Windows Presentation Foundation (WPF) + Windows Identity Foundation (WIF) - wpf

Scenario: I need to configure a WPF application to send credentials from integrated security to an ADFS server and receive tokens back. I can't find guides describing in detail how to do this. The focus seems to be on web applications, web services, & WCF.
What are the steps to configure a WPF client? Is it possible to set it up through a config file the same way a web app is configured?

You want to implement an Active WS-Trust scenario. Follow "Lab 4 - Federation with ADFS with 'active' clients" from here: http://claimsid.codeplex.com/releases/view/68061 .
If you choose to call ADFS manually to get tokens, follow the "WIF, ADFS 2 and WCF" article series by Dominick Baier here: http://leastprivilege.com/2010/10/14/wif-adfs-2-and-wcfpart-5-service-client-more-flexibility-with-wstrustchannelfactory/
Both of those resources have helped me to implement Active WIF Scenario.
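
The active WS-Trust request described in the answer above, as an added example that is not part of the original post or of the linked articles: a desktop client asks ADFS for a token using the logged-on user's Windows credentials. It assumes the WIF 1.0 assembly (Microsoft.IdentityModel) and that the ADFS windowsmixed endpoint is enabled; the host names, the relying-party identifier and the `AdfsTokenClient` class are placeholders.

```csharp
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;

static class AdfsTokenClient
{
    // Placeholders (assumptions): your ADFS host and the relying-party
    // identifier registered for the target service in ADFS.
    const string StsEndpoint =
        "https://adfs.example.com/adfs/services/trust/13/windowsmixed";
    const string RelyingPartyRealm = "https://service.example.com/";

    public static SecurityToken RequestToken()
    {
        // "windowsmixed" pairs TLS transport with a Windows (Kerberos/NTLM)
        // message credential. No credential is set on the factory, so the
        // logged-on user's identity is used and no password is handled here.
        var binding = new WindowsWSTrustBinding(
            SecurityMode.TransportWithMessageCredential);
        var factory = new WSTrustChannelFactory(
            binding, new EndpointAddress(StsEndpoint));
        factory.TrustVersion = TrustVersion.WSTrust13;

        var rst = new RequestSecurityToken
        {
            RequestType = WSTrust13Constants.RequestTypes.Issue,
            // Scope the token to a single relying party.
            AppliesTo = new EndpointAddress(RelyingPartyRealm),
            KeyType = WSTrust13Constants.KeyTypes.Symmetric
        };

        try
        {
            SecurityToken token = factory.CreateChannel().Issue(rst);
            factory.Close();
            return token;
        }
        catch
        {
            factory.Abort(); // release the faulted channel, then surface the error
            throw;
        }
    }
}
```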

Related

Office Add in Authentication Upgrade

I am new to Azure and Office Add-ins. I want to migrate the authentication mechanism of one of my Office Add-ins. Currently the authentication is implemented using Office-JS-helpers. I want to replace this library with another alternative. Could anyone share the best way to migrate?
Application: Office Add-in (Word and Outlook)
The Add-in is written using React 16+
The app is hosted on Service Fabric in Azure
Authentication is enabled using Azure AD
Note: I am looking for an SSO authentication mechanism.
The Overview of authentication and authorization in Office Add-ins section in MSDN explains how to build and configure Office Add-ins to successfully implement authentication and authorization. You are interested in the following - Enable single sign-on (SSO) in an Office Add-in.

Implement SSO in windows application/vsto plugins

I have a requirement to implement SSO for desktop applications created using WPF and Office plugins developed using VSTO. I have some basic knowledge of how SSO works for websites (based on redirection).
I did some research and found that there is no way we can access the WebBrowser control in WPF to get the access token. I need to use the access token to call the REST services created in Java and hosted on some URL.
Is there any way to get an access token using Windows applications?
Also, as per my understanding only Web Add-ins support SSO with Azure AD v2.0. Can you guide me to some good links to achieve it? Please let me know if my question makes sense or some additional information is required.
*All clients do not use Azure AD solution.

Combining active and passive federation

Is it possible in WIF to combine active and passive federation? We currently have multiple Silverlight clients that communicate with 1 or more WCF services. The problem is that some of these services are hosted on a different domain. This means that, when we are using passive federation, calls to those services will fail when the user is not yet logged in for that domain (WIF will try to redirect the call). So is it possible to use passive federation when logging in to the website/Silverlight client and active federation when communicating with services? And has anyone done this (with Silverlight...)?
Your scenario sounds like this: You have a website that authenticates the user using passive federation to obtain a token. You hold on to the issued token, and pass it down into your Silverlight client. The Silverlight client uses that token to do active federation with your backend WCF services.
The most common way I've seen to achieve this is through RIA services. I've found this article which provides a nice introduction to this. Also, the identity developer training kit has an end to end sample. Look for the one titled "Developing Identity-Driven Silverlight Applications".
You say that WIF will redirect your WCF service call. This seems to be exactly the same problem as in this StackOverflow question: Passing SAML Token to WCF service from Asp.Net, and therefore my answer to that question might apply to your situation as well.

Silverlight Ria services authentication on Azure

I have spent many hours trying to get my Silverlight Business application to run on Azure. My findings so far (open to correction):
ASP.NET authentication works with a Silverlight web application but not if Ria services is added. This is because Azure only allows one form of authentication per hosting and WCF will not work if the authentication mode is not Anonymous. This means using WebContext is out of the question.
For the same reason passive federated claims authentication (either OpenID or custom STS) will not work with Ria services.
There is some good stuff in the Identity Training Kit. Active federated claims should allow a login popup to be used. Again there is an example in the kit. I initially didn't look at the "Out of Browser" example until I realised that it should work In Browser as well. I created a custom STS which the Web app called successfully, but I got "service not found" - I assume on the return leg.
I have now decided to pull the plug on all this as I need to get my application up and running. The Silverlight client already communicates with my database via Ria Services - why do I need to create extra pipelines when the authentication data is going to be in the same database? Would security be compromised by simply checking a user name and password against my database? Would the System.ServiceModel.DomainServices.Client.ApplicationServices namespace be useful in this?
Second statement in your list is not accurate. You can use claims based identity with Ria Services. See here:
http://blogs.msdn.com/b/eugeniop/archive/2009/11/22/updated-ria-and-wif-samples.aspx
http://blogs.msdn.com/b/eugeniop/archive/2009/11/25/ria-services-and-wif-part-ii.aspx

SSO for Silverlight 3 and WinForms application

I need Single Sign On for two types of application: Silverlight 3 and Windows Forms.
Do you have any advice about how I could implement this?
Windows authentication is one possible solution. Any other?
Thanks
Best regards
Is the user authenticating through a Windows domain? If so you could use the domain credentials from both IIS (assuming that will host web services for Silverlight) and your WinForms.
On the IIS side you would use windows authentication for the web site hosting the Silverlight.
You can get the current user with WindowsIdentity.GetCurrent(). From there you can get the username, etc, and map that security context to your application's internal authorization.
The overall idea here is that the single sign-on would occur when the user logged into their workstation, and both the Winforms and IIS (Silverlight) would use that security context.
