I have spent many hours trying to get my Silverlight Business application to run on Azure. My findings so far (open to correction)
Asp net authentication works with a Silverlight web application but not if Ria services is added. This is because Azure only allows one form of authentication per hosting and WCF will not work if the authentication mode is not Anonymous. This mean using WebContext is out of the question.
For the same reason passive federated claims authentication (either OpenID or custom STS) will not work with Ria services.
There is some good stuff in the Identity Training Kit. Active federated claims should allow a login popup to by used. Again there is an example in the kit. I initially didn't look at the "Out of Browser" example until I realised that it should work In Browser as well. I created a custom STS which the Web app called successfully, but I got "service not found" - I assume on the return leg.
I have now decided to pull the plug on all this as I need to get my application up and running. The Silverlight client already communicates with my database via Ria Services - why do I need to create extra pipelines when the authentication data is going to be in the same database? Would security be comprimised by simply checking a user name and password against my database? Would the System.ServiceModel.DomainServices.Client.ApplicationServices namespace be useful in this?
Second statement in your list is not accurate. You can use claims based identity with Ria Services. See here:
http://blogs.msdn.com/b/eugeniop/archive/2009/11/22/updated-ria-and-wif-samples.aspx
http://blogs.msdn.com/b/eugeniop/archive/2009/11/25/ria-services-and-wif-part-ii.aspx
Related
I'm investigating options for adding AzureAD authentication to Angular SPA application with .NET core backend. I'm using VS 2019 MVC project with Angular (same as dotnet new Angular is producing). It's using .NET Core 3.1 and Angular 8.
From what I learned so far I have 3 options:
Built in Azure App Service Authentication
Adal.js - looks like the older brother of,
MSAL.js - which after making it work locally with Azure AD I learned on this page that "At this time, AAD V2 (including MSAL) is not supported for Azure App Services and Azure Functions. Please check back for updates." I couldn't make it work on Azure today so maybe this Note is for a good reason.
EDIT: Interestingly now point 3 works for me on Azure App Service so I'm not sure what this note means.
My requirements so far are that no screen is accessible to users unless they log in and that I will be able to read information about them from Azure AD - Roles, groups.
I never worked with Angular and I don't have any experience with Azure AD and I need someone that implemented it already to at least tell me which option I should choose and I can go from there.
My requirements so far are that no screen is accessible to users unless they log in and that I will be able to read information about them from Azure AD - Roles, groups.
I think the option 1 could meet your requirement, the configuration of Azure AD in Authentication / Authorization is higher than your code, the user could not access the app unless they log in.
To read the information about the roles, groups, you could check this good blog.
Here you have an angular E2E auth scenario using App Service built in authentication:
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-auth-aad
I believe the part you are interested in is this one:
Enable authentication and authorization for front-end app
This way app service is the one redirecting you to AAD and getting a valid token that you can just pass in to your APIs afterwards. If the APIs are hosted in App Service as well, then APP service will be the one validating the token for you, so your backend code does not need to worry about authentication (you still need to handle authorization)
I have a requirement to create an admin UI where I need to list all users registered on IdentityServer to start assigning permissions and roles. This application internally uses PolicyServer, but as a superadmin user, I would need to see all users registered on IdentityServer. Here IdentityServer is responsible for authentication and the other application that uses PolicyServer is responsible for the authorization.
Which is the correct way to proceed:
1- This admin UI application should be connected to the same database that IdentityServer uses to get all the users?
2 Or should I need to extend IdentityServer on this way?:
http://docs.identityserver.io/en/latest/topics/add_apis.html
I followed this issue here:
IdentityServer/IdentityServer3#2607
but still, it is not clear for me how to proceed on the question above.
Well, the users database is usually provided by ASP.NET Identity, not so Identity Server.
I had the same issue and I went on to develop the admin Web app in the same host as Identity Server, thus using the database connection to get to the users (and the API resources, clients, etc.).
I argue that this is the simplest way to achieve what you want. And still allows you to provide a complete API on your Identity Server for external apps. I also did that (for scenarios where client apps are allowed to view/edit the user profile, for example). The API was built using plain ASP.NET Core MVC.
Is it possible in WIF to combine active and passive federation? We currently have multiple Silverlight clients that communicate with 1 or more WCF services. The problem is that some of these services are hosted on a different domain. This means that, when we are using passive federation, calls to those services will fail when the user is not yet logged in for that domain (WIF will try to redirect the call). So is it possible to use passive federation when logging in to the website/Silverlight client and active federation when communicating with services? And has anyone done this (with Silverlight...)?
Your scenario sounds like this: You have a website that authenticates the user using passive federation to obtain a token. You hold on to the issued token, and pass it down into your silverlight client. The silverlight client uses that token to do active federation with your backend WCF services.
The most common way I've seen to achieve this is through RIA services. I've found this article which provides a nice introduction to this. Also, the identity developer training kit has an end to end sample. Look for the one titled "Developing Identity-Driven Silverlight Applications".
You say that WIF will redirect you WCF service call. This seems to be exactly the same problem as in this StackOverflow question: Passing SAML Token to WCF service from Asp.Net, and therefore my answer to that question might apply to your situation as well.
I have an interesting situation that I haven't been able to crack. Here is the environment that my Silverlight application runs in.
We have a SharePoint 2010 intranet that is the main host for the application. On a web part page, we have a Silverlight web part that contains the application. We use the Client Object Model to deduce who the logged in SharePoint user is. The users of this application access the SharePoint site OUTSIDE of the AD domain that they use to login; meaning they have an AD account, but their computers are part of various domains. The Silverlight application makes calls to a WCF service over https via SOAP protocol.
The question is, how do I secure the services so that the only valid requestor is the Silverlight application when being called from inside the context of a logged in SharePoint user?
Each end-user has an AD account that is created for them. The SharePoint site is an extranet that requires each user to login using their AD credentials. However, no end-user is accessing a site from a computer that is part of the domain.
I've attempted using Windows Authentication, but we have a requirement that the user must not be prompted to login (to the web services) after they have already logged into SharePoint. I've attempted using the Client Object Model to "pass" authentication/credentials to the service, but no luck there.
We have to disable Anonymous Authentication before we go to live, so I've got to figure out a way to secure the services but not make the users login a 2nd time inside the application.
out of the box you cant, silverlight cant delegate to any external service for security reasons. What you can do is to secure your WCF channel via some other method (certificate based for example) and send through the current username manually. On the SharePoint end you can then impersonate the user.
It will be quite a fiddly thing to get going though :)
Scenario: I need to configure a WPF application to send credentials from integrated security to an ADFS server and receive tokens back. I can't find guides describing in detail how to do this. The focus seems to be on web applications, web services, & WCF.
What are the steps to configure a WPF client? Is it possible to setup through a config file the same way a web app is configured?
You want to implement an Active WS-Trust scenario. Follow Lab 4 - Federation with ADFS with "active" clients" from here: http://claimsid.codeplex.com/releases/view/68061 .
If you chose to call ADFS manually to get tokens follow WIF, ADFS 2 and WCF Article Series by Dominick Baier here: http://leastprivilege.com/2010/10/14/wif-adfs-2-and-wcfpart-5-service-client-more-flexibility-with-wstrustchannelfactory/
Both of those resources have helped me to implement Active WIF Scenario.