Where Can I Find Current Documentation About .NET RIA Services Authentication - silverlight

I am creating a Silverlight application for our company intranet that uses Windows authentication. I would like to use an authentication domain service class. Where can I find current documentation explaining how to get the authenticated user name etc.?

A good start is the MSDN Library. Take a look at this where authentication, roles and profiles are explained and tutorials are provided.

Related

Call Azure Function from Custom React Microsoft Teams Tab Application in secure way

I have created an Azure Function. I want this Azure Function to be only accessible for people who are using my Custom React Microsoft Teams Tab Application.
How can I do that?
Thanks,

This is actually a very detailed question as there are many aspects to security, but here are some starting points:
You could look to ensure your users are, at least, logged in to Office 365, or even specifically to a certain tenant. MSAL would help with this, which is Microsoft's client-side JavaScript authentication library for authenticating against Azure AD.
You could look to add authentication into the Azure Function as well - see here for an example.
Using the browser's built-in CORS capability is also a very easy thing to implement. Here's an example of that - it will restrict users' browsers to only calling the function from your own domain (wherever your tab is hosted).
Of course, none of these is foolproof, but they should give you some good starting points.
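An added example, not part of the original answer and not Microsoft's code: a server-side gate that combines the origin check with validation of a bearer token's signature, audience, tenant and expiry. The tenant ID, audience, origin and function names are constructed placeholders, and a throwaway RSA key pair stands in for the identity provider's published signing key.

```javascript
const crypto = require("crypto");

// Constructed placeholders: tenant, API audience and the origin hosting the tab.
const TENANT_ID = "00000000-0000-0000-0000-000000000001";
const AUDIENCE = "api://example-function-app";
const ALLOWED_ORIGINS = new Set(["https://tab.example.com"]);
const b64url = (v) => Buffer.from(v).toString("base64url");

// Verify an RS256 bearer token, then enforce audience, tenant (tid) and expiry.
function validateToken(token, publicKey, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, "base64url").toString());
    claims = JSON.parse(Buffer.from(p, "base64url").toString());
  } catch { return { ok: false, reason: "malformed" }; }
  // Pin the algorithm on the server; never let the token choose it.
  if (header.alg !== "RS256") return { ok: false, reason: "bad alg" };
  const good = crypto.verify("RSA-SHA256", Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, "base64url"));
  if (!good) return { ok: false, reason: "bad signature" };
  if (claims.aud !== AUDIENCE) return { ok: false, reason: "wrong audience" };
  if (claims.tid !== TENANT_ID) return { ok: false, reason: "wrong tenant" };
  if (typeof claims.exp !== "number" || claims.exp <= now) return { ok: false, reason: "expired" };
  return { ok: true, claims };
}

// Request gate. Non-browser clients send no Origin header, so the origin
// check is defence in depth only; the token check is what decides access.
function authorize(headers, publicKey, now) {
  const origin = headers.origin;
  if (origin && !ALLOWED_ORIGINS.has(origin)) return { status: 403, reason: "origin" };
  const m = /^Bearer (.+)$/.exec(headers.authorization || "");
  if (!m) return { status: 401, reason: "no token" };
  const r = validateToken(m[1], publicKey, now);
  return r.ok ? { status: 200, user: r.claims.sub } : { status: 401, reason: r.reason };
}

// Constructed demo issuer so the example runs offline.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
function signDemoToken(claims) {
  const body = `${b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }))}.${b64url(JSON.stringify(claims))}`;
  return `${body}.${crypto.sign("RSA-SHA256", Buffer.from(body), privateKey).toString("base64url")}`;
}
```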

How to use ADFS 2.0 with asp mvc 4

I am writing an MVC 4 web app and want to use the new WIF and ADFS to authenticate users. I also want to provide a profile page for users to "self serve" changes like phone number or maiden name.
I am looking for resources/tutorials (a good book) to show me how to wire it all up.
Users will be stored in Active Directory so I'm guessing that I should use the ADMembershipProvider for some of this. I believe there is a profile store attached to ADFS (or I can set one up) and I want to know if it's good practice to interact with it directly or is there an API that will let me add claims etc.
Finally, how does all this fit into the new WebSecurity stuff?
You asked for books on the subject of ADFS. You could try the patterns and practices book A Guide to Claims-Based Identity and Access Control.
In terms of the ADMembershipProvider, you don't need it.
ADFS under the hood handles the AD integration. You configure claims rules which determine which attributes ADFS extracts out of AD.
Update
In terms of editing the user in AD, this is an Identity Manager scenario. ADFS is an STS so it doesn't handle this. You need to do this directly e.g. Howto: (Almost) Everything In Active Directory via C#. Be aware that you need an AD login that enables write access to do this. This is a different credential set to the set that allows you to log in to ADFS.
ADFS just provides the login screen. Out of the box you don't get any self-service functionality. You need to customise the ADFS screen yourself e.g. AD FS 2.0 Sign-In Pages Customization Overview.

Windows Presentation Foundation (WPF) + Windows Identity Foundation (WIF)

Scenario: I need to configure a WPF application to send credentials from integrated security to an ADFS server and receive tokens back. I can't find guides describing in detail how to do this. The focus seems to be on web applications, web services, & WCF.
What are the steps to configure a WPF client? Is it possible to set up through a config file the same way a web app is configured?

You want to implement an Active WS-Trust scenario. Follow Lab 4 - Federation with ADFS with "active" clients from here: http://claimsid.codeplex.com/releases/view/68061 .
If you choose to call ADFS manually to get tokens, follow the WIF, ADFS 2 and WCF Article Series by Dominick Baier here: http://leastprivilege.com/2010/10/14/wif-adfs-2-and-wcfpart-5-service-client-more-flexibility-with-wstrustchannelfactory/
Both of those resources have helped me to implement Active WIF Scenario.

Access Control Service and Multi-tenant application

I'm building a multi-tenant MVC application hosted in Windows Azure.
I would like to leverage Access Control Service to allow users to get authenticated thanks to Google, Facebook, Live ID, etc.
I managed to get a simple authentication working with a postback URL that is configured in the Relying Party Application Settings.
But in my scenario it is more like this:
client1.mydomain.com/login or client1.com/login will go to the providers page, select let's say Google, then he will sign in and then he will be redirected to client1.mydomain.com/Admin or client1.com/Admin
How can I achieve that for any client? Should I add a relying party application for each client? Can it be done by code? Is it OK with Facebook?
I would also like the admin panel to be in Silverlight. Once the client is authenticated, will he remain authenticated in the Silverlight app?
Thank you in advance for any help or links that can help.
Fred
To answer your questions I would say yes to all. Each application would have to be set up as a relying party. So you would need to configure your app to use WIF and point to your Azure ACS.
All of these scenarios are covered in the Microsoft identity developer training kit.
Hope this helps.

Silverlight Ria services authentication on Azure

I have spent many hours trying to get my Silverlight Business application to run on Azure. My findings so far (open to correction):
ASP.NET authentication works with a Silverlight web application but not if RIA Services is added. This is because Azure only allows one form of authentication per hosting and WCF will not work if the authentication mode is not Anonymous. This means using WebContext is out of the question.
For the same reason passive federated claims authentication (either OpenID or custom STS) will not work with RIA Services.
There is some good stuff in the Identity Training Kit. Active federated claims should allow a login popup to be used. Again there is an example in the kit. I initially didn't look at the "Out of Browser" example until I realised that it should work In Browser as well. I created a custom STS which the Web app called successfully, but I got "service not found" - I assume on the return leg.
I have now decided to pull the plug on all this as I need to get my application up and running. The Silverlight client already communicates with my database via RIA Services - why do I need to create extra pipelines when the authentication data is going to be in the same database? Would security be compromised by simply checking a user name and password against my database? Would the System.ServiceModel.DomainServices.Client.ApplicationServices namespace be useful in this?

The second statement in your list is not accurate. You can use claims-based identity with RIA Services. See here:
http://blogs.msdn.com/b/eugeniop/archive/2009/11/22/updated-ria-and-wif-samples.aspx
http://blogs.msdn.com/b/eugeniop/archive/2009/11/25/ria-services-and-wif-part-ii.aspx
