way, where in I can use spring security and allow my clients to single sign on user their own credentials. Any references will be of great help. Thank you.
As already mentioned CAS is a web SSO, so you need to pass through it's own authentication page in order to get the SSO working. There are many ways to get CAS working with your authentication persistent system (in my projects I usually use JPA as my customers have many old applications based only on relational db persistence).
In your project I suppose you can setup CAS to use your application authentication method, while your application can point directly to CAS for authentication itself. What I mean is that your application as well should use CAS for single sign on, so the users can enter their credentials just once. Finally you can customize CAS theme in order to get login and error pages with the same layout as your application (you can even load CAS login page in an iframe and then reload your application page on success if you want to integrate it inside your webapp).
If I understood what you wrote you want it to behave this way:
you login in your application
your application tells CAS you logged in
you access another application
the other application asks CAS if the user is logged in and CAS answers yes
But the "easy" explanation of the workflow is:
you try to access a secured part of any application secured with CAS (your or another)
the application asks CAS if the user is logged
CAS answers no, so the user is redirected to CAS login
the user authenticates with CAS
CAS redirects the user to the calling application
the application asks CAS if the user is logged in and CAS answers yes
the user can access secured parts of the application
the user try to access another application
the "another" application asks CAS if the user is logged in and CAS answers yes
the user can access secured parts of the "another" application
CAS is a web SSO so you will be able to share the user identity accross multiple web applications and Spring Security is a good CAS client.
You can also enable the CAS server to delegate authentication to Facebook or Google.
The idea is to have your CAS server authenticate your users and get their profile and then push them to the web applications.
I thought CAS provided a REST API.
If that could be used for login then the various apps could present their own login interface and send the username / password to CAS.
Related
Our current system contains two web applications with OAuth2 centralized user management. Application A is an OAuth client and application B is the OAuth provider. And application A is for internal users and application B is for external users as well as internal users.
To integrate with CIAM for external user onboarding, our system needs to call the user invitation API. That only can be done by application A due to some restriction. Is that doable as an external user will only have access to application B. To invoke CIAM APIs, the client needs to be registered with Azure application ID. That won’t be a problem if the same Azure app ID can be shared between two applications or the invitation could be for another application with a different Azure app ID.
• As you have said CIAM here, thus considering Azure AD B2C as the IdP and authorization provider, the application B that you have stated here which will act as an OAuth provider for application A thus resulting in it being a client and the other application being a provider. Thus, as a matter of fact, you cannot share tokens between the apps for inviting a user from one app to another app. Also, sharing the same application ID between two different applications registered in different tenants is also not possible.
• But you can acquire a token interactively on the second application, i.e., application B and once the silent call fails, then the interactive flow will rely on the Azure AD B2C session cookies to give the user Single sign-on. You can achieve the above said through configuring the Azure AD B2C session behaviour with regards to single sign-on on an application. This setting allows you to maintain a user session exclusively for an application, independent of other applications. For example, you can use this setting if you want the user to sign into Application B regardless of whether the user is already signed into Application A.
Thus, in this way, you can share a sign-in between two applications. For more information and details regarding this, kindly refer to the below documentation below: -
https://learn.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy#configure-azure-ad-b2c-session-behavior
ADB2C How to share user token between two different applications?
I'm working on an application that has an angular 6 front end and a .net core 2.0 back-end and am trying to set it up so that my application authenticates users via Azure active directory. The issue is that I want the .net core back-end to do all the authentication programmatically when I have the front end pass an email and password. Everything that I've seen so far online suggests to have the front end redirect to the Microsoft login page but we are using our application as a boiler plate project and want to be able to change the type of authentication easily in the back-end without having to change the angular front-end. Does anyone know how I could go about this?
You can use Resource Owner Password Credentials Grant .The process will like that you collect the user credentials in Angular app and post to .net core back end , then finish the authentication in back-end app with user's credential. But that is not recommended because The ROPC flow requires a high degree of trust and user exposure and you should only use this flow when other, more secure, flows can't be used.
Also :
The Microsoft identity platform endpoint only supports ROPC for Azure AD tenants, not personal accounts. This means that you must use a tenant-specific endpoint (https://login.microsoftonline.com/{TenantId_or_Name}) or the organizations endpoint.
Personal accounts that are invited to an Azure AD tenant can't use ROPC.
Accounts that don't have passwords can't sign in through ROPC. For this scenario, we recommend that you use a different flow for your app instead.
If users need to use multi-factor authentication (MFA) to log in to the application, they will be blocked instead.
Reference : https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
New to Azure AD... So please don't be too harsh if this is off target. :-)
Technology Stack - Latest Angular 2 with C# Middle tier and latest .Net Framework.
Ideally, What we want to do is use Azure AD B2C to store user credentials and to do the authentication - but we want our 'own' forms on our site to do the login Forms capture and logging - then pass the credentials through an API (REST?) Call (using MS Graph SDK?) to Azure AD B2C and then check the call return for the Authorization content message.
Couple of reasons - control of the application flow, Logging and the "flickering of the URL" (i.e. going from our site URL to login.microsoft... URL and then back to our sites URL).
Is this doable without doing a hack?
Thank you in advance for your help and patience!
You are looking for the "Resource Owner Password Credentials".
This is not currently supported for Azure AD B2C, but you can give user feedback to the B2C team that you want this through the Azure Feedback Forum: Add support for Resource Owner Password Credentials flow in Azure AD B2C and headless authentication in Microsoft Authentication Library
You should also see updates at that location if and when they implement this feature.
The resource owner password credentials flow is now in preview.
In Azure Active Directory (Azure AD) B2C, the following options are
supported:
Native Client: User interaction during authentication happens when
code runs on a user-side device. The device can be a mobile
application that's running in a native operating system, such as
Android, or running in a browser, such as JavaScript.
Public client flow: Only user credentials, gathered by an application, are sent in
the API call. The credentials of the application are not sent.
Add new claims: The ID token contents can be changed to add new claims.
The following flows are not supported:
Server-to-server: The identity protection system needs a reliable IP
address gathered from the caller (the native client) as part of the
interaction. In a server-side API call, only the server’s IP address
is used. If a dynamic threshold of failed authentications is exceeded,
the identity protection system may identify a repeated IP address as
an attacker.
Confidential client flow: The application client ID is
validated, but the application secret is not validated.
From here.
Note that one disadvantage of doing what you're requesting is precisely that you can do "login forms capture and logging", so your application has a chance to see the credentials and perhaps take copies of them; thus your users have to trust you to behave.
The normal web-based flow means that your application doesn't need to be trusted; it never even sees the password at all.
I'm tried to build a new rich application and i'm having some problems designing the authentication process.
I've only two requirements :
An API needs to be available
An ADFS needs to be used to authentication
My first thoughts was to build the API and to use Angular.js for the frontend. However, I can't see how the authentication should work.
My API needs to be available though scripts. As far as I saw, the ADFS authentication always display t the webpage for the authentication process.
API are usually secured with OAuth2. We used an client id and a client secret to generate a token. But I can't have this behavior with an ADFS.
The only solution I see is to provide two authentications behavior with my application. One with the ADFS for the web access and in the web interface, add a possibility to generate a client id and a client secret associated with an user account that could be used for the API to the headless authentication.
Someone has already faced this kind of scenario?
Thanks a lot!
I assume the 'ADFS needs to be used for authentication' really means 'users should be able to use their Active Directory domain credentials to authenticate'.
If that is the case, you should take a look at Thinktecture IdentityServer. It's an OAuth2 authorization server that you can use with a Active Directory identity provider.
P.S. ADFS 3.0 that comes with Windows 2012R2 only supports the authorization code grant, which is not suitable for JavaScript apps.
I'm very new to LDAP and Active Directory and I'm probably understanding something completely wrong.
I know ASP.NET Identity and forms authentication (however, I'm also quite new to that) and my question is actually if it is possible to use certain features you can use with forms authentication (explanation further below) with Active Directory.
I'm building an MVC web application and I'd like to authenticate my users against Active Directory. That would be possible with ADFS. The template you get when using ASP.NET Identity in VS2013 uses passive authentication. Is it however possible to not do this redirect to the Active Directory domain but create a custom login page for the user?
Is it also possible to do user management with Active Directory like that is possible with forms authentication? I was thinking about:
A page where the user can register himself
Ability for the user to change his password (I know this is possible with ADFS, but the user may not be logged in. I want him to do this when he's logged in, with a self-made page.)
Logging in on a new computer should ask for a code specified in an email
Set up password policy in the application
... (Other things that I might have forgotten)
When these things aren't implicitly possible with Active Directory, please advise on how to configure the application to acquire this functionality (when possible with Active Directory).
Thank you very much in advance for helping me!
EDIT 1:
To leave my question not too open, I maybe better just start with that custom login page. When I understand it well, the normal flow when using ADFS to authenticate your users against is:
A user tries to access a web page of an application for which he needs to be authenticated
(Passive) redirect to a login page provided by ADFS -> user enter his AD credentials
ADFS returns token
Token is sent to the web application (that ADFS trusts)
When the web application thinks everything is ok, it stores an authentication cookie in the user's browser (I guess), and the user can access the web page
What I would like:
A user tries to access a web page of an application for which he needs to be authenticated
Redirect to a login page of that same web application where the user can enter his credentials
The entered credentials are sent to ADFS (I guess) and it returns something (a token?) with information about whether the login succeeded or not (This step could be preceded by a call to some (self-made) service (a Web API application) that multiple client applications could use for their authentication against the same directory)
When the login succeeded, the web application stores a cookie in the user's browser and the user is able to access the page
I don't know if that makes sense? I'm just wondering how companies that use Active Directory to store user information can still have a custom login page, registration page and other user management stuff. (Or don't they use AD but do they just have their own databases?)
Normally if you want a custom login page you use an ADFS active profile implementation (e.g. WCF) to do the authentication.
User provisioning is not part of ADFS. To do this you need an Identity Manager e.g. PingFederate, OpenIDM.
If you are using ADFS 2.0 or 2.1, you can customize the pages (because they run on IIS) and add these features or redirect to a separate website which does.
Most of what you want is OOTB AD functionality. Refer: Everything in Active Directory via C#.NET 3.5 (Using System.DirectoryServices.AccountManagement).
Password policy can be extremely complex. I don't know of any API's that explicitly do this.
If you are using ADFS 3.0, these is no ISS so you are pretty much out of luck.
It's not really an answer to my question here, but if someone is interested in what I eventually did: you can read it (very briefly) here.