Active Directory as OpenID provider? - active-directory

Can an Active Directory be used as an OpenID provider? WIF is an option, but it's quite complicated and not very widespread.

Yes, you can. Just host an ASP.NET web site that itself uses Active Directory authentication, and exposes an OpenID Provider using DotNetOpenAuth.

ADFS 4.0, available from Windows Server 2016 onwards, allows authentication using OpenID.

There is also OpenID-LDAP server which claims to work with AD LDAP.

Or you can use RedHat Keycloak, which leverages any LDAP or Kerberos Server as a repository to be used with OIDC or even with poor man's auth SAML.

Related

Authenticate Samba using Azure AD

Background:
We have a Samba file server using security = user, authenticating users in local Linux, which works great.
We migrated our cloud solution to Office 365, which includes an Azure AD.
Question:
Is it possible to have Samba authenticate users in Azure AD and map them to local Linux users?
I wouldn't like to join Samba as a domain member; actually, I don't even know if it is possible, and it seems too cumbersome.
I'd like a simple solution to this issue.
According to the note in the official document Overview of Azure Active Directory authentication over SMB for Azure Files (preview), quoted below, it seems to be impossible to authenticate Samba with AAD, although this document is for Azure File Storage.
Azure AD authentication over SMB is not supported for Linux VMs for the preview release. Only Windows Server VMs are supported.
However, a workaround I can think of is to combine an LDAP directory with Azure AD and then authenticate Samba with LDAP. You can refer to the documents below to see how to do this.
Configure secure LDAP (LDAPS) for an Azure AD Domain Services managed domain
LDAP-based authentication for Samba
As above, it does not seem to be a simple solution. Maybe you need to consider, for your scenario of using Samba, developing a web application with Azure AD authentication instead.

How to implement single sign-on using kerberos authentication in azure active directory

Using Azure Active Directory, when I am applying single sign-on for my web application I am able to do the password-based single sign-on successfully.
But when I am doing it with Integrated Windows Authentication (for Kerberos authentication mainly), I am not able to configure it. I am very confused.
Can anybody guide me on how to enable Kerberos authentication for a web application,
or please send me any example links on how to set up Kerberos authentication for web applications.
Thanks!
If you are trying to use Azure AD with Kerberos for Windows Integrated Authentication, there was a comment about AADConnect, which has some offerings, especially if you use ADFS for federated sign-ins. There is also the Azure App Proxy with KCD support.

Active Directory usage by ADFS, LDAP

I have a few very specific questions to come to an understanding of Active Directory usage:
ADFS is the service/software that enables SSO login to applications, using a single URL, for users stored in Active Directory. Right?
LDAP is a protocol that exposes other functionality, like fetching users, deleting users, authenticating users via the bind method, etc., for objects stored in Active Directory. Right?
Then can't LDAP and ADFS both work on the same Active Directory? This link,
LDAP support in ADFS, got me confused, in that it refers to LDAP and AD as separate entities.
Can't I apply both the mechanisms on same AD? I only have knowledge of LDAP. Trying to learn ADFS.
ADFS provides SSO capabilities for SaaS services and Modern LOB applications. Traditionally, it uses identities stored in Active Directory Domain Services to validate the credentials for a user. In 2016, we also added support to include identities stored in any 3rd party LDAP directory.
Irrespective of where the identity is stored ADFS offers SSO across the applications that trust it.
Hope this clarifies.
Thanks //Sam (Twitter: #MrADFS)
AD stores users, groups and credentials.
To access an attribute in AD, you use the LDAP protocol via e.g. the C# Directory Services API.
ADFS handles authentication against AD and also adds a federation layer on top of AD.
The correct way to access AD attributes via ADFS is to use claims-based authentication whereby you configure ADFS to provision the attributes (as claims) into the token and then extract them on the client side.

Is it possible to authenticate using Kerberos against a Kerberos enabled domain controller?

We are configuring Siebel to authenticate against a Microsoft Active Directory with Kerberos enabled.
Kerberos authentication is not enabled in Siebel under Unix so we're planning to use simple authentication.
Is it possible to authenticate to a Microsoft Active Directory without Kerberos when Kerberos is enabled on the domain controller?
Best regards,
Yes, you can authenticate to a Microsoft Active Directory without Kerberos, using either NTLM or LDAP. NTLM, though, is disabled by default in AD 2008 and above. LDAP authentication through bind calls can be used as well by application servers that can't do either NTLM or Kerberos. Classically, LDAP is meant as a directory lookup protocol and not really meant as an authentication protocol. Typically, these scenarios involve application servers running on non-Microsoft platforms. Be advised that Kerberos is the most secure protocol of the three and is the industry standard for authentication.
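
An added example for the LDAP bind authentication that the ADFS/LDAP question above asks about and that this answer recommends for Siebel; it is not code from either thread. It builds an LDAPv3 simple BindRequest byte for byte (RFC 4511, BER encoding), decodes the BindResponse, and goes one step beyond the answer by pulling the AD-specific sub-status out of the diagnostic message ("data 52e" and friends), which is what tells you whether a failed bind was a wrong password, a locked account or an expired one. The host name, DN and the sample response bytes are placeholders and constructed data, not captured traffic. The network helper only offers LDAPS on 636: a simple bind carries the password in the clear, and a domain controller configured to require LDAP signing answers an unprotected simple bind with strongerAuthRequired (code 8) rather than accepting it.

```python
"""LDAPv3 simple bind against Active Directory, at the wire level (RFC 4511).

Added example, not code from the original thread.  Host, DN and the sample
BindResponse below are placeholders / constructed data.
"""
import re
import socket
import ssl

# RFC 4511 result codes that matter for a bind
RESULT_CODES = {0: "success", 7: "authMethodNotSupported",
                8: "strongerAuthRequired",      # DC requires signing or TLS
                49: "invalidCredentials", 50: "insufficientAccessRights"}

# AD's sub-status, found in the diagnostic message as "... data 52e, ..."
AD_DATA = {"525": "user not found", "52e": "invalid credentials",
           "530": "not permitted to logon at this time",
           "531": "not permitted to logon at this workstation",
           "532": "password expired", "533": "account disabled",
           "701": "account expired", "773": "user must reset password",
           "775": "account locked out"}


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }.
    msg_id is assumed to be 1..127 so it fits one INTEGER byte."""
    op = (tlv(0x02, b"\x03")                      # version INTEGER 3
          + tlv(0x04, dn.encode("utf-8"))          # name LDAPDN
          + tlv(0x80, password.encode("utf-8")))   # AuthenticationChoice: simple [0]
    return tlv(0x30, tlv(0x02, msg_id.to_bytes(1, "big")) + tlv(0x60, op))  # [APPLICATION 0]


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf: bytes) -> dict:
    """Decode LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode,
    matchedDN, diagnosticMessage } } and extract AD's sub-status if present."""
    tag, msg, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, p = read_tlv(msg)
    tag, op, _ = read_tlv(msg, p)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, p = read_tlv(op)          # ENUMERATED resultCode
    _, _matched, p = read_tlv(op, p)   # matchedDN, empty for binds
    _, diag, _ = read_tlv(op, p)       # diagnosticMessage
    code = int.from_bytes(code, "big")
    diag = diag.decode("utf-8", "replace")
    m = re.search(r"\bdata ([0-9a-f]+)\b", diag)
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": code, "result": RESULT_CODES.get(code, "other"),
            "ad_data": m.group(1) if m else None,
            "ad_reason": AD_DATA.get(m.group(1)) if m else None,
            "diagnostic": diag}


def simple_bind(host: str, dn: str, password: str, port: int = 636, timeout: float = 5) -> dict:
    """One simple bind over LDAPS with certificate verification.  Plain 389 is
    deliberately not offered: the password would cross the wire in the clear."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as s:
        s.sendall(bind_request(1, dn, password))
        return parse_bind_response(s.recv(4096))   # a BindResponse is a few dozen bytes


def sample_ad_response(code: int, diag: str) -> bytes:
    """Constructed BindResponse in the shape AD sends (not captured traffic)."""
    op = tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, diag.encode("utf-8"))
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x61, op))


if __name__ == "__main__":
    req = bind_request(1, "CN=svc-siebel,OU=Service,DC=example,DC=com", "hunter2")
    print(req.hex())
    bad = sample_ad_response(49, "80090308: LdapErr: DSID-0C09042F, comment: "
                                 "AcceptSecurityContext error, data 52e, v2580")
    print(parse_bind_response(bad))
```

Log the ad_reason for the operators and return only a generic failure to the user: the 525/52e/775 distinction is exactly the user-enumeration and lockout oracle you do not want to hand to whoever is typing into the login form.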

Does on-premise ADFS support OpenID Connect?

I'm trying to figure out if it's possible to authenticate via an on-premise ADFS using OpenID Connect.
I wasn't able to find any examples on that - is this scenario supported? Or should I federate ADFS with AAD?
No, ADFS 1.0/2.0 do not support OpenID Connect.
Update: the newest version of ADFS i.e. ADFS 2016 does.
As of Windows Server 2016 RTM - OpenID Connect is now fully supported.
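
Since ADFS on Windows Server 2016 does speak OpenID Connect, here is an added example of the relying-party side of an authorization code login against it; it is not code from the thread or from Microsoft. adfs.example.com, the client id and the redirect URI are placeholders, and the discovery dictionary is a constructed copy of the fields ADFS publishes at /adfs/.well-known/openid-configuration. Verifying the id_token signature (RS256 against the keys at jwks_uri) is left to whatever JWT library you use; the code covers what comes before and after that step: PKCE, state and nonce generation, rejecting a token whose header names an unexpected alg before any cryptography runs, and the issuer/audience/expiry/nonce claim checks that relying parties most often skip.

```python
"""Relying-party checks for an OpenID Connect code flow against ADFS 2016.

Added example, not code from the original thread.  adfs.example.com, the
client id and redirect URI are placeholders; DISCOVERY is a constructed
copy of the ADFS discovery document's relevant fields.  Signature
verification is delegated to a JWT library and is not performed here.
"""
import base64
import hashlib
import json
import secrets
import time
from urllib.parse import urlencode

DISCOVERY = {  # constructed sample shaped like /adfs/.well-known/openid-configuration
    "issuer": "https://adfs.example.com/adfs",
    "authorization_endpoint": "https://adfs.example.com/adfs/oauth2/authorize/",
    "token_endpoint": "https://adfs.example.com/adfs/oauth2/token/",
    "jwks_uri": "https://adfs.example.com/adfs/discovery/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
}
CLIENT_ID = "12345678-aaaa-bbbb-cccc-1234567890ab"   # placeholder client id
REDIRECT_URI = "https://app.example.com/signin-oidc"  # placeholder


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pkce_challenge(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(code_verifier)), RFC 7636 4.2."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_session_secrets() -> dict:
    """Per-login state (CSRF), nonce (token replay) and PKCE verifier."""
    return {"state": secrets.token_urlsafe(24), "nonce": secrets.token_urlsafe(24),
            "verifier": b64url(secrets.token_bytes(32))}   # 43 chars, within 43..128


def build_authorize_url(cfg: dict, state: str, nonce: str, verifier: str) -> str:
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "redirect_uri": REDIRECT_URI, "scope": "openid profile",
              "state": state, "nonce": nonce,
              "code_challenge": pkce_challenge(verifier),
              "code_challenge_method": "S256"}
    return cfg["authorization_endpoint"] + "?" + urlencode(params)


def callback_state_ok(sent: str, returned) -> bool:
    """Constant-time comparison of the state echoed back by ADFS."""
    return isinstance(returned, str) and \
        secrets.compare_digest(sent.encode("utf-8"), returned.encode("utf-8"))


def unverified_jwt_parts(token: str):
    """Split a compact JWS.  Nothing returned here is authenticated yet."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), s


def header_problems(header: dict, cfg: dict) -> list:
    """Reject before any signature check: alg confusion and missing key id."""
    problems = []
    if header.get("alg") not in cfg["id_token_signing_alg_values_supported"]:
        problems.append("alg %r not in the provider's advertised list" % header.get("alg"))
    if not header.get("kid"):
        problems.append("no kid, cannot pick a signing key from jwks_uri")
    return problems


def id_token_problems(claims: dict, cfg: dict, expected_nonce: str,
                      now=None, skew: int = 60) -> list:
    """Claim checks of OIDC Core 3.1.3.7, to run only after the signature verified."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != cfg["issuer"]:
        problems.append("issuer mismatch: %r" % claims.get("iss"))
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if CLIENT_ID not in aud:
        problems.append("token not issued for this client")
    elif len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        problems.append("multiple audiences but azp is not this client")
    if claims.get("exp", 0) + skew < now:
        problems.append("token expired")
    if claims.get("iat", now) - skew > now:
        problems.append("iat is in the future")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch: replayed or cross-session token")
    return problems


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Constructed token with an empty signature, i.e. what a forger would send."""
    return b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode()) + "."


if __name__ == "__main__":
    s = new_session_secrets()
    print(build_authorize_url(DISCOVERY, s["state"], s["nonce"], s["verifier"]))
    claims = {"iss": DISCOVERY["issuer"], "aud": CLIENT_ID, "sub": "placeholder-subject",
              "upn": "alice@example.com", "nonce": s["nonce"],
              "iat": int(time.time()), "exp": int(time.time()) + 3600}
    hdr, body, sig = unverified_jwt_parts(make_unsigned_token({"alg": "none"}, claims))
    print(header_problems(hdr, DISCOVERY))                    # rejected before any crypto
    print(id_token_problems(claims, DISCOVERY, s["nonce"]))  # [] : the claims are fine
```

The order matters: compare state on the callback, check the header against the advertised alg list, verify the signature with the key named by kid, and only then evaluate the claims; a library that is handed `alg: none` or an HS256 token and trusts the header is the classic way an ADFS relying party gets forged logins.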
